diff --git a/CHANGES b/CHANGES
index 000f8438..2c701896 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 v3.0.4 - YYYY-MMM-DD (to be released)
 -------------------------------------
+ - Fix: audit log data omitted when nolog,auditlog
+ [@martinhsv]
 - Fix: ModSecurity 3.x inspectFile operator does not pass FILES_TMPNAMES parameter to lua engine [Issue #2204, #2205 - @kadirerdogan]
diff --git a/src/actions/audit_log.cc b/src/actions/audit_log.cc
index 02afe9cb..258591cc 100644
--- a/src/actions/audit_log.cc
+++ b/src/actions/audit_log.cc
@@ -21,6 +21,7 @@
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule_message.h"
+#include "modsecurity/rules.h"
 namespace modsecurity {
 namespace actions {
@@ -29,6 +30,9 @@ namespace actions {
 bool AuditLog::evaluate(Rule *rule, Transaction *transaction, std::shared_ptr rm) {
 rm->m_noAuditLog = false;
+ ms_dbg_a(transaction, 9, "Saving transaction to logs");
+ rm->m_saveMessage = true;
+
 return true;
 }
diff --git a/src/actions/no_audit_log.cc b/src/actions/no_audit_log.cc
index 1a729204..ca7e0ce0 100644
--- a/src/actions/no_audit_log.cc
+++ b/src/actions/no_audit_log.cc
@@ -29,6 +29,8 @@ namespace actions {
 bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction, std::shared_ptr rm) {
 rm->m_noAuditLog = true;
+ rm->m_saveMessage = false;
+
 return true;
 }
diff --git a/test/test-cases/regression/auditlog.json b/test/test-cases/regression/auditlog.json
index 4729370b..33b61101 100644
--- a/test/test-cases/regression/auditlog.json
+++ b/test/test-cases/regression/auditlog.json
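Review bot: In AuditLog::evaluate (src/actions/audit_log.cc, second hunk) the new `rm->m_saveMessage = true;` can only take effect if `auditlog` is evaluated after the flag was cleared, so the fix appears to depend on action order; the code that clears the flag for `nolog` is not visible in this diff, and the added regression case covers `nolog,auditlog` only. If `auditlog,nolog` is still expected to drop the rule message from the audit log, say so next to the assignment, e.g. `// Re-enables saving of this rule's message; only effective when evaluated after nolog.` The debug text also overstates what happens here, since the action only sets a flag on the rule message; `ms_dbg_a(transaction, 9, "auditlog: rule message flagged to be saved");` would be more accurate. The same ordering caveat applies to the `m_saveMessage = false` write in src/actions/no_audit_log.cc.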
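Review bot: In NoAuditLog::evaluate (src/actions/no_audit_log.cc) the added `rm->m_saveMessage = false;` couples `noauditlog` to a flag whose name is not audit-specific. If `m_saveMessage` also gates the error-log entry (not visible in this diff), a rule written `log,noauditlog` would lose its error-log line as well, silently removing a detection signal. This is worth confirming with a regression case for `log,noauditlog` that expects the error-log match and no audit entry; if the coupling is intended, a comment such as `// noauditlog also clears m_saveMessage; a later auditlog action re-enables it` would document it.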
@@ -171,5 +171,54 @@
 "SecAuditLogType Parallel",
 "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
 ]
+ },
+ {
+ "enabled": 1,
+ "version_min": 300000,
+ "version_max": 0,
+ "title": "auditlog : messages verification - nolog,auditlog",
+ "client": {
+ "ip": "200.249.12.31",
+ "port": 2313
+ },
+ "server": {
+ "ip": "200.249.12.31",
+ "port": 80
+ },
+ "request": {
+ "headers": {
+ "Host": "www.modsecurity.org",
+ "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+ "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+ "Accept-Language": "en-us,en;q=0.5",
+ "Accept-Encoding": "gzip,deflate",
+ "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+ "Keep-Alive": "300",
+ "Connection": "keep-alive",
+ "Pragma": "no-cache",
+ "Cache-Control": "no-cache"
+ },
+ "uri": "\/test.pl?param1=test¶m2=test2",
+ "method": "GET",
+ "http_version": 1.1,
+ "body": ""
+ },
+ "expected": {
+ "audit_log": "id \"1556",
+ "error_log": "",
+ "http_code": 403
+ },
+ "rules": [
+ "SecRuleEngine On",
+ "SecDefaultAction \"phase:1,nolog,auditlog,deny,status:403\"",
+ "SecRule ARGS \"@contains test\" \"id:1556,phase:1,block,nolog,auditlog\"",
+ "SecAuditEngine RelevantOnly",
+ "SecAuditLogParts ABCFHZ",
+ "SecAuditLog /tmp/test/modsec_audit_auditlog_1.log",
+ "SecAuditLogDirMode 0766",
+ "SecAuditLogFileMode 0666",
+ "SecAuditLogType Serial",
+ "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
+ ]
 }
 ]