From 11a1045f4797519a193e1b4f30518dfd3f111fce Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Tue, 27 Oct 2015 10:40:35 -0300
Subject: [PATCH] Adds support to capture this fingerprint of the detectSQLi operator
---
 src/actions/capture.cc | 6 ++++++
 src/operators/detect_sqli.cc | 4 +---
 src/operators/detect_sqli.h | 2 ++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/actions/capture.cc b/src/actions/capture.cc
index df3efcc3..06c68d16 100644
--- a/src/actions/capture.cc
+++ b/src/actions/capture.cc
@@ -26,6 +26,7 @@
 #include "operators/pm.h"
 #include "operators/rx.h"
 #include "operators/contains.h"
+#include "operators/detect_sqli.h"
 namespace ModSecurity {
 namespace actions {
@@ -49,6 +50,11 @@ bool Capture::evaluate(Rule *rule, Assay *assay) {
 match = &contains->matched;
 }
+ operators::DetectSQLi *dsqli = dynamic_cast(op);
+ if (dsqli != NULL) {
+ match = &dsqli->matched;
+ }
+
+ if (match->empty()) {
 return false;
 }
diff --git a/src/operators/detect_sqli.cc b/src/operators/detect_sqli.cc
index 096806ef..60a1d7a0 100644
--- a/src/operators/detect_sqli.cc
+++ b/src/operators/detect_sqli.cc
@@ -27,13 +27,11 @@ namespace operators {
 bool DetectSQLi::evaluate(Assay *assay, const std::string &input) {
 char fingerprint[8];
 int issqli;
- // int capture;
 issqli = libinjection_sqli(input.c_str(), input.length(), fingerprint);
- // capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
 if (issqli) {
- // set_match_to_tx(msr, capture, fingerprint, 0);
+ matched.push_back(fingerprint);
 if (assay) {
 #ifndef NO_LOGS
 assay->debug(4, "detected SQLi using libinjection with " \
diff --git a/src/operators/detect_sqli.h b/src/operators/detect_sqli.h
index 2353cc0f..26c33fd2 100644
--- a/src/operators/detect_sqli.h
+++ b/src/operators/detect_sqli.h
@@ -30,6 +30,8 @@ class DetectSQLi : public Operator {
 : Operator(op, param, negation) { }
 bool evaluate(Assay *assay, const std::string &input);
+
+ std::list matched;
 };
 } // namespace operators
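Review bot: `match = &dsqli->matched;` in Capture::evaluate points Capture at a list owned by the operator object, and the only write to that list visible in this patch is `matched.push_back(fingerprint);` in the detect_sqli.cc hunk, with nothing clearing it. Each positive detection therefore appends another fingerprint, so the list grows with attack traffic and what Capture reads can include fingerprints from earlier evaluations rather than only the current one. If operator instances are shared between transactions or threads (not visible here), this is also an unsynchronised write to shared state. A minimal fix is to reset the list at the top of DetectSQLi::evaluate with `matched.clear();` before the libinjection_sqli call; keeping the fingerprint in per-transaction storage would avoid the shared member declared in the detect_sqli.h hunk altogether. Both evaluate() bodies extend beyond their hunks, so a reset elsewhere cannot be ruled out from here.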