github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-11-15 17:12:14 +03:00
Code Issues Packages Projects Releases Wiki Activity

Computes auditlog during rules load time

Browse Source
This commit is contained in:
Felipe Zimmerle
2020-06-03 20:57:27 -03:00
parent 156202d10c
commit 92a853bceb
16 changed files with 192 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
test/test-cases/regression/auditlog.json
View File

@@ -3,7 +3,7 @@
"enabled": 1,
"version_min": 300000,
"version_max": 0,
"title": "auditlog : basic parser test - Parallel",
"title": "auditlog : basic parser test - Parallel 1",
"client": {
"ip": "200.249.12.31",
"port": 2313
@@ -40,7 +40,7 @@
},
"expected": {
"audit_log": "",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test",
"debug_log": "Saving this request as part of the audit logs",
"error_log": "",
"http_code": 403
},
@@ -60,7 +60,7 @@
"enabled": 1,
"version_min": 300000,
"version_max": 0,
"title": "auditlog : basic parser test - Serial",
"title": "auditlog : basic parser test - Serial 1",
"client": {
"ip": "200.249.12.31",
"port": 2313
@@ -96,8 +96,8 @@
]
},
"expected": {
"audit_log": "",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test",
"audit_log": "Access denied with code 403",
"debug_log": "",
"error_log": "",
"http_code": 403
},
@@ -118,7 +118,7 @@
"enabled": 1,
"version_min": 300000,
"version_max": 0,
"title": "auditlog : basic parser test - Parallel",
"title": "auditlog : basic parser test - Parallel 2",
"client": {
"ip": "200.249.12.31",
"port": 2313
@@ -154,8 +154,8 @@
]
},
"expected": {
"audit_log": "",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test",
"audit_log": "www.modsecurity.org 200.249.12.31",
"debug_log": "Saving this request as part of the audit logs",
"error_log": "",
"http_code": 403
},
@@ -220,5 +220,55 @@
"SecAuditLogType Serial",
"SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
]
},
{
"enabled": 1,
"version_min": 300000,
"version_max": 0,
"title": "auditlog : messages verification - nolog,noauditlog",
"client": {
"ip": "200.249.12.31",
"port": 2313
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "www.modsecurity.org",
"User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
"Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive": "300",
"Connection": "keep-alive",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
},
"uri": "\/test.pl?param1=test&param2=test2",
"method": "GET",
"http_version": 1.1,
"body": ""
},
"expected": {
"audit_log": "1556",
"error_log": "",
"http_code": 403
},
"rules": [
"SecRuleEngine On",
"SecDefaultAction \"phase:1,nolog,auditlog,status:403,pass\"",
"SecRule ARGS \"@contains test\" \"id:1555,phase:1,log,noauditlog\"",
"SecRule ARGS \"@contains test\" \"id:1556,phase:1,deny,auditlog\"",
"SecAuditEngine RelevantOnly",
"SecAuditLogParts ABCFHZ",
"SecAuditLog /tmp/test/modsec_audit_auditlog_1.log",
"SecAuditLogDirMode 0766",
"SecAuditLogFileMode 0666",
"SecAuditLogType Serial",
"SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
]
}
]

3
test/test-cases/regression/config-secdefaultaction.json
View File

@@ -272,11 +272,12 @@
},
"expected":{
"audit_log":"",
"debug_log":"Request was relevant to be saved.",
"debug_log":"Saving this request as part of the audit logs",
"http_code": 302
},
"rules":[
"SecRuleEngine On",
"SecAuditEngine On",
"SecDefaultAction \"phase:2,log,auditlog,status:302,redirect:'http://www.google.com'\"",
"SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,block\"",
"SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none,block\""