github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

General improvements on audit logs information

Browse Source 
Making actions: msg, logdata, tag and others to work in the same
fashion that they work on ModSecurity v2.x
This commit is contained in:
Felipe Zimmerle 2016-02-05 15:12:20 -03:00
parent 31117d7577
commit 9474373264
7 changed files with 157 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
headers/modsecurity/rule.h
View File

@ -76,12 +76,64 @@ class Rule {
bool m_secmarker; bool m_secmarker;
std::string m_fileName; std::string m_fileName;
int m_lineNumber; int m_lineNumber;
std::list<std::string> m_tags;
std::string m_log_data;
std::string m_log_message;
private: private:
bool m_unconditional; bool m_unconditional;
int m_referenceCount; int m_referenceCount;
}; };
class RuleMessage {
public:
RuleMessage(Rule *rule) {
m_ruleFile = rule->m_fileName;
m_ruleLine = rule->m_lineNumber;
m_ruleId = rule->rule_id;
m_ruleRev = 0;
m_message = std::string("");
m_data = std::string("");
m_severity = std::string("");
m_ver = std::string("");
m_maturity = 0;
m_accuracy = 0;
m_tags = std::string("");
m_rule = rule;
};
RuleMessage(Rule *rule, std::string message) {
m_ruleFile = rule->m_fileName;
m_ruleLine = rule->m_lineNumber;
m_ruleId = rule->rule_id;
m_ruleRev = 0;
m_message = message;
m_data = std::string("");
m_severity = std::string("");
m_ver = std::string("");
m_maturity = 0;
m_accuracy = 0;
m_tags = std::string("");
m_rule = rule;
};
std::string m_match;
std::string m_ruleFile;
int m_ruleLine;
int m_ruleId;
int m_ruleRev;
std::string m_message;
std::string m_data;
std::string m_severity;
std::string m_ver;
int m_maturity;
int m_accuracy;
std::string m_tags;
Rule *m_rule;
};
} // namespace modsecurity } // namespace modsecurity
#endif #endif

9
headers/modsecurity/transaction.h
View File

@ -71,6 +71,7 @@ class ModSecurity;
class Transaction; class Transaction;
class Rules; class Rules;
class Collections; class Collections;
class RuleMessage;
namespace actions { namespace actions {
class Action; class Action;
} }
@ -264,14 +265,14 @@ class Transaction {
/** /**
* This variable holds all the messages asked to be save by the utilization * This variable holds all the messages asked to be save by the utilization
* of the actions: `log_data' and `msg'. These should be included on the * of the actions: `log_data' and `msg'. These should be included on the
* auditlogs. * auditlogs.
*/ */
std::list<std::string> m_rulesMessages; std::list<modsecurity::RuleMessage *> m_rulesMessages;
/** /**
* The list m_ruleTags contains all tags that were specified by the * The list m_ruleTags contains all tags that were specified by the
* action `tag'. * action `tag'.
*/ */
std::list<std::string> m_ruleTags; std::list<std::string> m_ruleTags;

12
src/actions/log_data.cc
View File

@ -22,6 +22,7 @@
#include "modsecurity/transaction.h" #include "modsecurity/transaction.h"
#include "src/utils.h" #include "src/utils.h"
#include "src/macro_expansion.h" #include "src/macro_expansion.h"
#include "modsecurity/rule.h"
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
@ -35,14 +36,11 @@ LogData::LogData(std::string action)
bool LogData::evaluate(Rule *rule, Transaction *transaction) { bool LogData::evaluate(Rule *rule, Transaction *transaction) {
std::string msg = MacroExpansion::expand(m_data, transaction); std::string data = MacroExpansion::expand(m_data, transaction);
#ifndef NO_LOGS
transaction->debug(9, "Saving msg: " + msg); rule->m_log_data = data;
#endif
transaction->m_rulesMessages.push_back(msg);
transaction->serverLog(msg);
return true;
} }
} // namespace actions } // namespace actions
} // namespace modsecurity } // namespace modsecurity

26
src/actions/msg.cc
View File

@ -22,6 +22,25 @@
#include "modsecurity/transaction.h" #include "modsecurity/transaction.h"
#include "src/utils.h" #include "src/utils.h"
#include "src/macro_expansion.h" #include "src/macro_expansion.h"
#include "modsecurity/rule.h"
/*
* Description: Assigns a custom message to the rule or chain in which it
* appears. The message will be logged along with every alert.
*
* Action Group: Meta-data
*
* Example:
* SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
*
* Note : The msg information appears in the error and/or audit log files
* and is not sent back to the client in response headers.
*
* Note 2: The msg action can appear multiple times in the SecRule, however
* just the last one will be take into consideration.
*
*/
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
@ -36,13 +55,16 @@ Msg::Msg(std::string action)
bool Msg::evaluate(Rule *rule, Transaction *transaction) { bool Msg::evaluate(Rule *rule, Transaction *transaction) {
std::string msg = MacroExpansion::expand(m_msg, transaction); std::string msg = MacroExpansion::expand(m_msg, transaction);
#ifndef NO_LOGS #ifndef NO_LOGS
transaction->debug(9, "Saving msg: " + msg); transaction->debug(9, "Saving msg: " + msg);
#endif #endif
transaction->m_rulesMessages.push_back(msg);
transaction->serverLog(msg); rule->m_log_message = msg;
return true; return true;
} }
} // namespace actions } // namespace actions
} // namespace modsecurity } // namespace modsecurity

25
src/actions/tag.cc
View File

@ -22,6 +22,29 @@
#include "modsecurity/transaction.h" #include "modsecurity/transaction.h"
#include "src/utils.h" #include "src/utils.h"
#include "src/macro_expansion.h" #include "src/macro_expansion.h"
#include "modsecurity/rule.h"
/**
* Description: Assigns a tag (category) to a rule or a chain.
*
* Action Group: Meta-data
*
* Example:
*
* SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
* "phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
* {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
*
*
* The tag information appears along with other rule metadata. The
* purpose of the tagging mechanism to allow easy automated categorization
* of events. Multiple tags can be specified on the same rule. Use forward
* slashes to create a hierarchy of categories (as in the example). Since
* ModSecurity 2.6.0 tag supports macro expansion.
*
*
*/
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
@ -39,7 +62,7 @@ bool Tag::evaluate(Rule *rule, Transaction *transaction) {
#ifndef NO_LOGS #ifndef NO_LOGS
transaction->debug(9, "Rule tag: " + tag); transaction->debug(9, "Rule tag: " + tag);
#endif #endif
transaction->m_ruleTags.push_back(tag); rule->m_tags.push_back(tag);
return true; return true;
} }

7
src/rule.cc
View File

@ -508,6 +508,13 @@ bool Rule::evaluate(Transaction *trasn) {
e.pop_back(); e.pop_back();
} }
} }
if (!m_log_message.empty() || !m_log_data.empty()) {
RuleMessage *ruleMessage = new modsecurity::RuleMessage(this, m_log_message);
ruleMessage->m_data = m_log_data;
trasn->m_rulesMessages.push_back(ruleMessage);
}
return ret; return ret;
} }

40
src/transaction.cc
View File

@ -40,6 +40,7 @@
#include "audit_log/audit_log.h" #include "audit_log/audit_log.h"
#include "src/unique_id.h" #include "src/unique_id.h"
#include "src/utils.h" #include "src/utils.h"
#include "modsecurity/rule.h"
using modsecurity::actions::Action; using modsecurity::actions::Action;
using modsecurity::RequestBodyProcessor::Multipart; using modsecurity::RequestBodyProcessor::Multipart;
@ -1527,7 +1528,46 @@ std::string Transaction::toJSON(int parts) {
/* end: producer */ /* end: producer */
yajl_gen_map_close(g); yajl_gen_map_close(g);
/* messages */
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("messages"),
strlen("messages"));
yajl_gen_array_open(g);
for (auto a : m_rulesMessages) {
yajl_gen_map_open(g);
LOGFY_ADD("message", a->m_message.c_str());
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("producer"),
strlen("producer"));
yajl_gen_map_open(g);
LOGFY_ADD("ruleId", std::to_string(a->m_ruleId).c_str());
LOGFY_ADD("file", a->m_ruleFile.c_str());
LOGFY_ADD("lineNumber", std::to_string(a->m_ruleLine).c_str());
LOGFY_ADD("data", a->m_data.c_str());
LOGFY_ADD("serverity", a->m_severity.c_str());
LOGFY_ADD("ver", a->m_ver.c_str());
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("tags"),
strlen("tags"));
yajl_gen_array_open(g);
for (auto b : a->m_rule->m_tags) {
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>(b.c_str()),
strlen(b.c_str()));
}
yajl_gen_array_close(g);
LOGFY_ADD("maturity", std::to_string(a->m_maturity).c_str());
LOGFY_ADD("accuracy", std::to_string(a->m_accuracy).c_str());
yajl_gen_map_close(g);
yajl_gen_map_close(g);
}
yajl_gen_array_close(g);
/* end: messages */
} }
/* end: transaction */ /* end: transaction */
yajl_gen_map_close(g); yajl_gen_map_close(g);