Honor the SecRuleEngine while filtering connections

The SecRuleEngine has the capability to Enable, Disable or even to place the ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit were not honoring such state, due the fact that our configuration belongs to requests not to connections, the only struct that exists while those filters are placed. By adding a global variable "conn_limits_filter_state" we are now able to identify the current state of the ModSecurity, once the configuration is loaded this variable is set and used by the connections filters.
2025-08-14 05:45:59 +03:00 · 2013-10-31 14:28:00 -07:00 · 2013-10-31 14:28:00 -07:00 · a15f8813e9
commit a15f8813e9
parent 0037a0732a
3 changed files with 53 additions and 29 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
    directory_config *dcfg = (directory_config *)_dcfg;
+
    if (dcfg == NULL) return NULL;

-    if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED;
-    else
-    if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED;
-    else
-    if (strcasecmp(p1, "detectiononly") == 0) {
+    if (strcasecmp(p1, "on") == 0)
+    {
+        dcfg->is_enabled = MODSEC_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0)
+    {
+        dcfg->is_enabled = MODSEC_DISABLED;
+    }
+    else if (strcasecmp(p1, "detectiononly") == 0)
+    {
        dcfg->is_enabled = MODSEC_DETECTION_ONLY;
        dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
        dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
-    } else
-    return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                "SecRuleEngine: %s", p1);
+    }
+
+    conn_limits_filter_state = dcfg->is_enabled;

    return NULL;
 }
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;

 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;

+int DSOLOCAL conn_limits_filter_state = 0;
+
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
 TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
 TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0;
@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn)
            }
        }

-
        if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
        {
            if (conn_read_state_suspicious_list &&
                (tree_contains_ip(conn->pool,
                   conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
            {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "READ state from %s - There is a suspission list but " \
-                    "that IP is not part of it, access granted", ip_count_r,
-                    conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in READ state from %s - There is a suspission list " \
+                        "but that IP is not part of it, access granted",
+                        ip_count_r, conn_read_state_limit, client_ip);
            }
-
            else if (tree_contains_ip(conn->pool,
                conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0)
            {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "READ state from %s - Ip is on whitelist, access granted",
-                    ip_count_r, conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in READ state from %s - Ip is on whitelist, access " \
+                        "granted", ip_count_r, conn_read_state_limit,
+                        client_ip);
            }
            else
            {
@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn)
                    "threads [%ld] of %ld allowed in READ state from %s - " \
                    "Possible DoS Consumption Attack [Rejected]", ip_count_r,
                    conn_read_state_limit, client_ip);
-                return OK;
+
+                if (conn_limits_filter_state == MODSEC_ENABLED)
+                    return OK;
            }
        }

@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn)
                (tree_contains_ip(conn->pool,
                    conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
            {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "WRITE state from %s - There is a suspission list but " \
-                    "that IP is not part of it, access granted", ip_count_w,
-                    conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in WRITE state from %s - There is a suspission list " \
+                        "but that IP is not part of it, access granted",
+                        ip_count_w, conn_read_state_limit, client_ip);
            }
            else if (tree_contains_ip(conn->pool,
                conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0)
            {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "WRITE state from %s - Ip is on whitelist, access granted",
-                    ip_count_w, conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in WRITE state from %s - Ip is on whitelist, " \
+                        "access granted", ip_count_w, conn_read_state_limit,
+                        client_ip);
            }
            else
            {
@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn)
                    "threads [%ld] of %ld allowed in WRITE state from %s - " \
                    "Possible DoS Consumption Attack [Rejected]", ip_count_w,
                    conn_write_state_limit, client_ip);
-                return OK;
+
+                if (!conn_limits_filter_state == MODSEC_ENABLED)
+                    return OK;
            }
        }
    }
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;

 extern DSOLOCAL int status_engine_state;

+extern DSOLOCAL int conn_limits_filter_state;
+
 extern DSOLOCAL unsigned long int conn_read_state_limit;
 extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
 extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;