diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 678fb96c..2ee70bfe 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg, static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1) { directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; - if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED; - else - if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED; - else - if (strcasecmp(p1, "detectiononly") == 0) { + if (strcasecmp(p1, "on") == 0) + { + dcfg->is_enabled = MODSEC_ENABLED; + } + else if (strcasecmp(p1, "off") == 0) + { + dcfg->is_enabled = MODSEC_DISABLED; + } + else if (strcasecmp(p1, "detectiononly") == 0) + { dcfg->is_enabled = MODSEC_DETECTION_ONLY; dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL; dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL; - } else - return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); + } + else + { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \ + "SecRuleEngine: %s", p1); + } + + conn_limits_filter_state = dcfg->is_enabled; return NULL; } diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index dfa3e40c..8e90e64a 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0; int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED; +int DSOLOCAL conn_limits_filter_state = 0; + unsigned long int DSOLOCAL conn_read_state_limit = 0; TreeRoot DSOLOCAL *conn_read_state_whitelist = 0; TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0; @@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn) } } - if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit) { if (conn_read_state_suspicious_list && (tree_contains_ip(conn->pool, conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "READ state from %s - There is a suspission list but " \ - "that IP is not part of it, access granted", ip_count_r, - conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in READ state from %s - There is a suspission list " \ + "but that IP is not part of it, access granted", + ip_count_r, conn_read_state_limit, client_ip); } - else if (tree_contains_ip(conn->pool, conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "READ state from %s - Ip is on whitelist, access granted", - ip_count_r, conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in READ state from %s - Ip is on whitelist, access " \ + "granted", ip_count_r, conn_read_state_limit, + client_ip); } else { @@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn) "threads [%ld] of %ld allowed in READ state from %s - " \ "Possible DoS Consumption Attack [Rejected]", ip_count_r, conn_read_state_limit, client_ip); - return OK; + + if (conn_limits_filter_state == MODSEC_ENABLED) + return OK; } } @@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn) (tree_contains_ip(conn->pool, conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "WRITE state from %s - There is a suspission list but " \ - "that IP is not part of it, access granted", ip_count_w, - conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in WRITE state from %s - There is a suspission list " \ + "but that IP is not part of it, access granted", + ip_count_w, conn_read_state_limit, client_ip); } else if (tree_contains_ip(conn->pool, conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "WRITE state from %s - Ip is on whitelist, access granted", - ip_count_w, conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in WRITE state from %s - Ip is on whitelist, " \ + "access granted", ip_count_w, conn_read_state_limit, + client_ip); } else { @@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn) "threads [%ld] of %ld allowed in WRITE state from %s - " \ "Possible DoS Consumption Attack [Rejected]", ip_count_w, conn_write_state_limit, client_ip); - return OK; + + if (!conn_limits_filter_state == MODSEC_ENABLED) + return OK; } } } diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index a9460e78..3b1badf4 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion; extern DSOLOCAL int status_engine_state; +extern DSOLOCAL int conn_limits_filter_state; + extern DSOLOCAL unsigned long int conn_read_state_limit; extern DSOLOCAL TreeRoot *conn_read_state_whitelist; extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;