From a15f8813e98c8d3109a06f5913e3795aba79de76 Mon Sep 17 00:00:00 2001 From: Felipe Zimmerle Date: Thu, 31 Oct 2013 14:28:00 -0700 Subject: [PATCH] Honor the SecRuleEngine while filtering connections The SecRuleEngine has the capability to Enable, Disable or even to place the ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit were not honoring such state, due the fact that our configuration belongs to requests not to connections, the only struct that exists while those filters are placed. By adding a global variable "conn_limits_filter_state" we are now able to identify the current state of the ModSecurity, once the configuration is loaded this variable is set and used by the connections filters. --- apache2/apache2_config.c | 26 +++++++++++++------ apache2/mod_security2.c | 54 ++++++++++++++++++++++++---------------- apache2/modsecurity.h | 2 ++ 3 files changed, 53 insertions(+), 29 deletions(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 678fb96c..2ee70bfe 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg, static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1) { directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; - if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED; - else - if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED; - else - if (strcasecmp(p1, "detectiononly") == 0) { + if (strcasecmp(p1, "on") == 0) + { + dcfg->is_enabled = MODSEC_ENABLED; + } + else if (strcasecmp(p1, "off") == 0) + { + dcfg->is_enabled = MODSEC_DISABLED; + } + else if (strcasecmp(p1, "detectiononly") == 0) + { dcfg->is_enabled = MODSEC_DETECTION_ONLY; dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL; dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL; - } else - return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); + } + else + { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \ + "SecRuleEngine: %s", p1); + } + + conn_limits_filter_state = dcfg->is_enabled; return NULL; } diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index dfa3e40c..8e90e64a 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0; int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED; +int DSOLOCAL conn_limits_filter_state = 0; + unsigned long int DSOLOCAL conn_read_state_limit = 0; TreeRoot DSOLOCAL *conn_read_state_whitelist = 0; TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0; @@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn) } } - if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit) { if (conn_read_state_suspicious_list && (tree_contains_ip(conn->pool, conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "READ state from %s - There is a suspission list but " \ - "that IP is not part of it, access granted", ip_count_r, - conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in READ state from %s - There is a suspission list " \ + "but that IP is not part of it, access granted", + ip_count_r, conn_read_state_limit, client_ip); } - else if (tree_contains_ip(conn->pool, conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "READ state from %s - Ip is on whitelist, access granted", - ip_count_r, conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in READ state from %s - Ip is on whitelist, access " \ + "granted", ip_count_r, conn_read_state_limit, + client_ip); } else { @@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn) "threads [%ld] of %ld allowed in READ state from %s - " \ "Possible DoS Consumption Attack [Rejected]", ip_count_r, conn_read_state_limit, client_ip); - return OK; + + if (conn_limits_filter_state == MODSEC_ENABLED) + return OK; } } @@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn) (tree_contains_ip(conn->pool, conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "WRITE state from %s - There is a suspission list but " \ - "that IP is not part of it, access granted", ip_count_w, - conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in WRITE state from %s - There is a suspission list " \ + "but that IP is not part of it, access granted", + ip_count_w, conn_read_state_limit, client_ip); } else if (tree_contains_ip(conn->pool, conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "ModSecurity: Too many threads [%ld] of %ld allowed in " \ - "WRITE state from %s - Ip is on whitelist, access granted", - ip_count_w, conn_read_state_limit, client_ip); + if (conn_limits_filter_state == MODSEC_DETECTION_ONLY) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "ModSecurity: Too many threads [%ld] of %ld allowed " \ + "in WRITE state from %s - Ip is on whitelist, " \ + "access granted", ip_count_w, conn_read_state_limit, + client_ip); } else { @@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn) "threads [%ld] of %ld allowed in WRITE state from %s - " \ "Possible DoS Consumption Attack [Rejected]", ip_count_w, conn_write_state_limit, client_ip); - return OK; + + if (!conn_limits_filter_state == MODSEC_ENABLED) + return OK; } } } diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index a9460e78..3b1badf4 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion; extern DSOLOCAL int status_engine_state; +extern DSOLOCAL int conn_limits_filter_state; + extern DSOLOCAL unsigned long int conn_read_state_limit; extern DSOLOCAL TreeRoot *conn_read_state_whitelist; extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;