github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Honor the SecRuleEngine while filtering connections

Browse Source 
The SecRuleEngine has the capability to Enable, Disable or even to place the
ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit
were not honoring such state, due the fact that our configuration belongs to
requests not to connections, the only struct that exists while those filters
are placed. By adding a global variable "conn_limits_filter_state" we are now
able to identify the current state of the ModSecurity, once the configuration
is loaded this variable is set and used by the connections filters.
This commit is contained in:
Felipe Zimmerle 2013-10-31 14:28:00 -07:00
parent 0037a0732a
commit a15f8813e9
3 changed files with 53 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
apache2/apache2_config.c
View File

@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1) static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
if (dcfg == NULL) return NULL; if (dcfg == NULL) return NULL;
if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED; if (strcasecmp(p1, "on") == 0)
else {
if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED; dcfg->is_enabled = MODSEC_ENABLED;
else }
if (strcasecmp(p1, "detectiononly") == 0) { else if (strcasecmp(p1, "off") == 0)
{
dcfg->is_enabled = MODSEC_DISABLED;
}
else if (strcasecmp(p1, "detectiononly") == 0)
{
dcfg->is_enabled = MODSEC_DETECTION_ONLY; dcfg->is_enabled = MODSEC_DETECTION_ONLY;
dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL; dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL; dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
} else }
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); else
{
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
"SecRuleEngine: %s", p1);
}
conn_limits_filter_state = dcfg->is_enabled;
return NULL; return NULL;
} }

54
apache2/mod_security2.c
View File

@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED; int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
int DSOLOCAL conn_limits_filter_state = 0;
unsigned long int DSOLOCAL conn_read_state_limit = 0; unsigned long int DSOLOCAL conn_read_state_limit = 0;
TreeRoot DSOLOCAL *conn_read_state_whitelist = 0; TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0; TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0;
@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn)
} }
} }
if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit) if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
{ {
if (conn_read_state_suspicious_list && if (conn_read_state_suspicious_list &&
(tree_contains_ip(conn->pool, (tree_contains_ip(conn->pool,
conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
{ {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
"ModSecurity: Too many threads [%ld] of %ld allowed in " \ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
"READ state from %s - There is a suspission list but " \ "ModSecurity: Too many threads [%ld] of %ld allowed " \
"that IP is not part of it, access granted", ip_count_r, "in READ state from %s - There is a suspission list " \
conn_read_state_limit, client_ip); "but that IP is not part of it, access granted",
ip_count_r, conn_read_state_limit, client_ip);
} }
else if (tree_contains_ip(conn->pool, else if (tree_contains_ip(conn->pool,
conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0) conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0)
{ {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
"ModSecurity: Too many threads [%ld] of %ld allowed in " \ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
"READ state from %s - Ip is on whitelist, access granted", "ModSecurity: Too many threads [%ld] of %ld allowed " \
ip_count_r, conn_read_state_limit, client_ip); "in READ state from %s - Ip is on whitelist, access " \
"granted", ip_count_r, conn_read_state_limit,
client_ip);
} }
else else
{ {
@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn)
"threads [%ld] of %ld allowed in READ state from %s - " \ "threads [%ld] of %ld allowed in READ state from %s - " \
"Possible DoS Consumption Attack [Rejected]", ip_count_r, "Possible DoS Consumption Attack [Rejected]", ip_count_r,
conn_read_state_limit, client_ip); conn_read_state_limit, client_ip);
return OK;
if (conn_limits_filter_state == MODSEC_ENABLED)
return OK;
} }
} }
@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn)
(tree_contains_ip(conn->pool, (tree_contains_ip(conn->pool,
conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0)) conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
{ {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
"ModSecurity: Too many threads [%ld] of %ld allowed in " \ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
"WRITE state from %s - There is a suspission list but " \ "ModSecurity: Too many threads [%ld] of %ld allowed " \
"that IP is not part of it, access granted", ip_count_w, "in WRITE state from %s - There is a suspission list " \
conn_read_state_limit, client_ip); "but that IP is not part of it, access granted",
ip_count_w, conn_read_state_limit, client_ip);
} }
else if (tree_contains_ip(conn->pool, else if (tree_contains_ip(conn->pool,
conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0) conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0)
{ {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
"ModSecurity: Too many threads [%ld] of %ld allowed in " \ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
"WRITE state from %s - Ip is on whitelist, access granted", "ModSecurity: Too many threads [%ld] of %ld allowed " \
ip_count_w, conn_read_state_limit, client_ip); "in WRITE state from %s - Ip is on whitelist, " \
"access granted", ip_count_w, conn_read_state_limit,
client_ip);
} }
else else
{ {
@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn)
"threads [%ld] of %ld allowed in WRITE state from %s - " \ "threads [%ld] of %ld allowed in WRITE state from %s - " \
"Possible DoS Consumption Attack [Rejected]", ip_count_w, "Possible DoS Consumption Attack [Rejected]", ip_count_w,
conn_write_state_limit, client_ip); conn_write_state_limit, client_ip);
return OK;
if (!conn_limits_filter_state == MODSEC_ENABLED)
return OK;
} }
} }
} }

2
apache2/modsecurity.h
View File

@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
extern DSOLOCAL int status_engine_state; extern DSOLOCAL int status_engine_state;
extern DSOLOCAL int conn_limits_filter_state;
extern DSOLOCAL unsigned long int conn_read_state_limit; extern DSOLOCAL unsigned long int conn_read_state_limit;
extern DSOLOCAL TreeRoot *conn_read_state_whitelist; extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list; extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;