github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Computes auditlog during rules load time

Browse Source
This commit is contained in:
Felipe Zimmerle 2020-06-03 20:57:27 -03:00 committed by Felipe Zimmerle
parent bf3a1d84ff
commit c38051324d
18 changed files with 197 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@ -1,6 +1,8 @@
v3.x.y - YYYY-MMM-DD (to be released) v3.x.y - YYYY-MMM-DD (to be released)
------------------------------------- -------------------------------------
- auditlog: Computes whether or not to save while loading the rules.
[@zimmerle]
- actions: Computes Rule association while loading the rules given a - actions: Computes Rule association while loading the rules given a
performance boost on run time. performance boost on run time.
[@zimmerle, @martinhsv, @WGH-] [@zimmerle, @martinhsv, @WGH-]

14
headers/modsecurity/actions/action.h
View File

@ -33,20 +33,20 @@ namespace actions {
class Action { class Action {
public: public:
Action() Action()
: m_name(""), : m_parserPayload(""),
m_parserPayload("") m_name("")
{ } { }
explicit Action(const std::string& action) explicit Action(const std::string& action)
: m_name(sort_name(action)), : m_parserPayload(sort_payload(action)),
m_parserPayload(sort_payload(action)) m_name(sort_name(action))
{ } { }
Action(const Action &a) Action(const Action &a)
: m_name(a.m_name), : m_parserPayload(a.m_parserPayload),
m_parserPayload(a.m_parserPayload) m_name(a.m_name)
{ } { }
@ -76,7 +76,7 @@ class Action {
} }
const std::string *getName() { const std::string *getName() const {
return &m_name; return &m_name;
} }

5
headers/modsecurity/audit_log.h
View File

@ -170,9 +170,8 @@ class AuditLog {
bool init(std::string *error); bool init(std::string *error);
virtual bool close(); virtual bool close();
bool saveIfRelevant(Transaction *transaction); bool saveIfRelevant(Transaction *transaction) const noexcept;
bool saveIfRelevant(Transaction *transaction, int parts); bool isRelevant(int status) const noexcept;
bool isRelevant(int status);
static int addParts(int parts, const std::string& new_parts); static int addParts(int parts, const std::string& new_parts);
static int removeParts(int parts, const std::string& new_parts); static int removeParts(int parts, const std::string& new_parts);

2
headers/modsecurity/rule_message.h
View File

@ -130,6 +130,8 @@ class RuleMessage {
std::string getUri() const; std::string getUri() const;
bool isDisruptive() const; bool isDisruptive() const;
bool toBeAuditLog() const;
int m_severity; int m_severity;
std::list<std::string> m_tags; std::list<std::string> m_tags;

21
headers/modsecurity/transaction.h
View File

@ -322,8 +322,7 @@ class TransactionSecMarkerManagement {
class TransactionRuleMessageManagement { class TransactionRuleMessageManagement {
public: public:
explicit TransactionRuleMessageManagement(Transaction *t) explicit TransactionRuleMessageManagement(Transaction *t)
: m_transaction(t), : m_transaction(t) {
m_noAuditLog(false) {
messageNew(); messageNew();
}; };
@ -332,22 +331,7 @@ class TransactionRuleMessageManagement {
void logMatchLastRuleOnTheChain(RuleWithActions *rule); void logMatchLastRuleOnTheChain(RuleWithActions *rule);
void messageSetNoAuditLog(bool a) { std::list<RuleMessage *> messageGetAll();
m_noAuditLog = a;
}
bool messageSaveAuditLog() const {
return m_noAuditLog;
}
std::list<RuleMessage *> messageGetAll() {
std::list<RuleMessage *> messages;
for (RuleMessage *a : m_rulesMessages) {
messages.push_back(a);
}
return messages;
}
void messageClear() { void messageClear() {
m_rulesMessages.clear(); m_rulesMessages.clear();
@ -362,7 +346,6 @@ class TransactionRuleMessageManagement {
std::list<RuleMessage *> m_rulesMessages; std::list<RuleMessage *> m_rulesMessages;
Transaction *m_transaction; Transaction *m_transaction;
bool m_noAuditLog;
}; };

10
src/actions/audit_log.cc
View File

@ -15,20 +15,10 @@
#include "src/actions/audit_log.h" #include "src/actions/audit_log.h"
#include <string>
#include "modsecurity/transaction.h"
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
bool AuditLog::execute(Transaction *transaction) noexcept {
transaction->messageSetNoAuditLog(false);
return true;
}
} // namespace actions } // namespace actions
} // namespace modsecurity } // namespace modsecurity

11
src/actions/audit_log.h
View File

@ -16,6 +16,10 @@
#include "src/actions/action_allowed_in_sec_default_action.h" #include "src/actions/action_allowed_in_sec_default_action.h"
#include "src/actions/action_type_rule_metadata.h"
#include "src/actions/action_allowed_in_sec_default_action.h"
#ifndef SRC_ACTIONS_AUDIT_LOG_H_ #ifndef SRC_ACTIONS_AUDIT_LOG_H_
#define SRC_ACTIONS_AUDIT_LOG_H_ #define SRC_ACTIONS_AUDIT_LOG_H_
@ -24,13 +28,16 @@ namespace modsecurity {
namespace actions { namespace actions {
class AuditLog : public ActionAllowedAsSecDefaultAction { class AuditLog : public ActionTypeRuleMetaData,
public ActionAllowedAsSecDefaultAction {
public: public:
AuditLog() AuditLog()
: Action("auditLog") : Action("auditLog")
{ } { }
bool execute(Transaction *transaction) noexcept override; void configure(RuleWithActions *rule) override {
rule->setHasAuditLogAction(true);
}
}; };

8
src/actions/no_audit_log.cc
View File

@ -16,18 +16,10 @@
#include "src/actions/no_audit_log.h" #include "src/actions/no_audit_log.h"
#include "modsecurity/transaction.h"
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
bool NoAuditLog::execute(Transaction *transaction) noexcept {
transaction->messageSetNoAuditLog(true);
return true;
}
} // namespace actions } // namespace actions
} // namespace modsecurity } // namespace modsecurity

10
src/actions/no_audit_log.h
View File

@ -15,7 +15,8 @@
#include "modsecurity/actions/action.h" #include "modsecurity/actions/action.h"
#include "modsecurity/transaction.h"
#include "src/actions/action_type_rule_metadata.h"
#include "src/actions/action_allowed_in_sec_default_action.h" #include "src/actions/action_allowed_in_sec_default_action.h"
@ -27,13 +28,16 @@ namespace modsecurity {
namespace actions { namespace actions {
class NoAuditLog : public ActionAllowedAsSecDefaultAction { class NoAuditLog : public ActionTypeRuleMetaData,
public ActionAllowedAsSecDefaultAction {
public: public:
NoAuditLog() NoAuditLog()
: Action("noAuditLog") : Action("noAuditLog")
{ } { }
bool execute(Transaction *transaction) noexcept override; void configure(RuleWithActions *rule) override {
rule->setHasNoAuditLogAction(true);
}
}; };

38
src/audit_log/audit_log.cc
View File

@ -266,14 +266,13 @@ bool AuditLog::init(std::string *error) {
} }
bool AuditLog::isRelevant(int status) { bool AuditLog::isRelevant(int status) const noexcept {
std::string sstatus = std::to_string(status); std::string sstatus = std::to_string(status);
if (m_relevant.empty()) { if (m_relevant.empty()) {
return false; return false;
} }
if (sstatus.empty()) { if (sstatus.empty()) {
return true; return true;
} }
@ -283,45 +282,34 @@ bool AuditLog::isRelevant(int status) {
} }
bool AuditLog::saveIfRelevant(Transaction *transaction) { bool AuditLog::saveIfRelevant(Transaction *transaction) const noexcept {
return saveIfRelevant(transaction, -1);
}
bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
bool saveAnyway = false;
if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) { if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
ms_dbg_a(transaction, 5, "Audit log engine was not set."); ms_dbg_a(transaction, 5, "Audit log engine was not set.");
return true; return false;
} }
saveAnyway = transaction->messageSaveAuditLog();
if ((m_status == RelevantOnlyAuditLogStatus if ((m_status == RelevantOnlyAuditLogStatus
&& this->isRelevant(transaction->m_httpCodeReturned) == false) && isRelevant(transaction->m_httpCodeReturned) == false)) {
&& saveAnyway == false) {
ms_dbg_a(transaction, 9, "Return code `" + ms_dbg_a(transaction, 9, "Return code `" +
std::to_string(transaction->m_httpCodeReturned) + "'" \ std::to_string(transaction->m_httpCodeReturned) + "'" \
" is not interesting to audit logs, relevant code(s): `" + " is not interesting to audit logs, relevant code(s): `" +
m_relevant + "'."); m_relevant + "'.");
return false; return false;
} }
if (parts == -1) {
parts = m_parts;
}
ms_dbg_a(transaction, 5, "Saving this request as part " \ ms_dbg_a(transaction, 5, "Saving this request as part " \
"of the audit logs."); "of the audit logs.");
if (m_writer == NULL) { if (m_writer == NULL) {
ms_dbg_a(transaction, 1, "Internal error, audit log writer is null"); ms_dbg_a(transaction, 1, "Internal error, audit log writer is null");
} else { return false;
std::string error; }
bool a = m_writer->write(transaction, parts, &error);
if (a == false) { std::string error;
ms_dbg_a(transaction, 1, "Cannot save the audit log: " + error); bool a = m_writer->write(transaction, transaction->m_auditLogParts, &error);
return false; if (a == false) {
} ms_dbg_a(transaction, 1, "Cannot save the audit log: " + error);
return false;
} }
return true; return true;

6
src/parser/driver.cc
View File

@ -157,6 +157,12 @@ int Driver::addSecRule(std::unique_ptr<RuleWithActions> r) {
firstRule->getChainedParent()->setHasLogAction( firstRule->getChainedParent()->setHasLogAction(
firstRule->hasNoLogAction() firstRule->hasNoLogAction()
); );
firstRule->getChainedParent()->setHasAuditLogAction(
firstRule->hasAuditLogAction()
);
firstRule->getChainedParent()->setHasNoAuditLogAction(
firstRule->hasNoAuditLogAction()
);
firstRule = firstRule->getChainedParent(); firstRule = firstRule->getChainedParent();
} }
} }

8
src/rule_message.cc
View File

@ -176,6 +176,14 @@ int RuleMessage::getAccuracy() const {
} }
bool RuleMessage::toBeAuditLog() const {
if (m_rule) {
return m_rule->isItToBeAuditLogged();
}
return false;
}
std::string RuleMessage::getClientIpAddress() const { std::string RuleMessage::getClientIpAddress() const {
if (m_transaction) { if (m_transaction) {
return *m_transaction->m_clientIpAddress.get(); return *m_transaction->m_clientIpAddress.get();

4
src/rule_with_actions.cc
View File

@ -90,6 +90,8 @@ RuleWithActions::RuleWithActions(
m_containsCaptureAction(false), m_containsCaptureAction(false),
m_containsLogAction(false), m_containsLogAction(false),
m_containsNoLogAction(false), m_containsNoLogAction(false),
m_containsAuditLogAction(false),
m_containsNoAuditLogAction(false),
m_containsMultiMatchAction(false), m_containsMultiMatchAction(false),
m_containsStaticBlockAction(false), m_containsStaticBlockAction(false),
m_defaultSeverity(SEVERITY_NOT_SET), m_defaultSeverity(SEVERITY_NOT_SET),
@ -100,6 +102,8 @@ RuleWithActions::RuleWithActions(
m_defaultContainsCaptureAction(false), m_defaultContainsCaptureAction(false),
m_defaultContainsLogAction(false), m_defaultContainsLogAction(false),
m_defaultContainsNoLogAction(false), m_defaultContainsNoLogAction(false),
m_defaultContainsAuditLogAction(false),
m_defaultContainsNoAuditLogAction(false),
m_defaultContainsMultiMatchAction(false), m_defaultContainsMultiMatchAction(false),
m_defaultContainsStaticBlockAction(false), m_defaultContainsStaticBlockAction(false),
m_isChained(false) { m_isChained(false) {

49
src/rule_with_actions.h
View File

@ -146,6 +146,8 @@ class RuleWithActions : public Rule {
m_containsCaptureAction(r.m_containsCaptureAction), m_containsCaptureAction(r.m_containsCaptureAction),
m_containsLogAction(r.m_containsLogAction), m_containsLogAction(r.m_containsLogAction),
m_containsNoLogAction(r.m_containsNoLogAction), m_containsNoLogAction(r.m_containsNoLogAction),
m_containsAuditLogAction(r.m_containsAuditLogAction),
m_containsNoAuditLogAction(r.m_containsNoAuditLogAction),
m_containsMultiMatchAction(r.m_containsMultiMatchAction), m_containsMultiMatchAction(r.m_containsMultiMatchAction),
m_containsStaticBlockAction(r.m_containsStaticBlockAction), m_containsStaticBlockAction(r.m_containsStaticBlockAction),
m_defaultSeverity(r.m_defaultSeverity), m_defaultSeverity(r.m_defaultSeverity),
@ -156,6 +158,8 @@ class RuleWithActions : public Rule {
m_defaultContainsCaptureAction(r.m_defaultContainsCaptureAction), m_defaultContainsCaptureAction(r.m_defaultContainsCaptureAction),
m_defaultContainsLogAction(r.m_defaultContainsLogAction), m_defaultContainsLogAction(r.m_defaultContainsLogAction),
m_defaultContainsNoLogAction(r.m_defaultContainsNoLogAction), m_defaultContainsNoLogAction(r.m_defaultContainsNoLogAction),
m_defaultContainsAuditLogAction(r.m_defaultContainsAuditLogAction),
m_defaultContainsNoAuditLogAction(r.m_defaultContainsNoAuditLogAction),
m_defaultContainsMultiMatchAction(r.m_defaultContainsMultiMatchAction), m_defaultContainsMultiMatchAction(r.m_defaultContainsMultiMatchAction),
m_defaultContainsStaticBlockAction(r.m_defaultContainsStaticBlockAction), m_defaultContainsStaticBlockAction(r.m_defaultContainsStaticBlockAction),
m_isChained(r.m_isChained) { m_isChained(r.m_isChained) {
@ -190,6 +194,8 @@ class RuleWithActions : public Rule {
m_containsCaptureAction = r.m_containsCaptureAction; m_containsCaptureAction = r.m_containsCaptureAction;
m_containsLogAction = r.m_containsLogAction; m_containsLogAction = r.m_containsLogAction;
m_containsNoLogAction = r.m_containsNoLogAction; m_containsNoLogAction = r.m_containsNoLogAction;
m_containsAuditLogAction = r.m_containsAuditLogAction;
m_containsNoAuditLogAction = r.m_containsNoAuditLogAction;
m_containsMultiMatchAction = r.m_containsMultiMatchAction; m_containsMultiMatchAction = r.m_containsMultiMatchAction;
m_containsStaticBlockAction = r.m_containsStaticBlockAction; m_containsStaticBlockAction = r.m_containsStaticBlockAction;
m_defaultSeverity = r.m_defaultSeverity; m_defaultSeverity = r.m_defaultSeverity;
@ -200,6 +206,8 @@ class RuleWithActions : public Rule {
m_defaultContainsCaptureAction = r.m_defaultContainsCaptureAction; m_defaultContainsCaptureAction = r.m_defaultContainsCaptureAction;
m_defaultContainsLogAction = r.m_defaultContainsLogAction; m_defaultContainsLogAction = r.m_defaultContainsLogAction;
m_defaultContainsNoLogAction = r.m_defaultContainsNoLogAction; m_defaultContainsNoLogAction = r.m_defaultContainsNoLogAction;
m_defaultContainsAuditLogAction = r.m_defaultContainsAuditLogAction;
m_defaultContainsNoAuditLogAction = r.m_defaultContainsNoAuditLogAction;
m_defaultContainsMultiMatchAction = r.m_defaultContainsMultiMatchAction; m_defaultContainsMultiMatchAction = r.m_defaultContainsMultiMatchAction;
m_defaultContainsStaticBlockAction = r.m_defaultContainsStaticBlockAction; m_defaultContainsStaticBlockAction = r.m_defaultContainsStaticBlockAction;
m_isChained = r.m_isChained; m_isChained = r.m_isChained;
@ -358,11 +366,48 @@ class RuleWithActions : public Rule {
inline void setHasMultimatchAction(bool b) { m_containsMultiMatchAction = b; } inline void setHasMultimatchAction(bool b) { m_containsMultiMatchAction = b; }
inline bool hasMultimatchAction() const { return m_containsMultiMatchAction || m_defaultContainsMultiMatchAction; } inline bool hasMultimatchAction() const { return m_containsMultiMatchAction || m_defaultContainsMultiMatchAction; }
inline bool hasAuditLogAction() const { return m_containsAuditLogAction == true; }
inline void setHasAuditLogAction(bool b) { m_containsAuditLogAction = b; }
inline bool hasNoAuditLogAction() const { return m_containsNoAuditLogAction == true; }
inline void setHasNoAuditLogAction(bool b) { m_containsNoAuditLogAction = b; }
inline bool hasLogAction() const { return m_containsLogAction == true; } inline bool hasLogAction() const { return m_containsLogAction == true; }
inline void setHasLogAction(bool b) { m_containsLogAction = b; } inline void setHasLogAction(bool b) { m_containsLogAction = b; }
inline bool hasNoLogAction() const { return m_containsNoLogAction == true; } inline bool hasNoLogAction() const { return m_containsNoLogAction == true; }
inline void setHasNoLogAction(bool b) { m_containsNoLogAction = b; } inline void setHasNoLogAction(bool b) { m_containsNoLogAction = b; }
inline bool isItToBeLogged() const noexcept {
if (m_containsNoLogAction) {
return false;
}
if (m_defaultContainsNoLogAction && !m_containsLogAction) {
return false;
}
return true;
}
inline bool isItToBeAuditLogged() const noexcept {
if (!isItToBeLogged() && !m_containsAuditLogAction
&& !m_defaultContainsAuditLogAction) {
return false;
}
if (m_containsNoAuditLogAction) {
return false;
}
if (m_defaultContainsNoLogAction && !m_containsAuditLogAction) {
return false;
}
return true;
}
inline bool hasLogDataAction() const { return m_logData != nullptr || m_defaultActionLogData != nullptr; } inline bool hasLogDataAction() const { return m_logData != nullptr || m_defaultActionLogData != nullptr; }
inline std::shared_ptr<actions::LogData> getLogDataAction() const { return m_logData; } inline std::shared_ptr<actions::LogData> getLogDataAction() const { return m_logData; }
std::string getLogData(/*const */Transaction *t) const; std::string getLogData(/*const */Transaction *t) const;
@ -543,6 +588,8 @@ class RuleWithActions : public Rule {
bool m_containsCaptureAction:1; bool m_containsCaptureAction:1;
bool m_containsLogAction:1; bool m_containsLogAction:1;
bool m_containsNoLogAction:1; bool m_containsNoLogAction:1;
bool m_containsAuditLogAction:1;
bool m_containsNoAuditLogAction:1;
bool m_containsMultiMatchAction:1; bool m_containsMultiMatchAction:1;
bool m_containsStaticBlockAction:1; bool m_containsStaticBlockAction:1;
@ -555,6 +602,8 @@ class RuleWithActions : public Rule {
bool m_defaultContainsCaptureAction:1; bool m_defaultContainsCaptureAction:1;
bool m_defaultContainsLogAction:1; bool m_defaultContainsLogAction:1;
bool m_defaultContainsNoLogAction:1; bool m_defaultContainsNoLogAction:1;
bool m_defaultContainsAuditLogAction:1;
bool m_defaultContainsNoAuditLogAction:1;
bool m_defaultContainsMultiMatchAction:1; bool m_defaultContainsMultiMatchAction:1;
bool m_defaultContainsStaticBlockAction:1; bool m_defaultContainsStaticBlockAction:1;

28
src/transaction.cc
View File

@ -72,12 +72,15 @@ void TransactionRuleMessageManagement::logMatchLastRuleOnTheChain(RuleWithAction
rm->setRule(rule); rm->setRule(rule);
if (rule->hasDisruptiveAction() && if (rule->hasDisruptiveAction() && rule->isItToBeLogged() &&
(m_transaction->getRuleEngineState() == RulesSet::DetectionOnlyRuleEngine)) { (m_transaction->getRuleEngineState() == RulesSet::DetectionOnlyRuleEngine)) {
/* error */ /* error */
// The error goes over the disruptive massage. We don't need it here. // The error goes over the disruptive massage. We don't need it here.
//m_transaction->serverLog(rm); //m_transaction->serverLog(rm);
} else if (rule->hasBlockAction() && (!rule->hasNoLogAction()) || rule->hasLogAction()) { } else if (rule->hasBlockAction() && rule->isItToBeLogged()) {
/* Log as warning. */
m_transaction->serverLog(rm);
} else if (rule->isItToBeLogged()) {
/* Log as warning. */ /* Log as warning. */
m_transaction->serverLog(rm); m_transaction->serverLog(rm);
messageNew(); messageNew();
@ -88,6 +91,15 @@ void TransactionRuleMessageManagement::messageNew() {
m_rulesMessages.push_back(new RuleMessage(m_transaction)); m_rulesMessages.push_back(new RuleMessage(m_transaction));
} }
std::list<RuleMessage *> TransactionRuleMessageManagement::messageGetAll() {
std::list<RuleMessage *> messages;
for (RuleMessage *a : m_rulesMessages) {
messages.push_back(a);
}
return messages;
}
/** /**
* @name Transaction * @name Transaction
@ -272,7 +284,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCb
ms_dbg(4, "Initializing transaction"); ms_dbg(4, "Initializing transaction");
if (m_rules != NULL && m_rules->m_auditLog != NULL) { if (m_rules != NULL && m_rules->m_auditLog != NULL) {
m_auditLogParts = this->m_rules->m_auditLog->getParts(); m_auditLogParts = m_rules->m_auditLog->getParts();
} }
intervention::clean(&m_it); intervention::clean(&m_it);
@ -1418,8 +1430,7 @@ int Transaction::processLogging() {
ms_dbg(8, "Checking if this request is suitable to be " \ ms_dbg(8, "Checking if this request is suitable to be " \
"saved as an audit log."); "saved as an audit log.");
// FIXME: m_auditLogParts can be accessed via Transaction. bool saved = m_rules->m_auditLog->saveIfRelevant(this);
bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, m_auditLogParts);
if (saved) { if (saved) {
ms_dbg(8, "Request was relevant to be saved. Parts: " + ms_dbg(8, "Request was relevant to be saved. Parts: " +
std::to_string(m_auditLogParts)); std::to_string(m_auditLogParts));
@ -1605,6 +1616,9 @@ std::string Transaction::toOldAuditLogFormat(int parts,
if (parts & audit_log::AuditLog::HAuditLogPart) { if (parts & audit_log::AuditLog::HAuditLogPart) {
audit_log << "--" << trailer << "-" << "H--" << std::endl; audit_log << "--" << trailer << "-" << "H--" << std::endl;
for (auto a : messageGetAll()) { for (auto a : messageGetAll()) {
if (!a->toBeAuditLog()) {
continue;
}
audit_log << a->log(0, m_httpCodeReturned) << std::endl; audit_log << a->log(0, m_httpCodeReturned) << std::endl;
} }
audit_log << std::endl; audit_log << std::endl;
@ -1768,6 +1782,10 @@ std::string Transaction::toJSON(int parts) {
strlen("messages")); strlen("messages"));
yajl_gen_array_open(g); yajl_gen_array_open(g);
for (auto a : messageGetAll()) { for (auto a : messageGetAll()) {
if (!a->toBeAuditLog()) {
continue;
}
yajl_gen_map_open(g); yajl_gen_map_open(g);
LOGFY_ADD("message", a->m_message.c_str()); LOGFY_ADD("message", a->m_message.c_str());
yajl_gen_string(g, yajl_gen_string(g,

2
test/cppcheck_suppressions.txt
View File

@ -42,7 +42,7 @@ redundantAssignment:src/operators/pm.cc:94
functionStatic:src/operators/geo_lookup.h:39 functionStatic:src/operators/geo_lookup.h:39
useInitializationList:src/utils/shared_files.h:87 useInitializationList:src/utils/shared_files.h:87
unmatchedSuppression:src/utils/msc_tree.cc unmatchedSuppression:src/utils/msc_tree.cc
functionStatic:headers/modsecurity/transaction.h:454 functionStatic:headers/modsecurity/transaction.h:437
duplicateBranch:src/audit_log/audit_log.cc:223 duplicateBranch:src/audit_log/audit_log.cc:223
unreadVariable:src/request_body_processor/multipart.cc:435 unreadVariable:src/request_body_processor/multipart.cc:435
stlcstrParam:src/audit_log/writer/parallel.cc:145 stlcstrParam:src/audit_log/writer/parallel.cc:145

66
test/test-cases/regression/auditlog.json
View File

@ -3,7 +3,7 @@
"enabled": 1, "enabled": 1,
"version_min": 300000, "version_min": 300000,
"version_max": 0, "version_max": 0,
"title": "auditlog : basic parser test - Parallel", "title": "auditlog : basic parser test - Parallel 1",
"client": { "client": {
"ip": "200.249.12.31", "ip": "200.249.12.31",
"port": 2313 "port": 2313
@ -40,7 +40,7 @@
}, },
"expected": { "expected": {
"audit_log": "", "audit_log": "",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test", "debug_log": "Saving this request as part of the audit logs",
"error_log": "", "error_log": "",
"http_code": 403 "http_code": 403
}, },
@ -60,7 +60,7 @@
"enabled": 1, "enabled": 1,
"version_min": 300000, "version_min": 300000,
"version_max": 0, "version_max": 0,
"title": "auditlog : basic parser test - Serial", "title": "auditlog : basic parser test - Serial 1",
"client": { "client": {
"ip": "200.249.12.31", "ip": "200.249.12.31",
"port": 2313 "port": 2313
@ -96,8 +96,8 @@
] ]
}, },
"expected": { "expected": {
"audit_log": "", "audit_log": "Access denied with code 403",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test", "debug_log": "",
"error_log": "", "error_log": "",
"http_code": 403 "http_code": 403
}, },
@ -118,7 +118,7 @@
"enabled": 1, "enabled": 1,
"version_min": 300000, "version_min": 300000,
"version_max": 0, "version_max": 0,
"title": "auditlog : basic parser test - Parallel", "title": "auditlog : basic parser test - Parallel 2",
"client": { "client": {
"ip": "200.249.12.31", "ip": "200.249.12.31",
"port": 2313 "port": 2313
@ -154,8 +154,8 @@
] ]
}, },
"expected": { "expected": {
"audit_log": "", "audit_log": "www.modsecurity.org 200.249.12.31",
"debug_log": "\\[9\\] T \\(0\\) t:trim: \"test", "debug_log": "Saving this request as part of the audit logs",
"error_log": "", "error_log": "",
"http_code": 403 "http_code": 403
}, },
@ -220,5 +220,55 @@
"SecAuditLogType Serial", "SecAuditLogType Serial",
"SecAuditLogRelevantStatus \"^(?:5|4(?!04))\"" "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
] ]
},
{
"enabled": 1,
"version_min": 300000,
"version_max": 0,
"title": "auditlog : messages verification - nolog,noauditlog",
"client": {
"ip": "200.249.12.31",
"port": 2313
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "www.modsecurity.org",
"User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
"Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive": "300",
"Connection": "keep-alive",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
},
"uri": "\/test.pl?param1=test&param2=test2",
"method": "GET",
"http_version": 1.1,
"body": ""
},
"expected": {
"audit_log": "1556",
"error_log": "",
"http_code": 403
},
"rules": [
"SecRuleEngine On",
"SecDefaultAction \"phase:1,nolog,auditlog,status:403,pass\"",
"SecRule ARGS \"@contains test\" \"id:1555,phase:1,log,noauditlog\"",
"SecRule ARGS \"@contains test\" \"id:1556,phase:1,deny,auditlog\"",
"SecAuditEngine RelevantOnly",
"SecAuditLogParts ABCFHZ",
"SecAuditLog /tmp/test/modsec_audit_auditlog_1.log",
"SecAuditLogDirMode 0766",
"SecAuditLogFileMode 0666",
"SecAuditLogType Serial",
"SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
]
} }
] ]

5
test/test-cases/regression/config-secdefaultaction.json
View File

@ -272,11 +272,14 @@
}, },
"expected":{ "expected":{
"audit_log":"", "audit_log":"",
"debug_log":"Request was relevant to be saved.", "debug_log":"Saving this request as part of the audit logs",
"http_code": 302 "http_code": 302
}, },
"rules":[ "rules":[
"SecRuleEngine On", "SecRuleEngine On",
"SecAuditEngine On",
"SecAuditLogStorageDir /tmp/test",
"SecAuditLogType Parallel",
"SecDefaultAction \"phase:2,log,auditlog,status:302,redirect:'http://www.google.com'\"", "SecDefaultAction \"phase:2,log,auditlog,status:302,redirect:'http://www.google.com'\"",
"SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,block\"", "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,block\"",
"SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none,block\"" "SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none,block\""