diff --git a/src/rule.cc b/src/rule.cc index 673b4af3..106341e2 100644 --- a/src/rule.cc +++ b/src/rule.cc @@ -179,56 +179,56 @@ std::vector Rule::getActionNames() { } -bool Rule::evaluateActions(Transaction *trasn) { +bool Rule::evaluateActions(Transaction *trans) { return true; } -void Rule::updateMatchedVars(Transaction *trasn, std::string key, +void Rule::updateMatchedVars(Transaction *trans, std::string key, std::string value) { - trasn->debug(4, "Matched vars updated."); - trasn->m_variableMatchedVar.set(value, trasn->m_variableOffset); - trasn->m_variableMatchedVarName.set(key, trasn->m_variableOffset); + trans->debug(4, "Matched vars updated."); + trans->m_variableMatchedVar.set(value, trans->m_variableOffset); + trans->m_variableMatchedVarName.set(key, trans->m_variableOffset); - trasn->m_variableMatchedVars.set(key, value, trasn->m_variableOffset); - trasn->m_variableMatchedVarsNames.set(key, key, trasn->m_variableOffset); + trans->m_variableMatchedVars.set(key, value, trans->m_variableOffset); + trans->m_variableMatchedVarsNames.set(key, key, trans->m_variableOffset); } -void Rule::cleanMatchedVars(Transaction *trasn) { - trasn->debug(4, "Matched vars cleaned."); - trasn->m_variableMatchedVar.unset(); - trasn->m_variableMatchedVars.unset(); - trasn->m_variableMatchedVarName.unset(); - trasn->m_variableMatchedVarsNames.unset(); +void Rule::cleanMatchedVars(Transaction *trans) { + trans->debug(4, "Matched vars cleaned."); + trans->m_variableMatchedVar.unset(); + trans->m_variableMatchedVars.unset(); + trans->m_variableMatchedVarName.unset(); + trans->m_variableMatchedVarsNames.unset(); } -void Rule::updateRulesVariable(Transaction *trasn) { +void Rule::updateRulesVariable(Transaction *trans) { if (m_ruleId != 0) { - trasn->m_variableRule.set("id", + trans->m_variableRule.set("id", std::to_string(m_ruleId), 0); } if (m_rev.empty() == false) { - trasn->m_variableRule.set("rev", + trans->m_variableRule.set("rev", m_rev, 0); } if (getActionsByName("msg").size() > 0) { actions::Msg *msg = dynamic_cast( getActionsByName("msg")[0]); - trasn->m_variableRule.set("msg", - msg->data(trasn), 0); + trans->m_variableRule.set("msg", + msg->data(trans), 0); } if (getActionsByName("logdata").size() > 0) { actions::LogData *data = dynamic_cast( getActionsByName("logdata")[0]); - trasn->m_variableRule.set("logdata", - data->data(trasn), 0); + trans->m_variableRule.set("logdata", + data->data(trans), 0); } if (getActionsByName("severity").size() > 0) { actions::Severity *data = dynamic_cast( getActionsByName("severity")[0]); - trasn->m_variableRule.set("severity", + trans->m_variableRule.set("severity", std::to_string(data->m_severity), 0); } } @@ -249,12 +249,12 @@ std::string Rule::resolveMatchMessage(std::string key, std::string value) { } -void Rule::executeActionsIndependentOfChainedRuleResult(Transaction *trasn, +void Rule::executeActionsIndependentOfChainedRuleResult(Transaction *trans, bool *containsDisruptive, RuleMessage *ruleMessage) { for (Action *a : this->m_actionsRuntimePos) { if (a->isDisruptive() == true) { if (a->m_name == "pass") { - trasn->debug(4, "Rule contains a `pass' action"); + trans->debug(4, "Rule contains a `pass' action"); } else { *containsDisruptive = true; } @@ -262,16 +262,16 @@ void Rule::executeActionsIndependentOfChainedRuleResult(Transaction *trasn, if (a->m_name == "setvar" || a->m_name == "msg" || a->m_name == "log") { - trasn->debug(4, "Running [I] (_non_ disruptive) " \ + trans->debug(4, "Running [I] (_non_ disruptive) " \ "action: " + a->m_name); - a->evaluate(this, trasn, ruleMessage); + a->evaluate(this, trans, ruleMessage); } } } } -bool Rule::executeOperatorAt(Transaction *trasn, std::string key, +bool Rule::executeOperatorAt(Transaction *trans, std::string key, std::string value, RuleMessage *ruleMessage) { #if MSC_EXEC_CLOCK_ENABLED clock_t begin = clock(); @@ -280,11 +280,11 @@ bool Rule::executeOperatorAt(Transaction *trasn, std::string key, #endif bool ret; - trasn->debug(9, "Target value: \"" + utils::string::limitTo(80, + trans->debug(9, "Target value: \"" + utils::string::limitTo(80, utils::string::toHexIfNeeded(value)) \ + "\" (Variable: " + key + ")"); - ret = this->m_op->evaluateInternal(trasn, this, value, ruleMessage); + ret = this->m_op->evaluateInternal(trans, this, value, ruleMessage); if (ret == false) { return false; } @@ -293,7 +293,7 @@ bool Rule::executeOperatorAt(Transaction *trasn, std::string key, end = clock(); elapsed_s = static_cast(end - begin) / CLOCKS_PER_SEC; - trasn->debug(4, "Operator completed in " + \ + trans->debug(4, "Operator completed in " + \ std::to_string(elapsed_s) + " seconds"); #endif return ret; @@ -304,7 +304,7 @@ std::list, std::shared_ptr>> Rule::executeDefaultTransformations( - Transaction *trasn, const std::string &in, bool multiMatch) { + Transaction *trans, const std::string &in, bool multiMatch) { int none = 0; int transformations = 0; @@ -316,16 +316,16 @@ std::list, std::shared_ptr(new std::string(in)); std::shared_ptr newValue; - std::shared_ptr trans = + std::shared_ptr transStr = std::shared_ptr(new std::string()); if (multiMatch == true) { ret.push_back(std::make_pair( std::shared_ptr(value), - std::shared_ptr(trans))); + std::shared_ptr(transStr))); ret.push_back(std::make_pair( std::shared_ptr(value), - std::shared_ptr(trans))); + std::shared_ptr(transStr))); } for (Action *a : this->m_actionsRuntimePre) { @@ -338,26 +338,26 @@ std::list, // Notice that first we make sure that won't be a t:none // on the target rule. if (none == 0) { - for (Action *a : trasn->m_rules->m_defaultActions[this->m_phase]) { + for (Action *a : trans->m_rules->m_defaultActions[this->m_phase]) { if (a->action_kind \ == actions::Action::RunTimeBeforeMatchAttemptKind) { newValue = std::unique_ptr( - new std::string(a->evaluate(*value, trasn))); + new std::string(a->evaluate(*value, trans))); if (multiMatch == true) { if (*newValue != *value) { ret.push_back(std::make_pair( newValue, - trans)); + transStr)); } } value = std::shared_ptr(newValue); - if (trans->empty()) { - trans->append(a->m_name); + if (transStr->empty()) { + transStr->append(a->m_name); } else { - trans->append("," + a->m_name); + transStr->append("," + a->m_name); } - trasn->debug(9, "(SecDefaultAction) T (" + \ + trans->debug(9, "(SecDefaultAction) T (" + \ std::to_string(transformations) + ") " + \ a->m_name + ": \"" + \ utils::string::limitTo(80, *value) +"\""); @@ -370,26 +370,26 @@ std::list, for (Action *a : this->m_actionsRuntimePre) { if (none == 0) { newValue = std::shared_ptr( - new std::string(a->evaluate(*value, trasn))); + new std::string(a->evaluate(*value, trans))); if (multiMatch == true) { if (*value != *newValue) { ret.push_back(std::make_pair( newValue, - trans)); + transStr)); value = newValue; } } value = newValue; - trasn->debug(9, " T (" + \ + trans->debug(9, " T (" + \ std::to_string(transformations) + ") " + \ a->m_name + ": \"" + \ utils::string::limitTo(80, *value) + "\""); - if (trans->empty()) { - trans->append(a->m_name); + if (transStr->empty()) { + transStr->append(a->m_name); } else { - trans->append("," + a->m_name); + transStr->append("," + a->m_name); } transformations++; } @@ -401,13 +401,13 @@ std::list, // v2 checks the last entry twice. Don't know why. ret.push_back(ret.back()); - trasn->debug(9, "multiMatch is enabled. " \ + trans->debug(9, "multiMatch is enabled. " \ + std::to_string(ret.size()) + \ " values to be tested."); } else { ret.push_back(std::make_pair( std::shared_ptr(value), - std::shared_ptr(trans))); + std::shared_ptr(transStr))); } return ret; @@ -415,7 +415,7 @@ std::list, std::vector> Rule::getFinalVars( - Transaction *trasn) { + Transaction *trans) { std::list exclusions; std::vector *variables = m_variables; std::vector> finalVars; @@ -424,7 +424,7 @@ std::vector> Rule::getFinalVars( Variable *variable = variables->at(i); if (variable->m_isExclusion) { std::vector z; - variable->evaluateInternal(trasn, this, &z); + variable->evaluateInternal(trans, this, &z); for (auto &y : z) { exclusions.push_back(y->m_key); } @@ -441,14 +441,14 @@ std::vector> Rule::getFinalVars( continue; } - variable->evaluateInternal(trasn, this, &e); + variable->evaluateInternal(trans, this, &e); for (const collection::Variable *v : e) { const std::string *key = v->m_key; if (std::find_if(exclusions.begin(), exclusions.end(), [key](const std::string *m) -> bool { return *key == *m; }) != exclusions.end()) { #ifndef NO_LOGS - trasn->debug(9, "Variable: " + *key + + trans->debug(9, "Variable: " + *key + " is part of the exclusion list, skipping..."); #endif if (v->m_dynamic) { @@ -458,14 +458,14 @@ std::vector> Rule::getFinalVars( continue; } - for (auto &i : trasn->m_ruleRemoveTargetByTag) { + for (auto &i : trans->m_ruleRemoveTargetByTag) { std::string tag = i.first; std::string args = i.second; - if (containsTag(tag, trasn) == false) { + if (containsTag(tag, trans) == false) { continue; } if (args == *key) { - trasn->debug(9, "Variable: " + *key + + trans->debug(9, "Variable: " + *key + " was excluded by ruleRemoteTargetByTag..."); ignoreVariable = true; break; @@ -479,14 +479,14 @@ std::vector> Rule::getFinalVars( continue; } - for (auto &i : trasn->m_ruleRemoveTargetById) { + for (auto &i : trans->m_ruleRemoveTargetById) { int id = i.first; std::string args = i.second; if (m_ruleId != id) { continue; } if (args == *key) { - trasn->debug(9, "Variable: " + *key + + trans->debug(9, "Variable: " + *key + " was excluded by ruleRemoteTargetById..."); ignoreVariable = true; break; @@ -523,38 +523,38 @@ std::vector> Rule::getFinalVars( } -void Rule::executeActionsAfterFullMatch(Transaction *trasn, +void Rule::executeActionsAfterFullMatch(Transaction *trans, bool containsDisruptive, RuleMessage *ruleMessage) { - for (Action *a : trasn->m_rules->m_defaultActions[this->m_phase]) { + for (Action *a : trans->m_rules->m_defaultActions[this->m_phase]) { if (a->action_kind != actions::Action::RunTimeOnlyIfMatchKind) { continue; } if (a->isDisruptive() == false) { - trasn->debug(4, "(SecDefaultAction) Running " \ + trans->debug(4, "(SecDefaultAction) Running " \ "action: " + a->m_name); - a->evaluate(this, trasn, ruleMessage); + a->evaluate(this, trans, ruleMessage); continue; } if (containsDisruptive) { - trasn->debug(4, "(SecDefaultAction) _ignoring_ " \ + trans->debug(4, "(SecDefaultAction) _ignoring_ " \ "action: " + a->m_name + \ " (rule contains a disruptive action)"); continue; } - if (trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { - trasn->debug(4, "(SecDefaultAction) " \ + if (trans->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { + trans->debug(4, "(SecDefaultAction) " \ "Running action: " + a->m_name + \ " (rule _does not_ contains a " \ "disruptive action)"); - a->evaluate(this, trasn, ruleMessage); + a->evaluate(this, trans, ruleMessage); continue; } - trasn->debug(4, "(SecDefaultAction) _Not_ running action: " \ + trans->debug(4, "(SecDefaultAction) _Not_ running action: " \ + a->m_name + ". Rule _does not_contains a disruptive action,"\ + " but SecRuleEngine is not On."); } @@ -563,25 +563,25 @@ void Rule::executeActionsAfterFullMatch(Transaction *trasn, if (a->isDisruptive() == false) { if (a->m_name != "setvar" && a->m_name != "log" && a->m_name != "msg") { - trasn->debug(4, "Running [I] (_non_ disruptive) " \ + trans->debug(4, "Running [I] (_non_ disruptive) " \ "action: " + a->m_name); - a->evaluate(this, trasn, ruleMessage); + a->evaluate(this, trans, ruleMessage); } continue; } - if (trasn->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { - trasn->debug(4, "Running (disruptive) action: " + a->m_name); - a->evaluate(this, trasn, ruleMessage); + if (trans->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) { + trans->debug(4, "Running (disruptive) action: " + a->m_name); + a->evaluate(this, trans, ruleMessage); continue; } - trasn->debug(4, "Not running disruptive action: " + \ + trans->debug(4, "Not running disruptive action: " + \ a->m_name + ". SecRuleEngine is not On"); } } -bool Rule::evaluate(Transaction *trasn) { +bool Rule::evaluate(Transaction *trans) { bool globalRet = false; std::vector *variables = this->m_variables; bool recursiveGlobalRet; @@ -590,29 +590,29 @@ bool Rule::evaluate(Transaction *trasn) { std::vector> finalVars; std::string eparam; - trasn->m_matched.clear(); + trans->m_matched.clear(); if (m_secMarker == true) { return true; } if (m_unconditional == true) { - trasn->debug(4, "(Rule: " + std::to_string(m_ruleId) \ + trans->debug(4, "(Rule: " + std::to_string(m_ruleId) \ + ") Executing unconditional rule..."); - executeActionsIndependentOfChainedRuleResult(trasn, + executeActionsIndependentOfChainedRuleResult(trans, &containsDisruptive, &ruleMessage); goto end_exec; } - for (auto &i : trasn->m_ruleRemoveById) { + for (auto &i : trans->m_ruleRemoveById) { if (m_ruleId != i) { continue; } - trasn->debug(9, "Rule id: " + std::to_string(m_ruleId) + + trans->debug(9, "Rule id: " + std::to_string(m_ruleId) + " was skipped due to an ruleRemoveById action..."); return true; } - eparam = MacroExpansion::expand(this->m_op->m_param, trasn); + eparam = MacroExpansion::expand(this->m_op->m_param, trans); if (this->m_op->m_param != eparam) { eparam = "\"" + eparam + "\" Was: \"" + this->m_op->m_param + "\""; @@ -620,16 +620,16 @@ bool Rule::evaluate(Transaction *trasn) { eparam = "\"" + eparam + "\""; } - trasn->debug(4, "(Rule: " + std::to_string(m_ruleId) \ + trans->debug(4, "(Rule: " + std::to_string(m_ruleId) \ + ") Executing operator \"" + this->m_op->m_op \ + "\" with param " \ + eparam \ + " against " \ + Variable::to_s(variables) + "."); - updateRulesVariable(trasn); + updateRulesVariable(trans); - finalVars = getFinalVars(trasn); + finalVars = getFinalVars(trans); for (auto &v : finalVars) { const std::string value = *(v->m_value); @@ -640,13 +640,13 @@ bool Rule::evaluate(Transaction *trasn) { bool multiMatch = getActionsByName("multimatch").size() > 0; - values = executeDefaultTransformations(trasn, value, + values = executeDefaultTransformations(trans, value, multiMatch); for (const auto &valueTemp : values) { bool ret; std::string valueAfterTrans = std::move(*valueTemp.first); - ret = executeOperatorAt(trasn, key, valueAfterTrans, &ruleMessage); + ret = executeOperatorAt(trans, key, valueAfterTrans, &ruleMessage); if (ret == true) { ruleMessage.m_match = resolveMatchMessage(key, value); @@ -654,8 +654,8 @@ bool Rule::evaluate(Transaction *trasn) { ruleMessage.m_reference.append(i->toText()); } ruleMessage.m_reference.append(*valueTemp.second); - updateMatchedVars(trasn, key, value); - executeActionsIndependentOfChainedRuleResult(trasn, + updateMatchedVars(trans, key, value); + executeActionsIndependentOfChainedRuleResult(trans, &containsDisruptive, &ruleMessage); globalRet = true; } @@ -663,25 +663,25 @@ bool Rule::evaluate(Transaction *trasn) { } if (globalRet == false) { - trasn->debug(4, "Rule returned 0."); - cleanMatchedVars(trasn); + trans->debug(4, "Rule returned 0."); + cleanMatchedVars(trans); goto end_clean; } - trasn->debug(4, "Rule returned 1."); + trans->debug(4, "Rule returned 1."); if (this->m_chained == false) { goto end_exec; } if (this->m_chainedRule == NULL) { - trasn->debug(4, "Rule is marked as chained but there " \ + trans->debug(4, "Rule is marked as chained but there " \ "isn't a subsequent rule."); goto end_clean; } - trasn->debug(4, "Executing chained rule."); - recursiveGlobalRet = this->m_chainedRule->evaluate(trasn); + trans->debug(4, "Executing chained rule."); + recursiveGlobalRet = this->m_chainedRule->evaluate(trans); if (recursiveGlobalRet == true) { goto end_exec; @@ -691,13 +691,13 @@ end_clean: return false; end_exec: - executeActionsAfterFullMatch(trasn, containsDisruptive, &ruleMessage); + executeActionsAfterFullMatch(trans, containsDisruptive, &ruleMessage); for (const auto &u : ruleMessage.m_server_logs) { - trasn->serverLog(u); + trans->serverLog(u); } if (ruleMessage.m_server_logs.size() > 0) { - trasn->m_rulesMessages.push_back(ruleMessage); + trans->m_rulesMessages.push_back(ruleMessage); } return true;