diff --git a/CHANGES b/CHANGES index 2f560266..a0efa01a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,10 +2,10 @@ ?? ??? 2007 - 2.2.0-trunk ------------------------- - * TODO: Add file/line to audit log - * TODO: Detect static files (trac #15) + * Added rule file/line to audit log messages. + * Added new parallel matching operators, @pm and @pmfile. These use an alternate set based matching engine to perform faster keyword type matches. diff --git a/apache2/re.c b/apache2/re.c index 2cae6d96..debd6c7a 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -421,6 +421,7 @@ msre_actionset *msre_actionset_create(msre_engine *engine, const char *text, actionset->msg = NOT_SET_P; actionset->phase = NOT_SET; actionset->severity = -1; + actionset->rule = NOT_SET_P; /* Flow */ actionset->is_chained = NOT_SET; @@ -495,6 +496,7 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent if (child->msg != NOT_SET_P) merged->msg = child->msg; if (child->severity != NOT_SET) merged->severity = child->severity; if (child->phase != NOT_SET) merged->phase = child->phase; + if (child->rule != NOT_SET_P) merged->rule = child->rule; /* Flow */ merged->is_chained = child->is_chained; @@ -550,6 +552,7 @@ static void msre_actionset_set_defaults(msre_actionset *actionset) { if (actionset->msg == NOT_SET_P) actionset->msg = NULL; if (actionset->phase == NOT_SET) actionset->phase = 2; if (actionset->severity == -1); /* leave at -1 */ + if (actionset->rule == NOT_SET_P) actionset->rule = NULL; /* Flow */ if (actionset->is_chained == NOT_SET) actionset->is_chained = 0; @@ -844,6 +847,8 @@ int msre_ruleset_rule_add(msre_ruleset *ruleset, msre_rule *rule, int phase) { */ msre_actionset_set_defaults(rule->actionset); + rule->actionset->rule = rule; + *(const msre_rule **)apr_array_push(arr) = rule; return 1; 
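Review bot: In the msre_actionset_create hunk (@@ -421) the new `rule` member starts as the NOT_SET_P sentinel, which the msre_actionset_set_defaults hunk (@@ -550) shows is distinct from NULL, yet the msre_format_metadata hunk (@@ -972) dereferences it after checking only `actionset->rule != NULL`. An actionset that reaches the formatter without passing through msre_actionset_set_defaults would read `filename` through the sentinel; whether such a path exists is not visible in this diff. Widening the guard to `if ((actionset->rule != NULL) && (actionset->rule != NOT_SET_P) && (actionset->rule->filename != NULL)) {` removes the dependency on call order. The bodies of all three functions continue outside their hunks.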
@@ -972,14 +977,23 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
 char *msg = "";
 char *severity = "";
 char *tags = "";
+ char *fn = "";
 int k;
 if (actionset == NULL) return "";
- if (actionset->id != NULL) id = apr_psprintf(msr->mp, " [id \"%s\"]",
- log_escape(msr->mp, actionset->id));
- if (actionset->rev != NULL) rev = apr_psprintf(msr->mp, " [rev \"%s\"]",
- log_escape(msr->mp, actionset->rev));
+ if ((actionset->rule != NULL) && (actionset->rule->filename != NULL)) {
+ fn = apr_psprintf(msr->mp, " [file \"%s\"] [line \"%d\"]",
+ actionset->rule->filename, actionset->rule->line_num);
+ }
+ if (actionset->id != NULL) {
+ id = apr_psprintf(msr->mp, " [id \"%s\"]",
+ log_escape(msr->mp, actionset->id));
+ }
+ if (actionset->rev != NULL) {
+ rev = apr_psprintf(msr->mp, " [rev \"%s\"]",
+ log_escape(msr->mp, actionset->rev));
+ }
 if (actionset->msg != NULL) {
 /* Expand variables in the message string. */
 msc_string *var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@@ -988,11 +1002,11 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
 expand_macros(msr, var, NULL, msr->mp);
 msg = apr_psprintf(msr->mp, " [msg \"%s\"]",
- log_escape_ex(msr->mp, var->value, var->value_len));
+ log_escape_ex(msr->mp, var->value, var->value_len));
 }
 if ((actionset->severity >= 0)&&(actionset->severity <= 7)) {
 severity = apr_psprintf(msr->mp, " [severity \"%s\"]",
- msre_format_severity(actionset->severity));
+ msre_format_severity(actionset->severity));
 }
 /* Extract rule tags from the action list. */
@@ -1007,7 +1021,7 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
 }
 }
- return apr_pstrcat(msr->mp, id, rev, msg, severity, tags, NULL);
+ return apr_pstrcat(msr->mp, fn, id, rev, msg, severity, tags, NULL);
 }
 /**
diff --git a/apache2/re.h b/apache2/re.h
index 203a5089..b459ce01 100644
--- a/apache2/re.h
+++ b/apache2/re.h
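Review bot: The new `[file "..."]` field in the @@ -972 hunk prints `actionset->rule->filename` without log_escape(), unlike the id, rev and msg fields formatted next to it. A configuration path containing a double quote, backslash or control character would break the bracketed key/value framing that audit-log parsers and alerting rules depend on. Passing it through the same helper keeps every field on the line escaped the same way: `log_escape(msr->mp, actionset->rule->filename), actionset->rule->line_num);`. The declaration of `line_num` is not visible here, so the `%d` conversion should be confirmed against its type.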
@@ -226,6 +226,7 @@ struct msre_actionset {
 const char *msg;
 int severity;
 int phase;
+ msre_rule *rule;
 /* Flow */
 int is_chained;
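Review bot: The added `msre_rule *rule;` member carries no comment, and its meaning cannot be read from the struct. The re.c hunks show it can hold NOT_SET_P, NULL, or a pointer assigned in msre_ruleset_rule_add. A trailing comment would record that contract for anyone who later dereferences it, for example `/* back-pointer to the rule this actionset belongs to; NOT_SET_P until defaults are applied, NULL if none */`. The struct definition continues outside the hunk.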