github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-16 07:56:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

First version of the inline highlight calculation

Browse Source
This commit is contained in:
Felipe Zimmerle 2018-10-11 10:00:54 -03:00
parent aa8fb3434f
commit eec95cfe17
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
11 changed files with 205 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
examples/reading_logs_via_rule_message/blocked_request.conf
View File

@ -1,3 +1,3 @@
SecRule ARGS:param1 "test" "id:1,deny,phase:2,chain,msg:'test'"
SecRule ARGS:param1 "test" "id:1,deny,phase:2,t:lowercase,chain,msg:'test'"
SecRule ARGS:param1 "test" "log"

2
examples/reading_logs_via_rule_message/blocked_request_engine_on.conf
View File

@ -1,2 +1,2 @@
SecRuleEngine On
SecRule ARGS:param1 "test" "id:1,deny"
SecRule ARGS:param1 "test" "id:1,deny,t:lowercase"

2
examples/reading_logs_via_rule_message/match.conf
View File

@ -1 +1 @@
SecRule ARGS:param1 "test" "id:1,deny,msg:'this',msg:'is',msg:'a',msg:'test'"
SecRule ARGS:param1 "test" "id:1,deny,msg:'this',t:replaceNulls,msg:'is',msg:'a',msg:'test',t:lowercase,t:trim"

2
examples/reading_logs_via_rule_message/no_match.conf
View File

@ -1 +1 @@
SecRule ARGS:param1 "WHEEE" "id:1,phase:2,deny,msg:'this',msg:'is',msg:'a',msg:'test'"
SecRule ARGS:param1 "WHEEE" "id:1,phase:2,deny,msg:'this',msg:'is',msg:'a',msg:'test',t:lower"

44
examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h
View File

@ -163,7 +163,6 @@ class ReadingLogsViaRuleMessage {
pthread_join(threads[i], &status);
std::cout << "Main: completed thread id :" << i << std::endl;
}
delete rules;
delete modsec;
pthread_exit(NULL);
@ -172,6 +171,38 @@ end:
return -1;
}
static std::string highlightToText(
const modsecurity::RuleMessageHighlight &h) {
std::cout << " * ModSecurity variable to be highlighted" << std::endl;
for (const auto &i : h.m_variable) {
std::cout << " - From: " << std::to_string(i.m_startingAt);
std::cout << " to: " << std::to_string(i.m_startingAt + i.m_size);
std::cout << std::endl;
}
std::cout << std::endl;
std::cout << " * Variable's values ";
std::cout << "(may include transformations)" << std::endl;
for (const auto &i : h.m_value) {
std::cout << " - " << i.first << ": " << i.second << std::endl;
}
std::cout << std::endl;
std::cout << " * Operators match to be highlight inside ";
std::cout << "the variables (after transformations)" << std::endl;
for (const auto &i : h.m_op) {
std::cout << " - From: " << i.m_area.m_startingAt;
std::cout << " to: " << std::to_string(i.m_area.m_startingAt \
+ i.m_area.m_size);
std::cout << " [Value: " << i.m_value << "]" << std::endl;
}
std::cout << std::endl;
return "";
}
static void logCb(void *data, const void *ruleMessagev) {
if (ruleMessagev == NULL) {
std::cout << "I've got a call but the message was null ;(";
@ -196,6 +227,17 @@ end:
std::cout << modsecurity::RuleMessage::log(ruleMessage);
std::cout << std::endl;
}
std::cout << std::endl;
std::cout << "Verbose details on the match highlight" << std::endl;
std::cout << " Highlight reference string: ";
std::cout << ruleMessage->m_reference << std::endl;
std::cout << std::endl;
std::cout << "Details:" << std::endl;
modsecurity::RuleMessageHighlight h =
modsecurity::RuleMessage::computeHighlight(ruleMessage,
ruleMessage->m_buf);
highlightToText(h);
std::cout << std::endl;
}
protected:

2
examples/reading_logs_via_rule_message/simple_request.cc
View File

@ -32,7 +32,7 @@ int main(int argc, char **argv) {
*(argv++);
std::string rules(*argv);
ReadingLogsViaRuleMessage rlvrm(request_header, request_uri, request_body,
response_headers, response_body, ip, rules);
"", response_body, ip, rules);
rlvrm.process();

2
headers/modsecurity/modsecurity.h
View File

@ -301,12 +301,12 @@ class ModSecurity {
collection::Collection *m_ip_collection;
collection::Collection *m_session_collection;
collection::Collection *m_user_collection;
int m_logProperties;
private:
std::string m_connector;
std::string m_whoami;
ModSecLogCb m_logCb;
int m_logProperties;
};

37
headers/modsecurity/rule_message.h
View File

@ -24,6 +24,11 @@
#ifndef HEADERS_MODSECURITY_RULE_MESSAGE_H_
#define HEADERS_MODSECURITY_RULE_MESSAGE_H_
#ifdef __cplusplus
#include <utility>
#endif
#include "modsecurity/modsecurity.h"
#include "modsecurity/transaction.h"
#include "modsecurity/rule.h"
@ -32,6 +37,31 @@
namespace modsecurity {
class RuleMessageHighlightArea {
public:
RuleMessageHighlightArea()
: m_startingAt(0),
m_size(0) { }
size_t m_startingAt;
size_t m_size;
};
class RuleMessageHighlightOperator {
public:
RuleMessageHighlightOperator()
: m_value("") { }
RuleMessageHighlightArea m_area;
std::string m_value;
};
class RuleMessageHighlight {
public:
std::list<RuleMessageHighlightArea> m_variable;
std::list<std::pair<std::string, std::string>> m_value;
std::list<RuleMessageHighlightOperator> m_op;
};
class RuleMessage {
@ -88,10 +118,14 @@ class RuleMessage {
return RuleMessage::log(rm, 0);
}
static RuleMessageHighlight computeHighlight(const RuleMessage *rm,
const std::string buf);
static std::string _details(const RuleMessage *rm);
static std::string _errorLogTail(const RuleMessage *rm);
int m_accuracy;
std::string m_buf;
std::string m_clientIpAddress;
std::string m_data;
std::string m_id;
@ -100,6 +134,7 @@ class RuleMessage {
int m_maturity;
std::string m_message;
bool m_noAuditLog;
std::string m_opValue;
int m_phase;
std::string m_reference;
std::string m_rev;
@ -111,9 +146,11 @@ class RuleMessage {
std::string m_serverIpAddress;
int m_severity;
std::string m_uriNoQueryStringDecoded;
std::string m_varValue;
std::string m_ver;
std::list<std::string> m_tags;
RuleMessageHighlight m_highlight;
};

1
headers/modsecurity/transaction.h
View File

@ -343,6 +343,7 @@ class Transaction : public TransactionAnchoredVariables {
int getRuleEngineState();
std::string toJSON(int parts);
std::string toBuf();
std::string toOldAuditLogFormat(int parts, const std::string &trailer);
std::string toOldAuditLogFormatIndex(const std::string &filename,
double size, const std::string &md5);

81
src/rule_message.cc
View File

@ -20,10 +20,12 @@
#include "modsecurity/modsecurity.h"
#include "modsecurity/transaction.h"
#include "src/utils/string.h"
#include "src/utils/regex.h"
#include "modsecurity/actions/action.h"
#include "src/actions/transformations/transformation.h"
namespace modsecurity {
std::string RuleMessage::_details(const RuleMessage *rm) {
std::string msg;
@ -61,7 +63,6 @@ std::string RuleMessage::_errorLogTail(const RuleMessage *rm) {
return msg;
}
std::string RuleMessage::log(const RuleMessage *rm, int props, int code) {
std::string msg("");
@ -93,4 +94,80 @@ std::string RuleMessage::log(const RuleMessage *rm, int props, int code) {
}
RuleMessageHighlight RuleMessage::computeHighlight(const RuleMessage *rm,
const std::string buf) {
RuleMessageHighlight ret;
Utils::Regex variables("v([0-9]+),([0-9]+)");
Utils::Regex operators("o([0-9]+),([0-9]+)");
Utils::Regex transformations("t:(?:(?!t:).)+");
std::string ref(rm->m_reference);
std::list<Utils::SMatch> vars = variables.searchAll(ref);
std::list<Utils::SMatch> ops = operators.searchAll(ref);
std::list<Utils::SMatch> trans = transformations.searchAll(ref);
std::string varValue;
while (vars.size() > 0) {
std::string value;
RuleMessageHighlightArea a;
vars.pop_back();
std::string startingAt = vars.back().match;
vars.pop_back();
std::string size = vars.back().match;
vars.pop_back();
a.m_startingAt = std::stoi(startingAt);
a.m_size = std::stoi(size);
ret.m_variable.push_back(a);
if ((stoi(startingAt) + stoi(size)) > buf.size()) {
return ret;
}
value = std::string(buf, stoi(startingAt), stoi(size));
if (varValue.size() > 0) {
varValue.append(" " + value);
} else {
varValue.append(value);
}
}
ret.m_value.push_back(std::make_pair("original value", varValue));
while (trans.size() > 0) {
modsecurity::actions::transformations::Transformation *t;
std::string varValueRes;
std::string transformation = trans.back().match.c_str();
t = actions::transformations::Transformation::instantiate(
transformation);
varValueRes = t->evaluate(varValue, NULL);
varValue.assign(varValueRes);
ret.m_value.push_back(std::make_pair(transformation, varValue));
trans.pop_back();
delete t;
}
while (ops.size() > 0) {
RuleMessageHighlightOperator o;
ops.pop_back();
std::string startingAt = ops.back().match;
ops.pop_back();
std::string size = ops.back().match;
ops.pop_back();
if ((stoi(startingAt) + stoi(size)) > buf.size()) {
return ret;
}
o.m_area.m_startingAt = std::stoi(startingAt);
o.m_area.m_size = std::stoi(size);
o.m_value.assign(std::string(varValue, o.m_area.m_startingAt,
o.m_area.m_size));
ret.m_op.push_back(o);
}
return ret;
}
} // namespace modsecurity

39
src/transaction.cc
View File

@ -1584,6 +1584,45 @@ std::string Transaction::toOldAuditLogFormat(int parts,
}
std::string Transaction::toBuf() {
std::string a;
a.append(*m_variableRequestMethod.evaluate());
a.append(" ");
a.append(m_uri);
a.append(" HTTP/");
a.append(m_httpVersion);
a.append("\n");
std::vector<const collection::Variable *> l;
m_variableRequestHeaders.resolve(&l);
for (auto h : l) {
size_t pos = strlen("REQUEST_HEADERS:");
a.append((h->m_key.c_str() + pos));
a.append(": ");
a.append((h->m_value.c_str()));
}
a.append("\n\n");
if (this->m_requestBody.str().length() > 0) {
a.append(this->m_requestBody.str().c_str());
a.append("\n\n");
}
#if 0
l.clear();
m_variableResponseHeaders.resolve(&l);
for (auto h : l) {
size_t pos = strlen("RESPONSE_HEADERS:");
a.append((h->m_key->c_str() + pos));
a.append(": ");
a.append((h->m_value->c_str()));
}
a.append("\n\n");
a.append(this->m_responseBody.str().c_str());
#endif
return a;
}
std::string Transaction::toJSON(int parts) {
#ifdef WITH_YAJL
const unsigned char *buf;