From f86a71f7a7433f39fb38ee2e189f00f02d625d7e Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Mon, 2 Dec 2013 13:22:39 -0800
Subject: [PATCH] Adds SecStatusEngine On/Off switch
Add the possibility to turn the Status Engine On or Off using the directive SecStatusEngine [On/Off]. By default it is On.
---
 apache2/apache2_config.c | 25 +++++++++++++++++++++++++
 apache2/mod_security2.c | 11 ++++++++++-
 apache2/modsecurity.h | 5 +++++
 apache2/msc_status_engine.h | 2 +-
 4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index b826a5b4..304d0b91 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2083,6 +2083,23 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
return NULL;
}
+static const char *cmd_STATUS_ENGINE(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ if (strcasecmp(p1, "on") == 0) {
+ status_engine_state = STATUS_ENGINE_ENABLED;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ status_engine_state = STATUS_ENGINE_DISABLED;
+ }
+ else {
+ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+ "SecStatusEngine: %s", p1);
+ }
+
+ return NULL;
+}
+
+
static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
{
directory_config *dcfg = (directory_config *)_dcfg;
@@ -3297,6 +3314,14 @@ const command_rec module_directives[] = {
"On or Off"
),
+ AP_INIT_TAKE1 (
+ "SecStatusEngine",
+ cmd_status_engine,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
AP_INIT_TAKE1 (
"SecXmlExternalEntity",
cmd_xml_external_entity,
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 552848f2..c3eeacca 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
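Review bot: The handler is defined as `cmd_STATUS_ENGINE`, but the directive table in the second hunk of this file registers `cmd_status_engine`; C identifiers are case-sensitive, so one of the two must change for the file to build, and the lowercase spelling matches the neighbouring `cmd_rule_engine` and `cmd_rule_inheritance`. A short header comment would also help a reader, e.g. `/* SecStatusEngine On|Off: writes the module-wide status_engine_state; _dcfg is ignored, so presumably the last directive parsed wins wherever it appears. */` — the "last one wins" part is inferred from the handler never touching `_dcfg`, so confirm it is the intended semantics before documenting it.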
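Review bot: `CMD_SCOPE_ANY` on the new `SecStatusEngine` entry will, if it permits directory and virtual-host context as its name suggests, allow a setting inside one `<VirtualHost>` to flip a single module-wide variable for the whole server, since the handler it names does not use its per-directory config; if the switch is meant to be global, a server-config-only scope (`RSRC_CONF`) would make that explicit and reject misplaced uses at startup. The help string `"On or Off"` also says nothing about what is being switched; given that `msc_status_engine.h` in this same patch defines a `status.modsecurity.org` DNS suffix, a string such as `"On or Off (whether the status engine reports to status.modsecurity.org at startup)"` would tell an administrator what the default of On implies — confirm the wording against what `msc_status_engine_call` actually does, which is not visible here.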
@@ -61,6 +61,8 @@
unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
+int DSOLOCAL status_engine_state = STATUS_ENGINE_ENABLED;
+
unsigned long int DSOLOCAL conn_read_state_limit = 0;
unsigned long int DSOLOCAL conn_write_state_limit = 0;
@@ -724,7 +726,14 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
"Original server signature: %s", real_server_signature);
}
- msc_status_engine_call();
+ if (status_engine_state != STATUS_ENGINE_DISABLED) {
+ msc_status_engine_call();
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "Status engine is currently disabled, enable it by set " \
+ "SecStatusEngine to On.");
+ }
}
srand((unsigned int)(time(NULL) * getpid()));
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index 24d3d21b..71fb2b69 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -142,6 +142,8 @@
extern DSOLOCAL unsigned long int msc_pcre_match_limit;
extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
+extern DSOLOCAL int status_engine_state;
+
extern DSOLOCAL unsigned long int conn_read_state_limit;
extern DSOLOCAL unsigned long int conn_write_state_limit;
@@ -182,6 +184,9 @@ extern DSOLOCAL int *unicode_map_table;
#define MODSEC_DETECTION_ONLY 1
#define MODSEC_ENABLED 2
+#define STATUS_ENGINE_ENABLED 1
+#define STATUS_ENGINE_DISABLED 0
+
#define HASH_DISABLED 0
#define HASH_ENABLED 1
diff --git a/apache2/msc_status_engine.h b/apache2/msc_status_engine.h
index 0b3398b9..b757e9a9 100644
--- a/apache2/msc_status_engine.h
+++ b/apache2/msc_status_engine.h
@@ -21,7 +21,7 @@
#include "apr_optional.h"
#include "msc_pcre.h"
-#define STATUS_ENGINE_DNS_IN_BETWEEN_DOTS 13
+#define STATUS_ENGINE_DNS_IN_BETWEEN_DOTS 32
#define STATUS_ENGINE_DNS_SUFFIX "status.modsecurity.org"
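Review bot: The notice in the new else branch reads "enable it by set SecStatusEngine to On."; `"Status engine is currently disabled, enable it by setting " \` on the first string line fixes the grammar. It is emitted at APLOG_NOTICE with a NULL server record on every post_config pass, and Apache typically runs that hook twice per startup, so an administrator who deliberately turned the engine off will see the reminder on each (re)start; APLOG_INFO seems the better level for confirming an explicit choice. The enclosing hook_post_config starts outside the hunk.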
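Review bot: `status_engine_state` is exported from modsecurity.h with no comment saying what it holds or who writes it; `/* Module-wide SecStatusEngine switch: STATUS_ENGINE_ENABLED (default) or STATUS_ENGINE_DISABLED; set by the directive handler, read in hook_post_config. */` would tie the extern to the two constants added in the next hunk of this file. Those constants could carry a matching one-liner, e.g. `/* values of status_engine_state (SecStatusEngine On/Off) */`, so a reader of the header learns that the engine runs unless configured off without having to find the directive handler. The default of enabled is taken from the initializer in mod_security2.c in this patch.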