Commit96a1f55

p0pr0ck5

authored and

Felipe Zimmerle

committed

Read fuzzy hash databases on init

Instead of reading the fuzzy db on every invocation, read and storethe db contents during initialization and store the contents in memory.The only significant behavior change here is that a change in db contentsnow (obviously) requires a daemon restart, as no API is provided toflush the list of ssdeep chunks.

1 parentfd49ca7 commit96a1f55Copy full SHA for 96a1f55

File tree

2 files changed

+40

-19

lines changed

apache2
- re.h
- re_operators.c

2 files changed

+40

-19

lines changed

`‎apache2/re.h‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -409,8 +409,14 @@ struct msre_cache_rec {`
`409`	`409`	`apr_size_tval_len;`
`410`	`410`	`};`
`411`	`411`
	`412`	`+structfuzzy_hash_chunk {`
	`413`	`+constchar*data;`
	`414`	`+structfuzzy_hash_chunk*next;`
	`415`	`+};`
	`416`	`+`
`412`	`417`	`structfuzzy_hash_param_data {`
`413`	`418`	`constchar*file;`
	`419`	`+structfuzzy_hash_chunk*head;`
`414`	`420`	`intthreshold;`
`415`	`421`	`};`
`416`	`422`

`‎apache2/re_operators.c‎`

Lines changed: 34 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -1279,7 +1279,7 @@ static int msre_op_pmFromFile_param_init(msre_rule rule, char *error_msg) {`
`1279`	`1279`	`strncmp(fn,"http://",strlen("http://"))==0)`
`1280`	`1280`	`{`
`1281`	`1281`	`*error_msg=apr_psprintf(rule->ruleset->mp,"HTTPS address or " \`
`1282`		`-"file path are expected for operator pmFromFile \"%s\"",fn);`
	`1282`	`+"file path are expected for operator pmFromFile \"%s\"",fn);`
`1283`	`1283`	`return0;`
`1284`	`1284`	`}`
`1285`	`1285`	`elseif (strlen(fn)>strlen("https://")&&`
`@@ -1316,7 +1316,7 @@ static int msre_op_pmFromFile_param_init(msre_rule rule, char *error_msg) {`
`1316`	`1316`	`msc_remote_clean_chunk(&chunk);`
`1317`	`1317`	`#else`
`1318`	`1318`	`*error_msg=apr_psprintf(rule->ruleset->mp,"ModSecurity was not " \`
`1319`		`-"compiled with Curl support, it cannot load: \"%s\"",fn);`
	`1319`	`+"compiled with Curl support, it cannot load: \"%s\"",fn);`
`1320`	`1320`	`return0;`
`1321`	`1321`	`#endif`
`1322`	`1322`	`}`
`@@ -3828,16 +3828,20 @@ static int msre_op_fuzzy_hash_init(msre_rule rule, char *error_msg)`
`3828`	`3828`	`{`
`3829`	`3829`	`#ifdefWITH_SSDEEP`
`3830`	`3830`	`structfuzzy_hash_param_data*param_data;`
	`3831`	`+structfuzzy_hash_chunkchunk,t;`
`3831`	`3832`	`FILE*fp;`
`3832`	`3833`	`char*file;`
`3833`	`3834`	`intparam_len,threshold;`
	`3835`	`+charline[1024];`
`3834`	`3836`
`3835`	`3837`	`char*data=NULL;`
`3836`	`3838`	`char*threshold_str=NULL;`
`3837`	`3839`
`3838`	`3840`	`param_data=apr_palloc(rule->ruleset->mp,`
`3839`	`3841`	`sizeof(structfuzzy_hash_param_data));`
`3840`	`3842`
	`3843`	`+param_data->head=NULL;`
	`3844`	`+`
`3841`	`3845`	`data=apr_pstrdup(rule->ruleset->mp,rule->op_param);`
`3842`	`3846`	`threshold_str=data;`
`3843`	`3847`	`#endif`
`@@ -3885,6 +3889,28 @@ static int msre_op_fuzzy_hash_init(msre_rule rule, char *error_msg)`
`3885`	`3889`	`" %s.",file);`
`3886`	`3890`	`return-1;`
`3887`	`3891`	`}`
	`3892`	`+`
	`3893`	`+while (read_line(line,sizeof(line),fp))`
	`3894`	`+ {`
	`3895`	`+chunk=apr_palloc(rule->ruleset->mp,`
	`3896`	`+sizeof(structfuzzy_hash_chunk));`
	`3897`	`+`
	`3898`	`+chunk->data=apr_pstrdup(rule->ruleset->mp,line);`
	`3899`	`+chunk->next=NULL;`
	`3900`	`+`
	`3901`	`+if (param_data->head==NULL) {`
	`3902`	`+param_data->head=chunk;`
	`3903`	`+ }else {`
	`3904`	`+t=param_data->head;`
	`3905`	`+`
	`3906`	`+while (t->next) {`
	`3907`	`+t=t->next;`
	`3908`	`+ }`
	`3909`	`+`
	`3910`	`+t->next=chunk;`
	`3911`	`+ }`
	`3912`	`+ }`
	`3913`	`+`
`3888`	`3914`	`fclose(fp);`
`3889`	`3915`
`3890`	`3916`	`param_data->file=file;`
`@@ -3911,8 +3937,7 @@ static int msre_op_fuzzy_hash_execute(modsec_rec msr, msre_rule rule,`
`3911`	`3937`	`#ifdefWITH_SSDEEP`
`3912`	`3938`	`charresult[FUZZY_MAX_RESULT];`
`3913`	`3939`	`structfuzzy_hash_param_data*param=rule->op_param_data;`
`3914`		`-FILE*fp;`
`3915`		`-charline[1024];`
	`3940`	`+structfuzzy_hash_chunk*chunk=param->head;`
`3916`	`3941`	`#endif`
`3917`	`3942`
`3918`	`3943`	`if (error_msg==NULL)`
`@@ -3931,29 +3956,19 @@ static int msre_op_fuzzy_hash_execute(modsec_rec msr, msre_rule rule,`
`3931`	`3956`	`return-1;`
`3932`	`3957`	`}`
`3933`	`3958`
`3934`		`-fp=fopen(param->file,"r");`
`3935`		`-if (!fp)`
`3936`		`- {`
`3937`		`-*error_msg=apr_psprintf(rule->ruleset->mp,"Not able to open " \`
`3938`		`-"fuzzy hash file: %s",param->file);`
`3939`		`-`
`3940`		`-return1;`
`3941`		`- }`
`3942`		`-`
`3943`		`-while (read_line(line,sizeof(line),fp))`
	`3959`	`+while (chunk!=NULL)`
`3944`	`3960`	`{`
`3945`		`-inti=fuzzy_compare(line,result);`
	`3961`	`+inti=fuzzy_compare(chunk->data,result);`
	`3962`	`+msr_log(msr,9,"%d (%s)",i,chunk->data);`
`3946`	`3963`	`if (i >=param->threshold)`
`3947`	`3964`	`{`
`3948`	`3965`	`*error_msg=apr_psprintf(msr->mp,"Fuzzy hash of %s matched " \`
`3949`		`-"with %s (from: %s). Score: %d.",var->name,line,`
	`3966`	`+"with %s (from: %s). Score: %d.",var->name,chunk->data,`
`3950`	`3967`	`param->file,i);`
`3951`		`-fclose(fp);`
`3952`	`3968`	`return1;`
`3953`	`3969`	`}`
	`3970`	`+chunk=chunk->next;`
`3954`	`3971`	`}`
`3955`		`-`
`3956`		`-fclose(fp);`
`3957`	`3972`	`#else`
`3958`	`3973`	`*error_msg=apr_psprintf(rule->ruleset->mp,"ModSecurity was not " \`
`3959`	`3974`	`"compiled with ssdeep support.");`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit96a1f55

File tree

2 files changed

2 files changed

`‎apache2/re.h‎`

`‎apache2/re_operators.c‎`

0 commit comments