NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit9b836b6

Felipe Zimmerle

committed

Initial support to load rules from a remote server

New directive `SecRemoteRules' was added. It allows the user to load aset of rules from a given HTTP server.

1 parent899ee0c commit9b836b6Copy full SHA for 9b836b6

File tree

12 files changed

+902

-7

lines changed

12 files changed

+902

-7

lines changed

`‎apache2/Makefile.am‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ mod_security2_la_SOURCES = acmp.c \`
`21`	`21`	`msc_parsers.c\`
`22`	`22`	`msc_pcre.c\`
`23`	`23`	`msc_release.c\`
	`24`	`+ msc_remote_rules.c\`
`24`	`25`	`msc_reqbody.c\`
`25`	`26`	`msc_tree.c\`
`26`	`27`	`msc_unicode.c\`

`‎apache2/Makefile.win‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \`
`58`	`58`	`msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj msc_unicode.obj acmp.obj msc_lua.obj \`
`59`	`59`	`msc_release.obj \`
`60`	`60`	`msc_status_engine.obj \`
	`61`	`+ msc_remote_rules.obj \`
`61`	`62`	`msc_json.obj \`
`62`	`63`	`libinjection/libinjection_html5.obj \`
`63`	`64`	`libinjection/libinjection_sqli.obj \`

`‎apache2/apache2_config.c‎`

Lines changed: 52 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2213,6 +2213,50 @@ static const char cmd_rule_engine(cmd_parms cmd, void _dcfg, const char p1)`
`2213`	`2213`	`returnNULL;`
`2214`	`2214`	`}`
`2215`	`2215`
	`2216`	`+staticconstcharcmd_remote_rules(cmd_parmscmd,void_dcfg,constcharp1,`
	`2217`	`+constchar*p2)`
	`2218`	`+{`
	`2219`	`+char*error_msg=NULL;`
	`2220`	`+directory_configdcfg= (directory_config)_dcfg;`
	`2221`	`+if (dcfg==NULL)returnNULL;`
	`2222`	`+`
	`2223`	`+// FIXME: make it https only.`
	`2224`	`+// if (strncasecmp(p1, "https", 5) != 0) {`
	`2225`	`+if (strncasecmp(p2,"http",4)!=0) {`
	`2226`	`+returnapr_psprintf(cmd->pool,"ModSecurity: Invalid value for " \`
	`2227`	`+" %s, expected an HTTPS address.",p2);`
	`2228`	`+ }`
	`2229`	`+`
	`2230`	`+// FIXME: Should we handle more then one server at once?`
	`2231`	`+if (remote_rules_server!=NULL)`
	`2232`	`+ {`
	`2233`	`+returnapr_psprintf(cmd->pool,"ModSecurity: " \`
	`2234`	`+"SecRemoteRules cannot be used more than once.");`
	`2235`	`+ }`
	`2236`	`+`
	`2237`	`+remote_rules_server=apr_pcalloc(cmd->pool,sizeof(msc_remote_rules_server));`
	`2238`	`+if (remote_rules_server==NULL)`
	`2239`	`+ {`
	`2240`	`+returnapr_psprintf(cmd->pool,"ModSecurity: " \`
	`2241`	`+"SecRemoteRules: Internal failure. Not enougth memory.");`
	`2242`	`+ }`
	`2243`	`+`
	`2244`	`+remote_rules_server->context=dcfg;`
	`2245`	`+remote_rules_server->context_label=apr_pstrdup(cmd->pool,"Unkwon context");`
	`2246`	`+remote_rules_server->key=p1;`
	`2247`	`+remote_rules_server->uri=p2;`
	`2248`	`+remote_rules_server->amount_of_rules=0;`
	`2249`	`+`
	`2250`	`+msc_remote_add_rules_from_uri(cmd,remote_rules_server,&error_msg);`
	`2251`	`+if (error_msg!=NULL)`
	`2252`	`+ {`
	`2253`	`+returnerror_msg;`
	`2254`	`+ }`
	`2255`	`+`
	`2256`	`+returnNULL;`
	`2257`	`+}`
	`2258`	`+`
	`2259`	`+`
`2216`	`2260`	`staticconstcharcmd_status_engine(cmd_parmscmd,void_dcfg,constcharp1)`
`2217`	`2261`	`{`
`2218`	`2262`	`if (strcasecmp(p1,"on")==0) {`
`@@ -3500,6 +3544,14 @@ const command_rec module_directives[] = {`
`3500`	`3544`	`"On or Off"`
`3501`	`3545`	`),`
`3502`	`3546`
	`3547`	`+AP_INIT_TAKE2 (`
	`3548`	`+"SecRemoteRules",`
	`3549`	`+cmd_remote_rules,`
	`3550`	`+NULL,`
	`3551`	`+CMD_SCOPE_ANY,`
	`3552`	`+"key and URI to the remote rules"`
	`3553`	`+ ),`
	`3554`	`+`
`3503`	`3555`	`AP_INIT_TAKE1 (`
`3504`	`3556`	`"SecXmlExternalEntity",`
`3505`	`3557`	`cmd_xml_external_entity,`

`‎apache2/mod_security2.c‎`

Lines changed: 22 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,8 @@`
`33`	`33`
`34`	`34`	`#include"apr_version.h"`
`35`	`35`
	`36`	`+#include"msc_remote_rules.h"`
	`37`	`+`
`36`	`38`	`#if defined(WITH_LUA)`
`37`	`39`	`#include"msc_lua.h"`
`38`	`40`	`#endif`
`@@ -66,6 +68,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;`
`66`	`68`
`67`	`69`	`unsigned longintDSOLOCALmsc_pcre_match_limit_recursion=0;`
`68`	`70`
	`71`	`+msc_remote_rules_serverDSOLOCAL*remote_rules_server=NULL;`
	`72`	`+`
`69`	`73`	`intDSOLOCALstatus_engine_state=STATUS_ENGINE_DISABLED;`
`70`	`74`
`71`	`75`	`intDSOLOCALconn_limits_filter_state=MODSEC_DISABLED;`
`@@ -752,6 +756,24 @@ static int hook_post_config(apr_pool_t mp, apr_pool_t mp_log, apr_pool_t *mp_t`
`752`	`756`	`"SecStatusEngine to On.");`
`753`	`757`	`}`
`754`	`758`	`#endif`
	`759`	`+`
	`760`	`+if (remote_rules_server!=NULL)`
	`761`	`+ {`
	`762`	`+if (remote_rules_server->amount_of_rules==1)`
	`763`	`+ {`
	`764`	`+ap_log_error(APLOG_MARK,APLOG_NOTICE,0,NULL,`
	`765`	`+"ModSecurity: Loaded %d rule from: '%s'.",`
	`766`	`+remote_rules_server->amount_of_rules,`
	`767`	`+remote_rules_server->uri);`
	`768`	`+ }`
	`769`	`+else`
	`770`	`+ {`
	`771`	`+ap_log_error(APLOG_MARK,APLOG_NOTICE,0,NULL,`
	`772`	`+"ModSecurity: Loaded %d rule from: '%s'.",`
	`773`	`+remote_rules_server->amount_of_rules,`
	`774`	`+remote_rules_server->uri);`
	`775`	`+ }`
	`776`	`+ }`
`755`	`777`	`}`
`756`	`778`
`757`	`779`	`srand((unsignedint)(time(NULL)*getpid()));`

`‎apache2/modsecurity.c‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -536,7 +536,7 @@ static apr_status_t modsecurity_process_phase_request_body(modsec_rec *msr) {`
`536`	`536`	`apr_time_ttime_before;`
`537`	`537`	`apr_status_trc=0;`
`538`	`538`
`539`		`-`
	`539`	`+`
`540`	`540`	`if ((msr->allow_scope==ACTION_ALLOW_REQUEST)\|\|(msr->allow_scope==ACTION_ALLOW)) {`
`541`	`541`	`if (msr->txcfg->debuglog_level >=4) {`
`542`	`542`	`msr_log(msr,4,"Skipping phase REQUEST_BODY (allow used).");`
`@@ -626,7 +626,7 @@ static apr_status_t modsecurity_process_phase_response_body(modsec_rec *msr) {`
`626`	`626`	`*/`
`627`	`627`	`staticapr_status_tmodsecurity_process_phase_logging(modsec_rec*msr) {`
`628`	`628`	`apr_time_ttime_before,time_after;`
`629`		`-`
	`629`	`+`
`630`	`630`	`if (msr->txcfg->debuglog_level >=4) {`
`631`	`631`	`msr_log(msr,4,"Starting phase LOGGING.");`
`632`	`632`	`}`

`‎apache2/modsecurity.h‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ typedef struct msc_arg msc_arg;`
`33`	`33`	`typedefstructmsc_stringmsc_string;`
`34`	`34`	`typedefstructmsc_parmmsc_parm;`
`35`	`35`
	`36`	`+#include"msc_remote_rules.h"`
`36`	`37`	`#include"msc_release.h"`
`37`	`38`	`#include"msc_logging.h"`
`38`	`39`	`#include"msc_multipart.h"`
`@@ -144,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;`
`144`	`145`
`145`	`146`	`externDSOLOCAL unsigned longintmsc_pcre_match_limit_recursion;`
`146`	`147`
	`148`	`+externDSOLOCALmsc_remote_rules_server*remote_rules_server;`
	`149`	`+`
`147`	`150`	`externDSOLOCALintstatus_engine_state;`
`148`	`151`
`149`	`152`	`externDSOLOCALintconn_limits_filter_state;`
`@@ -619,6 +622,14 @@ struct directory_config {`
`619`	`622`
`620`	`623`	`/* xml */`
`621`	`624`	`intxml_external_entity;`
	`625`	`+`
	`626`	`+/* This will be used whenever ModSecurity will be ready`
	`627`	`+ * to ask the server for newer rules.`
	`628`	`+ */`
	`629`	`+#if0`
	`630`	`+msc_remote_rules_server*remote_rules;`
	`631`	`+intremote_timeout;`
	`632`	`+#endif`
`622`	`633`	`};`
`623`	`634`
`624`	`635`	`structerror_message_t {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9b836b6

File tree

12 files changed

12 files changed

`‎apache2/Makefile.am‎`

`‎apache2/Makefile.win‎`

`‎apache2/apache2_config.c‎`

`‎apache2/mod_security2.c‎`

`‎apache2/modsecurity.c‎`

`‎apache2/modsecurity.h‎`

0 commit comments