Commita15f881

author
Felipe Zimmerle
committed
Honor the SecRuleEngine while filtering connections
The SecRuleEngine has the capability to enable, disable or even place ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit were not honoring that state, because our configuration belongs to requests, not to connections, which are the only struct that exists while those filters are placed. By adding a global variable "conn_limits_filter_state" we are now able to identify the current state of ModSecurity: once the configuration is loaded this variable is set, and it is used by the connection filters.
1 parent0037a07 commita15f881


3 files changed

+53
-29
lines changed


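--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
+
     if (dcfg == NULL) return NULL;
 
-    if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED;
-    else
-    if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED;
-    else
-    if (strcasecmp(p1, "detectiononly") == 0) {
+    if (strcasecmp(p1, "on") == 0)
+    {
+        dcfg->is_enabled = MODSEC_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0)
+    {
+        dcfg->is_enabled = MODSEC_DISABLED;
+    }
+    else if (strcasecmp(p1, "detectiononly") == 0)
+    {
         dcfg->is_enabled = MODSEC_DETECTION_ONLY;
         dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
         dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
-    } else
-    return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+            "SecRuleEngine: %s", p1);
+    }
+
+    conn_limits_filter_state = dcfg->is_enabled;
 
     return NULL;
 }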
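Review bot: `conn_limits_filter_state = dcfg->is_enabled;` copies a per-directory/per-vhost setting into a single process-wide global, so the connection filters follow whichever SecRuleEngine directive the parser saw last rather than the mode of the vhost a connection belongs to; the commit message explains why a global is used, but the consequence is not stated anywhere in the code. I would add a comment above the assignment: `/* Connection-level filters (SecReadStateLimit/SecWriteStateLimit) have no per-request config; the last SecRuleEngine directive parsed wins for every connection. */`. Until a SecRuleEngine directive is parsed the global keeps the initializer 0 given in mod_security2.c, and whether 0 coincides with MODSEC_DISABLED is not visible here, so it is worth confirming that the filters behave as intended when the directive is absent.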

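--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
+int DSOLOCAL conn_limits_filter_state = 0;
+
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
 TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
 TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0;
@@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn)
         }
     }
 
-
     if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
     {
         if (conn_read_state_suspicious_list &&
             (tree_contains_ip(conn->pool,
                 conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
         {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                "READ state from %s - There is a suspission list but " \
-                "that IP is not part of it, access granted", ip_count_r,
-                conn_read_state_limit, client_ip);
+            if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                    "in READ state from %s - There is a suspission list " \
+                    "but that IP is not part of it, access granted",
+                    ip_count_r, conn_read_state_limit, client_ip);
         }
-
         else if (tree_contains_ip(conn->pool,
             conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0)
         {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                "READ state from %s - Ip is on whitelist, access granted",
-                ip_count_r, conn_read_state_limit, client_ip);
+            if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                    "in READ state from %s - Ip is on whitelist, access " \
+                    "granted", ip_count_r, conn_read_state_limit,
+                    client_ip);
         }
         else
         {
@@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn)
                 "threads [%ld] of %ld allowed in READ state from %s - " \
                 "Possible DoS Consumption Attack [Rejected]", ip_count_r,
                 conn_read_state_limit, client_ip);
-            return OK;
+
+            if (conn_limits_filter_state == MODSEC_ENABLED)
+                return OK;
         }
     }
 
@@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn)
             (tree_contains_ip(conn->pool,
                 conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
         {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                "WRITE state from %s - There is a suspission list but " \
-                "that IP is not part of it, access granted", ip_count_w,
-                conn_read_state_limit, client_ip);
+            if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                    "in WRITE state from %s - There is a suspission list " \
+                    "but that IP is not part of it, access granted",
+                    ip_count_w, conn_read_state_limit, client_ip);
         }
         else if (tree_contains_ip(conn->pool,
             conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0)
         {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                "WRITE state from %s - Ip is on whitelist, access granted",
-                ip_count_w, conn_read_state_limit, client_ip);
+            if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                    "in WRITE state from %s - Ip is on whitelist, " \
+                    "access granted", ip_count_w, conn_read_state_limit,
+                    client_ip);
         }
         else
         {
@@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn)
                 "threads [%ld] of %ld allowed in WRITE state from %s - " \
                 "Possible DoS Consumption Attack [Rejected]", ip_count_w,
                 conn_write_state_limit, client_ip);
-            return OK;
+
+            if (!conn_limits_filter_state == MODSEC_ENABLED)
+                return OK;
         }
     }
 }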
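Review bot: `if (!conn_limits_filter_state==MODSEC_ENABLED)` in the last hunk (the WRITE-state rejection) applies `!` before `==`, so the left side is always 0 or 1 and the condition no longer tests the configured mode; the READ-state counterpart in the third hunk reads `if (conn_limits_filter_state == MODSEC_ENABLED)` and the WRITE branch should be written the same way. As committed, whether the WRITE limit ever rejects a connection depends on the numeric value of MODSEC_ENABLED rather than on SecRuleEngine, so the state limit on the write path is effectively not enforced in the intended mode. Two smaller points in the same section: the "[Rejected]" log line immediately above each new check is still emitted when the state is not MODSEC_ENABLED even though the connection is then accepted, so the log overstates what happened; and both WRITE-state "access granted" messages continue to print `conn_read_state_limit` where `conn_write_state_limit` is evidently meant. hook_connection_early begins before the first of these hunks, and the rest of its body lies outside them.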

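--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
 extern DSOLOCAL int status_engine_state;
 
+extern DSOLOCAL int conn_limits_filter_state;
+
 extern DSOLOCAL unsigned long int conn_read_state_limit;
 extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
 extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;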
