Commitc955945

authored
change waf log - add transaction id and mandatory info, fix minor issues (microsoft#93)
* change waf log - add transaction id and mandatory info, fix minor issues * Matched is the chosen one.... * minor improve * fix comments
1 parentee74781 commitc955945

5 files changed

+116
-41
lines changed


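--- a/apache2/apache2_util.c
+++ b/apache2/apache2_util.c
@@ -200,9 +200,10 @@ char *get_env_var(request_rec *r, char *name) {
 staticvoidget_field_value(constchar*from,constchar*to,constchar*text,char*output) {
 char*first=strstr(text,from);
 intfirst_index=first-text;
+charbackslash[]="\\";
 
 if (first!=NULL ) {
-if ((first_index>0&&(first-1)[0]!="\\")|| (first_index==0)) {
+if ((first_index>0&&strncmp((first-1),backslash,2)!=0)|| (first_index==0)) {
 first+=strlen(from);
 }
 else {
@@ -216,7 +217,7 @@ static void get_field_value(const char* from, const char* to, const char* text,
 char*last=strstr(first,to);
 intlast_index=last-first;
 if (last!=NULL ) {
-if ((last_index>0&&(last-1)[0]!="\\")|| (last_index==0)) {
+if ((last_index>0&&strncmp((last-1),backslash,2)!=0)|| (last_index==0)) {
 }
 else {
 last=NULL;
@@ -317,7 +318,7 @@ static int write_file_with_lock(struct waf_lock* lock, apr_file_t* fd, char* str
 /**
 * send all waf fields in json format to a file.
 */
-staticvoidsend_waf_log(structwaf_lock*lock,apr_file_t*fd,constchar*str1,constchar*ip_port,constchar*uri,intmode,constchar*hostname,request_rec*r) {
+staticvoidsend_waf_log(structwaf_lock*lock,apr_file_t*fd,constchar*str1,constchar*ip_port,constchar*uri,intmode,constchar*hostname,char*unique_id,request_rec*r) {
 intrc=0;
 char*json_str;
 charwaf_filename[1024]="";
@@ -331,19 +332,21 @@ static void send_waf_log(struct waf_lock* lock, apr_file_t* fd, const char* str1
 charwaf_ruleset_type[50]="";
 charwaf_ruleset_version[50]="";
 charwaf_detail_message[1024]="";
+charwaf_unique_id[100]="";
 
 get_field_value("[file ","]",str1,waf_filename);
 get_field_value("[id ","]",str1,waf_id);
 get_field_value("[line ","]",str1,waf_line);
 get_field_value("[msg ","]",str1,waf_message);
 get_field_value("[data ","]",str1,waf_data);
-get_field_value("[ver ","]",str1,waf_ruleset_info);
-get_ip_port(ip_port,waf_ip,waf_port);
+get_field_value("[ver ","]",str1,waf_ruleset_info);
+get_field_value("[unique_id ","]",unique_id,waf_unique_id);
+get_ip_port(ip_port,waf_ip,waf_port);
 get_detail_message(str1,waf_detail_message);
 get_short_filename(waf_filename);
 get_ruleset_type_version(waf_ruleset_info,waf_ruleset_type,waf_ruleset_version);
 
-rc=generate_json(&json_str,msc_waf_resourceId,WAF_LOG_UTIL_OPERATION_NAME,WAF_LOG_UTIL_CATEGORY,msc_waf_instanceId,waf_ip,waf_port,uri,waf_ruleset_type,waf_ruleset_version,waf_id,waf_message,mode,0,waf_detail_message,waf_data,waf_filename,waf_line,hostname);
+rc=generate_json(&json_str,msc_waf_resourceId,WAF_LOG_UTIL_OPERATION_NAME,WAF_LOG_UTIL_CATEGORY,msc_waf_instanceId,waf_ip,waf_port,uri,waf_ruleset_type,waf_ruleset_version,waf_id,waf_message,mode,0,waf_detail_message,waf_data,waf_filename,waf_line,hostname,waf_unique_id);
 if (rc==WAF_LOG_UTIL_FAILED) {
 #ifAP_SERVER_MAJORVERSION_NUMBER>1&&AP_SERVER_MINORVERSION_NUMBER>2
 ap_log_rerror(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r,
@@ -434,8 +437,8 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
 
 /* Send message levels 1-3 to the Apache error log and
 * add it to the message list in the audit log. */
-if (level <=3) {
-char*unique_id= (char*)get_env_var(r,"UNIQUE_ID");
+char*unique_id= (char*)get_env_var(r,"UNIQUE_ID");
+if (level <=3) {
 char*hostname= (char*)msr->hostname;
 char*requestheaderhostname= (char*)r->hostname;
 
@@ -458,7 +461,7 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
 elserequestheaderhostname="";
 
 #ifdefWAF_JSON_LOGGING_ENABLE
-send_waf_log(msr->modsecurity->wafjsonlog_lock,dcfg->wafjsonlog_fd,str1,r->useragent_ip ?r->useragent_ip :r->connection->client_ip,log_escape(msr->mp,r->uri),dcfg->is_enabled, (char*)msr->hostname,r);
+send_waf_log(msr->modsecurity->wafjsonlog_lock,dcfg->wafjsonlog_fd,str1,r->useragent_ip ?r->useragent_ip :r->connection->client_ip,log_escape(msr->mp,r->uri),dcfg->is_enabled, (char*)msr->hostname,unique_id,r);
 #endif
 
 #ifAP_SERVER_MAJORVERSION_NUMBER>1&&AP_SERVER_MINORVERSION_NUMBER>2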
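Review bot: The escape check in get_field_value (the two strncmp lines in the first and second hunks) can never match: `backslash` is a one-character string, so `strncmp((first-1), backslash, 2)` also compares `first[0]` — the first byte of the `from` delimiter — against the terminating NUL, and that comparison always fails, so a backslash-escaped delimiter is still treated as a real one. The single-character test that was evidently intended is `if ((first_index > 0 && (first-1)[0] != '\\') || (first_index == 0)) {` and likewise `(last-1)[0] != '\\'` in the second hunk, which also makes the `backslash` array unnecessary. In the internal_log_ex hunks, `unique_id` is passed straight to send_waf_log, which hands it to get_field_value and therefore to strstr; if get_env_var can return NULL for a request without UNIQUE_ID that is a NULL dereference, so pass `unique_id ? unique_id : ""` or check inside send_waf_log. Whether get_env_var can return NULL is not visible here; get_field_value and internal_log_ex both extend outside these hunks.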

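--- a/apache2/waf_logging/waf_format.proto
+++ b/apache2/waf_logging/waf_format.proto
@@ -19,19 +19,15 @@ message Properties {
 optionalstringruleSetVersion=6;
 optionalstringruleId=7;
 optionalstringmessage=8;
-
-enumActionType {
-Detected=0;
-Blocked=1;
-}
-optionalActionTypeaction=9;
+optionalstringaction=9;
 
 enumSiteType {
 Global=0;
 }
 optionalSiteTypesite=10;
 optionalDetailsdetails=11;
 optionalstringhostname=12;
+optionalstringtransactionId=13;
 }
 
 messageWaf_Format {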
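Review bot: Field 9 changes from `enum ActionType` to `string` while keeping the same field number; an enum is encoded as a varint and a string as length-delimited, so any consumer still built against the old schema will reject or mis-read `action` in messages produced after this commit, and the new code cannot read old messages either. The protobuf-compatible way is to retire the number and add the string field under a fresh one, e.g. `reserved 9;` and `optional string action = 14;`. If no serialized data or other consumer of the old schema exists, this is harmless, but the commit does not establish that.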

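--- a/apache2/waf_logging/waf_log_util.cc
+++ b/apache2/waf_logging/waf_log_util.cc
@@ -1,8 +1,11 @@
 #include"waf_log_util_internal.h"
 #include"waf_log_util_external.h"
 
+usingnamespacestd;
+unordered_map<int,bool> appgw_ruleid_hash;
+
 // This function fills in a waf format message based on modsec input.
-voidset_waf_format(waf_format::Waf_Format* waf_format,char* resourceId,char* operationName,char* category,char* instanceId,char* clientIP,char* clientPort,char* requestUri,char* ruleSetType,char* ruleSetVersion,char* ruleId,char* messages,int action,int site,char* details_messages,char* details_data,char* details_file,char* details_line,char* hostname) {
+voidset_waf_format(waf_format::Waf_Format* waf_format,char* resourceId,char* operationName,char* category,char* instanceId,char* clientIP,char* clientPort,constchar* requestUri,char* ruleSetType,char* ruleSetVersion,char* ruleId,char* messages,int action,int site,char* details_messages,char* details_data,char* details_file,char* details_line,constchar* hostname,char* waf_unique_id) {
 waf_format::Properties *properties;
 waf_format::Details *details;
 
@@ -46,25 +49,57 @@ void set_waf_format(waf_format::Waf_Format* waf_format, char* resourceId, char*
 }
 
 if (ruleId !=NULL) {
-properties->set_ruleid(ruleId);
-}
-
-if (messages !=NULL) {
-properties->set_message(messages);
+ruleId[strlen(ruleId) -1] ='\0';
+properties->set_ruleid(ruleId+1);
 }
 
-switch(action) {
-case1:
-properties->set_action(waf_format::Properties::Detected);
-break;
-case2:
-properties->set_action(waf_format::Properties::Blocked);
-break;
-default:
-break;
-}
+bool is_mandatory =false;
+try {
+int tmpid =atoi(ruleId+1);
+is_mandatory =rule_is_mandatory(tmpid);
+
+if (ruleSetVersion[0] !='2' && !is_mandatory)
+properties->set_action(WAF_ACTION_MATCHED);
+else {
+switch (action) {
+case MODSEC_MODE_DETECT:
+properties->set_action(WAF_ACTION_DETECTED);
+break;
+case MODSEC_MODE_PREVENT:
+properties->set_action(WAF_ACTION_BLOCKED);
+break;
+default:
+break;
+}
+}
+}
+catch (...) {
+properties->set_action("");
+}
 
-if (site ==0) {
+if (messages !=NULL) {
+if (is_mandatory) {
+char mandatory_message[1024] ="Mandatory rule. Cannot be disabled.";
+int ind =strlen(mandatory_message) -1;
+int i;
+for (i =1; i <strlen(messages) -1; i++) {
+if (i + ind <1023) {
+mandatory_message[ind + i] = messages[i];
+}
+else {
+break;
+}
+}
+mandatory_message[ind + i] ='\0';
+properties->set_message(mandatory_message);
+}
+else {
+messages[strlen(messages) -1] ='\0';
+properties->set_message(messages+1);
+}
+}
+
+if (site ==0) {
 properties->set_site(waf_format::Properties::Global);
 }
 
@@ -73,26 +108,33 @@ void set_waf_format(waf_format::Waf_Format* waf_format, char* resourceId, char*
 }
 
 if (details_data !=NULL) {
-details->set_data(details_data);
+details_data[strlen(details_data) -1] ='\0';
+details->set_data(details_data+1);
 }
 
 if (details_file !=NULL) {
 details->set_file(details_file);
 }
 
 if (details_line !=NULL) {
-details->set_line(details_line);
+details_line[strlen(details_line) -1] ='\0';
+details->set_line(details_line+1);
 }
 
-if (hostname !=NULL) {
-properties->set_hostname(hostname);
-}
+if (hostname !=NULL) {
+properties->set_hostname(hostname);
+}
+
+if (waf_unique_id !=NULL) {
+waf_unique_id[strlen(waf_unique_id) -1] ='\0';
+properties->set_transactionid(waf_unique_id+1);
+}
 }
 
 // Main function: get fields from modsec, set the protobuf object and write to file in json.
-intgenerate_json(char** result_json,char* resourceId,char* operationName,char* category,char* instanceId,char* clientIP,char* clientPort,char* requestUri,char* ruleSetType,char* ruleSetVersion,char* ruleId,char* messages,int action,int site,char* details_messages,char* details_data,char* details_file,char* details_line,char* hostname) {
+intgenerate_json(char** result_json,char* resourceId,char* operationName,char* category,char* instanceId,char* clientIP,char* clientPort,constchar* requestUri,char* ruleSetType,char* ruleSetVersion,char* ruleId,char* messages,int action,int site,char* details_messages,char* details_data,char* details_file,char* details_line,constchar* hostname,char* waf_unique_id) {
 waf_format::Waf_Format waf_format;
-std::string json_string;
+string json_string;
 google::protobuf::util::JsonPrintOptions options;
 google::protobuf::util::Status convert_result;
 char* json_str;
@@ -103,7 +145,7 @@ int generate_json(char** result_json, char* resourceId, char* operationName, cha
 GOOGLE_PROTOBUF_VERIFY_VERSION;
 
 // Set Waf format.
-set_waf_format(&waf_format, resourceId, operationName, category, instanceId, clientIP, clientPort, requestUri, ruleSetType, ruleSetVersion, ruleId, messages, action, site, details_messages, details_data, details_file, details_line, hostname);
+set_waf_format(&waf_format, resourceId, operationName, category, instanceId, clientIP, clientPort, requestUri, ruleSetType, ruleSetVersion, ruleId, messages, action, site, details_messages, details_data, details_file, details_line, hostname, waf_unique_id);
 
 options.add_whitespace =false;
 options.always_print_primitive_fields =true;
@@ -127,3 +169,20 @@ int generate_json(char** result_json, char* resourceId, char* operationName, cha
 voidfree_json(char* str) {
 free(str);
 }
+
+voidinit_appgw_rules_id_hash() {
+ifstreaminfile(RULES_ID_FILE);
+string line;
+
+while (getline(infile, line)) {
+int rule_id =stoi(line);
+appgw_ruleid_hash[rule_id] =true;
+}
+infile.close();
+
+return;
+}
+
+boolrule_is_mandatory(int rule_id) {
+return (appgw_ruleid_hash.find(rule_id) == appgw_ruleid_hash.end());
+}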
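Review bot: The quote stripping added to set_waf_format (`ruleId[strlen(ruleId) - 1] = '\0';` and the same pattern on messages, details_data, details_line and waf_unique_id) underflows on an empty string: strlen returns 0, the size_t subtraction wraps, and the store lands far outside the buffer. The caller in apache2_util.c initialises each of those buffers to "" and leaves it that way when the bracketed field is absent from the log line, so this is a reachable out-of-bounds write, not a corner case. The try block then reads `ruleId+1` and `ruleSetVersion[0]` without the NULL check that protects set_ruleid just above it, and catch(...) cannot help because neither atoi nor rule_is_mandatory throws. A helper that refuses strings shorter than two characters covers all five sites; the ruleId site is shown below and the others take the same shape. Separately, init_appgw_rules_id_hash calls stoi on every line of RULES_ID_FILE with no try/catch and no check that the file opened, so a blank or commented line throws std::invalid_argument out of a function that ngx_http_modsecurity.c calls from C.
```cpp
// Drop the quotes that get_field_value leaves around a value. Returns the
// value unchanged when it is NULL or too short to be quoted, so that
// strlen(s) - 1 never wraps on "".
static char *strip_quotes(char *s) {
    size_t len = (s != NULL) ? strlen(s) : 0;
    if (len < 2) {
        return s;
    }
    s[len - 1] = '\0';
    return s + 1;
}

// … unchanged: set_waf_format signature and the fields before ruleId …
    if (ruleId != NULL) {
        ruleId = strip_quotes(ruleId);
        properties->set_ruleid(ruleId);
    }

    bool is_mandatory = false;
    if (ruleId != NULL && ruleSetVersion != NULL) {
        is_mandatory = rule_is_mandatory(atoi(ruleId));
        // … unchanged: action selection …
    }
    // … unchanged: messages, site, details and transactionId handling, each using strip_quotes() …
```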

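--- a/apache2/waf_logging/waf_log_util_external.h
+++ b/apache2/waf_logging/waf_log_util_external.h
@@ -3,16 +3,30 @@
 
 #defineWAF_LOG_UTIL_FAILED -1
 #defineWAF_LOG_UTIL_SUCCESS 0
+#defineMODSEC_MODE_DETECT 1
+#defineMODSEC_MODE_PREVENT 2
 #defineWAF_RULESET_PREFIX "/RuleSets/"
 #defineWAF_LOG_UTIL_FILE "waf_json.log"
 #defineWAF_LOG_UTIL_OPERATION_NAME "ApplicationGatewayFirewall"
 #defineWAF_LOG_UTIL_CATEGORY "ApplicationGatewayFirewallLog"
 
+#defineWAF_ACTION_BLOCKED "Blocked"
+#defineWAF_ACTION_DETECTED "Detected"
+#defineWAF_ACTION_MATCHED "Matched"
+
+#defineRULE_TYPE_OWASP_CRS "OWASP_CRS"
+
+#defineRULE_HASH_SIZE 499
+#defineRULES_ID_FILE "/etc/nginx/modsec/disableableRules.conf"
+
 #ifdef__cplusplus
 extern"C" {
 #endif
-intgenerate_json(char**result,char*resourceId,char*operationName,char*category,char*instanceId,char*clientIP,char*clientPort,char*requestUri,char*ruleSetType,char*ruleSetVersion,char*ruleId,char*messages,intaction,intsite,char*details_messages,char*details_data,char*details_file,char*details_line,char*hostname);
+intgenerate_json(char**result,char*resourceId,char*operationName,char*category,char*instanceId,char*clientIP,char*clientPort,constchar*requestUri,char*ruleSetType,char*ruleSetVersion,char*ruleId,char*messages,intaction,intsite,char*details_messages,char*details_data,char*details_file,char*details_line,constchar*hostname,char*waf_unique_id);
 voidfree_json(char*str);
+boolrule_is_mandatory(intruleId);
+voidinit_appgw_rules_id_hash();
+voidstrip_number(char*in);
 #ifdef__cplusplus
 }
 #endif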
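Review bot: `bool rule_is_mandatory(int ruleId);` sits inside the `extern "C"` block of a header that ngx_http_modsecurity.c includes as C, and C has no `bool` unless `<stdbool.h>` is included — nothing in this header pulls it in, so the C build either fails or depends on whichever includer happened to bring stdbool in first. Add `#ifndef __cplusplus` / `#include <stdbool.h>` / `#endif` above the extern block, or declare the function as returning `int`. In the same block, `void init_appgw_rules_id_hash();` should be `void init_appgw_rules_id_hash(void);`, since an empty parameter list in a C declaration means unspecified arguments rather than none. `strip_number` is declared here but no definition appears in this commit, and `RULE_HASH_SIZE` is not referenced by any visible hunk; both may live elsewhere, but the header now also hard-codes the nginx-specific `RULES_ID_FILE` path for the apache2 build that shares it.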

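--- a/nginx/modsecurity/ngx_http_modsecurity.c
+++ b/nginx/modsecurity/ngx_http_modsecurity.c
@@ -22,6 +22,7 @@
 #undef CRLF
 
 #include"api.h"
+#include<waf_log_util_external.h>
 
 #defineNOTE_NGINX_REQUEST_CTX "nginx-ctx"
 
@@ -977,6 +978,8 @@ ngx_http_modsecurity_init(ngx_conf_t *cf)
 externpthread_mutex_tmsc_pregcomp_ex_mtx;
 pthread_mutex_init(&msc_pregcomp_ex_mtx,NULL);
 
+init_appgw_rules_id_hash();
+
 returnNGX_OK;
 }
 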
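Review bot: `init_appgw_rules_id_hash();` in ngx_http_modsecurity_init has no way to report failure: it returns void, and its definition in waf_log_util.cc reads RULES_ID_FILE with stoi and no exception handling, so a missing file silently leaves the map empty (rule_is_mandatory then reports every rule as mandatory) and a malformed line throws a C++ exception across this C frame, which terminates the process at startup. Prefer a status return checked here, `if (init_appgw_rules_id_hash() != 0) { ngx_log_error(NGX_LOG_ERR, cf->log, 0, "init_appgw_rules_id_hash failed"); return NGX_ERROR; }`, with the callee catching its own exceptions and reporting them as that status. The enclosing function starts outside the hunk.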
