Commitdbe21a6

add protobuf and use that to format the waf log in json format (microsoft#25)
* add protobuf and use that to format the waf log in json format
* add define so it won't break Windows
* add exception handling
* refactor the code and add passing directory as arguments
* add time and improve filename
* add directive for owasp type and version
* add the waf format proto file
* get crs rules and type from str
* add lock and fd
* add cmd for resource id and instanceid and correct the format
* fix the typo
1 parent8c1652a commitdbe21a6

15 files changed

+4789
-2
lines changed


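--- a/apache2/Makefile.am
+++ b/apache2/Makefile.am
@@ -4,6 +4,8 @@ pkglib_LTLIBRARIES = mod_security2.la
 mod_security2_la_SOURCES = acmp.c\
 ag_mdb/murmur3.c\
 ag_mdb/ag_mdb.cpp\
+waf_logging/waf_format.pb.cc\
+waf_logging/waf_log_util.cc\
 apache2_config.c\
 apache2_io.c\
 apache2_util.c\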

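--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -28,6 +28,9 @@
 #if defined(WITH_LUA)
 #include"msc_lua.h"
 #endif
+#ifdefWAF_JSON_LOGGING_ENABLE
+#include"waf_log_util_external.h"
+#endif
 
 
 /* -- Directory context creation and initialisation -- */
@@ -111,6 +114,9 @@ void *create_directory_config(apr_pool_t *mp, char *path)
 
 /* Misc */
 dcfg->data_dir=NOT_SET_P;
+#ifdefWAF_JSON_LOGGING_ENABLE
+dcfg->wafjsonlog_fd=NOT_SET_P;
+#endif
 dcfg->webappid=NOT_SET_P;
 dcfg->sensor_id=NOT_SET_P;
 dcfg->httpBlkey=NOT_SET_P;
@@ -548,6 +554,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
 /* Misc */
 merged->data_dir= (child->data_dir==NOT_SET_P
 ?parent->data_dir :child->data_dir);
+#ifdefWAF_JSON_LOGGING_ENABLE
+merged->wafjsonlog_fd= (child->wafjsonlog_fd==NOT_SET_P
+?parent->wafjsonlog_fd :child->wafjsonlog_fd);
+#endif
 merged->webappid= (child->webappid==NOT_SET_P
 ?parent->webappid :child->webappid);
 merged->sensor_id= (child->sensor_id==NOT_SET_P
@@ -716,6 +726,9 @@ void init_directory_config(directory_config *dcfg)
 
 /* Misc */
 if (dcfg->data_dir==NOT_SET_P)dcfg->data_dir=NULL;
+#ifdefWAF_JSON_LOGGING_ENABLE
+if (dcfg->wafjsonlog_fd==NOT_SET_P)dcfg->wafjsonlog_fd=NULL;
+#endif
 if (dcfg->webappid==NOT_SET_P)dcfg->webappid="default";
 if (dcfg->sensor_id==NOT_SET_P)dcfg->sensor_id="default";
 if (dcfg->httpBlkey==NOT_SET_P)dcfg->httpBlkey=NULL;
@@ -1160,6 +1173,35 @@ static const char *cmd_db_option(cmd_parms *cmd, void *_dcfg, const char *p1){
 }
 #endif
 
+/* resourceId and instanceId */
+#ifdefWAF_JSON_LOGGING_ENABLE
+staticconstchar*cmd_waf_resourceId(cmd_parms*cmd,
+void*_dcfg,constchar*p1)
+{
+
+if (cmd->server->is_virtual) {
+return"ModSecurity: SecWafResourceId not allowed in VirtualHost";
+}
+
+msc_waf_resourceId= (char*)p1;
+
+returnNULL;
+}
+
+staticconstchar*cmd_waf_instanceId(cmd_parms*cmd,
+void*_dcfg,constchar*p1)
+{
+
+if (cmd->server->is_virtual) {
+return"ModSecurity: SecWafInstanceId not allowed in VirtualHost";
+}
+
+msc_waf_instanceId= (char*)p1;
+
+returnNULL;
+}
+#endif
+
 staticconstchar*cmd_action(cmd_parms*cmd,void*_dcfg,constchar*p1)
 {
 returnadd_rule(cmd, (directory_config*)_dcfg,RULE_TYPE_ACTION,SECACTION_TARGETS,SECACTION_ARGS,p1);
@@ -1472,6 +1514,10 @@ static const char *cmd_content_injection(cmd_parms *cmd, void *_dcfg, int flag)
 
 staticconstchar*cmd_data_dir(cmd_parms*cmd,void*_dcfg,constchar*p1)
 {
+#ifdefWAF_JSON_LOGGING_ENABLE
+intrc;
+charwafjsonlog_path[1024];
+#endif
 directory_config*dcfg= (directory_config*)_dcfg;
 
 if (cmd->server->is_virtual) {
@@ -1480,6 +1526,18 @@ static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
 
 dcfg->data_dir=ap_server_root_relative(cmd->pool,p1);
 
+#ifdefWAF_JSON_LOGGING_ENABLE
+strcpy(wafjsonlog_path,dcfg->data_dir );
+strcat(wafjsonlog_path,WAF_LOG_UTIL_FILE );
+rc=apr_file_open(&dcfg->wafjsonlog_fd,wafjsonlog_path,
+APR_WRITE |APR_APPEND |APR_CREATE |APR_BINARY,
+CREATEMODE,cmd->pool);
+
+if (rc!=APR_SUCCESS) {
+returnapr_psprintf(cmd->pool,"ModSecurity: Failed to open wafjson log file: %s",
+wafjsonlog_path);
+}
+#endif
 returnNULL;
 }
 
@@ -3958,6 +4016,22 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "Choose database. (origin/redis/agdb)"
 ),
+#endif
+#ifdefWAF_JSON_LOGGING_ENABLE
+AP_INIT_TAKE1 (
+"SecWafResourceId",
+cmd_waf_resourceId,
+NULL,
+CMD_SCOPE_ANY,
+"Set waf resourceId"
+),
+AP_INIT_TAKE1 (
+"SecWafInstanceId",
+cmd_waf_instanceId,
+NULL,
+CMD_SCOPE_ANY,
+"Set waf instanceId"
+),
 #endif
 {NULL }
 };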
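Review bot: In cmd_data_dir the new `strcpy(wafjsonlog_path, dcfg->data_dir)` / `strcat(wafjsonlog_path, WAF_LOG_UTIL_FILE)` pair writes into a fixed `char wafjsonlog_path[1024]` with no length check, so a SecDataDir value (after ap_server_root_relative expansion) longer than the array overflows the stack at config-parse time. Build the path in the config pool instead and drop the array: `const char *wafjsonlog_path = apr_pstrcat(cmd->pool, dcfg->data_dir, WAF_LOG_UTIL_FILE, NULL);`. The failure message also discards the APR status; include it with `apr_strerror(rc, errbuf, sizeof errbuf)` so an operator can tell a permission error from a missing directory. Note that the file is created with CREATEMODE while the config is still being parsed, presumably as root like the other ModSecurity logs, so the ownership and mode it ends up with are worth stating in a comment next to the apr_file_open call.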

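--- a/apache2/apache2_util.c
+++ b/apache2/apache2_util.c
@@ -17,6 +17,11 @@
 #include"http_core.h"
 #include"util_script.h"
 
+#ifdefWAF_JSON_LOGGING_ENABLE
+#include"waf_log_util_external.h"
+#include"string.h"
+#endif
+
 /**
 * Sends a brigade with an error bucket down the filter chain.
 */
@@ -187,6 +192,192 @@ char *get_env_var(request_rec *r, char *name) {
 returnresult;
 }
 
+#ifdefWAF_JSON_LOGGING_ENABLE
+/**
+* Retrieve waf log field.
+*/
+voidget_field_value(constchar*from,constchar*to,constchar*text,char*output) {
+char*first=strstr(text,from);
+intfirst_index=first-text;
+
+if (first!=NULL ) {
+if ((first_index>0&& (first-1)[0]!="\\")|| (first_index==0)) {
+first+=strlen(from);
+}
+else {
+first=NULL;
+}
+}
+else {
+return;
+}
+
+char*last=strstr(first,to);
+intlast_index=last-first;
+if (last!=NULL ) {
+if ((last_index>0&& (last-1)[0]!="\\")|| (last_index==0)) {
+}
+else {
+last=NULL;
+}
+}
+
+if (first!=NULL&&last!=NULL) {
+strncpy(output,first,last-first);
+}
+}
+
+/**
+* get ip and port number.
+*/
+voidget_ip_port(constchar*ip_port,char*waf_ip,char*waf_port) {
+char*comma=strstr(ip_port,":");
+if (comma!=NULL) {
+strcpy(waf_port,comma+1);
+strncpy(waf_ip,ip_port,comma-ip_port);
+}
+else {
+strcpy(waf_ip,ip_port);
+}
+}
+
+/**
+* get detail_messages.
+*/
+voidget_detail_message(constchar*str1,char*waf_detail_message) {
+char*end=strstr(str1,"[file ");
+if (end!=NULL) {
+strncpy(waf_detail_message,str1,end-str1);
+}
+}
+
+/**
+* only expose short path.
+*/
+voidget_short_filename(char*waf_filename) {
+chartmp_filename[1024]="";
+char*index=strstr(waf_filename,WAF_RULESET_PREFIX);
+
+if (index!=NULL) {
+index+=strlen(WAF_RULESET_PREFIX);
+index=strstr(index,"/");
+if (index!=NULL) {
+strcpy(tmp_filename,index+1);
+strcpy(waf_filename,tmp_filename);
+}
+}
+}
+
+/**
+* get crs type and version.
+*/
+voidget_ruleset_type_version(char*waf_ruleset_info,char*waf_ruleset_type,char*waf_ruleset_version) {
+charruleset_info_no_quote[200]="";
+char*type_start=NULL;
+char*type_end=NULL;
+
+get_field_value("\"","\"",waf_ruleset_info,ruleset_info_no_quote);
+type_start=ruleset_info_no_quote;
+
+type_end=strstr(type_start,"/");
+if (type_end!=NULL) {
+strncpy(waf_ruleset_type,type_start,type_end-type_start);
+strcpy(waf_ruleset_version,type_end+1);
+}
+else {
+strcpy(waf_ruleset_type,type_start+1);
+}
+}
+
+intwrite_file_with_lock(apr_global_mutex_t*lock,apr_file_t*fd,char*str) {
+intrc;
+apr_size_tnbytes,nbytes_written;
+
+rc=apr_global_mutex_lock(lock);
+if (rc!=APR_SUCCESS) {
+returnWAF_LOG_UTIL_FAILED;
+}
+
+if (fd!=NULL) {
+nbytes=strlen(str);
+apr_file_write_full(fd,str,nbytes,&nbytes_written);
+}
+
+rc=apr_global_mutex_unlock(lock);
+if (rc!=APR_SUCCESS) {
+returnWAF_LOG_UTIL_FAILED;
+}
+
+returnWAF_LOG_UTIL_SUCCESS;
+}
+
+char*waf_current_logtime(apr_pool_t*mp) {
+apr_time_exp_tt;
+chartstr[100];
+apr_size_tlen;
+
+apr_time_exp_lt(&t,apr_time_now());
+
+apr_strftime(tstr,&len,80,"%Y-%m-%dT%H:%M:%SZ",&t);
+returnapr_pstrdup(mp,tstr);
+}
+
+/**
+* send all waf fields in json format to a file.
+*/
+voidsend_waf_log(apr_global_mutex_t*lock,apr_file_t*fd,constchar*str1,constchar*ip_port,constchar*uri,constchar*time,intmode,constchar*hostname,request_rec*r) {
+intrc=0;
+char*json_str;
+charwaf_filename[1024]="";
+charwaf_line[1024]="";
+charwaf_id[1024]="";
+charwaf_message[1024]="";
+charwaf_data[1024]="";
+charwaf_ip[50]="";
+charwaf_port[50]="";
+charwaf_ruleset_info[200]="";
+charwaf_ruleset_type[50]="";
+charwaf_ruleset_version[50]="";
+charwaf_detail_message[1024]="";
+
+get_field_value("[file ","]",str1,waf_filename);
+get_field_value("[id ","]",str1,waf_id);
+get_field_value("[line ","]",str1,waf_line);
+get_field_value("[msg ","]",str1,waf_message);
+get_field_value("[data ","]",str1,waf_data);
+get_field_value("[ver ","]",str1,waf_ruleset_info);
+get_ip_port(ip_port,waf_ip,waf_port);
+get_detail_message(str1,waf_detail_message);
+get_short_filename(waf_filename);
+get_ruleset_type_version(waf_ruleset_info,waf_ruleset_type,waf_ruleset_version);
+
+rc=generate_json(&json_str,msc_waf_resourceId,WAF_LOG_UTIL_OPERATION_NAME,WAF_LOG_UTIL_CATEGORY,msc_waf_instanceId,waf_ip,waf_port,uri,waf_ruleset_type,waf_ruleset_version,waf_id,waf_message,mode,0,waf_detail_message,waf_data,waf_filename,waf_line,hostname,time);
+if (rc==WAF_LOG_UTIL_FAILED) {
+#ifAP_SERVER_MAJORVERSION_NUMBER>1&&AP_SERVER_MINORVERSION_NUMBER>2
+ap_log_rerror(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r,
+"ModSecurity: can't print json log");
+#else
+ap_log_error(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r->server,
+"ModSecurity: can't print json log");
+#endif
+return;
+}
+
+rc=write_file_with_lock(lock,fd,json_str);
+if (rc==WAF_LOG_UTIL_FAILED) {
+#ifAP_SERVER_MAJORVERSION_NUMBER>1&&AP_SERVER_MINORVERSION_NUMBER>2
+ap_log_rerror(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r,
+"ModSecurity: can't print json log");
+#else
+ap_log_error(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r->server,
+"ModSecurity: can't print json log");
+#endif
+}
+
+free_json(json_str);
+}
+#endif
+
 /**
 * Extended internal log helper function. Use msr_log instead. If fixup is
 * true, the message will be stripped of any trailing newline and any
@@ -274,6 +465,10 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
 }
 elserequestheaderhostname="";
 
+#ifdefWAF_JSON_LOGGING_ENABLE
+send_waf_log(msr->modsecurity->wafjsonlog_lock,dcfg->wafjsonlog_fd,str1,r->useragent_ip ?r->useragent_ip :r->connection->client_ip,log_escape(msr->mp,r->uri),waf_current_logtime(msr->mp),dcfg->is_enabled, (char*)msr->hostname,r);
+#endif
+
 #ifAP_SERVER_MAJORVERSION_NUMBER>1&&AP_SERVER_MINORVERSION_NUMBER>2
 ap_log_rerror(APLOG_MARK,APLOG_ERR |APLOG_NOERRNO,0,r,
 "[client %s] ModSecurity: %s%s [uri \"%s\"]%s%s",r->useragent_ip ?r->useragent_ip :r->connection->client_ip,str1,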
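--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -92,6 +92,10 @@ unsigned long int DSOLOCAL conn_write_state_limit = 0;
 TreeRootDSOLOCAL*conn_write_state_whitelist=0;
 TreeRootDSOLOCAL*conn_write_state_suspicious_list=0;
 
+#ifdefWAF_JSON_LOGGING_ENABLE
+charDSOLOCAL*msc_waf_resourceId="";
+charDSOLOCAL*msc_waf_instanceId="";
+#endif
 
 #if defined(WIN32)|| defined(VERSION_NGINX)
 int (*modsecDropAction)(request_rec*r)=NULL;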
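Review bot: `char DSOLOCAL *msc_waf_resourceId = "";` and the instanceId twin are non-const pointers to string literals, which is what forces the `(char*)p1` const-cast in cmd_waf_resourceId / cmd_waf_instanceId in apache2_config.c; nothing in the commit writes through them, so declare both as `const char DSOLOCAL *msc_waf_resourceId = "";` and drop the casts. A short comment above the pair, e.g. `/* Values of SecWafResourceId / SecWafInstanceId, set once at config-parse time and read by send_waf_log. */`, would tell the next reader why they are globals rather than directory-config fields. The extern declarations presumably live in waf_log_util_external.h, which is not in this view, so they need the same const qualifier.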
