Honor the SecRuleEngine while filtering connections

Felipe Zimmerle · Felipe Zimmerle · commit a15f8813e98c · 2014-03-31T16:22:10.000-07:00
The SecRuleEngine has the capability to Enable, Disable or even to place the
ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit
were not honoring such state, due the fact that our configuration belongs to
requests not to connections, the only struct that exists while those filters
are placed. By adding a global variable "conn_limits_filter_state" we are now
able to identify the current state of the ModSecurity, once the configuration
is loaded this variable is set and used by the connections filters.
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
@@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
+
     if (dcfg == NULL) return NULL;
 
-    if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED;
-    else
-    if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED;
-    else
-    if (strcasecmp(p1, "detectiononly") == 0) {
+    if (strcasecmp(p1, "on") == 0)
+    {
+        dcfg->is_enabled = MODSEC_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0)
+    {
+        dcfg->is_enabled = MODSEC_DISABLED;
+    }
+    else if (strcasecmp(p1, "detectiononly") == 0)
+    {
         dcfg->is_enabled = MODSEC_DETECTION_ONLY;
         dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
         dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
-    } else
-    return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                "SecRuleEngine: %s", p1);
+    }
+
+    conn_limits_filter_state = dcfg->is_enabled;
 
     return NULL;
 }
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
@@ -63,6 +63,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
+int DSOLOCAL conn_limits_filter_state = 0;
+
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
 TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
 TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0;
@@ -1419,27 +1421,28 @@ static int hook_connection_early(conn_rec *conn)
             }
         }
 
-
         if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
         {
             if (conn_read_state_suspicious_list &&
                 (tree_contains_ip(conn->pool,
                    conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
             {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "READ state from %s - There is a suspission list but " \
-                    "that IP is not part of it, access granted", ip_count_r,
-                    conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in READ state from %s - There is a suspission list " \
+                        "but that IP is not part of it, access granted",
+                        ip_count_r, conn_read_state_limit, client_ip);
             }
-
             else if (tree_contains_ip(conn->pool,
                 conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0)
             {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "READ state from %s - Ip is on whitelist, access granted",
-                    ip_count_r, conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in READ state from %s - Ip is on whitelist, access " \
+                        "granted", ip_count_r, conn_read_state_limit,
+                        client_ip);
             }
             else
             {
@@ -1448,7 +1451,9 @@ static int hook_connection_early(conn_rec *conn)
                     "threads [%ld] of %ld allowed in READ state from %s - " \
                     "Possible DoS Consumption Attack [Rejected]", ip_count_r,
                     conn_read_state_limit, client_ip);
-                return OK;
+
+                if (conn_limits_filter_state == MODSEC_ENABLED)
+                    return OK;
             }
         }
 
@@ -1458,19 +1463,22 @@ static int hook_connection_early(conn_rec *conn)
                 (tree_contains_ip(conn->pool,
                     conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
             {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "WRITE state from %s - There is a suspission list but " \
-                    "that IP is not part of it, access granted", ip_count_w,
-                    conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in WRITE state from %s - There is a suspission list " \
+                        "but that IP is not part of it, access granted",
+                        ip_count_w, conn_read_state_limit, client_ip);
             }
             else if (tree_contains_ip(conn->pool,
                 conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0)
             {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
-                    "WRITE state from %s - Ip is on whitelist, access granted",
-                    ip_count_w, conn_read_state_limit, client_ip);
+                if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                        "ModSecurity: Too many threads [%ld] of %ld allowed " \
+                        "in WRITE state from %s - Ip is on whitelist, " \
+                        "access granted", ip_count_w, conn_read_state_limit,
+                        client_ip);
             }
             else
             {
@@ -1479,7 +1487,9 @@ static int hook_connection_early(conn_rec *conn)
                     "threads [%ld] of %ld allowed in WRITE state from %s - " \
                     "Possible DoS Consumption Attack [Rejected]", ip_count_w,
                     conn_write_state_limit, client_ip);
-                return OK;
+
+                if (!conn_limits_filter_state == MODSEC_ENABLED)
+                    return OK;
             }
         }
     }
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
@@ -145,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
 extern DSOLOCAL int status_engine_state;
 
+extern DSOLOCAL int conn_limits_filter_state;
+
 extern DSOLOCAL unsigned long int conn_read_state_limit;
 extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
 extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;
