Adds support to suspicious and whitelist to Read and Write limits

The operators @ipMatch, @ipMatchF and @ipMatchFromFile were
added to the functions: SecReadStateLimit and SecReadStateLimit,
by using them it is possible to declare a suspicious list. When
a suspicious list is given, the {Read|Write}StateLimit will be
applied just to the IPs that belongs to that restricted list.
Note that the negative of those operators (e.g. !@ipMatch) can be
used to place a whitelist. The {Read|Write}StateLimit
restrictions will not be applied to those in the whitelist.
This current version the Sec{Read|Write}StateLimit can be used
varios times to add elements to both lists, however, the
last informed limit will be applied for the entire group. This
feature is experimental, and suggestions on how to improve it
are very welcome. For further discussion use the issue: #353.

Author: Felipe Zimmerle

apache2/apache2_config.c

@@ -1670,29 +1670,101 @@ static const char *cmd_rule_perf_time(cmd_parms *cmd, void *_dcfg,
     return NULL;
 }
 
+char *parser_conn_limits_operator(apr_pool_t *mp, const char *p2,
+    TreeRoot **whitelist, msre_ipmatch **whitelist_param,
+    TreeRoot **suspicious_list, msre_ipmatch **suspicious_list_param,
+    const char *filename)
+{
+    int res = 0;
+    char *config_orig_path;
+    char *param = strchr(p2, ' ');
+    char *file = NULL;
+    char *error_msg = NULL;
+    param++;
+
+    config_orig_path = apr_pstrndup(mp, filename,
+        strlen(filename) - strlen(apr_filepath_name_get(filename)));
+
+    apr_filepath_merge(&file, config_orig_path, param, APR_FILEPATH_TRUENAME,
+        mp);
+
+    if ((strncasecmp(p2, "!@ipMatchFromFile", strlen("!@ipMatchFromFile")) == 0) ||
+        (strncasecmp(p2, "!@ipMatchF", strlen("!@ipMatchF")) == 0)) {
+
+        res = ip_tree_from_file(whitelist,
+            file, mp, NULL);
+    }
+    else if (strncasecmp(p2, "!@ipMatch", strlen("!@ipMatch")) == 0) {
+        res = ip_list_from_param(mp, param,
+            whitelist_param, &error_msg);
+    }
+    else if ((strncasecmp(p2, "@ipMatchFromFile", strlen("@ipMatchFromFile")) == 0) ||
+        (strncasecmp(p2, "@ipMatchF", strlen("@ipMatchF")) == 0)) {
+
+        res = ip_tree_from_file(suspicious_list,
+            file, mp, NULL);
+    }
+    else if (strncasecmp(p2, "@ipMatch", strlen("@ipMatch")) == 0) {
+        res = ip_list_from_param(mp, param,
+            suspicious_list_param, &error_msg);
+    }
+    else {
+        return apr_psprintf(mp, "ModSecurity: Invalid operator for " \
+           "SecReadStateLimit: %s, expected operators: @ipMatch, @ipMatchF " \
+           "or @ipMatchFromFile with or without !", p2);
+    }
+
+    if (res) {
+        char *error;
+        error = apr_psprintf(mp, "ModSecurity: failed to load IPs " \
+            "from: %s", param);
+
+        if (*error_msg) {
+            error = apr_psprintf(mp, "%s %s", error, error_msg);
+        }
+
+        return error;
+    }
+
+    return NULL;
+}
+
+
 /**
 * \brief Add SecReadStateLimit configuration option
 *
 * \param cmd Pointer to configuration data
 * \param _dcfg Pointer to directory configuration
 * \param p1 Pointer to configuration option
+* \param p2 Pointer to configuration option
 *
 * \retval NULL On failure
 * \retval apr_psprintf On Success
 */
 static const char *cmd_conn_read_state_limit(cmd_parms *cmd, void *_dcfg,
-        const char *p1)
+        const char *p1, const char *p2)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
     if (dcfg == NULL) return NULL;
 
     limit = strtol(p1, NULL, 10);
-    if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
-        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecReadStateLimit: %s", p1);
+    if ((limit == LONG_MAX) || (limit == LONG_MIN) || (limit <= 0)) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+            "SecReadStateLimit: %s", p1);
     }
 
+    if (p2 != NULL) {
+        char *param = parser_conn_limits_operator(cmd->pool, p2,
+            &conn_read_state_whitelist, &conn_read_state_whitelist_param,
+            &conn_read_state_suspicious_list,
+            &conn_read_state_suspicious_list_param, cmd->directive->filename);
+
+        if (param)
+            return param;
+    }
+    
     conn_read_state_limit = limit;
 
     return NULL;
@@ -1704,21 +1776,33 @@ static const char *cmd_conn_read_state_limit(cmd_parms *cmd, void *_dcfg,
 * \param cmd Pointer to configuration data
 * \param _dcfg Pointer to directory configuration
 * \param p1 Pointer to configuration option
+* \param p2 Pointer to configuration option
 *
 * \retval NULL On failure
 * \retval apr_psprintf On Success
 */
 static const char *cmd_conn_write_state_limit(cmd_parms *cmd, void *_dcfg,
-        const char *p1)
+        const char *p1, const char *p2)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
     if (dcfg == NULL) return NULL;
 
     limit = strtol(p1, NULL, 10);
-    if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
-        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecWriteStateLimit: %s", p1);
+    if ((limit == LONG_MAX) || (limit == LONG_MIN) || (limit <= 0)) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+            "SecWriteStateLimit: %s", p1);
+    }
+
+    if (p2 != NULL) {
+        char *param = parser_conn_limits_operator(cmd->pool, p2,
+            &conn_write_state_whitelist, &conn_write_state_whitelist_param,
+            &conn_write_state_suspicious_list,
+            &conn_write_state_suspicious_list_param, cmd->directive->filename);
+
+        if (param)
+            return param;
     }
 
     conn_write_state_limit = limit;
@@ -3192,15 +3276,15 @@ const command_rec module_directives[] = {
         "Threshold to log slow rules in usecs."
     ),
 
-    AP_INIT_TAKE1 (
+    AP_INIT_TAKE12 (
         "SecReadStateLimit",
         cmd_conn_read_state_limit,
         NULL,
         CMD_SCOPE_ANY,
         "maximum number of threads in READ_BUSY state per ip address"
     ),
 
-    AP_INIT_TAKE1 (
+    AP_INIT_TAKE12 (
         "SecWriteStateLimit",
         cmd_conn_write_state_limit,
         NULL,

apache2/mod_security2.c

@@ -64,6 +64,15 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
+TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
+TreeRoot DSOLOCAL *conn_read_state_suspicious_list = 0;
+msre_ipmatch DSOLOCAL *conn_read_state_whitelist_param = 0;
+msre_ipmatch DSOLOCAL *conn_read_state_suspicious_list_param = 0;
+
+TreeRoot DSOLOCAL *conn_write_state_whitelist = 0;
+TreeRoot DSOLOCAL *conn_write_state_suspicious_list = 0;
+msre_ipmatch DSOLOCAL *conn_write_state_whitelist_param = 0;
+msre_ipmatch DSOLOCAL *conn_write_state_suspicious_list_param = 0;
 
 unsigned long int DSOLOCAL conn_write_state_limit = 0;
 
@@ -1363,29 +1372,30 @@ static int hook_connection_early(conn_rec *conn)
 {
     sb_handle *sb = conn->sbh;
     int i, j;
-    unsigned long int ip_count = 0, ip_count_w = 0;
+    unsigned long int ip_count_r = 0, ip_count_w = 0;
+    char *error_msg;
     worker_score *ws_record = NULL;
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
     ap_sb_handle_t *sbh = NULL;
+    char *client_ip = conn->client_ip;
+#else
+    char *client_ip = conn->remote_ip;
 #endif
 
-    if(sb != NULL && (conn_read_state_limit > 0 || conn_write_state_limit > 0))   {
+    if (sb != NULL && (conn_read_state_limit > 0 || conn_write_state_limit > 0)) {
 
         ws_record = &ap_scoreboard_image->servers[sb->child_num][sb->thread_num];
-        if(ws_record == NULL)
+        if (ws_record == NULL)
             return DECLINED;
 
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-        apr_cpystrn(ws_record->client, conn->client_ip, sizeof(ws_record->client));
-#else
-        apr_cpystrn(ws_record->client, conn->remote_ip, sizeof(ws_record->client));
-#endif
+        apr_cpystrn(ws_record->client, client_ip, sizeof(ws_record->client));
+
         for (i = 0; i < server_limit; ++i) {
             for (j = 0; j < thread_limit; ++j) {
 
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
                 sbh = conn->sbh;
-                if (sbh == NULL)        {
+                if (sbh == NULL) {
                     return DECLINED;
                 }
 
@@ -1394,50 +1404,96 @@ static int hook_connection_early(conn_rec *conn)
                 ws_record = ap_get_scoreboard_worker(i, j);
 #endif
 
-                if(ws_record == NULL)
+                if (ws_record == NULL)
                     return DECLINED;
 
                 switch (ws_record->status) {
                     case SERVER_BUSY_READ:
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-                        if (strcmp(conn->client_ip, ws_record->client) == 0)
-                            ip_count++;
-#else
-                        if (strcmp(conn->remote_ip, ws_record->client) == 0)
-                            ip_count++;
-#endif
+                        if (strcmp(client_ip, ws_record->client) == 0)
+                            ip_count_r++;
                         break;
+
                     case SERVER_BUSY_WRITE:
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-                        if (strcmp(conn->client_ip, ws_record->client) == 0)
-                            ip_count_w++;
-#else
-                        if (strcmp(conn->remote_ip, ws_record->client) == 0)
+                        if (strcmp(client_ip, ws_record->client) == 0)
                             ip_count_w++;
-#endif
+
                         break;
                     default:
                         break;
                 }
             }
         }
 
-        if ((conn_read_state_limit > 0) && (ip_count > conn_read_state_limit)) {
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Access denied with code 400. Too many threads [%ld] of %ld allowed in READ state from %s - Possible DoS Consumption Attack [Rejected]", ip_count,conn_read_state_limit,conn->client_ip);
-#else
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Access denied with code 400. Too many threads [%ld] of %ld allowed in READ state from %s - Possible DoS Consumption Attack [Rejected]", ip_count,conn_read_state_limit,conn->remote_ip);
-#endif
-            return OK;
-        } else if ((conn_write_state_limit > 0) && (ip_count_w > conn_write_state_limit)) {
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Access denied with code 400. Too many threads [%ld] of %ld allowed in WRITE state from %s - Possible DoS Consumption Attack [Rejected]", ip_count_w,conn_write_state_limit,conn->client_ip);
-#else
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Access denied with code 400. Too many threads [%ld] of %ld allowed in WRITE state from %s - Possible DoS Consumption Attack [Rejected]", ip_count_w,conn_write_state_limit,conn->remote_ip);
-#endif
-            return OK;
-        } else {
-            return DECLINED;
+
+        if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
+        {
+            if (conn_read_state_suspicious_list &&
+                (!((tree_contains_ip(conn->pool,
+                   conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0) ||
+                (list_contains_ip(conn->pool,
+                   conn_read_state_suspicious_list_param, client_ip, &error_msg) <= 0))))
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
+                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
+                    "READ state from %s - There is a suspission list but " \
+                    "that IP is not part of it, access granted", ip_count_r,
+                    conn_read_state_limit, client_ip);
+            }
+
+            else if ((tree_contains_ip(conn->pool,
+                conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0) ||
+                (list_contains_ip(conn->pool,
+                    conn_read_state_whitelist_param, client_ip, &error_msg) > 0))
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
+                    "READ state from %s - Ip is on whitelist, access granted",
+                    ip_count_r, conn_read_state_limit, client_ip);
+            }
+            else
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Access denied with code 400. Too many " \
+                    "threads [%ld] of %ld allowed in READ state from %s - " \
+                    "Possible DoS Consumption Attack [Rejected]", ip_count_r,
+                    conn_read_state_limit, client_ip);
+                return OK;
+            }
+        }
+
+        if (conn_write_state_limit > 0 && ip_count_w > conn_write_state_limit)
+        {
+            if (conn_write_state_suspicious_list &&
+                (!((tree_contains_ip(conn->pool,
+                    conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0) ||
+                (list_contains_ip(conn->pool,
+                    conn_write_state_suspicious_list_param, client_ip, &error_msg) <= 0))))
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
+                    "WRITE state from %s - There is a suspission list but " \
+                    "that IP is not part of it, access granted", ip_count_w,
+                    conn_read_state_limit, client_ip);
+            }
+            else if ((tree_contains_ip(conn->pool,
+                conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0) ||
+                (list_contains_ip(conn->pool,
+                    conn_write_state_whitelist_param, client_ip, &error_msg) > 0))
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Too many threads [%ld] of %ld allowed in " \
+                    "WRITE state from %s - Ip is on whitelist, access granted",
+                    ip_count_w, conn_read_state_limit, client_ip);
+            }
+            else
+            {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                    "ModSecurity: Access denied with code 400. Too many " \
+                    "threads [%ld] of %ld allowed in WRITE state from %s - " \
+                    "Possible DoS Consumption Attack [Rejected]", ip_count_w,
+                    conn_write_state_limit, client_ip);
+                return OK;
+            }
         }
     }
 

apache2/modsecurity.h

@@ -40,6 +40,7 @@ typedef struct msc_parm msc_parm;
 #include "msc_util.h"
 #include "msc_json.h"
 #include "msc_xml.h"
+#include "msc_tree.h"
 #include "msc_geo.h"
 #include "msc_gsb.h"
 #include "msc_unicode.h"
@@ -145,8 +146,16 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 extern DSOLOCAL int status_engine_state;
 
 extern DSOLOCAL unsigned long int conn_read_state_limit;
+extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
+extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;
+extern DSOLOCAL msre_ipmatch *conn_read_state_whitelist_param;
+extern DSOLOCAL msre_ipmatch *conn_read_state_suspicious_list_param;
 
 extern DSOLOCAL unsigned long int conn_write_state_limit;
+extern DSOLOCAL TreeRoot *conn_write_state_whitelist;
+extern DSOLOCAL TreeRoot *conn_write_state_suspicious_list;
+extern DSOLOCAL msre_ipmatch *conn_write_state_whitelist_param;
+extern DSOLOCAL msre_ipmatch *conn_write_state_suspicious_list_param;
 
 extern DSOLOCAL unsigned long int unicode_codepage;