Re: [Mod-security-developers] Question regarding calls to serverLog()
From: Felipe C. <FC...@tr...> - 2019-02-25 12:46:25
Hi Jai,

Sometimes logging is a consequence of a disruptive action; sometimes the logging is just a warning. On 3.0.2 the logging for disruptive (aka error on 2.x) was being generated as a warning as well. To avoid creating the same message twice, we have changed 3.0.3 to produce only warnings, and give access to the error message along with the disruptive structure.

Here is how the nginx connector is handling it:
https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/src/ngx_http_modsecurity_module.c#L139

Yes, performance is better and will be even better for the upcoming releases :)

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity

________________________________
From: Jai Harpalani via mod-security-developers <mod...@li...>
Sent: Wednesday, February 20, 2019 8:32 PM
To: mod-security-d.
Cc: Jai Harpalani
Subject: [Mod-security-developers] Question regarding calls to serverLog()

We are integrating ModSecurity into our product as a library, and using it to evaluate OWASP CRS rules. With version 3.0.2, all was working relatively well. With version 3.0.3, we are encountering problems. Details below.

We invoke setServerLogCb(ourCallbackMethod) and expect that ourCallbackMethod() will be invoked whenever a rule is triggered. This is the only way we know a rule has triggered, and this was working with version 3.0.2. With 3.0.3, this scheme does not work for all rules. Looking at the code in rule.cc, I notice that logic surrounding the invocation of trans->serverLog() which eventually invokes ourCallbackMethod() has changed. Due to these changes, ourCallbackMethod() is not called for all rules.

First question: Why were these changes made, and can they be reverted?

Second question: Are there other ways for our product-specific code to know that a rule has been triggered along with all the information in modsecurity::RuleMessage? In other words, are there any other hooks into ModSecurity that our product-specific code can use to get this information?

BTW, I am seeing a 2x speedup with version 3.0.3 vs 3.0.2 which is great. Good job on making ModSecurity more performant!