[Mod-security-developers] Fwd: Question regarding calls to serverLog()
From: Jai H. <jai...@mu...> - 2019-03-21 14:30:06
---------- Forwarded message ---------
From: Jai Harpalani <jai...@mu...>
Date: Wed, Mar 20, 2019 at 10:29 AM
Subject: Re: [Mod-security-developers] Question regarding calls to serverLog()
To: Felipe Costa <FC...@tr...>

Felipe,

I looked through the ngx_http_modsecurity_process_intervention(Transaction *transaction, ngx_http_request_t *r) nginx connector code that you referenced. In this code, how does one determine which rule(s) were triggered?

Thanks,
Jai

On Mon, Feb 25, 2019 at 6:46 AM Felipe Costa <FC...@tr...> wrote:
> Hi Jai,
>
> Sometimes logging is a consequence of a disruptive action; sometimes the logging is just a warning. On 3.0.2 the logging for disruptive (aka error on 2.x) was being generated as a warning as well. To avoid creating the same message twice, we have changed 3.0.3 to produce only warnings, and give access to error message along with the disruptive structure.
>
> Here is how the nginx connector is handling it:
>
> https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/src/ngx_http_modsecurity_module.c#L139
>
> Yes, performance is better and will be even better for the upcoming releases :)
>
> Br.,
>
> Felipe "Zimmerle" Costa
> Security Researcher, Lead Developer ModSecurity
> m: +55 81.98706.5547
> www.trustwave.com
>
> ------------------------------
> From: Jai Harpalani via mod-security-developers <mod...@li...>
> Sent: Wednesday, February 20, 2019 8:32 PM
> To: mod-security-d.
> Cc: Jai Harpalani
> Subject: [Mod-security-developers] Question regarding calls to serverLog()
>
> We are integrating ModSecurity into our product as a library, and using it to evaluate OWASP CRS rules. With version 3.0.2, all was working relatively well. With version 3.0.3, we are encountering problems. Details below.
>
> We invoke setServerLogCb(ourCallbackMethod) and expect that ourCallbackMethod() will be invoked whenever a rule is triggered. This is the only way we know a rule has triggered, and this was working with version 3.0.2. With 3.0.3, this scheme does not work for all rules.
>
> Looking at the code in rule.cc, I notice that logic surrounding the invocation of trans->serverLog() which eventually invokes ourCallbackMethod() has changed. Due to these changes, ourCallbackMethod() is not called for all rules.
>
> First question: Why were these changes made, and can they be reverted?
> Second question: Are there other ways for our product-specific code to know that a rule has been triggered along with all the information in modsecurity::RuleMessage? In other words, are there any other hooks into ModSecurity that our product-specific code can use to get this information?
>
> BTW, I am seeing a 2x speedup with version 3.0.3 vs 3.0.2 which is great. Good job on making ModSecurity more performant!