【requested help】 how to get the latest modsecurity-action in transaction event life-cycle #3326

Closed
xx-zhang opened this issue Jan 10, 2025 · 2 comments

@xx-zhang

I have tried your example and this is a log callback; I want the latest modsecurity-action, like passed or reject.

I want to do an action in process_request; what's the function to get the latest action? I want to set it to response-html.

```cpp
// https://github.com/xx-zhang/wf_waf_server/blob/master/src/wf_waf.cpp
#include <cstddef>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>

// Standard headers needed for std::cout, std::make_unique, std::string,
// std::this_thread and std::chrono used below
#include <chrono>
#include <iostream>
#include <memory>
#include <string>
#include <thread>

#include <workflow/WFHttpServer.h>
#include "modsecurity/rule_message.h"
#include "workflow/HttpMessage.h"
#include "workflow/HttpUtil.h"
#include "workflow/WFHttpServer.h"
#include "workflow/WFFacilities.h"

#include <modsecurity/modsecurity.h>
#include <modsecurity/rules.h>
#include <modsecurity/rules_set.h>
#include <modsecurity/transaction.h>

void process_request(WFHttpTask *task, modsecurity::ModSecurity *modsec, modsecurity::RulesSet *rules) {
    auto *req = task->get_req();
    auto *resp = task->get_resp();

    // create modsecurity Transaction event
    auto modsecTransaction = std::make_unique<modsecurity::Transaction>(modsec, rules, nullptr);
    modsecTransaction->processURI(req->get_request_uri(), req->get_method(), "1.1");
    std::this_thread::sleep_for(std::chrono::microseconds(5));

    // process request headers
    protocol::HttpHeaderCursor cursor(req);
    std::string header_name, header_value;
    while (cursor.next(header_name, header_value)) {
        // std::cout << header_name.c_str() << ":" << header_value.c_str() << std::endl;
        modsecTransaction->addRequestHeader(header_name.c_str(), header_value.c_str());
    }
    modsecTransaction->processRequestHeaders();

    // process request body
    const void *body;
    size_t body_len;
    req->get_parsed_body(&body, &body_len);
    modsecTransaction->appendRequestBody((const unsigned char *)body, body_len);
    modsecTransaction->processRequestBody();
    // ########################### ACTION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    modsecTransaction->processLogging(); // generate default alog
    resp->set_status_code("625");
    resp->append_output_body(modsecTransaction->m_id + "\r\n");
}


static WFFacilities::WaitGroup wait_group(1);

void sig_handler(int signo)
{
    wait_group.done();
}


static void logCb(void *data, const void *ruleMessagev) {
    if (ruleMessagev == NULL) {
        std::cout << "I've got a call but the message was null ;(";
        std::cout << std::endl;
        return;
    }

    const modsecurity::RuleMessage *ruleMessage = \
        reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev);

    std::cout << "Rule Id: " << std::to_string(ruleMessage->m_rule.m_ruleId);
    std::cout << " phase: " << std::to_string(ruleMessage->getPhase());
    std::cout << std::endl;
    if (ruleMessage->m_isDisruptive) {
        std::cout << " * Disruptive action: ";
        std::cout << modsecurity::RuleMessage::log(*ruleMessage);
        std::cout << std::endl;
        std::cout << " ** %d is meant to be informed by the webserver.";
        std::cout << std::endl;
    } else {
        std::cout << " * Match, but no disruptive action: ";
        std::cout << modsecurity::RuleMessage::log(*ruleMessage);
        std::cout << std::endl;
    }
}

int main() {

    auto modsec = std::make_unique<modsecurity::ModSecurity>();
    modsec->setConnectorInformation("ModSecurity-test v0.0.1-alpha" \
        " (ModSecurity test)");
    modsec->setServerLogCb(logCb, modsecurity::RuleMessageLogProperty
        | modsecurity::IncludeFullHighlightLogProperty);

    auto rules = std::make_unique<modsecurity::RulesSet>();

    if (rules->loadFromUri("./main.conf") < 0) {
        std::cerr << "Failed to load rules: " << rules->getParserError() << std::endl;
        return 1;
    }

    WFHttpServer server([&modsec, &rules](WFHttpTask *task) {
        process_request(task, modsec.get(), rules.get());
    });

    signal(SIGINT, sig_handler);

    if (server.start(8977) == 0) {
        getchar();
        server.stop();
    } else {
        std::cerr << "Failed to start server" << std::endl;
        return 1;
    }

    return 0;
}
```

@airween
Member

airween commented Jan 10, 2025

Hi @xx-zhang,

I don't see in your code that you handle (or at least use) any intervention object. Unfortunately there is only one example which demonstrates how it works - please take a look at that first.

You can't have any accurate information about the action, I mean you won't have the "name" of the action. You can get information about whether it is disruptive or not.
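
The intervention check mentioned in the reply above, sketched as an added example (not code from this thread or from the ModSecurity project). `Intervention` is a stand-in that mirrors the fields of libmodsecurity's `ModSecurityIntervention` so the block builds without the library; `Verdict`, `check_intervention` and `FakeTx` are hypothetical names, and the log text is constructed.

```cpp
#include <cstdlib>
#include <cstring>
#include <string>

// Stand-in mirroring libmodsecurity's ModSecurityIntervention fields (assumption).
struct Intervention {
    int status = 200;
    int pause = 0;
    char *url = nullptr;  // heap copy, freed by the caller
    char *log = nullptr;  // heap copy, freed by the caller
    int disruptive = 0;
};

struct Verdict {  // hypothetical result type handed back to the HTTP handler
    bool blocked = false;
    int status = 200;
    std::string redirect_url;
    std::string log;
};

// Tx is any type with `bool intervention(It *)`, the shape of
// modsecurity::Transaction::intervention(). Call it after each process*() phase.
template <class It, class Tx>
Verdict check_intervention(Tx &tx) {
    It it{};
    Verdict v;
    if (tx.intervention(&it)) {  // true only when a disruptive action fired
        v.blocked = true;
        v.status = it.status;    // the action's name is not available here
        if (it.url) v.redirect_url = it.url;
        if (it.log) v.log = it.log;
    }
    std::free(it.url); std::free(it.log);  // free(nullptr) is a no-op
    return v;
}

// Constructed fake transaction: one pending intervention, then none.
struct FakeTx {
    int pending_status;          // 0 means nothing pending
    bool intervention(Intervention *it) {
        if (pending_status == 0) return false;
        const char *msg = "Access denied (constructed sample)";
        it->status = pending_status;
        it->disruptive = 1;
        it->log = static_cast<char *>(std::malloc(std::strlen(msg) + 1));
        std::memcpy(it->log, msg, std::strlen(msg) + 1);
        pending_status = 0;      // reported once, then cleared
        return true;
    }
};
```

With libmodsecurity, the same helper would be called as `check_intervention<modsecurity::ModSecurityIntervention>(*modsecTransaction)` after `processURI()`, `processRequestHeaders()` and `processRequestBody()` in `process_request`; when `blocked` is set, the handler answers with `status` (or redirects to `redirect_url`) instead of serving the request.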

@xx-zhang
Author

> Hi @xx-zhang,
>
> I don't see in your code that you handle (or at least use) any intervention object. Unfortunately there is only one example which demonstrates how it works - please take a look at that first.
>
> You can't have any accurate information about the action, I mean you won't have the "name" of the action. You can get information about whether it is disruptive or not.

@airween it helps me a lot, thank you very much.
