/GolangWebApplicationFirewall

Test repository for Web Application Firewall code experiments in Golang

Primary LanguageGoGNU General Public License v3.0GPL-3.0

GolangWebApplicationFirewall

Test repository for Web Application Firewall code experiments in Golang

int retVal = msc_intervention( transaction, &intervention );

what sets this retVal?

deny.cc evaluate() drop.cc evaluate() redirect.cc evaluate()

~/ModSecurity/src/actions/disruptive transaction->m_it.disruptive = true;

transaction object has ModSecurityIntervention property ModSecurityIntervention object has disruptive property int

so what code calls e.g. deny.cc evaluate()

msc_append_request_body msc_append_response_body

e.g. msc_append_response_body this->m_rules->evaluate(modsecurity::RequestBodyPhase, this);

which calls deny.cc evaluate() which sets transaction->m_it.disruptive = true;

then by the time msc_intervention() is called this evalates to true bool Transaction::intervention(ModSecurityIntervention *it) {

thus the code con'ts and sets it->disruptive = m_it.disruptive;

which is the disruptive flag of the ModSecurityIntervention object passed in to the function and the msc_intervention() ends as

return it->disruptive;

How does a malicious request get detected? believe everything channelled here: int inter = msc_intervention( transaction, &intervention );

and checks intervention struct ModSecurityIntervention disruptive

what functions set "disruptive" flag? transaction.cc appendRequestBody appendResponseBody

wrappers? msc_append_request_body msc_append_response_body

deny.cc evaluate() drop.cc evaluate() redirect.cc evaluate()

IMPORTANT log sql injection attack details from here

rule_with_actions.cc void RuleWithActions::performLogging

modsecurity.cc void ModSecurity::serverLog(void *data, std::shared_ptr rm) {

rule_message.cc std::string RuleMessage::log(const RuleMessage *rm, int props, int code) { std::string RuleMessage::_details(const RuleMessage *rm) {

LOGGING transaction.cc extern "C" int msc_process_request_body( Transaction *transaction ) int Transaction::processRequestBody()

this->m_rules->evaluate(modsecurity::RequestBodyPhase, this);

IMPOSSIBLE having to hack ModSecurity code base directly now and insert log statements!

StevePro RulesSet::evaluate() 2 StevePro RulesSet::evaluate() 3

phase 3

Violate 942100 detected SQLi using libinjection

serverlog REQUEST-942-APPLICATION-ATTACK-SQLI.conf

line "45" line "1102" line "1188" line "1570"

"id:942100,\
phase:2,\

"id:942480,\
phase:2,\

RuleMessage::log() msg.append("[client " + std::string(*rm->m_clientIpAddress.get()) + "] "); msg.append("ModSecurity: Warning. "); msg.append("ModSecurity: Warning. "); msg.append(rm->m_match); msg.append(_details(rm));

ENCOURAGING I found this meesage i.e. m_match m_match_message.assign("detected SQLi using libinjection.");

in operators detect_sqi.h

Do I need to modify the SecRule to something like this? SecRule REQUEST_BODY "blocktest" "id:2,phase:2,deny,status:400,msg:'Test rule'"

Web Application Firewall in Go OWASP ModSecurity Core RuleSet https://medium.com/lightbaseio/web-application-firewall-in-go-feat-owasp-modsecurity-core-rule-set-3f97a26e3311