Adjustments on the error log

zimmerle · zimmerle · commit ecd7316e6a8e · 2020-09-28T13:20:51.000-03:00
i/o operations are expensive. Making sure that they were not
being executed/printed more than necessary.
diff --git a/src/rule_with_actions.cc b/src/rule_with_actions.cc
@@ -236,10 +236,12 @@ void RuleWithActions::executeActionsAfterFullMatch(Transaction *trans) const {
         }
     }
     if (!disruptiveAlreadyExecuted && m_actionDisruptiveAction != nullptr) {
+        trans->messageGetLast()->setRule(this);
         executeAction(trans,
             m_actionDisruptiveAction.get(), false);
     } else if  (!disruptiveAlreadyExecuted && hasBlockAction()
         && m_defaultActions.m_actionDisruptiveAction != nullptr) {
+        trans->messageGetLast()->setRule(this);
         executeAction(trans,
             m_defaultActions.m_actionDisruptiveAction.get(), false);
     }
diff --git a/src/rule_with_actions.h b/src/rule_with_actions.h
@@ -294,25 +294,27 @@ class RuleWithActions : public Rule, public RuleWithActionsProperties {
             return false;
         }
 
+        if (!hasDisruptiveAction() && !hasBlockAction()) {
+            return false;
+        }
+
         return true;
     }
 
-
     inline bool isItToBeAuditLogged() const noexcept {
-        if (!isItToBeLogged() && !m_containsAuditLogAction
-            && !m_defaultActions.m_containsAuditLogAction) {
-            return false;
+        if (m_containsAuditLogAction) {
+            return true;
         }
 
-        if (m_containsNoAuditLogAction) {
-            return false;
+        if (m_defaultActions.m_containsAuditLogAction && !m_containsNoAuditLogAction) {
+            return true;
         }
 
-        if (m_defaultActions.m_containsAuditLogAction && !m_containsAuditLogAction) {
-            return false;
+        if (isItToBeLogged()) {
+            return true;
         }
 
-        return true;
+        return false;
     }
 
 
diff --git a/src/transaction.cc b/src/transaction.cc
@@ -72,12 +72,12 @@ void TransactionRuleMessageManagement::logMatchLastRuleOnTheChain(const RuleWith
 
     rm->setRule(rule);
 
-    if (rule->hasDisruptiveAction() && rule->isItToBeLogged() &&
-        (m_transaction->getRuleEngineState() == RulesSet::DetectionOnlyRuleEngine)) {
+    if (rule->isItToBeLogged() &&
+        (m_transaction->getRuleEngineState() == RulesSet::EnabledRuleEngine)) {
         /* error */
         // The error goes over the disruptive massage. We don't need it here.
         //m_transaction->serverLog(rm);
-    } else if (rule->hasBlockAction() && rule->isItToBeLogged()) {
+    } else if (rule->isItToBeLogged()) {
         /* Log as warning. */
         m_transaction->serverLog(rm);
     }
diff --git a/test/test-cases/regression/config-secdefaultaction.json b/test/test-cases/regression/config-secdefaultaction.json
@@ -277,7 +277,13 @@
     },
     "rules":[
       "SecRuleEngine On",
-      "SecAuditEngine On",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogParts ABCFHZ",
+      "SecAuditLog /tmp/test/modsec_audit_auditlog_1.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0666",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^(?:3|4(?!04))\"",
       "SecDefaultAction \"phase:2,log,auditlog,status:302,redirect:'http://www.google.com'\"",
       "SecRule REQUEST_HEADERS \"@contains PHPSESSID\" \"phase:2,id:1,block\"",
       "SecRule TX \"@contains to_test\" \"id:2,t:lowercase,t:none,block\""
diff --git a/test/test-cases/regression/issue-1528.json b/test/test-cases/regression/issue-1528.json
@@ -27,12 +27,13 @@
   },
   "expected": {
     "debug_log": "Rule returned 1",
-    "error_log": "Matched \"Operator `Rx' with parameter `\\^attack\\$'"
+    "error_log": "Matched \"Operator `Rx' with parameter `\\^attack\\$'",
+    "http_code": 403
   },
   "rules": [
     "SecRuleEngine On",
     "SecAction \"id:1, setvar:tx.bad_value=attack\"",
-    "SecRule ARGS:param \"@rx ^%{tx.bad_value}$\" \"id:2,log\""
+    "SecRule ARGS:param \"@rx ^%{tx.bad_value}$\" \"id:2,log,deny\""
   ]
 }
 ]
diff --git a/test/test-cases/regression/issue-1844.json b/test/test-cases/regression/issue-1844.json
@@ -85,10 +85,12 @@
       ]
     },
     "expected":{
-      "error_log":"line \"55\""
+      "error_log":"line \"55\"",
+      "http_code": 403
     },
     "rules":[
       "SecRuleEngine On",
+      "SecDefaultAction \"phase:2,deny\"",
       "SecRule WEBAPPID \"@contains test2\" \"id:1,phase:3,pass,t:trim\"",
       "Include test-cases/data/big-file.conf"
     ]

Original file line number	Diff line number	Diff line change
`@@ -236,10 +236,12 @@ void RuleWithActions::executeActionsAfterFullMatch(Transaction *trans) const {`
`236`	`236`	`}`
`237`	`237`	`}`
`238`	`238`	`if (!disruptiveAlreadyExecuted && m_actionDisruptiveAction != nullptr) {`
	`239`	`+ trans->messageGetLast()->setRule(this);`
`239`	`240`	`executeAction(trans,`
`240`	`241`	`m_actionDisruptiveAction.get(), false);`
`241`	`242`	`} else if (!disruptiveAlreadyExecuted && hasBlockAction()`
`242`	`243`	`&& m_defaultActions.m_actionDisruptiveAction != nullptr) {`
	`244`	`+ trans->messageGetLast()->setRule(this);`
`243`	`245`	`executeAction(trans,`
`244`	`246`	`m_defaultActions.m_actionDisruptiveAction.get(), false);`
`245`	`247`	`}`
Original file line number	Diff line number	Diff line change
`@@ -294,25 +294,27 @@ class RuleWithActions : public Rule, public RuleWithActionsProperties {`
`294`	`294`	`return false;`
`295`	`295`	`}`
`296`	`296`
	`297`	`+ if (!hasDisruptiveAction() && !hasBlockAction()) {`
	`298`	`+ return false;`
	`299`	`+ }`
	`300`	`+`
`297`	`301`	`return true;`
`298`	`302`	`}`
`299`	`303`
`300`		`-`
`301`	`304`	`inline bool isItToBeAuditLogged() const noexcept {`
`302`		`- if (!isItToBeLogged() && !m_containsAuditLogAction`
`303`		`- && !m_defaultActions.m_containsAuditLogAction) {`
`304`		`- return false;`
	`305`	`+ if (m_containsAuditLogAction) {`
	`306`	`+ return true;`
`305`	`307`	`}`
`306`	`308`
`307`		`- if (m_containsNoAuditLogAction) {`
`308`		`- return false;`
	`309`	`+ if (m_defaultActions.m_containsAuditLogAction && !m_containsNoAuditLogAction) {`
	`310`	`+ return true;`
`309`	`311`	`}`
`310`	`312`
`311`		`- if (m_defaultActions.m_containsAuditLogAction && !m_containsAuditLogAction) {`
`312`		`- return false;`
	`313`	`+ if (isItToBeLogged()) {`
	`314`	`+ return true;`
`313`	`315`	`}`
`314`	`316`
`315`		`- return true;`
	`317`	`+ return false;`
`316`	`318`	`}`
`317`	`319`
`318`	`320`
Original file line number	Diff line number	Diff line change
`@@ -27,12 +27,13 @@`
`27`	`27`	`},`
`28`	`28`	`"expected": {`
`29`	`29`	`"debug_log": "Rule returned 1",`
`30`		- "error_log": "Matched \"Operator `Rx' with parameter `\\^attack\\$'"
	`30`	+ "error_log": "Matched \"Operator `Rx' with parameter `\\^attack\\$'",
	`31`	`+ "http_code": 403`
`31`	`32`	`},`
`32`	`33`	`"rules": [`
`33`	`34`	`"SecRuleEngine On",`
`34`	`35`	`"SecAction \"id:1, setvar:tx.bad_value=attack\"",`
`35`		`- "SecRule ARGS:param \"@rx ^%{tx.bad_value}$\" \"id:2,log\""`
	`36`	`+ "SecRule ARGS:param \"@rx ^%{tx.bad_value}$\" \"id:2,log,deny\""`
`36`	`37`	`]`
`37`	`38`	`}`
`38`	`39`	`]`
Original file line number	Diff line number	Diff line change
`@@ -85,10 +85,12 @@`
`85`	`85`	`]`
`86`	`86`	`},`
`87`	`87`	`"expected":{`
`88`		`- "error_log":"line \"55\""`
	`88`	`+ "error_log":"line \"55\"",`
	`89`	`+ "http_code": 403`
`89`	`90`	`},`
`90`	`91`	`"rules":[`
`91`	`92`	`"SecRuleEngine On",`
	`93`	`+ "SecDefaultAction \"phase:2,deny\"",`
`92`	`94`	`"SecRule WEBAPPID \"@contains test2\" \"id:1,phase:3,pass,t:trim\"",`
`93`	`95`	`"Include test-cases/data/big-file.conf"`
`94`	`96`	`]`