
Read fuzzy hash db on init #1339


Closed
wants to merge 2 commits into from
Closed
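--- a/apache2/re.h
+++ b/apache2/re.h
@@ -409,8 +409,14 @@ struct msre_cache_rec {
 apr_size_t val_len;
 };
 
+struct fuzzy_hash_chunk {
+const char *data;
+struct fuzzy_hash_chunk *next;
+};
+
 struct fuzzy_hash_param_data {
 const char *file;
+struct fuzzy_hash_chunk *head;
 int threshold;
 };
 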
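Review bot: The new `struct fuzzy_hash_chunk` and the `head` member are added without any comment on what they hold or who owns the memory. Judging by the init code in apache2/re_operators.c on this page, each `data` is one line of the hash file duplicated into the ruleset pool, and the list is built once at rule init and only read at request time. I would state that on the struct, e.g. `/* One line of the @fuzzyHash database file; list is built at rule init from the ruleset pool and is read-only afterwards. */`. A short comment on `file`, noting that the path is apparently kept only for the match message once the contents are cached, would also help.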
59 changes: 38 additions & 21 deletions apache2/re_operators.c
Expand Up @@ -1279,7 +1279,7 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
strncmp(fn, "http://", strlen("http://")) == 0)
{
*error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or " \
"file path are expected for operator pmFromFile \"%s\"", fn);
"file path are expected for operator pmFromFile \"%s\"", fn);
return 0;
}
else if (strlen(fn) > strlen("https://") &&
Expand Down Expand Up @@ -1316,7 +1316,7 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
msc_remote_clean_chunk(&chunk);
#else
*error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
"compiled with Curl support, it cannot load: \"%s\"", fn);
"compiled with Curl support, it cannot load: \"%s\"", fn);
return 0;
#endif
}
Expand Down Expand Up @@ -3828,15 +3828,20 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
{
#ifdef WITH_SSDEEP
struct fuzzy_hash_param_data *param_data;
struct fuzzy_hash_chunk *chunk, *t;
FILE *fp;
char *file;
int param_len,threshold;
char line[1024];

char *data = NULL;
char *threshold_str = NULL;

param_data = apr_palloc(rule->ruleset->mp,
sizeof(struct fuzzy_hash_param_data));

param_data->head = NULL;

data = apr_pstrdup(rule->ruleset->mp, rule->op_param);
threshold_str = data;
#endif
Expand Down Expand Up @@ -3876,14 +3881,37 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
}

file = resolve_relative_path(rule->ruleset->mp, rule->filename, file);

if (!fopen(file, "r"))

fp = fopen(file, "r");
if (!fp)
{
*error_msg = apr_psprintf(rule->ruleset->mp, "Not able to open file:" \
" %s.", file);
return -1;
}

while (read_line(line, sizeof(line), fp))
{
chunk = apr_palloc(rule->ruleset->mp,
sizeof(struct fuzzy_hash_chunk));

chunk->data = apr_pstrdup(rule->ruleset->mp, line);
chunk->next = NULL;

if (param_data->head == NULL) {
param_data->head = chunk;
} else {
t = param_data->head;

while (t->next) {
t = t->next;
}

t->next = chunk;
}
}

fclose(fp);

param_data->file = file;
param_data->threshold = threshold;
Expand All @@ -3909,8 +3937,7 @@ static int msre_op_fuzzy_hash_execute(modsec_rec *msr, msre_rule *rule,
#ifdef WITH_SSDEEP
char result[FUZZY_MAX_RESULT];
struct fuzzy_hash_param_data *param = rule->op_param_data;
FILE *fp;
char line[1024];
struct fuzzy_hash_chunk *chunk = param->head;
#endif

if (error_msg == NULL)
Expand All @@ -3929,29 +3956,19 @@ static int msre_op_fuzzy_hash_execute(modsec_rec *msr, msre_rule *rule,
return -1;
}

fp = fopen(param->file, "r");
if (!fp)
{
*error_msg = apr_psprintf(rule->ruleset->mp, "Not able to open " \
"fuzzy hash file: %s", param->file);

return 1;
}

while (read_line(line, sizeof(line), fp))
while (chunk != NULL)
{
int i = fuzzy_compare(line, result);
int i = fuzzy_compare(chunk->data, result);
msr_log(msr, 9, "%d (%s)", i, chunk->data);
if (i >= param->threshold)
{
*error_msg = apr_psprintf(msr->mp, "Fuzzy hash of %s matched " \
"with %s (from: %s). Score: %d.", var->name, line,
"with %s (from: %s). Score: %d.", var->name, chunk->data,
param->file, i);
fclose(fp);
return 1;
}
chunk = chunk->next;
}

fclose(fp);
#else
*error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
"compiled with ssdeep support.");
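Review bot: In msre_op_fuzzy_hash_init the new `while (read_line(...))` loop appends each chunk by walking the list from `param_data->head`, so loading is quadratic in the number of lines in the hash file and a large ssdeep database could noticeably slow every configuration load. A tail pointer, declared next to `t` and initialised to NULL, avoids the walk: `if (tail) tail->next = chunk; else param_data->head = chunk;` followed by `tail = chunk;`. Because the file is now read only at init, later edits to the hash file are not enforced until the configuration is reloaded, and a file that yields no lines leaves `head` NULL so the operator silently never matches. A comment above the loop and an init-time message for the empty case would make both behaviours explicit to operators. Both function bodies start and end outside the visible hunks, so this is based only on the lines shown.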