1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*/
#ifndef _ALP2_H_
#define _ALP2_H_
#include <apr_time.h>
#include <apr_uri.h>
#include "alp2_pp.h"
#include "pcre.h"
/* -- Data structures -- */
typedef struct alp2_msg_t alp2_msg_t;
struct alp2_msg_t {
const char *engine_message;
const char *target;
const char *id;
const char *rev;
const char *msg;
const char *data;
const char *file;
unsigned long file_line;
size_t offset;
int severity;
int warning;
apr_array_header_t *tags;
};
typedef struct auditlog2_t auditlog2_t;
struct auditlog2_t {
apr_pool_t *mp;
/* Transaction data */
const char *id;
apr_time_t timestamp;
unsigned int duration;
const char *src_ip;
unsigned int src_port;
const char *dst_ip;
unsigned int dst_port;
/* Request */
unsigned int request_line_valid;
const char *request_line;
const char *request_method;
const char *request_uri;
apr_uri_t *parsed_uri;
const char *request_protocol;
apr_table_t *request_headers;
/* Determine the hostname: The hostname from the URI is
* used where present, otherwise the value of the Host
* request header is used.
*
* If neither of these two is available we will use the
* combination of the destination IP and port as hostname.
*
* The resulting hostname may have the port attached.
*/
const char *hostname;
/* Response */
const char *response_protocol;
unsigned int response_status;
const char *response_message;
apr_table_t *response_headers;
const char *response_tfn;
/* Other */
apr_table_t *trailer_headers;
unsigned int was_intercepted;
unsigned int intercept_phase; /* -1 if interception did not happen */
const char *producer;
const char *server;
const char *handler;
const char *application_id;
const char *session_id;
const char *user_id;
apr_array_header_t *messages;
alp2_pp_entry_t *pp_entry;
};
typedef struct alp2_t alp2_t;
struct alp2_t {
apr_pool_t *mp;
void *user_data;
int (*user_callback)(alp2_t *alp);
alp2_pp_t *pp;
unsigned int previous_part_id;
unsigned int part_line_counter;
unsigned int part_data_done;
unsigned int seen_part_h;
unsigned int done;
unsigned int parse_error;
apr_array_header_t *errors;
/* Regular expression patterns. */
// TODO All these need reviewing
pcre *part_a_pattern;
pcre *request_line_pattern;
pcre *header_pattern;
pcre *response_line_pattern;
pcre *trailer_action_pattern;
pcre *trailer_stopwatch_pattern;
pcre *trailer_webappinfo_pattern;
auditlog2_t *auditlog;
};
/* Higher-level (user) parser. */
/* NOTE Parser will create a subpool for its own use, but each
* entry will be created in a separate subpool directly
* under the main pool. This allows the created audit log
* entries to survive the death of the parser.
*/
/* -- Functions -- */
int alp2_create(alp2_t **_alp, apr_pool_t *mp,
void *user_data, int (*user_callback)(alp2_t *alp));
int alp2_process(alp2_t *alp, const char *data, size_t len);
void alp2_destroy(alp2_t *alp);
auditlog2_t *alp2_auditlog_create(apr_pool_t *mp);
void alp2_auditlog_destroy(auditlog2_t *al);
#endif
|
