Open cbornet opened 3 years ago
That sounds like a great idea.
We already exchange variables within Lua - https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/engine/lua.cc#L258-L281
We also exchange transformations - https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/engine/lua.cc#L412-L478
Alternatively, libModSecurity could be ported to Lua (bindings) and all the inspection could be held on a Lua script.
Hello @zimmerle, any news on that feature?
Hi, @zimmerle, @fl0ppy-d1sk, @cbornet. I've been investigating this topic for a while.
```c
/* Added to the ModSecurity-nginx connector: look up a ModSecurity transaction
 * variable (e.g. "tx:anomaly_score") for the current request so that Lua can
 * read it through FFI. Returns NULL when the request carries no ModSecurity
 * context or no transaction. */
const char *
ngx_modsecurity_lua_ffi_transaction_variable(ngx_http_request_t *r, const char *v)
{
    ngx_http_modsecurity_ctx_t *ctx = NULL;
    Transaction *t = NULL;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
    if (ctx == NULL) {
        dd("no ctx found");
        return NULL;
    }

    t = ctx->modsec_transaction;
    if (t == NULL) {
        dd("no transaction found");
        return NULL;
    }

    /* value of the named variable from libmodsecurity, or NULL if unset */
    return msc_get_transaction_variable(t, v);
}
```
Having this, the variable value can be obtained from Lua code using an FFI function call:
```lua
local base = require "resty.core.base"
local get_request = base.get_request
local ffi = require "ffi"
local C = ffi.C
local msc = {}

ffi.cdef[[
typedef void ngx_http_request_t;
const char *ngx_modsecurity_lua_ffi_transaction_variable(ngx_http_request_t *r, const char *var_name);
]]

-- Wrap the FFI call: the C side returns NULL when there is no ModSecurity
-- transaction, and ffi.string() must never be called on a NULL pointer.
msc.transaction_variable = function(r, name)
    local p = C.ngx_modsecurity_lua_ffi_transaction_variable(r, name)
    if p == nil then
        return nil
    end
    return ffi.string(p)
end

local anoscore = msc.transaction_variable(get_request(), 'tx:anomaly_score')
```
I could provide a patch and pull request for the existing ModSecurity-nginx connector with Lua code to obtain variables in such a way.
It would be nice to have the variables of ModSecurity exposed to ngx/Lua (ngx.var), so we can do some treatment on the transaction (e.g. increment a Prometheus counter, set headers, ...). Something like having the variables $modsecurity_tx, $modsecurity_env, $modsecurity_geo available. Also having the possibility to get all the rules that matched and their metadata (I'm not sure in which var they are stored). Do you think that's feasible?
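As an added example (not code from this thread or from the ModSecurity-nginx project), here is a small OpenResty module that consumes the FFI accessor sketched in the comment above to do what the opening post asks for: read ModSecurity variables from Lua and count requests by anomaly score in a shared dict that a Prometheus exporter can scrape. It assumes the connector exports `ngx_modsecurity_lua_ffi_transaction_variable` as proposed, that nginx.conf declares `lua_shared_dict modsec_metrics 1m;`, and that the module is loaded once with `require` and its `record` function called from `log_by_lua_block`.

```lua
local ffi = require "ffi"
local base = require "resty.core.base"
local C = ffi.C
local get_request = base.get_request

-- resty.core.base already declares ngx_http_request_t; declare it only if
-- it is missing, otherwise ffi.cdef raises "attempt to redefine".
if not pcall(ffi.typeof, "ngx_http_request_t") then
    ffi.cdef[[ typedef void ngx_http_request_t; ]]
end
ffi.cdef[[
const char *ngx_modsecurity_lua_ffi_transaction_variable(ngx_http_request_t *r, const char *var_name);
]]
local _M = {}

-- Read one ModSecurity variable ("tx:anomaly_score", "env:...", "geo:...") as
-- a Lua string; nil if there is no request, no transaction or no such variable.
function _M.tx_var(name)
    local r = get_request()
    if r == nil then return nil end
    local p = C.ngx_modsecurity_lua_ffi_transaction_variable(r, name)
    if p == nil then return nil end   -- NULL pointer: never pass it to ffi.string
    return ffi.string(p)
end

-- Anomaly score as a number (variables arrive as strings; absent means 0).
function _M.anomaly_score()
    return tonumber(_M.tx_var("tx:anomaly_score")) or 0
end

-- log_by_lua_block: counters in a shared dict (shared across workers), ready
-- to be exposed by a Prometheus exporter. `threshold` is the score at which a
-- request is counted as suspicious (assumed value, set it to your rule set's
-- inbound anomaly threshold).
function _M.record(threshold)
    local score = _M.anomaly_score()
    local dict = ngx.shared.modsec_metrics
    if dict then
        dict:incr("modsec_requests_total", 1, 0)
        if score >= threshold then
            dict:incr("modsec_requests_suspicious_total", 1, 0)
        end
    end
    ngx.log(ngx.INFO, "modsec anomaly_score=", score)
    return score
end

return _M
```

The same `tx_var` helper can be called from `header_filter_by_lua_block` to set a response header for internal tooling; it cannot be used from `log_by_lua_block`, which runs after the response has been sent.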