Log clarification #443

Merged
merged 8 commits into from Oct 29, 2018

Contributor

sabban commented Oct 22, 2018

This pull request is to close #440.

This PR gets rid of log inconsistencies of "learning=1&block=1". We should see "config=learning" OR "config=block" or "config=learning-drop" when we drop in learning.

@buixor I hope this is what you meant

Manuel Sabban and others added some commits Oct 19, 2018

const char *fmt_score = "&cscore%d=%.*s&score%d=%zu";
const char *fmt_rm = "&zone%d=%s&id%d=%d&var_name%d=%.*s";
const char *fmt_config = ctx->learning ? (ctx->drop ? "learning-drop" : "learning" ) : (ctx->block ? "block" : (ctx->drop ? "drop" : "unknown"));
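
Review bot: `fmt_config` on the last line is not a format string like `fmt_score` and `fmt_rm` above it, it selects one of several literal values, so the `fmt_` prefix is misleading; a name such as `config` would read better. The four-way nested ternary is also hard to audit, and moving it into a small helper with explicit `if` branches would make the evaluation order of `learning`, `block` and `drop` obvious.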

jvoisin Oct 22, 2018

Collaborator

"unknown" should never happen, the right™ way would be to use an assertion here.

const char *fmt_score = "&cscore%d=%.*s&score%d=%zu";
const char *fmt_rm = "&zone%d=%s&id%d=%d&var_name%d=%.*s";
const char *fmt_config = ctx->learning ? (ctx->drop ? "learning-drop" : "learning" ) : (ctx->block ? "block" : (ctx->drop ? "drop" : ""));
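
Review bot: on the last line, when learning is off `ctx->block` is tested before `ctx->drop`, so a request with both flags set yields "block" and the drop is not reported; test `ctx->drop` first if drop should take priority. The fallback is now "", which hands consumers an empty value with no sign that an unexpected state was reached; an explicit assertion or a logged error on that branch would surface it.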

buixor Oct 23, 2018

Member

I think we want to be able to distinguish a request that was blocked because a rule triggered a drop while learning mode is off from a request that triggered a block while learning mode is off :)

(I tend to use DROP rules for vpatching or so, and thus might want to react differently to blocked and dropped requests)

sabban Oct 23, 2018

Author Contributor

This is the case in my proposal, or am I missing something?

The only quirk is if the request is blocked and dropped, it will be seen as blocked as it is evaluated first...

buixor Oct 23, 2018

Member

Yes, this is my point :) I guess in terms of priority drop > block

sabban Oct 23, 2018

Author Contributor

ok, then. It makes sense.

b94415f fixes this.

@@ -78,7 +100,7 @@ location /RequestDenied {
GET /x,y?uuu=b,c
--- error_code: 404
--- error_log eval
[qr@NAXSI_FMT: ip=127\.0\.0\.1&server=localhost&uri=/x,y&learning=1&vers=[^&]+&total_processed=1&total_blocked=1&block=1&cscore0=\$SQL&score0=8&zone0=URL&id0=1015&var_name0=&zone1=ARGS&id1=1015&var_name1=uuu@,
[qr@NAXSI_FMT: ip=127\.0\.0\.1&server=localhost&uri=\/x,y&vers=[^&]+&total_processed=1&total_blocked=1&config=learning&cscore0=\$SQL&score0=8&zone0=URL&id0=1015&var_name0=&zone1=ARGS&id1=1015&var_name1=uuu@,
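
Review bot: this expectation removes `learning=1` and `block=1` from the NAXSI_FMT line and adds `config=learning`, which changes field names and positions for anything that parses these logs, and nothing here documents that; the new `config` values deserve a changelog or documentation entry. The new pattern also writes `uri=\/x,y` where the old one had `uri=/x,y`; with `@` as the regex delimiter the escape is not needed and could be dropped to keep the diff minimal.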

smagnin Oct 23, 2018

Shouldn't it be "learning-drop" instead of "learning"?

sabban Oct 23, 2018

Author Contributor

Why? There's no drop in the configuration...

@sabban sabban merged commit d7ae4ff into master Oct 29, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@sabban sabban deleted the log_clarification branch Oct 29, 2018

Doemela commented Dec 16, 2018

Did update the fail2ban integration: https://github.com/nbs-system/naxsi/wiki/integration-fail2ban check if I did it correctly
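
For log consumers such as the fail2ban integration mentioned above, a parser that accepts both the old `learning=1&block=1` lines and the new `config=` lines; this is an added example, not code from the naxsi project or from anyone in this thread. The sample lines are constructed from the test expectation in this PR, and the treatment of legacy flags and of the nginx `, client: ` suffix are assumptions.

```python
# Added example: tolerant NAXSI_FMT parser for log consumers (not naxsi code).
CONFIG_VALUES = {"learning", "learning-drop", "block", "drop"}  # from fmt_config
DENYING = {"learning-drop", "block", "drop"}  # request was dropped or blocked

def parse_naxsi_fmt(line):
    """Parse one NAXSI_FMT log line; return None if the line is not one."""
    _, marker, payload = line.partition("NAXSI_FMT: ")
    if not marker:
        return None
    # Assumption: nginx appends ", client: ..." context after the payload.
    payload = payload.split(", client: ", 1)[0].strip()
    fields = dict(pair.partition("=")[::2] for pair in payload.split("&"))
    if "config" in fields:  # format introduced by this PR
        mode = fields["config"]
        if mode not in CONFIG_VALUES:
            raise ValueError("unexpected config value: %r" % mode)
    elif fields.get("learning") == "1":  # legacy; assumption: learning wins
        mode = "learning"
    elif fields.get("block") == "1":  # legacy
        mode = "block"
    else:
        mode = None  # cannot tell; the caller decides what to do
    matches, n = [], 0
    while "id%d" % n in fields:  # indexed zoneN/idN/var_nameN triples
        matches.append({"zone": fields.get("zone%d" % n),
                        "id": int(fields["id%d" % n]),
                        "var_name": fields.get("var_name%d" % n, "")})
        n += 1
    return {"ip": fields.get("ip"), "uri": fields.get("uri"), "mode": mode,
            "denied": mode in DENYING, "matches": matches}

# Constructed sample lines modelled on the test expectation in this PR;
# vers=X.Y.Z, the timestamp and the nginx prefix/suffix are placeholders.
_PRE = "2018/10/23 10:00:00 [error] 1#1: *1 NAXSI_FMT: ip=127.0.0.1&server=localhost&uri=/x,y"
_POST = ("&cscore0=$SQL&score0=8&zone0=URL&id0=1015&var_name0="
         "&zone1=ARGS&id1=1015&var_name1=uuu, client: 127.0.0.1, server: localhost")
OLD_LINE = _PRE + "&learning=1&vers=X.Y.Z&total_processed=1&total_blocked=1&block=1" + _POST
NEW_LINE = _PRE + "&vers=X.Y.Z&total_processed=1&total_blocked=1&config=learning" + _POST
DROP_LINE = NEW_LINE.replace("config=learning", "config=drop")

if __name__ == "__main__":
    for sample in (OLD_LINE, NEW_LINE, DROP_LINE):
        result = parse_naxsi_fmt(sample)
        print(result["mode"], result["denied"], result["matches"])
```

An unrecognised `config=` value raises rather than being passed through, so a future change to the set of values is noticed by the consumer instead of being silently misclassified.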
