Stream inspection #171

rcbarnett-zz · 2013-10-17T19:31:29Z

MODSEC-18: Go beyond the discrete inspection model we currently have implemented, and toward streaming inspection. The idea is that the code would generate a number of streams, each streaming transaction data but in a slightly different way. Examples include:

Request body (after dechunking and decompression)
Response body (before dechunking and decompression)
File content (one stream per uploaded file)

Implementation:

SecStreamingInspection On|Off - on by default.
SecStreamMatch TARGETS PATTERNS ACTIONS
We would reuse variable names for TARGETS.
PATTERNS is a list of @pm patterns.
The ACTIONS part would support a limited set of actions (e.g. no flow control ones, no phases).
We would initially support inspection of raw streams, but, at a later date, we can implement streaming transformation operators to allow for streaming transformation pipelines.
All instances of SecStreamMatch targeting the same stream (and, later, using the same tfn operators) would be combined into a single matching tree.

Stream inspection would occur in real-time, as the content is being processed. There are two advantages of this approach:

We can block on streaming-only mode (MODSEC-17).
Makes pre-qualification easier (and faster).

rcbarnett-zz · 2013-10-17T19:31:30Z

Original reporter: ivanr

rcbarnett-zz · 2013-10-17T19:31:30Z

ivanr: A more generic implementation would probably be a better choice. For example:

SecStreamInspect REQUEST_BODY "@pm one two" log,pass,t:none

victorhora · 2017-05-19T22:08:26Z

Already implemented:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#RESPONSE_BODY
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#STREAM_INPUT_BODY
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#STREAM_OUTPUT_BODY

csanders-git · 2017-05-19T22:14:10Z

You are not understanding what stream inspection means

victorhora · 2017-05-20T04:52:56Z

Thank you @csanders-git. Could you please clarify the meaning of stream inspection on this issue? And please let us know if this a feature that the community is missing.

csanders-git · 2017-05-20T22:03:26Z

@zimmerle could also easily explain what this means, this means treating HTTP requests incoming as a stream instead of assembling them into a buffered request.

victorhora · 2017-05-22T06:39:58Z

Nice. Thanks for clarifying @csanders-git. Is this something that the CRS and / or the community are currently missing? If yes, I'll happily tag it for libModSecurity and see if we get some traction, otherwise it should be treated as #304 as it had no update / interest or for the past 5 years.

Thanks for letting us know.

ghost assigned zimmerle Oct 17, 2013

victorhora closed this as completed May 19, 2017

victorhora reopened this May 20, 2017

victorhora added 2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x pending feedback labels Nov 14, 2018

zimmerle closed this as completed Dec 1, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stream inspection #171

Stream inspection #171

rcbarnett-zz commented Oct 17, 2013

rcbarnett-zz commented Oct 17, 2013

rcbarnett-zz commented Oct 17, 2013

victorhora commented May 19, 2017

csanders-git commented May 19, 2017

victorhora commented May 20, 2017 •

edited

csanders-git commented May 20, 2017

victorhora commented May 22, 2017

Stream inspection #171

Stream inspection #171

Comments

rcbarnett-zz commented Oct 17, 2013

rcbarnett-zz commented Oct 17, 2013

rcbarnett-zz commented Oct 17, 2013

victorhora commented May 19, 2017

csanders-git commented May 19, 2017

victorhora commented May 20, 2017 • edited

csanders-git commented May 20, 2017

victorhora commented May 22, 2017

victorhora commented May 20, 2017 •

edited