diff --git a/Makefile.am b/Makefile.am
index 9f32fde9a4..a618ae5e99 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -277,6 +277,7 @@ TESTS+=test/test-cases/regression/variable-variation-count.json
 TESTS+=test/test-cases/regression/variable-variation-exclusion.json
 TESTS+=test/test-cases/regression/variable-WEBAPPID.json
 TESTS+=test/test-cases/regression/variable-WEBSERVER_ERROR_LOG.json
+TESTS+=test/test-cases/regression/noauditlog-relevant.json
 TESTS+=test/test-cases/secrules-language-tests/operators/beginsWith.json
 TESTS+=test/test-cases/secrules-language-tests/operators/contains.json
 TESTS+=test/test-cases/secrules-language-tests/operators/containsWord.json
diff --git a/src/audit_log/audit_log.cc b/src/audit_log/audit_log.cc
index 50213d5df9..f0713b0bb8 100644
--- a/src/audit_log/audit_log.cc
+++ b/src/audit_log/audit_log.cc
@@ -304,11 +304,11 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
     if ((m_status == RelevantOnlyAuditLogStatus
         && this->isRelevant(transaction->m_httpCodeReturned) == false)
-        && saveAnyway == false) {
+        || saveAnyway == false) {
         ms_dbg_a(transaction, 9, "Return code `" +
             std::to_string(transaction->m_httpCodeReturned) + "'" \
             " is not interesting to audit logs, relevant code(s): `" +
-            m_relevant + "'.");
+            m_relevant + "', saveAnyway: `" + std::to_string(saveAnyway) + "'.");
         return false;
     }
diff --git a/test/test-cases/regression/noauditlog-relevant.json b/test/test-cases/regression/noauditlog-relevant.json
new file mode 100644
index 0000000000..787533b953
--- /dev/null
+++ b/test/test-cases/regression/noauditlog-relevant.json
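Review bot: Switching the outer `&&` to `||` makes `saveAnyway == false` short-circuit the save regardless of `m_status`, so a rule carrying `noauditlog` would suppress the audit record even with `SecAuditEngine On` if that status reaches this check, and noauditlog-relevant.json only exercises `RelevantOnly`; the code that computes saveAnyway and filters the other statuses sits before the hunk, so I cannot confirm it from here. If suppression under `On` is intended, a fifth case with `SecAuditEngine On` plus `noauditlog` would pin it; if `On` is meant to log every transaction, the check should be scoped as `if (m_status == RelevantOnlyAuditLogStatus && (!this->isRelevant(transaction->m_httpCodeReturned) || !saveAnyway)) {`. The debug message "Return code … is not interesting to audit logs" is now also emitted when the return code is relevant and the record is dropped because of `noauditlog` (Case 4 expects exactly that string for a 403 listed in SecAuditLogRelevantStatus), which misleads anyone investigating a missing audit entry; a separate branch logging `"Audit log suppressed by noauditlog action"` would keep the trace honest, and note that `std::to_string(saveAnyway)` prints the bool as `1`/`0`. saveIfRelevant begins before this hunk.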
@@ -0,0 +1,164 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Case 1. Rule matches the request but the return status code '403' is not relevant. The 'noauditlog' action is not specified.",
+    "client":{
+      "ip":"127.0.0.1",
+      "port":1234
+    },
+    "server":{
+      "ip":"127.0.0.1",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"index.php?foo=bar",
+      "method":"GET",
+      "body": ""
+    },
+    "expected": {
+      "http_code": 403,
+      "error_log": "Access denied with code 403",
+      "audit_log": "^$",
+      "debug_log": "Return code `403' is not interesting to audit logs"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogParts ABIJDEFHZ",
+      "SecAuditLog /tmp/test/modsec_audit.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0666",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^500\"",
+      "SecRule ARGS:foo \"@rx ^bar$\" \"id:1234,phase:request,deny,status:403\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Case 2. Rule matches the request but the return status code '403' is not relevant. The 'noauditlog' action is specified.",
+    "client":{
+      "ip":"127.0.0.1",
+      "port":1234
+    },
+    "server":{
+      "ip":"127.0.0.1",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"index.php?foo=bar",
+      "method":"GET",
+      "body": ""
+    },
+    "expected": {
+      "http_code": 403,
+      "error_log": "Access denied with code 403",
+      "audit_log": "^$",
+      "debug_log": "Return code `403' is not interesting to audit logs"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogParts ABIJDEFHZ",
+      "SecAuditLog /tmp/test/modsec_audit.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0666",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^500\"",
+      "SecRule ARGS:foo \"@rx ^bar$\" \"id:1234,phase:request,noauditlog,deny,status:403\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Case 3. Rule matches the request and the return status code '403' is relevant. The 'noauditlog' action is not specified.",
+    "client":{
+      "ip":"127.0.0.1",
+      "port":1234
+    },
+    "server":{
+      "ip":"127.0.0.1",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"index.php?foo=bar",
+      "method":"GET",
+      "body": ""
+    },
+    "expected": {
+      "http_code": 403,
+      "error_log": "Access denied with code 403",
+      "audit_log": "Access denied with code 403",
+      "debug_log": "Request was relevant to be saved"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogParts ABIJDEFHZ",
+      "SecAuditLog /tmp/test/modsec_audit.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0666",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^403\"",
+      "SecRule ARGS:foo \"@rx ^bar$\" \"id:1234,phase:request,deny,status:403\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Case 4. Rule matches the request and the return status code '403' is relevant. The 'noauditlog' action is specified.",
+    "client":{
+      "ip":"127.0.0.1",
+      "port":1234
+    },
+    "server":{
+      "ip":"127.0.0.1",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"index.php?foo=bar",
+      "method":"GET",
+      "body": ""
+    },
+    "expected": {
+      "http_code": 403,
+      "error_log": "Access denied with code 403",
+      "audit_log": "^$",
+      "debug_log": "Return code `403' is not interesting to audit logs"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogParts ABIJDEFHZ",
+      "SecAuditLog /tmp/test/modsec_audit.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0666",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^403\"",
+      "SecRule ARGS:foo \"@rx ^bar$\" \"id:1234,phase:request,noauditlog,deny,status:403\""
+    ]
+  }
+
+  ]
+ 
\ No newline at end of file