
allow to select what variables should be tracked

bui 1 년 전
부모
커밋
a7cd86f725
2개의 변경된 파일48개의 추가작업 그리고 20개의 파일을 삭제
  1. 27 2
      pkg/acquisition/modules/waf/utils.go
  2. 21 18
      pkg/acquisition/modules/waf/waf.go

+ 27 - 2
pkg/acquisition/modules/waf/utils.go

@@ -2,6 +2,7 @@ package wafacquisition
 
 import (
 	"fmt"
+	"regexp"
 	"time"
 
 	"github.com/crowdsecurity/coraza/v3/collection"
@@ -56,6 +57,13 @@ func LogWaapEvent(evt *types.Event) {
 	//log.Infof("%s", evt.Waap)
 }
 
+/*
+ how to configure variables to be kept:
+  1) full collection : tx.*
+  2) subvariables : tx.a*
+
+*/
+
 func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
 
 	//log.Infof("tx addr: %p", tx)
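Review bot: The new comment block documents glob-style patterns (`tx.*`, `tx.a*`), but the matching code added further down in this file compiles each entry with `regexp.MatchString("(?i)"+pattern, key)`, so `tx.*` is "tx followed by anything" and `tx.a*` is "tx, any character, then zero or more a" — neither is the subvariable selection the comment promises. The block is also separated from `AccumulateTxToEvent` by a blank line, so it is not attached to the function as a doc comment. I would replace it with a doc comment directly above the signature stating the real semantics, e.g. `// AccumulateTxToEvent copies into evt.Waap.Vars every transaction variable whose "COLLECTION.key" name matches one of the case-insensitive regular expressions in r.VariablesTracking (e.g. "TX\..*_score").` The body of `AccumulateTxToEvent` continues outside this hunk.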
@@ -78,6 +86,12 @@ func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind st
 		evt.Waap.Vars = map[string]string{}
 	}
 
+	// collectionsToKeep := []string{
+	// 	"toto",
+	// 	"TX.allowed_methods",
+	// 	"TX.*_score",
+	// }
+
 	tx.Variables().All(func(v variables.RuleVariable, col collection.Collection) bool {
 		for _, variable := range col.FindAll() {
 			key := ""
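Review bot: The commented-out `collectionsToKeep` slice is dead code left in the function body; it will drift from the real configuration and `"toto"` is clearly a debugging leftover. Either drop the block or move the useful part into the function's doc comment as a configuration example, e.g. `// Example variables_tracking entries: "TX.allowed_methods", "TX.*_score".` The enclosing function `AccumulateTxToEvent` starts and ends outside this hunk.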
@@ -89,8 +103,19 @@ func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind st
 			if variable.Value() == "" {
 				continue
 			}
-			evt.Waap.Vars[key] = variable.Value()
-			r.logger.Infof("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
+			for _, collectionToKeep := range r.VariablesTracking {
+				match, err := regexp.MatchString("(?i)"+collectionToKeep, key)
+				if err != nil {
+					r.logger.Warningf("error matching %s with %s: %s", key, collectionToKeep, err)
+					continue
+				}
+				if match {
+					evt.Waap.Vars[key] = variable.Value()
+					r.logger.Infof("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
+				} else {
+					r.logger.Infof("%s.%s != %s (%s) (not kept)", variable.Variable().Name(), variable.Key(), collectionToKeep, variable.Value())
+				}
+			}
 		}
 		return true
 	})
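Review bot: `regexp.MatchString` recompiles every pattern for every variable of every transaction, and because the patterns are unanchored `TX.allowed_methods` also selects any key that merely contains that text; a pattern that fails to compile is only discovered as a per-variable warning at runtime rather than rejected when the datasource is configured. The inner loop also logs at Info for each (variable, pattern) pair, so one variable produces one "not kept" line per non-matching pattern and is stored and logged once per pattern that does match, and those lines include `variable.Value()`, which for WAF transaction variables can carry request content that should not land in the agent log at Info level. I would compile the patterns once (ideally in `Configure` in the waf.go hunk below, stored alongside `VariablesTracking`, so bad regexes fail fast), decide keep/drop per variable with a single anchored match, and log the value only at Debug. Within this hunk that looks like the rewrite below; `AccumulateTxToEvent` starts and ends outside the hunk.

```go
			// … unchanged: key construction and empty-value skip …
			kept := false
			for _, collectionToKeep := range r.VariablesTracking {
				// NOTE(review): compiling here keeps the change local; prefer precompiled patterns from Configure
				match, err := regexp.MatchString("(?i)^"+collectionToKeep+"$", key)
				if err != nil {
					r.logger.Warningf("error matching %s with %s: %s", key, collectionToKeep, err)
					continue
				}
				if match {
					kept = true
					break
				}
			}
			if !kept {
				r.logger.Debugf("%s.%s not kept", variable.Variable().Name(), variable.Key())
				continue
			}
			evt.Waap.Vars[key] = variable.Value()
			r.logger.Debugf("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
```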

+ 21 - 18
pkg/acquisition/modules/waf/waf.go

@@ -31,21 +31,23 @@ const (
 )
 
 type WafRunner struct {
-	outChan          chan types.Event
-	inChan           chan waf.ParsedRequest
-	inBandWaf        coraza.WAF
-	outOfBandWaf     coraza.WAF
-	UUID             string
-	RulesCollections []*waf.WafRulesCollection
-	logger           *log.Entry
+	outChan           chan types.Event
+	inChan            chan waf.ParsedRequest
+	inBandWaf         coraza.WAF
+	outOfBandWaf      coraza.WAF
+	UUID              string
+	RulesCollections  []*waf.WafRulesCollection
+	logger            *log.Entry
+	VariablesTracking []string
 }
 
 type WafSourceConfig struct {
-	ListenAddr                        string `yaml:"listen_addr"`
-	ListenPort                        int    `yaml:"listen_port"`
-	Path                              string `yaml:"path"`
-	WafRoutines                       int    `yaml:"waf_routines"`
-	Debug                             bool   `yaml:"debug"`
+	ListenAddr                        string   `yaml:"listen_addr"`
+	ListenPort                        int      `yaml:"listen_port"`
+	Path                              string   `yaml:"path"`
+	WafRoutines                       int      `yaml:"waf_routines"`
+	Debug                             bool     `yaml:"debug"`
+	VariablesTracking                 []string `yaml:"variables_tracking"`
 	configuration.DataSourceCommonCfg `yaml:",inline"`
 }
 
@@ -250,12 +252,13 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error {
 		}
 
 		runner := WafRunner{
-			outOfBandWaf:     outofbandwaf,
-			inBandWaf:        inbandwaf,
-			inChan:           w.InChan,
-			UUID:             wafUUID,
-			RulesCollections: rulesCollections,
-			logger:           wafLogger,
+			outOfBandWaf:      outofbandwaf,
+			inBandWaf:         inbandwaf,
+			inChan:            w.InChan,
+			UUID:              wafUUID,
+			RulesCollections:  rulesCollections,
+			logger:            wafLogger,
+			VariablesTracking: w.config.VariablesTracking,
 		}
 		w.WafRunners[nbRoutine] = runner
 	}