We use cookies to ensure you get the best experience on our website
Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
0ct0pu5
/
crowdsec
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: a7cd86f725
Atzari Tagi
crowdsec
/
pkg
/
acquisition
/
modules
/
waf
/
utils.go

utils.go 4.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. package wafacquisition
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"regexp"
    6. 

  6. 	"time"
    7. 

  7. 

  8. 	"github.com/crowdsecurity/coraza/v3/collection"
    9. 

  9. 	"github.com/crowdsecurity/coraza/v3/experimental"
    10. 

  10. 	"github.com/crowdsecurity/coraza/v3/types/variables"
    11. 

  11. 	"github.com/crowdsecurity/crowdsec/pkg/types"
    12. 

  12. 	"github.com/crowdsecurity/crowdsec/pkg/waf"
    13. 

  13. 	"github.com/prometheus/client_golang/prometheus"
    14. 

  14. )
    15. 

  15. 

  16. func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
    17. 

  17. 	evt := types.Event{}
    18. 

  18. 	//we might want to change this based on in-band vs out-of-band ?
    19. 

  19. 	evt.Type = types.LOG
    20. 

  20. 	evt.ExpectMode = types.LIVE
    21. 

  21. 	//def needs fixing
    22. 

  22. 	evt.Stage = "s00-raw"
    23. 

  23. 	evt.Process = true
    24. 

  24. 	evt.Parsed = map[string]string{
    25. 

  25. 		"source_ip":   r.ClientIP,
    26. 

  26. 		"target_host": r.Host,
    27. 

  27. 		"target_uri":  r.URI,
    28. 

  28. 		"method":      r.Method,
    29. 

  29. 		"req_uuid":    r.Tx.ID(),
    30. 

  30. 		"source":      "coraza",
    31. 

  31. 

  32. 		//TBD:
    33. 

  33. 		//http_status
    34. 

  34. 		//user_agent
    35. 

  35. 

  36. 	}
    37. 

  37. 	evt.Line = types.Line{
    38. 

  38. 		Time: time.Now(),
    39. 

  39. 		//should we add some info like listen addr/port/path ?
    40. 

  40. 		Labels:  map[string]string{"type": "coraza-waf"},
    41. 

  41. 		Process: true,
    42. 

  42. 		Module:  "waf",
    43. 

  43. 		Src:     "waf",
    44. 

  44. 		Raw:     "dummy-waf-data", //we discard empty Line.Raw items :)
    45. 

  45. 	}
    46. 

  46. 	evt.Waap = types.WaapEvent{}
    47. 

  47. 

  48. 	return evt, nil
    49. 

  49. }
    50. 

  50. 

  51. func LogWaapEvent(evt *types.Event) {
    52. 

  52. 	/*log.WithFields(log.Fields{
    53. 

  53. 		"module":     "waf",
    54. 

  54. 		"source":     evt.Parsed["source_ip"],
    55. 

  55. 		"target_uri": evt.Parsed["target_uri"],
    56. 

  56. 	}).Infof("%s triggered %d rules [%+v]", evt.Parsed["source_ip"], len(evt.Waap), evt.Waap.GetRuleIDs())*/
    57. 

  57. 	//log.Infof("%s", evt.Waap)
    58. 

  58. }
    59. 

  59. 

  60. /*
    61. 

  61.  how to configure variables to be kept:
    62. 

  62.   1) full collection : tx.*
    63. 

  63.   2) subvariables : tx.a*
    64. 

  64. 

  65. */
    66. 

  66. 

  67. func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
    68. 

  68. 

  69. 	//log.Infof("tx addr: %p", tx)
    70. 

  70. 	if tx.IsInterrupted() {
    71. 

  71. 		r.logger.Infof("interrupted() = %t", tx.IsInterrupted())
    72. 

  72. 		r.logger.Infof("interrupted.action = %s", tx.Interruption().Action)
    73. 

  73. 		if evt.Meta == nil {
    74. 

  74. 			evt.Meta = map[string]string{}
    75. 

  75. 		}
    76. 

  76. 		evt.Parsed["interrupted"] = "true"
    77. 

  77. 		evt.Parsed["action"] = tx.Interruption().Action
    78. 

  78. 

  79. 		//log.Infof("action: %s", tx.Interruption().Action)
    80. 

  80. 

  81. 		evt.Meta["waap_interrupted"] = "1"
    82. 

  82. 		evt.Meta["waap_action"] = tx.Interruption().Action
    83. 

  83. 	}
    84. 

  84. 

  85. 	if evt.Waap.Vars == nil {
    86. 

  86. 		evt.Waap.Vars = map[string]string{}
    87. 

  87. 	}
    88. 

  88. 

  89. 	// collectionsToKeep := []string{
    90. 

  90. 	// 	"toto",
    91. 

  91. 	// 	"TX.allowed_methods",
    92. 

  92. 	// 	"TX.*_score",
    93. 

  93. 	// }
    94. 

  94. 

  95. 	tx.Variables().All(func(v variables.RuleVariable, col collection.Collection) bool {
    96. 

  96. 		for _, variable := range col.FindAll() {
    97. 

  97. 			key := ""
    98. 

  98. 			if variable.Key() == "" {
    99. 

  99. 				key = variable.Variable().Name()
    100. 

  100. 			} else {
    101. 

  101. 				key = variable.Variable().Name() + "." + variable.Key()
    102. 

  102. 			}
    103. 

  103. 			if variable.Value() == "" {
    104. 

  104. 				continue
    105. 

  105. 			}
    106. 

  106. 			for _, collectionToKeep := range r.VariablesTracking {
    107. 

  107. 				match, err := regexp.MatchString("(?i)"+collectionToKeep, key)
    108. 

  108. 				if err != nil {
    109. 

  109. 					r.logger.Warningf("error matching %s with %s: %s", key, collectionToKeep, err)
    110. 

  110. 					continue
    111. 

  111. 				}
    112. 

  112. 				if match {
    113. 

  113. 					evt.Waap.Vars[key] = variable.Value()
    114. 

  114. 					r.logger.Infof("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
    115. 

  115. 				} else {
    116. 

  116. 					r.logger.Infof("%s.%s != %s (%s) (not kept)", variable.Variable().Name(), variable.Key(), collectionToKeep, variable.Value())
    117. 

  117. 				}
    118. 

  118. 			}
    119. 

  119. 		}
    120. 

  120. 		return true
    121. 

  121. 	})
    122. 

  122. 

  123. 	r.logger.Infof("variables addr in AccumulateTxToEvent: %p", tx.Variables())
    124. 

  124. 	//log.Infof("variables: %s", spew.Sdump(tx.Variables()))
    125. 

  125. 	//log.Infof("tx variables: %+v", tx.Collection(variables.TX))
    126. 

  126. 	//log.Infof("TX %s", spew.Sdump(tx.MatchedRules()))
    127. 

  127. 	for _, rule := range tx.MatchedRules() {
    128. 

  128. 		if rule.Message() == "" {
    129. 

  129. 			continue
    130. 

  130. 		}
    131. 

  131. 		WafRuleHits.With(prometheus.Labels{"rule_id": fmt.Sprintf("%d", rule.Rule().ID()), "type": kind}).Inc()
    132. 

  132. 

  133. 		corazaRule := map[string]interface{}{
    134. 

  134. 			"id":         rule.Rule().ID(),
    135. 

  135. 			"uri":        evt.Parsed["uri"],
    136. 

  136. 			"rule_type":  kind,
    137. 

  137. 			"method":     evt.Parsed["method"],
    138. 

  138. 			"disruptive": rule.Disruptive(),
    139. 

  139. 			"tags":       rule.Rule().Tags(),
    140. 

  140. 			"file":       rule.Rule().File(),
    141. 

  141. 			"file_line":  rule.Rule().Line(),
    142. 

  142. 			"revision":   rule.Rule().Revision(),
    143. 

  143. 			"secmark":    rule.Rule().SecMark(),
    144. 

  144. 			"accuracy":   rule.Rule().Accuracy(),
    145. 

  145. 			"msg":        rule.Message(),
    146. 

  146. 			"severity":   rule.Rule().Severity().String(),
    147. 

  147. 		}
    148. 

  148. 		evt.Waap.MatchedRules = append(evt.Waap.MatchedRules, corazaRule)
    149. 

  149. 	}
    150. 

  150. 

  151. 	return nil
    152. 

  152. }
    153.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5