crowdsec/pkg/appsec/appsec_rule/modsec_rule_test.go

package appsec_rule

import "testing"

func TestVPatchRuleString(t *testing.T) {
	tests := []struct {
		name     string
		rule     CustomRule
		expected string
	}{
		{
			name: "Collection count",
			rule: CustomRule{
				Zones:     []string{"ARGS"},
				Variables: []string{"foo"},
				Match:     Match{Type: "eq", Value: "1"},
				Transform: []string{"count"},
			},
			expected: `SecRule &ARGS_GET:foo "@eq 1" "id:853070236,phase:2,deny,log,msg:'Collection count',tag:'crowdsec-Collection count'"`,
		},
		{
			name: "Base Rule",
			rule: CustomRule{
				Zones:     []string{"ARGS"},
				Variables: []string{"foo"},
				Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
				Transform: []string{"lowercase"},
			},
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:2203944045,phase:2,deny,log,msg:'Base Rule',tag:'crowdsec-Base Rule',t:lowercase"`,
		},
		{
			name: "One zone, multi var",
			rule: CustomRule{
				Zones:     []string{"ARGS"},
				Variables: []string{"foo", "bar"},
				Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
				Transform: []string{"lowercase"},
			},
			expected: `SecRule ARGS_GET:foo|ARGS_GET:bar "@rx [^a-zA-Z]" "id:385719930,phase:2,deny,log,msg:'One zone, multi var',tag:'crowdsec-One zone, multi var',t:lowercase"`,
		},
		{
			name: "Base Rule #2",
			rule: CustomRule{
				Zones: []string{"METHOD"},
				Match: Match{Type: "startsWith", Value: "toto"},
			},
			expected: `SecRule REQUEST_METHOD "@beginsWith toto" "id:2759779019,phase:2,deny,log,msg:'Base Rule #2',tag:'crowdsec-Base Rule #2'"`,
		},
		{
			name: "Base Negative Rule",
			rule: CustomRule{
				Zones: []string{"METHOD"},
				Match: Match{Type: "startsWith", Value: "toto", Not: true},
			},
			expected: `SecRule REQUEST_METHOD "!@beginsWith toto" "id:3966251995,phase:2,deny,log,msg:'Base Negative Rule',tag:'crowdsec-Base Negative Rule'"`,
		},
		{
			name: "Multiple Zones",
			rule: CustomRule{
				Zones:     []string{"ARGS", "BODY_ARGS"},
				Variables: []string{"foo"},
				Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
				Transform: []string{"lowercase"},
			},
			expected: `SecRule ARGS_GET:foo|ARGS_POST:foo "@rx [^a-zA-Z]" "id:3387135861,phase:2,deny,log,msg:'Multiple Zones',tag:'crowdsec-Multiple Zones',t:lowercase"`,
		},
		{
			name: "Multiple Zones Multi Var",
			rule: CustomRule{
				Zones:     []string{"ARGS", "BODY_ARGS"},
				Variables: []string{"foo", "bar"},
				Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
				Transform: []string{"lowercase"},
			},
			expected: `SecRule ARGS_GET:foo|ARGS_GET:bar|ARGS_POST:foo|ARGS_POST:bar "@rx [^a-zA-Z]" "id:1119773585,phase:2,deny,log,msg:'Multiple Zones Multi Var',tag:'crowdsec-Multiple Zones Multi Var',t:lowercase"`,
		},
		{
			name: "Multiple Zones No Vars",
			rule: CustomRule{
				Zones:     []string{"ARGS", "BODY_ARGS"},
				Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
				Transform: []string{"lowercase"},
			},
			expected: `SecRule ARGS_GET|ARGS_POST "@rx [^a-zA-Z]" "id:2020110336,phase:2,deny,log,msg:'Multiple Zones No Vars',tag:'crowdsec-Multiple Zones No Vars',t:lowercase"`,
		},
		{
			name: "Basic AND",
			rule: CustomRule{
				And: []CustomRule{
					{

						Zones:     []string{"ARGS"},
						Variables: []string{"foo"},
						Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
						Transform: []string{"lowercase"},
					},
					{
						Zones:     []string{"ARGS"},
						Variables: []string{"bar"},
						Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
						Transform: []string{"lowercase"},
					},
				},
			},
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:4145519614,phase:2,deny,log,msg:'Basic AND',tag:'crowdsec-Basic AND',t:lowercase,chain"
SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:1865217529,phase:2,deny,log,msg:'Basic AND',tag:'crowdsec-Basic AND',t:lowercase"`,
		},
		{
			name: "Basic OR",
			rule: CustomRule{
				Or: []CustomRule{
					{
						Zones:     []string{"ARGS"},
						Variables: []string{"foo"},
						Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
						Transform: []string{"lowercase"},
					},
					{
						Zones:     []string{"ARGS"},
						Variables: []string{"bar"},
						Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
						Transform: []string{"lowercase"},
					},
				},
			},
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:651140804,phase:2,deny,log,msg:'Basic OR',tag:'crowdsec-Basic OR',t:lowercase,skip:1"
SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:271441587,phase:2,deny,log,msg:'Basic OR',tag:'crowdsec-Basic OR',t:lowercase"`,
		},
		{
			name: "OR AND mix",
			rule: CustomRule{
				And: []CustomRule{
					{
						Zones:     []string{"ARGS"},
						Variables: []string{"foo"},
						Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
						Transform: []string{"lowercase"},
						Or: []CustomRule{
							{
								Zones:     []string{"ARGS"},
								Variables: []string{"foo"},
								Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
								Transform: []string{"lowercase"},
							},
							{
								Zones:     []string{"ARGS"},
								Variables: []string{"bar"},
								Match:     Match{Type: "regex", Value: "[^a-zA-Z]"},
								Transform: []string{"lowercase"},
							},
						},
					},
				},
			},
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:1714963250,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase,skip:1"
SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:1519945803,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase"
SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:1519945803,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase"`,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			actual, _, err := tt.rule.Convert(ModsecurityRuleType, tt.name)

			if err != nil {
				t.Errorf("Error converting rule: %s", err)
			}
			if actual != tt.expected {
				t.Errorf("Expected:\n%s\nGot:\n%s", tt.expected, actual)
			}
		})
	}
}
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`package appsec_rule`

			`import "testing"`

			`func TestVPatchRuleString(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`rule CustomRule`
			`expected string`
			`}{`
[appsec] implement count transformation (#2698) * implement count transfo 2024-01-12 13:30:08 +00:00			`{`
			`name: "Collection count",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "eq", Value: "1"},`
[appsec] implement count transformation (#2698) * implement count transfo 2024-01-12 13:30:08 +00:00			`Transform: []string{"count"},`
			`},`
			expected: `SecRule &ARGS_GET:foo "@eq 1" "id:853070236,phase:2,deny,log,msg:'Collection count',tag:'crowdsec-Collection count'"`,
			`},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`{`
			`name: "Base Rule",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:2203944045,phase:2,deny,log,msg:'Base Rule',tag:'crowdsec-Base Rule',t:lowercase"`,
			`},`
fix multizone multivar (#2727) 2024-01-12 09:11:13 +00:00			`{`
			`name: "One zone, multi var",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo", "bar"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
fix multizone multivar (#2727) 2024-01-12 09:11:13 +00:00			`Transform: []string{"lowercase"},`
			`},`
			expected: `SecRule ARGS_GET:foo\|ARGS_GET:bar "@rx [^a-zA-Z]" "id:385719930,phase:2,deny,log,msg:'One zone, multi var',tag:'crowdsec-One zone, multi var',t:lowercase"`,
			`},`
minor waf fixes (#2693) 2024-01-03 16:19:48 +00:00			`{`
			`name: "Base Rule #2",`
			`rule: CustomRule{`
			`Zones: []string{"METHOD"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "startsWith", Value: "toto"},`
minor waf fixes (#2693) 2024-01-03 16:19:48 +00:00			`},`
			expected: `SecRule REQUEST_METHOD "@beginsWith toto" "id:2759779019,phase:2,deny,log,msg:'Base Rule #2',tag:'crowdsec-Base Rule #2'"`,
			`},`
			`{`
			`name: "Base Negative Rule",`
			`rule: CustomRule{`
			`Zones: []string{"METHOD"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "startsWith", Value: "toto", Not: true},`
minor waf fixes (#2693) 2024-01-03 16:19:48 +00:00			`},`
			expected: `SecRule REQUEST_METHOD "!@beginsWith toto" "id:3966251995,phase:2,deny,log,msg:'Base Negative Rule',tag:'crowdsec-Base Negative Rule'"`,
			`},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`{`
			`name: "Multiple Zones",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS", "BODY_ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			expected: `SecRule ARGS_GET:foo\|ARGS_POST:foo "@rx [^a-zA-Z]" "id:3387135861,phase:2,deny,log,msg:'Multiple Zones',tag:'crowdsec-Multiple Zones',t:lowercase"`,
			`},`
fix multizone multivar (#2727) 2024-01-12 09:11:13 +00:00			`{`
			`name: "Multiple Zones Multi Var",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS", "BODY_ARGS"},`
			`Variables: []string{"foo", "bar"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
fix multizone multivar (#2727) 2024-01-12 09:11:13 +00:00			`Transform: []string{"lowercase"},`
			`},`
			expected: `SecRule ARGS_GET:foo\|ARGS_GET:bar\|ARGS_POST:foo\|ARGS_POST:bar "@rx [^a-zA-Z]" "id:1119773585,phase:2,deny,log,msg:'Multiple Zones Multi Var',tag:'crowdsec-Multiple Zones Multi Var',t:lowercase"`,
			`},`
			`{`
			`name: "Multiple Zones No Vars",`
			`rule: CustomRule{`
			`Zones: []string{"ARGS", "BODY_ARGS"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
fix multizone multivar (#2727) 2024-01-12 09:11:13 +00:00			`Transform: []string{"lowercase"},`
			`},`
			expected: `SecRule ARGS_GET\|ARGS_POST "@rx [^a-zA-Z]" "id:2020110336,phase:2,deny,log,msg:'Multiple Zones No Vars',tag:'crowdsec-Multiple Zones No Vars',t:lowercase"`,
			`},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`{`
			`name: "Basic AND",`
			`rule: CustomRule{`
			`And: []CustomRule{`
			`{`

			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"bar"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`},`
			`},`
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:4145519614,phase:2,deny,log,msg:'Basic AND',tag:'crowdsec-Basic AND',t:lowercase,chain"
			SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:1865217529,phase:2,deny,log,msg:'Basic AND',tag:'crowdsec-Basic AND',t:lowercase"`,
			`},`
			`{`
			`name: "Basic OR",`
			`rule: CustomRule{`
			`Or: []CustomRule{`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"bar"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`},`
			`},`
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:651140804,phase:2,deny,log,msg:'Basic OR',tag:'crowdsec-Basic OR',t:lowercase,skip:1"
			SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:271441587,phase:2,deny,log,msg:'Basic OR',tag:'crowdsec-Basic OR',t:lowercase"`,
			`},`
			`{`
			`name: "OR AND mix",`
			`rule: CustomRule{`
			`And: []CustomRule{`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`Or: []CustomRule{`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"foo"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`{`
			`Zones: []string{"ARGS"},`
			`Variables: []string{"bar"},`
[appsec] waf tester (#2746) 2024-01-16 10:39:23 +00:00			`Match: Match{Type: "regex", Value: "[^a-zA-Z]"},`
Application Security Engine Support (#2273) Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net> 2023-12-07 11:21:04 +00:00			`Transform: []string{"lowercase"},`
			`},`
			`},`
			`},`
			`},`
			`},`
			expected: `SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:1714963250,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase,skip:1"
			`SecRule ARGS_GET:bar "@rx [^a-zA-Z]" "id:1519945803,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase"`
			SecRule ARGS_GET:foo "@rx [^a-zA-Z]" "id:1519945803,phase:2,deny,log,msg:'OR AND mix',tag:'crowdsec-OR AND mix',t:lowercase"`,
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`actual, _, err := tt.rule.Convert(ModsecurityRuleType, tt.name)`

			`if err != nil {`
			`t.Errorf("Error converting rule: %s", err)`
			`}`
			`if actual != tt.expected {`
			`t.Errorf("Expected:\n%s\nGot:\n%s", tt.expected, actual)`
			`}`
			`})`
			`}`
			`}`