From 059c0adb93ad277e69d803f1561bab3b12769e2f Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Mon, 4 Dec 2023 22:49:11 +0100
Subject: [PATCH] appsec renaming, part 5
---
cmd/crowdsec-cli/appsec_rules.go | 8 +++---
cmd/crowdsec/crowdsec.go | 4 +--
pkg/acquisition/acquisition.go | 2 +-
pkg/acquisition/modules/appsec/appsec.go | 24 ++++++++--------
.../modules/appsec/appsec_runner.go | 28 +++++++++----------
pkg/acquisition/modules/appsec/utils.go | 20 ++++++-------
.../appsec_rule}/modsec_rule_test.go | 2 +-
.../appsec_rule}/modsecurity.go | 20 ++++++-------
.../waap_rule => appsec/appsec_rule}/types.go | 2 +-
.../appsec_rule}/waap_rule.go | 6 ++--
pkg/{waf => appsec}/coraza_logger.go | 2 +-
pkg/{waf => appsec}/loader.go | 3 +-
pkg/{waf => appsec}/request.go | 4 +--
pkg/{waf => appsec}/request_test.go | 2 +-
pkg/{waf => appsec}/tx.go | 2 +-
pkg/{waf => appsec}/waap.go | 2 +-
pkg/{waf => appsec}/waap_rules_collection.go | 22 +++++++--------
pkg/{waf => appsec}/waf_helpers.go | 2 +-
pkg/csconfig/crowdsec_service.go | 2 --
pkg/hubtest/coverage.go | 4 +--
20 files changed, 78 insertions(+), 83 deletions(-)
rename pkg/{waf/waap_rule => appsec/appsec_rule}/modsec_rule_test.go (99%)
rename pkg/{waf/waap_rule => appsec/appsec_rule}/modsecurity.go (82%)
rename pkg/{waf/waap_rule => appsec/appsec_rule}/types.go (85%)
rename pkg/{waf/waap_rule => appsec/appsec_rule}/waap_rule.go (88%)
rename pkg/{waf => appsec}/coraza_logger.go (99%)
rename pkg/{waf => appsec}/loader.go (95%)
rename pkg/{waf => appsec}/request.go (99%)
rename pkg/{waf => appsec}/request_test.go (99%)
rename pkg/{waf => appsec}/tx.go (99%)
rename pkg/{waf => appsec}/waap.go (99%)
rename pkg/{waf => appsec}/waap_rules_collection.go (81%)
rename pkg/{waf => appsec}/waf_helpers.go (99%)
diff --git a/cmd/crowdsec-cli/appsec_rules.go b/cmd/crowdsec-cli/appsec_rules.go
index a5da34c3c..9fa2f85d6 100644
--- a/cmd/crowdsec-cli/appsec_rules.go
+++ b/cmd/crowdsec-cli/appsec_rules.go
@@ -11,9 +11,9 @@ import ( "gopkg.in/yaml.v3" "github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/require" + "github.com/crowdsecurity/crowdsec/pkg/appsec" + "github.com/crowdsecurity/crowdsec/pkg/appsec/appsec_rule" "github.com/crowdsecurity/crowdsec/pkg/cwhub" - "github.com/crowdsecurity/crowdsec/pkg/waf" - "github.com/crowdsecurity/crowdsec/pkg/waf/waap_rule" ) func NewAppsecRulesCmd() *cobra.Command { @@ -127,7 +127,7 @@ func AppsecRulesInspectRunner(itemType hubItemType) func(cmd *cobra.Command, arg hub, _ := require.Hub(csConfig, nil) for _, name := range args { hubItem := hub.GetItem(itemType.name, name) - appsecRule := waf.AppsecCollectionConfig{} + appsecRule := appsec.AppsecCollectionConfig{} yamlContent, err := os.ReadFile(hubItem.State.LocalPath) if err != nil { return fmt.Errorf("unable to read file %s : %s", hubItem.State.LocalPath, err) @@ -136,7 +136,7 @@ func AppsecRulesInspectRunner(itemType hubItemType) func(cmd *cobra.Command, arg return fmt.Errorf("unable to unmarshal yaml file %s : %s", hubItem.State.LocalPath, err) } - for _, ruleType := range waap_rule.SupportedTypes() { + for _, ruleType := range appsec_rule.SupportedTypes() { fmt.Printf("\n%s format:\n", cases.Title(language.Und, cases.NoLower).String(ruleType)) for _, rule := range appsecRule.Rules { convertedRule, _, err := rule.Convert(ruleType, appsecRule.Name) diff --git a/cmd/crowdsec/crowdsec.go b/cmd/crowdsec/crowdsec.go index 64c479727..1e0d54c07 100644 --- a/cmd/crowdsec/crowdsec.go +++ b/cmd/crowdsec/crowdsec.go 
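Review bot: In `AppsecRulesInspectRunner`, `hubItem.State.LocalPath` is dereferenced right after `hub.GetItem(itemType.name, name)` with no nil check, and the error from `require.Hub(csConfig, nil)` is discarded. Assuming `GetItem` returns nil for an unknown item (not shown in this hunk), a mistyped rule name would end in a panic instead of an error message. I would add `if hubItem == nil { return fmt.Errorf("can't find '%s' in %s", name, itemType.name) }` before the `os.ReadFile` call and return the `require.Hub` error rather than dropping it. The function body starts and ends outside the hunk.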
@@ -13,12 +13,12 @@ import ( "github.com/crowdsecurity/go-cs-lib/trace" "github.com/crowdsecurity/crowdsec/pkg/acquisition" + "github.com/crowdsecurity/crowdsec/pkg/appsec" "github.com/crowdsecurity/crowdsec/pkg/csconfig" "github.com/crowdsecurity/crowdsec/pkg/cwhub" leaky "github.com/crowdsecurity/crowdsec/pkg/leakybucket" "github.com/crowdsecurity/crowdsec/pkg/parser" "github.com/crowdsecurity/crowdsec/pkg/types" - "github.com/crowdsecurity/crowdsec/pkg/waf" ) func initCrowdsec(cConfig *csconfig.Config, hub *cwhub.Hub) (*parser.Parsers, error) { @@ -34,7 +34,7 @@ func initCrowdsec(cConfig *csconfig.Config, hub *cwhub.Hub) (*parser.Parsers, er return nil, fmt.Errorf("while loading scenarios: %w", err) } - if err := waf.LoadAppsecRules(hub); err != nil { + if err := appsec.LoadAppsecRules(hub); err != nil { return nil, fmt.Errorf("while loading appsec rules: %w", err) } diff --git a/pkg/acquisition/acquisition.go b/pkg/acquisition/acquisition.go index 960de8241..336029363 100644 --- a/pkg/acquisition/acquisition.go +++ b/pkg/acquisition/acquisition.go @@ -77,7 +77,7 @@ var AcquisitionSources = map[string]func() DataSource{ "k8s-audit": func() DataSource { return &k8sauditacquisition.KubernetesAuditSource{} }, "loki": func() DataSource { return &lokiacquisition.LokiSource{} }, "s3": func() DataSource { return &s3acquisition.S3Source{} }, - "waf": func() DataSource { return &appsecacquisition.AppsecSource{} }, + "appsec": func() DataSource { return &appsecacquisition.AppsecSource{} }, } var transformRuntimes = map[string]*vm.Program{} diff --git a/pkg/acquisition/modules/appsec/appsec.go b/pkg/acquisition/modules/appsec/appsec.go index e128ba6ae..d55c077fb 100644 --- a/pkg/acquisition/modules/appsec/appsec.go +++ b/pkg/acquisition/modules/appsec/appsec.go 
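Review bot: Renaming the `AcquisitionSources` key from `"waf"` to `"appsec"` changes the value operators put in `source:` in their acquisition files, and the hunk keeps no alias for the old name. Depending on how an unknown source is handled (not visible here), an existing `source: waf` entry either aborts startup or leaves the application-security listener unconfigured, so request inspection could stop without anyone noticing. Consider keeping `"waf"` as a deprecated alias for one release, or at least document the break next to the entry with a comment such as `// "waf" was renamed to "appsec"; existing acquisition files must be updated`.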
@@ -11,8 +11,8 @@ import ( "github.com/crowdsecurity/crowdsec/pkg/csconfig" "github.com/crowdsecurity/crowdsec/pkg/acquisition/configuration" + "github.com/crowdsecurity/crowdsec/pkg/appsec" "github.com/crowdsecurity/crowdsec/pkg/types" - "github.com/crowdsecurity/crowdsec/pkg/waf" "github.com/crowdsecurity/go-cs-lib/trace" "github.com/google/uuid" "github.com/pkg/errors" @@ -52,9 +52,9 @@ type AppsecSource struct { server *http.Server addr string outChan chan types.Event - InChan chan waf.ParsedRequest - AppsecRuntime *waf.AppsecRuntimeConfig - AppsecConfigs map[string]waf.AppsecConfig + InChan chan appsec.ParsedRequest + AppsecRuntime *appsec.AppsecRuntimeConfig + AppsecConfigs map[string]appsec.AppsecConfig lapiURL string AuthCache AuthCache AppsecRunners []AppsecRunner //one for each go-routine @@ -119,7 +119,7 @@ func (wc *AppsecSource) UnmarshalConfig(yamlConfig []byte) error { wc.config.Mode = configuration.TAIL_MODE } - // always have at least one waf routine + // always have at least one appsec routine if wc.config.Routines == 0 { wc.config.Routines = 1 } @@ -150,12 +150,12 @@ func (w *AppsecSource) GetAggregMetrics() []prometheus.Collector { func (w *AppsecSource) Configure(yamlConfig []byte, logger *log.Entry) error { err := w.UnmarshalConfig(yamlConfig) if err != nil { - return errors.Wrap(err, "unable to parse waf configuration") + return errors.Wrap(err, "unable to parse appsec configuration") } w.logger = logger w.logger.Logger.SetLevel(*w.config.LogLevel) - w.logger.Tracef("WAF configuration: %+v", w.config) + w.logger.Tracef("Appsec configuration: %+v", w.config) if w.config.AuthCacheDuration == nil { w.config.AuthCacheDuration = &DefaultAuthCacheDuration 
@@ -169,8 +169,8 @@ func (w *AppsecSource) Configure(yamlConfig []byte, logger *log.Entry) error { Handler: w.mux, } - w.InChan = make(chan waf.ParsedRequest) - appsecCfg := waf.AppsecConfig{Logger: w.logger.WithField("component", "appsec_config")} + w.InChan = make(chan appsec.ParsedRequest) + appsecCfg := appsec.AppsecConfig{Logger: w.logger.WithField("component", "appsec_config")} //let's load the associated appsec_config: if w.config.AppsecConfigPath != "" { @@ -317,8 +317,8 @@ func (w *AppsecSource) IsAuth(apiKey string) bool { // should this be in the runner ? func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) { - apiKey := r.Header.Get(waf.APIKeyHeaderName) - clientIP := r.Header.Get(waf.IPHeaderName) + apiKey := r.Header.Get(appsec.APIKeyHeaderName) + clientIP := r.Header.Get(appsec.IPHeaderName) remoteIP := r.RemoteAddr if apiKey == "" { w.logger.Errorf("Unauthorized request from '%s' (real IP = %s)", remoteIP, clientIP) @@ -339,7 +339,7 @@ func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) { } // parse the request only once - parsedRequest, err := waf.NewParsedRequestFromRequest(r) + parsedRequest, err := appsec.NewParsedRequestFromRequest(r) if err != nil { log.Errorf("%s", err) rw.WriteHeader(http.StatusInternalServerError) diff --git a/pkg/acquisition/modules/appsec/appsec_runner.go b/pkg/acquisition/modules/appsec/appsec_runner.go index 6ce7e57df..b2b10ea6b 100644 --- a/pkg/acquisition/modules/appsec/appsec_runner.go +++ b/pkg/acquisition/modules/appsec/appsec_runner.go @@ -8,8 +8,8 @@ import ( "github.com/crowdsecurity/coraza/v3" corazatypes "github.com/crowdsecurity/coraza/v3/types" + "github.com/crowdsecurity/crowdsec/pkg/appsec" "github.com/crowdsecurity/crowdsec/pkg/types" - "github.com/crowdsecurity/crowdsec/pkg/waf" "github.com/prometheus/client_golang/prometheus" log "github.com/sirupsen/logrus" "gopkg.in/tomb.v2" 
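Review bot: In `appsecHandler`, `clientIP` is read from the `appsec.IPHeaderName` request header and written to the log with `%s` on the unauthorized path, before the API key has been checked, so an unauthenticated caller controls that part of the log line. Formatting it with `%q`, as in `w.logger.Errorf("Unauthorized request from '%s' (real IP = %q)", remoteIP, clientIP)`, keeps control characters and embedded quotes from corrupting or forging entries. A comment on `clientIP` should state that the value is unverified at that point. Further down, the parse-failure branch logs through the package-level `log.Errorf` instead of `w.logger`, which drops the data source's fields and configured level. The handler body continues outside the hunk.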
@@ -18,9 +18,9 @@ import ( // that's the runtime structure of the Application security engine as seen from the acquis type AppsecRunner struct { outChan chan types.Event - inChan chan waf.ParsedRequest + inChan chan appsec.ParsedRequest UUID string - AppsecRuntime *waf.AppsecRuntimeConfig //this holds the actual appsec runtime config, rules, remediations, hooks etc. + AppsecRuntime *appsec.AppsecRuntimeConfig //this holds the actual appsec runtime config, rules, remediations, hooks etc. AppsecInbandEngine coraza.WAF AppsecOutbandEngine coraza.WAF logger *log.Entry @@ -44,7 +44,7 @@ func (r *AppsecRunner) Init(datadir string) error { outBandLogger := r.logger.Dup().WithField("band", "outband") //setting up inband engine - inbandCfg := coraza.NewWAFConfig().WithDirectives(inBandRules).WithRootFS(fs).WithDebugLogger(waf.NewCrzLogger(inBandLogger)) + inbandCfg := coraza.NewWAFConfig().WithDirectives(inBandRules).WithRootFS(fs).WithDebugLogger(appsec.NewCrzLogger(inBandLogger)) if !r.AppsecRuntime.Config.InbandOptions.DisableBodyInspection { inbandCfg = inbandCfg.WithRequestBodyAccess() } else { @@ -59,7 +59,7 @@ func (r *AppsecRunner) Init(datadir string) error { } //setting up outband engine - outbandCfg := coraza.NewWAFConfig().WithDirectives(outOfBandRules).WithRootFS(fs).WithDebugLogger(waf.NewCrzLogger(outBandLogger)) + outbandCfg := coraza.NewWAFConfig().WithDirectives(outOfBandRules).WithRootFS(fs).WithDebugLogger(appsec.NewCrzLogger(outBandLogger)) if !r.AppsecRuntime.Config.OutOfBandOptions.DisableBodyInspection { outbandCfg = outbandCfg.WithRequestBodyAccess() } else { @@ -101,7 +101,7 @@ func (r *AppsecRunner) Init(datadir string) error { return nil } -func (r *AppsecRunner) processRequest(tx waf.ExtendedTransaction, request *waf.ParsedRequest) error { +func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *appsec.ParsedRequest) error { var in *corazatypes.Interruption var err error request.Tx = tx 
@@ -185,21 +185,21 @@ func (r *AppsecRunner) processRequest(tx waf.ExtendedTransaction, request *waf.P return nil } -func (r *AppsecRunner) ProcessInBandRules(request *waf.ParsedRequest) error { - tx := waf.NewExtendedTransaction(r.AppsecInbandEngine, request.UUID) +func (r *AppsecRunner) ProcessInBandRules(request *appsec.ParsedRequest) error { + tx := appsec.NewExtendedTransaction(r.AppsecInbandEngine, request.UUID) r.AppsecRuntime.InBandTx = tx err := r.processRequest(tx, request) return err } -func (r *AppsecRunner) ProcessOutOfBandRules(request *waf.ParsedRequest) error { - tx := waf.NewExtendedTransaction(r.AppsecOutbandEngine, request.UUID) +func (r *AppsecRunner) ProcessOutOfBandRules(request *appsec.ParsedRequest) error { + tx := appsec.NewExtendedTransaction(r.AppsecOutbandEngine, request.UUID) r.AppsecRuntime.OutOfBandTx = tx err := r.processRequest(tx, request) return err } -func (r *AppsecRunner) handleInBandInterrupt(request *waf.ParsedRequest) { +func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) { //create the associated event for crowdsec itself evt, err := EventFromRequest(request) if err != nil { @@ -248,7 +248,7 @@ func (r *AppsecRunner) handleInBandInterrupt(request *waf.ParsedRequest) { } } -func (r *AppsecRunner) handleOutBandInterrupt(request *waf.ParsedRequest) { +func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) { evt, err := EventFromRequest(request) if err != nil { //let's not interrupt the pipeline for this @@ -284,7 +284,7 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *waf.ParsedRequest) { } } -func (r *AppsecRunner) handleRequest(request *waf.ParsedRequest) { +func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) { r.logger.Debugf("Requests handled by runner %s", request.UUID) r.AppsecRuntime.ClearResponse() 
@@ -334,7 +334,7 @@ func (r *AppsecRunner) Run(t *tomb.Tomb) error { for { select { case <-t.Dying(): - r.logger.Infof("Waf Runner is dying") + r.logger.Infof("Appsec Runner is dying") return nil case request := <-r.inChan: r.handleRequest(&request) diff --git a/pkg/acquisition/modules/appsec/utils.go b/pkg/acquisition/modules/appsec/utils.go index a228cf72d..008811ae7 100644 --- a/pkg/acquisition/modules/appsec/utils.go +++ b/pkg/acquisition/modules/appsec/utils.go @@ -7,9 +7,9 @@ import ( "github.com/crowdsecurity/coraza/v3/collection" "github.com/crowdsecurity/coraza/v3/types/variables" + "github.com/crowdsecurity/crowdsec/pkg/appsec" "github.com/crowdsecurity/crowdsec/pkg/models" "github.com/crowdsecurity/crowdsec/pkg/types" - "github.com/crowdsecurity/crowdsec/pkg/waf" "github.com/crowdsecurity/go-cs-lib/ptr" "github.com/prometheus/client_golang/prometheus" log "github.com/sirupsen/logrus" @@ -51,7 +51,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) { alert.Meta = append(alert.Meta, &meta) } alert.EventsCount = ptr.Of(int32(1)) - alert.Labels = []string{"waf"} //don't know what to do about this + alert.Labels = []string{"appsec"} //don't know what to do about this alert.Leakspeed = ptr.Of("") msg := fmt.Sprintf("Application Security Engine alert: %s", inEvt.Waap.MatchedRules.GetName()) alert.Message = &msg @@ -68,7 +68,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) { return &evt, nil } -func EventFromRequest(r *waf.ParsedRequest) (types.Event, error) { +func EventFromRequest(r *appsec.ParsedRequest) (types.Event, error) { evt := types.Event{} //we might want to change this based on in-band vs out-of-band ? evt.Type = types.LOG 
@@ -91,11 +91,11 @@ func EventFromRequest(r *waf.ParsedRequest) (types.Event, error) { evt.Line = types.Line{ Time: time.Now(), //should we add some info like listen addr/port/path ? - Labels: map[string]string{"type": "crowdsec-waap"}, //FIXME: use the labels from the acquis + Labels: map[string]string{"type": "crowdsec-appsec"}, //FIXME: use the labels from the acquis Process: true, Module: "appsec", Src: "appsec", - Raw: "dummy-waap-data", //we discard empty Line.Raw items :) + Raw: "dummy-appsec-data", //we discard empty Line.Raw items :) } evt.Waap = types.AppsecEvent{} @@ -110,19 +110,19 @@ func LogAppsecEvent(evt *types.Event, logger *log.Entry) { if evt.Meta["waap_interrupted"] == "true" { logger.WithFields(log.Fields{ - "module": "waf", + "module": "appsec", "source": evt.Parsed["source_ip"], "target_uri": req, }).Infof("%s blocked on %s (%d rules) [%v]", evt.Parsed["source_ip"], req, len(evt.Waap.MatchedRules), evt.Waap.GetRuleIDs()) } else if evt.Parsed["outofband_interrupted"] == "true" { logger.WithFields(log.Fields{ - "module": "waf", + "module": "appsec", "source": evt.Parsed["source_ip"], "target_uri": req, }).Infof("%s out-of-band blocking rules on %s (%d rules) [%v]", evt.Parsed["source_ip"], req, len(evt.Waap.MatchedRules), evt.Waap.GetRuleIDs()) } else { logger.WithFields(log.Fields{ - "module": "waf", + "module": "appsec", "source": evt.Parsed["source_ip"], "target_uri": req, }).Debugf("%s triggered non-blocking rules on %s (%d rules) [%v]", evt.Parsed["source_ip"], req, len(evt.Waap.MatchedRules), evt.Waap.GetRuleIDs()) @@ -130,7 +130,7 @@ func LogAppsecEvent(evt *types.Event, logger *log.Entry) { } -func (r *AppsecRunner) AccumulateTxToEvent(evt *types.Event, req *waf.ParsedRequest) error { +func (r *AppsecRunner) AccumulateTxToEvent(evt *types.Event, req *appsec.ParsedRequest) error { if evt == nil { //an error was already emitted, let's not spam the logs 
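Review bot: The `type` label written into `evt.Line.Labels` changes from `crowdsec-waap` to `crowdsec-appsec`, `alert.Labels` changes from `waf` to `appsec` in the `AppsecEventGeneration` hunk, and the log field `module` changes the same way in `LogAppsecEvent`. These strings are presumably what parsers, scenarios, profiles and external log queries filter on, so anything still matching the old values would stop matching without raising an error and detections could go quiet after the upgrade. The change should land together with the matching hub items and be called out in the release notes. The rename is also partial here: `evt.Waap` and `evt.Meta["waap_interrupted"]` keep the old vocabulary, which deserves a `// TODO: rename together with the types package` comment so the mix is not read as two different features.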
@@ -206,7 +206,7 @@ func (r *AppsecRunner) AccumulateTxToEvent(evt *types.Event, req *waf.ParsedRequ hash := "NOT_SET" ruleNameProm := fmt.Sprintf("%d", rule.Rule().ID()) - if details, ok := waf.AppsecRulesDetails[rule.Rule().ID()]; ok { + if details, ok := appsec.AppsecRulesDetails[rule.Rule().ID()]; ok { //Only set them for custom rules, not for rules written in seclang name = details.Name version = details.Version diff --git a/pkg/waf/waap_rule/modsec_rule_test.go b/pkg/appsec/appsec_rule/modsec_rule_test.go similarity index 99% rename from pkg/waf/waap_rule/modsec_rule_test.go rename to pkg/appsec/appsec_rule/modsec_rule_test.go index 2232540ec..d919dce25 100644 --- a/pkg/waf/waap_rule/modsec_rule_test.go +++ b/pkg/appsec/appsec_rule/modsec_rule_test.go @@ -1,4 +1,4 @@ -package waap_rule +package appsec_rule import "testing" diff --git a/pkg/waf/waap_rule/modsecurity.go b/pkg/appsec/appsec_rule/modsecurity.go similarity index 82% rename from pkg/waf/waap_rule/modsecurity.go rename to pkg/appsec/appsec_rule/modsecurity.go index 1ac7486db..760c697cc 100644 --- a/pkg/waf/waap_rule/modsecurity.go +++ b/pkg/appsec/appsec_rule/modsecurity.go @@ -1,4 +1,4 @@ -package waap_rule +package appsec_rule import ( "fmt" @@ -50,9 +50,9 @@ var bodyTypeMatch map[string]string = map[string]string{ "urlencoded": "URLENCODED", } -func (m *ModsecurityRule) Build(rule *CustomRule, waapRuleName string) (string, []uint32, error) { +func (m *ModsecurityRule) Build(rule *CustomRule, appsecRuleName string) (string, []uint32, error) { - rules, err := m.buildRules(rule, waapRuleName, false, 0, 0) + rules, err := m.buildRules(rule, appsecRuleName, false, 0, 0) if err != nil { return "", nil, err 
@@ -62,9 +62,9 @@ func (m *ModsecurityRule) Build(rule *CustomRule, waapRuleName string) (string, return strings.Join(rules, "\n"), m.ids, nil } -func (m *ModsecurityRule) generateRuleID(rule *CustomRule, waapRuleName string, depth int) uint32 { +func (m *ModsecurityRule) generateRuleID(rule *CustomRule, appsecRuleName string, depth int) uint32 { h := fnv.New32a() - h.Write([]byte(waapRuleName)) + h.Write([]byte(appsecRuleName)) h.Write([]byte(rule.Match.Type)) h.Write([]byte(rule.Match.Value)) h.Write([]byte(fmt.Sprintf("%d", depth))) @@ -79,7 +79,7 @@ func (m *ModsecurityRule) generateRuleID(rule *CustomRule, waapRuleName string, return id } -func (m *ModsecurityRule) buildRules(rule *CustomRule, waapRuleName string, and bool, toSkip int, depth int) ([]string, error) { +func (m *ModsecurityRule) buildRules(rule *CustomRule, appsecRuleName string, and bool, toSkip int, depth int) ([]string, error) { ret := make([]string, 0) if len(rule.And) != 0 && len(rule.Or) != 0 { @@ -89,9 +89,8 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, waapRuleName string, and if rule.And != nil { for c, andRule := range rule.And { depth++ - //subName := fmt.Sprintf("%s_and_%d", waapRuleName, c) lastRule := c == len(rule.And)-1 // || len(rule.Or) == 0 - rules, err := m.buildRules(&andRule, waapRuleName, !lastRule, 0, depth) + rules, err := m.buildRules(&andRule, appsecRuleName, !lastRule, 0, depth) if err != nil { return nil, err } @@ -102,9 +101,8 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, waapRuleName string, and if rule.Or != nil { for c, orRule := range rule.Or { depth++ - //subName := fmt.Sprintf("%s_or_%d", waapRuleName, c) skip := len(rule.Or) - c - 1 - rules, err := m.buildRules(&orRule, waapRuleName, false, skip, depth) + rules, err := m.buildRules(&orRule, appsecRuleName, false, skip, depth) if err != nil { return nil, err } 
@@ -147,7 +145,7 @@ func (m *ModsecurityRule) buildRules(rule *CustomRule, waapRuleName string, and } //Should phase:2 be configurable? - r.WriteString(fmt.Sprintf(` "id:%d,phase:2,deny,log,msg:'%s',tag:'crowdsec-%s'`, m.generateRuleID(rule, waapRuleName, depth), waapRuleName, waapRuleName)) + r.WriteString(fmt.Sprintf(` "id:%d,phase:2,deny,log,msg:'%s',tag:'crowdsec-%s'`, m.generateRuleID(rule, appsecRuleName, depth), appsecRuleName, appsecRuleName)) if rule.Transform != nil { for _, transform := range rule.Transform { diff --git a/pkg/waf/waap_rule/types.go b/pkg/appsec/appsec_rule/types.go similarity index 85% rename from pkg/waf/waap_rule/types.go rename to pkg/appsec/appsec_rule/types.go index ba7bfdafb..13716975a 100644 --- a/pkg/waf/waap_rule/types.go +++ b/pkg/appsec/appsec_rule/types.go @@ -1,4 +1,4 @@ -package waap_rule +package appsec_rule const ( ModsecurityRuleType = "modsecurity" diff --git a/pkg/waf/waap_rule/waap_rule.go b/pkg/appsec/appsec_rule/waap_rule.go similarity index 88% rename from pkg/waf/waap_rule/waap_rule.go rename to pkg/appsec/appsec_rule/waap_rule.go index 00e6cefd1..c011e58fb 100644 --- a/pkg/waf/waap_rule/waap_rule.go +++ b/pkg/appsec/appsec_rule/waap_rule.go @@ -1,4 +1,4 @@ -package waap_rule +package appsec_rule import ( "fmt" @@ -43,7 +43,7 @@ type CustomRule struct { BodyType string `yaml:"body_type,omitempty"` } -func (v *CustomRule) Convert(ruleType string, waapRuleName string) (string, []uint32, error) { +func (v *CustomRule) Convert(ruleType string, appsecRuleName string) (string, []uint32, error) { if v.Zones == nil && v.And == nil && v.Or == nil { return "", nil, fmt.Errorf("no zones defined") @@ -60,7 +60,7 @@ func (v *CustomRule) Convert(ruleType string, waapRuleName string) (string, []ui switch ruleType { case ModsecurityRuleType: r := ModsecurityRule{} - return r.Build(v, waapRuleName) + return r.Build(v, appsecRuleName) default: return "", nil, fmt.Errorf("unknown rule format '%s'", ruleType) } 
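Review bot: In `buildRules`, `appsecRuleName` is interpolated into the single-quoted `msg:'%s'` and `tag:'crowdsec-%s'` actions without escaping, so a name containing a quote or a line break would terminate the action string and alter the generated SecLang directive. The name comes from the collection YAML (`appsecRule.Name` at the `Convert` call site), so it should be validated before use, for example at the top of `Build`: `if strings.ContainsAny(appsecRuleName, "'\"\\\r\n") { return "", nil, fmt.Errorf("invalid rule name %q", appsecRuleName) }`. A case in `modsec_rule_test.go` with a quoted name would pin the behaviour. `buildRules` starts and ends outside this hunk.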
diff --git a/pkg/waf/coraza_logger.go b/pkg/appsec/coraza_logger.go similarity index 99% rename from pkg/waf/coraza_logger.go rename to pkg/appsec/coraza_logger.go index dfeeb669e..372a0098e 100644 --- a/pkg/waf/coraza_logger.go +++ b/pkg/appsec/coraza_logger.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "fmt" diff --git a/pkg/waf/loader.go b/pkg/appsec/loader.go similarity index 95% rename from pkg/waf/loader.go rename to pkg/appsec/loader.go index e58c1650f..43bd7d78b 100644 --- a/pkg/waf/loader.go +++ b/pkg/appsec/loader.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "os" @@ -17,7 +17,6 @@ func LoadAppsecRules(hubInstance *cwhub.Hub) error { hub = hubInstance for _, hubAppsecRuleItem := range hub.GetItemMap(cwhub.APPSEC_RULES) { - //log.Infof("loading %s", hubWafRuleItem.LocalPath) if !hubAppsecRuleItem.State.Installed { continue } diff --git a/pkg/waf/request.go b/pkg/appsec/request.go similarity index 99% rename from pkg/waf/request.go rename to pkg/appsec/request.go index b0fe75676..9979caf90 100644 --- a/pkg/waf/request.go +++ b/pkg/appsec/request.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "encoding/json" @@ -266,7 +266,7 @@ func (r *ReqDumpFilter) ToJSON() error { return nil } -// Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the Waap Engine +// Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the App security Engine func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) { var err error body := make([]byte, 0) diff --git a/pkg/waf/request_test.go b/pkg/appsec/request_test.go similarity index 99% rename from pkg/waf/request_test.go rename to pkg/appsec/request_test.go index 2625e11f5..b05ecbde6 100644 --- a/pkg/waf/request_test.go +++ b/pkg/appsec/request_test.go @@ -1,4 +1,4 @@ -package waf +package appsec import "testing" 
diff --git a/pkg/waf/tx.go b/pkg/appsec/tx.go similarity index 99% rename from pkg/waf/tx.go rename to pkg/appsec/tx.go index 1e2c83331..47da19d15 100644 --- a/pkg/waf/tx.go +++ b/pkg/appsec/tx.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "github.com/crowdsecurity/coraza/v3" diff --git a/pkg/waf/waap.go b/pkg/appsec/waap.go similarity index 99% rename from pkg/waf/waap.go rename to pkg/appsec/waap.go index 546040a85..0477642dd 100644 --- a/pkg/waf/waap.go +++ b/pkg/appsec/waap.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "fmt" diff --git a/pkg/waf/waap_rules_collection.go b/pkg/appsec/waap_rules_collection.go similarity index 81% rename from pkg/waf/waap_rules_collection.go rename to pkg/appsec/waap_rules_collection.go index 820642d68..6a404e9c7 100644 --- a/pkg/waf/waap_rules_collection.go +++ b/pkg/appsec/waap_rules_collection.go @@ -1,12 +1,12 @@ -package waf +package appsec import ( "os" "path/filepath" "strings" + "github.com/crowdsecurity/crowdsec/pkg/appsec/appsec_rule" "github.com/crowdsecurity/crowdsec/pkg/exprhelpers" - "github.com/crowdsecurity/crowdsec/pkg/waf/waap_rule" log "github.com/sirupsen/logrus" ) @@ -20,13 +20,13 @@ var APPSEC_RULE = "appsec-rule" // to be filled w/ seb update type AppsecCollectionConfig struct { - Type string `yaml:"type"` - Name string `yaml:"name"` - Debug bool `yaml:"debug"` - Description string `yaml:"description"` - SecLangFilesRules []string `yaml:"seclang_files_rules"` - SecLangRules []string `yaml:"seclang_rules"` - Rules []waap_rule.CustomRule `yaml:"rules"` + Type string `yaml:"type"` + Name string `yaml:"name"` + Debug bool `yaml:"debug"` + Description string `yaml:"description"` + SecLangFilesRules []string `yaml:"seclang_files_rules"` + SecLangRules []string `yaml:"seclang_rules"` + Rules []appsec_rule.CustomRule `yaml:"rules"` Labels map[string]interface{} `yaml:"labels"` //Labels is K:V list aiming at providing context the overflow 
@@ -47,7 +47,7 @@ type RulesDetails struct { var AppsecRulesDetails = make(map[int]RulesDetails) func LoadCollection(pattern string) ([]AppsecCollection, error) { - //FIXME: have a proper logger here, inheriting from waap-config to have consistent log levels + //FIXME: have a proper logger here, inheriting from appsec-config to have consistent log levels ret := make([]AppsecCollection, 0) for _, appsecRule := range appsecRules { @@ -100,7 +100,7 @@ func LoadCollection(pattern string) ([]AppsecCollection, error) { if appsecRule.Rules != nil { for _, rule := range appsecRule.Rules { - strRule, rulesId, err := rule.Convert(waap_rule.ModsecurityRuleType, appsecRule.Name) + strRule, rulesId, err := rule.Convert(appsec_rule.ModsecurityRuleType, appsecRule.Name) if err != nil { log.Errorf("unable to convert rule %s : %s", rule.Name, err) return nil, err diff --git a/pkg/waf/waf_helpers.go b/pkg/appsec/waf_helpers.go similarity index 99% rename from pkg/waf/waf_helpers.go rename to pkg/appsec/waf_helpers.go index fa43c8848..605d42ccb 100644 --- a/pkg/waf/waf_helpers.go +++ b/pkg/appsec/waf_helpers.go @@ -1,4 +1,4 @@ -package waf +package appsec import ( "github.com/crowdsecurity/crowdsec/pkg/types" diff --git a/pkg/csconfig/crowdsec_service.go b/pkg/csconfig/crowdsec_service.go index 77a3ed630..dc226cfd6 100644 --- a/pkg/csconfig/crowdsec_service.go +++ b/pkg/csconfig/crowdsec_service.go @@ -11,8 +11,6 @@ import ( "github.com/crowdsecurity/go-cs-lib/ptr" ) -var DataDir string // FIXME: find a better way to pass this to the waf - // CrowdsecServiceCfg contains the location of parsers/scenarios/... and acquisition files type CrowdsecServiceCfg struct { Enable *bool `yaml:"enable"` diff --git a/pkg/hubtest/coverage.go b/pkg/hubtest/coverage.go index ce4083573..edbe10454 100644 --- a/pkg/hubtest/coverage.go +++ b/pkg/hubtest/coverage.go 
@@ -7,8 +7,8 @@ import ( "path/filepath" "strings" + "github.com/crowdsecurity/crowdsec/pkg/appsec/appsec_rule" "github.com/crowdsecurity/crowdsec/pkg/cwhub" - "github.com/crowdsecurity/crowdsec/pkg/waf/waap_rule" log "github.com/sirupsen/logrus" "gopkg.in/yaml.v2" ) @@ -55,7 +55,7 @@ func (h *HubTest) GetAppsecCoverage() ([]Coverage, error) { } for _, appsecRulesFile := range configFileData.AppsecRules { - appsecRuleData := &waap_rule.CustomRule{} + appsecRuleData := &appsec_rule.CustomRule{} yamlFile, err := os.ReadFile(appsecRulesFile) if err != nil { log.Printf("unable to open appsec rule '%s': %s", appsecRulesFile, err)