bui 2023-09-14 09:43:22 +02:00
parent 6a47b9e97d
commit a8321b5cc5
2 changed files with 8 additions and 8 deletions


@ -46,13 +46,15 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
log.Infof("now response is -> %s", r.WaapRuntime.Response.Action) log.Infof("now response is -> %s", r.WaapRuntime.Response.Action)
//inband WAAP rules //inband WAAP rules
err = r.WaapRuntime.ProcessInBandRules(request) err = r.WaapRuntime.ProcessInBandRules(request)
if err != nil {
r.logger.Errorf("unable to process InBand rules: %s", err)
continue
}
elapsed := time.Since(startParsing) elapsed := time.Since(startParsing)
WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds()) WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
//generate reponse for the remediation component, based on the WAAP config + inband rules evaluation //generate reponse for the remediation component, based on the WAAP config + inband rules evaluation
//@tko : this should move in the WaapRuntimeConfig as it knows what to do with the interruption and the expected remediation //@tko : this should move in the WaapRuntimeConfig as it knows what to do with the interruption and the expected remediation
//response := waf.NewResponseRequest(r.WaapRuntime.InBandTx.Tx, interrupt, request.UUID, err)
err = r.WaapRuntime.ProcessOnMatchRules(request) err = r.WaapRuntime.ProcessOnMatchRules(request)
if err != nil { if err != nil {
r.logger.Errorf("unable to process OnMatch rules: %s", err) r.logger.Errorf("unable to process OnMatch rules: %s", err)
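Review bot: The new `continue` after a failed `ProcessInBandRules` call leaves the request without an explicit verdict: everything below it in the loop is skipped, including the histogram observation and the OnMatch step, and the hunk shows no response being set or sent on that path. For a WAF the outcome of an engine error should be a deliberate choice, so I would set a defined response before continuing (fail-closed, or a documented fail-open) and say so in a comment such as `// inband evaluation failed: reply with the configured default remediation, never leave the request unanswered`. If `r.WaapRuntime.Response` is reused across iterations, which the hunk does not show, the skipped request could also leave stale state behind for the next one. The loop and the rest of `Run` start and end outside the hunk, so how the caller waits for the answer needs to be checked there.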


@ -65,6 +65,7 @@ type WaapRuntimeConfig struct {
OutOfBandTx ExtendedTransaction //is it a good idea ? OutOfBandTx ExtendedTransaction //is it a good idea ?
InBandTx ExtendedTransaction //is it a good idea ? InBandTx ExtendedTransaction //is it a good idea ?
Response WaapTempResponse Response WaapTempResponse
//should we store matched rules here ?
} }
type WaapConfig struct { type WaapConfig struct {
@ -181,10 +182,7 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request ParsedRequest) error {
for _, rule := range w.CompiledOnMatch { for _, rule := range w.CompiledOnMatch {
if rule.FilterExpr != nil { if rule.FilterExpr != nil {
output, err := expr.Run(rule.FilterExpr, map[string]interface{}{ output, err := expr.Run(rule.FilterExpr, GetHookEnv(w, request))
//"rules": rules, //is it still useful ?
"req": request,
})
if err != nil { if err != nil {
return fmt.Errorf("unable to run filter %s : %w", rule.Filter, err) return fmt.Errorf("unable to run filter %s : %w", rule.Filter, err)
} }
@ -275,12 +273,12 @@ func (w *WaapRuntimeConfig) RemoveOutbandRuleByID(id int) error {
} }
func (w *WaapRuntimeConfig) SetAction(action string) error { func (w *WaapRuntimeConfig) SetAction(action string) error {
log.Infof("setting to %s", action) //log.Infof("setting to %s", action)
switch action { switch action {
case "allow": case "allow":
w.Response.Action = action w.Response.Action = action
w.Response.HTTPResponseCode = w.Config.PassedHTTPCode w.Response.HTTPResponseCode = w.Config.PassedHTTPCode
//how should we handle this ? //@tko how should we handle this ? it seems bouncer only understand bans, but it might be misleading ?
case "deny", "ban", "block": case "deny", "ban", "block":
w.Response.Action = "ban" w.Response.Action = "ban"
w.Response.HTTPResponseCode = w.Config.BlockedHTTPCode w.Response.HTTPResponseCode = w.Config.BlockedHTTPCode
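Review bot: In `SetAction`, `deny` and `block` are silently rewritten to `ban`, and with the log line now commented out nothing records which action a rule actually requested. I would delete the dead line or keep it at debug level with the value quoted, `log.Debugf("setting action to %q", action)` (assuming the `log` package in use offers it), and move the `@tko` question next to `case "deny", "ban", "block":`, since it currently sits at the end of the `allow` branch. A doc comment on `SetAction` stating that every blocking action is normalised to `ban`, for the reason the comment hints at, would turn the mapping into a documented contract rather than an open question. The end of the switch, including any default branch for unknown actions, is outside the hunk.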