merge
parent
4993758b36
commit
01ced8fb99
2
go.mod
2
go.mod
|
@ -204,3 +204,5 @@ require (
|
||||||
)
|
)
|
||||||
|
|
||||||
replace golang.org/x/time/rate => github.com/crowdsecurity/crowdsec/pkg/time/rate v0.0.0
|
replace golang.org/x/time/rate => github.com/crowdsecurity/crowdsec/pkg/time/rate v0.0.0
|
||||||
|
|
||||||
|
replace github.com/crowdsecurity/coraza/v3 => /home/seb/taff/crowdsec/git/crowdsec-org/coraza
|
||||||
|
|
|
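Review bot: The added `replace github.com/crowdsecurity/coraza/v3 => /home/seb/taff/crowdsec/git/crowdsec-org/coraza` points at an absolute path on one developer's machine, so every other checkout and CI build of this module fails to resolve coraza, and on that machine the code that gets built is whatever is in that directory — a directory replace is not covered by go.sum, so the dependency is neither pinned nor checksum-verified. Keep local overrides out of the committed go.mod: a `go.work` file (Go 1.18+, not consulted by consumers of the module) or an uncommitted replace gives the same convenience without breaking the build for everyone else. If the intent is to consume the crowdsecurity fork, pin it instead with `replace github.com/crowdsecurity/coraza/v3 => github.com/crowdsecurity/coraza/v3 v0.0.0-<timestamp>-<commit>` so go.sum records its hash.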
@ -8,7 +8,6 @@ import (
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/waf"
|
"github.com/crowdsecurity/crowdsec/pkg/waf"
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
log "github.com/sirupsen/logrus"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
|
func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
|
||||||
|
@ -47,16 +46,17 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func LogWaapEvent(evt *types.Event) {
|
func LogWaapEvent(evt *types.Event) {
|
||||||
log.WithFields(log.Fields{
|
/*log.WithFields(log.Fields{
|
||||||
"module": "waf",
|
"module": "waf",
|
||||||
"source": evt.Parsed["source_ip"],
|
"source": evt.Parsed["source_ip"],
|
||||||
"target_uri": evt.Parsed["target_uri"],
|
"target_uri": evt.Parsed["target_uri"],
|
||||||
}).Infof("%s triggered %d rules [%+v]", evt.Parsed["source_ip"], len(evt.Waap), evt.Waap.GetRuleIDs())
|
}).Infof("%s triggered %d rules [%+v]", evt.Parsed["source_ip"], len(evt.Waap), evt.Waap.GetRuleIDs())*/
|
||||||
//log.Infof("%s", evt.Waap)
|
//log.Infof("%s", evt.Waap)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
|
func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
|
||||||
r.logger.Infof("TX %v", &tx)
|
|
||||||
|
//log.Infof("tx addr: %p", tx)
|
||||||
if tx.IsInterrupted() {
|
if tx.IsInterrupted() {
|
||||||
r.logger.Infof("interrupted() = %t", tx.IsInterrupted())
|
r.logger.Infof("interrupted() = %t", tx.IsInterrupted())
|
||||||
r.logger.Infof("interrupted.action = %s", tx.Interruption().Action)
|
r.logger.Infof("interrupted.action = %s", tx.Interruption().Action)
|
||||||
|
@ -66,10 +66,15 @@ func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind st
|
||||||
evt.Parsed["interrupted"] = "true"
|
evt.Parsed["interrupted"] = "true"
|
||||||
evt.Parsed["action"] = tx.Interruption().Action
|
evt.Parsed["action"] = tx.Interruption().Action
|
||||||
|
|
||||||
|
//log.Infof("action: %s", tx.Interruption().Action)
|
||||||
|
|
||||||
evt.Meta["waap_interrupted"] = "1"
|
evt.Meta["waap_interrupted"] = "1"
|
||||||
evt.Meta["waap_action"] = tx.Interruption().Action
|
evt.Meta["waap_action"] = tx.Interruption().Action
|
||||||
}
|
}
|
||||||
|
r.logger.Infof("variables addr in AccumulateTxToEvent: %p", tx.Variables())
|
||||||
|
//log.Infof("variables: %s", spew.Sdump(tx.Variables()))
|
||||||
|
//log.Infof("tx variables: %+v", tx.Collection(variables.TX))
|
||||||
|
//log.Infof("TX %s", spew.Sdump(tx.MatchedRules()))
|
||||||
for _, rule := range tx.MatchedRules() {
|
for _, rule := range tx.MatchedRules() {
|
||||||
if rule.Message() == "" {
|
if rule.Message() == "" {
|
||||||
continue
|
continue
|
||||||
|
|
|
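Review bot: The added `r.logger.Infof("variables addr in AccumulateTxToEvent: %p", tx.Variables())` is a debugging trace at Info level, so it is emitted for every transaction in production and records a pointer value with no operational meaning; change it to `r.logger.Tracef(...)` or drop it together with the `//log.Infof(...)` lines left commented out in the same function (`tx addr`, `action`, `variables`, `tx variables`, `TX` matched rules). The same range leaves LogWaapEvent as an exported function whose entire body is commented out; if the per-event summary line is no longer wanted, delete the function and its callers rather than keeping a no-op, and if it is wanted, emit it at Debug level on the caller's `*log.Entry` rather than the package-level logrus logger this commit stops importing. AccumulateTxToEvent's body continues past the end of the hunk.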
@ -11,8 +11,10 @@ import (
|
||||||
|
|
||||||
"github.com/antonmedv/expr"
|
"github.com/antonmedv/expr"
|
||||||
"github.com/crowdsecurity/coraza/v3"
|
"github.com/crowdsecurity/coraza/v3"
|
||||||
|
"github.com/crowdsecurity/coraza/v3/collection"
|
||||||
"github.com/crowdsecurity/coraza/v3/experimental"
|
"github.com/crowdsecurity/coraza/v3/experimental"
|
||||||
corazatypes "github.com/crowdsecurity/coraza/v3/types"
|
corazatypes "github.com/crowdsecurity/coraza/v3/types"
|
||||||
|
"github.com/crowdsecurity/coraza/v3/types/variables"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/acquisition/configuration"
|
"github.com/crowdsecurity/crowdsec/pkg/acquisition/configuration"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/waf"
|
"github.com/crowdsecurity/crowdsec/pkg/waf"
|
||||||
|
@ -206,6 +208,7 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
w.InChan = make(chan waf.ParsedRequest)
|
w.InChan = make(chan waf.ParsedRequest)
|
||||||
|
w.logger.Infof("w.InChan creation: %p", w.InChan)
|
||||||
w.WafRunners = make([]WafRunner, w.config.WafRoutines)
|
w.WafRunners = make([]WafRunner, w.config.WafRoutines)
|
||||||
for nbRoutine := 0; nbRoutine < w.config.WafRoutines; nbRoutine++ {
|
for nbRoutine := 0; nbRoutine < w.config.WafRoutines; nbRoutine++ {
|
||||||
w.logger.Infof("Loading %d in-band rules", len(strings.Split(inBandRules, "\n")))
|
w.logger.Infof("Loading %d in-band rules", len(strings.Split(inBandRules, "\n")))
|
||||||
|
@ -259,10 +262,7 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error {
|
||||||
w.WafRunners[nbRoutine] = runner
|
w.WafRunners[nbRoutine] = runner
|
||||||
}
|
}
|
||||||
|
|
||||||
w.logger.Infof("Loading %d out-of-band rules", len(strings.Split(outOfBandRules, "\n")))
|
w.logger.Infof("Created %d waf runners", len(w.WafRunners))
|
||||||
if err != nil {
|
|
||||||
return errors.Wrap(err, "Cannot create WAF")
|
|
||||||
}
|
|
||||||
|
|
||||||
//We don´t use the wrapper provided by coraza because we want to fully control what happens when a rule match to send the information in crowdsec
|
//We don´t use the wrapper provided by coraza because we want to fully control what happens when a rule match to send the information in crowdsec
|
||||||
w.mux.HandleFunc(w.config.Path, w.wafHandler)
|
w.mux.HandleFunc(w.config.Path, w.wafHandler)
|
||||||
|
@ -296,6 +296,7 @@ func (w *WafSource) StreamingAcquisition(out chan types.Event, t *tomb.Tomb) err
|
||||||
runner := runner
|
runner := runner
|
||||||
runner.outChan = out
|
runner.outChan = out
|
||||||
t.Go(func() error {
|
t.Go(func() error {
|
||||||
|
defer trace.CatchPanic("crowdsec/acquis/waf/live/runner")
|
||||||
return runner.Run(t)
|
return runner.Run(t)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -370,15 +371,26 @@ func (r *WafRunner) processReqWithEngine(tx experimental.FullTransaction, parsed
|
||||||
|
|
||||||
in = tx.ProcessRequestHeaders()
|
in = tx.ProcessRequestHeaders()
|
||||||
|
|
||||||
|
for _, v := range tx.Collection(variables.TX).FindAll() {
|
||||||
|
log.Infof("tx variable: %s | %s", v.Key(), v.Value())
|
||||||
|
}
|
||||||
|
|
||||||
|
tx.Variables().All(func(v variables.RuleVariable, col collection.Collection) bool {
|
||||||
|
log.Infof("Collection: %s", col.Name())
|
||||||
|
log.Infof("Variable: %s", v.Name())
|
||||||
|
//collect := tx.Collection(col)
|
||||||
|
return true
|
||||||
|
})
|
||||||
|
|
||||||
//spew.Dump(in)
|
//spew.Dump(in)
|
||||||
//spew.Dump(tx.MatchedRules())
|
//spew.Dump(tx.MatchedRules())
|
||||||
|
|
||||||
for _, rule := range tx.MatchedRules() {
|
/*for _, rule := range tx.MatchedRules() {
|
||||||
//r.logger.Infof("Rule %d disruptive: %t", rule.Rule().ID(), rule.Disruptive())
|
log.Infof("Rule %d disruptive: %t", rule.Rule().ID(), rule.Disruptive())
|
||||||
if rule.Message() == "" {
|
if rule.Message() == "" {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}*/
|
||||||
|
|
||||||
//if we're inband, we should stop here, but for outofband go to the end
|
//if we're inband, we should stop here, but for outofband go to the end
|
||||||
if in != nil && wafType == InBand {
|
if in != nil && wafType == InBand {
|
||||||
|
@ -393,6 +405,7 @@ func (r *WafRunner) processReqWithEngine(tx experimental.FullTransaction, parsed
|
||||||
}
|
}
|
||||||
|
|
||||||
if it != nil {
|
if it != nil {
|
||||||
|
//log.Infof("blocking rule id %d", in.RuleID)
|
||||||
return it, nil, nil
|
return it, nil, nil
|
||||||
}
|
}
|
||||||
// from https://github.com/corazawaf/coraza/blob/main/internal/corazawaf/transaction.go#L419
|
// from https://github.com/corazawaf/coraza/blob/main/internal/corazawaf/transaction.go#L419
|
||||||
|
@ -413,6 +426,8 @@ func (r *WafRunner) processReqWithEngine(tx experimental.FullTransaction, parsed
|
||||||
return nil, nil, errors.Wrap(err, "Cannot process request body")
|
return nil, nil, errors.Wrap(err, "Cannot process request body")
|
||||||
}
|
}
|
||||||
if in != nil && wafType == InBand {
|
if in != nil && wafType == InBand {
|
||||||
|
//log.Infof("blocking rule id %d", in.RuleID)
|
||||||
|
|
||||||
return in, tx, nil
|
return in, tx, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -427,6 +442,7 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
|
||||||
r.logger.Infof("Waf Runner is dying")
|
r.logger.Infof("Waf Runner is dying")
|
||||||
return nil
|
return nil
|
||||||
case request := <-r.inChan:
|
case request := <-r.inChan:
|
||||||
|
r.logger.Infof("Requests handled by runner %s", r.UUID)
|
||||||
var evt *types.Event
|
var evt *types.Event
|
||||||
WafReqCounter.With(prometheus.Labels{"source": request.RemoteAddr}).Inc()
|
WafReqCounter.With(prometheus.Labels{"source": request.RemoteAddr}).Inc()
|
||||||
//measure the time spent in the WAF
|
//measure the time spent in the WAF
|
||||||
|
@ -436,6 +452,8 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
|
||||||
// we use this internal transaction for the expr helpers
|
// we use this internal transaction for the expr helpers
|
||||||
tx := waf.NewTransaction(expTx)
|
tx := waf.NewTransaction(expTx)
|
||||||
|
|
||||||
|
//r.logger.Infof("Processing request %s | tx: %p", request.UUID, tx)
|
||||||
|
|
||||||
//Run the pre_eval hooks
|
//Run the pre_eval hooks
|
||||||
for _, rules := range r.RulesCollections {
|
for _, rules := range r.RulesCollections {
|
||||||
if len(rules.CompiledPreEval) == 0 {
|
if len(rules.CompiledPreEval) == 0 {
|
||||||
|
@ -482,6 +500,12 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
|
||||||
request.Tx = expTx
|
request.Tx = expTx
|
||||||
//log.Infof("-> %s", spew.Sdump(in))
|
//log.Infof("-> %s", spew.Sdump(in))
|
||||||
|
|
||||||
|
//log.Infof("tx variables: %+v", expTx.Collection(variables.TX))
|
||||||
|
|
||||||
|
//foo := expTx.(plugintypes.TransactionState)
|
||||||
|
|
||||||
|
//log.Infof("from tstate: %+v", foo.Variables().TX().FindAll())
|
||||||
|
|
||||||
response := waf.NewResponseRequest(expTx, in, request.UUID, err)
|
response := waf.NewResponseRequest(expTx, in, request.UUID, err)
|
||||||
|
|
||||||
// run the on_match hooks
|
// run the on_match hooks
|
||||||
|
|
|
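Review bot: The new loop in processReqWithEngine, `for _, v := range tx.Collection(variables.TX).FindAll() { log.Infof("tx variable: %s | %s", v.Key(), v.Value()) }`, prints every TX-collection entry at Info level on every request through the package-level logger; with rule sets such as the CRS, TX variables commonly carry matched-data values copied out of the request, so this writes request payload fragments (possibly credentials or tokens) into the main log and makes log volume per request proportional to attacker-controlled input. Downgrade it to `r.logger.Debugf(...)` guarded by `if r.logger.Logger.IsLevelEnabled(log.DebugLevel) {` (assuming r.logger is the `*log.Entry` that Configure receives), or remove it along with the `tx.Variables().All(...)` walk and the commented-out rule loop below it before merging. The same applies to the per-request `r.logger.Infof("Requests handled by runner %s", r.UUID)` added in Run and the `%p` channel-address log added in Configure. This hunk range also deletes the `if err != nil { return errors.Wrap(err, "Cannot create WAF") }` check after the runner loop in Configure, which is only safe if `err` can no longer be set at that point — the hunk does not show where `err` comes from, so that is worth confirming. processReqWithEngine's body starts and ends outside the hunk.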
@ -11,7 +11,6 @@ import (
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/cwhub"
|
"github.com/crowdsecurity/crowdsec/pkg/cwhub"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
"github.com/davecgh/go-spew/spew"
|
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
"gopkg.in/yaml.v3"
|
"gopkg.in/yaml.v3"
|
||||||
)
|
)
|
||||||
|
@ -104,7 +103,7 @@ func (w *WafRuleLoader) LoadWafRules() ([]*WafRulesCollection, error) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
spew.Dump(wafConfig)
|
//spew.Dump(wafConfig)
|
||||||
|
|
||||||
collection := &WafRulesCollection{}
|
collection := &WafRulesCollection{}
|
||||||
|
|
||||||
|
|
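Review bot: The commented-out `//spew.Dump(wafConfig)` at the top of the LoadWafRules loop body is dead code now that the spew import is gone; delete the line rather than leaving it behind. If a dump of each parsed collection config is still useful while debugging, `log.Tracef("waf config: %+v", wafConfig)` keeps it available at a level that is off by default and goes to the logger instead of stdout. LoadWafRules's body starts and ends outside the hunk.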