From 13512891e41177323ac0a8afa4b26055f55a135a Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Tue, 4 Jul 2023 17:36:56 +0200 Subject: [PATCH] add waf_routines --- pkg/acquisition/modules/waf/utils.go | 8 +- pkg/acquisition/modules/waf/waf.go | 262 ++++++++++++++++----------- pkg/waf/env.go | 32 ++++ pkg/waf/request.go | 106 +++++++++++ pkg/waf/waf.go | 8 +- pkg/waf/waf_rules_collection.go | 2 + 6 files changed, 301 insertions(+), 117 deletions(-) create mode 100644 pkg/waf/env.go create mode 100644 pkg/waf/request.go diff --git a/pkg/acquisition/modules/waf/utils.go b/pkg/acquisition/modules/waf/utils.go index 7aa734d59..6d2932bf9 100644 --- a/pkg/acquisition/modules/waf/utils.go +++ b/pkg/acquisition/modules/waf/utils.go @@ -8,10 +8,12 @@ import ( corazatypes "github.com/corazawaf/coraza/v3/types" "github.com/crowdsecurity/crowdsec/pkg/types" + "github.com/crowdsecurity/crowdsec/pkg/waf" "github.com/pkg/errors" + log "github.com/sirupsen/logrus" ) -func TxToEvents(r ParsedRequest, kind string) ([]types.Event, error) { +func TxToEvents(r waf.ParsedRequest, kind string) ([]types.Event, error) { evts := []types.Event{} if r.Tx == nil { return nil, fmt.Errorf("tx is nil") @@ -32,7 +34,7 @@ func TxToEvents(r ParsedRequest, kind string) ([]types.Event, error) { } // Transforms a coraza interruption to a crowdsec event -func RuleMatchToEvent(rule corazatypes.MatchedRule, tx corazatypes.Transaction, r ParsedRequest, kind string) (types.Event, error) { +func RuleMatchToEvent(rule corazatypes.MatchedRule, tx corazatypes.Transaction, r waf.ParsedRequest, kind string) (types.Event, error) { evt := types.Event{} //we might want to change this based on in-band vs out-of-band ? evt.Type = types.LOG @@ -40,7 +42,7 @@ func RuleMatchToEvent(rule corazatypes.MatchedRule, tx corazatypes.Transaction, //def needs fixing evt.Stage = "s00-raw" evt.Process = true - + log.Infof("SOURCE IP: %+v", rule) //we build a big-ass object that is going to be marshaled in line.raw and unmarshaled later. //why ? because it's more consistent with the other data-sources etc. and it provides users with flexibility to alter our parsers CorazaEvent := map[string]interface{}{ diff --git a/pkg/acquisition/modules/waf/waf.go b/pkg/acquisition/modules/waf/waf.go index 762626070..e46e875eb 100644 --- a/pkg/acquisition/modules/waf/waf.go +++ b/pkg/acquisition/modules/waf/waf.go @@ -2,14 +2,15 @@ package wafacquisition import ( "context" + "encoding/json" "fmt" - "io/ioutil" "net/http" - "net/url" "os" "strings" + "github.com/antonmedv/expr" "github.com/corazawaf/coraza/v3" + "github.com/corazawaf/coraza/v3/experimental" corazatypes "github.com/corazawaf/coraza/v3/types" "github.com/crowdsecurity/crowdsec/pkg/acquisition/configuration" "github.com/crowdsecurity/crowdsec/pkg/types" @@ -29,11 +30,20 @@ const ( ) type WafRunner struct { - outChan chan types.Event - inChan chan ParsedRequest - inBandWaf coraza.WAF - outOfBandWaf coraza.WAF - UUID string + outChan chan types.Event + inChan chan waf.ParsedRequest + inBandWaf coraza.WAF + outOfBandWaf coraza.WAF + UUID string + RulesCollections []*waf.WafRulesCollection +} + +type WafSourceConfig struct { + ListenAddr string `yaml:"listen_addr"` + ListenPort int `yaml:"listen_port"` + Path string `yaml:"path"` + WafRoutines int `yaml:"waf_routines"` + configuration.DataSourceCommonCfg `yaml:",inline"` } type WafSource struct { @@ -43,47 +53,15 @@ type WafSource struct { server *http.Server addr string outChan chan types.Event - InChan chan ParsedRequest + InChan chan waf.ParsedRequest - inBandWaf coraza.WAF - outOfBandWaf coraza.WAF + inBandWaf coraza.WAF + outOfBandWaf coraza.WAF + RulesCollections []*waf.WafRulesCollection WafRunners []WafRunner } -type ParsedRequest struct { - RemoteAddr string - Host string - ClientIP string - URI string - ClientHost string - Headers http.Header - URL *url.URL - Method string - Proto string - Body []byte - TransferEncoding []string - UUID string - Tx corazatypes.Transaction - ResponseChannel chan ResponseRequest -} - -type ResponseRequest struct { - ResponseChannel chan ResponseRequest - UUID string - Tx corazatypes.Transaction - Interruption *corazatypes.Interruption - Err error -} - -type WafSourceConfig struct { - ListenAddr string `yaml:"listen_addr"` - ListenPort int `yaml:"listen_port"` - Path string `yaml:"path"` - WafRoutines int `yaml:"waf_routines"` - configuration.DataSourceCommonCfg `yaml:",inline"` -} - func (w *WafSource) GetMetrics() []prometheus.Collector { return nil } @@ -156,6 +134,8 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error { return fmt.Errorf("cannot load WAF rules: %w", err) } + w.RulesCollections = rulesCollections + var inBandRules string var outOfBandRules string @@ -179,7 +159,7 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error { w.config.WafRoutines = 1 } - w.InChan = make(chan ParsedRequest) + w.InChan = make(chan waf.ParsedRequest) w.WafRunners = make([]WafRunner, w.config.WafRoutines) for nbRoutine := 0; nbRoutine < w.config.WafRoutines; nbRoutine++ { w.logger.Infof("Loading %d in-band rules", len(strings.Split(inBandRules, "\n"))) @@ -207,10 +187,11 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error { } runner := WafRunner{ - outOfBandWaf: outofbandwaf, - inBandWaf: inbandwaf, - inChan: w.InChan, - UUID: uuid.New().String(), + outOfBandWaf: outofbandwaf, + inBandWaf: inbandwaf, + inChan: w.InChan, + UUID: uuid.New().String(), + RulesCollections: rulesCollections, } w.WafRunners[nbRoutine] = runner } @@ -284,51 +265,8 @@ func (w *WafSource) Dump() interface{} { return w } -func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) { - var body []byte - var err error - - if r.Body != nil { - body = make([]byte, 0) - body, err = ioutil.ReadAll(r.Body) - if err != nil { - return ParsedRequest{}, fmt.Errorf("unable to read body: %s", err) - } - } - - // the real source of the request is set in 'x-client-ip' - clientIP := r.Header.Get("X-Client-Ip") - // the real target Host of the request is set in 'x-client-host' - clientHost := r.Header.Get("X-Client-Host") - // the real URI of the request is set in 'x-client-uri' - clientURI := r.Header.Get("X-Client-Uri") - - // delete those headers before coraza process the request - delete(r.Header, "x-client-ip") - delete(r.Header, "x-client-host") - delete(r.Header, "x-client-uri") - - return ParsedRequest{ - RemoteAddr: r.RemoteAddr, - UUID: uuid.New().String(), - ClientHost: clientHost, - ClientIP: clientIP, - URI: clientURI, - Host: r.Host, - Headers: r.Header, - URL: r.URL, - Method: r.Method, - Proto: r.Proto, - Body: body, - TransferEncoding: r.TransferEncoding, - ResponseChannel: make(chan ResponseRequest), - }, nil -} - -func processReqWithEngine(waf coraza.WAF, r ParsedRequest, uuid string, wafType string) (*corazatypes.Interruption, corazatypes.Transaction, error) { +func processReqWithEngine(tx experimental.FullTransaction, r waf.ParsedRequest, wafType string) (*corazatypes.Interruption, experimental.FullTransaction, error) { var in *corazatypes.Interruption - tx := waf.NewTransactionWithID(uuid) - if tx.IsRuleEngineOff() { log.Printf("engine is off") return nil, nil, nil @@ -346,7 +284,6 @@ func processReqWithEngine(waf coraza.WAF, r ParsedRequest, uuid string, wafType //txx := experimental.ToFullInterface(tx) //txx = tx.(experimental.FullTransaction) //txx.RemoveRuleByID(1) - tx.ProcessConnection(r.ClientIP, 0, "", 0) //tx.ProcessURI(r.URL.String(), r.Method, r.Proto) //FIXME: get it from the headers @@ -369,12 +306,15 @@ func processReqWithEngine(waf coraza.WAF, r ParsedRequest, uuid string, wafType } in = tx.ProcessRequestHeaders() + //spew.Dump(in) //spew.Dump(tx.MatchedRules()) - /*for _, rule := range tx.MatchedRules() { - spew.Dump(rule.Rule()) - }*/ + for _, rule := range tx.MatchedRules() { + if rule.Message() == "" { + continue + } + } //if we're inband, we should stop here, but for outofband go to the end if in != nil && wafType == InBand { @@ -422,17 +362,105 @@ func (r *WafRunner) Run(t *tomb.Tomb) error { log.Infof("Waf Runner is dying") return nil case request := <-r.inChan: - in, tx, err := processReqWithEngine(r.inBandWaf, request, request.UUID, InBand) - response := ResponseRequest{ - Tx: tx, - Interruption: in, - Err: err, - UUID: request.UUID, + inBoundTx := r.inBandWaf.NewTransactionWithID(request.UUID) + expTx := inBoundTx.(experimental.FullTransaction) + // we use this internal transaction for the expr helpers + tx := waf.NewTransaction(expTx) + + //Run the pre_eval hooks + for _, rules := range r.RulesCollections { + if len(rules.CompiledPreEval) == 0 { + continue + } + for _, compiledHook := range rules.CompiledPreEval { + if compiledHook.Filter != nil { + res, err := expr.Run(compiledHook.Filter, map[string]interface{}{ + "rules": rules, + "req": request, + }) + if err != nil { + log.Errorf("unable to run PreEval filter: %s", err) + continue + } + + switch t := res.(type) { + case bool: + if t == false { + log.Infof("filter didnt match") + continue + } + default: + log.Errorf("Filter must return a boolean, can't filter") + continue + } + } + // here means there is no filter or the filter matched + for _, applyExpr := range compiledHook.Apply { + _, err := expr.Run(applyExpr, map[string]interface{}{ + "rules": rules, + "req": request, + "RemoveRuleByID": tx.RemoveRuleByIDWithError, + }) + if err != nil { + log.Errorf("unable to apply filter: %s", err) + continue + } + } + } } + + in, expTx, err := processReqWithEngine(expTx, request, InBand) + request.Tx = expTx + + response := waf.NewResponseRequest(expTx, in, request.UUID, err) + + // run the on_match hooks + for _, rules := range r.RulesCollections { + if len(rules.CompiledOnMatch) == 0 { + continue + } + for _, compiledHook := range rules.CompiledOnMatch { + if compiledHook.Filter != nil { + res, err := expr.Run(compiledHook.Filter, map[string]interface{}{ + "rules": rules, + "req": request, + }) + if err != nil { + log.Errorf("unable to run PreEval filter: %s", err) + continue + } + + switch t := res.(type) { + case bool: + if t == false { + continue + } + default: + log.Errorf("Filter must return a boolean, can't filter") + continue + } + } + // here means there is no filter or the filter matched + for _, applyExpr := range compiledHook.Apply { + _, err := expr.Run(applyExpr, map[string]interface{}{ + "rules": rules, + "req": request, + "RemoveRuleByID": tx.RemoveRuleByIDWithError, + "SetRemediation": response.SetRemediation, + "SetRemediationByID": response.SetRemediationByID, + "CancelEvent": response.CancelEvent, + }) + if err != nil { + log.Errorf("unable to apply filter: %s", err) + continue + } + } + } + } + // send back the result to the HTTP handler for the InBand part request.ResponseChannel <- response - if in != nil { - request.Tx = tx + if in != nil && response.SendEvents { // Generate the events for InBand channel events, err := TxToEvents(request, InBand) if err != nil { @@ -446,13 +474,15 @@ func (r *WafRunner) Run(t *tomb.Tomb) error { } // Process outBand - in, tx, err = processReqWithEngine(r.outOfBandWaf, request, request.UUID, OutOfBand) + outBandTx := r.outOfBandWaf.NewTransactionWithID(request.UUID) + expTx = outBandTx.(experimental.FullTransaction) + in, expTx, err = processReqWithEngine(expTx, request, OutOfBand) if err != nil { //things went south log.Errorf("Error while processing request : %s", err) continue } - request.Tx = tx - if tx != nil && len(tx.MatchedRules()) > 0 { + request.Tx = expTx + if expTx != nil && len(expTx.MatchedRules()) > 0 { events, err := TxToEvents(request, OutOfBand) log.Infof("Request triggered by WAF, %d events to send", len(events)) for _, evt := range events { @@ -467,9 +497,13 @@ func (r *WafRunner) Run(t *tomb.Tomb) error { } } +type BodyResponse struct { + Action string `json:"action"` +} + func (w *WafSource) wafHandler(rw http.ResponseWriter, r *http.Request) { // parse the request only once - parsedRequest, err := NewParsedRequestFromRequest(r) + parsedRequest, err := waf.NewParsedRequestFromRequest(r) if err != nil { log.Errorf("%s", err) rw.WriteHeader(http.StatusForbidden) @@ -487,10 +521,22 @@ func (w *WafSource) wafHandler(rw http.ResponseWriter, r *http.Request) { if message.Interruption != nil { rw.WriteHeader(http.StatusForbidden) + body, err := json.Marshal(BodyResponse{Action: message.Interruption.Action}) + if err != nil { + log.Errorf("unable to build response: %s", err) + } else { + rw.Write(body) + } return } rw.WriteHeader(http.StatusOK) + body, err := json.Marshal(BodyResponse{Action: "allow"}) + if err != nil { + log.Errorf("unable to build response: %s", err) + } else { + rw.Write(body) + } return } diff --git a/pkg/waf/env.go b/pkg/waf/env.go new file mode 100644 index 000000000..797fe5c37 --- /dev/null +++ b/pkg/waf/env.go @@ -0,0 +1,32 @@ +package waf + +import "github.com/corazawaf/coraza/v3/experimental" + +type Transaction struct { + Tx experimental.FullTransaction +} + +func NewTransaction(tx experimental.FullTransaction) Transaction { + return Transaction{Tx: tx} +} + +func (t *Transaction) RemoveRuleByIDWithError(id int) error { + t.Tx.RemoveRuleByID(id) + return nil +} + +func GetEnv() map[string]interface{} { + ResponseRequest := ResponseRequest{} + ParsedRequest := ParsedRequest{} + Rules := &WafRulesCollection{} + Tx := Transaction{} + + return map[string]interface{}{ + "rules": Rules, + "req": ParsedRequest, + "SetRemediation": ResponseRequest.SetRemediation, + "SetRemediationByID": ResponseRequest.SetRemediationByID, + "CancelEvent": ResponseRequest.CancelEvent, + "RemoveRuleByID": Tx.RemoveRuleByIDWithError, + } +} diff --git a/pkg/waf/request.go b/pkg/waf/request.go new file mode 100644 index 000000000..29d9ab35f --- /dev/null +++ b/pkg/waf/request.go @@ -0,0 +1,106 @@ +package waf + +import ( + "fmt" + "io/ioutil" + "net/http" + "net/url" + + "github.com/corazawaf/coraza/v3/experimental" + corazatypes "github.com/corazawaf/coraza/v3/types" + "github.com/google/uuid" +) + +type ResponseRequest struct { + UUID string + Tx corazatypes.Transaction + Interruption *corazatypes.Interruption + Err error + SendEvents bool +} + +func NewResponseRequest(Tx experimental.FullTransaction, in *corazatypes.Interruption, UUID string, err error) ResponseRequest { + return ResponseRequest{ + UUID: UUID, + Tx: Tx, + Interruption: in, + Err: err, + SendEvents: true, + } +} + +func (r *ResponseRequest) SetRemediation(remediation string) error { + r.Interruption.Action = remediation + return nil +} + +func (r *ResponseRequest) SetRemediationByID(ID int, remediation string) error { + if r.Interruption.RuleID == ID { + r.Interruption.Action = remediation + } + return nil +} + +func (r *ResponseRequest) CancelEvent() error { + // true by default + r.SendEvents = false + return nil +} + +type ParsedRequest struct { + RemoteAddr string + Host string + ClientIP string + URI string + ClientHost string + Headers http.Header + URL *url.URL + Method string + Proto string + Body []byte + TransferEncoding []string + UUID string + Tx experimental.FullTransaction + ResponseChannel chan ResponseRequest +} + +func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) { + var body []byte + var err error + + if r.Body != nil { + body = make([]byte, 0) + body, err = ioutil.ReadAll(r.Body) + if err != nil { + return ParsedRequest{}, fmt.Errorf("unable to read body: %s", err) + } + } + + // the real source of the request is set in 'x-client-ip' + clientIP := r.Header.Get("X-Client-Ip") + // the real target Host of the request is set in 'x-client-host' + clientHost := r.Header.Get("X-Client-Host") + // the real URI of the request is set in 'x-client-uri' + clientURI := r.Header.Get("X-Client-Uri") + + // delete those headers before coraza process the request + delete(r.Header, "x-client-ip") + delete(r.Header, "x-client-host") + delete(r.Header, "x-client-uri") + + return ParsedRequest{ + RemoteAddr: r.RemoteAddr, + UUID: uuid.New().String(), + ClientHost: clientHost, + ClientIP: clientIP, + URI: clientURI, + Host: r.Host, + Headers: r.Header, + URL: r.URL, + Method: r.Method, + Proto: r.Proto, + Body: body, + TransferEncoding: r.TransferEncoding, + ResponseChannel: make(chan ResponseRequest), + }, nil +} diff --git a/pkg/waf/waf.go b/pkg/waf/waf.go index 0c61d2447..d2d4d0dc8 100644 --- a/pkg/waf/waf.go +++ b/pkg/waf/waf.go @@ -67,9 +67,7 @@ func buildHook(hook Hook) (CompiledHook, error) { compiledHook.Filter = program } for _, apply := range hook.Apply { - program, err := expr.Compile(apply, GetExprWAFOptions(map[string]interface{}{ - "rules": &WafRulesCollection{}, - })...) + program, err := expr.Compile(apply, GetExprWAFOptions(GetEnv())...) if err != nil { return CompiledHook{}, fmt.Errorf("unable to compile apply %s : %w", apply, err) } @@ -173,9 +171,7 @@ func (w *WafRuleLoader) LoadWafRules() ([]*WafRulesCollection, error) { //Ignore filter for on load ? if onLoadHook.Apply != nil { for exprIdx, applyExpr := range onLoadHook.Apply { - _, err := expr.Run(applyExpr, map[string]interface{}{ - "rules": collection, - }) + _, err := expr.Run(applyExpr, GetEnv()) if err != nil { w.logger.Errorf("unable to run apply for on_load rule %s : %s", wafConfig.OnLoad[hookIdx].Apply[exprIdx], err) continue diff --git a/pkg/waf/waf_rules_collection.go b/pkg/waf/waf_rules_collection.go index 3ce130e56..f6669527f 100644 --- a/pkg/waf/waf_rules_collection.go +++ b/pkg/waf/waf_rules_collection.go @@ -4,6 +4,8 @@ import "strings" type WafRule struct { RawRule string + RuleID string + InBand bool } // This is the "compiled" state of a WafConfig