up
This commit is contained in:
Sebastien Blot
parent
dd7fa82543
commit
92a3c4b2fb
|
|
@ -150,6 +150,9 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
|
||||||
r.logger.Infof("Requests handled by runner %s", request.UUID)
|
r.logger.Infof("Requests handled by runner %s", request.UUID)
|
||||||
r.WaapRuntime.ClearResponse()
|
r.WaapRuntime.ClearResponse()
|
||||||
|
|
||||||
|
request.IsInBand = true
|
||||||
|
request.IsOutBand = false
|
||||||
|
|
||||||
WafReqCounter.With(prometheus.Labels{"source": request.RemoteAddr}).Inc()
|
WafReqCounter.With(prometheus.Labels{"source": request.RemoteAddr}).Inc()
|
||||||
//to measure the time spent in the WAF
|
//to measure the time spent in the WAF
|
||||||
startParsing := time.Now()
|
startParsing := time.Now()
|
||||||
|
|
@ -171,21 +174,25 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
|
||||||
if in := request.Tx.Interruption(); in != nil {
|
if in := request.Tx.Interruption(); in != nil {
|
||||||
r.logger.Debugf("inband rules matched : %d", in.RuleID)
|
r.logger.Debugf("inband rules matched : %d", in.RuleID)
|
||||||
r.WaapRuntime.Response.InBandInterrupt = true
|
r.WaapRuntime.Response.InBandInterrupt = true
|
||||||
|
|
||||||
|
err = r.WaapRuntime.ProcessOnMatchRules(request)
|
||||||
|
if err != nil {
|
||||||
|
r.logger.Errorf("unable to process OnMatch rules: %s", err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
}
|
}
|
||||||
elapsed := time.Since(startParsing)
|
elapsed := time.Since(startParsing)
|
||||||
WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
|
WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
|
||||||
|
|
||||||
//generate reponse for the remediation component, based on the WAAP config + inband rules evaluation
|
//generate reponse for the remediation component, based on the WAAP config + inband rules evaluation
|
||||||
//@tko : this should move in the WaapRuntimeConfig as it knows what to do with the interruption and the expected remediation
|
//@tko : this should move in the WaapRuntimeConfig as it knows what to do with the interruption and the expected remediation
|
||||||
err = r.WaapRuntime.ProcessOnMatchRules(request)
|
|
||||||
if err != nil {
|
|
||||||
r.logger.Errorf("unable to process OnMatch rules: %s", err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
// send back the result to the HTTP handler for the InBand part
|
// send back the result to the HTTP handler for the InBand part
|
||||||
request.ResponseChannel <- r.WaapRuntime.Response
|
request.ResponseChannel <- r.WaapRuntime.Response
|
||||||
|
|
||||||
|
request.IsInBand = false
|
||||||
|
request.IsOutBand = true
|
||||||
|
|
||||||
err = r.ProcessOutOfBandRules(&request)
|
err = r.ProcessOutOfBandRules(&request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
r.logger.Errorf("unable to process OutOfBand rules: %s", err)
|
r.logger.Errorf("unable to process OutOfBand rules: %s", err)
|
||||||
|
|
@ -195,6 +202,14 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
|
||||||
if in := request.Tx.Interruption(); in != nil {
|
if in := request.Tx.Interruption(); in != nil {
|
||||||
r.logger.Debugf("outband rules matched : %d", in.RuleID)
|
r.logger.Debugf("outband rules matched : %d", in.RuleID)
|
||||||
r.WaapRuntime.Response.OutOfBandInterrupt = true
|
r.WaapRuntime.Response.OutOfBandInterrupt = true
|
||||||
|
} else {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
err = r.WaapRuntime.ProcessOnMatchRules(request)
|
||||||
|
if err != nil {
|
||||||
|
r.logger.Errorf("unable to process OnMatch rules: %s", err)
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -38,5 +38,7 @@ func GetHookEnv(w *WaapRuntimeConfig, request ParsedRequest) map[string]interfac
|
||||||
"SetHTTPCode": w.SetHTTPCode,
|
"SetHTTPCode": w.SetHTTPCode,
|
||||||
"SetActionByID": w.SetActionByID,
|
"SetActionByID": w.SetActionByID,
|
||||||
"CancelEvent": w.CancelEvent,
|
"CancelEvent": w.CancelEvent,
|
||||||
|
"IsInBand": request.IsInBand,
|
||||||
|
"IsOutBand": request.IsOutBand,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -74,6 +74,8 @@ type ParsedRequest struct {
|
||||||
UUID string
|
UUID string
|
||||||
Tx experimental.FullTransaction
|
Tx experimental.FullTransaction
|
||||||
ResponseChannel chan WaapTempResponse
|
ResponseChannel chan WaapTempResponse
|
||||||
|
IsInBand bool
|
||||||
|
IsOutBand bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the Waap Engine
|
// Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the Waap Engine
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue