allow to select what variables shouldd be tracked
parent
c41386056a
commit
a7cd86f725
|
@ -2,6 +2,7 @@ package wafacquisition
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"regexp"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/crowdsecurity/coraza/v3/collection"
|
"github.com/crowdsecurity/coraza/v3/collection"
|
||||||
|
@ -56,6 +57,13 @@ func LogWaapEvent(evt *types.Event) {
|
||||||
//log.Infof("%s", evt.Waap)
|
//log.Infof("%s", evt.Waap)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
how to configure variables to be kept:
|
||||||
|
1) full collection : tx.*
|
||||||
|
2) subvariables : tx.a*
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
|
func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {
|
||||||
|
|
||||||
//log.Infof("tx addr: %p", tx)
|
//log.Infof("tx addr: %p", tx)
|
||||||
|
@ -78,6 +86,12 @@ func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind st
|
||||||
evt.Waap.Vars = map[string]string{}
|
evt.Waap.Vars = map[string]string{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// collectionsToKeep := []string{
|
||||||
|
// "toto",
|
||||||
|
// "TX.allowed_methods",
|
||||||
|
// "TX.*_score",
|
||||||
|
// }
|
||||||
|
|
||||||
tx.Variables().All(func(v variables.RuleVariable, col collection.Collection) bool {
|
tx.Variables().All(func(v variables.RuleVariable, col collection.Collection) bool {
|
||||||
for _, variable := range col.FindAll() {
|
for _, variable := range col.FindAll() {
|
||||||
key := ""
|
key := ""
|
||||||
|
@ -89,8 +103,19 @@ func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind st
|
||||||
if variable.Value() == "" {
|
if variable.Value() == "" {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
evt.Waap.Vars[key] = variable.Value()
|
for _, collectionToKeep := range r.VariablesTracking {
|
||||||
r.logger.Infof("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
|
match, err := regexp.MatchString("(?i)"+collectionToKeep, key)
|
||||||
|
if err != nil {
|
||||||
|
r.logger.Warningf("error matching %s with %s: %s", key, collectionToKeep, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if match {
|
||||||
|
evt.Waap.Vars[key] = variable.Value()
|
||||||
|
r.logger.Infof("%s.%s = %s", variable.Variable().Name(), variable.Key(), variable.Value())
|
||||||
|
} else {
|
||||||
|
r.logger.Infof("%s.%s != %s (%s) (not kept)", variable.Variable().Name(), variable.Key(), collectionToKeep, variable.Value())
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return true
|
return true
|
||||||
})
|
})
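Review bot: The `else` branch added in the last hunk of AccumulateTxToEvent logs `variable.Value()` at Info level for every variable that a pattern does not match, once per configured pattern, so request-derived values that the operator chose not to track are still written to the log. I would drop the value from that message and lower the level, e.g. `r.logger.Debugf("%s not matched by %q (not kept)", key, collectionToKeep)`. The patterns also go to `regexp.MatchString` unanchored and as regular expressions, while the comment added above the function shows glob-like forms: read as a regex, `tx.a*` matches any key that contains `tx` followed by one character, so more variables may be kept than the configuration suggests. Compiling each pattern once when the runner is built, anchored as `regexp.Compile("(?i)^" + p + "$")`, would make the match explicit and would report an invalid pattern at startup instead of as a warning per variable on each transaction. The function body starts and ends outside the hunks shown.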
|
||||||
|
|
|
@ -31,21 +31,23 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
type WafRunner struct {
|
type WafRunner struct {
|
||||||
outChan chan types.Event
|
outChan chan types.Event
|
||||||
inChan chan waf.ParsedRequest
|
inChan chan waf.ParsedRequest
|
||||||
inBandWaf coraza.WAF
|
inBandWaf coraza.WAF
|
||||||
outOfBandWaf coraza.WAF
|
outOfBandWaf coraza.WAF
|
||||||
UUID string
|
UUID string
|
||||||
RulesCollections []*waf.WafRulesCollection
|
RulesCollections []*waf.WafRulesCollection
|
||||||
logger *log.Entry
|
logger *log.Entry
|
||||||
|
VariablesTracking []string
|
||||||
}
|
}
|
||||||
|
|
||||||
type WafSourceConfig struct {
|
type WafSourceConfig struct {
|
||||||
ListenAddr string `yaml:"listen_addr"`
|
ListenAddr string `yaml:"listen_addr"`
|
||||||
ListenPort int `yaml:"listen_port"`
|
ListenPort int `yaml:"listen_port"`
|
||||||
Path string `yaml:"path"`
|
Path string `yaml:"path"`
|
||||||
WafRoutines int `yaml:"waf_routines"`
|
WafRoutines int `yaml:"waf_routines"`
|
||||||
Debug bool `yaml:"debug"`
|
Debug bool `yaml:"debug"`
|
||||||
|
VariablesTracking []string `yaml:"variables_tracking"`
|
||||||
configuration.DataSourceCommonCfg `yaml:",inline"`
|
configuration.DataSourceCommonCfg `yaml:",inline"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -250,12 +252,13 @@ func (w *WafSource) Configure(yamlConfig []byte, logger *log.Entry) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
runner := WafRunner{
|
runner := WafRunner{
|
||||||
outOfBandWaf: outofbandwaf,
|
outOfBandWaf: outofbandwaf,
|
||||||
inBandWaf: inbandwaf,
|
inBandWaf: inbandwaf,
|
||||||
inChan: w.InChan,
|
inChan: w.InChan,
|
||||||
UUID: wafUUID,
|
UUID: wafUUID,
|
||||||
RulesCollections: rulesCollections,
|
RulesCollections: rulesCollections,
|
||||||
logger: wafLogger,
|
logger: wafLogger,
|
||||||
|
VariablesTracking: w.config.VariablesTracking,
|
||||||
}
|
}
|
||||||
w.WafRunners[nbRoutine] = runner
|
w.WafRunners[nbRoutine] = runner
|
||||||
}
|
}
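Review bot: `VariablesTracking` is copied from the configuration into each runner in the Configure hunk without any check, and neither new field says what an absent `variables_tracking` key means. Going by the matching loop in AccumulateTxToEvent, an empty list appears to keep no variable at all, where every non-empty variable was recorded before this commit; if that is intended it should be stated on the field, e.g. `// VariablesTracking lists case-insensitive regular expressions; a variable is kept only if one matches. Empty keeps nothing.` Configure is also the place to reject entries that do not compile, so that a typo in the configuration fails at load time. Configure's body continues outside the hunk.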
|
||||||
|
|