Appsec improvement and fixes after merge (#2645)
parent
518c7f178a
commit
b1f85693c2
|
@ -298,8 +298,9 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
|
||||||
request.IsInBand = true
|
request.IsInBand = true
|
||||||
request.IsOutBand = false
|
request.IsOutBand = false
|
||||||
|
|
||||||
//to measure the time spent in the Application Security Engine
|
//to measure the time spent in the Application Security Engine for InBand rules
|
||||||
startParsing := time.Now()
|
startInBandParsing := time.Now()
|
||||||
|
startGlobalParsing := time.Now()
|
||||||
|
|
||||||
//inband appsec rules
|
//inband appsec rules
|
||||||
err := r.ProcessInBandRules(request)
|
err := r.ProcessInBandRules(request)
|
||||||
|
@ -308,13 +309,14 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// time spent to process in band rules
|
||||||
|
inBandParsingElapsed := time.Since(startInBandParsing)
|
||||||
|
AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(inBandParsingElapsed.Seconds())
|
||||||
|
|
||||||
if request.Tx.IsInterrupted() {
|
if request.Tx.IsInterrupted() {
|
||||||
r.handleInBandInterrupt(request)
|
r.handleInBandInterrupt(request)
|
||||||
}
|
}
|
||||||
|
|
||||||
elapsed := time.Since(startParsing)
|
|
||||||
AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
|
|
||||||
|
|
||||||
// send back the result to the HTTP handler for the InBand part
|
// send back the result to the HTTP handler for the InBand part
|
||||||
request.ResponseChannel <- r.AppsecRuntime.Response
|
request.ResponseChannel <- r.AppsecRuntime.Response
|
||||||
|
|
||||||
|
@ -325,12 +327,23 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
|
||||||
r.AppsecRuntime.Response.SendAlert = false
|
r.AppsecRuntime.Response.SendAlert = false
|
||||||
r.AppsecRuntime.Response.SendEvent = true
|
r.AppsecRuntime.Response.SendEvent = true
|
||||||
|
|
||||||
|
//to measure the time spent in the Application Security Engine for OutOfBand rules
|
||||||
|
startOutOfBandParsing := time.Now()
|
||||||
|
|
||||||
err = r.ProcessOutOfBandRules(request)
|
err = r.ProcessOutOfBandRules(request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Errorf("unable to process OutOfBand rules: %s", err)
|
logger.Errorf("unable to process OutOfBand rules: %s", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// time spent to process out of band rules
|
||||||
|
outOfBandParsingElapsed := time.Since(startOutOfBandParsing)
|
||||||
|
AppsecOutbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(outOfBandParsingElapsed.Seconds())
|
||||||
|
|
||||||
|
// time spent to process inband AND out of band rules
|
||||||
|
globalParsingElapsed := time.Since(startGlobalParsing)
|
||||||
|
AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(globalParsingElapsed.Seconds())
|
||||||
|
|
||||||
if request.Tx.IsInterrupted() {
|
if request.Tx.IsInterrupted() {
|
||||||
r.handleOutBandInterrupt(request)
|
r.handleOutBandInterrupt(request)
|
||||||
}
|
}
|
||||||
|
|
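Review bot: The out-of-band error path returns before either of the new `Observe` calls that follow it, so a request on which ProcessOutOfBandRules fails is never recorded in AppsecOutbandParsingHistogram or AppsecGlobalParsingHistogram. The `return` at the top of the second hunk appears to do the same for the in-band histogram. Requests that make the engine error are among the ones an operator most needs to see in latency data, so consider registering the global observation right after `startGlobalParsing := time.Now()` with `defer func() { AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(time.Since(startGlobalParsing).Seconds()) }()`. The global timer also spans the send on `request.ResponseChannel`, so if that channel is unbuffered the value includes time spent waiting for the HTTP handler; a comment stating this would help. handleRequest begins and ends outside these hunks, so other return paths may exist.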
|
@ -6,7 +6,7 @@ var AppsecGlobalParsingHistogram = prometheus.NewHistogramVec(
|
||||||
prometheus.HistogramOpts{
|
prometheus.HistogramOpts{
|
||||||
Help: "Time spent processing a request by the Application Security Engine.",
|
Help: "Time spent processing a request by the Application Security Engine.",
|
||||||
Name: "cs_appsec_parsing_time_seconds",
|
Name: "cs_appsec_parsing_time_seconds",
|
||||||
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
|
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
|
||||||
},
|
},
|
||||||
[]string{"source"},
|
[]string{"source"},
|
||||||
)
|
)
|
||||||
|
@ -15,7 +15,7 @@ var AppsecInbandParsingHistogram = prometheus.NewHistogramVec(
|
||||||
prometheus.HistogramOpts{
|
prometheus.HistogramOpts{
|
||||||
Help: "Time spent processing a request by the inband Application Security Engine.",
|
Help: "Time spent processing a request by the inband Application Security Engine.",
|
||||||
Name: "cs_appsec_inband_parsing_time_seconds",
|
Name: "cs_appsec_inband_parsing_time_seconds",
|
||||||
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
|
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
|
||||||
},
|
},
|
||||||
[]string{"source"},
|
[]string{"source"},
|
||||||
)
|
)
|
||||||
|
@ -24,7 +24,7 @@ var AppsecOutbandParsingHistogram = prometheus.NewHistogramVec(
|
||||||
prometheus.HistogramOpts{
|
prometheus.HistogramOpts{
|
||||||
Help: "Time spent processing a request by the Application Security Engine.",
|
Help: "Time spent processing a request by the Application Security Engine.",
|
||||||
Name: "cs_appsec_outband_parsing_time_seconds",
|
Name: "cs_appsec_outband_parsing_time_seconds",
|
||||||
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
|
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
|
||||||
},
|
},
|
||||||
[]string{"source"},
|
[]string{"source"},
|
||||||
)
|
)
|
||||||
|
|
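Review bot: The same ten-element bucket literal is now repeated in all three histogram definitions, so a later retune has to be made in three places and can drift. A single package-level `var appsecParsingBuckets = []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}` referenced as `Buckets: appsecParsingBuckets,` would keep them aligned. The new lowest bound is 5 ms, so every request faster than that lands in one bucket; it is worth confirming this matches observed in-band latencies. Separately, the Help text of cs_appsec_outband_parsing_time_seconds is identical to the global one and does not mention out-of-band processing.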
|
@ -63,18 +63,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
|
||||||
alert.Meta = append(alert.Meta, &meta)
|
alert.Meta = append(alert.Meta, &meta)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, key := range evt.Appsec.MatchedRules.GetMatchedZones() {
|
|
||||||
valueByte, err := json.Marshal([]string{key})
|
|
||||||
if err != nil {
|
|
||||||
log.Debugf("unable to serialize key %s", key)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
meta := models.MetaItems0{
|
|
||||||
Key: "matched_zones",
|
|
||||||
Value: string(valueByte),
|
|
||||||
}
|
|
||||||
alert.Meta = append(alert.Meta, &meta)
|
|
||||||
}
|
|
||||||
alert.EventsCount = ptr.Of(int32(1))
|
alert.EventsCount = ptr.Of(int32(1))
|
||||||
alert.Leakspeed = ptr.Of("")
|
alert.Leakspeed = ptr.Of("")
|
||||||
alert.Scenario = ptr.Of(inEvt.Appsec.MatchedRules.GetName())
|
alert.Scenario = ptr.Of(inEvt.Appsec.MatchedRules.GetName())
|
||||||
|
|
|
@ -2,6 +2,7 @@ package types
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"regexp"
|
"regexp"
|
||||||
|
"slices"
|
||||||
|
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -132,7 +133,11 @@ func (w MatchedRules) GetMatchedZones() []string {
|
||||||
ret := make([]string, 0)
|
ret := make([]string, 0)
|
||||||
|
|
||||||
for _, rule := range w {
|
for _, rule := range w {
|
||||||
ret = append(ret, rule["matched_zones"].([]string)...)
|
for _, zone := range rule["matched_zones"].([]string) {
|
||||||
|
if !slices.Contains(ret, zone) {
|
||||||
|
ret = append(ret, zone)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
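Review bot: The single-value assertion `rule["matched_zones"].([]string)` in the new inner loop panics if a rule has no `matched_zones` entry or stores it under another type, and nothing in the hunk recovers from that. Because this code runs while a WAF match is turned into an event, a panic here would presumably abort that processing path instead of skipping one malformed rule. Use the two-value form, `zones, ok := rule["matched_zones"].([]string)` followed by `if !ok { continue }`, and range over `zones`. The function signature sits just above the hunk; the rest of the body is visible.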