From c8af58d1bf35d01552e1d5046a0e56f9e2892e3e Mon Sep 17 00:00:00 2001
From: bui
Date: Wed, 15 Nov 2023 17:46:31 +0100
Subject: [PATCH] ensure we're sending lapi/capi alert if the request matched some inband rules

---
 pkg/acquisition/modules/waap/utils.go | 12 ++++++++++--
 pkg/acquisition/modules/waap/waap_runner.go | 4 ++--
 pkg/types/waap_event.go | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/pkg/acquisition/modules/waap/utils.go b/pkg/acquisition/modules/waap/utils.go
index da25daa6f..e302f8682 100644
--- a/pkg/acquisition/modules/waap/utils.go
+++ b/pkg/acquisition/modules/waap/utils.go
@@ -16,7 +16,11 @@ import (
 log "github.com/sirupsen/logrus"
 )
 
-func WaapEventGeneration(inEvt types.Event) (types.Event, error) {
+func WaapEventGeneration(inEvt types.Event) (*types.Event, error) {
+ //if the request didnd't trigger inband rules, we don't want to generate an event to LAPI/CAPI
+ if !inEvt.Waap.HasInBandMatches {
+ return nil, nil
+ }
 evt := types.Event{}
 evt.Type = types.WAAP
 evt.Process = true
@@ -62,7 +66,7 @@ func WaapEventGeneration(inEvt types.Event) (types.Event, error) {
 evt.Overflow.APIAlerts = []models.Alert{alert}
 evt.Overflow.Alert = &alert
 
- return evt, nil
+ return &evt, nil
 }
 
 func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
@@ -193,7 +197,11 @@ func (r *WaapRunner) AccumulateTxToEvent(evt *types.Event, req waf.ParsedRequest
 kind := "outofband"
 if req.IsInBand {
 kind = "inband"
+ evt.Waap.HasInBandMatches = true
+ } else {
+ evt.Waap.HasOutBandMatches = true
 }
+
 WafRuleHits.With(prometheus.Labels{"rule_id": fmt.Sprintf("%d", rule.Rule().ID()), "type": kind}).Inc()
 spew.Dump(waf.WaapRulesDetails)
diff --git a/pkg/acquisition/modules/waap/waap_runner.go b/pkg/acquisition/modules/waap/waap_runner.go
index fa80141ed..a8f83d41e 100644
--- a/pkg/acquisition/modules/waap/waap_runner.go
+++ b/pkg/acquisition/modules/waap/waap_runner.go
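Review bot: The added early return yields `nil, nil`, so any caller that only checks `err` will dereference a nil `*types.Event`; that contract belongs in a doc comment on the function, e.g. `// WaapEventGeneration builds the overflow event forwarded to LAPI/CAPI. It returns (nil, nil) when the request matched no in-band rule, so callers must check the event for nil as well as the error.` The added inline comment also has a typo: `didnd't` should read `didn't`. The function body continues past the end of the hunk.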
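Review bot: The new flag set in the `else` branch is named `HasOutBandMatches`, while the label two lines above is `"outofband"` and the request field is `IsInBand`; `HasOutOfBandMatches` would keep the vocabulary consistent across the metric label, the request field and the new struct fields (the declaration is in the pkg/types/waap_event.go hunk of this patch). The enclosing AccumulateTxToEvent body begins before and ends after the hunk.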
@@ -253,8 +253,8 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
 waapOvlfw, err := WaapEventGeneration(evt)
 if err != nil {
 r.logger.Errorf("unable to generate waap event : %s", err)
- } else {
- r.outChan <- waapOvlfw
+ } else if waapOvlfw != nil {
+ r.outChan <- *waapOvlfw
 }
 }
 }
diff --git a/pkg/types/waap_event.go b/pkg/types/waap_event.go
index 9b474be4d..c0c89408e 100644
--- a/pkg/types/waap_event.go
+++ b/pkg/types/waap_event.go
@@ -20,6 +20,7 @@ len(evt.Waf.ByTagRx("*CVE*").ByConfidence("high").ByAction("block")) > 1
 type MatchedRules []map[string]interface{}
 
 type WaapEvent struct {
+ HasInBandMatches, HasOutBandMatches bool
 MatchedRules
 Vars map[string]string
 }
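Review bot: When `WaapEventGeneration` returns a nil event (a request that matched only out-of-band rules, per the utils.go hunk) the new `else if waapOvlfw != nil` branch discards it with no trace, so an operator cannot tell from the logs that out-of-band detections are being evaluated but intentionally withheld from LAPI/CAPI. A trailing `} else { r.logger.Debugf("no inband rule matched, not sending alert") }` after the new branch would make the skip observable at debug level without changing what is forwarded. The enclosing Run body begins before and ends after the hunk.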
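Review bot: The two exported fields added to `WaapEvent` carry no doc comment, and since `HasInBandMatches` now decides whether an alert is sent to LAPI/CAPI (see the WaapEventGeneration hunk) their meaning should be stated at the declaration, e.g. `// HasInBandMatches and HasOutBandMatches record whether at least one in-band / out-of-band rule matched for this request; only in-band matches produce an alert.` Declaring them on separate lines, matching the one-field-per-line layout of `Vars` below, would also let each carry its own comment.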