Fix Remove{in,out}bandby{name,tag}
This commit is contained in:
Sebastien Blot
parent
6fb965bb3f
commit
cb030beaca
2
go.mod
2
go.mod
|
|
@ -90,7 +90,7 @@ require (
|
|||
)
|
||||
|
||||
require (
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39
|
||||
golang.org/x/text v0.14.0
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
gotest.tools/v3 v3.5.0
|
||||
|
|
|
|||
4
go.sum
4
go.sum
|
|
@ -102,6 +102,10 @@ github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75 h1:Kp1sY2P
|
|||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734 h1:THMSMkBW/DLG5NvMAr/Mdg/eQOrEnMJ9Y+UdFG4yV8k=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9 h1:vFJiYtKOW5DwGQ9gxQi8+XDNc+YvuXXsJyWXXuiOn+M=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39 h1:vY0KZvoS4Xl9IfGucBA4l1CV1auRPPJtjZSTz/Rl6iQ=
|
||||
github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
|
||||
github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26 h1:r97WNVC30Uen+7WnLs4xDScS/Ex988+id2k6mDf8psU=
|
||||
github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26/go.mod h1:zpv7r+7KXwgVUZnUNjyP22zc/D7LKjyoY02weH2RBbk=
|
||||
github.com/crowdsecurity/go-cs-lib v0.0.5 h1:eVLW+BRj3ZYn0xt5/xmgzfbbB8EBo32gM4+WpQQk2e8=
|
||||
|
|
|
|||
|
|
@ -70,6 +70,30 @@ func (r *WaapRunner) Init(datadir string) error {
|
|||
}
|
||||
r.WaapOutbandEngine, err = coraza.NewWAF(outbandCfg)
|
||||
|
||||
if r.WaapRuntime.DisabledInBandRulesTags != nil {
|
||||
for _, tag := range r.WaapRuntime.DisabledInBandRulesTags {
|
||||
r.WaapInbandEngine.GetRuleGroup().DeleteByTag(tag)
|
||||
}
|
||||
}
|
||||
|
||||
if r.WaapRuntime.DisabledOutOfBandRulesTags != nil {
|
||||
for _, tag := range r.WaapRuntime.DisabledOutOfBandRulesTags {
|
||||
r.WaapOutbandEngine.GetRuleGroup().DeleteByTag(tag)
|
||||
}
|
||||
}
|
||||
|
||||
if r.WaapRuntime.DisabledInBandRuleIds != nil {
|
||||
for _, id := range r.WaapRuntime.DisabledInBandRuleIds {
|
||||
r.WaapInbandEngine.GetRuleGroup().DeleteByID(id)
|
||||
}
|
||||
}
|
||||
|
||||
if r.WaapRuntime.DisabledOutOfBandRuleIds != nil {
|
||||
for _, id := range r.WaapRuntime.DisabledOutOfBandRuleIds {
|
||||
r.WaapOutbandEngine.GetRuleGroup().DeleteByID(id)
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to initialize outband engine : %w", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -103,11 +103,11 @@ type WaapRuntimeConfig struct {
|
|||
Logger *log.Entry
|
||||
|
||||
//Set by on_load to ignore some rules on loading
|
||||
disabledInBandRuleIds []int
|
||||
disabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
|
||||
DisabledInBandRuleIds []int
|
||||
DisabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
|
||||
|
||||
disabledOutOfBandRuleIds []int
|
||||
disabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
|
||||
DisabledOutOfBandRuleIds []int
|
||||
DisabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
|
||||
}
|
||||
|
||||
type WaapConfig struct {
|
||||
|
|
@ -434,7 +434,7 @@ func (w *WaapRuntimeConfig) CancelEvent(params ...any) (any, error) {
|
|||
// func (w *WaapRuntimeConfig) DisableInBandRuleByID(id int) error {
|
||||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
|
||||
w.disabledInBandRuleIds = append(w.disabledInBandRuleIds, params[0].(int))
|
||||
w.DisabledInBandRuleIds = append(w.DisabledInBandRuleIds, params[0].(int))
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
@ -442,21 +442,21 @@ func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
|
|||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableInBandRuleByName(params ...any) (any, error) {
|
||||
tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
|
||||
w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, tagValue)
|
||||
w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, tagValue)
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// func (w *WaapRuntimeConfig) DisableInBandRuleByTag(tag string) error {
|
||||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableInBandRuleByTag(params ...any) (any, error) {
|
||||
w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, params[0].(string))
|
||||
w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, params[0].(string))
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// func (w *WaapRuntimeConfig) DisableOutBandRuleByID(id int) error {
|
||||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
|
||||
w.disabledOutOfBandRuleIds = append(w.disabledOutOfBandRuleIds, params[0].(int))
|
||||
w.DisabledOutOfBandRuleIds = append(w.DisabledOutOfBandRuleIds, params[0].(int))
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
@ -464,14 +464,14 @@ func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
|
|||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableOutBandRuleByName(params ...any) (any, error) {
|
||||
tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
|
||||
w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, tagValue)
|
||||
w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, tagValue)
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(tag string) error {
|
||||
// Disable a rule at load time, meaning it will not run for any request
|
||||
func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(params ...any) (any, error) {
|
||||
w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, params[0].(string))
|
||||
w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, params[0].(string))
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -22,13 +22,15 @@ func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
|
|||
func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} {
|
||||
//FIXME: use expr.Function instead of this
|
||||
return map[string]interface{}{
|
||||
"RemoveInBandRuleByID": w.DisableInBandRuleByID,
|
||||
"RemoveOutBandRuleByID": w.DisableOutBandRuleByID,
|
||||
"RemoveInBandRuleByTag": w.DisableInBandRuleByTag,
|
||||
"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag,
|
||||
"SetRemediationByTag": w.SetActionByTag,
|
||||
"SetRemediationByID": w.SetActionByID,
|
||||
"SetRemediationByName": w.SetActionByName,
|
||||
"RemoveInBandRuleByID": w.DisableInBandRuleByID,
|
||||
"RemoveOutBandRuleByID": w.DisableOutBandRuleByID,
|
||||
"RemoveInBandRuleByName": w.DisableInBandRuleByName,
|
||||
"RemoveInBandRuleByTag": w.DisableInBandRuleByTag,
|
||||
"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag,
|
||||
"RemoveOutBandRuleByName": w.DisableOutBandRuleByName,
|
||||
"SetRemediationByTag": w.SetActionByTag,
|
||||
"SetRemediationByID": w.SetActionByID,
|
||||
"SetRemediationByName": w.SetActionByName,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue