diff --git a/go.mod b/go.mod
index 2d208484a..68e7b6a4d 100644
--- a/go.mod
+++ b/go.mod
@@ -90,7 +90,7 @@ require (
 )
 
 require (
-	github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734
+	github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39
 	golang.org/x/text v0.14.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.0
diff --git a/go.sum b/go.sum
index 085a77d13..10f864160 100644
--- a/go.sum
+++ b/go.sum
@@ -102,6 +102,10 @@ github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75 h1:Kp1sY2P
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734 h1:THMSMkBW/DLG5NvMAr/Mdg/eQOrEnMJ9Y+UdFG4yV8k=
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9 h1:vFJiYtKOW5DwGQ9gxQi8+XDNc+YvuXXsJyWXXuiOn+M=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39 h1:vY0KZvoS4Xl9IfGucBA4l1CV1auRPPJtjZSTz/Rl6iQ=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
 github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26 h1:r97WNVC30Uen+7WnLs4xDScS/Ex988+id2k6mDf8psU=
 github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26/go.mod h1:zpv7r+7KXwgVUZnUNjyP22zc/D7LKjyoY02weH2RBbk=
 github.com/crowdsecurity/go-cs-lib v0.0.5 h1:eVLW+BRj3ZYn0xt5/xmgzfbbB8EBo32gM4+WpQQk2e8=
diff --git a/pkg/acquisition/modules/waap/waap_runner.go b/pkg/acquisition/modules/waap/waap_runner.go
index 2a9e53c29..5375a4d2c 100644
--- a/pkg/acquisition/modules/waap/waap_runner.go
+++ b/pkg/acquisition/modules/waap/waap_runner.go
@@ -70,6 +70,30 @@ func (r *WaapRunner) Init(datadir string) error {
 	}
 
 	r.WaapOutbandEngine, err = coraza.NewWAF(outbandCfg)
+	if r.WaapRuntime.DisabledInBandRulesTags != nil {
+		for _, tag := range r.WaapRuntime.DisabledInBandRulesTags {
+			r.WaapInbandEngine.GetRuleGroup().DeleteByTag(tag)
+		}
+	}
+
+	if r.WaapRuntime.DisabledOutOfBandRulesTags != nil {
+		for _, tag := range r.WaapRuntime.DisabledOutOfBandRulesTags {
+			r.WaapOutbandEngine.GetRuleGroup().DeleteByTag(tag)
+		}
+	}
+
+	if r.WaapRuntime.DisabledInBandRuleIds != nil {
+		for _, id := range r.WaapRuntime.DisabledInBandRuleIds {
+			r.WaapInbandEngine.GetRuleGroup().DeleteByID(id)
+		}
+	}
+
+	if r.WaapRuntime.DisabledOutOfBandRuleIds != nil {
+		for _, id := range r.WaapRuntime.DisabledOutOfBandRuleIds {
+			r.WaapOutbandEngine.GetRuleGroup().DeleteByID(id)
+		}
+	}
+
 	if err != nil {
 		return fmt.Errorf("unable to initialize outband engine : %w", err)
 	}
diff --git a/pkg/waf/waap.go b/pkg/waf/waap.go
index 28abf6b04..85eb4e4fd 100644
--- a/pkg/waf/waap.go
+++ b/pkg/waf/waap.go
@@ -103,11 +103,11 @@ type WaapRuntimeConfig struct {
 	Logger *log.Entry
 
 	//Set by on_load to ignore some rules on loading
-	disabledInBandRuleIds   []int
-	disabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
+	DisabledInBandRuleIds   []int
+	DisabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
 
-	disabledOutOfBandRuleIds   []int
-	disabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
+	DisabledOutOfBandRuleIds   []int
+	DisabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
 }
 
 type WaapConfig struct {
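Review bot: The four rule-removal loops are inserted between `r.WaapOutbandEngine, err = coraza.NewWAF(outbandCfg)` and its `if err != nil` check, so when NewWAF fails (and, as far as can be seen here, leaves the engine nil) the out-of-band branches call `GetRuleGroup()` on a nil engine and panic instead of returning the wrapped error. Move the whole added block below the closing `}` of that error return so both engines are known-good before rules are deleted. The `!= nil` guards around each loop are redundant, since ranging over a nil slice is a no-op; `for _, tag := range r.WaapRuntime.DisabledInBandRulesTags { ... }` is enough on its own. Because these calls remove detection rules from the live engines, a debug log line per removed tag and ID would make the effective rule set auditable after startup. Init continues outside the hunk.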
@@ -434,7 +434,7 @@ func (w *WaapRuntimeConfig) CancelEvent(params ...any) (any, error) {
 // func (w *WaapRuntimeConfig) DisableInBandRuleByID(id int) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
-	w.disabledInBandRuleIds = append(w.disabledInBandRuleIds, params[0].(int))
+	w.DisabledInBandRuleIds = append(w.DisabledInBandRuleIds, params[0].(int))
 	return nil, nil
 }
 
@@ -442,21 +442,21 @@ func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByName(params ...any) (any, error) {
 	tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
-	w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, tagValue)
+	w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, tagValue)
 	return nil, nil
 }
 
 // func (w *WaapRuntimeConfig) DisableInBandRuleByTag(tag string) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByTag(params ...any) (any, error) {
-	w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, params[0].(string))
+	w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, params[0].(string))
 	return nil, nil
 }
 
 // func (w *WaapRuntimeConfig) DisableOutBandRuleByID(id int) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
-	w.disabledOutOfBandRuleIds = append(w.disabledOutOfBandRuleIds, params[0].(int))
+	w.DisabledOutOfBandRuleIds = append(w.DisabledOutOfBandRuleIds, params[0].(int))
 	return nil, nil
 }
 
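Review bot: The rewritten line in DisableInBandRuleByID keeps the unchecked `params[0].(int)` assertion, and the ByName, ByTag and OutBand variants in the -442 and -464 hunks do the same with `params[0].(string)`, so a missing or wrong-typed argument in an on_load expression panics the process rather than surfacing as a configuration error. Each method already returns an error, so use the two-value form: `id, ok := params[0].(int)` followed by `if !ok { return nil, fmt.Errorf("DisableInBandRuleByID: expected int rule id, got %T", params[0]) }`, with a `len(params) == 0` guard in front for the same reason. Since these helpers decide which detection rules are dropped at load time, rejecting bad input explicitly also prevents a typo from being silently interpreted as "disable nothing" or crashing the runner.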
@@ -464,14 +464,14 @@ func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByName(params ...any) (any, error) {
 	tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
-	w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, tagValue)
+	w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, tagValue)
 	return nil, nil
 }
 
 // func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(tag string) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(params ...any) (any, error) {
-	w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, params[0].(string))
+	w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, params[0].(string))
 	return nil, nil
 }
 
diff --git a/pkg/waf/waf_helpers.go b/pkg/waf/waf_helpers.go
index 69b53df1e..bb65df851 100644
--- a/pkg/waf/waf_helpers.go
+++ b/pkg/waf/waf_helpers.go
@@ -22,13 +22,15 @@ func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
 func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} {
 	//FIXME: use expr.Function instead of this
 	return map[string]interface{}{
-		"RemoveInBandRuleByID":   w.DisableInBandRuleByID,
-		"RemoveOutBandRuleByID":  w.DisableOutBandRuleByID,
-		"RemoveInBandRuleByTag":  w.DisableInBandRuleByTag,
-		"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag,
-		"SetRemediationByTag":    w.SetActionByTag,
-		"SetRemediationByID":     w.SetActionByID,
-		"SetRemediationByName":   w.SetActionByName,
+		"RemoveInBandRuleByID":    w.DisableInBandRuleByID,
+		"RemoveOutBandRuleByID":   w.DisableOutBandRuleByID,
+		"RemoveInBandRuleByName":  w.DisableInBandRuleByName,
+		"RemoveInBandRuleByTag":   w.DisableInBandRuleByTag,
+		"RemoveOutBandRuleByTag":  w.DisableOutBandRuleByTag,
+		"RemoveOutBandRuleByName": w.DisableOutBandRuleByName,
+		"SetRemediationByTag":     w.SetActionByTag,
+		"SetRemediationByID":      w.SetActionByID,
+		"SetRemediationByName":    w.SetActionByName,
 	}
 }
 
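Review bot: GetOnLoadEnv is exported but carries no doc comment, and the expression names it publishes (Remove…) differ from the methods they bind (Disable…), which is worth stating for whoever edits the on_load surface next; suggest `// GetOnLoadEnv returns the helpers exposed to on_load expressions, keyed by the name used in the expression; each entry binds a Disable*/SetAction* method of w.` above the signature. The two new entries are also ordered inconsistently, RemoveInBandRuleByName sits between the ID and Tag entries while RemoveOutBandRuleByName comes after the Tag entry; using the same ID/Name/Tag order for both bands would keep the table easy to scan. Whether this map is the only place these names are registered cannot be told from the hunk, so the comment should be adjusted if another registry exists.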