up

2023-07-18 18:12:17 +02:00 · 2023-07-18 18:12:17 +02:00 · f7eaefa518
parent ef4fe8f5d3
commit f7eaefa518
2 changed files with 84 additions and 18 deletions
--- a/pkg/acquisition/modules/waf/utils.go
+++ b/pkg/acquisition/modules/waf/utils.go
@ -26,11 +26,17 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
 		"target_uri":  r.URI,
 		"method":      r.Method,
 		"req_uuid":    r.Tx.ID(),
+		"source":      "coraza",
+
+		//TBD:
+		//http_status
+		//user_agent
+
 	}
 	evt.Line = types.Line{
 		Time: time.Now(),
 		//should we add some info like listen addr/port/path ?
-		Labels:  map[string]string{"type": "waf"},
+		Labels:  map[string]string{"type": "coraza-waf"},
 		Process: true,
 		Module:  "waf",
 		Src:     "waf",
@ -58,6 +64,9 @@ func AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *type
 		if evt.Meta == nil {
 			evt.Meta = map[string]string{}
 		}
+		evt.Parsed["interrupted"] = "true"
+		evt.Parsed["action"] = tx.Interruption().Action
+
 		evt.Meta["waap_interrupted"] = "1"
 		evt.Meta["waap_action"] = tx.Interruption().Action
 	}
--- a/pkg/types/event.go
+++ b/pkg/types/event.go
@ -1,6 +1,7 @@
 package types

 import (
+	"fmt"
 	"regexp"
 	"time"

@ -28,15 +29,33 @@ len(evt.Waf.ByTagRx("*CVE*").ByConfidence("high").ByAction("block")) > 1

 type WaapEvent []map[string]interface{}

-func (w WaapEvent) ByID(id int) WaapEvent {
-	waap := WaapEvent{}
+type Field string

+func (f Field) String() string {
+	return fmt.Sprintf("%s", f)
+}
+
+const (
+	ID         Field = "id"
+	RuleType   Field = "rule_type"
+	Tags       Field = "tags"
+	File       Field = "file"
+	Confidence Field = "confidence"
+	Revision   Field = "revision"
+	SecMark    Field = "secmark"
+	Accuracy   Field = "accuracy"
+	Msg        Field = "msg"
+	Severity   Field = "severity"
+	Kind       Field = "kind"
+)
+
+// getters
+func (w WaapEvent) GetField(field Field) []interface{} {
+	ret := make([]interface{}, 0)
 	for _, rule := range w {
-		if rule["id"] == id {
-			waap = append(waap, rule)
-		}
+		ret = append(ret, rule[field.String()])
 	}
-	return waap
+	return ret
 }

 func (w WaapEvent) GetURI() string {
@ -61,16 +80,6 @@ func (w WaapEvent) GetRuleIDs() []int {
 	return ret
 }

-func (w WaapEvent) ByKind(kind string) WaapEvent {
-	waap := WaapEvent{}
-	for _, rule := range w {
-		if rule["kind"] == kind {
-			waap = append(waap, rule)
-		}
-	}
-	return waap
-}
-
 func (w WaapEvent) Kinds() []string {
 	ret := make([]string, 0)
 	for _, rule := range w {
@ -88,6 +97,43 @@ func (w WaapEvent) Kinds() []string {
 	return ret
 }

+// filters
+func (w WaapEvent) ByID(id int) WaapEvent {
+	waap := WaapEvent{}
+
+	for _, rule := range w {
+		if rule["id"] == id {
+			waap = append(waap, rule)
+		}
+	}
+	return waap
+}
+
+func (w WaapEvent) ByKind(kind string) WaapEvent {
+	waap := WaapEvent{}
+	for _, rule := range w {
+		if rule["kind"] == kind {
+			waap = append(waap, rule)
+		}
+	}
+	return waap
+}
+
+func (w WaapEvent) ByTags(match []string) WaapEvent {
+	waap := WaapEvent{}
+	for _, rule := range w {
+		for _, tag := range rule["tags"].([]string) {
+			for _, match_tag := range match {
+				if tag == match_tag {
+					waap = append(waap, rule)
+					break
+				}
+			}
+		}
+	}
+	return waap
+}
+
 func (w WaapEvent) ByTag(match string) WaapEvent {
 	waap := WaapEvent{}
 	for _, rule := range w {
@ -138,7 +184,18 @@ func (w WaapEvent) BySeverity(severity string) WaapEvent {
 			wap = append(wap, rule)
 		}
 	}
-	log.Infof("BySeverity(%t) -> %d", severity, len(wap))
+	log.Infof("BySeverity(%s) -> %d", severity, len(wap))
+	return wap
+}
+
+func (w WaapEvent) ByAccuracy(accuracy string) WaapEvent {
+	wap := WaapEvent{}
+	for _, rule := range w {
+		if rule["accuracy"] == accuracy {
+			wap = append(wap, rule)
+		}
+	}
+	log.Infof("ByAccuracy(%s) -> %d", accuracy, len(wap))
 	return wap
 }