From f7eaefa5186f89e42c2d38f29b60311a03dee5de Mon Sep 17 00:00:00 2001
From: bui
Date: Tue, 18 Jul 2023 18:12:17 +0200
Subject: [PATCH] up
---
 pkg/acquisition/modules/waf/utils.go | 11 +++-
 pkg/types/event.go | 91 ++++++++++++++++++++++------
 2 files changed, 84 insertions(+), 18 deletions(-)
diff --git a/pkg/acquisition/modules/waf/utils.go b/pkg/acquisition/modules/waf/utils.go
index 8c937592d..c0469845a 100644
--- a/pkg/acquisition/modules/waf/utils.go
+++ b/pkg/acquisition/modules/waf/utils.go
@@ -26,11 +26,17 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
 "target_uri": r.URI,
 "method": r.Method,
 "req_uuid": r.Tx.ID(),
+ "source": "coraza",
+
+ //TBD:
+ //http_status
+ //user_agent
+
 }
 evt.Line = types.Line{
 Time: time.Now(), //should we add some info like listen addr/port/path ?
- Labels: map[string]string{"type": "waf"},
+ Labels: map[string]string{"type": "coraza-waf"},
 Process: true,
 Module: "waf",
 Src: "waf",
@@ -58,6 +64,9 @@ func AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *type
 if evt.Meta == nil {
 evt.Meta = map[string]string{}
 }
+ evt.Parsed["interrupted"] = "true"
+ evt.Parsed["action"] = tx.Interruption().Action
+
 evt.Meta["waap_interrupted"] = "1"
 evt.Meta["waap_action"] = tx.Interruption().Action
 }
diff --git a/pkg/types/event.go b/pkg/types/event.go
index 7dc957996..a0741c660 100644
--- a/pkg/types/event.go
+++ b/pkg/types/event.go
@@ -1,6 +1,7 @@
 package types
 import (
+ "fmt"
 "regexp"
 "time"
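Review bot: Renaming the label from `"type": "waf"` to `"type": "coraza-waf"` changes the value parsers and scenarios key on, while the trailing context still sets `Module: "waf"` and `Src: "waf"`, so the three identifiers for the same source now disagree and any filter written against `evt.Line.Labels.type == 'waf'` silently stops matching. Either rename all three consistently or leave a comment stating which one downstream filters are expected to use. The `//TBD:` lines inside the `Parsed` literal would read better as a single `// TODO(waf): populate http_status and user_agent (presumably from r) once available` placed above the map. EventFromRequest starts before the hunk and the rest of the `Line` literal lies after it.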
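Review bot: The new writes `evt.Parsed["interrupted"] = "true"` and `evt.Parsed["action"] = tx.Interruption().Action` are not covered by the nil check that guards `evt.Meta` three lines above, so a caller that hands in an event whose `Parsed` map was never allocated panics on a nil-map assignment; add the same guard before them, `if evt.Parsed == nil { evt.Parsed = map[string]string{} }`. The interruption is now recorded twice under different keys and encodings (`interrupted`/`"true"` versus `waap_interrupted`/`"1"`), so a short comment naming which map consumers should read, or a single encoding, would keep the two from drifting. `tx.Interruption().Action` is also evaluated twice; hoisting it into a local is free. AccumulateTxToEvent starts before the hunk and the conditional enclosing these lines is not visible here.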
@@ -28,15 +29,33 @@ len(evt.Waf.ByTagRx("*CVE*").ByConfidence("high").ByAction("block")) > 1
 type WaapEvent []map[string]interface{}
-func (w WaapEvent) ByID(id int) WaapEvent {
- waap := WaapEvent{}
+type Field string
+func (f Field) String() string {
+ return fmt.Sprintf("%s", f)
+}
+
+const (
+ ID Field = "id"
+ RuleType Field = "rule_type"
+ Tags Field = "tags"
+ File Field = "file"
+ Confidence Field = "confidence"
+ Revision Field = "revision"
+ SecMark Field = "secmark"
+ Accuracy Field = "accuracy"
+ Msg Field = "msg"
+ Severity Field = "severity"
+ Kind Field = "kind"
+)
+
+// getters
+func (w WaapEvent) GetField(field Field) []interface{} {
+ ret := make([]interface{}, 0)
 for _, rule := range w {
- if rule["id"] == id {
- waap = append(waap, rule)
- }
+ ret = append(ret, rule[field.String()])
 }
- return waap
+ return ret
 }
 func (w WaapEvent) GetURI() string {
@@ -61,16 +80,6 @@ func (w WaapEvent) GetRuleIDs() []int {
 return ret
 }
-func (w WaapEvent) ByKind(kind string) WaapEvent {
- waap := WaapEvent{}
- for _, rule := range w {
- if rule["kind"] == kind {
- waap = append(waap, rule)
- }
- }
- return waap
-}
-
 func (w WaapEvent) Kinds() []string {
 ret := make([]string, 0)
 for _, rule := range w {
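Review bot: `Field.String()` recurses without bound: `fmt.Sprintf("%s", f)` receives `f` as a `Field`, which now satisfies `fmt.Stringer`, so the `%s` verb calls `f.String()` again until the goroutine stack overflows, and a stack overflow is a fatal runtime error that `recover` cannot catch. Since `GetField` calls `field.String()` for every rule and is meant to be reachable from expression filters like the one quoted in the hunk header, the first such evaluation takes the whole process down. The body should be the plain conversion `return string(f)`, and `GetField` can index with `rule[string(field)]`; `go vet`'s printf check reports exactly this recursive-Stringer pattern. Separately, exporting `ID`, `Tags`, `File`, `Msg` and `Kind` as package-level names in `types` is collision-prone for such generic identifiers; a `Field` prefix (`FieldID`, `FieldTags`, ...) would read more clearly at call sites.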
@@ -88,6 +97,43 @@ func (w WaapEvent) Kinds() []string {
 return ret
 }
+// filters
+func (w WaapEvent) ByID(id int) WaapEvent {
+ waap := WaapEvent{}
+
+ for _, rule := range w {
+ if rule["id"] == id {
+ waap = append(waap, rule)
+ }
+ }
+ return waap
+}
+
+func (w WaapEvent) ByKind(kind string) WaapEvent {
+ waap := WaapEvent{}
+ for _, rule := range w {
+ if rule["kind"] == kind {
+ waap = append(waap, rule)
+ }
+ }
+ return waap
+}
+
+func (w WaapEvent) ByTags(match []string) WaapEvent {
+ waap := WaapEvent{}
+ for _, rule := range w {
+ for _, tag := range rule["tags"].([]string) {
+ for _, match_tag := range match {
+ if tag == match_tag {
+ waap = append(waap, rule)
+ break
+ }
+ }
+ }
+ }
+ return waap
+}
+
 func (w WaapEvent) ByTag(match string) WaapEvent {
 waap := WaapEvent{}
 for _, rule := range w {
@@ -138,7 +184,18 @@ func (w WaapEvent) BySeverity(severity string) WaapEvent {
 wap = append(wap, rule)
 }
 }
- log.Infof("BySeverity(%t) -> %d", severity, len(wap))
+ log.Infof("BySeverity(%s) -> %d", severity, len(wap))
+ return wap
+}
+
+func (w WaapEvent) ByAccuracy(accuracy string) WaapEvent {
+ wap := WaapEvent{}
+ for _, rule := range w {
+ if rule["accuracy"] == accuracy {
+ wap = append(wap, rule)
+ }
+ }
+ log.Infof("ByAccuracy(%s) -> %d", accuracy, len(wap))
 return wap
 }
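Review bot: `ByTags` performs `rule["tags"].([]string)` as an unchecked type assertion, which panics when a rule has no `tags` key (asserting on a nil interface fails) or when the value is held under another slice type, and its `break` only leaves the inner `match` loop, so a rule carrying two of the requested tags is appended twice; a checked assertion and a labeled break fix both, as below. `ByID` compares `rule["id"] == id` with `id` an `int`, which is always false if the ids are stored as another numeric type, and no error is raised — worth confirming against how these maps are populated, which this diff does not show. `match_tag` should be `matchTag` per Go naming. The hunk opens in the tail of `Kinds` and the following `ByTag` continues outside it.
```go
func (w WaapEvent) ByTags(match []string) WaapEvent {
	waap := WaapEvent{}
	for _, rule := range w {
		tags, ok := rule["tags"].([]string)
		if !ok {
			continue // no tags, or not a []string: nothing can match, do not panic
		}
	ruleLoop:
		for _, tag := range tags {
			for _, matchTag := range match {
				if tag == matchTag {
					waap = append(waap, rule)
					break ruleLoop // append each rule at most once
				}
			}
		}
	}
	return waap
}
```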
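Review bot: `rule["accuracy"] == accuracy` compares an `interface{}` against a `string`, so it matches only when the stored value is itself a string; if accuracy is carried as a number the filter silently returns nothing, and the same caveat applies to the other `By*` helpers built on this pattern — worth confirming against how the maps are filled, which is not visible in this diff. `log.Infof` on every filter call is noisy for something invoked from expression evaluation; `log.Debugf`, or dropping the line, would be more appropriate. Since the same commit introduces `Accuracy Field = "accuracy"`, the literal key here should use that constant, and the copy-pasted loop could become one unexported `byField(field Field, value interface{}) WaapEvent` that `ByKind`, `BySeverity` and `ByAccuracy` delegate to. The start of `BySeverity` lies before the hunk.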