@ -26,11 +26,17 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
|
||||||
"target_uri": r.URI,
|
"target_uri": r.URI,
|
||||||
"method": r.Method,
|
"method": r.Method,
|
||||||
"req_uuid": r.Tx.ID(),
|
"req_uuid": r.Tx.ID(),
|
||||||
|
"source": "coraza",
|
||||||
|
|
||||||
|
//TBD:
|
||||||
|
//http_status
|
||||||
|
//user_agent
|
||||||
|
|
||||||
}
|
}
|
||||||
evt.Line = types.Line{
|
evt.Line = types.Line{
|
||||||
Time: time.Now(),
|
Time: time.Now(),
|
||||||
//should we add some info like listen addr/port/path ?
|
//should we add some info like listen addr/port/path ?
|
||||||
Labels: map[string]string{"type": "waf"},
|
Labels: map[string]string{"type": "coraza-waf"},
|
||||||
Process: true,
|
Process: true,
|
||||||
Module: "waf",
|
Module: "waf",
|
||||||
Src: "waf",
|
Src: "waf",
|
||||||
|
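Review bot: Renaming the `type` label from `waf` to `coraza-waf` on the `Labels:` line is a visible behavioural change for anything downstream that selects events by that label, while `Module` and `Src` two lines below keep the value `waf`; if parsers or scenarios key on the label they have to follow, and if the split is intentional it deserves a comment such as `// "type" names the engine; Module/Src stay "waf" for routing`. The `//TBD:` list under `"source"` names `http_status` and `user_agent`; note that `r.URI` and `r.Method` already put attacker-controlled request data into `evt.Parsed`, and a user agent added later will be the same, so consumers must not treat those fields as sanitised. EventFromRequest begins before this hunk.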
@ -58,6 +64,9 @@ func AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *type
|
||||||
if evt.Meta == nil {
|
if evt.Meta == nil {
|
||||||
evt.Meta = map[string]string{}
|
evt.Meta = map[string]string{}
|
||||||
}
|
}
|
||||||
|
evt.Parsed["interrupted"] = "true"
|
||||||
|
evt.Parsed["action"] = tx.Interruption().Action
|
||||||
|
|
||||||
evt.Meta["waap_interrupted"] = "1"
|
evt.Meta["waap_interrupted"] = "1"
|
||||||
evt.Meta["waap_action"] = tx.Interruption().Action
|
evt.Meta["waap_action"] = tx.Interruption().Action
|
||||||
}
|
}
|
||||||
|
|
|
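Review bot: The two new `evt.Parsed[...]` writes have no nil guard, whereas `evt.Meta` immediately above is checked and allocated before it is written; if a caller ever hands in an Event whose Parsed map was never initialised, `evt.Parsed["interrupted"] = "true"` panics on a nil map. Mirror the Meta guard before the writes: `if evt.Parsed == nil { evt.Parsed = map[string]string{} }` (assuming Parsed is declared as `map[string]string`, which the string values written here suggest). `tx.Interruption().Action` is also evaluated twice; a single `action := tx.Interruption().Action` reused for both maps would avoid that. AccumulateTxToEvent starts outside the hunk, so whether an enclosing interruption check protects the `Interruption()` calls cannot be seen here.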
@ -1,6 +1,7 @@
|
||||||
package types
|
package types
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"regexp"
|
"regexp"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -28,15 +29,33 @@ len(evt.Waf.ByTagRx("*CVE*").ByConfidence("high").ByAction("block")) > 1
|
||||||
|
|
||||||
type WaapEvent []map[string]interface{}
|
type WaapEvent []map[string]interface{}
|
||||||
|
|
||||||
func (w WaapEvent) ByID(id int) WaapEvent {
|
type Field string
|
||||||
waap := WaapEvent{}
|
|
||||||
|
|
||||||
|
func (f Field) String() string {
|
||||||
|
return fmt.Sprintf("%s", f)
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
ID Field = "id"
|
||||||
|
RuleType Field = "rule_type"
|
||||||
|
Tags Field = "tags"
|
||||||
|
File Field = "file"
|
||||||
|
Confidence Field = "confidence"
|
||||||
|
Revision Field = "revision"
|
||||||
|
SecMark Field = "secmark"
|
||||||
|
Accuracy Field = "accuracy"
|
||||||
|
Msg Field = "msg"
|
||||||
|
Severity Field = "severity"
|
||||||
|
Kind Field = "kind"
|
||||||
|
)
|
||||||
|
|
||||||
|
// getters
|
||||||
|
func (w WaapEvent) GetField(field Field) []interface{} {
|
||||||
|
ret := make([]interface{}, 0)
|
||||||
for _, rule := range w {
|
for _, rule := range w {
|
||||||
if rule["id"] == id {
|
ret = append(ret, rule[field.String()])
|
||||||
waap = append(waap, rule)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return waap
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
func (w WaapEvent) GetURI() string {
|
func (w WaapEvent) GetURI() string {
|
||||||
|
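Review bot: `Field.String()` writes `string(f)` as `fmt.Sprintf("%s", f)`, which goes through reflection on every GetField call and is the only use of the `fmt` import added to this file; `return string(f)` is equivalent (staticcheck S1025 flags the Sprintf form) and lets the import go. The new Field constants are also not used by the filters elsewhere on this page — ByID, ByKind and ByTags still index `rule["id"]`, `rule["kind"]` and `rule["tags"]` with literals — so a rule-metadata key rename would have to be made in two places. GetField lacks a doc comment; since `rule[field.String()]` yields nil for an absent key, something like `// GetField returns the value of field for every rule in w, in order; rules without the field contribute a nil entry.` states the actual contract.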
@ -61,16 +80,6 @@ func (w WaapEvent) GetRuleIDs() []int {
|
||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
func (w WaapEvent) ByKind(kind string) WaapEvent {
|
|
||||||
waap := WaapEvent{}
|
|
||||||
for _, rule := range w {
|
|
||||||
if rule["kind"] == kind {
|
|
||||||
waap = append(waap, rule)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return waap
|
|
||||||
}
|
|
||||||
|
|
||||||
func (w WaapEvent) Kinds() []string {
|
func (w WaapEvent) Kinds() []string {
|
||||||
ret := make([]string, 0)
|
ret := make([]string, 0)
|
||||||
for _, rule := range w {
|
for _, rule := range w {
|
||||||
|
@ -88,6 +97,43 @@ func (w WaapEvent) Kinds() []string {
|
||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// filters
|
||||||
|
func (w WaapEvent) ByID(id int) WaapEvent {
|
||||||
|
waap := WaapEvent{}
|
||||||
|
|
||||||
|
for _, rule := range w {
|
||||||
|
if rule["id"] == id {
|
||||||
|
waap = append(waap, rule)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return waap
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w WaapEvent) ByKind(kind string) WaapEvent {
|
||||||
|
waap := WaapEvent{}
|
||||||
|
for _, rule := range w {
|
||||||
|
if rule["kind"] == kind {
|
||||||
|
waap = append(waap, rule)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return waap
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w WaapEvent) ByTags(match []string) WaapEvent {
|
||||||
|
waap := WaapEvent{}
|
||||||
|
for _, rule := range w {
|
||||||
|
for _, tag := range rule["tags"].([]string) {
|
||||||
|
for _, match_tag := range match {
|
||||||
|
if tag == match_tag {
|
||||||
|
waap = append(waap, rule)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return waap
|
||||||
|
}
|
||||||
|
|
||||||
func (w WaapEvent) ByTag(match string) WaapEvent {
|
func (w WaapEvent) ByTag(match string) WaapEvent {
|
||||||
waap := WaapEvent{}
|
waap := WaapEvent{}
|
||||||
for _, rule := range w {
|
for _, rule := range w {
|
||||||
|
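Review bot: ByTags has two defects in its new body: `rule["tags"].([]string)` is an unchecked type assertion, so a rule whose metadata lacks `tags` or carries them as another type (for instance `[]interface{}` after JSON decoding) panics the caller instead of simply not matching; and the `break` only leaves the innermost loop, so a rule with two tags that both appear in `match` is appended twice. A comma-ok assertion plus a labelled break fixes both without changing the interface. The helpers use string literals where the Field constants defined in the same file could be used, which is a consistency point rather than a bug.
```go
	for _, rule := range w {
		tags, ok := rule["tags"].([]string)
		if !ok {
			continue // no tags, or not []string: cannot match, and must not panic
		}
	ruleLoop:
		for _, tag := range tags {
			for _, match_tag := range match {
				if tag == match_tag {
					waap = append(waap, rule)
					break ruleLoop // append each rule at most once
				}
			}
		}
	}
	// … unchanged: return waap …
```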
@ -138,7 +184,18 @@ func (w WaapEvent) BySeverity(severity string) WaapEvent {
|
||||||
wap = append(wap, rule)
|
wap = append(wap, rule)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.Infof("BySeverity(%t) -> %d", severity, len(wap))
|
log.Infof("BySeverity(%s) -> %d", severity, len(wap))
|
||||||
|
return wap
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w WaapEvent) ByAccuracy(accuracy string) WaapEvent {
|
||||||
|
wap := WaapEvent{}
|
||||||
|
for _, rule := range w {
|
||||||
|
if rule["accuracy"] == accuracy {
|
||||||
|
wap = append(wap, rule)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
log.Infof("ByAccuracy(%s) -> %d", accuracy, len(wap))
|
||||||
return wap
|
return wap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
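Review bot: The new `log.Infof("ByAccuracy(%s) -> %d", ...)` (and the corrected BySeverity line above it) emits an Info-level line on every filter call; if these filters are evaluated per request from expression rules, as the `ByTagRx(...).ByConfidence(...)` example at the top of the file suggests, that will flood the log at the default level, so `log.Debugf` is the better fit, and `%q` would make an empty or whitespace accuracy value visible. ByAccuracy also has no doc comment; `// ByAccuracy returns the rules whose "accuracy" metadata equals accuracy (exact string match).` covers what the code does.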