8cca4346a5
Add a new datasource that: - Receives HTTP requests from remediation components - Apply rules on them to determine whether they are malicious or not - Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios) The PR also adds support for 2 new hub items: - appsec-configs: Configure the Application Security Engine (which rules to load, in which phase) - appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net>
package appsec_rule
import (
"fmt"
)
/*
Example rule definition in the custom YAML format:

rules:
  - name: "test"
    and:
      - zones:
          - BODY_ARGS
        variables:
          - foo
          - bar
        transform:
          - lowercase|uppercase|b64decode|...
        match:
          type: regex
          value: "[^a-zA-Z]"
      - zones:
          - ARGS
        variables:
          - bla

*/
// match is the condition a rule applies to the request data it selects.
// The example rule in this file uses type "regex" with a regular expression
// as the value. Convert rejects a rule that has no nested And/Or rules and
// leaves either field empty.
type match struct {
	// Type names the kind of match, e.g. "regex".
	Type string `yaml:"type"`
	// Value is the operand of the match, e.g. the regular expression.
	Value string `yaml:"value"`
}
// CustomRule is one node of a rule written in the custom YAML rule format.
// A node either carries its own Zones and Match, or groups nested rules
// under And/Or; the type is recursive through those two fields.
//
// Field order is kept as declared: it determines the key order when the
// struct is marshalled back to YAML.
type CustomRule struct {
	// Name identifies the rule.
	Name string `yaml:"name"`

	// Zones lists the request parts to inspect (the example in this file
	// uses BODY_ARGS and ARGS).
	Zones []string `yaml:"zones"`
	// Variables lists names within the selected zones (e.g. argument names).
	Variables []string `yaml:"variables"`

	// Match is the condition evaluated against the selected data.
	Match match `yaml:"match"`
	// Transform lists transformations named in the rule, in declaration order.
	Transform []string `yaml:"transform"` //t:lowercase, t:uppercase, etc
	// And and Or hold nested rules. Convert only checks whether they are
	// present; it does not validate the nested rules themselves.
	And []CustomRule `yaml:"and,omitempty"`
	Or  []CustomRule `yaml:"or,omitempty"`
	// BodyType is not read anywhere in this file.
	// NOTE(review): presumably selects how the request body is parsed; confirm against the rule builder.
	BodyType string `yaml:"body_type,omitempty"`
}
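// Convert checks the top-level fields of the rule and renders it in the
// format named by ruleType. ModsecurityRuleType is the only format handled;
// any other value is an error.
//
// A rule must either define its own zones together with a match type and
// value, or delegate to nested rules through And/Or. Only this node is
// checked here; nested rules are handed to the builder as they are.
// NOTE(review): confirm that ModsecurityRule.Build validates And/Or children,
// otherwise a malformed nested rule is not rejected on this path.
//
// On success the three results are whatever ModsecurityRule.Build returns
// (presumably the rendered rule text and the generated rule IDs; verify
// against Build). On a validation failure the string is empty and the slice
// is nil.
func (v *CustomRule) Convert(ruleType string, appsecRuleName string) (string, []uint32, error) {
	// Emptiness is tested with len, not a nil comparison. An explicit empty
	// list in a rule file (for example "and: []" or "zones: []") may decode
	// to a non-nil, zero-length slice; a nil comparison would then treat the
	// list as present and let a rule with nothing to inspect or match skip
	// every check below instead of being rejected.
	hasNested := len(v.And) > 0 || len(v.Or) > 0

	if !hasNested {
		if len(v.Zones) == 0 {
			return "", nil, fmt.Errorf("no zones defined")
		}

		if v.Match.Type == "" {
			return "", nil, fmt.Errorf("no match type defined")
		}

		if v.Match.Value == "" {
			return "", nil, fmt.Errorf("no match value defined")
		}
	}

	switch ruleType {
	case ModsecurityRuleType:
		r := ModsecurityRule{}
		return r.Build(v, appsecRuleName)
	default:
		return "", nil, fmt.Errorf("unknown rule format '%s'", ruleType)
	}
}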