History

bui f18b554177 warn at start if body reading is disabled		2023-10-26 12:45:59 +02:00
..
coraza_logger.go	logger	2023-10-23 10:59:02 +02:00
metrics.go	up	2023-09-12 09:45:14 +02:00
README.md	naming	2023-10-18 17:17:57 +02:00
rx_operator.go	up	2023-09-12 09:45:14 +02:00
utils.go	new custom rule format	2023-10-25 18:45:49 +02:00
waap.go	default level	2023-10-24 10:57:22 +02:00
waap_runner.go	warn at start if body reading is disabled	2023-10-26 12:45:59 +02:00

README.md

Ongoing poc for Coraza WAAP

Configuration pieces

Acquisition

acquisition example:

config/acquis.yaml :

listen_addr: 127.0.0.1
listen_port: 4241
path: /
source: waf
labels:
  type: waf
#routines: 1
waap_config_path: config/waap-configs/mytest.yaml

Waap config

The waap config defines what rules that will be loaded by a given waap engine (associated with an acquis).

config/waap-configs/mytest.yaml

name: default
outofband_rules:
# - crowdsecurity/crs-waf
inband_rules:
# - crowdsecurity/crs-waf
 - crowdsecurity/custom-waf-rule
default_remediation: ban
#on_load:
# - apply:
#     - SetInBand()
pre_eval:
 - filter: ClientIP != '127.0.0.1'
   apply:
     - SetAction("ban")

Waap Rules

For the above two to work, we need to have the two refered waap collection installed : crowdsec/crs-default and crowdsec/vpatch-default. You need to set hub_branch to ...

type: waap-rule
name: crowdsecurity/custom-waf-rule
seclang_rules:
 - SecRule ARGS:ip ";" "t:none,phase:1,log,deny,msg:'semi colon test',id:2"

#$_GET['bar'] matches [0-9]+ AND REQUEST_URI == "/joomla/index.php/component/users/"
#REQUEST_URI == /webui/create_user AND $_POST[username] == "cisco_tac_admin"
rules:
 - target: ARGS
   var: bar
   match: "[0-9]+"
   logic: AND
   sub_rules:
    - target: "REQUEST_URI"
      match: /joomla/index.php/component/users/
 - target: "REQUEST_URI"
   equals: /webui/create_user
   logic: AND
   sub_rules:
    - target: ARGS_POST
      var: username
      equals: cisco_tac_admin