
Commit c3036e2

authored
WAF: Improve user-experience with CRS and modsecurity rules (#3827)
1 parent 2a8f460 commit c3036e2


13 files changed

+326
-78
lines changed


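--- a/cmd/crowdsec-cli/cliitem/hubappsec.go
+++ b/cmd/crowdsec-cli/cliitem/hubappsec.go
@@ -137,7 +137,7 @@ func NewAppsecRule(cfg configGetter) *cliItem {
 fmt.Fprintf(os.Stdout, "\n%s format:\n", cases.Title(language.Und, cases.NoLower).String(ruleType))
 
 for _, rule := range appsecRule.Rules {
-convertedRule, _, err := rule.Convert(ruleType, appsecRule.Name)
+convertedRule, _, err := rule.Convert(ruleType, appsecRule.Name, appsecRule.Description)
 if err != nil {
 return fmt.Errorf("unable to convert rule %s: %w", rule.Name, err)
 }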
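Review bot: `appsecRule.Description` is free-form text from the rule file, and the updated tests in this commit suggest Convert now surfaces it as the rule's `msg`. Convert itself is not visible here, so it is worth confirming that it escapes quotes and newlines before placing the value inside the generated ModSecurity action string, and that an empty description falls back to the rule name. Otherwise a description containing `'` could yield a rule that fails to load or parses differently than intended, which for a WAF means a silently missing protection. A comment at the call such as `// description becomes the rule msg; Convert is responsible for escaping it` would record that contract. NewAppsecRule starts and ends outside this hunk.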

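--- a/pkg/acquisition/modules/appsec/appsec_hooks_test.go
+++ b/pkg/acquisition/modules/appsec/appsec_hooks_test.go
@@ -459,7 +459,7 @@ func TestAppsecPreEvalHooks(t *testing.T) {
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -573,7 +573,7 @@ func TestAppsecPreEvalHooks(t *testing.T) {
 require.True(t, events[0].Appsec.HasOutBandMatches)
 require.False(t, events[0].Appsec.HasInBandMatches)
 require.Len(t, events[0].Appsec.MatchedRules, 1)
-require.Equal(t, "rulez", events[0].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[0].Appsec.MatchedRules[0]["msg"])
 //maybe surprising, but response won't mention OOB event, as it's sent as soon as the inband phase is over.
 require.Len(t, responses, 1)
 require.False(t, responses[0].InBandInterrupt)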

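--- a/pkg/acquisition/modules/appsec/appsec_lnx_test.go
+++ b/pkg/acquisition/modules/appsec/appsec_lnx_test.go
@@ -38,7 +38,7 @@ func TestAppsecRuleTransformsOthers(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -62,7 +62,7 @@ func TestAppsecRuleTransformsOthers(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 }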

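--- a/pkg/acquisition/modules/appsec/appsec_rules_test.go
+++ b/pkg/acquisition/modules/appsec/appsec_rules_test.go
@@ -43,7 +43,7 @@ func TestAppsecRuleMatches(t *testing.T) {
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -266,7 +266,7 @@ func TestAppsecRuleMatches(t *testing.T) {
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -297,7 +297,7 @@ func TestAppsecRuleMatches(t *testing.T) {
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -328,7 +328,7 @@ func TestAppsecRuleMatches(t *testing.T) {
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -366,7 +366,7 @@ toto
 require.Equal(t, types.LOG, events[1].Type)
 require.True(t, events[1].Appsec.HasInBandMatches)
 require.Len(t, events[1].Appsec.MatchedRules, 1)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 
 require.Len(t, responses, 1)
 require.True(t, responses[0].InBandInterrupt)
@@ -435,7 +435,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -459,7 +459,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -483,7 +483,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -508,7 +508,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -533,7 +533,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -558,7 +558,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -583,7 +583,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -608,7 +608,7 @@ func TestAppsecRuleTransforms(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 }
@@ -647,7 +647,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -675,7 +675,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule2", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -705,7 +705,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -735,7 +735,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule2", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -764,7 +764,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -793,7 +793,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule2", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -816,7 +816,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -840,7 +840,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -863,7 +863,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -886,7 +886,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 {
@@ -911,7 +911,7 @@ func TestAppsecRuleZones(t *testing.T) {
 require.Len(t, events, 2)
 require.Equal(t, types.APPSEC, events[0].Type)
 require.Equal(t, types.LOG, events[1].Type)
-require.Equal(t, "rule1", events[1].Appsec.MatchedRules[0]["msg"])
+require.Equal(t, "test-rule", events[1].Appsec.MatchedRules[0]["msg"])
 },
 },
 }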

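--- a/pkg/acquisition/modules/appsec/appsec_test.go
+++ b/pkg/acquisition/modules/appsec/appsec_test.go
@@ -75,7 +75,7 @@ func loadAppSecEngine(test appsecRuleTest, t *testing.T) {
 
 //build rules
 for ridx, rule := range test.inband_rules {
-strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name)
+strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name, "test-rule")
 if err != nil {
 t.Fatalf("failed compilation of rule %d/%d of %s : %s", ridx, len(test.inband_rules), test.name, err)
 }
@@ -85,7 +85,7 @@ func loadAppSecEngine(test appsecRuleTest, t *testing.T) {
 nativeInbandRules = append(nativeInbandRules, test.inband_native_rules...)
 nativeOutofbandRules = append(nativeOutofbandRules, test.outofband_native_rules...)
 for ridx, rule := range test.outofband_rules {
-strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name)
+strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name, "test-rule")
 if err != nil {
 t.Fatalf("failed compilation of rule %d/%d of %s : %s", ridx, len(test.outofband_rules), test.name, err)
 }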
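Review bot: Passing the constant `"test-rule"` as the description for every in-band and out-of-band rule makes all the `msg` assertions updated in this commit compare against the same string, so they no longer show which rule matched. The TestAppsecRuleZones cases that used to expect `"rule2"` and the out-of-band case in TestAppsecPreEvalHooks that expected `"rulez"` would now appear to pass whichever rule fired. The old expectations look like the rule names, so a per-rule value would keep that signal: `strRule, _, err := rule.Convert(appsec_rule.ModsecurityRuleType, rule.Name, rule.Name)` in both loops. For a WAF test suite, asserting the identity of the matched rule is what catches a regression where the wrong rule triggers. loadAppSecEngine begins and ends outside these hunks.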
