Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: logs multiple vars matched by same rule #1074

Merged
merged 2 commits into from
May 30, 2024
Merged

fix: logs multiple vars matched by same rule #1074

merged 2 commits into from
May 30, 2024

Conversation

M4tteoP
Copy link
Member

@M4tteoP M4tteoP commented May 26, 2024
edited

Fixes #1070.

Expansion of Msg and LogData was postponed in a way that MATCHED_VAR was only used with the latest matched var after the whole evaluation of the rule, not permitting to log into both error and audit logs more than one match per rule.

This PR tries to address it. The underneath before-and-after shows how the same rule that matched 3 different variables is now logged in both error and audit logs.

Error logs:

Before:

[logError][critical] [client "[::1]"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "default.conf"] [line "33"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&nov found within ARGS:arg3: ' AND id3 IS NULL; --"] [severity "critical"] [ver "OWASP_CRS/4.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/hello?arg1=%27%20AND%20id1%20IS%20NULL%3B%20--&arg2=%27%20AND%20id2%20IS%20NULL%3B%20--&arg3=%27%20AND%20id3%20IS%20NULL%3B%20--"] [unique_id "wIFcBCyNLdcfhoqqeYn"]

After:

[logError][critical] [client "[::1]"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "default.conf"] [line "33"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&nov found within ARGS:arg3: ' AND id3 IS NULL; --"] [severity "critical"] [ver "OWASP_CRS/4.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/hello?arg1=%27%20AND%20id1%20IS%20NULL%3B%20--&arg2=%27%20AND%20id2%20IS%20NULL%3B%20--&arg3=%27%20AND%20id3%20IS%20NULL%3B%20--"] [unique_id "nRyjpsPNHkupMwMLANa"][msg_match_1 "SQL Injection Attack Detected via libinjection"] [data_match_1 "Matched Data: s&nov found within ARGS:arg1: ' AND id1 IS NULL; --"][msg_match_2 "SQL Injection Attack Detected via libinjection"] [data_match_2 "Matched Data: s&nov found within ARGS:arg2: ' AND id2 IS NULL; --"]

AuditLogs:

Before:

  "messages": [
    {
      "actionset": "",
      "message": "SQL Injection Attack Detected via libinjection",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "SQL Injection Attack Detected via libinjection",
        "data": "Matched Data: s&nov found within ARGS:arg3: ' AND id3 IS NULL; --",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    },
    {
      "actionset": "",
      "message": "",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "",
        "data": "",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    },
    {
      "actionset": "",
      "message": "",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "",
        "data": "",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    }
  ]
}

After:

  "messages": [
    {
      "actionset": "",
      "message": "SQL Injection Attack Detected via libinjection",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "SQL Injection Attack Detected via libinjection",
        "data": "Matched Data: s&nov found within ARGS:arg3: ' AND id3 IS NULL; --",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    },
    {
      "actionset": "",
      "message": "SQL Injection Attack Detected via libinjection",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "SQL Injection Attack Detected via libinjection",
        "data": "Matched Data: s&nov found within ARGS:arg1: ' AND id1 IS NULL; --",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    },
    {
      "actionset": "",
      "message": "SQL Injection Attack Detected via libinjection",
      "data": {
        "file": "default.conf",
        "line": 33,
        "id": 942100,
        "rev": "",
        "msg": "SQL Injection Attack Detected via libinjection",
        "data": "Matched Data: s&nov found within ARGS:arg2: ' AND id2 IS NULL; --",
        "severity": 2,
        "ver": "OWASP_CRS/4.4.0-dev",
        "maturity": 0,
        "accuracy": 0,
        "tags": [
          "application-multi",
          "language-multi",
          "platform-multi",
          "attack-sqli",
          "paranoia-level/1",
          "OWASP_CRS",
          "capec/1000/152/248/66",
          "PCI/6.5.2"
        ],
        "raw": "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.4.0-dev',severity:'CRITICAL'\""
      }
    }
  ]
}

@M4tteoP M4tteoP requested a review from a team as a code owner May 26, 2024 15:11
@codecov Codecov
Copy link

codecov bot commented May 26, 2024
edited

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.06%. Comparing base (4ff1f76) to head (0c76eff).
Report is 46 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1074      +/-   ##
==========================================
+ Coverage   82.72%   83.06%   +0.34%     
==========================================
  Files         162      164       +2     
  Lines        9080     7671    -1409     
==========================================
- Hits         7511     6372    -1139     
+ Misses       1319     1044     -275     
- Partials      250      255       +5
Flag Coverage Δ
default 83.06% <100.00%> (+5.22%) ⬆️
examples 83.06% <100.00%> (+56.63%) ⬆️
ftw 83.06% <100.00%> (+35.69%) ⬆️
ftw-multiphase 83.06% <100.00%> (+33.52%) ⬆️
tinygo 83.06% <100.00%> (+7.66%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@M4tteoP M4tteoP added the v3.2 label May 28, 2024
@jcchavezs
Copy link
Member

Awesome!

@M4tteoP
Copy link
Member Author

M4tteoP commented May 30, 2024

Merging, thanks!

@M4tteoP M4tteoP merged commit 5e4a004 into corazawaf:main May 30, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcchavezs jcchavezs jcchavezs approved these changes

Assignees
No one assigned
Labels
v3.2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Audit Logs are not indicating all matches
2 participants
@M4tteoP @jcchavezs