mirrors/crowdsec
1
0
Fork 0
mirror of https://github.com/crowdsecurity/crowdsec.git synced 2025-05-11 12:25:53 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

appsec: handle SendAlert() properly for out of band matches (#3497)

Browse source
This commit is contained in:
blotus 2025-03-05 16:04:16 +01:00 committed by GitHub
parent b12ade27f4
commit a203d8ebbf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

35
pkg/acquisition/modules/appsec/appsec_hooks_test.go
View file

@ -332,6 +332,41 @@ func TestAppsecOnMatchHooks(t *testing.T) {
require.Equal(t, appsec.CaptchaRemediation, responses[0].Action) require.Equal(t, appsec.CaptchaRemediation, responses[0].Action)
}, },
}, },
{
name: "on_match: SendAlert() with out-of-band rule",
expected_load_ok: true,
outofband_rules: []appsec_rule.CustomRule{
{
Name: "rule42",
Zones: []string{"ARGS"},
Variables: []string{"foo"},
Match: appsec_rule.Match{Type: "regex", Value: "^toto"},
Transform: []string{"lowercase"},
},
},
DefaultRemediation: appsec.AllowRemediation,
on_match: []appsec.Hook{
{Filter: "IsInBand == false", Apply: []string{"SendAlert()"}},
},
input_request: appsec.ParsedRequest{
ClientIP: "1.2.3.4",
RemoteAddr: "1.2.3.4",
Method: "GET",
URI: "/urllll",
Args: url.Values{"foo": []string{"toto"}},
},
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
require.Equal(t, appsec.AllowRemediation, appsecResponse.Action)
require.Equal(t, http.StatusOK, appsecResponse.HTTPStatus)
require.Equal(t, http.StatusOK, statusCode)
// We have both an event an overflow
require.Len(t, events, 2)
require.Equal(t, types.LOG, events[0].Type)
require.Equal(t, types.APPSEC, events[1].Type)
require.Nil(t, events[0].Overflow.Alert)
require.NotNil(t, events[1].Overflow.Alert)
},
},
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {

5
pkg/acquisition/modules/appsec/appsec_runner.go
View file

@ -286,7 +286,6 @@ func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) {
r.outChan <- *appsecOvlfw r.outChan <- *appsecOvlfw
} }
} }
// Should the in band match trigger an event ? // Should the in band match trigger an event ?
if r.AppsecRuntime.Response.SendEvent { if r.AppsecRuntime.Response.SendEvent {
r.outChan <- evt r.outChan <- evt
@ -332,7 +331,9 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
r.logger.Errorf("unable to generate appsec event : %s", err) r.logger.Errorf("unable to generate appsec event : %s", err)
return return
} }
r.outChan <- *appsecOvlfw if appsecOvlfw != nil {
r.outChan <- *appsecOvlfw
}
} }
} }
} }

4
pkg/acquisition/modules/appsec/utils.go
View file

@ -60,8 +60,8 @@ func AppsecEventGenerationGeoIPEnrich(src *models.Source) error {
} }
func AppsecEventGeneration(inEvt types.Event, request *http.Request) (*types.Event, error) { func AppsecEventGeneration(inEvt types.Event, request *http.Request) (*types.Event, error) {
// if the request didnd't trigger inband rules, we don't want to generate an event to LAPI/CAPI // if the request didn't trigger inband rules or out-of-band rules, we don't want to generate an event to LAPI/CAPI
if !inEvt.Appsec.HasInBandMatches { if !inEvt.Appsec.HasInBandMatches && !inEvt.Appsec.HasOutBandMatches {
return nil, nil return nil, nil
} }