Test Blocking Evaluation phase
Hello, currently, ftw is looking for the IDs of the triggered rules after sending a request. What we are facing running Coraza on Envoy is that the phase when the rule is triggered may differ from the phase when the disruptive action is executed. While it may be intended (enabling or disabling the CRS early blocking feature), it could still be useful to check that an interruption caused by a rule has been raised before a certain phase (therefore avoiding WAF bypasses). For more context: https://github.com/corazawaf/coraza-proxy-wasm/pull/129 (phase 1 rule with enough anomaly score triggered, but interruption raised only during phase 3. In this case the expected interruption phase would be phase 1 if early blocking, otherwise phase 2).
I'm aware that it is more a check of the expected behaviour of the proxy/server, but what do you think in terms of both usefulness and feasibility? Could there be a way to test when a triggered rule takes action? I see it as a kind of Cloud mode test, but checking inside the logs whether the interruption has happened during the expected phase.
Just an idea, thanks for any feedback and advice!
It is an interesting idea. I don't think we can do too much now with the current ftw test spec.
I started working on a new spec to include additional information that could be useful for tests; this might make it there if we think it has value.
How would you determine the phase of the action taken?
Keeping a data file that maps rules to phases?