
Adding WAF Coraza+Caddy parser/scenario

Open Barnoux opened this issue 1 year ago • 6 comments

Hello,

Hope this parser will find some love. The goal of this parser is to parse WAF alerts from Coraza when Coraza is integrated as a plugin in Caddy. The scenario is triggered based on the threshold of the inbound anomaly score set up by the users in the crs-setup.conf file.

The work on the parser is based on the work done by https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/modsecurity.yaml

It's time for me to eat a cake and take a nap.

Barnoux, Jan 29 '24 21:01

Hey 👋🏻 Thank you for opening a PR!

We are going to need some tests for the parsers and scenarios. I left an initial comment, since Coraza is a ModSecurity implementation, meaning a scenario on the rule ID might not be best since you don't have to use CRS.

LaurenceJJones, Jan 29 '24 21:01

> Hey 👋🏻 Thank you for opening a PR!
>
> We are going to need some tests for the parsers and scenarios. I left an initial comment, since Coraza is a ModSecurity implementation, meaning a scenario on the rule ID might not be best since you don't have to use CRS.

What type of input do you need for testing? The rule ID chosen in the scenario is based on the inbound anomaly score that is triggered and can be tuned by the user (https://coreruleset.org/docs/concepts/anomaly_scoring/#anomaly-score-thresholds). I didn't find a better way to handle this. The CrowdSec ModSecurity scenario is triggered based on the severity of the alert, and that is too restrictive an approach.

Barnoux, Jan 31 '24 21:01

Okay, the last thing is adding a collection of

- Parser
- Scenarios (could include our standard modsec one 🤷🏻 )

LaurenceJJones, Feb 20 '24 11:02

> Okay, the last thing is adding a collection of
>
> - Parser
> - Scenarios (could include our standard modsec one 🤷🏻 )

I added the collection, is it looking good?

Barnoux, Feb 29 '24 22:02

Hey there, just passing by. I came across this PR as it's exactly what I'm looking for.

@LaurenceJJones, hope you don't mind the ping after so long, but are any more changes needed to get this merged? 🙂

ubergeek77, Aug 19 '24 08:08

> Hey there, just passing by. I came across this PR as it's exactly what I'm looking for.
>
> @LaurenceJJones, hope you don't mind the ping after so long, but are any more changes needed to get this merged? 🙂

The only issue I have is with the scenario, as it's close to the original one we have for ModSecurity. However, I did forget about this, so I'll do this now.

LaurenceJJones, Aug 20 '24 13:08