search

corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0
329 stars 41 forks source link

Incomplete Anomaly Score Log: Missing Value for 'msg' Field with Rule ID 980170 #142

Closed Barnoux closed 6 months ago

Barnoux commented 6 months ago

1. The problem I'm having:

Hello,

We don't have the value of the msg field in the anomaly score log wich have the rule id 980170. this was already reported and fix in #684

2. Expected behavior :

We should have a log like this one. 

{
  "level": "error",
  "ts": 1685797070.7382822,
  "logger": "http.handlers.waf",
  "msg": "[client \"192.168.1.1\"] Coraza: Warning. Anomaly Scores: (Inbound Scores: blocking=25, detection=25, per_pl=15-0-0-10, threshold=1000) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=1000) - (SQLI=0, XSS=0, RFI=0, LFI= [file \"/ruleset/coreruleset/rules/RESPONSE-980-CORRELATION.conf\"] [line \"11046\"] [id \"980170\"] [rev \"\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=25, detection=25, per_pl=15-0-0-10, threshold=1000) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=1000) - (SQLI=0, XSS=0, RFI=0, LFI=\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"reporting\"] [hostname \"\"] [uri \"/?foo=/etc/passwd&bar=/bin/sh\"] [unique_id \"DyldtRcMRMBWPrdM\"]\n"
}

3. Error messages and/or full log output:

Actually the rule 980170 is trigerred but we have no msg.

{
    "level": "error",
    "ts": 1711207475.5746813,
    "logger": "http.handlers.waf",
    "msg": "[client \"192.168.1.1\"] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 25) [file \"/ruleset/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"0\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 25)\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [hostname \"\"] [uri \"/?foo=/etc/passwd&bar=/bin/sh\"] [unique_id \"pzIBCQEecpuPBGDi\"]\n"
}
{
    "level": "error",
    "ts": 1711207475.5751467,
    "logger": "http.handlers.waf",
    "msg": "[client \"192.168.1.1\"] Coraza: Warning.  [file \"/ruleset/coreruleset/rules/RESPONSE-980-CORRELATION.conf\"] [line \"0\"] [id \"980170\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"reporting\"] [hostname \"\"] [uri \"/?foo=/etc/passwd&bar=/bin/sh\"] [unique_id \"pzIBCQEecpuPBGDi\"]\n"
}

4. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

5. How I installed and ran Caddy and Coraza:

a. System environment:

I'm using a raspeberrypi 4B

Linux srvone4all 5.4.0-1100-raspi #112-Ubuntu SMP PREEMPT Fri Nov 24 15:35:17 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Docker version

Docker version 26.0.0, build 2ae903e

b. Command:

Caddy and Coraza is a service and it is build from a Dockerfile

docker compose up -d

c. Dockerfile:

FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/corazawaf/coraza-caddy \
    --with github.com/caddy-dns/gandi

FROM caddy:alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
RUN set -eux; \
    apk add --no-cache libcap tzdata; \
    setcap cap_net_bind_service=ep /usr/bin/caddy; \
    addgroup -g 2023 -S www-caddy; \
    adduser -u 2023 -D -S -G www-caddy www-caddy; \
    chown -R www-caddy /data /var/log

USER www-caddy

WORKDIR /srv

CMD ["/usr/bin/caddy", "run", "--config", "/Caddyfile", "--adapter", "caddyfile"]

d. My complete Caddy config:

# coraza_waf first must be always included in your Caddyfile for Coraza module to work
{
    order coraza_waf first
    persist_config off
    log {
        level INFO
        output file /var/log/caddy/caddy.log
    }
    servers {
        timeouts {
            # sets timeouts for various actions
            idle 10s # timeout for idle connections
            read_body 1m # timeout for reading request body
            read_header 10s # timeout for reading request header
        }
        max_header_size 4KB # sets maximum header size for requests
    }
}

# Default server block that will respond with a "Not found" message for all requests to port 443
:443 {
    log
    respond "Not found" 404
}
# Default server block that will respond with a "Not found" message for all requests to port 80
:80 {
    log
    respond "Not found" 404
}
# Pour chacune de nos applications nous aurons des règles différentes à appliquer, si l'on souhaite traiter les faux positifs plus tard.
{$DOMAIN} {
    log
    coraza_waf {
        directives `
        Include /ruleset/coraza.conf
        Include /ruleset/vaultwarden/crs-setup.conf
        Include /ruleset/coreruleset/rules/*.conf
        `
    }

    request_body {
        max_size 100MB
    }

    # Handle vaultwarden sends with file upload.
    @not-api not path /api/sends/*
    request_body @not-api {
        max_size 100KB
    }

    encode gzip
    tls {
            dns gandi {$GANDI_API_KEY}
    }

    # By default, Vaultwarden actually handle a lot Web Security Header and caching.
    header {
        # Enable HTTP Strict Transport Security (HSTS)
        Strict-Transport-Security "max-age=15768000;"
        #Good Practice Security - Ensure X-Content-Type-Options header is configured and enabled
        Referrer-Policy "no-referrer"
        # Prevent search engines from indexing (optional)
        X-Robots-Tag "none"
    }

    @insecureadmin {
        not remote_ip 192.168.1.0/24
        path /admin*
    }
    redir @insecureadmin /
    # Proxy everything to Rocket
    reverse_proxy vaultwarden:60278 {
        # Send the true remote IP to Rocket, so that vaultwarden can put this in the
        # log, so that crowdsec can ban the correct IP.
        header_up X-Real-IP {remote_host}
    }
}

unifi.one4all.icu {
    log
    @postinform {
        method POST
        path /inform
    }
        tls {
                dns gandi {$GANDI_API_KEY}
        }
    reverse_proxy @postinform unifi-controller:8080
    reverse_proxy unifi-controller:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
    @insecureaccess {
        not remote_ip 192.168.1.0/24
    }
    respond @insecureaccess "Access Forbidden!" 403
}

crowdsec-lapi.one4all.icu {
        log
        reverse_proxy http://crowdsec:8080 {
        header_up X-Real-IP {remote_host}
        }
        tls {
                dns gandi {$GANDI_API_KEY}
        }
        @insecureaccess {
                not remote_ip 192.168.1.0/24
        }
        respond @insecureaccess "Access Forbidden!" 403
}

e. CRS version:

from crs-setup.conf: tx.crs_setup_version=400

Barnoux commented 6 months ago

Duplicate of https://github.com/corazawaf/coraza/issues/1021