corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Add tag for all SecRules with SecDefaultAction #175

Open glenn-kusardi opened 1 month ago

glenn-kusardi commented 1 month ago

I'm trying to add a tag in all SecRules. In @crs-setup.conf this is already outlined in an example for SecDefaultAction:

SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

But if I uncomment these lines, an error message is returned when restarting Caddy, describing that "SecDefaultAction must not contain metadata actions".

M4tteoP commented 1 month ago

Hi, this is tricky because of inconsistent documentation.

SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

These lines are 8 years old, from the crs-setup.conf.example, but according to the documentation, neither Coraza nor ModSecurity actually supports it.

Mentioning both ModSec v2 and v3 docs:

Every SecDefaultAction directive must specify a disruptive action and a processing phase and cannot contain metadata actions.

With metadata actions including tag:

metadata actions (id, rev, msg, tag, severity, logdata)

I'm sharing this conversation in Slack #coreruleset: https://owasp.slack.com/archives/CBKGH8A5P/p1729806584858919, where we can evolve it with Coraza, CRS and Modsec people.
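As an added example (not code from coraza-caddy, Coraza or the issue), a small stand-alone Go check that applies the constraint quoted above: it parses the action list of a SecDefaultAction directive, requires a phase and a disruptive action, and rejects metadata actions such as tag. The metadata list is the one quoted in the thread; the disruptive-action list is assumed from the ModSecurity reference.

```go
package main

import (
	"fmt"
	"strings"
)

// Action classes from the ModSecurity reference quoted in the issue (metadata
// list as given there; disruptive list assumed from the ModSecurity docs).
var metadataActions = map[string]bool{"id": true, "rev": true, "msg": true, "tag": true, "severity": true, "logdata": true}
var disruptiveActions = map[string]bool{"allow": true, "block": true, "deny": true, "drop": true, "pass": true, "pause": true, "proxy": true, "redirect": true}

// splitActions splits an action list on commas, re-joining pieces whose comma
// sat inside a single-quoted value such as msg:'a, b'.
func splitActions(list string) []string {
	var out []string
	for _, p := range strings.Split(list, ",") {
		if n := len(out); n > 0 && strings.Count(out[n-1], "'")%2 == 1 {
			out[n-1] += "," + p
			continue
		}
		out = append(out, strings.TrimSpace(p))
	}
	return out
}

// CheckSecDefaultAction enforces the documented rule: a phase and one
// disruptive action are required, and metadata actions are rejected.
func CheckSecDefaultAction(directive string) error {
	body := strings.TrimPrefix(strings.TrimSpace(directive), "SecDefaultAction")
	body = strings.Trim(strings.TrimSpace(body), `"`)
	hasPhase, hasDisruptive, meta := false, false, []string{}
	for _, a := range splitActions(body) {
		name := strings.ToLower(strings.SplitN(a, ":", 2)[0])
		hasPhase = hasPhase || name == "phase"
		hasDisruptive = hasDisruptive || disruptiveActions[name]
		if metadataActions[name] {
			meta = append(meta, name)
		}
	}
	if len(meta) > 0 {
		return fmt.Errorf("SecDefaultAction must not contain metadata actions: %s", strings.Join(meta, ","))
	}
	if !hasPhase || !hasDisruptive {
		return fmt.Errorf("SecDefaultAction must specify a phase and a disruptive action")
	}
	return nil
}
```

Run against the two crs-setup.conf.example lines from the thread, the check reports the same class of error Caddy printed; dropping the tag action makes them pass.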