corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0
330 stars 41 forks

Missing hostname in logs, SecRule SERVER_NAME rules not working #35

Closed fuomag9 closed 1 year ago

fuomag9 commented 1 year ago

Hi, when using the recommended files and configuration with 4.0/dev for coreruleset, there is no hostname value in the logs, and all SecRule SERVER_NAME rules will not match as a consequence.

FYI, the same rules do work on modsecurity + nginx, so they are NOT the issue.

Relevant logs:

Dec 09 18:40:41 nginx caddy[34591]: {"level":"error","ts":1670611241.6194084,"logger":"http.handlers.waf","msg":"[client \"[2a077e813a390698224611e3abd9d]\"] Coraza: Warning. Request content type is not allowed by policy [file \"/etc/caddy/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920420\"] [rev \"\"] [msg \"Request content type is not allowed by policy\"] [data \"text/plain;charset=UTF-8\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"] [hostname \"\"] [uri \"/auth/login_flow\"] [unique_id \"bberzX58CQInOuGRpJV\"]\n[client \"[2a077e813a390698224611e3abd9d]\"] Coraza: Warning. Request content type is not allowed by policy [file \"/etc/caddy/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920420\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"] [hostname \"\"] [uri \"/auth/login_flow\"] [unique_id \"bberzX58CQInOuGRpJV\"]\n"}

josiahchoi commented 1 year ago

I got the same issue:

{"level":"error","ts":1673544236.7567112,"logger":"http.handlers.waf","msg":"[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (6) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"HTTP Parameter Pollution (6)\"] [data \"Matched Data: 61 found within TX:paramcounter_args_names: 2\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"6O9wmrLtst9uCuC0uJH\"]\n[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (6) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"6O9wmrLtst9uCuC0uJH\"]\n"}
{"level":"error","ts":1673544237.6627173,"logger":"http.handlers.waf","msg":"[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (3) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"HTTP Parameter Pollution (3)\"] [data \"Matched Data: db31 found within TX:paramcounter_args_names: 2\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"Jgn0Cp0kW7w3kKLGCzJ\"]\n[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (3) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"Jgn0Cp0kW7w3kKLGCzJ\"]\n"}
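As an added triage example (not code from this issue or from coraza-caddy): a Python script that parses Caddy's JSON log, splits Coraza's bracketed `[key "value"]` fields, and counts which rule ids fired with an empty hostname, the symptom both reports above show. The log lines are constructed to mirror the format in this thread; the client IP, hostname and unique_id values are placeholders.

```python
import json
import re
from collections import Counter

# Constructed Caddy/Coraza log lines in the same shape as the ones in this issue
# (values are placeholders, not taken from the reports above).
SAMPLE_LOG = r'''
{"level":"error","ts":1670611241.6,"logger":"http.handlers.waf","msg":"[client \"203.0.113.10\"] Coraza: Warning. Request content type is not allowed by policy [file \"/etc/caddy/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920420\"] [hostname \"\"] [uri \"/auth/login_flow\"] [unique_id \"CONSTRUCTED1\"]\n"}
{"level":"error","ts":1670611242.1,"logger":"http.handlers.waf","msg":"[client \"203.0.113.10\"] Coraza: Warning. HTTP Parameter Pollution (6) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [hostname \"example.org\"] [uri \"/auth/signin\"] [unique_id \"CONSTRUCTED2\"]\n"}
{"level":"info","ts":1670611243.0,"logger":"http.log.access","msg":"handled request"}
'''

# One Coraza field looks like: [hostname "example.org"]; an empty value is [hostname ""].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_events(log_text):
    """Return one dict of bracketed fields per Coraza message found in the Caddy JSON log."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip rather than abort the scan
        if record.get("logger") != "http.handlers.waf":
            continue  # only the WAF handler emits Coraza messages
        # Coraza packs several messages into one "msg", separated by newlines.
        for msg in record["msg"].split("\n"):
            fields = dict(FIELD_RE.findall(msg))  # repeated keys such as "tag" keep the last value
            if "id" in fields:
                fields["ts"] = record.get("ts")
                events.append(fields)
    return events


def hostname_gaps(events):
    """Count, per rule id, the events whose hostname field is empty.

    Any such event came from a transaction where SERVER_NAME was unset, so
    rules keyed on SERVER_NAME could not have matched it."""
    return Counter(e["id"] for e in events if not e.get("hostname"))


if __name__ == "__main__":
    for rule_id, n in hostname_gaps(parse_events(SAMPLE_LOG)).items():
        print(f"rule {rule_id}: {n} event(s) logged with empty hostname")
```

Run it against a real Caddy log by reading the file into `parse_events` instead of `SAMPLE_LOG`; a non-empty result means SERVER_NAME-based rules were silently inert for those requests.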

jptosso commented 1 year ago

This issue is being taken care of in Coraza Core, thank you for your report.