Closed ericinfra closed 1 year ago
What is the log you configured in envoy?
On Tue, 20 Jun 2023, 11:02 Erictang, @.***> wrote:
I set the Wasm EnvoyFilter as follows, and the config_dump shows it is in effect, but when I used sqlmap and zaproxy to simulate an attack, I did not see any wasm log output denying the attack, even with SecDebugLogLevel set to 9.
I checked http_filters and confirmed that the inbound configuration on port 15006 has loaded the type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm rule.
Why can't I see the wasm attack-denial log? Is it because envoy.filters.http.wasm has not taken effect? Because the system also has a default istio.metadata_exchange wasm configuration? But my customized envoy.filters.http.wasm has INSERT_BEFORE priority.
istio version 1.17.2
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
          config:
            configuration:
              '@type': type.googleapis.com/google.protobuf.StringValue
              value: |
                {
                  "directives_map": {
                    "default": [
                      "SecDebugLogLevel 9",
                      "SecRuleEngine On",
                      "SecAuditEngine RelevantOnly",
                      "SecAuditLogParts ABIJDEFHZ",
                      "SecAuditLogType Concurrent",
                      "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$",
                      "Include @crs-setup-demo-conf",
                      "Include @owasp_crs/*.conf"
                    ]
                  },
                  "default_directives": "default"
                }
            root_id: my-wasm-root-id
            vm_config:
              code:
                local:
                  filename: /data/coraza/main.wasm
              runtime: envoy.wasm.runtime.v8
              vm_id: my-wasm-vm-id
{
  "name": "envoy.filters.network.http_connection_manager",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
    "stat_prefix": "InboundPassthroughClusterIpv4",
    "route_config": {
      "name": "InboundPassthroughClusterIpv4",
      "virtual_hosts": [
        {
          "name": "inbound|http|0",
          "domains": [
            "*"
          ],
          "routes": [
            {
              "match": {
                "prefix": "/"
              },
              "route": {
                "cluster": "InboundPassthroughClusterIpv4",
                "timeout": "0s",
                "max_stream_duration": {
                  "max_stream_duration": "0s",
                  "grpc_timeout_header_max": "0s"
                }
              },
              "decorator": {
                "operation": ":0/*"
              },
              "name": "default"
            }
          ]
        }
      ],
      "validate_clusters": false
    },
    "http_filters": [
      {
        "name": "envoy.filters.http.wasm",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
          "config": {
            "root_id": "my-wasm-root-id",
            "vm_config": {
              "vm_id": "my-wasm-vm-id",
              "runtime": "envoy.wasm.runtime.v8",
              "code": {
                "local": {
                  "filename": "/data/coraza/main.wasm"
                }
              }
            },
            "configuration": {
              "@type": "type.googleapis.com/google.protobuf.StringValue",
              "value": "{\n \"directives_map\": {\n \"default\": [\n \"SecDebugLogLevel 9\",\n \"SecRuleEngine On\",\n \"SecAuditEngine RelevantOnly\",\n \"SecAuditLogParts ABIJDEFHZ\",\n \"SecAuditLogType Concurrent\", \n \"SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$\",\n \"Include @crs-setup-demo-conf\",\n \"Include @owasp_crs/*.conf\"\n ]\n },\n \"default_directives\": \"default\"\n }\n"
            }
          }
        }
      },
      {
        "name": "istio.metadata_exchange",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
          "config": {
            "vm_config": {
              "runtime": "envoy.wasm.runtime.null",
              "code": {
                "local": {
                  "inline_string": "envoy.wasm.metadata_exchange"
                }
              }
            },
            "configuration": {
              "@type": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange"
            }
          }
        }
      },
view it on GitHub: https://github.com/corazawaf/coraza-proxy-wasm/issues/208
Istio configmap log configuration:
# kubectl -n istio-system get cm istio -o yaml | more
apiVersion: v1
data:
  mesh: |-
    accessLogFile: /dev/stdout
    accessLogFormat: '{"start_time": "%START_TIME%","req_method": "%REQ(:METHOD)%","x_envoy_original_path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol": "%PROTOCOL%","response_code": "%RESPONSE_CODE%","response_flags": "%RESPONSE_FLAGS%","bytes_received": "%BYTES_RECEIVED%","bytes_send": "%BYTES_SENT%","duration": "%DURATION%","resp_x_envoy_upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x_forwarded_for": "%REQ(X-FORWARDED-FOR)%","user_agent": "%REQ(USER-AGENT)%","x_request_id": "%REQ(X-REQUEST-ID)%","authority": "%REQ(:AUTHORITY)%","upstream_host": "%UPSTREAM_HOST%","upstream_cluster": "%UPSTREAM_CLUSTER%","upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%","resp_x_foo_fault_flag": "%RESP(X-FOO-FAULT-FLAG)%"}'
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true
HttpConnectionManager MERGE patch configuration; looking at the envoy config_dump, it does not take effect:
# cat http-merge.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        # no trailing comma after the name: in block-style YAML it would become part of the string value
        name: envoy.filters.network.http_connection_manager
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          access_log:
          - name: envoy.access_loggers.file
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              path: /dev/stdout
              log_format:
                text_format_source:
                  inline_string: "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
The envoy config_dump does not show the HttpConnectionManager FileAccessLog configuration:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "inbound_0.0.0.0_9080",
"route_config": {
  "name": "inbound|9080||",
  "virtual_hosts": [
    {
      "name": "inbound|http|9080",
      "domains": [
        "*"
      ],
      "routes": [
        {
          "match": {
            "prefix": "/"
          },
          "route": {
            "cluster": "inbound|9080||",
            "timeout": "0s",
            "max_stream_duration": {
              "max_stream_duration": "0s",
              "grpc_timeout_header_max": "0s"
            }
          },
          "decorator": {
            "operation": "productpage.default.svc.cluster.local:9080/*"
          },
          "name": "default"
        }
      ]
    }
  ],
  "validate_clusters": false
},
The log configuration seen in the envoy config_dump is in the following two places; the type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager section does not show the FileAccessLog configuration:
{
  "name": "envoy.filters.network.tcp_proxy",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
    "stat_prefix": "InboundPassthroughClusterIpv4",
    "cluster": "InboundPassthroughClusterIpv4",
    "access_log": [
      {
        "name": "envoy.access_loggers.file",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
          "path": "/dev/stdout",
          "log_format": {
            "text_format_source": {
              "inline_string": "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
            }
          }
        }
      }
    ]
  }
}
],
"name": "virtualInbound"
},

"server_name": "istio-envoy",
"access_log": [
  {
    "name": "envoy.access_loggers.file",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
      "path": "/dev/stdout",
      "log_format": {
        "text_format_source": {
          "inline_string": "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
        }
      }
    }
  },
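A check that answers by machine what this comment and the quoted config_dump earlier in the thread are reading by eye: for each HttpConnectionManager in a config_dump, is the Coraza wasm filter actually present in http_filters (matched on root_id, because istio.metadata_exchange is a Wasm filter too), does its google.protobuf.StringValue configuration parse as JSON and carry SecRuleEngine On, and is a FileAccessLog attached to that HttpConnectionManager. This is an added example by the editor, not code from the issue or from coraza-proxy-wasm. SAMPLE_DUMP is constructed in the shape of the fragments posted in the thread; the exact ListenersConfigDump nesting is an assumption that the walker does not rely on. One thing worth ruling out before reading any dump: both EnvoyFilter manifests in this thread carry metadata.name httpconnectionmanager, so applying the second one in the same namespace replaces the first object rather than adding a second patch.

```python
"""Walk an Envoy config_dump and report, per HttpConnectionManager, whether the
Coraza wasm HTTP filter is loaded with SecRuleEngine On and whether a
FileAccessLog is attached. Editor's example; SAMPLE_DUMP is constructed."""
import json

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
WASM_TYPE = "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"
FILE_LOG_TYPE = "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog"


def iter_hcms(node):
    """Yield every HttpConnectionManager typed_config found anywhere in the dump,
    so the check does not depend on the exact listener/filter_chain nesting."""
    if isinstance(node, dict):
        if node.get("@type") == HCM_TYPE:
            yield node
        for child in node.values():
            yield from iter_hcms(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_hcms(child)


def coraza_directives(wasm_typed_config):
    """The plugin configuration is a StringValue holding JSON; return the
    directive list selected by default_directives."""
    cfg = json.loads(wasm_typed_config["config"]["configuration"]["value"])
    return cfg["directives_map"][cfg["default_directives"]]


def check_hcm(hcm, root_id="my-wasm-root-id"):
    filters = hcm.get("http_filters", [])
    result = {
        "stat_prefix": hcm.get("stat_prefix"),
        "http_filters": [f.get("name") for f in filters],
        "wasm_loaded": False,
        "rule_engine_on": False,
        "config_error": None,
        "file_access_log": any(
            a.get("typed_config", {}).get("@type") == FILE_LOG_TYPE
            for a in hcm.get("access_log", [])),
    }
    for f in filters:
        tc = f.get("typed_config", {})
        # istio.metadata_exchange is also a Wasm filter: match on root_id, not on type alone
        if tc.get("@type") != WASM_TYPE or tc.get("config", {}).get("root_id") != root_id:
            continue
        result["wasm_loaded"] = True
        try:
            directives = coraza_directives(tc)
        except (ValueError, KeyError, TypeError) as exc:
            result["config_error"] = f"{type(exc).__name__}: {exc}"
            continue
        result["rule_engine_on"] = any(d.split() == ["SecRuleEngine", "On"] for d in directives)
    return result


def problems(dump, root_id="my-wasm-root-id"):
    """Human-readable findings, one per HttpConnectionManager problem."""
    out = []
    for r in (check_hcm(h, root_id) for h in iter_hcms(dump)):
        prefix = r["stat_prefix"]
        if not r["wasm_loaded"]:
            out.append(f"{prefix}: no envoy.filters.http.wasm with root_id {root_id} in http_filters")
        elif r["config_error"]:
            out.append(f"{prefix}: plugin configuration is not usable ({r['config_error']})")
        elif not r["rule_engine_on"]:
            out.append(f"{prefix}: SecRuleEngine is not On, so nothing will be denied")
        if not r["file_access_log"]:
            out.append(f"{prefix}: HttpConnectionManager has no FileAccessLog")
    return out


# --- constructed sample in the shape of the thread's config_dump fragments ---
def wasm_filter(directives, root_id="my-wasm-root-id"):
    return {"name": "envoy.filters.http.wasm", "typed_config": {
        "@type": WASM_TYPE, "config": {
            "root_id": root_id,
            "vm_config": {"vm_id": "my-wasm-vm-id", "runtime": "envoy.wasm.runtime.v8",
                          "code": {"local": {"filename": "/data/coraza/main.wasm"}}},
            "configuration": {"@type": "type.googleapis.com/google.protobuf.StringValue",
                              "value": json.dumps({"directives_map": {"default": directives},
                                                   "default_directives": "default"})}}}}


def hcm(stat_prefix, http_filters, access_log=()):
    return {"name": "envoy.filters.network.http_connection_manager", "typed_config": {
        "@type": HCM_TYPE, "stat_prefix": stat_prefix,
        "http_filters": http_filters, "access_log": list(access_log)}}


METADATA_EXCHANGE = {"name": "istio.metadata_exchange", "typed_config": {
    "@type": WASM_TYPE, "config": {"vm_config": {"runtime": "envoy.wasm.runtime.null"}}}}
ROUTER = {"name": "envoy.filters.http.router"}
FILE_LOG = {"name": "envoy.access_loggers.file",
            "typed_config": {"@type": FILE_LOG_TYPE, "path": "/dev/stdout"}}
CRS_ON = ["SecRuleEngine On", "Include @crs-setup-demo-conf", "Include @owasp_crs/*.conf"]
CRS_DETECT = ["SecRuleEngine DetectionOnly", "Include @owasp_crs/*.conf"]

SAMPLE_DUMP = {"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",  # assumed nesting
    "dynamic_listeners": [{"name": "virtualInbound", "active_state": {"listener": {
        "name": "virtualInbound", "filter_chains": [
            {"filters": [hcm("InboundPassthroughClusterIpv4",
                             [wasm_filter(CRS_ON), METADATA_EXCHANGE, ROUTER], [FILE_LOG])]},
            {"filters": [hcm("inbound_0.0.0.0_9080", [METADATA_EXCHANGE, ROUTER])]},
            {"filters": [hcm("inbound_0.0.0.0_8080",
                             [wasm_filter(CRS_DETECT), METADATA_EXCHANGE, ROUTER], [FILE_LOG])]},
        ]}}}]}]}

if __name__ == "__main__":
    for finding in problems(SAMPLE_DUMP):
        print(finding)
```

To run it against a live sidecar, pass `json.load()` of the admin endpoint output (for example `kubectl exec <pod> -c istio-proxy -- curl -s localhost:15000/config_dump`) to `problems()`; the walker finds HttpConnectionManagers wherever they sit in the dump, and `check_hcm()` lists the http_filters order so the position of the wasm filter relative to istio.metadata_exchange and the router is visible at a glance.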
@jcchavezs After upgrading to the latest coraza-proxy-wasm 3.0, the following wasm logs appeared. Are these logs related to SecDebugLogLevel? Is it normal for these logs to show up?
2023-06-21T10:01:48.560350Z warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1151 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 1). Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2243"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "10.110.32.70:80"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"] thread=26
2023-06-21T10:01:48.574701Z critical envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1157 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 5). Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, [file "@owasp_crs/RESPONSE-980-CORRELATION.conf"] [line "12628"] [id "980170"] [rev ""] [msg "Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, "] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "reporting"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"] thread=26
2023-06-21T10:01:48.574794Z info envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1148 wasm log my-wasm-root-id my-wasm-vm-id: Finished tx_id="htZAHnJIMYAWIlwqbeu" context_id=15 thread=26
{"start_time": "2023-06-21T10:01:48.557Z","req_method": "GET","x_envoy_original_path": "/metrics","protocol": "HTTP/1.1","response_code": "503","response_flags": "UF","bytes_received": "0","bytes_send": "145","duration": "16","resp_x_envoy_upstream_service_time": "-","x_forwarded_for": "-","user_agent": "Prometheus/2.38.0","x_request_id": "cc68b39b-17b0-97d0-ac24-582829f25ab3","authority": "10.110.32.70:80","upstream_host": "10.110.32.70:80","upstream_cluster": "InboundPassthroughClusterIpv4","upstream_local_address": "-","downstream_local_address": "10.110.32.70:80","downstream_remote_address": "10.110.32.80:51658","resp_x_foo_fault_flag": "-"}
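The lines in this comment are Coraza's ModSecurity-style error-log format carried over Envoy's wasm log channel: everything after `wasm log <root_id> <vm_id>:` is a `Coraza: <action> (phase N).` sentence plus `[key "value"]` fields, with `tag` repeating. What follows is an added example by the editor, not code from the issue or from coraza-proxy-wasm, that parses such lines into events and groups them per Coraza unique_id; the only inputs are the three log lines posted in this comment, with the wrapped `thread=26` suffix rejoined. It also pulls the anomaly-score summary out of rule 980170, which is the number to look at when deciding whether the CRS in anomaly-scoring mode actually reached its blocking threshold: in this sample the inbound score is 3 against a threshold of 5. Whether a given status came from the WAF or from the upstream is worth separating too; the access-log entry above shows 503 with response_flags UF, which is Envoy's flag for an upstream connection failure.

```python
"""Parse coraza-proxy-wasm rule log lines (as emitted through Envoy's "wasm log"
channel) into structured events and summarise them per transaction.
Editor's example; SAMPLE_LINES are the lines posted in the thread."""
import json
import re

# "<ts> <level> envoy wasm <source:line> wasm log <root_id> <vm_id>: <body>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) envoy wasm (?P<src>\S+) wasm log "
    r"(?P<root_id>\S+) (?P<vm_id>\S+): (?P<body>.*)$")
# "Coraza: Access denied (phase 1)." ; the "(phase N)" part is treated as optional
ACTION_RE = re.compile(r"Coraza: (?P<action>[^.(\[]+?)(?: \(phase (?P<phase>\d+)\))?\.")
# ModSecurity-style fields: [id "920350"] [msg "..."] [tag "..."] ...
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
SCORE_RE = re.compile(
    r"Inbound Scores: blocking=(\d+), detection=(\d+), per_pl=[\d-]+, threshold=(\d+)")

SAMPLE_LINES = [
    '2023-06-21T10:01:48.560350Z warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1151 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 1). Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2243"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "10.110.32.70:80"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"] thread=26',
    '2023-06-21T10:01:48.574701Z critical envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1157 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 5). Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, [file "@owasp_crs/RESPONSE-980-CORRELATION.conf"] [line "12628"] [id "980170"] [rev ""] [msg "Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, "] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "reporting"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"] thread=26',
    '2023-06-21T10:01:48.574794Z info envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1148 wasm log my-wasm-root-id my-wasm-vm-id: Finished tx_id="htZAHnJIMYAWIlwqbeu" context_id=15 thread=26',
]


def parse_coraza_line(line):
    """None for a line that is not a wasm log line, {"kind": "other"} for a wasm
    line without a rule match, {"kind": "rule", ...} for a rule match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ev = {k: m.group(k) for k in ("ts", "level", "root_id", "vm_id")}
    body = m.group("body")
    a = ACTION_RE.search(body)
    if not a:
        ev.update(kind="other", text=body)
        return ev
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(body):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    ev.update(
        kind="rule",
        action=a.group("action").strip(),
        phase=int(a.group("phase")) if a.group("phase") else None,
        rule_id=fields.get("id"), msg=fields.get("msg"), severity=fields.get("severity"),
        client=fields.get("client"), hostname=fields.get("hostname"), uri=fields.get("uri"),
        unique_id=fields.get("unique_id"), rule_file=fields.get("file"), tags=tags)
    s = SCORE_RE.search(body)
    if s:
        ev["inbound_score"] = int(s.group(1))
        ev["inbound_threshold"] = int(s.group(3))
    return ev


def summarize_transactions(lines):
    """Group rule events by Coraza's unique_id and record whether the inbound
    anomaly score reached the blocking threshold."""
    txs = {}
    for line in lines:
        ev = parse_coraza_line(line)
        if not ev or ev["kind"] != "rule":
            continue
        tx = txs.setdefault(ev["unique_id"], {
            "client": ev["client"], "uri": ev["uri"], "rule_ids": [],
            "access_denied_phases": [], "inbound_score": None, "inbound_threshold": None})
        tx["rule_ids"].append(ev["rule_id"])
        if ev["action"] == "Access denied":
            tx["access_denied_phases"].append(ev["phase"])
        if "inbound_score" in ev:
            tx["inbound_score"] = ev["inbound_score"]
            tx["inbound_threshold"] = ev["inbound_threshold"]
    for tx in txs.values():
        tx["over_threshold"] = (tx["inbound_score"] is not None
                                and tx["inbound_score"] >= tx["inbound_threshold"])
    return txs


if __name__ == "__main__":
    print(json.dumps(summarize_transactions(SAMPLE_LINES), indent=2))
```

Pipe `kubectl logs <pod> -c istio-proxy` into `summarize_transactions()` line by line to get, per request, the rule ids that fired, the phases that logged `Access denied`, and whether the inbound score crossed the threshold; the 920350 match on the Prometheus scrape in the sample shows up as a single paranoia-level/1 hit that did not reach it.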
The envoy.yaml EnvoyFilter configuration file is as follows:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
          config:
            configuration:
              '@type': type.googleapis.com/google.protobuf.StringValue
              value: |
                {
                  "directives_map": {
                    "default": [
                      "SecDebugLogLevel 9",
                      "SecRuleEngine On",
                      "SecAuditEngine RelevantOnly",
                      "SecAuditLogParts ABIJDEFHZ",
                      "SecAuditLogType Concurrent",
                      "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                      "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                      "SecDefaultAction \"phase:5,log,auditlog,pass\"",
                      "SecAuditLog \"/dev/stdout\"",
                      "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$",
                      "Include @crs-setup-demo-conf",
                      "Include @owasp_crs/*.conf"
                    ]
                  },
                  "default_directives": "default"
                }
            root_id: my-wasm-root-id
            vm_config:
              code:
                local:
                  filename: /data/coraza/main.wasm
              runtime: envoy.wasm.runtime.v8
              vm_id: my-wasm-vm-id
I set the Wasm EnvoyFilter as follows, and the config_dump shows it is in effect, but when I used sqlmap and zaproxy to simulate an attack, I did not see any wasm log output denying the attack, even with SecDebugLogLevel set to 9.
I checked http_filters and confirmed that the inbound configuration on port 15006 has loaded the type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm rule.
Why can't I see the wasm attack-denial log? Is it because envoy.filters.http.wasm has not taken effect? Because the system also has a default istio.metadata_exchange wasm configuration? But my customized envoy.filters.http.wasm has INSERT_BEFORE priority.
istio version 1.17.2