corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0

feat: Audit logs in proxy-wasm logs #263

Closed M4tteoP closed 4 months ago

M4tteoP commented 8 months ago

Addresses https://github.com/corazawaf/coraza-proxy-wasm/issues/255. As an initial solution to address the lack of audit logs, this PR proposes, as suggested in https://github.com/corazawaf/coraza-proxy-wasm/issues/255#issuecomment-1955993849, to write audit logs to the normal Envoy logs.

This PR relies on:

Any feedback or better alternative approaches are welcome.

Examples:

```
    "SecAuditEngine On",
    "SecAuditLogType wasmSerial",
    "SecAuditLogFormat JSON",
    "Include @owasp_crs/*.conf",
```

```
▶ curl -I 'localhost:8080/get?<script>alert</script>'

envoy-logs-1  | [2024-03-25 22:25:21.566289][40][info][wasm] [source/extensions/common/wasm/context.cc:1148] wasm log coraza-filter my_vm_id: {"transaction":{"timestamp":"2024/03/25 22:25:21","unix_timestamp":1711405521529601000,"id":"XvJJqLMKctidFfNPzFn","client_ip":"192.168.65.1","client_port":19332,"host_ip":"172.19.0.2","host_port":8080,"server_id":"localhost","request":{"method":"HEAD","protocol":"HTTP/1.1","uri":"/get?\u003cscript\u003ealert\u003c/script\u003e","http_version":"","headers":{":authority":["localhost:8080"],":method":["HEAD"],":path":["/get?\u003cscript\u003ealert\u003c/script\u003e"],":scheme":["http"],"accept":["*/*"],"host":["localhost:8080"],"user-agent":["curl/8.4.0"],"x-forwarded-proto":["http"],"x-request-id":["45002c61-c2f3-4cea-bf4e-f565e3e01638"]},"body":"","files":null},"response":{"protocol":"","status":0,"headers":{},"body":""},"producer":{"connector":"","version":"","server":"","rule_engine":"On","stopwatch":"1711405521529601000 36411000; combined=34752000, p1=34231000, p2=0, p3=0, p4=0, p5=521000","rulesets":["OWASP_CRS/4.0.0-rc2"]}}}
```
```
    "SecAuditEngine On",
    "SecAuditLogType wasmSerial",
    "SecAuditLogFormat Native",
    "Include @owasp_crs/*.conf",
```

```
▶ curl -I 'localhost:8080/get?<script>alert</script>'

envoy-logs-1  | [2024-03-25 22:36:04.613069][37][debug][wasm] [source/extensions/common/wasm/context.cc:1145] wasm log coraza-filter my_vm_id: Transaction marked for audit logging tx_id="nWttyyYWjlmazTVNjHX"
envoy-logs-1  | [2024-03-25 22:36:04.613225][37][info][wasm] [source/extensions/common/wasm/context.cc:1148] wasm log coraza-filter my_vm_id: --UTQkQHkZIS-B--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
log coraza-filter my_vm_id: Finished phase tx_id="nWttyyYWjlmazTVNjHX" phase=5
envoy-logs-1  | HEAD /get?<script>alert</script> HTTP/1.1
envoy-logs-1  | :method: HEAD
envoy-logs-1  | :scheme: http
envoy-logs-1  | user-agent: curl/8.4.0
envoy-logs-1  | x-request-id: b45b2564-7066-4924-9e58-651b2f5c90e2
envoy-logs-1  | host: localhost:8080
envoy-logs-1  | :authority: localhost:8080
envoy-logs-1  | :path: /get?<script>alert</script>
envoy-logs-1  | accept: */*
envoy-logs-1  | x-forwarded-proto: http
envoy-logs-1  | --UTQkQHkZIS-I--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | --UTQkQHkZIS-J--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | --UTQkQHkZIS-D--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | --UTQkQHkZIS-E--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | --UTQkQHkZIS-F--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | --UTQkQHkZIS-H--
envoy-logs-1  | [2024/03/25 22:36:04] nWttyyYWjlmazTVNjHX 192.168.65.1 21341 172.19.0.6 8080
envoy-logs-1  | Stopwatch:
envoy-logs-1  | Response-Body-Transformed:
envoy-logs-1  | Producer:
envoy-logs-1  | Server:
envoy-logs-1  |
envoy-logs-1  | [2024-03-25 22:36:04.613251][37][debug][wasm] [source/extensions/common/wasm/context.cc:1145] wasm log coraza-filter my_vm_id: Transaction finished tx_id="nWttyyYWjlmazTVNjHX" is_interrupted=true status=0 rule_id=949111
```
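As an added example (not code from this PR or the project), a small Go consumer that pulls the JSON audit log out of an Envoy wasm log line of the shape shown above and rejects the filter's other lines (debug messages, Native-format output) that carry no JSON object. The sample line, its transaction id and its client IP are constructed:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuditLog covers the subset of the Coraza JSON audit log (as shown in the PR
// description) that a log consumer usually indexes.
type AuditLog struct {
	Transaction struct {
		ID       string `json:"id"`
		ClientIP string `json:"client_ip"`
		Request  struct {
			Method string `json:"method"`
			URI    string `json:"uri"`
		} `json:"request"`
		Producer struct {
			Rulesets []string `json:"rulesets"`
		} `json:"producer"`
	} `json:"transaction"`
}

// SampleLine is a constructed Envoy log line in the shape of the JSON example
// above, with a hypothetical transaction id and a documentation client IP.
const SampleLine = `envoy-logs-1  | [2024-03-25 22:25:21.566289][40][info][wasm] [source/extensions/common/wasm/context.cc:1148] wasm log coraza-filter my_vm_id: {"transaction":{"id":"constructedTxId001","client_ip":"192.0.2.10","request":{"method":"HEAD","uri":"/get?\u003cscript\u003ealert\u003c/script\u003e"},"producer":{"rulesets":["OWASP_CRS/4.0.0-rc2"]}}}`

// ParseEnvoyAuditLine pulls the JSON audit log out of an Envoy wasm log line.
// Filter lines that carry no JSON object (the debug "Transaction finished"
// lines, or Native-format output) are rejected with an error.
func ParseEnvoyAuditLine(line string) (*AuditLog, error) {
	marker := strings.Index(line, "wasm log coraza-filter ")
	if marker < 0 {
		return nil, errors.New("not a coraza wasm log line")
	}
	brace := strings.Index(line[marker:], "{")
	if brace < 0 {
		return nil, errors.New("wasm log payload is not a JSON audit log")
	}
	var entry AuditLog
	if err := json.Unmarshal([]byte(line[marker+brace:]), &entry); err != nil {
		return nil, fmt.Errorf("decode audit log: %w", err)
	}
	if entry.Transaction.ID == "" {
		return nil, errors.New("audit log without transaction id")
	}
	return &entry, nil
}
```

The `\u003c` escapes in the logged URI are decoded by `json.Unmarshal`, so the indexed field holds the original `<script>` payload.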
jcchavezs commented 8 months ago

Maybe we want to set the formatter to json? cc @anuraaga

M4tteoP commented 8 months ago

Maybe we want to set the formatter to json

I agree; while the native formatter is "working", the output emitted as multi-line logs looks far from easily usable, except for very controlled debugging.

jcchavezs commented 8 months ago

Maybe we can override the JSON formatter for this repo, but that does not have to happen in this PR. Specifically with Envoy, I think it makes sense to have the logs in JSON.


jcchavezs commented 7 months ago

Could you please rebase this PR @M4tteoP ?

M4tteoP commented 5 months ago

To be resolved before merging: point to the Coraza v3.2 version that comes with https://github.com/corazawaf/coraza/pull/1027

jcchavezs commented 5 months ago

Can we merge this @M4tteoP ?