corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0

Add x-request-id header to coraza logs #295

Open matheustmattioli opened 2 weeks ago

matheustmattioli commented 2 weeks ago

Hello, I'm currently having the same issue as coraza #1119. I posted the text below in the linked issue, but I'm posting it again in a new issue because I thought maybe this repository is a better place.
Is there a way to include the x-request-id header in coraza logs as an additional tag or field like "unique_id" in each rule? I tried to implement it locally but I couldn't modify the rules metadata with actions in .conf files, or even through the "Matched Rules" transaction variable in the plugin.go file. For example, in the function "OnHttpRequestHeaders" I got the header with ctx.requestID, err = proxywasm.GetHttpRequestHeader("x-request-id") and appended it to logFields: logFields = append(logFields, debuglog.Str("x-request-id", ctx.requestID)).

But it only logged this information in non-rule messages, like:

wasm-logs_1 | [2024-10-25 17:33:37.111701][23][info][wasm] [source/extensions/common/wasm/context.cc:1148] wasm log coraza-filter my_vm_id: Finished tx_id="qMHzlTjlKflKbnatBFn" context_id=2 x-request-id="6160d595-971e-4c23-81b1-e33d2468e17c"

And nothing happened in rule messages, like:

[2024-10-25 17:33:37.111423][23][critical][wasm] [source/extensions/common/wasm/context.cc:1157] wasm log coraza-filter my_vm_id: [client "172.19.0.1"] Coraza: Warning. Anomaly Scores: (Inbound Scores: blocking=20, detection=20, per_pl=20-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=20, RFI=0, LFI=0, RCE [file "@owasp_crs/RESPONSE-980-CORRELATION.conf"] [line "13394"] [id "980170"] [rev ""] [msg "Anomaly Scores: (Inbound Scores: blocking=20, detection=20, per_pl=20-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=20, RFI=0, LFI=0, RCE"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "172.19.0.4"] [uri "/anything?arg="] [unique_id "qMHzlTjlKflKbnatBFn"]

In the same function, I tried to access the rules captured by the transaction (as in the snippet below), but it did not work because I could only get the values, and not set new values (I noticed there are no "set" methods).

matchedRules := tx.MatchedRules()

// log x-request-id in each matched rule
for _, rule := range matchedRules {
   ruleTags := rule.Rule().Tags()
   ruleTags = append(ruleTags, "x-request-id: "+ctx.requestID)
   // rule.Rule().SetTags()?
}

Is there another way to implement this idea in the coraza-proxy-wasm version?

icksa commented 3 days ago

Hello: I ran into this same issue and was not able to get it to work. I ended up leveraging the audit log for this purpose. If you add mode "K" to SecAuditLogParts, it will include all of the rules that matched. This is very verbose because it also shows the full definition of each rule, but it does include all of the needed info. You can also include headers in the audit log message, so that should show the x-request-id.

I didn't like this last part because I cannot risk accidentally showing sensitive headers in the logs, so I added a custom rule to specifically show the x-request-id header. The audit log message will include this along with the other matches.
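
Another option that leaves rule metadata untouched, as an added example that is not part of the thread or of the project's code: the two log lines quoted in the first comment carry the same value (tx_id on the "Finished" line, unique_id on the rule line), so they can be joined when the logs are processed. It assumes the locally patched filter that writes x-request-id on the "Finished" line; the sample lines are constructed (shortened from the ones in the issue), and Correlate and RuleHit are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, shortened from the log lines quoted in the issue. The
// x-request-id field exists only with the local logFields change (assumption).
const sampleLog = `[2024-10-25 17:33:37.111423][23][critical][wasm] wasm log coraza-filter my_vm_id: [client "172.19.0.1"] Coraza: Warning. [id "980170"] [uri "/anything?arg="] [unique_id "qMHzlTjlKflKbnatBFn"]
[2024-10-25 17:33:37.111701][23][info][wasm] wasm log coraza-filter my_vm_id: Finished tx_id="qMHzlTjlKflKbnatBFn" context_id=2 x-request-id="6160d595-971e-4c23-81b1-e33d2468e17c"
[2024-10-25 17:33:38.000000][23][critical][wasm] wasm log coraza-filter my_vm_id: [client "172.19.0.1"] Coraza: Warning. [id "100001"] [unique_id "orphanTx"]`

var (
	finishedRe = regexp.MustCompile(`Finished tx_id="([^"]+)".*x-request-id="([^"]*)"`)
	// unique_id is anchored to the end of the line so that request-controlled
	// fields earlier in the line (uri, data) cannot supply a fake one.
	ruleRe = regexp.MustCompile(`\[id "(\d+)"\].*\[unique_id "([^"]+)"\]\s*$`)
)

// RuleHit is one rule log line joined with the request ID of its transaction.
type RuleHit struct{ RuleID, TxID, RequestID string }

// Correlate joins rule lines to "Finished" lines on unique_id == tx_id. Rule
// lines are logged first, so hits are buffered and resolved after the scan;
// RequestID stays empty when no "Finished" line was seen for the transaction.
func Correlate(log string) ([]RuleHit, error) {
	reqByTx := map[string]string{}
	var hits []RuleHit
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // rule lines can be long
	for sc.Scan() {
		if m := finishedRe.FindStringSubmatch(sc.Text()); m != nil {
			reqByTx[m[1]] = m[2]
		} else if m := ruleRe.FindStringSubmatch(sc.Text()); m != nil {
			hits = append(hits, RuleHit{RuleID: m[1], TxID: m[2]})
		}
	}
	for i := range hits {
		hits[i].RequestID = reqByTx[hits[i].TxID]
	}
	return hits, sc.Err()
}

func main() {
	hits, err := Correlate(sampleLog)
	fmt.Println(hits, err)
}
```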