mguinness / KestrelWAF

A basic WAF for the Kestrel web server.
MIT License
44 stars, 12 forks

Question: Is this library still being developed? #3

Open bbqchickenrobot opened 1 year ago

bbqchickenrobot commented 1 year ago

If so, I'd love to contribute where possible. If not, I'd love to fork it and make it part of a larger system that I am building out. Thanks!

mguinness commented 1 year ago

I have no plans to develop further, but I'd welcome contributions. If you like I can add you as a collaborator to the repo. Would also like to hear your ideas for the project.

bbqchickenrobot commented 1 year ago

Sure, that would be great if you can add me to the repo. To start I would just be learning the code ... But ultimately I want to build something that does what the F5 WAF does for Nginx / Apache. Although I don't think I'll be as comprehensive, I want it to get close.

On Wed, Jun 28, 2023 at 10:45 AM mguinness wrote:

I have no plans to develop further, but I'd welcome contributions. If you like I can add you as a collaborator to the repo. Would also like to hear your ideas for the project.


kenlnetherland commented 7 months ago

@bbqchickenrobot (love the name). I know it's a year later, but are you still helping with this? I am using this for Kestrel. I have downloaded the rules from https://github.com/coreruleset/coreruleset. I have developed a parser to go through each rule (that makes sense to do so) and create a corresponding entry in the config, as well as code to the WebRequest to handle. I am almost done with the parser part (not too hard). Anyhow, I too am willing to contribute my changes back to this repo (note for @mguinness: I think with the high costs (typically monthly) to use a professional WAF, this may have some potential lucrative application). I will keep you both informed. Ken

mguinness commented 7 months ago

Apologies to BBQ, I don't think I made them a collaborator. Let me know if you still wish to be added.

kenlnetherland commented 7 months ago

Done with the parser, moving on to the emitter part.


I also had to figure out how to handle persistence since ModSecurity handles the following collection types (some durable, some not):

[screenshot: ModSecurity collection types]

I had a very specific use-case for this, but I'm beginning to see the potential outside of that. I am impressed with your code and will try to stay true to the model. Let me know your thoughts.

kenlnetherland commented 7 months ago

You should see the test cases. Wow!


bbqchickenrobot commented 7 months ago

Apologies to BBQ, I don't think I made them a collaborator. Let me know if you still wish to be added.

Sure, that would be cool - I'm willing to help out and am building a project now that will be making use of this.

kenlnetherland commented 7 months ago

Attached resulting config:

wafruleset.json

mguinness commented 7 months ago

Thanks for your work kenlnetherland, this looks like a great addition. I've invited you both as contributors, so feel free to merge your changes to this repo. Would also love to hear feedback from others using this ruleset.

kenlnetherland commented 7 months ago

Hi, just wanted to give you both a status update. The code emitter was much more difficult than I anticipated. I am wrapping up the C# code emit to WebContext.cs. This was changed from WebRequest.cs since there are rules that impact request, response, and the connection itself. The code compiles, but I've now moved on to compiling the rules (i.e. programmatically in the rules engine - a mind-twister for sure). Mguinness, to respond to your last message, most of the code I've written is the compiler/emitter. The bulk of the changes to the project is the result of the emitted code. Once I can get all the rules to compile (see below), I will have code changes to push back to the repo. I do have a legacy library that I use called Utils.csproj. This has Winforms code, C++ code, tons of Windows API declarations, and even a few VB projects etc. Getting that to work with .NET 8 was a beast. I may try to sever that dependency in the final product as I don't want to pollute the repo. Just give me time for now. I attached a sample of the WebContext.cs. It is auto-generated, so keep that in mind.

Compiling rule: 100021. 103 of 1658 rules

WebContext.cs.txt

In terms of feedback from others, you have the non-profit and all of its supporters and sponsors: https://owasp.org/www-project-modsecurity-core-rule-set/

mguinness commented 7 months ago

Thanks for the update, I'm sure many will be interested in using the OWASP CRS.

kenlnetherland commented 7 months ago

mguinness Can you tell me your motivation for developing this? What were/are your goals? Are you still interested in taking this further? Do you think it's marketable? Just curious of your motivation.

bbqchickenrobot commented 7 months ago

@bbqchickenrobot (love the name). I know it's a year later, but are you still helping with this? I am using this for Kestrel. I have downloaded the rules from https://github.com/coreruleset/coreruleset. I have developed a parser to go through each rule (that makes sense to do so) and create a corresponding entry in the config, as well as code to the WebRequest to handle. I am almost done with the parser part (not too hard). Anyhow, I too am willing to contribute my changes back to this repo (note for @mguinness: I think with the high costs (typically monthly) to use a professional WAF, this may have some potential lucrative application). I will keep you both informed. Ken

I am planning on it for some ventures I'm about to launch.... I'll be behind cloudflare, but also would like to have some protection at this level (even for white listing other servers I'm using). And thanks re: the name! :) Old name that stuck haha. Thanks for the update!

I'll have a couple blog sites that are smaller, some SMBs may have some use cases here who can't afford the higher WAF, etc.

bbqchickenrobot commented 7 months ago

And dangit, my invitation expired, can you resend @mguinness ? Gracias!

kenlnetherland commented 7 months ago

bbqchicken.. I like the entrepreneurship attitude. Maybe a case of 3 strangers build a company together, who knows? Lol.

mguinness commented 7 months ago

Can you tell me your motivation for developing this? What were/are your goals? Are you still interested in taking this further? Do you think it's marketable? Just curious of your motivation.

It was developed for my hobby projects that needed basic protection. Using middleware to block traffic with configuration files was my goal. Not looking to work on it further at this point, but happy for others to get involved.

And dangit, my invitation expired, can you resend @mguinness?

Of course, invite resent.

kenlnetherland commented 7 months ago

FYI.. Status: Compiling rule: 932160. 348 of 1658 rules

bbqchickenrobot commented 7 months ago

bbqchicken.. I like the entrepreneurship attitude. Maybe a case of 3 strangers build a company together, who knows? Lol.

I'm open to it!!! Currently made the jump over to the crypto defi market and am trying to build some things there - I'm open to people joining, there's a lot of stuff to do lol

kenlnetherland commented 7 months ago

Finished compiling rules. Moving on to unit testing.

Compiling rule: 980018. 1621 of 1621 rules (some of the rules were simply "markers", why you see 1621 instead of 1658) Found 290 test files.

kenlnetherland commented 7 months ago

From unit testing, I ran into quite a few obstacles. First and foremost, the top-level ruleset operator was previously "OrElse", but many of the rules do nothing more than log an event or set a variable on failure. This means even though a rule may have failed innocuously, it short-circuited the operation and bailed. I tried changing the operator to "And", but that meant that it would run every rule, even though one failed with an intended true HTTP status code. I had to add an OuterOperator to each rule which could either default to "And" if missing or to "AndAlso" if the rule needed to short-circuit. Dealing with this rules engine and understanding Expressions was a new venture for me, because I only used them from an Enumerable LINQ perspective. Wow! What a learning curve!

What I'm beginning to realize is that with all of the changes I've had to make to the rules engine, it's becoming a "product" in its own right. I've added many more operators, the rules and results of each are put onto a stack that is part of Thread Local Storage (anticipating the need for handling many connections), and you can manipulate and handle the results as needed.

Another thing I had to do is put the rules in a BTree index, because of the vast increase in the rule count.

Last thing I wanted to mention, I've been in conversation with Tony Jenniges, the CEO of dotFurther (https://dotfurther.com). Nice guy! They have a product called Open Discover® SDK for .NET. I want to incorporate PII detection into the product. It would be, what I hope is, a super easy value-added service. I don't want to get too far away from a niche product, that could low-cost "open-source" compete with CloudFlare with a single focus on WAF/Firewall.

Also joined here: https://www.meetup.com/owasp-phoenix-chapter/events/calendar/ https://www.meetup.com/pro/owasp/

Stay tuned.
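The per-rule OuterOperator scheme described in the comment above, as an added illustration in C# that is neither the project's code nor kenlnetherland's: each rule carries an And (keep evaluating after a failure) or AndAlso (short-circuit on failure) operator, and the expression tree is folded so that the operator governs everything that follows the rule. The WebRequest, Rule, Record and ShouldBlock names and the sample rules are assumptions for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical stand-ins for the request and rule types; not the project's own code.
public sealed class WebRequest
{
    public string Path { get; set; } = "";
    public string UserAgent { get; set; } = "";
    public List<(int Id, bool Passed)> Results { get; } = new(); // per-request result stack
}

public enum OuterOperator { And, AndAlso }

public sealed class Rule
{
    public int Id { get; init; }
    public bool Blocking { get; init; } // false = log-only rule, a failure never blocks by itself
    public Expression<Func<WebRequest, bool>> Body { get; init; } = default!;
    public OuterOperator Outer { get; init; } = OuterOperator.And; // "And" when missing from config
}

public static class RuleSetCompiler
{
    // Every evaluated rule records its result so the decision can be taken from the stack later.
    public static bool Record(WebRequest r, int id, bool passed) { r.Results.Add((id, passed)); return passed; }

    // Builds r1 OP1 (r2 OP2 (r3 ...)) from the right: Expression.And evaluates both sides,
    // Expression.AndAlso skips the remaining rules once the left side has failed.
    public static Func<WebRequest, bool> Compile(IReadOnlyList<Rule> rules)
    {
        var req = Expression.Parameter(typeof(WebRequest), "req");
        var record = typeof(RuleSetCompiler).GetMethod(nameof(Record))!;
        Expression chain = Expression.Constant(true);
        for (int i = rules.Count - 1; i >= 0; i--)
        {
            var outcome = Expression.Call(record, req, Expression.Constant(rules[i].Id),
                                          Expression.Invoke(rules[i].Body, req));
            chain = rules[i].Outer == OuterOperator.AndAlso
                ? Expression.AndAlso(outcome, chain)
                : Expression.And(outcome, chain);
        }
        return Expression.Lambda<Func<WebRequest, bool>>(chain, req).Compile();
    }

    // Block only when a rule marked Blocking failed; log-only failures stay in the stack as audit data.
    public static bool ShouldBlock(IReadOnlyList<Rule> rules, WebRequest r) =>
        r.Results.Any(x => !x.Passed && rules.First(k => k.Id == x.Id).Blocking);
}
```

Usage: with rules `{Id=1, Body=r => r.UserAgent.Length > 0}` (log-only, And), `{Id=2, Blocking=true, Outer=AndAlso, Body=r => !r.Path.Contains("..")}` and a third blocking rule, a request without a User-Agent still runs all three rules and is not blocked, while a request whose path contains `..` stops after rule 2 and ShouldBlock returns true.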

mguinness commented 7 months ago

For sure there is a lot more to a WAF than what I've attempted. Maybe the best approach would be for you to create a new repo under your control and I can then include a reference to that project in README for others to follow. That way you have full autonomy and can invite others to contribute to that effort. I look forward to hearing more on your plans.

kenlnetherland commented 7 months ago

Dude, I still want you involved :( .. lol.

I think that's a great idea. I have my org site. I will put it there and invite both of you. There are so many changes and 3rd party libraries now, that resolving back to the "origin" was looking to be painful. I will definitely give you the credit you deserve, and if this grows and you want to jump back in, you will always have a seat somewhere, whether on a board, or as a "founder" title. I couldn't have done this without your work, but I understand your caution. I appreciate the referral, and I will do the same.

kenlnetherland commented 7 months ago

I met with the gentlemen from dotFurther, Tony, his sales broker, and his Chief of Data Analytics (both get sales commission when dotFurther gets sold). They were very interested in a partnership and talked about how it would add a new dimension to their current offering. They used the term PXI which I guess the X stands for I or H, PII or PHI.

PII = personally identifiable information. PHI = protected health information.

They said they could see the demand for this in both financial and medical industries. They are currently in talks with Bank of America. They are definitely interested in expanding their cyber offering beyond document scanning.

They asked me to put together a bare-bones marketing package for them. Tony will also get me a license to their product following ND/NC agreement.

Unit testing is slow. Even the first test case has to run through 1658 rules for the first request/response. I'm hoping it will pick up after the first test case can complete. Sometimes I see issues with the auto-gen'd code (which I halted utilizing) and have to make changes to thousands of properties and callbacks en masse. Visual Studio regex find/replace really helps out.

Sad status (but picking up): Executing 1 of 3788 test cases

Executing rule: 901320, 22 of 1658
Successfully executed rule: 901320, 22 of 1658, status code: OK

kenlnetherland commented 6 months ago

Just a quick status update. The below doesn't seem like a lot of progress but I'm coming close to hitting every rule type. Hopefully smooth sailing after.

Executing rule: 913100, 46 of 1658

bbqchickenrobot commented 6 months ago

Ok, starting up a new proj and am definitely going to make use of this in it - how much of a task would it be to start w/ this version @kenlnetherland and then when your changes are ready to "upgrade" to your bits?

kenlnetherland commented 6 months ago

Hey Troy, I'm about 30% with unit testing, stress testing next. Are you willing to take it in its current state?

kenlnetherland commented 6 months ago

Also, what OS, version of Visual Studio, and .NET?

kenlnetherland commented 6 months ago

Alright, new repo is set up. I have not tested this on another machine, but I'm happy to help you get through any build errors or issues. It may take a few iterations with the legacy stuff.

https://github.com/CloudIDEaaS/CloudIDEaaSWAF

Adding Sample Web project and tests.. stay tuned

kenlnetherland commented 6 months ago

I added Sample Web project and tests. I was trying to resolve all hard-coded paths but ran out of steam. Will finish tomorrow. Remember, I have yet to get a full run of all tests for a request/response.

bbqchickenrobot commented 6 months ago

Hey Troy, I'm about 30% with unit testing, stress testing next. Are you willing to take it in its current state?

sure thing! and if I hit something that I can fix I'll submit a PR, etc

bbqchickenrobot commented 6 months ago

Also, what OS, version of Visual Studio, and .NET?

Windows 11, Visual Studio 2022 17.9 and Rider 2024.1 on top of .NET 8

yoli799480165 commented 5 months ago

@bbqchickenrobot Is this project still ongoing?

I've checked out the code of https://github.com/CloudIDEaaS/CloudIDEaaSWAF and tried to run it or use it in my own project. But none of these attempts were successful, and to be honest the code of that project was hard to use, it contained too much extraneous code.

I hope this project can continue and support more rules.

kenlnetherland commented 5 months ago

Yoli, my apologies. I do not have a separate computer to test this on right now. I am willing to help you or someone get it set up and running as I mentioned to Troy (bbqchicken).

Let me know if you would like my help.