p0pr0ck5 / lua-resty-waf

High-performance WAF built on the OpenResty stack
GNU General Public License v3.0

Event logs not being captured & help in activating additional ruleset #327

Open rahulbhatu opened 5 years ago

rahulbhatu commented 5 years ago

Hi, I have lua-resty-waf set up, but event logs are not being captured in the given file location.

nginx.conf 

user www-data;
worker_processes  auto;
pid /run/openresty.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    keepalive_timeout  65;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/openresty/access.log;
    error_log /var/log/openresty/error.log;

    gzip  on;
    gzip_disable "msie6";

    include ../sites/*;

    init_by_lua_block {
        require "resty.core"
        local lua_resty_waf = require "resty.waf"

        -- this translates and calculates a ruleset called '26_Apps_WordPress.conf'
        local ok, errs = pcall(function()
            lua_resty_waf.load_secrules("/usr/local/openresty/lua-resty-waf/rules/26_Apps_WordPress.conf")
        end)

        -- errs is an array-like table
        if errs then
            for i = 1, #errs do
                ngx.log(ngx.ERR, errs[i])
            end
        end

        -- init() is called once, after all load_secrules() calls
        lua_resty_waf.init()
    }

}

########################################################################

my default.conf

server {
    # Listen on port 80.
    listen 80 default_server;
    listen [::]:80 default_server;

    # The document root.
    root /usr/local/openresty/nginx/html/default;

    # Add index.php if you are using PHP.
    index index.html index.htm;

    # The server name, which isn't relevant in this case, because we only have one.
    server_name _;

    # When we try to access this site...
    location / {
        try_files $uri $uri/ =404;
    }

    location /example {
        default_type 'text/plain';

        content_by_lua_block {
            ngx.say('Hello, Sammy!')
        }

        access_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()

            waf:set_option("debug", true)
            waf:set_option("info", "true")
            waf:set_option("mode", "ACTIVE")
            waf:set_option("add_ruleset", "26_Apps_WordPress.conf")

            waf:set_option("event_log_ngx_vars", "host")
            waf:set_option("event_log_ngx_vars", "request_id")
            waf:set_option("event_log_ngx_vars", "server_port")
            waf:set_option("event_log_request_arguments", true)

            waf:set_option("allow_unknown_content_types", true)
            waf:set_option("event_log_target", "file")
            waf:set_option("event_log_target_path", "/var/log/waf/eve.log")
            waf:set_option("process_multipart_body", true)
            waf:set_option("res_body_max_size", 1024 * 1024 * 2)
            waf:set_option("req_tid_header", false)
            waf:set_option("res_tid_header", false)
            waf:set_option("res_body_mime_types", { "text/plain", "text/html", "text/json", "application/json", "text/php", "text/x-php", "application/php", "application/x-php", "application/x-httpd-php", "application/x-httpd-php-source" })

            waf:exec()
        }

        header_filter_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
        }

        body_filter_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
        }

        log_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
            waf:write_log_events()
        }
    }

    # Redirect server error pages to the static page /50x.html.
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /usr/local/openresty/nginx/html;
    }
}
rahulbhatu commented 5 years ago

Managed to get the event logs enabled in the file. Next challenge is 1) I am converting the .conf rules to JSON using modsec2lua-resty-waf.pl. The rules are converted to JSON, and echo $? suggests that the conversion was successful with 0 status, but I get some errors; not sure if these are warnings, as comparing the .conf and JSON files all rules are there.

root@ip-172-31-29-13:/usr/local/openresty/lua-resty-waf/tools# ./modsec2lua-resty-waf.pl < 26_Apps_WordPress.conf > 26_Apps_WordPress.json
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225120,chain,msg:'COMODO WAF: XSS vulnerability in WordPress before 4.6.1 (CVE-2016-7168)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'WordPress'
SecRule REQUEST_BASENAME @streq media-new.php chain,t:none,t:urlDecodeUni
SecRule FILES @rx (?:\<(.+)\>) chain,capture,t:none,t:urlDecodeUni
SecRule TX:1 @contains = t:none
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225140,chain,msg:'COMODO WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'WordPress'
SecRule ARGS_POST:action @streq upload-attachment chain,t:none,t:urlDecodeUni,t:lowercase
SecRule FILES @contains < chain,t:none,t:urlDecodeUni
SecRule REQUEST_BASENAME @streq async-upload.php t:none,t:urlDecodeUni,t:lowercase
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225141,chain,msg:'COMODO WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'WordPress'
SecRule ARGS_POST:html-upload @streq upload chain,t:none,t:lowercase
SecRule FILES @contains < chain,t:none,t:urlDecodeUni
SecRule REQUEST_FILENAME @streq media-new.php t:none,t:urlDecodeUni,t:lowercase
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225210,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in WordPress 4.9.7 (CVE-2018-14028)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'WordPress'
SecRule REQUEST_BASENAME @streq update.php chain,t:none,t:urlDecodeUni,t:lowercase
SecRule ARGS_GET:action @rx ^upload-(?:plugin|theme)$ chain,t:none,t:urlDecodeUni,t:lowercase
SecRule FILES !@rx \.zip$ t:none,t:urlDecodeUni,t:lowercase
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule REQUEST_FILENAME @contains /wp-content/plugins/sexy-contact-form/includes/fileupload/ id:240020,chain,msg:'COMODO WAF: Protecting WordPress Creative Contact Form Files folder||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:5,severity:2,tag:'CWAF',tag:'WordPress'
SecRule FILES @rx \.(?:php|js|pl)(?:\.|$) t:none,t:lowercase,t:urlDecodeUni
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform utf8toUnicode at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform utf8toUnicode at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.

2) After converting rules to JSON and moving them to the rules directory, does that activate them, or does one have to call lua_resty_waf.load_secrules and add waf:set_option("add_ruleset", "example.conf") after converting to JSON?

Thanks
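One way to make the translator's diagnostics actionable, as an added example that is not part of this issue or of lua-resty-waf: parse the "Cannot translate variable" / "Cannot perform transform" lines quoted above and group them by the ModSecurity rule id they belong to, so you know which rules are missing from the converted ruleset (a silent coverage gap, since the exit status was 0). The parser, its attribution heuristic and the SAMPLE excerpt are assumptions of this example.

```python
"""Added example (not lua-resty-waf code): group modsec2lua-resty-waf.pl diagnostics by
ModSecurity rule id. Assumes the output format quoted above; a diagnostic is credited to
the next printed SecRule chain only if that chain uses the name, else it is 'unattributed'."""
import re
from collections import Counter
DIAG_RE = re.compile(r"^Cannot (?:translate (variable)|perform (transform)) (\S+) at ")
RULE_ID_RE = re.compile(r"\bid:(\d+)")
def _chain_uses(chain, kind, name):
    """True if any SecRule line of the chain references this variable or transform."""
    for line in chain:
        parts = line.split(None, 2)          # 'SecRule', '<variables>', '<operator,actions>'
        if kind == "variable" and len(parts) > 1 and name in re.split(r"[|:&!]", parts[1]):
            return True
        if kind == "transform" and re.search(r"\bt:%s(?=,|\s|$)" % re.escape(name), line):
            return True
    return False
def parse_translator_output(text):
    """Return ({rule id: {'variable': set, 'transform': set}}, Counter of unexplained diagnostics)."""
    per_rule, unattributed, pending, chain = {}, Counter(), [], []
    def flush_chain():
        if not chain:
            return                           # keep pending diagnostics for the next chain
        m = RULE_ID_RE.search(chain[0])
        rule_id = m.group(1) if m else "<no id>"
        for kind, name in pending:
            if _chain_uses(chain, kind, name):
                per_rule.setdefault(rule_id, {"variable": set(), "transform": set()})[kind].add(name)
            else:
                unattributed[(kind, name)] += 1
        pending.clear(); chain.clear()

    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = DIAG_RE.match(line)
        if m:
            flush_chain()
            pending.append((m.group(1) or m.group(2), m.group(3)))
        elif line.startswith("SecRule "):
            chain.append(line)
        else:
            flush_chain()                    # a shell prompt or other output ends a chain
    flush_chain()
    unattributed.update(pending)             # trailing diagnostics with no chain printed
    return per_rule, unattributed
SAMPLE = """\
Cannot translate variable FILES at Modsec2LRW.pm line 674, <> line 170.
SecRule FILES @rx (?:\\<(.+)\\>) id:225120,phase:2,deny,capture,t:none,t:urlDecodeUni
Cannot perform transform normalizePath at Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at Modsec2LRW.pm line 674, <> line 170.
SecRule REQUEST_FILENAME @contains /x/ id:240020,chain,deny,t:none,t:normalizePath
SecRule FILES @rx \\.(?:php|js|pl)(?:\\.|$) t:none,t:lowercase,t:urlDecodeUni
Cannot perform transform utf8toUnicode at Modsec2LRW.pm line 951, <> line 170.
"""  # constructed excerpt, cut down from the translator output quoted above
```

Run `parse_translator_output(open("translate.log").read())` on the captured stderr of the conversion; rule ids in the first result are the ones to re-implement by hand or consciously accept as uncovered.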