voroojax / waf-fle

Automatically exported from code.google.com/p/waf-fle

rule_message caching doesn't work well #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up a ruleset with anomaly scoring
2. Set up a final outbound blocking rule with a dynamic block message (the rule id is always the same)
3. Get traffic blocked by the outbound blocking rule

What is the expected output? What do you see instead?
Depending on the score and the rule that caused the actual score, the blocking rule outputs the information provided by the rule. The output is dynamic. But waf-fle caches the first output message for the corresponding rule and uses the same message for all other hits of this rule id.
e.g. the first hit is a SQL injection attempt, the 2nd is an XSS. waf-fle will cache the SQLi, and so also for the XSS it will say this was a SQLi (although the raw file (and server log) are saying something different).

What version of the product are you using? On what operating system?
0.6.0

Original issue reported on code.google.com by do...@pebcak.de on 14 Oct 2013 at 12:33

GoogleCodeExporter commented 9 years ago
I could reproduce this, and I'm working on a solution.

Klaubert

Original comment by klaub...@gmail.com on 30 Jan 2014 at 7:07

GoogleCodeExporter commented 9 years ago

Original comment by klaub...@gmail.com on 30 Jan 2014 at 7:08

GoogleCodeExporter commented 9 years ago
One workaround is customizing rules and changing database tables. I was facing the same issue with some rules (for example 981176). I changed the rule, so now it looks like this:
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
                SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
                        SecRule TX:/^\d/ "(.*)"

I have changed logdata, so I am able to view score levels in the waffle console. In the database table rule_message I have changed rule_message for message_ruleId 981176 to "Inbound Anomaly Score Exceeded". I didn't change msg in the rule because the anomaly score is counted from the information in the msg text. Now I have all the information I wanted in the console, and I am able to filter via score.

Original comment by juraj.sa...@gmail.com on 6 Mar 2014 at 12:37
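The two behaviours discussed in this thread, as an added example (not waf-fle code): the reported bug, where a message table keyed only by rule id reuses the first msg seen for a blocking rule whose msg text is built dynamically from the anomaly-score variables, and the workaround from the last comment, where only the fixed prefix of the msg is stored per rule id and the per-hit detail travels with the event (as it does in logdata after the rule change). The audit-log "Message:" lines, the `Event` record and the `split_static_dynamic` split on the first " (" are constructed for the demonstration and are not waf-fle's parser or schema.

```python
"""Illustrates the rule_message caching problem reported in this issue and the
workaround from the last comment (split the static and the dynamic part of a
rule's msg). Added example; not waf-fle code. The log lines, record layout and
split heuristic below are constructed for the demonstration."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed ModSecurity audit-log "Message:" lines (not real traffic).
# Hits 1 and 2 come from the same blocking rule id; the msg differs per hit
# because it is expanded from anomaly-score variables at match time.
SAMPLE_LINES = [
    'Message: Access denied with code 403 (phase 2). [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): '
    'Last Matched Message: SQL Injection Attack"]',
    'Message: Access denied with code 403 (phase 2). [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=0, XSS=5): '
    'Last Matched Message: Cross-site Scripting (XSS) Attack"]',
    'Message: Warning. [id "950901"] '
    '[msg "SQL Injection Attack: SQL Tautology Detected."]',
]

_ID_RE = re.compile(r'\[id "(\d+)"\]')
_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


class Event(NamedTuple):
    rule_id: str
    message: str      # what the console would display for this hit
    detail: str = ""  # per-hit dynamic part (empty when the msg is static)


def parse_message(line: str) -> Optional[Tuple[str, str]]:
    """Extract (rule_id, msg) from one audit-log Message: line, or None."""
    m_id, m_msg = _ID_RE.search(line), _MSG_RE.search(line)
    if not m_id or not m_msg:
        return None
    return m_id.group(1), m_msg.group(1)


def cache_by_rule_id(lines: List[str]) -> List[Event]:
    """Reported behaviour: the message cache is keyed by rule id alone, so
    the first msg seen for an id is reused for every later hit of that id."""
    rule_message: Dict[str, str] = {}
    events: List[Event] = []
    for line in lines:
        parsed = parse_message(line)
        if parsed is None:
            continue
        rule_id, msg = parsed
        rule_message.setdefault(rule_id, msg)       # first msg wins
        events.append(Event(rule_id, rule_message[rule_id]))
    return events


def split_static_dynamic(msg: str) -> Tuple[str, str]:
    """Workaround: keep only the fixed prefix as the rule's message and treat
    everything from the first ' (' on as per-hit detail (assumption: the
    dynamic text is wrapped in parentheses, as in the CRS blocking rule)."""
    static, sep, rest = msg.partition(" (")
    return static, (sep + rest) if sep else ""


def cache_static_only(lines: List[str]) -> Tuple[Dict[str, str], List[Event]]:
    """Store the static prefix per rule id and the dynamic remainder with the
    event itself. Returns (rule_message_table, events)."""
    rule_message: Dict[str, str] = {}
    events: List[Event] = []
    for line in lines:
        parsed = parse_message(line)
        if parsed is None:
            continue
        rule_id, msg = parsed
        static, dynamic = split_static_dynamic(msg)
        rule_message.setdefault(rule_id, static)
        events.append(Event(rule_id, rule_message[rule_id], dynamic))
    return rule_message, events


if __name__ == "__main__":
    for ev in cache_by_rule_id(SAMPLE_LINES):
        print("cached-by-id:", ev.rule_id, ev.message)
    table, evs = cache_static_only(SAMPLE_LINES)
    print("rule_message:", table)
    for ev in evs:
        print("split:", ev.rule_id, ev.message, ev.detail)
```

Running it shows the second hit (an XSS by score) labelled as a SQL injection under the rule-id-only cache, while the split version keeps "Inbound Anomaly Score Exceeded" as the cached text for 981176 and attaches the score breakdown and last matched message to each event individually.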