From 73c039e18ea78674f7e8b3c4724cc61ab4cd74e0 Mon Sep 17 00:00:00 2001
From: Matteo Pace
Date: Thu, 27 Oct 2022 01:47:42 +0200
Subject: [PATCH] FTW: updates ignored rules (#59)
---
 ftw/ftw.yml | 227 ++++++++++-------------------------------
 rules/ftw-config.conf | 2 +
 2 files changed, 55 insertions(+), 174 deletions(-)
diff --git a/ftw/ftw.yml b/ftw/ftw.yml
index f6ee03bccd1fa..d93db84e3a6e7 100644
--- a/ftw/ftw.yml
+++ b/ftw/ftw.yml
@@ -4,185 +4,64 @@ testoverride:
 input:
 dest_addr: envoy
 ignore:
+ # Envoy not compatible tests
 '911100-5': 'Invalid HTTP method. Rejected by Envoy with Error 400'
 '911100-7': 'Invalid HTTP method. Rejected by Envoy with Error 400'
 '920100-4': 'Accepted by Envoy. Valid request. It is only disabled by default from Apache and Nginx'
 '920100-10': 'Invalid HTTP method. Rejected by Envoy with Error 400'
 '920100-14': 'Invalid HTTP method. Rejected by Envoy with Error 400'
- '932140-3': 'Invalid URL, Coraza stops this.'
- '920120-4': 'Rule bug'
- '920120-6': 'Rule bug'
- '920120-7': 'Rule bug'
- '932180-2': 'Bad multipart'
- '942490-17': 'Invalid URL, Coraza stops this.'
- # Temporary:
- '943110-4': 'Temporary, this works but the testing framework does not support it yet.'
-
- # Rules somewhat working
+ '949110-3': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
+ '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
+ '941110-9': 'Referer header is sanitized by Envoy and removed from the request'
+ '920270-5': 'Referer header is sanitized by Envoy and removed from the request'
+ '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
+ '920210-2': 'Connection header is stripped out by Envoy'
+ '920210-3': 'Connection header is stripped out by Envoy'
+ '920210-4': 'Connection header is stripped out by Envoy'
+ '920210-6': 'Connection header is stripped out by Envoy'
+ '920210-7': 'Connection header is stripped out by Envoy'
+ '920274-2': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
+ '920274-3': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
+ '920274-5': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
+
+ # Rules working, tests excluded for different expected output
 '920270-4': 'Log contains 920270. Test has log_contains disabled.'
- '920270-5': 'Manually working, with go-ftw rule not in the log'
 '920340-2': 'Log contains 920340, but tests expects expect_error: true'
+ '920400-1': 'Log contains 920400, but tests expects expect_error: true'
+
+ # Failing tests to be addressed
+ '920180-4': 'False positive. go-ftw sends POST / HTTP/2.0, but coraza-proxy-wasm reads HTTP/1.0. It does not happen with curl --http2-prior-knowledge'
+ '980170-0': 'Related to phase 4 logs. Not detected'
+ '980170-1': 'Related to phase 4 logs. Not detected'
- # Rules not working
- '920171-2': 'Rule 920171 not detected. GET/HEAD with body'
- '920171-3': 'Rule 920171 not detected. GET/HEAD with body'
- '920180-4': 'Rule 920180 not detected.'
- '920210-2': 'Rule 920210 not detected.'
- '920210-3': 'Rule 920210 not detected.'
- '920210-4': 'Rule 920210 not detected.'
- '920210-6': 'Rule 920210 not detected.'
- '920210-7': 'Rule 920210 not detected.'
- '920274-2': 'False positive. Rule 920274 always triggered'
- '920274-3': 'False positive. Rule 920274 always triggered'
- '920274-5': 'False positive. Rule 920274 always triggered'
- '920280-1': 'Rule 920280 not detected. Host not present'
- '920280-3': 'Rule 920280 not detected. Host not present'
- '920290-1': 'Rule 920290 not detected. Empty Host'
- '920400-1': 'Rule 920400 not detected.'
- '920430-3': 'Rule 920430 not detected.'
- '920430-5': 'Rule 920430 not detected. HTTP protocol version'
- '920430-8': 'Rule 920430 not detected. HTTP protocol version'
- '920430-9': 'Rule 920430 not detected. HTTP protocol version'
- '921180-2': 'False Positive. Parameters with the same name'
- '921180-4': 'False Positive. Parameters with the same name'
- '921180-5': 'False Positive. Parameters with the same name'
- '921180-6': 'False Positive. Parameters with the same name'
- '934120-28': 'Rule 934120 partially detected. Enclosed alphanumerics not detected'
- '934120-29': 'Rule 934120 partially detected. Enclosed alphanumerics not detected'
- '934120-30': 'Rule 934120 partially detected. Enclosed alphanumerics not detected'
- '934120-31': 'Rule 934120 partially detected. Enclosed alphanumerics not detected'
- '934130-7': 'Rule 934130 partially detected.'
- '934130-8': 'Rule 934130 partially detected.'
- '934130-9': 'Rule 934130 partially detected.'
- '934130-10': 'Rule 934130 partially detected.'
- '934130-11': 'Rule 934130 partially detected.'
- '934131-1': 'Rule 934131 not detected'
- '941101-1': 'Rule 941101 not detected'
- '941110-4': 'Rule 941110 partially detected. Referer header'
- '941110-9': 'Rule 941110 partially detected. Referer header'
- '941310-1': 'Rule 941310 partially detected'
- '941310-3': 'Rule 941310 partially detected'
- '942190-42': 'Rule 942190 partially detected. SQLi'
- '942440-16': 'False Positive. Rx'
- '942440-17': 'False Positive. Rx'
- '942440-18': 'False Positive. Rx'
- '944200-1': 'Rule 944200 not detected'
- '944210-7': 'Rule 944210 partially detected'
- '944210-8': 'Rule 944210 partially detected'
- '944210-9': 'Rule 944210 partially detected'
- '944210-24': 'Rule 944210 partially detected'
- '944210-25': 'Rule 944210 partially detected'
- '944210-26': 'Rule 944210 partially detected'
- '944210-41': 'Rule 944210 partially detected'
- '944210-42': 'Rule 944210 partially detected'
- '944210-43': 'Rule 944210 partially detected'
- '944240-50': 'Rule 944240 partially detected'
- '944240-51': 'Rule 944240 partially detected'
- '944240-60': 'Rule 944240 partially detected'
- '944240-61': 'Rule 944240 partially detected'
- '944240-62': 'Rule 944240 partially detected'
- '944240-71': 'Rule 944240 partially detected'
- '944240-72': 'Rule 944240 partially detected'
- '944240-73': 'Rule 944240 partially detected'
- '944240-82': 'Rule 944240 partially detected'
- '944240-83': 'Rule 944240 partially detected'
- '944240-84': 'Rule 944240 partially detected'
- '944250-5': 'Rule 944250 partially detected'
- '944250-6': 'Rule 944250 partially detected'
- '944250-7': 'Rule 944250 partially detected'
- '944250-16': 'Rule 944250 partially detected'
- '944250-17': 'Rule 944250 partially detected'
- '944250-18': 'Rule 944250 partially detected'
- '944300-5': 'Rule 944300 partially detected'
- '944300-6': 'Rule 944300 partially detected'
- '944300-7': 'Rule 944300 partially detected'
- '944300-16': 'Rule 944300 partially detected'
- '944300-17': 'Rule 944300 partially detected'
- '944300-18': 'Rule 944300 partially detected'
- '944300-27': 'Rule 944300 partially detected'
- '944300-28': 'Rule 944300 partially detected'
- '944300-29': 'Rule 944300 partially detected'
- '944300-38': 'Rule 944300 partially detected'
- '944300-39': 'Rule 944300 partially detected'
- '944300-40': 'Rule 944300 partially detected'
- '944300-49': 'Rule 944300 partially detected'
- '944300-50': 'Rule 944300 partially detected'
- '944300-51': 'Rule 944300 partially detected'
- '944300-60': 'Rule 944300 partially detected'
- '944300-61': 'Rule 944300 partially detected'
- '944300-62': 'Rule 944300 partially detected'
- '944300-71': 'Rule 944300 partially detected'
- '944300-72': 'Rule 944300 partially detected'
- '944300-73': 'Rule 944300 partially detected'
- '944300-82': 'Rule 944300 partially detected'
- '944300-83': 'Rule 944300 partially detected'
- '944300-84': 'Rule 944300 partially detected'
- '944300-93': 'Rule 944300 partially detected'
- '944300-94': 'Rule 944300 partially detected'
- '944300-95': 'Rule 944300 partially detected'
- '944300-104': 'Rule 944300 partially detected'
- '944300-105': 'Rule 944300 partially detected'
- '944300-106': 'Rule 944300 partially detected'
- '944300-115': 'Rule 944300 partially detected'
- '944300-116': 'Rule 944300 partially detected'
- '944300-117': 'Rule 944300 partially detected'
- '944300-126': 'Rule 944300 partially detected'
- '944300-127': 'Rule 944300 partially detected'
- '944300-128': 'Rule 944300 partially detected'
- '944300-137': 'Rule 944300 partially detected'
- '944300-138': 'Rule 944300 partially detected'
- '944300-139': 'Rule 944300 partially detected'
- '944300-148': 'Rule 944300 partially detected'
- '944300-149': 'Rule 944300 partially detected'
- '944300-150': 'Rule 944300 partially detected'
- '944300-159': 'Rule 944300 partially detected'
- '944300-160': 'Rule 944300 partially detected'
- '944300-161': 'Rule 944300 partially detected'
- '944300-170': 'Rule 944300 partially detected'
- '944300-171': 'Rule 944300 partially detected'
- '944300-172': 'Rule 944300 partially detected'
- '944300-181': 'Rule 944300 partially detected'
- '944300-182': 'Rule 944300 partially detected'
- '944300-183': 'Rule 944300 partially detected'
- '944300-192': 'Rule 944300 partially detected'
- '944300-193': 'Rule 944300 partially detected'
- '944300-194': 'Rule 944300 partially detected'
- '944300-203': 'Rule 944300 partially detected'
- '944300-204': 'Rule 944300 partially detected'
- '944300-205': 'Rule 944300 partially detected'
- '944300-214': 'Rule 944300 partially detected'
- '944300-215': 'Rule 944300 partially detected'
- '944300-216': 'Rule 944300 partially detected'
- '944300-225': 'Rule 944300 partially detected'
- '944300-226': 'Rule 944300 partially detected'
- '944300-227': 'Rule 944300 partially detected'
- '944300-236': 'Rule 944300 partially detected'
- '944300-237': 'Rule 944300 partially detected'
- '944300-238': 'Rule 944300 partially detected'
- '944300-247': 'Rule 944300 partially detected'
- '944300-248': 'Rule 944300 partially detected'
- '944300-249': 'Rule 944300 partially detected'
- '944300-258': 'Rule 944300 partially detected'
- '944300-259': 'Rule 944300 partially detected'
- '944300-260': 'Rule 944300 partially detected'
- '944300-269': 'Rule 944300 partially detected'
- '944300-270': 'Rule 944300 partially detected'
- '944300-271': 'Rule 944300 partially detected'
- '944300-280': 'Rule 944300 partially detected'
- '944300-281': 'Rule 944300 partially detected'
- '944300-282': 'Rule 944300 partially detected'
- '944300-291': 'Rule 944300 partially detected'
- '944300-292': 'Rule 944300 partially detected'
- '944300-293': 'Rule 944300 partially detected'
- '944300-302': 'Rule 944300 partially detected'
- '944300-303': 'Rule 944300 partially detected'
- '944300-304': 'Rule 944300 partially detected'
- '944300-313': 'Rule 944300 partially detected'
- '944300-314': 'Rule 944300 partially detected'
- '944300-315': 'Rule 944300 partially detected'
- '944300-324': 'Rule 944300 partially detected'
- '944300-325': 'Rule 944300 partially detected'
- '944300-326': 'Rule 944300 partially detected'
- '949110-3': 'Rule 949110 not detected. Related to 920100'
- '980170-0': 'Related to phase 4. Not detected'
- '980170-1': 'Related to phase 4. Not detected'
+ # Coraza related issues
+ '920171-2': 'Rule 920171 not detected. GET/HEAD with body. Coraza side'
+ '920171-3': 'Rule 920171 not detected. GET/HEAD with body. Coraza side'
+ '920280-1': 'Rule 920280 not detected. Host not present. Coraza side'
+ '920280-3': 'Rule 920280 not detected. Host not present. Coraza side'
+ '920430-3': 'Rule 920430 not detected. Proto version. Coraza side'
+ '920430-5': 'Rule 920430 not detected. Proto version. Coraza side'
+ '920430-8': 'Rule 920430 not detected. Proto version. Coraza side'
+ '920430-9': 'Rule 920430 not detected. Proto version. Coraza side'
+ '921180-2': 'False Positive. Parameters with the same name. Coraza Side'
+ '921180-4': 'False Positive. Parameters with the same name. Coraza Side'
+ '921180-5': 'False Positive. Parameters with the same name. Coraza Side'
+ '921180-6': 'False Positive. Parameters with the same name. Coraza Side'
+ '920290-1': 'Rule 920290 not detected. Empty Host. Coraza side'
+ '934120-28': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
+ '934120-29': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
+ '934120-30': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
+ '934120-31': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
+ '934130-7': 'Rule 934130 partially detected. Coraza side'
+ '934130-8': 'Rule 934130 partially detected. Test equals to 934130-7. Coraza side'
+ '934130-9': 'Rule 934130 partially detected. Coraza side'
+ '934130-10': 'Rule 934130 partially detected. Coraza side'
+ '934130-11': 'Rule 934130 partially detected. Coraza side'
+ '934131-1': 'Rule 934131 not detected. Coraza side'
+ '941310-1': 'Rule 941310 partially detected. Coraza side'
+ '941310-3': 'Rule 941310 partially detected. Coraza side'
+ '942190-42': 'Rule 942190 partially detected. SQLi. Coraza side'
+ '942440-16': 'False Positive. Rx. Coraza side'
+ '942440-17': 'False Positive. Rx. Coraza side'
+ '942440-18': 'False Positive. Rx. Coraza side'
+ '944200-1': 'Rule 944200 not detected. Coraza side'
diff --git a/rules/ftw-config.conf b/rules/ftw-config.conf
index f3a1f9d4eca57..50964d75f7b0d 100644
--- a/rules/ftw-config.conf
+++ b/rules/ftw-config.conf
@@ -6,6 +6,7 @@ SecDefaultAction "phase:3,log,auditlog,pass"
 SecDefaultAction "phase:4,log,auditlog,pass"
 SecDebugLogLevel 3
 
+# By default rule 900340 is commented, therefore max_file_size is added to 900005 in order to test 920400-* rules
 SecAction "id:900005,\
 phase:1,\
 nolog,\
@@ -18,6 +19,7 @@ SecAction "id:900005,\
 setvar:tx.arg_length=400,\
 setvar:tx.total_arg_length=64000,\
 setvar:tx.max_num_args=255,\
+ setvar:tx.max_file_size=64100,\
 setvar:tx.combined_file_sizes=65535"
 
 # Write the value from the X-CRS-Test header as a marker to the log
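Review bot: The entries under `# Coraza related issues` record rules that never fire in the engine (920171, 920280, 920290, 920430, 934131, 944200) or fire only partially, which is a detection gap a deployment inherits, yet the header reads like test bookkeeping and no entry carries an upstream issue reference, so nothing prompts dropping the ignore once Coraza is fixed. I would expand the header to `# Coraza related issues: the rule does not (fully) match in Coraza itself. These are detection gaps, not harness artifacts; drop the ignore when the referenced Coraza issue is closed.` and append the issue link to each entry. The 934120-* reasons describe an Envoy 400 on HTTP/1.1 and a Coraza miss on HTTP/2, so they belong half in the Envoy group, and the 920180-4 reason (go-ftw sends HTTP/2.0, the filter reads HTTP/1.0) looks like the same protocol-version visibility problem the 920430-* ignores attribute to Coraza — I am inferring that from the reason strings only, but it is worth stating once rather than blaming go-ftw in one place and Coraza in the other. The `testoverride` mapping opens above this hunk's first visible line.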
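Review bot: The added comment explains why `tx.max_file_size` is set here but not that this is a harness-only override: this file is the FTW configuration, so a deployment that keeps rule 900340 commented out (the default the comment itself acknowledges) still has no `tx.max_file_size`, and a green 920400-* run here says nothing about whether that rule fires in production. I would reword it as `# 900340 is commented out in crs-setup.conf by default, so max_file_size is set in 900005 here for the 920400-* tests only; deployments must set tx.max_file_size themselves or 920400 stays inert.` The SecAction this comment introduces continues past the hunk's last visible line.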
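Review bot: `setvar:tx.max_file_size=64100,\` is a bare constant with no rationale next to it; the comment above the directive says why the variable exists but not why 64100. From the visible values it has to stay below `tx.combined_file_sizes=65535` on the following line, and it presumably sits on the right side of the upload size the 920400-* test bodies send — confirm against those payloads. Because a `#` comment cannot be placed inside a backslash-continued directive, the rationale belongs in the comment above `SecAction "id:900005,\`, e.g. `# max_file_size=64100 is kept below combined_file_sizes (65535) and sized so the 920400-* uploads exceed it`. The `SecAction` block starts before this hunk's first visible line.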