Application Security Engine Support (#2273)
Add a new datasource that: - receives HTTP requests from remediation components - applies rules to them to determine whether they are malicious or not - rules can be evaluated in-band (the remediation component blocks the request directly) or out-of-band (the remediation component lets the request through, but CrowdSec can still process the rule matches with scenarios). The PR also adds support for 2 new hub items: - appsec-configs: configure the Application Security Engine (which rules to load, and in which phase) - appsec-rules: a rule that is added to the Application Security Engine (written either in our own format or in SecLang) --------- Co-authored-by: alteredCoder <kevin@crowdsec.net> Co-authored-by: Sebastien Blot <sebastien@crowdsec.net> Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com> Co-authored-by: Marco Mariani <marco@crowdsec.net>
1 parent
90d3a21
commit 8cca434
Showing
52 changed files
with
5,067 additions
and
780 deletions.
@@ -0,0 +1,105 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
|
||
"golang.org/x/text/cases" | ||
"golang.org/x/text/language" | ||
"gopkg.in/yaml.v3" | ||
|
||
"github.com/crowdsecurity/crowdsec/pkg/appsec" | ||
"github.com/crowdsecurity/crowdsec/pkg/appsec/appsec_rule" | ||
"github.com/crowdsecurity/crowdsec/pkg/cwhub" | ||
) | ||
|
||
func NewAppsecConfigCLI() *itemCLI { | ||
return &itemCLI{ | ||
name: cwhub.APPSEC_CONFIGS, | ||
singular: "appsec-config", | ||
oneOrMore: "appsec-config(s)", | ||
help: cliHelp{ | ||
example: `cscli appsec-configs list -a | ||
cscli appsec-configs install crowdsecurity/vpatch | ||
cscli appsec-configs inspect crowdsecurity/vpatch | ||
cscli appsec-configs upgrade crowdsecurity/vpatch | ||
cscli appsec-configs remove crowdsecurity/vpatch | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli appsec-configs install crowdsecurity/vpatch`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli appsec-configs remove crowdsecurity/vpatch`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli appsec-configs upgrade crowdsecurity/vpatch`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli appsec-configs inspect crowdsecurity/vpatch`, | ||
}, | ||
listHelp: cliHelp{ | ||
example: `cscli appsec-configs list | ||
cscli appsec-configs list -a | ||
cscli appsec-configs list crowdsecurity/vpatch`, | ||
}, | ||
} | ||
} | ||
|
||
func NewAppsecRuleCLI() *itemCLI { | ||
inspectDetail := func(item *cwhub.Item) error { | ||
appsecRule := appsec.AppsecCollectionConfig{} | ||
yamlContent, err := os.ReadFile(item.State.LocalPath) | ||
if err != nil { | ||
return fmt.Errorf("unable to read file %s : %s", item.State.LocalPath, err) | ||
} | ||
if err := yaml.Unmarshal(yamlContent, &appsecRule); err != nil { | ||
return fmt.Errorf("unable to unmarshal yaml file %s : %s", item.State.LocalPath, err) | ||
} | ||
|
||
for _, ruleType := range appsec_rule.SupportedTypes() { | ||
fmt.Printf("\n%s format:\n", cases.Title(language.Und, cases.NoLower).String(ruleType)) | ||
for _, rule := range appsecRule.Rules { | ||
convertedRule, _, err := rule.Convert(ruleType, appsecRule.Name) | ||
if err != nil { | ||
return fmt.Errorf("unable to convert rule %s : %s", rule.Name, err) | ||
} | ||
fmt.Println(convertedRule) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
return &itemCLI{ | ||
name: "appsec-rules", | ||
singular: "appsec-rule", | ||
oneOrMore: "appsec-rule(s)", | ||
help: cliHelp{ | ||
example: `cscli appsec-rules list -a | ||
cscli appsec-rules install crowdsecurity/crs | ||
cscli appsec-rules inspect crowdsecurity/crs | ||
cscli appsec-rules upgrade crowdsecurity/crs | ||
cscli appsec-rules remove crowdsecurity/crs | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli appsec-rules install crowdsecurity/crs`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli appsec-rules remove crowdsecurity/crs`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli appsec-rules upgrade crowdsecurity/crs`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli appsec-rules inspect crowdsecurity/crs`, | ||
}, | ||
inspectDetail: inspectDetail, | ||
listHelp: cliHelp{ | ||
example: `cscli appsec-rules list | ||
cscli appsec-rules list -a | ||
cscli appsec-rules list crowdsecurity/crs`, | ||
}, | ||
} | ||
} |
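Review bot: `name: "appsec-rules"` in the NewAppsecRuleCLI literal is a bare string while NewAppsecConfigCLI takes its name from `cwhub.APPSEC_CONFIGS`; if cwhub defines the matching `APPSEC_RULES` constant for the second new hub item type, the CLI should use it so a rename of the hub type cannot silently desynchronise the command from the hub. In inspectDetail the three error returns format the underlying error with `%s`, which drops the chain for errors.Is/As callers; `return fmt.Errorf("unable to read file %s: %w", item.State.LocalPath, err)` (and likewise for the unmarshal and convert errors) preserves it. inspectDetail also reads `item.State.LocalPath` unconditionally, so an item the hub knows about but that is not downloaded presumably has an empty path and fails with an unhelpful `open : no such file` message — a guard that reports the item as not installed would be clearer. The listHelp example is missing the `List only enabled ... unless "-a" or names are specified.` sentence the other item CLIs in this commit carry.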
@@ -0,0 +1,40 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/crowdsecurity/crowdsec/pkg/cwhub" | ||
) | ||
|
||
func NewCollectionCLI() *itemCLI { | ||
return &itemCLI{ | ||
name: cwhub.COLLECTIONS, | ||
singular: "collection", | ||
oneOrMore: "collection(s)", | ||
help: cliHelp{ | ||
example: `cscli collections list -a | ||
cscli collections install crowdsecurity/http-cve crowdsecurity/iptables | ||
cscli collections inspect crowdsecurity/http-cve crowdsecurity/iptables | ||
cscli collections upgrade crowdsecurity/http-cve crowdsecurity/iptables | ||
cscli collections remove crowdsecurity/http-cve crowdsecurity/iptables | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli collections install crowdsecurity/http-cve crowdsecurity/iptables`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli collections remove crowdsecurity/http-cve crowdsecurity/iptables`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli collections upgrade crowdsecurity/http-cve crowdsecurity/iptables`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli collections inspect crowdsecurity/http-cve crowdsecurity/iptables`, | ||
}, | ||
listHelp: cliHelp{ | ||
example: `cscli collections list | ||
cscli collections list -a | ||
cscli collections list crowdsecurity/http-cve crowdsecurity/iptables | ||
List only enabled collections unless "-a" or names are specified.`, | ||
}, | ||
} | ||
} |
@@ -0,0 +1,40 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/crowdsecurity/crowdsec/pkg/cwhub" | ||
) | ||
|
||
func NewParserCLI() *itemCLI { | ||
return &itemCLI{ | ||
name: cwhub.PARSERS, | ||
singular: "parser", | ||
oneOrMore: "parser(s)", | ||
help: cliHelp{ | ||
example: `cscli parsers list -a | ||
cscli parsers install crowdsecurity/caddy-logs crowdsecurity/sshd-logs | ||
cscli parsers inspect crowdsecurity/caddy-logs crowdsecurity/sshd-logs | ||
cscli parsers upgrade crowdsecurity/caddy-logs crowdsecurity/sshd-logs | ||
cscli parsers remove crowdsecurity/caddy-logs crowdsecurity/sshd-logs | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli parsers install crowdsecurity/caddy-logs crowdsecurity/sshd-logs`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli parsers remove crowdsecurity/caddy-logs crowdsecurity/sshd-logs`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli parsers upgrade crowdsecurity/caddy-logs crowdsecurity/sshd-logs`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli parsers inspect crowdsecurity/httpd-logs crowdsecurity/sshd-logs`, | ||
}, | ||
listHelp: cliHelp{ | ||
example: `cscli parsers list | ||
cscli parsers list -a | ||
cscli parsers list crowdsecurity/caddy-logs crowdsecurity/sshd-logs | ||
List only enabled parsers unless "-a" or names are specified.`, | ||
}, | ||
} | ||
} |
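Review bot: The inspectHelp example in NewParserCLI names `crowdsecurity/httpd-logs` while every other example in the same literal uses `crowdsecurity/caddy-logs`; unless that is deliberate, `example: \`cscli parsers inspect crowdsecurity/caddy-logs crowdsecurity/sshd-logs\`,` keeps the examples consistent and avoids pointing users at an item the surrounding help never mentions. This is help text only, so nothing else in the section is affected.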
@@ -0,0 +1,40 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/crowdsecurity/crowdsec/pkg/cwhub" | ||
) | ||
|
||
func NewPostOverflowCLI() *itemCLI { | ||
return &itemCLI{ | ||
name: cwhub.POSTOVERFLOWS, | ||
singular: "postoverflow", | ||
oneOrMore: "postoverflow(s)", | ||
help: cliHelp{ | ||
example: `cscli postoverflows list -a | ||
cscli postoverflows install crowdsecurity/cdn-whitelist crowdsecurity/rdns | ||
cscli postoverflows inspect crowdsecurity/cdn-whitelist crowdsecurity/rdns | ||
cscli postoverflows upgrade crowdsecurity/cdn-whitelist crowdsecurity/rdns | ||
cscli postoverflows remove crowdsecurity/cdn-whitelist crowdsecurity/rdns | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli postoverflows install crowdsecurity/cdn-whitelist crowdsecurity/rdns`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli postoverflows remove crowdsecurity/cdn-whitelist crowdsecurity/rdns`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli postoverflows upgrade crowdsecurity/cdn-whitelist crowdsecurity/rdns`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli postoverflows inspect crowdsecurity/cdn-whitelist crowdsecurity/rdns`, | ||
}, | ||
listHelp: cliHelp{ | ||
example: `cscli postoverflows list | ||
cscli postoverflows list -a | ||
cscli postoverflows list crowdsecurity/cdn-whitelist crowdsecurity/rdns | ||
List only enabled postoverflows unless "-a" or names are specified.`, | ||
}, | ||
} | ||
} |
@@ -0,0 +1,40 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/crowdsecurity/crowdsec/pkg/cwhub" | ||
) | ||
|
||
func NewScenarioCLI() *itemCLI { | ||
return &itemCLI{ | ||
name: cwhub.SCENARIOS, | ||
singular: "scenario", | ||
oneOrMore: "scenario(s)", | ||
help: cliHelp{ | ||
example: `cscli scenarios list -a | ||
cscli scenarios install crowdsecurity/ssh-bf crowdsecurity/http-probing | ||
cscli scenarios inspect crowdsecurity/ssh-bf crowdsecurity/http-probing | ||
cscli scenarios upgrade crowdsecurity/ssh-bf crowdsecurity/http-probing | ||
cscli scenarios remove crowdsecurity/ssh-bf crowdsecurity/http-probing | ||
`, | ||
}, | ||
installHelp: cliHelp{ | ||
example: `cscli scenarios install crowdsecurity/ssh-bf crowdsecurity/http-probing`, | ||
}, | ||
removeHelp: cliHelp{ | ||
example: `cscli scenarios remove crowdsecurity/ssh-bf crowdsecurity/http-probing`, | ||
}, | ||
upgradeHelp: cliHelp{ | ||
example: `cscli scenarios upgrade crowdsecurity/ssh-bf crowdsecurity/http-probing`, | ||
}, | ||
inspectHelp: cliHelp{ | ||
example: `cscli scenarios inspect crowdsecurity/ssh-bf crowdsecurity/http-probing`, | ||
}, | ||
listHelp: cliHelp{ | ||
example: `cscli scenarios list | ||
cscli scenarios list -a | ||
cscli scenarios list crowdsecurity/ssh-bf crowdsecurity/http-probing | ||
List only enabled scenarios unless "-a" or names are specified.`, | ||
}, | ||
} | ||
} |