update preconfig waf rules block to support path matches #65

Closed
nhu-nguyen27 opened this issue Sep 5, 2023 · 5 comments · Fixed by #71
Labels
enhancement New feature or request question Further information is requested

Comments

@nhu-nguyen27 (Author) commented Sep 5, 2023

This preconfig WAF rule is being triggered whenever there are certain keywords in the URI. We have tried the following to exclude the alert from being triggered, using the preconfig WAF exclusion parameter:

"methodenforcement-v33-stable_level_1" = {
  action            = "deny(403)"
  preview           = true
  priority          = 6
  description       = "Method enforcement Level 1"
  target_rule_set   = "methodenforcement-v33-stable"
  sensitivity_level = 1
  preconfigured_waf_config_exclusion = {
    target_rule_set = "methodenforcement-v33-stable"
    target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
    request_uri = [
      {
        operator = "CONTAINS"
        value    = "/keyword/here/"
      },
    ]
  }
}

However, it's not working, and after talking to a Google support rep, they suggested we try something like this:

evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')

But from the current module, it doesn't look like we can pass in path matches, etc.?

@imrannayer imrannayer added the question Further information is requested label Sep 5, 2023
@imrannayer (Member) commented

@nhu-nguyen27 This can be done using the custom_rules variable. Here is an example, but custom rules currently don't have preconfigured_waf_config block support in this module. We will need to add the preconfigured_waf_config block in custom rules to support this type of rule.

Your code will look something like this:

custom_rules = {
  "methodenforcement-v33-stable_level_1" = {
    action            = "deny(403)"
    priority          = 6
    description       = "Method enforcement Level 1"
    preview           = true
    expression        = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"
  }
}

Once we add support for preconfigured_waf_config_exclusion in custom_rules, your code will be:

custom_rules = {
  "methodenforcement-v33-stable_level_1" = {
    action            = "deny(403)"
    priority          = 6
    description       = "Method enforcement Level 1"
    preview           = true
    expression        = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"

    preconfigured_waf_config_exclusion = {
      target_rule_set = "methodenforcement-v33-stable"
      target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
      request_uri = [
        {
          operator = "CONTAINS"
          value    = "/keyword/here/"
        },
      ]
    }
  }
}

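As an added illustration (not code from the module or from this thread), a small Python model of how the custom_rules expression above evaluates. The preconfigured rule set is replaced by a constructed stub, and request.path.matches() is modelled as an unanchored RE2-style regex search, which is an assumption to check against the Cloud Armor rules-language docs. It shows that the path exclusion skips the whole rule set for matching paths, and that an unanchored pattern also matches paths that merely contain /keyword/here/.

```python
import re

# Constructed stand-in for the methodenforcement rule set. The real
# evaluatePreconfiguredWaf() scores the request against Google's
# OWASP CRS-based signatures; this stub only exists so the exclusion
# logic around it can be exercised offline.
FLAGGED_METHODS = {"TRACE", "CONNECT"}  # constructed, not the real rule set


def evaluate_preconfigured_waf(method: str, sensitivity: int = 1) -> bool:
    """Stub for evaluatePreconfiguredWaf('methodenforcement-v33-stable', ...)."""
    return method.upper() in FLAGGED_METHODS


def path_matches(path: str, pattern: str) -> bool:
    """Model of request.path.matches(): an unanchored RE2-style regex search."""
    return re.search(pattern, path) is not None


def custom_rule_denies(method: str, path: str, exclude_pattern: str) -> bool:
    """Evaluate the thread's expression:
    evaluatePreconfiguredWaf(...) && !request.path.matches(exclude_pattern)
    True means the rule's deny(403) action fires."""
    if not evaluate_preconfigured_waf(method):
        return False
    # For an excluded path the WAF verdict is discarded entirely, so every
    # signature in the rule set is skipped there, not just one rule id.
    return not path_matches(path, exclude_pattern)


def evaluate_requests(requests, exclude_pattern="/keyword/here/"):
    """Return {(method, path): denied} for the given (method, path) pairs."""
    return {(m, p): custom_rule_denies(m, p, exclude_pattern) for m, p in requests}


SAMPLE_REQUESTS = [  # constructed sample traffic
    ("GET", "/keyword/here/page"),       # not flagged: allowed either way
    ("TRACE", "/admin"),                 # flagged, not excluded: denied
    ("TRACE", "/keyword/here/x"),        # flagged but excluded: allowed
    ("TRACE", "/other/keyword/here/x"),  # unanchored match: also excluded
]

if __name__ == "__main__":
    for (method, path), denied in evaluate_requests(SAMPLE_REQUESTS).items():
        print(f"{method:7} {path:28} -> {'deny(403)' if denied else 'allow'}")
    # Anchoring the pattern narrows the exclusion to paths that start with it.
    print(evaluate_requests(SAMPLE_REQUESTS, r"^/keyword/here/"))
```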
@imrannayer imrannayer added the enhancement New feature or request label Sep 5, 2023
@imrannayer imrannayer added enhancement New feature or request and removed enhancement New feature or request labels Sep 5, 2023
@imrannayer (Member) commented

Created issue #66 to support this using custom_rules.

@nhu-nguyen27 (Author) commented

I see, I will move the rule out of pre_configured_rules block and add it under custom_rules block instead. Thank you for the suggestions.

@imrannayer (Member) commented

@nhu-nguyen27 We don't have pre_configured_waf_exclusion block support in the custom_rules variable. Do you need the pre_configured_waf_exclusion block?

@nhu-nguyen27 (Author) commented

No, I don't need pre_configured_waf_exclusion, because I tried to use it to exclude alerts from being triggered when certain keywords are in the path of the URI, like this:

"methodenforcement-v33-stable_level_1" = {
  action            = "deny(403)"
  preview           = true
  priority          = 6
  description       = "Method enforcement Level 1"
  target_rule_set   = "methodenforcement-v33-stable"
  sensitivity_level = 1
  preconfigured_waf_config_exclusion = {
    target_rule_set = "methodenforcement-v33-stable"
    target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
    request_uri = [
      {
        operator = "CONTAINS"
        value    = "/keyword/here/"
      },
    ]
  }
}

But it's not working, so I want to try to exclude the path match like this instead of the URI:

expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"
