
Custom Rule with Country Code #92

Closed
cm91 opened this issue Jan 17, 2024 · 12 comments
Labels
bug Something isn't working

Comments

@cm91

cm91 commented Jan 17, 2024

Hi,

I've tried to create a custom rule to block access from several countries.
Unfortunately this is not working. I also cannot see any country related information in the events.

I'm using the docker agent + the nginx attachment image and blocking of different threats is working as expected.

Is Premium or Enterprise Edition needed to make this work?

Thanks in advance.

@orianelou
Collaborator

Hi @cm91,

The Country Code custom rule is included in the community editions. It resolves the country based on the source IP address, and ISO-3166 Alpha-2 codes are recommended for country-based exceptions. You can find the codes here.

Kindly confirm your correct configuration of the country code. Additionally, could you share a screenshot of the expectation you've set up (you can redact the country code)?

Thanks!

@cm91
Author

cm91 commented Jan 17, 2024

Thanks for the response. I'm pretty sure that my country code is correct.
My rule looks like this:
[screenshot: ccode]

@cm91
Author

cm91 commented Jan 17, 2024

I also mentioned some log entries:

==> cp-nano-http-transaction-handler.dbg2 <==
[2024-01-17T10:36:34.820867: : <37> operator()@WaapOverrideFunctor.cc:119 | ###] Invalid override tag:countrycode

@orianelou
Collaborator

Hi @cm91,

As long as the country code is correct everything seems good. Could you please send your tenant ID to info@openappsec.io, we'll look into this.

Thank you!

@cm91
Author

cm91 commented Jan 17, 2024

Thanks, I've sent the mail a few hours ago, feel free to check and let me know if you need further information.

Currently my setup is pretty basic, both docker containers are started as mentioned in the documentation.
All I did in nginx was to add my hostname to the server name line and change the port from 80 to 8080.

@5hin0bi

5hin0bi commented Jan 22, 2024

Hello.
Any update on this issue? I've had no luck with countryCode based exceptions in my kubernetes cluster as well.

My story:
I manage appsec via the CRD resources and it works pretty well with url based and source ip based exceptions. But there is some problem with the countryCode.

As far as I understood there is some limitation on the geo filtering mentioned in the limitations here https://docs.openappsec.io/release-notes

Country-based Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the keys Country Name or Country Code cannot be defined with additional conditions based on other keys in the same exception. There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using country code/name, and others using other keys.

So I've created separate exception CRD and mentioned two exceptions in the policy CRD via the array under the exceptions key. But it didn't work too.

Kindly asking for help! Thank you in advance.

@orianelou
Collaborator

Hi @5hin0bi,

We are looking into this, could you please share the CRDs you've created (both exception & policy), if you prefer you can send it to info@openappsec.io.

Also, does setting the country-code based exception CRDs only work correctly?

Thank you!

@5hin0bi

5hin0bi commented Jan 22, 2024

@orianelou

"could you please share the CRDs you've created (both exception & policy)"
Policy:

apiVersion: openappsec.io/v1beta1
kind: Policy
metadata:
    name: open-webapp-best-practice-policy
spec:
    default:
        mode: prevent
        practices:
            - webapp-best-practice
        triggers:
            - appsec-log-trigger-custom
        custom-response: 403-forbidden
        source-identifiers: ""
        trusted-sources: ""
        exceptions:
            # - appsec-exception
            - appsec-exception-contry-code-us

Exception:

apiVersion: openappsec.io/v1beta1
kind: Exception
metadata:
  name: appsec-exception-contry-code-us
spec:
  - action: accept
    comment: Allow US
    countryCode:
      - US

"Also, does setting the country-code based exception CRDs only work correctly?"
Unfortunately, negative.
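The release-notes limitation quoted earlier in this thread (a country code or country name key cannot be combined with other condition keys in the same exception rule; separate rules are OR-ed) and the ISO-3166 Alpha-2 recommendation from the first reply are both things that can be checked before a CRD is applied. The following is an added example, not open-appsec's own code: it builds the posted Policy and Exception CRDs as Python dicts (constructed from the YAML above, so it runs without a YAML library), checks each exception rule for a country key mixed with another condition key, checks that country codes are two uppercase letters, and checks that every exception name the policy references actually exists. The key name `url` in the deliberately mixed sample rule, and the treatment of `countryName` as a country key, are assumptions for illustration only.

```python
import re

# Constructed from the Exception CRD posted in this thread (not the project's code).
EXCEPTION_US = {
    "apiVersion": "openappsec.io/v1beta1",
    "kind": "Exception",
    "metadata": {"name": "appsec-exception-contry-code-us"},
    "spec": [
        {"action": "accept", "comment": "Allow US", "countryCode": ["US"]},
    ],
}

# Constructed sample of the unsupported shape: a country key combined with another
# condition key in ONE rule. 'url' is an assumed key name used only for illustration.
EXCEPTION_MIXED = {
    "apiVersion": "openappsec.io/v1beta1",
    "kind": "Exception",
    "metadata": {"name": "example-mixed"},
    "spec": [
        {"action": "accept", "comment": "Allow US on one path",
         "countryCode": ["US"], "url": ["/health"]},
    ],
}

# Constructed from the Policy CRD posted in this thread.
POLICY = {
    "apiVersion": "openappsec.io/v1beta1",
    "kind": "Policy",
    "metadata": {"name": "open-webapp-best-practice-policy"},
    "spec": {
        "default": {
            "mode": "prevent",
            "practices": ["webapp-best-practice"],
            "triggers": ["appsec-log-trigger-custom"],
            "custom-response": "403-forbidden",
            "source-identifiers": "",
            "trusted-sources": "",
            "exceptions": ["appsec-exception-contry-code-us"],
        }
    },
}

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")
COUNTRY_KEYS = {"countryCode", "countryName"}   # countryName assumed by analogy
NON_CONDITION_KEYS = {"action", "comment"}      # present in the posted CRD, not conditions


def check_exception(crd):
    """Return a list of problems found in one Exception CRD (empty list means OK)."""
    problems = []
    if crd.get("kind") != "Exception":
        problems.append("kind is not Exception")
    base = crd.get("metadata", {}).get("name", "?")
    for i, rule in enumerate(crd.get("spec") or []):
        where = f"{base}[{i}]"
        condition_keys = set(rule) - NON_CONDITION_KEYS
        country = condition_keys & COUNTRY_KEYS
        other = condition_keys - COUNTRY_KEYS
        # Documented limitation: a country key must not share a rule with other keys.
        if country and other:
            problems.append(
                f"{where}: {sorted(country)} combined with {sorted(other)} in one rule; "
                "use separate exception rules instead (note: separate rules are OR-ed, "
                "so the exception becomes broader)"
            )
        # ISO-3166 Alpha-2 codes are two uppercase letters, e.g. US or DE.
        for code in rule.get("countryCode", []):
            if not ISO_ALPHA2.match(str(code)):
                problems.append(f"{where}: countryCode {code!r} is not ISO-3166 Alpha-2")
    return problems


def check_policy_references(policy, exceptions):
    """Return the exception names a Policy references that no given Exception CRD defines."""
    defined = {e.get("metadata", {}).get("name") for e in exceptions}
    referenced = policy.get("spec", {}).get("default", {}).get("exceptions") or []
    return [name for name in referenced if name not in defined]


if __name__ == "__main__":
    for crd in (EXCEPTION_US, EXCEPTION_MIXED):
        print(crd["metadata"]["name"], check_exception(crd) or "OK")
    print("missing exceptions:", check_policy_references(POLICY, [EXCEPTION_US]) or "none")
```

Run as-is, the posted CRDs pass both checks, which matches the thread's conclusion that the configuration was correct and the failure was on the product side (later confirmed fixed in a release). The mixed sample is reported as unsupported; the comment in that message is the important caveat when splitting such a rule, because two separate rules are combined with OR and therefore accept more traffic than the single combined rule would have.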

@orianelou orianelou added the bug Something isn't working label Jan 22, 2024
@orianelou
Collaborator

Thank you! We are looking into this and hope to update you soon.

@5hin0bi

5hin0bi commented Jan 22, 2024

Thank you for your quick responses!

I must say that open-appsec is one of the best things that happened to my cluster lately, please keep up the good work!

Eagerly looking forward to the fix!

@cm91
Author

cm91 commented Feb 12, 2024

Hi,

my containers got updated during the night and today I've noticed that the geolocation for my IP was resolved and blocked due to:

Practice Type:
HTTP Geo Filter

I'll keep monitoring for some more days, but for now it looks like you've been able to fix it!

Thanks,
Christian

@orianelou
Collaborator

Hi,

The issue was fixed as part of our latest release.
