events logs not being captured & help in activating additional ruleset #327
rahulbhatu opened this issue Oct 1, 2019 · 1 comment
rahulbhatu commented Oct 1, 2019

Hi,
I have lua-resty-waf set up, but event logs are not being captured at the given file location.

nginx.conf 

user www-data;
worker_processes  auto;
pid /run/openresty.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    keepalive_timeout  65;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/openresty/access.log;
    error_log /var/log/openresty/error.log;

    gzip  on;
    gzip_disable "msie6";

    include ../sites/*;

    init_by_lua_block {
        require "resty.core"
        local lua_resty_waf = require "resty.waf"

        -- this translates and calculates a ruleset called 'ruleset_name';
        -- pcall keeps a translation failure from aborting nginx startup
        local ok, errs = pcall(function()
            lua_resty_waf.load_secrules("/usr/local/openresty/lua-resty-waf/rules/26_Apps_WordPress.conf")
        end)

        -- errs is an array-like table
        if errs then
            for i = 1, #errs do
                ngx.log(ngx.ERR, errs[i])
            end
        end

        -- init() is called once, after every load_secrules() call, so the
        -- translated ruleset is included in the precomputed rule tables
        lua_resty_waf.init()
    }

}

########################################################################

my default.conf

server {
    # Listen on port 80.
    listen 80 default_server;
    listen [::]:80 default_server;

    # The document root.
    root /usr/local/openresty/nginx/html/default;

    # Add index.php if you are using PHP.
    index index.html index.htm;

    # The server name, which isn't relevant in this case, because we only have one.
    server_name _;

    # When we try to access this site...
    location / {
        try_files $uri $uri/ =404;
    }
     
    location /example {
        default_type 'text/plain';

        access_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()

            waf:set_option("debug", true)
            waf:set_option("info", "true")
            waf:set_option("mode", "ACTIVE")
            waf:set_option("add_ruleset", "26_Apps_WordPress.conf")

            -- extra ngx.var values to include in each event; repeated
            -- set_option calls append to the list
            waf:set_option("event_log_ngx_vars", "host")
            waf:set_option("event_log_ngx_vars", "request_id")
            waf:set_option("event_log_ngx_vars", "server_port")
            waf:set_option("event_log_request_arguments", true)

            waf:set_option("allow_unknown_content_types", true)
            -- the file target is written by the worker process, so this path
            -- must be writable by the nginx 'user' (www-data in nginx.conf)
            waf:set_option("event_log_target", "file")
            waf:set_option("event_log_target_path", "/var/log/waf/eve.log")
            waf:set_option("process_multipart_body", true)
            waf:set_option("res_body_max_size", 1024 * 1024 * 2)
            waf:set_option("req_tid_header", false)
            waf:set_option("res_tid_header", false)
            waf:set_option("res_body_mime_types", {
                "text/plain", "text/html", "text/json", "application/json",
                "text/php", "text/x-php", "application/php", "application/x-php",
                "application/x-httpd-php", "application/x-httpd-php-source"
            })

            waf:exec()
        }

        content_by_lua_block {
            ngx.say('Hello, Sammy!')
        }

        header_filter_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
        }

        body_filter_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
        }

        log_by_lua_block {
            local lua_resty_waf = require "resty.waf"
            local waf = lua_resty_waf:new()
            waf:exec()
            -- flushes buffered events to the configured event_log_target
            waf:write_log_events()
        }
    }

    # Redirect server error pages to the static page /50x.html.
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /usr/local/openresty/nginx/html;
    }
}
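The thread never says what made the file target start working. With `event_log_target` set to `file`, the events are written by the nginx worker, which the nginx.conf above runs as `user www-data`, so the first thing to verify is that `/var/log/waf/eve.log` is creatable and appendable by that account. The check below is an added example, my own code rather than anything from the original post or from lua-resty-waf; the script name, the argument handling and the throwaway test cases are assumptions.

```python
"""Check that a lua-resty-waf event_log_target_path can be written by the
account the nginx workers run as.

Run it as that user (www-data in the nginx.conf above), for example:
    sudo -u www-data python3 check_waf_log_path.py /var/log/waf/eve.log
Script name and argument handling are my own; nothing here is part of
lua-resty-waf.
"""
import os
import sys
import tempfile


def event_log_path_problems(path):
    """Return a list of human-readable problems; an empty list means the
    current user can append to `path`. A successful check creates the file
    if it did not exist, the same way a file logger would."""
    problems = []
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    uid = os.getuid()

    if not os.path.isdir(parent):
        problems.append(f"directory {parent} does not exist (create it and chown it to the worker user)")
        return problems

    if os.path.isdir(path):
        problems.append(f"{path} is a directory, not a file")
        return problems

    if os.path.exists(path):
        if not os.access(path, os.W_OK):
            problems.append(f"{path} exists but is not writable by uid {uid}")
    elif not os.access(parent, os.W_OK | os.X_OK):
        problems.append(f"cannot create files in {parent} as uid {uid}")

    if not problems:
        # os.access can disagree with a real open() (ACLs, read-only mounts,
        # mandatory access control), so prove it with an append-mode open.
        try:
            with open(path, "a"):
                pass
        except OSError as exc:
            problems.append(f"open for append failed: {exc}")
    return problems


def demo_checks():
    """Exercise the check against constructed cases in a throwaway directory.
    Returns {case_name: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "waf")
        log_file = os.path.join(log_dir, "eve.log")
        results["missing_dir"] = event_log_path_problems(log_file)  # parent absent
        os.mkdir(log_dir)
        results["writable"] = event_log_path_problems(log_file)     # expected: []
        results["is_dir"] = event_log_path_problems(log_dir)        # path is a dir
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = event_log_path_problems(sys.argv[1])
        print("OK" if not found else "\n".join(found))
        sys.exit(1 if found else 0)
    for case, found in demo_checks().items():
        print(f"{case}: {found or 'OK'}")
```

Even with a writable path, a single test request may leave the file empty: the file target is buffered, `write_log_events()` in the log phase flushes it, and the README's `event_log_buffer_size` and `event_log_periodic_flush` options control when that flush happens. Lowering the buffer size or enabling the periodic flush while testing is the quickest way to tell a permissions problem from a buffering one.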

rahulbhatu commented Oct 3, 2019

Managed to get the event logs enabled in the file. The next challenge is

  1. I am converting the .conf rules to JSON using modsec2lua-resty-waf.pl. The rules are converted to JSON, and `echo $?` suggests the conversion was successful with status 0, but I get some errors. I am not sure if these are warnings, as comparing the .conf and JSON files, all rules are there.
root@ip-172-31-29-13:/usr/local/openresty/lua-resty-waf/tools# ./modsec2lua-resty-waf.pl < 26_Apps_WordPress.conf > 26_Apps_WordPress.json
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225120,chain,msg:'COMODO WAF: XSS vulnerability in WordPress before 4.6.1 (CVE-2016-7168)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'WordPress'
SecRule REQUEST_BASENAME @streq media-new.php chain,t:none,t:urlDecodeUni
SecRule FILES @rx (?:\<(.+)\>) chain,capture,t:none,t:urlDecodeUni
SecRule TX:1 @contains = t:none
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225140,chain,msg:'COMODO WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'WordPress'
SecRule ARGS_POST:action @streq upload-attachment chain,t:none,t:urlDecodeUni,t:lowercase
SecRule FILES @contains < chain,t:none,t:urlDecodeUni
SecRule REQUEST_BASENAME @streq async-upload.php t:none,t:urlDecodeUni,t:lowercase
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225141,chain,msg:'COMODO WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'WordPress'
SecRule ARGS_POST:html-upload @streq upload chain,t:none,t:lowercase
SecRule FILES @contains < chain,t:none,t:urlDecodeUni
SecRule REQUEST_FILENAME @streq media-new.php t:none,t:urlDecodeUni,t:lowercase
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225210,chain,msg:'COMODO WAF: Unrestricted file upload vulnerability in WordPress 4.9.7 (CVE-2018-14028)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'WordPress'
SecRule REQUEST_BASENAME @streq update.php chain,t:none,t:urlDecodeUni,t:lowercase
SecRule ARGS_GET:action @rx ^upload-(?:plugin|theme)$ chain,t:none,t:urlDecodeUni,t:lowercase
SecRule FILES !@rx \.zip$ t:none,t:urlDecodeUni,t:lowercase
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 674, <> line 170.
SecRule REQUEST_FILENAME @contains /wp-content/plugins/sexy-contact-form/includes/fileupload/ id:240020,chain,msg:'COMODO WAF: Protecting WordPress Creative Contact Form Files folder||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,rev:5,severity:2,tag:'CWAF',tag:'WordPress'
SecRule FILES @rx \.(?:php|js|pl)(?:\.|$) t:none,t:lowercase,t:urlDecodeUni
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform utf8toUnicode at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform utf8toUnicode at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform normalizePath at /usr/local/openresty/lua-resty-waf/tools/Modsec2LRW.pm line 951, <> line 170.
  2. After converting the rules to JSON, does moving them to the rules directory activate them, or does one have to call lua_resty_waf.load_secrules and add waf:set_option("add_ruleset", "example.conf") after converting to JSON?

Thanks

rahulbhatu changed the title from "events logs not being captured" to "events logs not being captured & help in activating additional ruleset" on Oct 3, 2019
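The translator's exit status of 0 says nothing about coverage: each "Cannot translate variable" warning above is followed by the SecRule chain the tool echoed because it could not convert it, so the rule IDs on those chain heads (225120, 225140, 225141, 225210, 240020 in the pasted output) are the ones to confirm against the JSON before trusting the ruleset. The script below is an added example, my own code and not part of lua-resty-waf or the original comment: it parses the translator's stderr as pasted above, lists the affected rule IDs and the transforms that were refused, and cross-checks the IDs against the JSON output by walking it for `id` keys. The stderr sample is constructed from the thread (module paths shortened), and the JSON document is a constructed stand-in whose layout is not claimed to match lua-resty-waf's real ruleset format.

```python
"""Summarise what modsec2lua-resty-waf.pl could not translate.

Usage (my own script, not part of lua-resty-waf):
    ./modsec2lua-resty-waf.pl < 26_Apps_WordPress.conf > 26_Apps_WordPress.json 2> translate.log
    python3 check_translation.py translate.log 26_Apps_WordPress.json
"""
import json
import re
import sys
from collections import Counter

# Constructed sample of the translator's stderr, abridged from the thread.
SAMPLE_STDERR = """\
Cannot translate variable FILES at Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225120,chain,msg:'COMODO WAF: XSS vulnerability in WordPress before 4.6.1 (CVE-2016-7168)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:2,severity:2,tag:'CWAF',tag:'WordPress'
SecRule REQUEST_BASENAME @streq media-new.php chain,t:none,t:urlDecodeUni
SecRule FILES @rx (?:\\<(.+)\\>) chain,capture,t:none,t:urlDecodeUni
SecRule TX:1 @contains = t:none
Cannot perform transform normalizePath at Modsec2LRW.pm line 951, <> line 170.
Cannot translate variable FILES at Modsec2LRW.pm line 674, <> line 170.
SecRule TX:WordPress @eq 1 id:225140,chain,msg:'COMODO WAF: XSS vulnerability in the in WordPress before 4.5.3 (CVE-2016-5834)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'WordPress'
SecRule ARGS_POST:action @streq upload-attachment chain,t:none,t:urlDecodeUni,t:lowercase
SecRule FILES @contains < chain,t:none,t:urlDecodeUni
SecRule REQUEST_BASENAME @streq async-upload.php t:none,t:urlDecodeUni,t:lowercase
Cannot perform transform normalizePath at Modsec2LRW.pm line 951, <> line 170.
Cannot perform transform utf8toUnicode at Modsec2LRW.pm line 951, <> line 170.
"""

# Constructed stand-in for the JSON output; only the "id" keys matter here and
# the real lua-resty-waf layout may differ.
SAMPLE_JSON = json.dumps({
    "access": [{"id": "225140", "operator": "EQUALS"},
               {"id": "240020", "operator": "CONTAINS"}],
    "header_filter": [],
})

VAR_RE = re.compile(r"^Cannot translate variable (\S+)")
TRANSFORM_RE = re.compile(r"^Cannot perform transform (\S+)")
ID_RE = re.compile(r"\bid:(\d+)")
MSG_RE = re.compile(r"msg:'([^']*)'")


def parse_translator_stderr(text):
    """Return (dropped, transforms): one dict per chain echoed after a
    'Cannot translate variable' warning, and a Counter of refused transforms."""
    dropped, transforms, current = [], Counter(), None
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            current = {"id": None, "variable": m.group(1), "msg": None, "chain": []}
            dropped.append(current)
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            transforms[m.group(1)] += 1
            current = None  # the echoed chain ends before the next warning
            continue
        if current is not None and line.startswith("SecRule"):
            current["chain"].append(line)
            # id and msg live on the chain head, which is echoed first
            m = ID_RE.search(line)
            if current["id"] is None and m:
                current["id"] = m.group(1)
            m = MSG_RE.search(line)
            if current["msg"] is None and m:
                current["msg"] = m.group(1)
    return dropped, transforms


def untranslated_rule_ids(text):
    """IDs of chain heads that used a variable the translator cannot map."""
    dropped, _ = parse_translator_stderr(text)
    return sorted({d["id"] for d in dropped if d["id"]})


def rule_ids_in_json(doc):
    """Every 'id' value anywhere in the parsed JSON, found by a generic walk
    so the check does not depend on the exact ruleset layout."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("id"), (str, int)):
                found.add(str(node["id"]))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return found


def missing_from_ruleset(stderr_text, json_text):
    """Warned-about rule IDs that are absent from the translated JSON."""
    wanted = set(untranslated_rule_ids(stderr_text))
    return sorted(wanted - rule_ids_in_json(json.loads(json_text)))


def report(stderr_text, json_text=None):
    """Human-readable summary lines."""
    dropped, transforms = parse_translator_stderr(stderr_text)
    lines = [f"rule {d['id']}: variable {d['variable']} not translated ({d['msg']})" for d in dropped]
    lines += [f"transform {name}: {n} warning(s)" for name, n in transforms.most_common()]
    if json_text is not None:
        lines += [f"rule {rid}: absent from translated JSON" for rid in missing_from_ruleset(stderr_text, json_text)]
    return lines


if __name__ == "__main__":
    stderr_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STDERR
    json_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_JSON
    print("\n".join(report(stderr_text, json_text)))
```

Run without arguments it reports on the constructed sample; run with the captured stderr and the real JSON it tells you which WordPress upload rules (the `FILES` chains) you are not getting from the translated set, which matters because those are the rules covering the unrestricted-upload and upload-XSS cases the ruleset's own messages name.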