Comments (5)
Can you share your settings? I've sent this payload to our playground and it is detected by Coraza and CRS.
from coraza-spoa.
haproxy.conf:
global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000

mailers mymailers
    mailer smtp1 noreply-com.mail.protection.outlook.com:25

http-errors myerrors
    errorfile 403 /usr/local/haproxy/etc/errors/403.http

frontend http-frontend
    bind x.x.x.x:80
    redirect scheme https if !{ ssl_fc }

frontend https_frontend
    bind x.x.x.x:443 ssl crt /nfs/noreply.crt
    mode http
    option httpclose
    default_backend web_server

backend web_server
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option forwardfor
    server s1 127.0.0.1:80

frontend http_frontend
    bind 127.0.0.1:80
    mode http
    unique-id-format %[uuid()]
    unique-id-header X-Unique-ID
    errorfiles myerrors
    http-response return status 403 default-errorfiles if { status 403 }
    log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.fail)]"
    filter spoe engine coraza config /usr/local/haproxy/etc/coraza.cfg
    # Deny for Coraza WAF hits
    http-request deny if { var(txn.coraza.action) -m str deny }
    http-response deny if { var(txn.coraza.action) -m str deny }
    use_backend https_web_server

backend https_web_server
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server s1 x.x.x.x:443 ssl verify none check cookie s1
    server s2 x.x.x.x:443 ssl verify none check cookie s2
    server s3 x.x.x.x:443 ssl verify none check cookie s3

backend coraza-spoa
    mode tcp
    email-alert mailers mymailers
    email-alert from [email protected]
    email-alert to [email protected]
    server s1 x.x.x.x:9000 check
coraza.cfg
# https://github.com/haproxy/haproxy/blob/master/doc/SPOE.txt
[coraza]
spoe-agent coraza-agent
    messages coraza-req coraza-res
    option var-prefix coraza
    option set-on-error error
    timeout hello 100ms
    timeout idle 2m
    timeout processing 500ms
    use-backend coraza-spoa
    log global

spoe-message coraza-req
    args app=str(sample_app) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    event on-frontend-http-request

spoe-message coraza-res
    args app=str(sample_app) id=unique-id version=res.ver status=status headers=res.hdrs body=res.body
    event on-http-response
On the coraza server....
config.yaml
# The SPOA server bind address
bind: 0.0.0.0:9000

# Process request and response with this application if provided app name is not found.
# You can remove or comment out this config param if you don't need "default_application" functionality.
default_application: sample_app

applications:
  sample_app:
    # Get the coraza.conf from https://github.com/corazawaf/coraza
    #
    # Download the OWASP CRS from https://github.com/coreruleset/coreruleset/releases
    # and copy crs-setup.conf & the rules, plugins directories to /etc/coraza-spoa
    rules:
      - Include /etc/coraza-spoa/coraza.conf
      - Include /etc/coraza-spoa/crs-setup.conf
      - Include /etc/coraza-spoa/rules/*.conf

    # The transaction cache lifetime in milliseconds (60000ms = 60s)
    transaction_ttl_ms: 60000
    # The maximum number of transactions which can be cached
    transaction_active_limit: 100000
    # The log level configuration, one of: debug/info/warn/error/panic/fatal
    log_level: info
    # The log file path
    log_file: /var/log/corazo.log
coraza.conf is empty, crs-setup.conf is the default, and rules/*.conf is the coreruleset.
from coraza-spoa.
Hi
I tested this with my Coraza haproxy and it detects without any problem...
(I redacted IP data)
{"level":"error","ts":1693058026.2358866,"msg":"[client "xxxxxxxxxxxx"] Coraza: Access denied (phase 2). SQL Injection Attack Detected via libinjection [file "/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "7359"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s;EnE found within ARGS:bfirstname: Dave '; update subscribers set username='joe' where username='joe';--"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxxxx"] [uri "/apps/files/?dir=/&fileid=7&fullname=&bfirstname=Dave+%27%3B+update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B--"] [unique_id "WDdWKQltDBvdNBGelwL"]\n"}
And I have a deny in the haproxy logs
2023-08-26T13:59:24+00:00 xxxx haproxy[29]: xxxxxxx [26/Aug/2023:13:59:24.490] http-in~ http-in/ 18/1/-1/-1/-1/-1/-1/52 -1 0 - - PR-- 2/1/0/0/0 0/0 "GET https://xxxxxxxxxxx/?dir=/&fileid=7&fullname=&bfirstname=Dave+%27%3B+update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B-- HTTP/2.0" - spoa-error: - waf-action: deny waf-data: -
My haproxy config
    #Coraza
    filter spoe engine coraza config /usr/local/etc/haproxy/spoe-coraza.conf
    # Deny for Coraza WAF hits
    http-request silent-drop if { var(txn.coraza.action) -m str deny }

backend coraza-spoa
    mode tcp
    server s1 127.0.0.1:9000
spoe-coraza.conf
[coraza]
spoe-agent coraza-agent
    messages coraza-req
    option var-prefix coraza
    option set-on-error error
    timeout hello 2s
    timeout idle 2m
    timeout processing 15s
    use-backend coraza-spoa
    log global

spoe-message coraza-req
    args app=fe_name id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    event on-frontend-http-request
I don't use http-response because, at least for me, it has errors with the cache memory and doesn't work.
Maybe your problem is that you have coraza.conf empty; that is modsecurity.conf in the ModSec project.
Edit: You can download it from this URL: https://github.com/corazawaf/coraza/blob/main/coraza.conf-recommended
Regards and sorry for my English.....
from coraza-spoa.
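Parsing the deny entry quoted in the comment above into fields a SIEM can alert on, as an added example that is not code from coraza-spoa: the sample line is a constructed re-encoding of that entry, and the unique_id it pulls out is the same value HAProxy passes as id=unique-id, so it joins back to the %ID / X-Unique-ID in the first poster's log-format.

```python
import json
import re

# Constructed sample: the Coraza deny entry quoted above (hosts redacted), re-encoded
# as the valid JSON the logger writes (the inner quotes are escaped in the real line).
SAMPLE_MSG = (
    '[client "xxxxxxxxxxxx"] Coraza: Access denied (phase 2). '
    'SQL Injection Attack Detected via libinjection '
    '[file "/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "7359"] '
    '[id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: s;EnE found within ARGS:bfirstname: Dave \'; update subscribers '
    'set username=\'joe\' where username=\'joe\';--"] [severity "critical"] '
    '[ver "OWASP_CRS/4.0.0-rc1"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] '
    '[hostname "xxxxxxxxxxx"] [uri "/apps/files/?dir=/&fileid=7&fullname=&bfirstname=Dave+%27%3B+'
    'update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B--"] '
    '[unique_id "WDdWKQltDBvdNBGelwL"]\n'
)
SAMPLE_LINE = json.dumps({"level": "error", "ts": 1693058026.2358866, "msg": SAMPLE_MSG})

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # one [key "value"] pair
PHASE_RE = re.compile(r"\(phase (\d)\)")


def parse_coraza_log(line: str) -> dict:
    """Flatten one JSON log line: envelope fields, every [key "value"] pair from
    msg (repeated 'tag' keys become a list), the phase, and whether the engine
    actually denied the request rather than only logging a match."""
    entry = json.loads(line)
    msg = entry["msg"]
    event = {"level": entry["level"], "ts": entry["ts"], "tags": []}
    for key, value in FIELD_RE.findall(msg):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    phase = PHASE_RE.search(msg)
    event["phase"] = int(phase.group(1)) if phase else None
    event["denied"] = "Access denied" in msg
    return event


def hits_by_rule(lines) -> dict:
    """Count denied events per rule id across a batch of log lines."""
    counts = {}
    for line in lines:
        event = parse_coraza_log(line)
        if event["denied"] and "id" in event:
            counts[event["id"]] = counts.get(event["id"], 0) + 1
    return counts
```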
Hello,
I agree this is detected when attempted in the URL itself. It's when it's in the payload that it seems to be missed. I have gzip disabled, so it's not compressing it. And you can see in my tcpflow what coraza is seeing/haproxy is sending.
from coraza-spoa.
I see what you are saying about the coraza.cfg file... and the body setting in there. Thank you. I will try that.
from coraza-spoa.
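The "body setting" the last two comments point at is what an empty coraza.conf leaves out: coraza.conf-recommended sets SecRequestBodyAccess On (it also ships SecRuleEngine DetectionOnly, which has to become On for a deny to happen). As an added example that is not code from coraza-spoa, this walks the Include chain from the config.yaml above and reports the effective setting; the paths, the trimmed 942100 rule and the file contents are constructed stand-ins.

```python
import fnmatch

# Constructed in-memory stand-in for the /etc/coraza-spoa tree listed in the config.yaml
# above; the rule is a trimmed stand-in for CRS 942100 written with SecLang continuations.
RULE_942100 = '''SecRule ARGS "@detectSQLi" \\
    "id:942100,\\
    phase:2,block"
'''
FILES_EMPTY_CONF = {
    "/etc/coraza-spoa/coraza.conf": "",  # the empty file from the report
    "/etc/coraza-spoa/crs-setup.conf": '# crs-setup.conf\nSecDefaultAction "phase:2,log,pass"\n',
    "/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf": RULE_942100,
}
# Same tree once coraza.conf carries the two directives that matter here.
FILES_FIXED_CONF = {**FILES_EMPTY_CONF,
                    "/etc/coraza-spoa/coraza.conf": "SecRuleEngine On\nSecRequestBodyAccess On\n"}
ROOT_RULES = [
    "Include /etc/coraza-spoa/coraza.conf",
    "Include /etc/coraza-spoa/crs-setup.conf",
    "Include /etc/coraza-spoa/rules/*.conf",
]

def directives(files, lines, depth=0):
    """Yield (directive, argument) in load order: comments skipped, continuations joined, Include globs expanded."""
    if depth > 16:
        raise RecursionError("Include nesting too deep")
    pending = ""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # SecLang continuation: keep collecting
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        name, _, arg = line.partition(" ")
        if name == "Include":
            for path in sorted(p for p in files if fnmatch.fnmatch(p, arg.strip())):
                yield from directives(files, files[path].splitlines(), depth + 1)
        else:
            yield name, arg.strip()

def body_inspection_state(files, root_lines):
    """Effective settings after the whole Include chain (last directive wins)."""
    state = {"SecRuleEngine": None, "SecRequestBodyAccess": None, "rules": 0}
    for name, arg in directives(files, root_lines):
        if name == "SecRule":
            state["rules"] += 1
        elif name in state:
            state[name] = arg
    state["request_body_inspected"] = (state["SecRequestBodyAccess"] or "").lower() == "on"
    return state
```

Independently of the rule side, HAProxy only fills req.body for the on-frontend-http-request event when the frontend buffers the request body (option http-buffer-request), so that is the other thing to check when a payload looks missed.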