DokiDoki1103 commented on issue #2044:
URL: https://github.com/apache/apisix-ingress-controller/issues/2044#issuecomment-1815702756

    I tested and found that it is not just one plugin that is not working; it seems that all plugins are not working, such as
    https://github.com/coreruleset/coreruleset/blob/v3.2/dev/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    
    ```
    {
        "id": "getting-started-waf",
        "uri": "/anything/*",
        "plugins": {
            "coraza-filter": {
                "conf": {
                    "directives_map": {
                        "default": [
                            "SecDebugLogLevel 9",
                            "SecRuleEngine On",
                            "Include @crs-setup-demo-conf",
                            "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
                        ]
                    },
                    "default_directives": "default"
                }
            }
        },
        "upstream": {
            "type": "roundrobin",
            "nodes": {
                "httpbin.org:80": 1
            }
        }
    }
    ```
    
    
    <img width="904" alt="image" src="https://github.com/apache/apisix-ingress-controller/assets/62740231/de85270a-8b52-4fc0-ae42-bb92ba7d3414">
   
    
    ```
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941160 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941160 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [emerg] 240#240: *4059042 [client ""] Coraza: Warning. NoScript XSS InjectionChecker: HTML Injection [file "@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "943"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <body  found within REQUEST_COOKIES_NAMES:<body onload: <body onload"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/anything/unix"] [unique_id "hlvdigxudQknOIWCbie"], client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941390 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941390 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [emerg] 240#240: *4059042 [client ""] Coraza: Warning. Javascript method detected [file "@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "1437"] [id "941390"] [rev ""] [msg "Javascript method detected"] [data "Matched Data: alert( found within REQUEST_COOKIES:<body onload: \"alert(1)\">"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/anything/unix"] [unique_id "hlvdigxudQknOIWCbie"], client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941320 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [error] 240#240: *4059042 Invalid value tx_id="hlvdigxudQknOIWCbie" var_value="+tx.critical_anomaly_score" rule_id=941320 error="strconv.Atoi: parsing "tx.critical_anomaly_score": invalid syntax", client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    2023/11/17 03:41:34 [emerg] 240#240: *4059042 [client ""] Coraza: Warning. Possible XSS Attack Detected - HTML Tag Handler [file "@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "1668"] [id "941320"] [rev ""] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <body  found within REQUEST_COOKIES_NAMES:<body onload: <body onload"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "capec/1000/152/242/63"] [tag "PCI/6.5.1"] [tag "paranoia-level/2"] [hostname ""] [uri "/anything/unix"] [unique_id "hlvdigxudQknOIWCbie"], client: 124.42.51.91, server: _, request: "POST /anything/unix HTTP/1.1", host: "lyck6.cn"
    ```
   

