Adding WAF Coraza+Caddy parser/scenario #942
base: master
Conversation
Hey 👋🏻 Thank you for opening a PR! We are going to need some tests for the parsers and scenarios. I left an initial comment since Coraza is a ModSecurity implementation, meaning a scenario on the rule id might not be best since you don't have to use CRS.
What type of input do you need for testing? The rule id chosen in the scenario is based on the inbound anomaly score that is triggered and can be tuned by the user (https://coreruleset.org/docs/concepts/anomaly_scoring/#anomaly-score-thresholds). I didn't find a better way to handle this. The CrowdSec ModSecurity scenario is triggered based on the severity of the alert, and it is too restrictive an approach.
Okay, the last thing is adding a Parser
I added the collection, is it looking good?
Hey there, just passing by. I came across this PR as it's exactly what I'm looking for. @LaurenceJJones, hope you don't mind the ping after so long, but are any more changes needed to get this merged? 🙂
The only issue I have with it is the scenario, as it's close to the original one we have for ModSecurity. However, I did forget about this, so I'll do this now.
…one will just unmarshal and pass, add to filter to ignore lines that are generated from WAF
What can I do to help you on this one?
I will look into it. The only thing I don't like is the modification that was needed to the original Caddy parser (which I had to do because we just unmarshal the JSON and move on). Maybe we can move this too.
Hello,
Hope this parser will find some love.
The goal of this parser is to parse WAF alerts from Coraza when Coraza is integrated as a plugin in Caddy.
The scenario is triggered based on the threshold of the inbound anomaly score set up by the user in the crs-setup.conf file.
The work on the parser is based on the work done in https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/modsecurity.yaml
It's time for me to eat a cake and take a nap.
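To make the two points of this thread concrete (pull the Coraza alert out of Caddy's JSON log, and fire on the CRS inbound anomaly-score threshold rather than on a single rule's severity), here is an added Python example. It is not the hub parser or scenario from this PR and not code from the CrowdSec, Coraza or Caddy projects. It assumes coraza-caddy writes the alert text into the `msg` field of a Caddy JSON log record using ModSecurity's bracketed `[key "value"]` layout, that the CRS blocking rule's message carries `Total Score: N`, and that the operator's threshold is the crs-setup.conf default of 5; the log records below are constructed for the example, not captured from a deployment.

```python
"""Parse Coraza WAF alerts embedded in Caddy JSON logs and trigger on the CRS
inbound anomaly-score threshold (added example, not the hub parser)."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records in the shape coraza-caddy is assumed to emit through
# Caddy's JSON logger. The first record is a plain access-log line that must be
# left alone; the rest carry WAF text in "msg". Not captured from a real host.
_SAMPLE_RECORDS = [
    {"level": "info", "logger": "http.log.access", "msg": "handled request",
     "request": {"remote_ip": "203.0.113.10", "uri": "/"}, "status": 200},
    {"level": "error", "logger": "http.handlers.waf",
     "msg": '[client "203.0.113.10"] Coraza: Warning. SQL Injection Attack Detected '
            '[file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] '
            '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
            '[data "Matched Data: s&1c found within ARGS:id"] [severity "critical"] '
            '[uri "/item?id=1%27%20OR%201=1"]'},
    {"level": "error", "logger": "http.handlers.waf",
     "msg": '[client "203.0.113.10"] Coraza: Access denied (phase 2). '
            'Inbound Anomaly Score Exceeded (Total Score: 5) '
            '[file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] '
            '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
            '[severity "emergency"] [uri "/item?id=1%27%20OR%201=1"]'},
    {"level": "error", "logger": "http.handlers.waf",
     "msg": '[client "198.51.100.7"] Coraza: Warning. Host header is a numeric IP address '
            '[file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "10"] '
            '[id "920350"] [msg "Host header is a numeric IP address"] '
            '[severity "warning"] [uri "/"]'},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]

# One [key "value"] pair; the value may contain backslash-escaped quotes.
_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Score reported by the CRS blocking-evaluation rule's message.
_SCORE_RE = re.compile(r"Total Score:\s*(\d+)")


@dataclass
class WafEvent:
    client_ip: str
    rule_id: str
    msg: str
    severity: str
    uri: str
    inbound_score: Optional[int]  # only set on the anomaly-score rule


def parse_line(line: str) -> Optional[WafEvent]:
    """Return a WafEvent for a Coraza alert line, None for anything else.

    Plain access-log records and non-JSON input are skipped so the regular
    Caddy access parser can keep handling them unchanged.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    msg = rec.get("msg", "")
    if not isinstance(msg, str) or "Coraza:" not in msg:
        return None
    kv = dict(_KV_RE.findall(msg))
    if "id" not in kv:
        return None
    score = _SCORE_RE.search(kv.get("msg", ""))
    return WafEvent(
        client_ip=kv.get("client", ""),
        rule_id=kv["id"],
        msg=kv.get("msg", ""),
        severity=kv.get("severity", "").lower(),
        uri=kv.get("uri", ""),
        inbound_score=int(score.group(1)) if score else None,
    )


def score_triggered(ev: WafEvent, threshold: int = 5) -> bool:
    """Threshold-based trigger: fire only when the CRS inbound score reaches
    the operator's limit (crs-setup.conf default assumed to be 5)."""
    return ev.inbound_score is not None and ev.inbound_score >= threshold


def severity_triggered(ev: WafEvent, levels=("emergency", "alert", "critical")) -> bool:
    """Severity-based trigger, the stricter approach: any single high-severity
    rule hit fires, regardless of the total score."""
    return ev.severity in levels


def offending_ips(lines: Iterable[str], threshold: int = 5) -> List[str]:
    """Client IPs whose requests crossed the inbound anomaly threshold."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and score_triggered(ev, threshold):
            hits.append(ev.client_ip)
    return hits


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ev = parse_line(ln)
        if ev:
            print(ev.rule_id, ev.severity, ev.inbound_score,
                  "score" if score_triggered(ev) else "-",
                  "severity" if severity_triggered(ev) else "-")
    print(offending_ips(SAMPLE_LINES))
```

Run against the constructed lines, the single 942100 hit is `critical` and would fire a severity-based scenario on its own, while the score-based trigger waits for rule 949110 to report that the inbound score reached the threshold; raising the threshold argument above the reported score (say 10) silences it, which is the tuning knob the PR description refers to.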