mirror of
https://github.com/openappsec/openappsec.git
synced 2025-09-29 19:24:26 +03:00
2024 April 14th update
This commit is contained in:
Ned Wright
@@ -50,9 +50,13 @@ public:
|
||||
|
||||
private:
|
||||
void readRules(cereal::JSONInputArchive &ar);
|
||||
void readTriggerId(cereal::JSONInputArchive &ar);
|
||||
void readExceptionId(cereal::JSONInputArchive &ar);
|
||||
void readDefaultAction(cereal::JSONInputArchive &ar);
|
||||
|
||||
std::vector<Rule> rules;
|
||||
std::string trigger_id;
|
||||
std::string exception_id;
|
||||
};
|
||||
|
||||
#endif // __IPS_BASIC_POLICY_H__
|
||||
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "log_generator.h"
|
||||
#include "parsed_context.h"
|
||||
#include "pm_hook.h"
|
||||
#include "i_generic_rulebase.h"
|
||||
|
||||
/// \namespace IPSSignatureSubTypes
|
||||
/// \brief Namespace containing subtypes for IPS signatures.
|
||||
@@ -348,8 +349,16 @@ public:
|
||||
/// \brief Construct a SignatureAndAction object.
|
||||
/// \param _signature The complete signature.
|
||||
/// \param _action The signature action.
|
||||
SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) :
|
||||
signature(_signature), action(_action)
|
||||
SignatureAndAction(
|
||||
std::shared_ptr<CompleteSignature> _signature,
|
||||
SignatureAction _action,
|
||||
std::string _trigger_id,
|
||||
std::string _exception_id)
|
||||
:
|
||||
signature(_signature),
|
||||
action(_action),
|
||||
trigger_id(_trigger_id),
|
||||
exception_id(_exception_id)
|
||||
{}
|
||||
|
||||
/// \brief Check if the signature is matched for prevention.
|
||||
@@ -375,6 +384,11 @@ public:
|
||||
return signature->getContext();
|
||||
}
|
||||
|
||||
LogTriggerConf getTrigger() const;
|
||||
|
||||
std::set<ParameterBehavior>
|
||||
getBehavior(const std::unordered_map<std::string, std::set<std::string>> &exceptions_dict) const;
|
||||
|
||||
private:
|
||||
/// \brief Get the action results for the IPS state.
|
||||
/// \param ips_state The IPS entry.
|
||||
@@ -382,6 +396,8 @@ private:
|
||||
|
||||
std::shared_ptr<CompleteSignature> signature;
|
||||
SignatureAction action;
|
||||
std::string trigger_id;
|
||||
std::string exception_id;
|
||||
};
|
||||
} // namespace IPSSignatureSubTypes
|
||||
|
||||
|
||||
@@ -17,6 +17,8 @@ public:
|
||||
private:
|
||||
IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
|
||||
std::vector<std::string> file_names;
|
||||
std::string trigger_id;
|
||||
std::string exception_id;
|
||||
};
|
||||
|
||||
#endif // __SNORT_BASIC_POLICY_H__
|
||||
|
||||
@@ -17,6 +17,8 @@ void
|
||||
RuleSelector::load(cereal::JSONInputArchive &ar)
|
||||
{
|
||||
readRules(ar);
|
||||
readTriggerId(ar);
|
||||
readExceptionId(ar);
|
||||
readDefaultAction(ar);
|
||||
}
|
||||
|
||||
@@ -36,7 +38,7 @@ RuleSelector::selectSignatures() const
|
||||
if (rule.isSignaturedMatched(*signature)) {
|
||||
if (rule.getAction() != IPSSignatureSubTypes::SignatureAction::IGNORE) {
|
||||
signature->setIndicators("Check Point", signatures_version);
|
||||
res.emplace_back(signature, rule.getAction());
|
||||
res.emplace_back(signature, rule.getAction(), trigger_id, exception_id);
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -52,6 +54,28 @@ RuleSelector::readRules(cereal::JSONInputArchive &ar)
|
||||
ar(cereal::make_nvp("rules", rules));
|
||||
}
|
||||
|
||||
void
|
||||
RuleSelector::readTriggerId(cereal::JSONInputArchive &ar)
|
||||
{
|
||||
try {
|
||||
ar(cereal::make_nvp("triggers", trigger_id));
|
||||
} catch (const cereal::Exception &e) {
|
||||
ar.setNextName(nullptr);
|
||||
trigger_id = "";
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
RuleSelector::readExceptionId(cereal::JSONInputArchive &ar)
|
||||
{
|
||||
try {
|
||||
ar(cereal::make_nvp("exceptions", exception_id));
|
||||
} catch (const cereal::Exception &e) {
|
||||
ar.setNextName(nullptr);
|
||||
exception_id = "";
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
RuleSelector::readDefaultAction(cereal::JSONInputArchive &ar)
|
||||
{
|
||||
|
||||
@@ -280,8 +280,7 @@ SignatureAndAction::getAction(const IPSEntry &ips_state) const
|
||||
exceptions_dict["sourceIdentifier"].insert(*env_source_identifier);
|
||||
}
|
||||
|
||||
I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>();
|
||||
auto behaviors = i_rulebase->getBehavior(exceptions_dict);
|
||||
auto behaviors = getBehavior(exceptions_dict);
|
||||
|
||||
set<BehaviorValue> override_actions;
|
||||
vector<string> override_ids;
|
||||
@@ -315,6 +314,23 @@ static const auto url_query = LogTriggerConf::WebLogFields::webUrlQuery;
|
||||
static const auto res_body = LogTriggerConf::WebLogFields::responseBody;
|
||||
static const auto res_code = LogTriggerConf::WebLogFields::responseCode;
|
||||
|
||||
LogTriggerConf
|
||||
SignatureAndAction::getTrigger() const
|
||||
{
|
||||
if (trigger_id.empty()) return getConfigurationWithDefault(LogTriggerConf(), "rulebase", "log");
|
||||
|
||||
return Singleton::Consume<I_GenericRulebase>::by<IPSComp>()->getLogTriggerConf(trigger_id);
|
||||
}
|
||||
|
||||
set<ParameterBehavior>
|
||||
SignatureAndAction::getBehavior(const unordered_map<string, set<string>> &exceptions_dict) const
|
||||
{
|
||||
I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>();
|
||||
if (exception_id.empty()) return i_rulebase->getBehavior(exceptions_dict);
|
||||
|
||||
return i_rulebase->getParameterException(exception_id).getBehavior(exceptions_dict);
|
||||
}
|
||||
|
||||
bool
|
||||
SignatureAndAction::matchSilent(const Buffer &sample) const
|
||||
{
|
||||
@@ -398,7 +414,7 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
|
||||
|
||||
dbgDebug(D_IPS) << "Signature matched - sending log";
|
||||
|
||||
auto &trigger = getConfigurationWithDefault(default_triger, "rulebase", "log");
|
||||
auto trigger = getTrigger();
|
||||
bool is_prevent = get<0>(override_action) == IPSSignatureSubTypes::SignatureAction::PREVENT;
|
||||
|
||||
auto severity = signature->getSeverity() < IPSLevel::HIGH ? Severity::HIGH : Severity::CRITICAL;
|
||||
|
||||
@@ -596,6 +596,8 @@ TEST_F(ComponentTest, check_filtering_by_year)
|
||||
|
||||
TEST_F(ComponentTest, log_fields)
|
||||
{
|
||||
generic_rulebase.preload();
|
||||
generic_rulebase.init();
|
||||
string config =
|
||||
"{"
|
||||
"\"IPS\": {"
|
||||
@@ -632,6 +634,8 @@ TEST_F(ComponentTest, log_fields)
|
||||
"\"assetId\": \"1-1-1\","
|
||||
"\"practiceId\": \"2-2-2\","
|
||||
"\"practiceName\": \"practice1\","
|
||||
"\"triggers\": \"5eaeefde6765c30010bae8b6\","
|
||||
"\"exceptions\": \"\","
|
||||
"\"defaultAction\": \"Detect\","
|
||||
"\"rules\": ["
|
||||
"{"
|
||||
@@ -643,10 +647,36 @@ TEST_F(ComponentTest, log_fields)
|
||||
"]"
|
||||
"}"
|
||||
"]"
|
||||
"},"
|
||||
"\"rulebase\": {"
|
||||
"\"log\": ["
|
||||
"{"
|
||||
"\"context\": \"triggerId(5eaeefde6765c30010bae8b6)\","
|
||||
"\"triggerName\": \"Logging Trigger\","
|
||||
"\"triggerType\": \"log\","
|
||||
"\"urlForSyslog\": \"\","
|
||||
"\"urlForCef\": \"128.1.1.1:333\","
|
||||
"\"acAllow\": false,"
|
||||
"\"acDrop\": true,"
|
||||
"\"complianceViolations\": true,"
|
||||
"\"complianceWarnings\": true,"
|
||||
"\"logToAgent\": true,"
|
||||
"\"logToCloud\": true,"
|
||||
"\"logToSyslog\": false,"
|
||||
"\"logToCef\": true,"
|
||||
"\"tpDetect\": true,"
|
||||
"\"tpPrevent\": true,"
|
||||
"\"verbosity\": \"Standard\","
|
||||
"\"webBody\": true,"
|
||||
"\"webHeaders\": true,"
|
||||
"\"webRequests\": true,"
|
||||
"\"webUrlPath\": true,"
|
||||
"\"webUrlQuery\": true"
|
||||
"}"
|
||||
"]"
|
||||
"}"
|
||||
"}";
|
||||
loadPolicy(config);
|
||||
setTrigger();
|
||||
|
||||
EXPECT_CALL(table, createStateRValueRemoved(_, _));
|
||||
EXPECT_CALL(table, getState(_)).WillRepeatedly(Return(&entry));
|
||||
@@ -829,6 +859,8 @@ TEST_F(ComponentTest, prxeem_exception_bug)
|
||||
" \"practiceId\": \"2-2-2\","
|
||||
" \"practiceName\": \"practice1\","
|
||||
" \"defaultAction\": \"Prevent\","
|
||||
" \"triggers\": \"\","
|
||||
" \"exceptions\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
|
||||
" \"rules\": []"
|
||||
" }"
|
||||
" ]"
|
||||
@@ -847,6 +879,11 @@ TEST_F(ComponentTest, prxeem_exception_bug)
|
||||
" \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764003\","
|
||||
" \"parameterType\": \"exceptions\","
|
||||
" \"parameterName\": \"exception\""
|
||||
" },"
|
||||
" {"
|
||||
" \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
|
||||
" \"parameterType\": \"exceptions\","
|
||||
" \"parameterName\": \"exception\""
|
||||
" }"
|
||||
" ],"
|
||||
" \"zoneId\": \"\","
|
||||
@@ -855,7 +892,7 @@ TEST_F(ComponentTest, prxeem_exception_bug)
|
||||
" ],"
|
||||
" \"exception\": ["
|
||||
" {"
|
||||
" \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764003)\","
|
||||
" \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764004)\","
|
||||
" \"match\": {"
|
||||
" \"type\": \"operator\","
|
||||
" \"op\": \"and\","
|
||||
|
||||
@@ -16,6 +16,19 @@ using namespace std;
|
||||
void
|
||||
SnortRuleSelector::load(cereal::JSONInputArchive &ar)
|
||||
{
|
||||
try {
|
||||
ar(cereal::make_nvp("triggers", trigger_id));
|
||||
} catch (const cereal::Exception &e) {
|
||||
ar.setNextName(nullptr);
|
||||
trigger_id = "";
|
||||
}
|
||||
|
||||
try {
|
||||
ar(cereal::make_nvp("exceptions", exception_id));
|
||||
} catch (const cereal::Exception &e) {
|
||||
ar.setNextName(nullptr);
|
||||
exception_id = "";
|
||||
}
|
||||
string mode;
|
||||
ar(cereal::make_nvp("mode", mode), cereal::make_nvp("files", file_names));
|
||||
|
||||
@@ -38,7 +51,7 @@ SnortRuleSelector::selectSignatures() const
|
||||
|
||||
for (auto &file : file_names) {
|
||||
for (auto &signature : (*signatures).getSignatures(file)) {
|
||||
res.emplace_back(signature, action);
|
||||
res.emplace_back(signature, action, trigger_id, exception_id);
|
||||
}
|
||||
}
|
||||
return res;
|
||||
|
||||
Reference in New Issue
Block a user