Custom Actions for templates #4

Open
Sebitosh opened this issue Dec 16, 2024 · 0 comments

Objective

Add a feature to define custom actions to SecRules/SecActions in templates. The custom actions should be defined per-file. There should be the possibility to add multiple lines of actions, defined as an array of actions, and there should be the possibility to define multiple sets of actions to be used to define combinations of test cases.

Current features

Let's describe how MRTS generates SecRules and SecActions with templates.

global:
  version: MRTS/0.1
  baseid: 100000
  default_operator: "@rx"
  templates:
  - name: "SecRule for TARGETS"
    template: |
      SecRule $TARGET "$OPERATOR $OPARG" \
          "id:$CURRID,\
          phase:$PHASE,\
          deny,\
          t:none,\
          log,\
          msg:'%{MATCHED_VAR_NAME} was caught in phase:$PHASE',\
          ver:'$VERSION'"

Templates are defined globally, and used per-file for a collection of test cases.

General variables in templates are simply replaced with their value in a dictionary, such as $VERSION with what is found in version.

Other variables, however, are used in generating combinations of test cases, such as $TARGET, $OPERATOR, $OPARG and $PHASE. For each of these variables, there is either one variable per file, making the generated tests only use this variable, or there is a list of variables used to generate combinations of test cases.

Proposition

In the same way as those variables, the idea would be to add a new variable $ACTIONS, such that it can be added to any template:

    template: |
      SecRule $TARGET "$OPERATOR $OPARG" \
          "id:$CURRID,\
          phase:$PHASE,\
          t:none,\
          log,\
          msg:'%{MATCHED_VAR_NAME} was caught in phase:$PHASE',\
          ver:'$VERSION',\
          $ACTIONS"

In MRTS yaml files, a new actions section would be used to define the directives to be replaced, as a list of lists:

target: XML
rulefile: MRTS_110_XML.conf
testfile: MRTS_110_XML.yaml
templates:
- SecRule for TARGETS
colkey:
- - '/*'
operator:
- '@beginsWith'
oparg:
- foo
actions:
  - action:
      - deny
      - status:403
  - action: 
      - deny
      - status:404
      - setenv:'variable=abc'
phase:
- 2
- 3
- 4
testdata:
...

This example would add the combinations:

SecRule ARGS "@contains attack" \
    "id:100001,\
    phase:2,\
    t:none,\
    log,\
    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
    ver:'MRTS/0.1',\
    deny,\
    status:403"

SecRule ARGS "@contains attack" \
    "id:100002,\
    phase:2,\
    t:none,\
    log,\
    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
    ver:'MRTS/0.1',\
    deny,\
    status:404,\
    setenv:'variable=abc'"
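
An added example (not MRTS's own code) of the expansion proposed above: each set under `actions` is joined into `$ACTIONS`, and one rule is emitted per phase and action-set combination. Assumptions: `string.Template` stands in for the substitution step, the names `render_actions` and `generate_rules` are hypothetical, `colkey` handling is left out, and the combination order and the rejection of double quotes and line breaks in action values are choices made for this example.

```python
import itertools
from string import Template

# Template from the proposal, with the proposed $ACTIONS placeholder.
RULE_TEMPLATE = Template('''SecRule $TARGET "$OPERATOR $OPARG" \\
    "id:$CURRID,\\
    phase:$PHASE,\\
    t:none,\\
    log,\\
    msg:'%{MATCHED_VAR_NAME} was caught in phase:$PHASE',\\
    ver:'$VERSION',\\
    $ACTIONS"
''')

def render_actions(action_set):
    """Join one set of actions into the multi-line form used inside the rule."""
    for action in action_set:
        # Assumption: an action value must not close the quoted action list
        # or start a new directive, so double quotes and line breaks are refused.
        if not action or any(c in action for c in '"\r\n'):
            raise ValueError(f"unsafe action value: {action!r}")
    return ",\\\n    ".join(action_set)

def generate_rules(conf, version, baseid):
    """Return one rule per combination; ids count up from baseid + 1."""
    action_sets = [entry["action"] for entry in conf["actions"]]
    combos = itertools.product(conf["operator"], conf["oparg"],
                               conf["phase"], action_sets)
    rules = []
    for offset, (op, oparg, phase, action_set) in enumerate(combos, start=1):
        rules.append(RULE_TEMPLATE.substitute(
            TARGET=conf["target"], OPERATOR=op, OPARG=oparg,
            CURRID=baseid + offset, PHASE=phase, VERSION=version,
            ACTIONS=render_actions(action_set)))
    return rules

# Constructed sample: the per-file YAML from the proposal, already parsed.
SAMPLE = {
    "target": "XML", "operator": ["@beginsWith"], "oparg": ["foo"],
    "actions": [
        {"action": ["deny", "status:403"]},
        {"action": ["deny", "status:404", "setenv:'variable=abc'"]},
    ],
    "phase": [2, 3, 4],
}

if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE, "MRTS/0.1", 100000)))
```

With three phases and two action sets, the sample yields six rules with ids 100001 to 100006.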