[PoC] Suspicious attacker blocking

DataDog · Nov 20, 2023 · 3b3c35c · 3b3c35c
1 parent 55879e9
commit 3b3c35c
Show file tree

Hide file tree

Showing 8 changed files with 72 additions and 11 deletions.
diff --git a/src/collection.cpp b/src/collection.cpp
@@ -29,16 +29,14 @@ std::optional<event> match_rule(rule *rule, const object_store &store,
         return std::nullopt;
     }
 
-    bool skip_actions = false;
     auto exclusion = policy.find(rule);
-    if (exclusion.mode == exclusion::filter_mode::bypass) {
+    if (exclusion.mode == exclusion::filter_mode::block) {
+        DDWAF_DEBUG("Potentially blocking rule '{}'", id);
+    } else if (exclusion.mode == exclusion::filter_mode::bypass) {
         DDWAF_DEBUG("Bypassing rule '{}'", id);
         return std::nullopt;
-    }
-
-    if (exclusion.mode == exclusion::filter_mode::monitor) {
+    } else if (exclusion.mode == exclusion::filter_mode::monitor) {
         DDWAF_DEBUG("Monitoring rule '{}'", id);
-        skip_actions = true;
     }
 
     DDWAF_DEBUG("Evaluating rule '{}'", id);
@@ -54,8 +52,12 @@ std::optional<event> match_rule(rule *rule, const object_store &store,
         std::optional<event> event;
         event = rule->match(store, rule_cache, exclusion.objects, dynamic_matchers, deadline);
 
-        if (event.has_value() && skip_actions) {
-            event->skip_actions = true;
+        if (event.has_value()) {
+            if (exclusion.mode == exclusion::filter_mode::block) {
+                event->override_action = "block";
+            } else if (exclusion.mode == exclusion::filter_mode::monitor) {
+                event->skip_actions = true;
+            }
         }
 
         return event;

diff --git a/src/event.cpp b/src/event.cpp
@@ -99,7 +99,14 @@ void event_serializer::serialize(const std::vector<event> &events, ddwaf_result
             ddwaf_object_map_add(&rule_map, "name", to_object(tmp, event.rule->get_name()));
 
             const auto &actions = event.rule->get_actions();
-            if (!actions.empty()) {
+            if (!event.override_action.empty()) {
+                all_actions.emplace(event.override_action);
+
+                ddwaf_object actions_array;
+                ddwaf_object_array(&actions_array);
+                ddwaf_object_array_add(&actions_array, to_object(tmp, event.override_action));
+                ddwaf_object_map_add(&rule_map, "on_match", &actions_array);
+            } else if (!actions.empty()) {
                 ddwaf_object actions_array;
                 ddwaf_object_array(&actions_array);
                 if (!event.skip_actions) {

diff --git a/src/event.hpp b/src/event.hpp
@@ -34,6 +34,7 @@ struct event {
     std::vector<match> matches;
     bool ephemeral{false};
     bool skip_actions{false};
+    std::string override_action{};
 };
 
 using optional_event = std::optional<event>;

diff --git a/src/exclusion/common.hpp b/src/exclusion/common.hpp
@@ -19,7 +19,7 @@ class rule;
 
 namespace exclusion {
 
-enum class filter_mode : uint8_t { none = 0, monitor = 1, bypass = 2 };
+enum class filter_mode : uint8_t { none = 0, monitor = 1, bypass = 2, block = 3 };
 
 struct object_set {
     std::unordered_set<const ddwaf_object *> persistent;

diff --git a/src/parser/parser_v2.cpp b/src/parser/parser_v2.cpp
@@ -11,6 +11,7 @@
 #include <vector>
 
 #include "exception.hpp"
+#include "exclusion/common.hpp"
 #include "exclusion/object_filter.hpp"
 #include "generator/extract_schema.hpp"
 #include "indexer.hpp"
@@ -433,7 +434,9 @@ rule_filter_spec parse_rule_filter(
         on_match = exclusion::filter_mode::bypass;
     } else if (on_match_str == "monitor") {
         on_match = exclusion::filter_mode::monitor;
-    } else {
+    } else if (on_match_str == "block") {
+        on_match = exclusion::filter_mode::block;
+    }else {
         throw ddwaf::parsing_error("unsupported on_match value: " + std::string(on_match_str));
     }
 

diff --git a/...r/tests/exclusions/rule_filter/unconditional/011_rule11_rule_blocking_through_filter.yaml b/...r/tests/exclusions/rule_filter/unconditional/011_rule11_rule_blocking_through_filter.yaml
@@ -0,0 +1,22 @@
+{
+  name: "Rule blocking through exclusion filter",
+  runs: [
+    {
+      persistent-input: {
+        rule11-input: "rule11"
+      },
+      rules: [
+        {
+          11: [
+            {
+              address: rule11-input,
+              value: rule11
+            }
+          ]
+        }
+      ],
+      code: match,
+      actions: ["block"]
+    }
+  ]
+}
diff --git a/validator/tests/exclusions/rule_filter/unconditional/012_rule11_rule_not_blocking.yaml b/validator/tests/exclusions/rule_filter/unconditional/012_rule11_rule_not_blocking.yaml
@@ -0,0 +1,11 @@
+{
+  name: "Rule doesn't block due to no match",
+  runs: [
+    {
+      persistent-input: {
+        rule11-input: "rule12"
+      },
+      code: ok,
+    }
+  ]
+}
diff --git a/validator/tests/exclusions/rule_filter/unconditional/ruleset.yaml b/validator/tests/exclusions/rule_filter/unconditional/ruleset.yaml
@@ -40,6 +40,10 @@ exclusions:
     rules_target:
       - rule_id: "1"
     on_match: monitor
+  - id: "9"
+    rules_target:
+      - rule_id: "11"
+    on_match: block
 
 rules:
   - id: "1"
@@ -154,3 +158,14 @@ rules:
             - address: rule10-input
           regex: rule10
     on_match: [ block ]
+  - id: "11"
+    name: rule11-block-through-filter
+    tags:
+      type: flow11
+      category: category11
+    conditions:
+      - operator: match_regex
+        parameters:
+          inputs:
+            - address: rule11-input
+          regex: rule11