Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom rule filter actions #303

Merged
merged 9 commits into from
Jun 24, 2024
Merged

Custom rule filter actions #303

merged 9 commits into from
Jun 24, 2024

Conversation

Anilm3
Copy link
Collaborator

@Anilm3 Anilm3 commented Jun 6, 2024
edited
Loading

This PR introduces support for custom exclusion filter actions, limited to rule filters only. The filter custom action allows overriding the "blocking" (i.e. block, redirect, monitor) action of a rule if the exclusion filter is evaluated positively. For example, when the following filter matches the given IP, rule 1 is set to block:

exclusions:
  - id: 1
    rules_target:
      - rule_id: 1
    conditions:
      - operator: ip_match
        parameters:
          inputs:
            - address: http.client_ip
          list:
            - 192.168.0.1
    on_match: block

The precedence of rule filter actions is still bypass > monitor > custom.

This feature is one of the two required for suspicious attacker blocking.

Related Jira: APPSEC-53545

@codecov-commenter
Copy link

codecov-commenter commented Jun 6, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 92.68293% with 3 lines in your changes missing coverage. Please review.

Project coverage is 83.59%. Comparing base (2fbc676) to head (11a312a).

Files Patch % Lines
src/event.cpp 83.33% 1 Missing and 1 partial ⚠️
src/collection.cpp 83.33% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #303      +/-   ##
==========================================
- Coverage   83.60%   83.59%   -0.01%     
==========================================
  Files         137      137              
  Lines        6025     6041      +16     
  Branches     2842     2848       +6     
==========================================
+ Hits         5037     5050      +13     
- Misses        369      370       +1     
- Partials      619      621       +2
Flag Coverage Δ
waf_test 83.59% <92.68%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pr-commenter
Copy link

pr-commenter bot commented Jun 6, 2024
edited
Loading

Benchmarks

Benchmark execution time: 2024-06-24 13:36:39

Comparing candidate commit 11a312a in PR branch anilm3/custom-rule-filter-action with baseline commit 2fbc676 in branch master.

Found 4 performance improvements and 6 performance regressions! Performance is the same for 9 metrics, 0 unstable metrics.

scenario:ip_match_matcher.random

  • 🟥 execution_time [+62.982µs; +63.996µs] or [+3.948%; +4.011%]

scenario:is_xss_matcher.random

  • 🟥 execution_time [+4.817ms; +4.833ms] or [+5.827%; +5.846%]

scenario:lowercase_transformer.random

  • 🟥 execution_time [+212.381µs; +217.574µs] or [+12.492%; +12.797%]

scenario:phrase_match_matcher.enforce_word_boundary.random

  • 🟥 execution_time [+3.010ms; +3.013ms] or [+42.183%; +42.224%]

scenario:regex_match_matcher.case_insensitive_flag.random

  • 🟩 execution_time [-800.607µs; -797.639µs] or [-13.750%; -13.699%]

scenario:regex_match_matcher.case_insensitive_option.random

  • 🟩 execution_time [-798.958µs; -796.358µs] or [-13.724%; -13.679%]

scenario:regex_match_matcher.lowercase_transformer.random

  • 🟩 execution_time [-605.062µs; -602.004µs] or [-8.370%; -8.327%]

scenario:regex_match_matcher.random

  • 🟩 execution_time [-130.320µs; -128.820µs] or [-5.496%; -5.433%]

scenario:remove_nulls_transformer.random

  • 🟥 execution_time [+4.209ms; +4.217ms] or [+41.559%; +41.639%]

scenario:ruleset_1.10.0.random

  • 🟥 execution_time [+17.065ms; +17.152ms] or [+6.383%; +6.416%]

@Anilm3 Anilm3 marked this pull request as ready for review June 7, 2024 10:46
@Anilm3 Anilm3 requested a review from a team as a code owner June 7, 2024 10:46
cataphract
cataphract approved these changes Jun 24, 2024
View reviewed changes
src/event.cpp Show resolved Hide resolved
src/exclusion/common.hpp Show resolved Hide resolved
src/exclusion/common.hpp Outdated Show resolved Hide resolved
Anilm3 added 2 commits June 24, 2024 13:52
@Anilm3
Address review comments:
8c76662 
 * Simplify and rename a few things
 * Add extra checks to ensure an action override must be a blocking action
@Anilm3
Add missing configurations
11a312a
@Anilm3 Anilm3 merged commit aaf4d2a into master Jun 24, 2024
44 checks passed
@Anilm3 Anilm3 deleted the anilm3/custom-rule-filter-action branch June 24, 2024 14:21
@Anilm3 Anilm3 mentioned this pull request Jul 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@estringana estringana estringana approved these changes

@cataphract cataphract cataphract approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Anilm3 @codecov-commenter @cataphract @estringana