Hi, I am using coraza with caddy and trying to find the audit logs noted that it d

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Hello <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-ur

I think the right syntax is xcaddy build --with***@***.*** <span

Coraza not logging logs and audit logs about coraza-caddy HOT 18 OPEN

corazawaf commented on July 29, 2024

Coraza not logging logs and audit logs

from coraza-caddy.

Comments (18)

carlos-herrer commented on July 29, 2024

this logs is from coraza ? If that is, why all logs are generate on /var/log/syslog and not generate on the rute I specificated ?

Feb 6 19:47:04 lab caddy[585]: {"level":"error","ts":1675730824.3300385,"logger":"http.handlers.waf","msg":"[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n"}
Feb 6 19:47:04 lab caddy[585]: {"level":"error","ts":1675730824.3382945,"logger":"http.handlers.waf","msg":"[client "192.168.152.1"] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 20) [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "0"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n"}

from coraza-caddy.

fzipi commented on July 29, 2024

@jptosso @jcchavezs Any inputs here?

from coraza-caddy.

fzipi commented on July 29, 2024

@jcchavezs @jptosso ping.

from coraza-caddy.

fzipi commented on July 29, 2024

@jcchavezs @jptosso ping 2.

from coraza-caddy.

jcchavezs commented on July 29, 2024

we completely rewrite the connector. Do you mind testing again with latest commit? At least the debug logging should be working fine. Audit we will tackle soon.

from coraza-caddy.

carlos-herrer commented on July 29, 2024

Hello @jcchavezs when try to update caddy it's take v1.2.2 this is the final version of coraza-caddy? it's not will be 1.2.3 ?
"SecAuditLogDir /var/log/audit_coraza.log" provision http.handlers.waf: invalid WAF config: open /var/log/audit_coraza.log: permission denied

same error.

from coraza-caddy.

M4tteoP commented on July 29, 2024

The version with the rewritten connector is not yet tagged, you should be able to try it pointing directly to the commit (34daaf87f9ddaca2833461de59ebada21c902598)

from coraza-caddy.

carlos-herrer commented on July 29, 2024

Hello @M4tteoP if used xcaddy with build 34daaf8 i got error invalid

go: github.com/caddyserver/caddy/v2@34daaf87f9ddaca2833461de59ebada21c902598: invalid version: unknown revision 34daaf8

I used xcaddy build 34daaf8 --with github.com/corazawaf/coraza-caddy

from coraza-caddy.

jcchavezs commented on July 29, 2024

I think the right syntax is xcaddy build --with ***@***.***

…

On Tue, 4 Apr 2023, 19:45 Carlos Herrera, ***@***.***> wrote: Hello @M4tteoP <https://github.com/M4tteoP> if used xcaddy with build 34daaf8 <34daaf8> i got error invalid go: ***@***.***: invalid version: unknown revision 34daaf8 <34daaf8> I used xcaddy build 34daaf8 <34daaf8> --with github.com/corazawaf/coraza-caddy — Reply to this email directly, view it on GitHub <#42 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAV2CB3NFMJA4P23R23W7RM2TANCNFSM6AAAAAAUPQYRVU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

from coraza-caddy.

M4tteoP commented on July 29, 2024

The right syntax should be this one: xcaddy build --with github.com/corazawaf/coraza-caddy@34daaf87f9ddaca2833461de59ebada21c902598
In your attempt, you are trying to use the commit like it was a caddy commit, not a coraza-caddy one.

Edit: ops, JC has been faster :3

from coraza-caddy.

carlos-herrer commented on July 29, 2024

Hello @M4tteoP @jcchavezs

You have right I can compile using xcaddy build --with github....coraza-caddy@build_hash

But now the error change and I got a error with the CRS loaded.
["/usr/share/caddy/waf/coreruleset/rules/REQUEST-901-INITIALIZATION.conf","/usr/share/caddy/waf/coreruleset/rules/]

from coraza-caddy.

jcchavezs commented on July 29, 2024

Unfortunately this is an issue with the file system as it does not like absolute paths. I tried different approaches and ended up creating my own library for merging filesystems because existing ones did have some opinions.

This is the same issue as in jcchavezs/coraza-httpbin#4 (comment) which I will soon fix as soon as finish test the new merge library.

from coraza-caddy.

jptosso commented on July 29, 2024

@jcchavezs I would remove your coreruleset library from coraza-caddy until it is fixed. It's not such an important feature for the connector, and it's not even documented

from coraza-caddy.

jcchavezs commented on July 29, 2024

Yeah I will remove that. And reassess the os filesystem.

from coraza-caddy.

jcchavezs commented on July 29, 2024

In the other hand, the coreruleset library eases testing in this repo which we really need it to avoid poor coverage. I'd rather make that work to not to have to download CRS for ftw.

…

On Wed, 5 Apr 2023, 14:28 José Carlos Chávez, ***@***.***> wrote: The coreruleset library isn't the problem. Loading filesystem is and that is what I am fixing. On Wed, 5 Apr 2023, 14:28 Juan Pablo Tosso, ***@***.***> wrote: > @jcchavezs <https://github.com/jcchavezs> I would remove your > coreruleset library from coraza-caddy until it is fixed. It's not such an > important feature for the connector, and it's not even documented > > — > Reply to this email directly, view it on GitHub > <#42 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAXOYAWDPIAWJ23JFDCCWL3W7VQNFANCNFSM6AAAAAAUPQYRVU> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

from coraza-caddy.

jcchavezs commented on July 29, 2024

@carlos-herrer please do try this branch #52

from coraza-caddy.

carlos-herrer commented on July 29, 2024

Hello @jcchavezs, I got the same error Permission deny.

with "SecDebugLog /var/log/coraza/coraza.log" with "SexDebugLogLevel 6" I got invalid sintax.
and if I using audit log "SecAuditLogDir /var/log/audit/audit_coraza.log", it's generate a permission error.

from coraza-caddy.

jwDevOps commented on July 29, 2024

Hey there,
any updates on this? Still can't get logs working for coraza.

from coraza-caddy.

Coraza not logging logs and audit logs about coraza-caddy HOT 18 OPEN

Comments (18)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent