update block and throttle format log

SAP · Jul 2, 2024 · 04ae47c · 04ae47c
1 parent 6fbb058
commit 04ae47c
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 79 deletions.
diff --git a/configmanager/server.js b/configmanager/server.js
@@ -113,17 +113,17 @@ app.get('/blocklist', (req, res) => {
     const blocklist = JSON.parse(fs.readFileSync("/data/blocklist/blocklist.json", 'utf8'))
     i = 0
     for (const elem of blocklist.list) {
-      if (elem.duration == 'forever') continue
-      const unbanDate = new Date(elem.timeDetected)
-      switch (elem.duration[elem.duration.length-1]) {
+      if (elem.Duration == 'forever') continue
+      const unbanDate = new Date(elem.Time * 1000)
+      switch (elem.Duration[elem.Duration.length-1]) {
         case 's':
-          unbanDate.setSeconds(unbanDate.getSeconds() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setSeconds(unbanDate.getSeconds() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
         case 'm':
-          unbanDate.setMinutes(unbanDate.getMinutes() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setMinutes(unbanDate.getMinutes() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
         case 'h':
-          unbanDate.setHours(unbanDate.getHours() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setHours(unbanDate.getHours() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
       }
       if (new Date() >= unbanDate){
@@ -163,17 +163,17 @@ app.get('/throttlelist', (req, res) => {
     const throttlelist = JSON.parse(fs.readFileSync("/data/blocklist/throttlelist.json", 'utf8'))
     i = 0
     for (const elem of throttlelist.list) {
-      if (elem.duration == 'forever') continue
-      const unbanDate = new Date(elem.timeDetected)
-      switch (elem.duration[elem.duration.length-1]) {
+      if (elem.Duration == 'forever') continue
+      const unbanDate = new Date(elem.Time * 1000)
+      switch (elem.Duration[elem.Duration.length-1]) {
         case 's':
-          unbanDate.setSeconds(unbanDate.getSeconds() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setSeconds(unbanDate.getSeconds() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
         case 'm':
-          unbanDate.setMinutes(unbanDate.getMinutes() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setMinutes(unbanDate.getMinutes() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
         case 'h':
-          unbanDate.setHours(unbanDate.getHours() + parseInt(elem.duration.substring(0, elem.duration.length-1)))
+          unbanDate.setHours(unbanDate.getHours() + parseInt(elem.Duration.substring(0, elem.Duration.length-1)))
           break;
       }
       if (new Date() >= unbanDate){

diff --git a/proxy/wasm/alert/alert.go b/proxy/wasm/alert/alert.go
@@ -125,7 +125,7 @@ func SetAlertAction(alerts []AlertParam, config config_parser.ConfigType, header
   session := alerts[0].LogParameters["session"]
   if config.Respond != nil && len(config.Respond) != 0 {
     for _, respondItem := range config.Respond {
-      updateBlocklistItem := map[string]string{ "delay": "now" ,"duration": "forever" }
+      updateBlocklistItem := map[string]string{ "Delay": "now" ,"Duration": "forever", "RequestID": headers["x-request-id"] }
       sources, err := getSource(respondItem.Source, session, headers["user-agent"])
       if err != nil {
         respondJson, _ := json.Marshal(respondItem)
@@ -138,26 +138,25 @@ func SetAlertAction(alerts []AlertParam, config config_parser.ConfigType, header
       for _, source := range sources {
         updateBlocklistItem[source[0]] = source[1]
       }
-      updateBlocklistItem["behavior"] = respondItem.Behavior
+      updateBlocklistItem["Behavior"] = respondItem.Behavior
       if respondItem.Delay != "" {
         splitDelay := strings.Split(respondItem.Delay, "-")
         if len(splitDelay) == 2 {
           min, _ := strconv.Atoi(splitDelay[0][:len(splitDelay[0])-1])
           max, _ := strconv.Atoi(splitDelay[1][:len(splitDelay[1])-1])
-          updateBlocklistItem["delay"] = strconv.Itoa(rand.Intn(max - min + 1) + min) + string(respondItem.Delay[len(respondItem.Delay)-1])
+          updateBlocklistItem["Delay"] = strconv.Itoa(rand.Intn(max - min + 1) + min) + string(respondItem.Delay[len(respondItem.Delay)-1])
         } else {
-          updateBlocklistItem["delay"] = respondItem.Delay
+          updateBlocklistItem["Delay"] = respondItem.Delay
         }
       }
       if respondItem.Duration != "" {
-        updateBlocklistItem["duration"] = respondItem.Duration
+        updateBlocklistItem["Duration"] = respondItem.Duration
       }
-      updateBlocklistItem["timeDetected"] = time.Now().Format("01-02-2006 15:04:05")
-
-      if updateBlocklistItem["behavior"] == "throttle" {
-        updateBlocklistItem["property"] = respondItem.Property
+      updateBlocklistItem["Time"] = strconv.Itoa(int(time.Now().Unix()))
+      if updateBlocklistItem["Behavior"] == "throttle" {
+        updateBlocklistItem["Property"] = respondItem.Property
         if respondItem.Property == "" {
-          updateBlocklistItem["property"] = "30-120"
+          updateBlocklistItem["Property"] = "30-120"
         }
         if doesNotContains(throttlelist, updateBlocklistItem) {
           updateThrottleList = append(updateThrottleList, updateBlocklistItem)
@@ -171,7 +170,7 @@ func SetAlertAction(alerts []AlertParam, config config_parser.ConfigType, header
   }
   if alerts[0].Filter.Detect.Respond != nil && len(alerts[0].Filter.Detect.Respond) != 0 {
     for _, respondItem := range alerts[0].Filter.Detect.Respond {
-      updateBlocklistItem := map[string]string{ "delay": "now" ,"duration": "forever" }
+      updateBlocklistItem := map[string]string{ "Delay": "now" ,"Duration": "forever", "RequestID": headers["x-request-id"] }
       sources, err := getSource(respondItem.Source, session, headers["user-agent"])
       if err != nil {
         respondJson, _ := json.Marshal(respondItem)
@@ -184,25 +183,25 @@ func SetAlertAction(alerts []AlertParam, config config_parser.ConfigType, header
       for _, source := range sources {
         updateBlocklistItem[source[0]] = source[1]
       }
-      updateBlocklistItem["behavior"] = respondItem.Behavior
+      updateBlocklistItem["Behavior"] = respondItem.Behavior
       if respondItem.Delay != "" {
         splitDelay := strings.Split(respondItem.Delay, "-")
         if len(splitDelay) == 2 {
           min, _ := strconv.Atoi(splitDelay[0][:len(splitDelay[0])-1])
           max, _ := strconv.Atoi(splitDelay[1][:len(splitDelay[1])-1])
-          updateBlocklistItem["delay"] = strconv.Itoa(rand.Intn(max - min + 1) + min) + string(respondItem.Delay[len(respondItem.Delay)-1])
+          updateBlocklistItem["Delay"] = strconv.Itoa(rand.Intn(max - min + 1) + min) + string(respondItem.Delay[len(respondItem.Delay)-1])
         } else {
-          updateBlocklistItem["delay"] = respondItem.Delay
+          updateBlocklistItem["Delay"] = respondItem.Delay
         }
       }
       if respondItem.Duration != "" {
-        updateBlocklistItem["duration"] = respondItem.Duration
+        updateBlocklistItem["Duration"] = respondItem.Duration
       }
-      updateBlocklistItem["timeDetected"] = time.Now().Format("01-02-2006 15:04:05")
-      if updateBlocklistItem["behavior"] == "throttle" {
-        updateBlocklistItem["property"] = respondItem.Property
+      updateBlocklistItem["Time"] = strconv.Itoa(int(time.Now().Unix()))
+      if updateBlocklistItem["Behavior"] == "throttle" {
+        updateBlocklistItem["Property"] = respondItem.Property
         if respondItem.Property == "" {
-          updateBlocklistItem["property"] = "30-120"
+          updateBlocklistItem["Property"] = "30-120"
         }
         if doesNotContains(throttlelist, updateBlocklistItem){
           updateThrottleList = append(updateThrottleList, updateBlocklistItem)
@@ -229,37 +228,37 @@ func getSource(configSource string, session string, userAgent string) (sourceRes
       if len(ip) == 0 {
         err = fmt.Errorf("cannot ban with this decoy because ip is missing")
       }
-      sourceResponse = append(sourceResponse, [2]string{ "ip", strings.Split(string(ip), ":")[0] }) 
+      sourceResponse = append(sourceResponse, [2]string{ "SourceIp", strings.Split(string(ip), ":")[0] }) 
     case "session":
       if session == "" {
         err = fmt.Errorf("cannot ban with this decoy because session is not configured or is missing")
       }
-      sourceResponse = append(sourceResponse, [2]string{ "session", session })
+      sourceResponse = append(sourceResponse, [2]string{ "Session", session })
     case "userAgent":
       if userAgent == "" {
         userAgent = "empty"
       }
-      sourceResponse = append(sourceResponse, [2]string{ "userAgent", userAgent })
+      sourceResponse = append(sourceResponse, [2]string{ "UserAgent", userAgent })
     }
   }
     return sourceResponse, err
 }
 
 func toMapFiltered(s config_parser.BlocklistType) map[string]string {
 	m := make(map[string]string)
-  if s.Ip != "" {
-	  m["ip"] = s.Ip
+  if s.SourceIp != "" {
+	  m["SourceIp"] = s.SourceIp
   }
   if s.Useragent != "" {
-	  m["userAgent"] = s.Useragent
+	  m["UserAgent"] = s.Useragent
   }
 	if s.Session != "" {
-    m["session"] = s.Session
+    m["Session"] = s.Session
   }
   if s.Property != "" {
-    m["property"] = s.Property
+    m["Property"] = s.Property
   }
-  m["behavior"] = s.Behavior
+  m["Behavior"] = s.Behavior
   return m
 }
 
@@ -276,7 +275,7 @@ func filterMapEle(m map[string]string, keys []string) map[string]string {
 
 func doesNotContains(slice []config_parser.BlocklistType, element map[string]string) bool {
 	for _, a := range slice {
-		if reflect.DeepEqual(toMapFiltered(a), filterMapEle(element, []string{"delay", "duration", "timeDetected"})) {
+    if reflect.DeepEqual(toMapFiltered(a), filterMapEle(element, []string{"Delay", "Duration", "Time", "RequestID"})) {
 			return false
 		}
 	}

diff --git a/proxy/wasm/block/block.go b/proxy/wasm/block/block.go
@@ -65,10 +65,11 @@ func isTimeout(bl config_parser.BlocklistType) bool {
 	if bl.Delay == "" || bl.Delay == "now" {
 		return true
 	}
-	parsedDate, err := time.Parse("01-02-2006 15:04:05", bl.TimeDetected)
+	date, err := strconv.ParseInt(bl.Time, 10, 64)
 	if err != nil {
 		proxywasm.LogErrorf("error parsing blocklist element '%s' when parsing time: %s", bl, err)
 	}
+	parsedDate := time.Unix(date, 0)	
 	intDelay, _ := strconv.Atoi(bl.Delay[:len(bl.Delay)-1])
 	var dateToCompare time.Time
 	switch string(bl.Delay[len(bl.Delay)-1]) {
@@ -90,18 +91,18 @@ func isTimeout(bl config_parser.BlocklistType) bool {
 
 func AppendBlocklist(blocklist []config_parser.BlocklistType, elements []map[string]string) []config_parser.BlocklistType{
 	for _, elem := range elements {
-		newElement := config_parser.BlocklistType{ Behavior: elem["behavior"], Duration: elem["duration"], Delay: elem["delay"], TimeDetected: elem["timeDetected"] }
-		if elem["property"] != "" {
-			newElement.Property = elem["property"]
+		newElement := config_parser.BlocklistType{ Behavior: elem["Behavior"], Duration: elem["Duration"], Delay: elem["Delay"], Time: elem["Time"] }
+		if elem["Property"] != "" {
+			newElement.Property = elem["Property"]
 		}
-		if elem["ip"] != "" {
-			newElement.Ip = elem["ip"]
+		if elem["SourceIp"] != "" {
+			newElement.SourceIp = elem["SourceIp"]
 		}
-		if elem["session"] != "" {
-			newElement.Session = elem["session"]
+		if elem["Session"] != "" {
+			newElement.Session = elem["Session"]
 		}
-		if elem["userAgent"] != "" {
-			newElement.Useragent = elem["userAgent"]
+		if elem["UserAgent"] != "" {
+			newElement.Useragent = elem["UserAgent"]
 		}
 		blocklist = append(blocklist, newElement)
 	}
@@ -118,9 +119,9 @@ func findSourcePriority(blocklist []config_parser.BlocklistType, session, userAg
 		userAgent = "empty"
 	}
 	for _, block := range blocklist {
-		if (session != "" && block.Session == session) && (ip != "" && block.Ip == ip) && (userAgent != "" && block.Useragent == userAgent){
+		if (session != "" && block.Session == session) && (ip != "" && block.SourceIp == ip) && (userAgent != "" && block.Useragent == userAgent){
 			return block
-		} else if (session != "" && block.Session == session) && (ip != "" && block.Ip == ip){
+		} else if (session != "" && block.Session == session) && (ip != "" && block.SourceIp == ip){
 			if highestPriority > 1 {
 				highestPriority = 1
 				highestBlock = block
@@ -135,12 +136,12 @@ func findSourcePriority(blocklist []config_parser.BlocklistType, session, userAg
 				highestPriority = 3
 				highestBlock = block
 			}
-		} else if (ip != "" && block.Ip == ip) && (userAgent != "" && block.Useragent == userAgent) {
+		} else if (ip != "" && block.SourceIp == ip) && (userAgent != "" && block.Useragent == userAgent) {
 			if highestPriority > 4 {
 				highestPriority = 4
 				highestBlock = block
 			}
-		} else if (ip != "" && block.Ip == ip){
+		} else if (ip != "" && block.SourceIp == ip){
 			if highestPriority > 5 {
 				highestPriority = 5
 				highestBlock = block
@@ -156,20 +157,20 @@ func findSourcePriority(blocklist []config_parser.BlocklistType, session, userAg
 }
 
 func checkSource(blocklist config_parser.BlocklistType, userAgent string, session string, ip string) bool {
-	if blocklist.Ip != "" && blocklist.Session != "" && blocklist.Useragent != "" {
-		if blocklist.Ip == ip && blocklist.Session == session && blocklist.Useragent == userAgent {
+	if blocklist.SourceIp != "" && blocklist.Session != "" && blocklist.Useragent != "" {
+		if blocklist.SourceIp == ip && blocklist.Session == session && blocklist.Useragent == userAgent {
 			return true
 		} else {
 			return false
 		}
-	} else if blocklist.Ip != "" && blocklist.Session != "" {
-		if blocklist.Ip == ip && blocklist.Session == session {
+	} else if blocklist.SourceIp != "" && blocklist.Session != "" {
+		if blocklist.SourceIp == ip && blocklist.Session == session {
 			return true
 		} else {
 			return false
 		}
-	} else if blocklist.Ip != "" && blocklist.Useragent != "" {
-		if blocklist.Ip == ip && blocklist.Useragent == userAgent  {
+	} else if blocklist.SourceIp != "" && blocklist.Useragent != "" {
+		if blocklist.SourceIp == ip && blocklist.Useragent == userAgent  {
 			return true
 		} else {
 			return false
@@ -180,7 +181,7 @@ func checkSource(blocklist config_parser.BlocklistType, userAgent string, sessio
 		} else {
 			return false
 		}
-	} else if (blocklist.Ip != "" && blocklist.Ip == ip) || (blocklist.Useragent != "" && blocklist.Useragent == userAgent) || (blocklist.Session != "" && blocklist.Session == session) {
+	} else if (blocklist.SourceIp != "" && blocklist.SourceIp == ip) || (blocklist.Useragent != "" && blocklist.Useragent == userAgent) || (blocklist.Session != "" && blocklist.Session == session) {
 		return true
 	}
 	return false

diff --git a/proxy/wasm/cloud-active-defense.wasm b/proxy/wasm/cloud-active-defense.wasm
diff --git a/proxy/wasm/config_parser/parser.go b/proxy/wasm/config_parser/parser.go
@@ -136,14 +136,15 @@ func BlocklistJsonToStruct(content []byte) (error, []BlocklistType) {
 	list := json.GetArray("list")
 	for _, elem := range list {
 		bl := BlocklistType{
-			Ip:          	string(elem.GetStringBytes("ip")),
-			Session: 		string(elem.GetStringBytes("session")),
-			Useragent: 		string(elem.GetStringBytes("userAgent")),
-			Behavior:   	string(elem.GetStringBytes("behavior")),
-			Delay:			string(elem.GetStringBytes("delay")),
-			Duration:     	string(elem.GetStringBytes("duration")),
-			Property: 		string(elem.GetStringBytes("property")),
-			TimeDetected: 	string(elem.GetStringBytes("timeDetected")),
+			SourceIp:       string(elem.GetStringBytes("SourceIp")),
+			Session: 		string(elem.GetStringBytes("Session")),
+			Useragent: 		string(elem.GetStringBytes("UserAgent")),
+			Behavior:   	string(elem.GetStringBytes("Behavior")),
+			Delay:			string(elem.GetStringBytes("Delay")),
+			Duration:     	string(elem.GetStringBytes("Duration")),
+			Property: 		string(elem.GetStringBytes("Property")),
+			Time: 			string(elem.GetStringBytes("Time")),
+			RequestID: 		string(elem.GetStringBytes("RequestID")),
 		}
 		blocklist = append(blocklist, bl)
 	}

diff --git a/proxy/wasm/config_parser/type_emptyInstances.go b/proxy/wasm/config_parser/type_emptyInstances.go
@@ -69,5 +69,5 @@ func EmptyRespond() RespondType {
 }
 
 func EmptyBlocklist() BlocklistType {
-  return BlocklistType{"", "", "", "", "", "", "", ""}
+  return BlocklistType{"", "", "", "", "", "", "", "", ""}
 }
diff --git a/proxy/wasm/config_parser/types.go b/proxy/wasm/config_parser/types.go
@@ -109,14 +109,15 @@ type RespondType struct {
 }
 
 type BlocklistType struct {
-	Ip            string  `json:"ip"`
-	Useragent	  string  `json:"userAgent"`
-	Session		  string  `json:"session"`
-	Behavior      string  `json:"behavior"`
-	Delay         string  `json:"delay"`
-	Duration      string  `json:"duration"`
-	Property	  string  `json:"property"`
-	TimeDetected  string  `json:"timeDetected"`
+	SourceIp      string  `json:"SourceIp"`
+	Useragent	  string  `json:"UserAgent"`
+	Session		  string  `json:"Session"`
+	Behavior      string  `json:"Behavior"`
+	Delay         string  `json:"Delay"`
+	Duration      string  `json:"Duration"`
+	Property	  string  `json:"Property"`
+	Time  		  string  `json:"Time"`
+	RequestID	  string  `json:"RequestID"`
 }
 func (c *DecoyConfig) MakeChecksum() [20]byte{
   confStr := ""