v1.19.0 (unstable)
New features
This new version of libddwaf introduces a multitude of new features in order to support new use cases and expand existing ones.
Exploit prevention: Shell injection detection
A new operator, shi_detector, has been introduced for detecting and blocking shell injections, based on the input parameters and the final shell code being evaluated. This new operator is part of the exploit prevention feature, so it is meant to be used in combination with targeted instrumentation.
The following example rule takes advantage of the new operator to identify injections originating from request parameters:
- id: rsp-930-004
  name: SHi Exploit detection
  tags:
    type: shi
    category: exploit_detection
    module: rasp
  conditions:
    - parameters:
        resource:
          - address: server.sys.shell.cmd
        params:
          - address: server.request.query
          - address: server.request.body
          - address: server.request.path_params
          - address: grpc.server.request.message
          - address: graphql.server.all_resolvers
          - address: graphql.server.resolver
      operator: shi_detector
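To make the resource/params relationship concrete, here is an added, simplified detector written for these notes (it is not libddwaf's shi_detector implementation): it locates each request parameter inside the final command string and flags it only when, given the quoting context where it lands, it can change the command's structure. The address names and the sample request are constructed for this example.

```python
import re
# Metacharacters that alter command structure when they appear unquoted.
UNQUOTED_META = re.compile(r"[\s;&|`$<>(){}]")
# Inside double quotes only these can break out or trigger expansion.
DQUOTED_META = re.compile(r'[`$"\\]')

def _quote_state(prefix):
    """Return the quote character still open at the end of prefix, or None."""
    quote, i = None, 0
    while i < len(prefix):
        ch = prefix[i]
        if ch == "\\" and quote != "'":
            i += 2  # backslash-escaped char is literal outside single quotes
            continue
        if quote is None and ch in "'\"":
            quote = ch
        elif ch == quote:
            quote = None
        i += 1
    return quote

def flatten_values(value):
    """Collect every string leaf from a nested request parameter value."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        value = list(value.values())
    if not isinstance(value, (list, tuple)):
        return []
    return [leaf for item in value for leaf in flatten_values(item)]

def detect_shell_injection(resource, params, min_length=3):
    """Return the first parameter that changes the meaning of resource, or None."""
    for param in flatten_values(params):
        if len(param) < min_length:
            continue
        start = resource.find(param)
        while start >= 0:
            quote = _quote_state(resource[:start])
            if quote is None and UNQUOTED_META.search(param):
                return {"param": param, "reason": "unquoted metacharacter or extra argument"}
            if quote == '"' and DQUOTED_META.search(param):
                return {"param": param, "reason": "expansion or quote break in double quotes"}
            if quote == "'" and "'" in param:
                return {"param": param, "reason": "single-quote break"}
            start = resource.find(param, start + 1)
    return None

# Constructed sample: a query parameter flows into the evaluated shell command (the "resource").
SAMPLE_PARAMS, SAMPLE_RESOURCE = {"server.request.query": {"file": "report.txt; id"}}, "cat /tmp/report.txt; id"
```

A parameter that lands inside single quotes and contains no quote character is left alone, which is why comparing the parameter against the final command rather than matching it in isolation keeps false positives down.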
Attacker & Request Fingerprinting
This release includes a new family of processors which can be used to generate different fingerprints for a request and / or user, depending on available information:
- http_endpoint_fingerprint: this processor generates a fingerprint which uniquely identifies the HTTP endpoint accessed by the request as well as how this endpoint was accessed (i.e. which parameters were used).
- http_headers_fingerprint: generates a fingerprint which provides information about the headers used when accessing said HTTP endpoint.
- http_network_fingerprint: provides a fingerprint containing some information about the network-related HTTP headers used within the request.
- session_fingerprint: this processor generates a specific fingerprint with sufficient information to track a unique session and / or attacker.
Suspicious attacker blocking
Suspicious attackers can now be blocked conditionally when they perform a restricted action or an attack. With the combination of custom exclusion filter actions and exclusion data, it is now possible to change the action of a rule dynamically depending on a condition, e.g. all rules could be set to blocking mode if a given IP performs a known attack.
The following exclusion filter, in combination with the provided exclusion data, changes the action of all rules based on the client IP:
exclusions:
  - id: suspicious_attacker
    conditions:
      - operator: ip_match
        parameters:
          inputs:
            - address: http.client_ip
          data: ip_data
exclusion_data:
  - id: ip_data
    type: ip_with_expiration
    data:
      - value: 1.2.3.4
        expiration: 0
Other new features
- New operator exists: this new operator can be used to assert the presence of at least one address from a given set of addresses, regardless of their underlying value.
- Rule tagging overrides: rule overrides now allow adding tags to an existing rule, e.g. to provide information about the policy used.
- New function ddwaf_known_actions: this new function can be used to obtain a list of the action types which can be triggered given the set of rules and exclusion filters available.
Release changelog
Changes
- Multivariate processors and remove generators (#298)
- Custom rule filter actions (#303)
- SHA256 hash based on OpenSSL (#304)
- Shell injection detection operator (#308)
- Limit the number of transformers per rule or input (#309)
- Validate redirection location and restrict status codes (#310)
- Rule override for adding tags (#313)
- Add support for dynamic exclusion filter data (#316)
- HTTP Endpoint Fingerprint Processor (#318)
- HTTP Header, HTTP Network and Session Fingerprints (#320)
- Exists operator and waf.context.event virtual address (#321)
- Add function to obtain available actions (#324)
Fixes
- Transformer fixes and improvements (#299)