Rule Sieves
Starting with v0.11.1, lua-resty-waf provides a mechanism to exclude portions of collections from operator comparison via the sieve_rule object method. This method is akin to the SecRules SecRuleUpdateTargetById directive, except that it currently only removes collection elements instead of updating the rule vars outright. The sieve_rule method takes two arguments: an ID representing the rule.id element of a rule that has previously been loaded, and a nested table containing data describing how to sieve the rule. Each sieve definition contains the following keys:
- type, the SecRules representation of the rule target
- elts, either a string or a table of elements to sieve from the collection
- action, a string, either ignore or regex, that determines how to match each element
Given this, you can directly translate SecRuleUpdateTargetById or ctl:ruleRemoveTargetById directives via this interface (though currently this only applies at initial runtime; direct translation of ctl:ruleRemoveTargetById is not yet supported). Several examples follow.
To exclude the query string param foo from rule "12345":

    local sieves = {
        {
            type = "ARGS_GET",
            elts = "foo",
            action = "ignore",
        }
    }

    waf:sieve_rule("12345", sieves)
To exclude the query string params foo and bar from the same rule:

    local sieves = {
        {
            type = "ARGS_GET",
            elts = { "foo", "bar" },
            action = "ignore",
        }
    }

    waf:sieve_rule("12345", sieves)
To exclude the query string param foo and the request body param bar:

    local sieves = {
        {
            type = "ARGS_GET",
            elts = "foo",
            action = "ignore",
        },
        {
            type = "ARGS_POST",
            elts = "bar",
            action = "ignore",
        }
    }

    waf:sieve_rule("12345", sieves)
To exclude all request cookies that match the regex ^__utm:

    local sieves = {
        {
            type = "COOKIES",
            elts = "^__utm",
            action = "regex",
        }
    }

    waf:sieve_rule("12345", sieves)
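The following is an added, stand-alone model of what a sieve does to a rule's collections before the operator runs; it is not lua-resty-waf's own code. The collection tables, the apply_sieves and matches_sieve helpers, and the use of Lua patterns via string.find in place of the WAF's ngx.re are assumptions made for illustration, so only patterns where the two syntaxes agree (such as ^__utm) behave the same.

```lua
-- Added example, not lua-resty-waf code: models ignore/regex sieving of
-- a collection keyed by SecRules target name (ARGS_GET, ARGS_POST, COOKIES).

-- Normalize elts so a single string and a table are handled the same way.
local function as_list(elts)
  if type(elts) == "table" then return elts end
  return { elts }
end

-- True when a collection key should be dropped under one sieve definition.
local function matches_sieve(key, sieve)
  for _, elt in ipairs(as_list(sieve.elts)) do
    if sieve.action == "ignore" then
      if key == elt then return true end         -- exact name match
    elseif sieve.action == "regex" then
      -- Lua pattern stand-in for the PCRE match the WAF performs (assumption)
      if string.find(key, elt) then return true end
    else
      error("unknown sieve action: " .. tostring(sieve.action))
    end
  end
  return false
end

-- Return a copy of collections with every sieved element removed.
local function apply_sieves(collections, sieves)
  local out = {}
  for name, coll in pairs(collections) do
    out[name] = {}
    for key, value in pairs(coll) do
      local drop = false
      for _, sieve in ipairs(sieves) do
        if sieve.type == name and matches_sieve(key, sieve) then
          drop = true
          break
        end
      end
      if not drop then out[name][key] = value end
    end
  end
  return out
end

-- Constructed request data combining the page's examples: only foo, bar and
-- the __utm* cookies are removed; id, comment and session survive.
local collections = {
  ARGS_GET  = { foo = "1", id = "42" },
  ARGS_POST = { bar = "x", comment = "hello" },
  COOKIES   = { __utma = "a", __utmz = "z", session = "s" },
}
local sieves = {
  { type = "ARGS_GET",  elts = "foo",    action = "ignore" },
  { type = "ARGS_POST", elts = "bar",    action = "ignore" },
  { type = "COOKIES",   elts = "^__utm", action = "regex"  },
}
for name, coll in pairs(apply_sieves(collections, sieves)) do
  for key in pairs(coll) do print(name, key) end
end
```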