Merge branch 'master' into dependabot/go_modules/github.com/expr-lang…

…/expr-1.16.9

.github/workflows/tests.yaml

@@ -49,9 +49,9 @@ jobs:
         if: (github.event_name == 'push')
       - uses: teler-sh/actions/golangci-lint@v1
       - uses: teler-sh/actions/semgrep@v1
-      - uses: teler-sh/actions/bearer@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # - uses: teler-sh/actions/bearer@v1
+      #   with:
+      #     token: ${{ secrets.GITHUB_TOKEN }}
       - uses: teler-sh/actions/codeql@v1
         with:
           lang: go

README.md

@@ -369,9 +369,9 @@ telerMiddleware := teler.New(teler.Options{
 Here is an example of what the log lines would look like if teler-waf detects a threat on a request:
 
 ```json
-{"level":"warn","ts":1672261174.5995026,"msg":"bad crawler","id":"654b85325e1b2911258a","category":"BadCrawler","request":{"method":"GET","path":"/","ip_addr":"127.0.0.1:37702","headers":{"Accept":["*/*"],"User-Agent":["curl/7.81.0"]},"body":""}}
-{"level":"warn","ts":1672261175.9567692,"msg":"directory bruteforce","id":"b29546945276ed6b1fba","category":"DirectoryBruteforce","request":{"method":"GET","path":"/.git","ip_addr":"127.0.0.1:37716","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
-{"level":"warn","ts":1672261177.1487508,"msg":"Detects common comment types","id":"75412f2cc0ec1cf79efd","category":"CommonWebAttack","request":{"method":"GET","path":"/?id=1%27%20or%201%3D1%23","ip_addr":"127.0.0.1:37728","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
+{"level":"warn","ts":1672261174.5995026,"msg":"bad crawler","id":"654b85325e1b2911258a","category":"BadCrawler","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/","ip_addr":"127.0.0.1:37702","headers":{"Accept":["*/*"],"User-Agent":["curl/7.81.0"]},"body":""}}
+{"level":"warn","ts":1672261175.9567692,"msg":"directory bruteforce","id":"b29546945276ed6b1fba","category":"DirectoryBruteforce","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/.git","ip_addr":"127.0.0.1:37716","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
+{"level":"warn","ts":1672261177.1487508,"msg":"Detects common comment types","id":"75412f2cc0ec1cf79efd","category":"CommonWebAttack","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/?id=1%27%20or%201%3D1%23","ip_addr":"127.0.0.1:37728","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
 ```
 
 The **id** is a unique identifier that is generated when a request is rejected by teler-waf. It is included in the HTTP response headers of the request (`X-Teler-Req-Id`), and can be used to troubleshoot issues with requests that are being made to the website.
@@ -447,6 +447,27 @@ The event forwarded to Falco Sidekick instance includes the following informatio
 
 Overall, Falco Sidekick is a versatile tool that can help you automate your security response process and improve your overall security posture. By leveraging its capabilities, you can ensure that your cloud-native applications are secure and protected against potential threats.
 
+### Wazuh
+
+You can enhance your security monitoring by integrating teler WAF logs into Wazuh. To do this, use [custom rules](https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html) available in the [`extras/`](/extras) directory.
+
+Add the `localfile` element block below inside `ossec_config` element in the [local configuration](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html) file:
+
+```xml
+<ossec_config>
+  <!-- ... -->
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/path/to/your/teler.log</location>
+  </localfile>
+</ossec_config>
+```
+
+> [!NOTE]
+> The value of `location` should be the teler WAF log file path you specified in [`Options.LogFile`](https://pkg.go.dev/github.com/kitabisa/teler-waf#Options.LogFile).
+
+By doing this, Wazuh will be able to read and analyze the teler WAF logs, enhancing your network protection and providing better insights.
+
 ### Datasets
 
 The teler-waf package utilizes a dataset of threats to identify and analyze each incoming request for potential security threats. This dataset is updated daily, which means that you will always have the latest resource. The dataset is initially stored in the user-level cache directory _(on Unix systems, it returns `$XDG_CACHE_HOME/teler-waf` as specified by [XDG Base Directory Specification

extras/wazuh/teler_rules.xml

@@ -0,0 +1,89 @@
+<!--
+  -  teler WAF rules
+  -  Author: Dwi Siswanto (me@dw1.io).
+  -  Copyright (C) 2024, Dwi Siswanto.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of Apache 2.0 License.
+-->
+
+<group name="teler,teler-waf,teler-proxy,">
+  <!-- 
+  {"level":"warn","ts":1672261174.5995026,"msg":"bad crawler","id":"654b85325e1b2911258a","category":"BadCrawler","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/","ip_addr":"127.0.0.1:37702","headers":{"Accept":["*/*"],"User-Agent":["curl/7.81.0"]},"body":""}}
+  {"level":"warn","ts":1672261175.9567692,"msg":"directory bruteforce","id":"b29546945276ed6b1fba","category":"DirectoryBruteforce","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/.git","ip_addr":"127.0.0.1:37716","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
+  {"level":"warn","ts":1672261177.1487508,"msg":"Detects common comment types","id":"75412f2cc0ec1cf79efd","category":"CommonWebAttack","caller":"teler-waf","listen_addr":"127.0.0.1:36267","request":{"method":"GET","path":"/?id=1%27%20or%201%3D1%23","ip_addr":"127.0.0.1:37728","headers":{"Accept":["*/*"],"User-Agent":["X"]},"body":""}}
+  -->
+
+  <rule id="100300" level="0">
+    <decoded_as>json</decoded_as>
+    <field name="level">^warn$</field>
+    <description>teler WAF events</description>
+  </rule>
+
+  <rule id="100301" level="10">
+    <if_sid>100300</if_sid>
+    <field name="category">CommonWebAttack</field>
+    <description>teler: $(msg) request at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <mitre>
+      <id>T1210</id>
+    </mitre>
+  </rule>
+
+  <rule id="100302" level="10">
+    <if_sid>100300</if_sid>
+    <field name="category">CVE</field>
+    <info type="cve">$(msg)</info>
+    <description>teler: $(msg) exploit detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <mitre>
+      <id>T1190</id>
+      <id>T1210</id>
+      <id>T1595.002</id>
+    </mitre>
+  </rule>
+
+  <rule id="100303" level="9">
+    <if_sid>100300</if_sid>
+    <field name="category">BadIPAddress</field>
+    <description>teler: $(msg) request detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1102</id>
+      <id>T1584.005</id>
+    </mitre>
+  </rule>
+
+  <rule id="100304" level="9">
+    <if_sid>100300</if_sid>
+    <field name="category">BadReferrer</field>
+    <description>teler: $(msg) request $(request.headers.Referer) detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1102</id>
+      <id>T1584.005</id>
+    </mitre>
+  </rule>
+
+  <rule id="100305" level="9">
+    <if_sid>100300</if_sid>
+    <field name="category">BadCrawler</field>
+    <description>teler: $(msg) request $(request.headers.User-Agent) detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1595.002</id>
+    </mitre>
+  </rule>
+
+  <rule id="100306" level="10">
+    <if_sid>100300</if_sid>
+    <field name="category">DirectoryBruteforce</field>
+    <description>teler: $(msg) request detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1595.003</id>
+    </mitre>
+  </rule>
+
+  <rule id="100307" level="13">
+    <if_sid>100300</if_sid>
+    <field name="category">Custom</field>
+    <description>teler: $(msg) detected at "$(request.path)" from "$(request.ip_addr)" to "$(listen_addr)" ($(caller))</description>
+  </rule>
+</group>

teler.go

@@ -315,11 +315,9 @@ func New(opts ...Options) *Teler {
 		}
 	}
 
-	// If development mode is enabled, create a new cache with a default
-	// expiration time of 15 minutes and cleanup interval of 20 minutes.
-	if !o.Development {
-		t.cache = cache.New(15*time.Minute, 20*time.Minute)
-	}
+	// Initialize cache with a default expiration time of 15 minutes and cleanup
+	// interval of 20 minutes.
+	t.cache = cache.New(15*time.Minute, 20*time.Minute)
 
 	// If custom response status is set, overwrite default response status.
 	if o.Response.Status != 0 {
@@ -392,11 +390,14 @@ func (t *Teler) sendLogs(r *http.Request, k threat.Threat, id string, msg string
 	cat := k.String()
 	path := r.URL.String()
 	ipAddr := t.env.GetRequestValue("IP")
+	listenAddr := t.getListenAddr(r)
 
 	// Log the detected threat, request details and the error message.
 	t.log.With(
 		zap.String("id", id),
 		zap.String("category", cat),
+		zap.String("caller", t.caller),
+		zap.String("listen_addr", listenAddr),
 		zap.Namespace("request"),
 		zap.String("method", r.Method),
 		zap.String("path", path),

utils.go

@@ -10,14 +10,15 @@ import (
 	"errors"
 	"html"
 	"io"
+	"net"
 	"regexp"
 	"strings"
 
 	"net/http"
 	"net/url"
 
-	"github.com/expr-lang/expr/vm"
 	"github.com/dwisiswant0/clientip"
+	"github.com/expr-lang/expr/vm"
 	"github.com/kitabisa/teler-waf/request"
 	"github.com/kitabisa/teler-waf/threat"
 	"github.com/patrickmn/go-cache"
@@ -314,3 +315,24 @@ func isValidReferrer(ref string) (bool, string, error) {
 
 	return false, host, nil
 }
+
+// getListenAddr retrieves the local network address that the HTTP server is
+// listening on from the request's context, utilizing a cache to store and
+// retrieve this value efficiently.
+func (t *Teler) getListenAddr(r *http.Request) string {
+	cacheKey := "listen_addr"
+	localAddrCtx := r.Context().Value(http.LocalAddrContextKey)
+
+	if listenAddrCache, ok := t.cache.Get(cacheKey); ok {
+		return listenAddrCache.(string)
+	}
+
+	if conn, ok := localAddrCtx.(net.Addr); ok {
+		listenAddr := conn.String()
+		t.cache.Set(cacheKey, listenAddr, cache.DefaultExpiration)
+
+		return listenAddr
+	}
+
+	return ""
+}