External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update owasp2apache.py

Browse Source 
Small improvements.
This commit is contained in:
fab
2025-01-07 18:13:49 +01:00
committed by GitHub
parent fb05724676
commit e22d5d8ddb
1 changed files with 43 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
owasp2apache.py
View File

@@ -1,5 +1,6 @@
import json import json
import os import os
import re
from collections import defaultdict from collections import defaultdict
import logging import logging
from pathlib import Path from pathlib import Path
@@ -23,6 +24,8 @@ MODSEC_RULE_TEMPLATE = (
'SecRule REQUEST_URI "{pattern}" "id:{rule_id},phase:1,deny,status:403,log,msg:\'{category} attack detected\'"\n' 'SecRule REQUEST_URI "{pattern}" "id:{rule_id},phase:1,deny,status:403,log,msg:\'{category} attack detected\'"\n'
) )
UNSUPPORTED_PATTERNS = ["@pmFromFile", "!@eq", "!@within", "@lt"]
def load_owasp_rules(file_path): def load_owasp_rules(file_path):
""" """
@@ -42,25 +45,57 @@ def load_owasp_rules(file_path):
raise raise
def validate_regex(pattern):
"""
Validate regex pattern to ensure it is compatible with ModSecurity.
"""
try:
re.compile(pattern)
return True
except re.error as e:
logging.warning(f"[!] Skipping invalid regex: {pattern} - {e}")
return False
def sanitize_pattern(pattern):
"""
Sanitize unsupported patterns and directives for ModSecurity.
"""
if any(directive in pattern for directive in UNSUPPORTED_PATTERNS):
logging.warning(f"[!] Skipping unsupported pattern: {pattern}")
return None
# Handle regex patterns prefixed with @rx
if pattern.startswith("@rx "):
return pattern.replace("@rx ", "").strip()
return pattern
def generate_apache_waf(rules): def generate_apache_waf(rules):
""" """
Generate Apache ModSecurity configuration files from OWASP rules. Generate Apache ModSecurity configuration files from OWASP rules.
""" """
categorized_rules = defaultdict(list) categorized_rules = defaultdict(set)
rule_id_counter = 1000 # Starting rule ID rule_id_counter = 1000 # Starting rule ID
# Group rules by category # Group rules by category and ensure deduplication
for rule in rules: for rule in rules:
try: try:
category = rule.get("category", "generic").lower() category = rule.get("category", "generic").lower()
pattern = rule["pattern"] pattern = rule["pattern"]
categorized_rules[category].append((pattern, rule_id_counter))
rule_id_counter += 1 # Increment rule ID to avoid collisions sanitized_pattern = sanitize_pattern(pattern)
if sanitized_pattern and validate_regex(sanitized_pattern):
categorized_rules[category].add((sanitized_pattern, rule_id_counter))
rule_id_counter += 1
else:
logging.warning(f"[!] Skipping invalid or unsupported rule: {pattern}")
except KeyError as e: except KeyError as e:
logging.warning(f"[!] Skipping invalid rule (missing key: {e}): {rule}") logging.warning(f"[!] Skipping malformed rule (missing key: {e}): {rule}")
continue continue
# Convert to Apache conf files # Write rules to per-category configuration files
for category, patterns in categorized_rules.items(): for category, patterns in categorized_rules.items():
output_file = OUTPUT_DIR / f"{category}.conf" output_file = OUTPUT_DIR / f"{category}.conf"
@@ -69,10 +104,10 @@ def generate_apache_waf(rules):
f.write(f"# Apache ModSecurity rules for {category.upper()}\n") f.write(f"# Apache ModSecurity rules for {category.upper()}\n")
f.write("SecRuleEngine On\n\n") f.write("SecRuleEngine On\n\n")
# Write rules as ModSecurity SecRules # Write rules with unique IDs
for pattern, rule_id in patterns: for pattern, rule_id in patterns:
rule = MODSEC_RULE_TEMPLATE.format( rule = MODSEC_RULE_TEMPLATE.format(
pattern=pattern, rule_id=rule_id, category=category pattern=re.escape(pattern), rule_id=rule_id, category=category
) )
f.write(rule) f.write(rule)