Parsing args in URIs and request body and matching them in the Generic Matching Engine
#24,615 opened on Dec 18, 2022
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
The Ability to Parse Args Is Essential for a WAF
We, Curiefense maintainers, willing to extend Generic Matching so it can act as de-facto Native WAF for Envoy users.
The vision is simple: Curiefense users will be able to activate the security policy in a given runnign environemtn, using generic-matching, since the rules will be renderd as such.
We have work on a PoC that already has the capabilitied to do so (attached yaml), yet, without the ability to parse and match entries in the queryString and request body, the WAF cannot be considered useful.
The table below describe the current capabilities and the missing ones, and tagged them with their priority (P1..P4)
Capabilities map
| Function | y/n | Remarks |
|---|---|---|
| Match headers | Yes | |
| Match CIDR | Yes | |
| Query string args | No | P1 |
| Body args | No | P1 form-url-encoded and multipart |
| JSON body | No | P2 nested structures |
| GraphQL body | No | P3 |
| XML body | No | P4 |
| Geo, ASN, IP INfo | No | Require MaxMind integration |
So far, we have added support for the following Curiefense policy generation * WAF rules (signatures) * Global filters tagging * ACL
Curiefense team involved: