rename waap to appsec

.appsec-tests/cve-2023-42793/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml
+nuclei_template: cve-2023-42793.yaml

.waap-tests/cve-2023-42793/cve-2023-42793.yaml → .appsec-tests/cve-2023-42793/cve-2023-42793.yaml

@@ -5,7 +5,7 @@ info:
   severity: medium
   description: |
     cve-2023-42793 testing
-  tags: waap-testing
+  tags: appsec-testing
 
 http:
   - raw:

.appsec-tests/template_acquis.yaml

@@ -0,0 +1,8 @@
+listen_addr: 127.0.0.1
+listen_port: 4241
+path: /
+source: appsec
+labels:
+  type: appsec
+#appsec_config: appsec-test
+appsec_config_path: ./runtime/appsec-configs/config.yaml

.waap-tests/template_waap-profile.yaml → .appsec-tests/template_waap-profile.yaml

@@ -1,4 +1,4 @@
-name: waap-test
+name: appsec-test
 inband_rules:
  - "crowdsecurity/*" # all rules
 default_remediation: ban

.github/workflows/test_waap_rules.yaml

@@ -1,23 +1,23 @@
-name: Waap Rules Tests
+name: Appsec Rules Tests
 on:
   pull_request:
     branches: [ master ]
     paths:
-      - 'waap-configs/**.yaml'
-      - 'waap-configs/**.yml'
-      - 'waap-rules/**.yaml'
-      - 'waap-rules/**.yml'
-      - '.github/workflows/test_waap_rules.yaml'
-      - '.waap-tests/**'
+      - 'appsec-configs/**.yaml'
+      - 'appsec-configs/**.yml'
+      - 'appsec-rules/**.yaml'
+      - 'appsec-rules/**.yml'
+      - '.github/workflows/test_appsec_rules.yaml'
+      - '.appsec-tests/**'
   push:
     branches: [ master ]
     paths:
-      - 'waap-configs/**.yaml'
-      - 'waap-configs/**.yml'
-      - 'waap-rules/**.yaml'
-      - 'waap-rules/**.yml'
-      - '.github/workflows/test_waap_rules.yaml'
-      - '.waap-tests/**'
+      - 'appsec-configs/**.yaml'
+      - 'appsec-configs/**.yml'
+      - 'appsec-rules/**.yaml'
+      - 'appsec-rules/**.yml'
+      - '.github/workflows/test_appsec_rules.yaml'
+      - '.appsec-tests/**'
 
 jobs:
   run-hub-tests:
@@ -54,25 +54,25 @@ jobs:
         sudo ./install.sh -y
     - name: Setup NGINX Bouncer API key
       run: |
-        sudo cscli bouncers add hubtestWaap -k "this_is_a_bad_password"
+        sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password"
         sudo sed -i 's/API_KEY=.*$/API_KEY=this_is_a_bad_password/' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
         echo "WAF_URL=http://127.0.0.1:4241" | sudo tee -a /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
         sudo systemctl restart nginx
     - name: run tests on last crowdsec tag
       run: |
-        cscli hubtest run --all --waap
-        echo "WAAP_RULE_COV=$(cscli hubtest coverage --waap --percent | cut -d '=' -f2)" >> $GITHUB_ENV
-        WAAP_RULE_COV_NUMBER=$(cscli hubtest coverage --waap --percent | cut -d '=' -f2 | tr -d '%' | tr -d '[[:space:]]')
-        echo "WAAP_RULE_BADGE_COLOR=$(if [ "$WAAP_RULE_COV_NUMBER" -lt "70" ]; then echo 'red'; else echo 'green'; fi)" >> $GITHUB_ENV
-    - name: Create waap badge
+        cscli hubtest run --all --appsec
+        echo "APPSEC_RULE_COV=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2)" >> $GITHUB_ENV
+        APPSEC_RULE_COV_NUMBER=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2 | tr -d '%' | tr -d '[[:space:]]')
+        echo "APPSEC_RULE_BADGE_COLOR=$(if [ "$APPSEC_RULE_COV_NUMBER" -lt "70" ]; then echo 'red'; else echo 'green'; fi)" >> $GITHUB_ENV
+    - name: Create appsec badge
       uses: schneegans/[email protected]
       #if: ${{ github.ref == 'refs/heads/master' }}
       if: false
       with:
         auth: ${{ secrets.GIST_BADGES_SECRET }}
         gistID: ${{ secrets.GIST_BADGES_ID }}
-        filename: hub_waap_badge.json
-        label: Hub Waap
-        message: ${{ env.WAAP_RULE_COV }}
-        color: ${{ env.WAAP_RULE_BADGE_COLOR }}
+        filename: hub_appsec_badge.json
+        label: Hub Appsec
+        message: ${{ env.APPSEC_RULE_COV }}
+        color: ${{ env.APPSEC_RULE_BADGE_COLOR }}
 

.github/workflows/update-index.yml

@@ -7,20 +7,20 @@ on:
       - 'parsers/**.yaml'
       - 'postoverflows/**.yaml'
       - 'collections/**.yaml'
-      - 'waap-rules/**.yaml'
-      - 'waap-configs/**.yaml'
+      - 'appsec-rules/**.yaml'
+      - 'appsec-configs/**.yaml'
       - 'scenarios/**.yml'
       - 'parsers/**.yml'
       - 'postoverflows/**.yml'
       - 'collections/**.yml'
-      - 'waap-rules/**.yml'
-      - 'waap-configs/**.yml'
+      - 'appsec-rules/**.yml'
+      - 'appsec-configs/**.yml'
       - 'scenarios/**.md'
       - 'parsers/**.md'
       - 'postoverflows/**.md'
       - 'collections/**.md'
-      - 'waap-rules/**.md'
-      - 'waap-configs/**.md'
+      - 'appsec-rules/**.md'
+      - 'appsec-configs/**.md'
       - '.github/workflows/update-index.yml'
       - "*.go"
 jobs:

.github/workflows/update_taxonomy.yaml

@@ -5,8 +5,8 @@ on:
     paths:
       - "scenarios/**.yaml"
       - "scenarios/**.yml"
-      - "waap-rules/**.yaml"
-      - "waap-rules/**.yml"
+      - "appsec-rules/**.yaml"
+      - "appsec-rules/**.yml"
       - "scripts/**.py"
       - ".github/workflows/update_taxonomy.yaml"
       - "scripts/.scenariosignore"

waap-rules/crowdsecurity/crs.yaml → appsec-rules/crowdsecurity/crs.yaml

@@ -1,4 +1,3 @@
-type: waap-rule
 name: crowdsecurity/crs-waf
 seclang_rules:
  - SecRuleEngine On

waap-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml → appsec-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml

@@ -1,6 +1,5 @@
 name: crowdsecurity/vpatch-CVE-2023-40044
 description: "Detect CVE-2023-40044 exploits"
-type: waap-rule
 rules:
   - and:
     - zones:

waap-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml → appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml

@@ -1,6 +1,5 @@
 name: crowdsecurity/vpatch-CVE-2023-42793
 description: CVE-2023-42793
-type: waap-rule
 rules:
   - zones:
     - URI

ci.go

@@ -26,8 +26,8 @@ type typeInfo struct {
 	Parsers         []string               `json:"parsers,omitempty"`
 	PostOverflows   []string               `json:"postoverflows,omitempty"`
 	Scenarios       []string               `json:"scenarios,omitempty"`
-	WaapRules       []string               `json:"waap-rules,omitempty"`
-	WaapConfigs     []string               `json:"waap-configs,omitempty"`
+	AppsecRules     []string               `json:"appsec-rules,omitempty"`
+	AppsecConfigs   []string               `json:"appsec-configs,omitempty"`
 	Collections     []string               `json:"collections,omitempty"`
 }
 
@@ -39,8 +39,8 @@ type fileInfo struct {
 	Parsers       []string               `yaml:"parsers,omitempty"`
 	PostOverflows []string               `yaml:"postoverflows,omitempty"`
 	Scenarios     []string               `yaml:"scenarios,omitempty"`
-	WaapRules     []string               `yaml:"waap-rules,omitempty"`
-	WaapConfigs   []string               `yaml:"waap-configs,omitempty"`
+	AppsecRules   []string               `yaml:"appsec-rules,omitempty"`
+	AppsecConfigs []string               `yaml:"appsec-configs,omitempty"`
 	Collections   []string               `yaml:"collections,omitempty"`
 }
 
@@ -53,8 +53,8 @@ var types = []string{
 	"parsers",
 	"scenarios",
 	"postoverflows",
-	"waap-rules",
-	"waap-configs",
+	"appsec-rules",
+	"appsec-configs",
 	"collections",
 }
 

collections/crowdsecurity-waap/cisa-virtual-patching.yaml

@@ -1,13 +1,13 @@
 name: crowdsecurity-waap/cisa-virtual-patching
-waap-rules:
+appsec-rules:
   - crowdsecurity/vpatch-CVE-2023-40044
   - crowdsecurity/vpatch-CVE-2023-42793
-waap-configs:
+appsec-configs:
   - crowdsecurity/vpatch
 parsers:
-  - crowdsecurity/waap-logs
+  - crowdsecurity/appsec-logs
 scenarios:
-  - crowdsecurity/waap-vpatch
+  - crowdsecurity/appsec-vpatch
 description: "a generic virtual patching collection, suitable for most web servers"
 author: crowdsecurity-waap
 

generate.go

@@ -14,12 +14,12 @@ import (
 )
 
 const (
-	PARSER_TYPE       = "parsers"
-	SCENARIO_TYPE     = "scenarios"
-	POSTOVERFLOW_TYPE = "postoverflows"
-	WAAP_RULES_TYPE   = "waap-rules"
-	WAAP_CONFIGS_TYPE = "waap-configs"
-	COLLECTIONS_TYPE  = "collections"
+	PARSER_TYPE         = "parsers"
+	SCENARIO_TYPE       = "scenarios"
+	POSTOVERFLOW_TYPE   = "postoverflows"
+	APPSEC_RULES_TYPE   = "appsec-rules"
+	APPSEC_CONFIGS_TYPE = "appsec-configs"
+	COLLECTIONS_TYPE    = "collections"
 )
 
 func (ti *typeInfo) generate(filepath string, configType string) (string, error) {
@@ -48,7 +48,7 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
 		user = pathSplit[1]
 		configName = pathSplit[2]
 		configName = strings.Split(configName, ".")[0]
-	case SCENARIO_TYPE, WAAP_RULES_TYPE, WAAP_CONFIGS_TYPE, COLLECTIONS_TYPE:
+	case SCENARIO_TYPE, APPSEC_RULES_TYPE, APPSEC_CONFIGS_TYPE, COLLECTIONS_TYPE:
 		if len(pathSplit) != 2 {
 			return "", fmt.Errorf("invalid filepath '%s', should be : './%s/<user>/<scenario.yaml>'", configType, filepath)
 		}
@@ -119,15 +119,15 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
 		} else {
 			ti.Collections = nil
 		}
-		if len(fInfo.WaapRules) > 0 {
-			ti.WaapRules = fInfo.WaapRules
+		if len(fInfo.AppsecRules) > 0 {
+			ti.AppsecRules = fInfo.AppsecRules
 		} else {
-			ti.WaapRules = nil
+			ti.AppsecRules = nil
 		}
-		if len(fInfo.WaapConfigs) > 0 {
-			ti.WaapConfigs = fInfo.WaapConfigs
+		if len(fInfo.AppsecConfigs) > 0 {
+			ti.AppsecConfigs = fInfo.AppsecConfigs
 		} else {
-			ti.WaapConfigs = nil
+			ti.AppsecConfigs = nil
 		}
 	}
 

parsers/s01-parse/crowdsecurity/waap-logs.yaml → parsers/s01-parse/crowdsecurity/appsec-logs.yaml

@@ -1,11 +1,11 @@
 onsuccess: next_stage
 debug: true
 filter: "evt.Parsed.program == 'coraza-waap'"
-name: crowdsecurity/waap-logs
-description: "Parse WAAP events"
+name: crowdsecurity/appsec-logs
+description: "Parse Appsec events"
 statics:
   - meta: service
-    value: waap
+    value: appsec
   - meta: source_ip
     expression: "evt.Parsed.source_ip"
   - meta: target_host
@@ -15,7 +15,7 @@ statics:
   - meta: target_uri
     expression: "evt.Parsed.target_uri"
   - meta: log_type
-    value: waap-block
+    value: appsec-block
   - meta: rule_name
     expression: evt.Waap.GetName()
   - meta: rule_ids

scenarios/crowdsecurity/crowdsec-waap-inband.yaml → scenarios/crowdsecurity/crowdsec-appsec-inband.yaml

@@ -1,8 +1,8 @@
 type: trigger
 filter: evt.Parsed.program == 'crowdsec-waap' && evt.Waap.HasInBandMatches == true && evt.Parsed.action in ["deny", "drop"]
 #debug: true
-name: crowdsecurity/crowdsec-waap-inband
-description: IP has trigger an In Band CrowdSec Waap rule
+name: crowdsecurity/crowdsec-appsec-inband
+description: IP has trigger an In Band CrowdSec appsec rule
 blackhole: 2m
 labels:
   type: exploit

scripts/scenario_taxonomy.py

@@ -185,7 +185,7 @@ def main():
 
     stats = {"scenarios_ok": [], "scenarios_nok": [], "mitre": [], "behaviors": []}
     hub_scenarios_path = os.path.join(args.hub, "scenarios")
-    hub_waaprules_path = os.path.join(args.hub, "waap-rules")
+    hub_appsecrules_path = os.path.join(args.hub, "appsec-rules")
     ignore_list = list()
     if os.path.exists(args.ignore):
         ignore_list = open(args.ignore).read().split("\n")
@@ -194,7 +194,7 @@ def main():
     scenarios_taxonomy = dict()
     filepath_list = []
 
-    for r, d, f in chain.from_iterable(os.walk(path) for path in [hub_scenarios_path, hub_waaprules_path]):
+    for r, d, f in chain.from_iterable(os.walk(path) for path in [hub_scenarios_path, hub_appsecrules_path]):
         for file in f:
             if file.endswith(".yaml") or file.endswith(".yml"):
                 filepath_list.append(os.path.join(r, file))