From 3fe919bbe7b0c070de3043714d7ce6e827b32979 Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Thu, 7 Dec 2023 17:36:04 +0100 Subject: [PATCH 1/3] Unique context for appsec event --- pkg/acquisition/modules/appsec/utils.go | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/pkg/acquisition/modules/appsec/utils.go b/pkg/acquisition/modules/appsec/utils.go index e43313a19bf..a2bd4ddff2d 100644 --- a/pkg/acquisition/modules/appsec/utils.go +++ b/pkg/acquisition/modules/appsec/utils.go @@ -63,18 +63,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) { alert.Meta = append(alert.Meta, &meta) } } - for _, key := range evt.Appsec.MatchedRules.GetMatchedZones() { - valueByte, err := json.Marshal([]string{key}) - if err != nil { - log.Debugf("unable to serialize key %s", key) - continue - } - meta := models.MetaItems0{ - Key: "matched_zones", - Value: string(valueByte), - } - alert.Meta = append(alert.Meta, &meta) - } + alert.EventsCount = ptr.Of(int32(1)) alert.Leakspeed = ptr.Of("") alert.Scenario = ptr.Of(inEvt.Appsec.MatchedRules.GetName()) From d9466f15c15aedb8827d7a747421ce74b6616ed2 Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Thu, 7 Dec 2023 18:01:21 +0100 Subject: [PATCH 2/3] Fix metrics --- .../modules/appsec/appsec_runner.go | 23 +++++++++++++++---- pkg/acquisition/modules/appsec/metrics.go | 2 +- pkg/types/appsec_event.go | 7 +++++- 3 files changed, 25 insertions(+), 7 deletions(-) diff --git a/pkg/acquisition/modules/appsec/appsec_runner.go b/pkg/acquisition/modules/appsec/appsec_runner.go index 086060b4657..0287d2fa169 100644 --- a/pkg/acquisition/modules/appsec/appsec_runner.go +++ b/pkg/acquisition/modules/appsec/appsec_runner.go 
@@ -298,8 +298,9 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) { request.IsInBand = true request.IsOutBand = false - //to measure the time spent in the Application Security Engine - startParsing := time.Now() + //to measure the time spent in the Application Security Engine for InBand rules + startInBandParsing := time.Now() + startGlobalParsing := time.Now() //inband appsec rules err := r.ProcessInBandRules(request) @@ -308,13 +309,14 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) { return } + // time spent to process in band rules + inBandParsingElapsed := time.Since(startInBandParsing) + AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(inBandParsingElapsed.Seconds()) + if request.Tx.IsInterrupted() { r.handleInBandInterrupt(request) } - elapsed := time.Since(startParsing) - AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds()) - // send back the result to the HTTP handler for the InBand part request.ResponseChannel <- r.AppsecRuntime.Response 
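Review bot: In the second hunk on this line (`@@ -308,13 +309,14 @@`), the in-band `Observe` call sits after the early `return` shown as context at the top of the hunk, presumably the error branch of `ProcessInBandRules`. A request on which that call fails therefore leaves no sample in the in-band histogram. The out-of-band and global observations in the `@@ -325,12 +327,23 @@` hunk have the same shape: both follow the `return` taken when `ProcessOutOfBandRules` errors. Requests that make the engine error out are often the slow or malformed ones an operator most wants to see in a WAF latency histogram, so consider taking `inBandParsingElapsed := time.Since(startInBandParsing)` and calling `Observe` directly under `err := r.ProcessInBandRules(request)`, before the error check. The `if err != nil` line falls between the two hunks, and `handleRequest` starts and ends outside them.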
@@ -325,12 +327,23 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) { r.AppsecRuntime.Response.SendAlert = false r.AppsecRuntime.Response.SendEvent = true + //to measure the time spent in the Application Security Engine for OutOfBand rules + startOutOfBandParsing := time.Now() + err = r.ProcessOutOfBandRules(request) if err != nil { logger.Errorf("unable to process OutOfBand rules: %s", err) return } + // time spent to process out of band rules + outOfBandParsingElapsed := time.Since(startOutOfBandParsing) + AppsecOutbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(outOfBandParsingElapsed.Seconds()) + + // time spent to process inband AND out of band rules + globalParsingElapsed := time.Since(startGlobalParsing) + AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(globalParsingElapsed.Seconds()) + if request.Tx.IsInterrupted() { r.handleOutBandInterrupt(request) } diff --git a/pkg/acquisition/modules/appsec/metrics.go b/pkg/acquisition/modules/appsec/metrics.go index 9aa3c8bde7a..44debc75aff 100644 --- a/pkg/acquisition/modules/appsec/metrics.go +++ b/pkg/acquisition/modules/appsec/metrics.go @@ -15,7 +15,7 @@ var AppsecInbandParsingHistogram = prometheus.NewHistogramVec( prometheus.HistogramOpts{ Help: "Time spent processing a request by the inband Application Security Engine.", Name: "cs_appsec_inband_parsing_time_seconds", - Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01}, + Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}, }, []string{"source"}, ) diff --git a/pkg/types/appsec_event.go b/pkg/types/appsec_event.go index 4cd5d8f585f..dc81c63b344 100644 --- a/pkg/types/appsec_event.go +++ b/pkg/types/appsec_event.go @@ -2,6 +2,7 @@ package types import ( "regexp" + "slices" log "github.com/sirupsen/logrus" ) 
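Review bot: `globalParsingElapsed` is measured from `startGlobalParsing`, which is set before the in-band pass, so it also counts the `request.ResponseChannel <- r.AppsecRuntime.Response` send shown at the end of the previous hunk and everything else between the two passes. If that channel is unbuffered (its declaration is not in this diff), `cs_appsec_parsing_time_seconds` includes the time the runner waits for the HTTP handler to receive, which is not engine time and would skew any alerting built on it. If the intent is in-band plus out-of-band rule time, observe the sum instead, `AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe((inBandParsingElapsed + outOfBandParsingElapsed).Seconds())`, which also makes `startGlobalParsing` unnecessary. Otherwise add a comment stating that the global figure is wall-clock time including the response hand-off. `handleRequest` begins and ends outside this hunk.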
@@ -132,7 +133,11 @@ func (w MatchedRules) GetMatchedZones() []string { ret := make([]string, 0) for _, rule := range w { - ret = append(ret, rule["matched_zones"].([]string)...) + for _, zone := range rule["matched_zones"].([]string) { + if !slices.Contains(ret, zone) { + ret = append(ret, zone) + } + } } return ret } From 6b2d0b19d2f8160bc806dc3f5f927c1c94285467 Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Thu, 7 Dec 2023 18:02:22 +0100 Subject: [PATCH 3/3] fix buckets metrics for appsec --- pkg/acquisition/modules/appsec/metrics.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/acquisition/modules/appsec/metrics.go b/pkg/acquisition/modules/appsec/metrics.go index 44debc75aff..8efa5631338 100644 --- a/pkg/acquisition/modules/appsec/metrics.go +++ b/pkg/acquisition/modules/appsec/metrics.go @@ -6,7 +6,7 @@ var AppsecGlobalParsingHistogram = prometheus.NewHistogramVec( prometheus.HistogramOpts{ Help: "Time spent processing a request by the Application Security Engine.", Name: "cs_appsec_parsing_time_seconds", - Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01}, + Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}, }, []string{"source"}, ) @@ -15,7 +15,7 @@ var AppsecInbandParsingHistogram = prometheus.NewHistogramVec( prometheus.HistogramOpts{ Help: "Time spent processing a request by the inband Application Security Engine.", Name: "cs_appsec_inband_parsing_time_seconds", - Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}, + Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}, }, []string{"source"}, ) 
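Review bot: The new inner loop keeps the unchecked assertion `rule["matched_zones"].([]string)`, which panics when a rule entry has no `matched_zones` key or holds the value under another type (for example `[]interface{}`). One malformed entry would then panic in whatever calls `GetMatchedZones` instead of just contributing no zones. Use the comma-ok form and skip the entry: `zones, ok := rule["matched_zones"].([]string)` followed by `if !ok { continue }`, then range over `zones`. The `slices.Contains` scan is quadratic in the number of zones, which is acceptable only while that list stays small. The function signature appears in the hunk header rather than in the hunk body.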
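Review bot: The same bucket literal is now written out three times: in the `@@ -6,7 +6,7 @@` and `@@ -15,7 +15,7 @@` hunks for `AppsecGlobalParsingHistogram` and `AppsecInbandParsingHistogram`, and in the `@@ -24,7 +24,7 @@` hunk for `AppsecOutbandParsingHistogram`. The previous patch in this series changed only the in-band copy, and this one apparently has to bring all three back in line. Declare the scale once, e.g. `var appsecParsingBuckets = []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}`, and set `Buckets: appsecParsingBuckets` in each histogram. The smallest bucket is now 5 ms where the old scale topped out at 10 ms, so dashboards or alert rules keyed on the old `le` values will need updating.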
@@ -24,7 +24,7 @@ var AppsecOutbandParsingHistogram = prometheus.NewHistogramVec( prometheus.HistogramOpts{ Help: "Time spent processing a request by the Application Security Engine.", Name: "cs_appsec_outband_parsing_time_seconds", - Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01}, + Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1}, }, []string{"source"}, )
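Review bot: `AppsecOutbandParsingHistogram` keeps the Help string "Time spent processing a request by the Application Security Engine.", which is word for word the Help of the global histogram, while the in-band one says "inband". Now that this series starts feeding the metric from `handleRequest`, the text exposed on the metrics endpoint should say which pass it measures, e.g. `Help: "Time spent processing a request by the outband Application Security Engine.",`. The Help line is context in this hunk, so this is a follow-up rather than a change to the edited `Buckets` line.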