feat(#3343): WAF integration tests (#3763)

* feat(#3343): Add basic test for aws WAF integration * feat(#3343): Add data generator for WAF type * feat(#3343): Add remove_from_bucket test for aws WAF integration * feat(#3343): Add schema for WAF table * feat(#3343): Add only_logs_after tests for aws WAF integration * feat(#3343): Add path tests for aws WAF integration * feat(#3343): Add discard_regex tests for aws WAF integration * feat(#3343): Add only_logs_after tier 1 for aws WAF integration * style(#3343): Apply suggestions from code review Co-authored-by: Facundo Dalmau <[email protected]> * refactor(#3343): Improve discard_regex test findings --------- Co-authored-by: Facundo Dalmau <[email protected]>
wazuh · Apr 26, 2023 · 497207e · 497207e
1 parent 582d62e
commit 497207e
Show file tree

Hide file tree

Showing 10 changed files with 201 additions and 3 deletions.
diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py b/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py
@@ -40,3 +40,4 @@
 CUSTOM_TYPE = 'custom'
 GUARD_DUTY_TYPE = 'guardduty'
 NATIVE_GUARD_DUTY_TYPE = 'native-guardduty'
+WAF_TYPE = 'waf'
diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py b/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py
@@ -834,7 +834,7 @@ def get_filename(self) -> str:
  Returns:
  str: Synthetic filename.
  """
- now = datetime.now()
+ now = datetime.utcnow()
  path = join(self.BASE_PATH, now.strftime(cons.PATH_DATE_FORMAT))
  name = f"{str(uuid4())}{cons.JSON_GZ_EXT}"
 
@@ -962,6 +962,94 @@ def get_data_sample(self) -> str:
  ) + '\n'
 
 
+class WAFDataGenerator(DataGenerator):
+ BASE_PATH = ''
+ BASE_FILE_NAME = "aws-waf-logs-delivery-stream-1-"
+
+ def get_filename(self) -> str:
+ """Return the filename in the KMS format.
+
+ Example:
+ <prefix>/<year>/<month>/<day>
+ Returns:
+ str: Synthetic filename.
+ """
+ now = datetime.utcnow()
+ path = join(self.BASE_PATH, now.strftime(cons.PATH_DATE_FORMAT))
+ name = f"{self.BASE_FILE_NAME}{now.strftime(cons.FILENAME_DATE_FORMAT)}{cons.JSON_EXT}"
+
+ return join(path, name)
+
+ def get_data_sample(self) -> str:
+ """Return a sample of data according to the cloudtrail format.
+
+ Returns:
+ str: Synthetic data.
+ """
+ return json.dumps(
+ {
+ 'timestamp': 1576280412771,
+ 'formatVersion': 1,
+ 'webaclId': (
+ f"arn:aws:wafv2:ap-southeast-2:{cons.RANDOM_ACCOUNT_ID}:regional/"
+ 'webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE'
+ ),
+ 'terminatingRuleId': 'STMTest_SQLi_XSS',
+ 'terminatingRuleType': 'REGULAR',
+ 'action': 'BLOCK',
+ 'terminatingRuleMatchDetails': [
+ {
+ 'conditionType': 'SQL_INJECTION',
+ 'sensitivityLevel': 'HIGH',
+ 'location': 'HEADER',
+ 'matchedData': [
+ '10',
+ 'AND',
+ '1'
+ ]
+ }
+ ],
+ 'httpSourceName': '-',
+ 'httpSourceId': '-',
+ 'ruleGroupList': [],
+ 'rateBasedRuleList': [],
+ 'nonTerminatingMatchingRules': [],
+ 'httpRequest': {
+ 'clientIp': get_random_ip(),
+ 'country': 'AU',
+ 'headers': [
+ {
+ 'name': 'Host',
+ 'value': 'localhost:1989'
+ },
+ {
+ 'name': 'User-Agent',
+ 'value': 'curl/7.61.1'
+ },
+ {
+ 'name': 'Accept',
+ 'value': '*/*'
+ },
+ {
+ 'name': 'x-stm-test',
+ 'value': '10 AND 1=1'
+ }
+ ],
+ 'uri': '/myUri',
+ 'args': '',
+ 'httpVersion': 'HTTP/1.1',
+ 'httpMethod': 'GET',
+ 'requestId': 'rid'
+ },
+ 'labels': [
+ {
+ 'name': 'value'
+ }
+ ]
+ }
+ )
+
+
 # Maps bucket type with corresponding data generator
 buckets_data_mapping = {
  cons.CLOUD_TRAIL_TYPE: CloudTrailDataGenerator,
@@ -974,7 +1062,8 @@ def get_data_sample(self) -> str:
  cons.MACIE_TYPE: MacieDataGenerator,
  cons.TRUSTED_ADVISOR_TYPE: TrustedAdvisorDataGenerator,
  cons.GUARD_DUTY_TYPE: GuardDutyDataGenerator,
- cons.NATIVE_GUARD_DUTY_TYPE: NativeGuardDutyDataGenerator
+ cons.NATIVE_GUARD_DUTY_TYPE: NativeGuardDutyDataGenerator,
+ cons.WAF_TYPE: WAFDataGenerator,
 }
 
 

diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py b/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py
@@ -12,6 +12,7 @@
  NLB_TYPE,
  S3_CLOUDTRAIL_DB_PATH,
  VPC_FLOW_TYPE,
+ WAF_TYPE
 )
 
 SELECT_QUERY_TEMPLATE = 'SELECT * FROM {table_name}'
@@ -36,14 +37,19 @@
  'S3GuardDutyRow', 'bucket_path aws_account_id log_key processed_date created_date'
 )
 
+S3WAFRow = namedtuple(
+ 'S3WAFRow', 'bucket_path aws_account_id log_key processed_date created_date'
+)
+
 s3_rows_map = {
  CLOUD_TRAIL_TYPE: S3CloudTrailRow,
  VPC_FLOW_TYPE: S3VPCFlowRow,
  ALB_TYPE: S3ALBRow,
  CLB_TYPE: S3ALBRow,
  NLB_TYPE: S3ALBRow,
  CUSTOM_TYPE: S3CustomRow,
- GUARD_DUTY_TYPE: S3GuardDutyRow
+ GUARD_DUTY_TYPE: S3GuardDutyRow,
+ WAF_TYPE: S3WAFRow
 }
 
 

diff --git a/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml b/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml
@@ -96,3 +96,12 @@
  metadata:
  bucket_type: guardduty
  bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_defaults
+ description: WAF default configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
diff --git a/...s/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml b/...s/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml
@@ -173,3 +173,19 @@
  discard_regex: aws-test
  found_logs: 3
  skipped_logs: 1
+
+- name: waf_discard_regex
+ description: WAF discard regex configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ DISCARD_FIELD: action
+ DISCARD_REGEX: ALLOW
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ discard_field: action
+ discard_regex: ALLOW
+ found_logs: 3
+ skipped_logs: 1
diff --git a/...ntegration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml b/...ntegration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml
@@ -84,3 +84,10 @@
  bucket_name: wazuh-native-guardduty-integration-tests
  expected_skipped_logs_step_3: 3
  expected_skipped_logs_step_4: 3
+
+- name: waf_only_logs_after_multiple_calls
+ description: WAF only_logs_after multiple calls configurations
+ configuration_parameters:
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
diff --git a/...tion/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml b/...tion/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml
@@ -129,3 +129,15 @@
  bucket_name: wazuh-native-guardduty-integration-tests
  only_logs_after: 2022-NOV-20
  expected_results: 3
+
+- name: waf_with_only_logs_after
+ description: WAF only logs after configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ ONLY_LOGS_AFTER: 2022-NOV-20
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ expected_results: 3
diff --git a/...n/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml b/...n/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml
@@ -107,3 +107,13 @@
  bucket_type: guardduty
  bucket_name: wazuh-native-guardduty-integration-tests
  expected_results: 1
+
+- name: waf_without_only_logs_after
+ description: WAF only logs after configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ expected_results: 1
diff --git a/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml b/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml
@@ -426,3 +426,42 @@
  only_logs_after: 2022-NOV-20
  path: inexistent_prefix
  expected_results: 0
+
+- name: waf_path_with_data
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: test_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: test_prefix
+ expected_results: 1
+
+- name: waf_path_without_data
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: empty_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: empty_prefix
+ expected_results: 0
+
+- name: waf_inexistent_path
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: inexistent_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: inexistent_prefix
+ expected_results: 0
diff --git a/...ion/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml b/...ion/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
@@ -96,3 +96,12 @@
  metadata:
  bucket_type: guardduty
  bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_remove_from_bucket
+ description: WAF remove from bucket configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests