diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py b/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py
index ceef20fd67..da948eb80c 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/aws/constants.py
@@ -40,3 +40,4 @@
 CUSTOM_TYPE = 'custom'
 GUARD_DUTY_TYPE = 'guardduty'
 NATIVE_GUARD_DUTY_TYPE = 'native-guardduty'
+WAF_TYPE = 'waf'
diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py b/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py
index 3c77be598d..81785d545f 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/aws/data_generator.py
@@ -834,7 +834,7 @@ def get_filename(self) -> str:
 Returns:
 str: Synthetic filename.
 """
- now = datetime.now()
+ now = datetime.utcnow()
 path = join(self.BASE_PATH, now.strftime(cons.PATH_DATE_FORMAT))
 name = f"{str(uuid4())}{cons.JSON_GZ_EXT}"
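Review bot: `datetime.utcnow()` on the replacement line is deprecated as of Python 3.12 and slated for removal, so swapping it in for `datetime.now()` trades one problem for another; the timezone-aware form `now = datetime.now(timezone.utc)` produces the same `strftime` output for `PATH_DATE_FORMAT` as long as that format carries no `%z`/`%Z` directive. `timezone` lives in the stdlib `datetime` module; the file's import block is outside this hunk, so add `from datetime import timezone` if it is not already there. The same call is introduced in `WAFDataGenerator.get_filename` in the next hunk and should change with it. `get_filename` itself starts and ends outside this hunk.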
@@ -962,6 +962,94 @@ def get_data_sample(self) -> str:
 ) + '\n'
+class WAFDataGenerator(DataGenerator):
+ BASE_PATH = ''
+ BASE_FILE_NAME = "aws-waf-logs-delivery-stream-1-"
+
+ def get_filename(self) -> str:
+ """Return the filename in the KMS format.
+
+ Example:
+ ///
+ Returns:
+ str: Synthetic filename.
+ """
+ now = datetime.utcnow()
+ path = join(self.BASE_PATH, now.strftime(cons.PATH_DATE_FORMAT))
+ name = f"{self.BASE_FILE_NAME}{now.strftime(cons.FILENAME_DATE_FORMAT)}{cons.JSON_EXT}"
+
+ return join(path, name)
+
+ def get_data_sample(self) -> str:
+ """Return a sample of data according to the cloudtrail format.
+
+ Returns:
+ str: Synthetic data.
+ """
+ return json.dumps(
+ {
+ 'timestamp': 1576280412771,
+ 'formatVersion': 1,
+ 'webaclId': (
+ f"arn:aws:wafv2:ap-southeast-2:{cons.RANDOM_ACCOUNT_ID}:regional/"
+ 'webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE'
+ ),
+ 'terminatingRuleId': 'STMTest_SQLi_XSS',
+ 'terminatingRuleType': 'REGULAR',
+ 'action': 'BLOCK',
+ 'terminatingRuleMatchDetails': [
+ {
+ 'conditionType': 'SQL_INJECTION',
+ 'sensitivityLevel': 'HIGH',
+ 'location': 'HEADER',
+ 'matchedData': [
+ '10',
+ 'AND',
+ '1'
+ ]
+ }
+ ],
+ 'httpSourceName': '-',
+ 'httpSourceId': '-',
+ 'ruleGroupList': [],
+ 'rateBasedRuleList': [],
+ 'nonTerminatingMatchingRules': [],
+ 'httpRequest': {
+ 'clientIp': get_random_ip(),
+ 'country': 'AU',
+ 'headers': [
+ {
+ 'name': 'Host',
+ 'value': 'localhost:1989'
+ },
+ {
+ 'name': 'User-Agent',
+ 'value': 'curl/7.61.1'
+ },
+ {
+ 'name': 'Accept',
+ 'value': '*/*'
+ },
+ {
+ 'name': 'x-stm-test',
+ 'value': '10 AND 1=1'
+ }
+ ],
+ 'uri': '/myUri',
+ 'args': '',
+ 'httpVersion': 'HTTP/1.1',
+ 'httpMethod': 'GET',
+ 'requestId': 'rid'
+ },
+ 'labels': [
+ {
+ 'name': 'value'
+ }
+ ]
+ }
+ )
+
+
 # Maps bucket type with corresponding data generator
 buckets_data_mapping = {
 cons.CLOUD_TRAIL_TYPE: CloudTrailDataGenerator,
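Review bot: Both docstrings in the new `WAFDataGenerator` were copied from other generators and describe the wrong thing: `get_filename` claims "Return the filename in the KMS format" with an `Example:` body of just `///`, and `get_data_sample` says "according to the cloudtrail format" while the payload is a WAF web ACL log record. Suggested wording is `"""Return the filename in the WAF log delivery format.` followed by an example assembled from the visible pieces, e.g. `<BASE_PATH>/<PATH_DATE_FORMAT>/aws-waf-logs-delivery-stream-1-<FILENAME_DATE_FORMAT>.json` (the two date formats are defined in `cons`, outside this hunk, so the placeholders should be replaced with the real values), and `"""Return a sample of data according to the WAF log format.` for the second method. Separately, the preceding generator's `get_data_sample` appends a newline to its record (the hunk's first context line, `) + '\n'`) whereas this one returns bare `json.dumps(...)`; if the WAF parser expects newline-delimited records the omission matters, so it is worth confirming against the consumer before relying on the synthetic file.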
@@ -974,7 +1062,8 @@ def get_data_sample(self) -> str:
 cons.MACIE_TYPE: MacieDataGenerator,
 cons.TRUSTED_ADVISOR_TYPE: TrustedAdvisorDataGenerator,
 cons.GUARD_DUTY_TYPE: GuardDutyDataGenerator,
- cons.NATIVE_GUARD_DUTY_TYPE: NativeGuardDutyDataGenerator
+ cons.NATIVE_GUARD_DUTY_TYPE: NativeGuardDutyDataGenerator,
+ cons.WAF_TYPE: WAFDataGenerator,
 }
diff --git a/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py b/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py
index 674b39c31f..9e949c6272 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/aws/db_utils.py
@@ -12,6 +12,7 @@
 NLB_TYPE,
 S3_CLOUDTRAIL_DB_PATH,
 VPC_FLOW_TYPE,
+ WAF_TYPE
 )
 SELECT_QUERY_TEMPLATE = 'SELECT * FROM {table_name}'
@@ -36,6 +37,10 @@
 'S3GuardDutyRow', 'bucket_path aws_account_id log_key processed_date created_date'
 )
+S3WAFRow = namedtuple(
+ 'S3WAFRow', 'bucket_path aws_account_id log_key processed_date created_date'
+)
+
 s3_rows_map = {
 CLOUD_TRAIL_TYPE: S3CloudTrailRow,
 VPC_FLOW_TYPE: S3VPCFlowRow,
@@ -43,7 +48,8 @@
 CLB_TYPE: S3ALBRow,
 NLB_TYPE: S3ALBRow,
 CUSTOM_TYPE: S3CustomRow,
- GUARD_DUTY_TYPE: S3GuardDutyRow
+ GUARD_DUTY_TYPE: S3GuardDutyRow,
+ WAF_TYPE: S3WAFRow
 }
diff --git a/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml b/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml
index ee003894a0..25aa5bf0bb 100644
--- a/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml
+++ b/tests/integration/test_aws/data/test_cases/basic_test_module/cases_defaults.yaml
@@ -96,3 +96,12 @@
 metadata:
 bucket_type: guardduty
 bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_defaults
+ description: WAF default configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
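Review bot: `S3WAFRow` in the `@@ -36,6 +37,10 @@` hunk of db_utils.py declares exactly the same five fields as `S3GuardDutyRow`, and the file already shares one row type across bucket types with an identical schema (`CLB_TYPE: S3ALBRow` and `NLB_TYPE: S3ALBRow` in the following hunk), so `WAF_TYPE: S3GuardDutyRow` would avoid a second namedtuple unless the distinct type name is needed in output or assertions, which the call sites outside this diff would have to confirm. A smaller style point in the same file: the added `+ WAF_TYPE` in the import list drops the trailing comma its neighbours carry (`VPC_FLOW_TYPE,`), and the new last map entry `WAF_TYPE: S3WAFRow` does the same; `WAF_TYPE,` and `WAF_TYPE: S3WAFRow,` keep the next addition to a one-line diff, as the data_generator.py hunk on this line already does with `cons.WAF_TYPE: WAFDataGenerator,`.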
diff --git a/tests/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml b/tests/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml
index 94bfb219b3..a03442f24d 100644
--- a/tests/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml
+++ b/tests/integration/test_aws/data/test_cases/discard_regex_test_module/cases_discard_regex.yaml
@@ -173,3 +173,19 @@
 discard_regex: aws-test
 found_logs: 3
 skipped_logs: 1
+
+- name: waf_discard_regex
+ description: WAF discard regex configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ DISCARD_FIELD: action
+ DISCARD_REGEX: ALLOW
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ discard_field: action
+ discard_regex: ALLOW
+ found_logs: 3
+ skipped_logs: 1
diff --git a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml
index 2b664de889..2bc3d037c4 100644
--- a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml
+++ b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_multiple_calls.yaml
@@ -84,3 +84,10 @@
 bucket_name: wazuh-native-guardduty-integration-tests
 expected_skipped_logs_step_3: 3
 expected_skipped_logs_step_4: 3
+
+- name: waf_only_logs_after_multiple_calls
+ description: WAF only_logs_after multiple calls configurations
+ configuration_parameters:
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
diff --git a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml
index 4089c050fd..e7b11687f7 100644
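Review bot: `waf_discard_regex` expects `skipped_logs: 1` with `DISCARD_FIELD: action` and `DISCARD_REGEX: ALLOW`, but the `WAFDataGenerator.get_data_sample` added in this same commit always emits `'action': 'BLOCK'`, so no generated record can ever match the discard regex. The expectation can only hold if the fixture uploads a hand-made record whose `action` is `ALLOW`, or the bucket already holds one, and nothing in this diff shows either. If the test data comes solely from the generator, either the expectation should read `skipped_logs: 0` or the regex should target a value the generator produces (for instance `DISCARD_REGEX: BLOCK` with `found_logs`/`skipped_logs` adjusted to match), so this is worth checking against the discard_regex test module before merging.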
--- a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml
+++ b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_with_only_logs_after.yaml
@@ -129,3 +129,15 @@
 bucket_name: wazuh-native-guardduty-integration-tests
 only_logs_after: 2022-NOV-20
 expected_results: 3
+
+- name: waf_with_only_logs_after
+ description: WAF only logs after configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ ONLY_LOGS_AFTER: 2022-NOV-20
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ expected_results: 3
diff --git a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml
index 6ef2d1ef16..0355a309fe 100644
--- a/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml
+++ b/tests/integration/test_aws/data/test_cases/only_logs_after_test_module/cases_without_only_logs_after.yaml
@@ -107,3 +107,13 @@
 bucket_type: guardduty
 bucket_name: wazuh-native-guardduty-integration-tests
 expected_results: 1
+
+- name: waf_without_only_logs_after
+ description: WAF only logs after configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ expected_results: 1
diff --git a/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml b/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml
index 9a548a9b8c..ae64f529a3 100644
--- a/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml
+++ b/tests/integration/test_aws/data/test_cases/path_test_module/cases_path.yaml
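Review bot: `waf_without_only_logs_after` in cases_without_only_logs_after.yaml reuses the description `WAF only logs after configurations` verbatim from the "with" case, so the two cases read identically in test reports even though this one deliberately omits `ONLY_LOGS_AFTER`; `description: WAF without only_logs_after configurations` keeps them apart. The three `waf_path_*` cases in the cases_path.yaml hunk on the next line share `description: WAF path configurations` the same way, and `WAF path with data`, `WAF path without data` and `WAF inexistent path` would mirror their `name` fields. If the surrounding guardduty cases follow the same copy-paste pattern this is an inherited convention rather than a regression, but the new entries need not carry it forward.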
@@ -426,3 +426,42 @@
 only_logs_after: 2022-NOV-20
 path: inexistent_prefix
 expected_results: 0
+
+- name: waf_path_with_data
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: test_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: test_prefix
+ expected_results: 1
+
+- name: waf_path_without_data
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: empty_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: empty_prefix
+ expected_results: 0
+
+- name: waf_inexistent_path
+ description: WAF path configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ PATH: inexistent_prefix
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests
+ only_logs_after: 2022-NOV-20
+ path: inexistent_prefix
+ expected_results: 0
diff --git a/tests/integration/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml b/tests/integration/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
index 04fd8994cf..62a6bb8721 100644
--- a/tests/integration/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
+++ b/tests/integration/test_aws/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
@@ -96,3 +96,12 @@
 metadata:
 bucket_type: guardduty
 bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_remove_from_bucket
+ description: WAF remove from bucket configurations
+ configuration_parameters:
+ BUCKET_TYPE: waf
+ BUCKET_NAME: wazuh-waf-integration-tests
+ metadata:
+ bucket_type: waf
+ bucket_name: wazuh-waf-integration-tests