
Adds XDR Custom Rule to Block Log4j Exploit

May require manually removing the xdr custom ruleset first.
Fred Damstra [afs macbook] 3 lat temu
rodzic
commit
fb88629d3a
2 zmienionych plików z 77 dodań i 3 usunięć
  1. 2 1
      submodules/wafv2/blocklist.tf
  2. 75 2
      submodules/wafv2/waf.tf

+ 2 - 1
submodules/wafv2/blocklist.tf

@@ -3,6 +3,7 @@ locals {
     "172.16.0.0/12",
     "192.168.0.0/16",
     "169.254.0.0/16",
-    "127.0.0.0/8"
+    "127.0.0.0/8",
+    "45.155.205.233/32" # 2021-12-10 russian log4j attacker
   ]
 }
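Review bot: The added `45.155.205.233/32` is a single observed source address placed in a list whose other entries are reserved ranges that never change, so nothing in the file marks when it should be re-evaluated or removed. Suggest recording that in the comment, e.g. `"45.155.205.233/32" # 2021-12-10 log4j scanner; revisit after <YYYY-MM-DD>`, or keeping short-lived indicators in their own local so they can be pruned without touching the reserved ranges. The `locals` block begins before this hunk.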

+ 75 - 2
submodules/wafv2/waf.tf

@@ -40,9 +40,9 @@ resource "aws_wafv2_ip_set" "allowed" {
 }
 
 resource "aws_wafv2_rule_group" "xdr_custom_rules" {
-  name = "${local.waf_name}_xdr_custom_rules"
+  name = "${local.waf_name}_xdr_custom_rules_rev2" # update name when updating
   scope    = "REGIONAL"
-  capacity = 1
+  capacity = 50
 
   # Note, there is visibilty config for the group and for the rule
   visibility_config {
@@ -78,8 +78,79 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
       metric_name                = "Block_Nonpermitted_Countries"
       sampled_requests_enabled   = true
     }
+
+#    rule_label {
+#      name = "xdr_custom:nonpermittedcountry"
+#    }
   }
 
+  rule {
+    name = "Block_log4j_Exploit_20211210"
+    action {
+      block {}
+    }
+    priority = 110
+
+    #rule_label {
+    #  name = "xdr_custom:log4j"
+    #}
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "Block_Log4j_exploit_20211210"
+      sampled_requests_enabled   = true
+    }
+
+    statement {
+      or_statement {
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:ldap://"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:rmi:"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:dns:"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+      }  
+    }
+  }
   # Add additional custom rules here
 
   lifecycle {
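Review bot: The new Block_log4j_Exploit_20211210 rule inspects only the `user-agent` header with `STARTS_WITH`, so the same literal `${jndi:` prefix in any other request field, or anywhere but the very start of that header, is outside its coverage; from a defensive standpoint a `CONTAINS` match over additional fields (query string, body, other headers) or the managed `AWSManagedRulesKnownBadInputsRuleSet` group, which added Log4j coverage at the time, gives broader cover, and the fixed set of three scheme prefixes will need upkeep. The `$${` in each `search_string` deserves a comment because it reads like a missing escape: `# "$$" escapes Terraform interpolation; WAF receives the literal "${jndi:ldap://"`. The three byte_match_statement blocks differ only in `search_string`; a `dynamic "statement"` over a list of prefixes keeps them in step and makes adding a prefix a one-line change, as sketched below. The enclosing `aws_wafv2_rule_group` resource starts before and ends after this hunk.
```hcl
    statement {
      or_statement {
        # One byte_match_statement per prefix; "$$" escapes Terraform
        # interpolation, so WAF receives the literal "${jndi:...".
        dynamic "statement" {
          for_each = ["$${jndi:ldap://", "$${jndi:rmi:", "$${jndi:dns:"]
          content {
            byte_match_statement {
              field_to_match {
                single_header {
                  name = "user-agent"
                }
              }
              positional_constraint = "STARTS_WITH"
              search_string         = statement.value
              text_transformation {
                priority = 2
                type     = "LOWERCASE"
              }
            }
          }
        }
      }
    }
```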
@@ -183,6 +254,8 @@ module "wafv2" {
       "priority": 560
     }
   ]
+
+  depends_on = [ aws_wafv2_rule_group.xdr_custom_rules ]
   tags = var.tags
 }