appsec: Suspicious Attacker Blocking #2878

Open
wants to merge 3 commits into
base: main

eliottness
Contributor

@eliottness eliottness commented Sep 18, 2024

What does this PR do?

  • Copy rules_data behaviour to exclusion_data to support exclusion lists
  • Set up a new test ruleset to test SAB feature
  • Actually test the feature
  • Fix bug where disabling appsec via RC did not reset the rules to the default ones
  • Fix missing waf.RunAddressData.Scope to RASP SSRF WAF run
  • Upgrade github.com/DataDog/datadog-agent/pkg/remoteconfig/state

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

@pr-commenter

pr-commenter bot commented Sep 18, 2024

Benchmarks

Benchmark execution time: 2024-09-18 19:43:09

Comparing candidate commit 8f88b8d in PR branch eliott.bouhana/APPSEC-54194 with baseline commit b94c2c3 in branch main.

Found 2 performance improvements and 8 performance regressions! Performance is the same for 49 metrics, 0 unstable metrics.

scenario:BenchmarkExtractW3C-24

  • 🟥 execution_time [+48.436ns; +52.964ns] or [+2.013%; +2.201%]

scenario:BenchmarkInjectW3C-24

  • 🟩 execution_time [-170.581ns; -130.819ns] or [-4.067%; -3.119%]

scenario:BenchmarkPartialFlushing/Disabled-24

  • 🟥 execution_time [+10.530ms; +12.974ms] or [+3.860%; +4.756%]

scenario:BenchmarkPartialFlushing/Enabled-24

  • 🟥 execution_time [+10.128ms; +13.010ms] or [+3.653%; +4.693%]
  • 🟩 avgHeapInUse(Mb) [-8.083MB; -2.035MB] or [-11.404%; -2.871%]

scenario:BenchmarkSingleSpanRetention/no-rules-24

  • 🟥 execution_time [+12.542µs; +13.314µs] or [+5.233%; +5.555%]

scenario:BenchmarkSingleSpanRetention/with-rules/match-all-24

  • 🟥 execution_time [+12.579µs; +14.475µs] or [+5.193%; +5.976%]

scenario:BenchmarkSingleSpanRetention/with-rules/match-half-24

  • 🟥 execution_time [+12.467µs; +13.930µs] or [+5.152%; +5.757%]

scenario:BenchmarkStartSpan-24

  • 🟥 execution_time [+106.508ns; +132.292ns] or [+4.718%; +5.860%]

scenario:BenchmarkTracerAddSpans-24

  • 🟥 execution_time [+141.775ns; +157.825ns] or [+3.576%; +3.981%]

Base automatically changed from eliott.bouhana/APPSEC-54945 to main September 18, 2024 14:37
An error occurred while trying to automatically change base from eliott.bouhana/APPSEC-54945 to main September 18, 2024 14:38
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness
Contributor Author

eliottness commented Sep 18, 2024

* After receiving the order to stop appsec via RC we did not reset the ruleset to the default one
* some code in http listeners was deduplicated for RASP SSRF making SSRF RASP span tags not working
* it's 'exclusions' but it's 'exclusion_data' without an 's'

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness self-assigned this Sep 18, 2024
@eliottness eliottness marked this pull request as ready for review September 18, 2024 19:19
@eliottness eliottness requested a review from a team as a code owner September 18, 2024 19:19
@@ -199,6 +199,10 @@ func (a *appsec) stop() {
a.wafHandle.Close()
a.wafHandle = nil
}

// Reset rules edits received from the remote configuration
a.cfg.RulesManager, _ = config.NewRulesManager(nil)
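
Review bot: the error from config.NewRulesManager(nil) is discarded with `_` on the last added line in stop(), so a failure to rebuild the ruleset goes unnoticed and a.cfg.RulesManager is overwritten with whatever the constructor returns on error. Consider checking the error, logging it, and only replacing a.cfg.RulesManager on success, so a later start does not run with an unexpected or empty rule state. The comment could also say that passing nil is what selects the default rules (as the PR description implies), since that is not obvious from the call site.
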
Contributor

IIRC, Christophe has added start and stop system tests which you can probably use to further validate this.

Contributor Author

I already enabled them yes

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
2 participants