Initial commit for script to help determine WAF exclusions. #301

Merged
merged 1 commit into from
Nov 2, 2023
@@ -1 +1,42 @@
# Python script to create exclusion for multiple rule signatures in Azure WAF
# generate_waf_exclusion.py

This script takes an export of a log query that shows blocks and outputs a de-duped, sorted lst of arguments and what rules were found to be problematic. It can be used to generate WAF exclusions where necessary based on what's present in the logs.

## Samply Query

A sample KQL to export the blocked URLs is:

```
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s =="Blocked"
| distinct requestUri_s, ruleId_s
```

## Usage

`python generate_waf_exclusion.py query_data.csv`

## Output

This is an output sample that can be used to then base WAF exclusions off of.

```
dashboard 942200
dashboard 942260
dashboard 942340
selection 942200
selection 942260
selection 942330
selection 942340
selection 942430
stickySessionKey 942200
stickySessionKey 942260
stickySessionKey 942300
stickySessionKey 942340
stickySessionKey 942370
stickySessionKey 942430
RegionRect 942260
RegionRect 942370
RegionRect 942430
```
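Review bot: The sample KQL in this README does not produce the column the script reads: the query ends with `| distinct requestUri_s, ruleId_s`, while generate_waf_exclusion.py looks up `row[headers.index('details_data_s')]`, the column carrying the `ARGS:<name>` match data, so a CSV exported from this exact query will fail that header lookup with a ValueError. Either add `details_data_s` to the `distinct` line or replace it with a `project` of the columns the script actually consumes (`ruleId_s`, `details_data_s`). Two typos while here: the heading "Samply Query" should read "Sample Query", and "de-duped, sorted lst of arguments" should read "list of arguments". It would also help readers of the Output section to say that the second column is the CRS rule id that fired and that rule 949110 (the inbound anomaly-score summary rule) is intentionally dropped, since that is the filter the script applies.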
@@ -0,0 +1,28 @@
import csv
import re

def main(argv):
p = re.compile('ARGS:([^:]*)')
entries = []
with open(argv[1]) as f:
rows = csv.reader(f)
headers = next(rows)
for row in rows:
ruleID = row[headers.index('ruleId_s')]
if ruleID != 949110:
details = row[headers.index('details_data_s')]
m = p.findall(details)
try:
entries.append((m[0], ruleID))
except:
pass
unique_entries = sorted(set(entries))
for argument, rule in unique_entries:
print(f'{argument:<30s} {rule:>20s}')

if __name__ == "__main__":
import sys
if len(sys.argv) == 2:
main(sys.argv)
else:
print(f' Usage: Script <csv_log_file.csv>')
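Review bot: The filter `if ruleID != 949110:` never excludes anything, because `csv.reader` yields strings and the comparison is against an int; compare against `'949110'` (or cast the cell with `int()`) so the anomaly-score summary rule is actually dropped from the output as intended. The bare `except: pass` around `entries.append((m[0], ruleID))` hides every error, not only the IndexError from an empty `findall` result; replace it with `if m:` and consider whether keeping only `m[0]` is enough, since one `details_data_s` cell can contain several `ARGS:` names and the rest are silently discarded. The two `headers.index(...)` lookups belong before the row loop so a missing column fails once with a clear message rather than being re-evaluated per row, and the usage line `print(f' Usage: Script <csv_log_file.csv>')` is an f-string with no placeholders and a stray leading space; a plain string naming the actual script (`generate_waf_exclusion.py`) would match the README's Usage section.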