diff --git a/plugin/machine-learning-after.conf b/plugin/machine-learning-after.conf
index 8980c93..69efb95 100644
--- a/plugin/machine-learning-after.conf
+++ b/plugin/machine-learning-after.conf
@@ -39,7 +39,7 @@ SecRule TX:ANOMALY_SCORE "@lt %{tx.machine-learning-plugin_inbound_anomaly_score
 phase:2,\
 pass,\
 nolog,\
- ctl:ruleRemoveById=9516120-9516310-9516320,\
+ ctl:ruleRemoveById=9516310-9516320,\
 ver:'machine-learning-plugin/1.0.0'"
 
 # This rule checks if the anomaly score exceeds inbound_anomaly_score_threshold
@@ -53,8 +53,11 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.machine-learning-plugin_inbound_anomaly_score
 msg:'Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}) - ML kicked in.',\
 tag:'anomaly-evaluation',\
 ver:'machine-learning-plugin/1.0.0',\
- severity:'CRITICAL'"
- SecRuleScript machine-learning-client.lua
+ severity:'CRITICAL', \
+ chain,\
+ setvar:'tx.machine-learning-plugin_inbound_anomaly_score=%{tx.anomaly_score}', \
+ setvar:'tx.machine-learning-plugin_inbound_ml_status=%{tx.machine-learning-plugin_inbound_ml_status}'"
+ SecRuleScript machine-learning-client.lua
 
 # This rule calls the ml model which generates an anomaly score.
 # Based on this score the model gives a status deny or pass (0 or 1).
@@ -64,14 +67,14 @@ SecAction \
 phase:2,\
 pass,\
 t:none,\
- msg:'ML kicked in for evaluation.',\
+ msg:'ML kicked in for evaluation. %{tx.machine-learning-plugin_inbound_ml_status}',\
 tag:'anomaly-evaluation',\
 ver:'machine-learning-plugin/1.0.0',\
 severity:'NOTICE'"
 SecRuleScript machine-learning-client.lua
 
 # This rule checks the status of the ML model and makes a decision to pass.
-SecRule TX:INBOUND_ML_STATUS "@eq %{tx.machine-learning-plugin_inbound_ml_pass_flag} " \
+SecRule TX:MACHINE-LEARNING-PLUGIN_INBOUND_ML_STATUS "@eq %{tx.machine-learning-plugin_inbound_ml_pass_flag} " \
 "id:9516310,\
 phase:2,\
 pass,\
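Review bot: The new `ctl:ruleRemoveById=9516310-9516320` is an inclusive id range, while the removed `9516120-9516310-9516320` read as a malformed one, so the effective change is that id 9516120 is no longer removed for requests below the threshold. Which rule carries 9516120 is outside the diff; if it is the `SecAction`/`SecRuleScript` pair in the third hunk, below-threshold requests now also trigger a call to the ML server. If leaving it active is intended, record that with a comment such as `# 9516120 is deliberately kept active below the threshold`. The enclosing SecRule starts above this hunk.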
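Review bot: The added `setvar:'tx.machine-learning-plugin_inbound_ml_status=%{tx.machine-learning-plugin_inbound_ml_status}'` assigns the variable to itself and can be dropped. With `chain`, whether this rule matches now depends on the return value of `SecRuleScript machine-learning-client.lua`; its `main()` (second Lua hunk) returns the number `inbound_ml_result` rather than nil or a string, and as far as I recall ModSecurity treats any non-nil Lua return as a match, so a 0 verdict would still satisfy the chain — worth confirming. The same script is run again by the unchained `SecRuleScript` after the `SecAction` in the next hunk, so an over-threshold request posts to the ML server twice, and both this rule (from `%{tx.anomaly_score}`) and the Lua script (from the HTTP response) write `tx.machine-learning-plugin_inbound_anomaly_score` with different meanings, whichever runs last winning. The enclosing SecRule starts above this hunk.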
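Review bot: The `%{tx.machine-learning-plugin_inbound_ml_status}` appended to `msg` is expanded when the `SecAction` fires, which is before the `SecRuleScript machine-learning-client.lua` on the following line runs, so the logged value is whatever the earlier chained invocation (previous hunk) or the configuration left behind, not this call's verdict. If the intent is to log this invocation's result, the message belongs on a rule placed after the script, or the Lua script should log it itself. The enclosing `SecAction` begins above this hunk.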
@@ -83,7 +86,7 @@ SecRule TX:INBOUND_ML_STATUS "@eq %{tx.machine-learning-plugin_inbound_ml_pass_f
 severity:'NOTICE'"
 
 # This rule checks the status of the ML model and makes a decision to deny.
-SecRule TX:INBOUND_ML_STATUS "@eq %{tx.machine-learning-plugin_inbound_ml_deny_flag} " \
+SecRule TX:MACHINE-LEARNING-PLUGIN_INBOUND_ML_STATUS "@eq %{tx.machine-learning-plugin_inbound_ml_deny_flag} " \
 "id:9516320,\
 phase:2,\
 deny,\
diff --git a/plugin/machine-learning-client.lua b/plugin/machine-learning-client.lua
index ec96836..ba6229c 100644
--- a/plugin/machine-learning-client.lua
+++ b/plugin/machine-learning-client.lua
@@ -83,7 +83,7 @@ function main()
 ["Content-Length"] = #body
 }
 local source = ltn12.source.string(body)
- local client, code, headers, status = http.request{
+ local client, code, headers, score = http.request{
 url=ml_server_url,
 method='POST',
 source=source,
@@ -91,18 +91,23 @@ function main()
 sink = ltn12.sink.table(respbody)
 }
 respbody = table.concat(respbody)
-
+ m.log(1, "Client "..client.." Code "..code.."..".." Score "..score)
+ m.log(1, "Respbody "..respbody)
 -- Processing the result
 if client == nil then
 m.log(2, 'The server is unreachable ')
 end
 if code == 401 then
 m.log(1,'Anomaly found by ML')
+ m.setvar("TX.machine-learning-plugin_inbound_anomaly_score", score)
 end
 if code == 200 then
 inbound_ml_result = 1
+ m.setvar("TX.machine-learning-plugin_inbound_anomaly_score", score)
+ m.setvar("TX.machine-learning-plugin_inbound_ml_status", inbound_ml_result)
 end
- m.setvar("TX.machine-learning-plugin_inbound_ml_anomaly_score", respbody)
- m.setvar("TX.machine-learning-plugin_inbound_ml_status", inbound_ml_result)
+ --m.setvar("TX.machine-learning-plugin_inbound_anomaly_score", score)
+ --m.setvar("TX.machine-learning-plugin_inbound_ml_status", inbound_ml_result)
+ --m.log(1, "Status "..TX.machine-learning-plugin_inbound_ml_status)
 return inbound_ml_result
 end
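Review bot: Renaming the fourth return value of `http.request{...}` to `score` is misleading: with LuaSocket's table form the returns are `1` (or nil), the numeric status code, the response headers and the HTTP status line, while the body is delivered through the `ltn12.sink.table(respbody)` sink. Any score the server sends in the body is therefore in `respbody`, and the `m.setvar("TX.machine-learning-plugin_inbound_anomaly_score", score)` calls added in the next hunk store the status line instead. Keep `local client, code, headers, status = http.request{` and derive the score from `respbody`. `main()` starts above this hunk.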
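Review bot: Moving `m.setvar("TX.machine-learning-plugin_inbound_ml_status", inbound_ml_result)` into the `code == 200` branch means the variable is never written on a 401 (the anomaly case) or when the server is unreachable; rule 9516320 in machine-learning-after.conf compares it with `@eq` against the deny flag and the config hunk defines no default for it, so that comparison runs against an unset variable and the deny path is skipped — fail-open unless a default exists elsewhere. The new `m.log(1, "Client "..client.." Code "..code.."..".." Score "..score)` also runs before the `client == nil` check, and on a failed request `client` and `score` are nil, so the `..` concatenation raises a Lua error and the "server is unreachable" branch can no longer be reached. Restore the unconditional setvar after the branches (assuming `inbound_ml_result` is initialised to 0 above the hunk), guard the log with `tostring()`, and delete the three commented-out lines rather than keeping them as dead code.
```lua
    respbody = table.concat(respbody)
    -- on a failed request client is nil and code holds the error string,
    -- so use tostring() rather than '..' on possibly-nil values
    m.log(1, "Client "..tostring(client).." Code "..tostring(code).." Score "..tostring(score))
    m.log(1, "Respbody "..respbody)
    -- … unchanged: client == nil / code == 401 / code == 200 branches …
    -- always publish the verdict so rules 9516310/9516320 compare a defined value
    m.setvar("TX.machine-learning-plugin_inbound_ml_status", inbound_ml_result)
    return inbound_ml_result
```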
diff --git a/plugin/machine-learning-config.conf b/plugin/machine-learning-config.conf
index 2089473..66d2abb 100644
--- a/plugin/machine-learning-config.conf
+++ b/plugin/machine-learning-config.conf
@@ -63,5 +63,6 @@ SecAction \
 setvar:'tx.machine-learning-plugin_inbound_ml_pass_flag=1',\
 setvar:'tx.machine-learning-plugin_inbound_ml_deny_flag=0',\
 setvar:'tx.machine-learning-plugin_inbound_ml_anomaly_score=0',\
+ setvar:'tx.machine-learning-plugin_inbound_anomaly_score=0',\
 setvar:'tx.machine-learning-plugin_inbound_ml_threshold=0', \
 setvar:'tx.machine-learning-plugin_ml_server_url=http://127.0.0.1:5000/'"
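Review bot: The defaults still lack `tx.machine-learning-plugin_inbound_ml_status`, which rules 9516310 and 9516320 in machine-learning-after.conf compare with `@eq`, and after this commit the Lua client only writes it on a 200 response; an explicit default such as `setvar:'tx.machine-learning-plugin_inbound_ml_status=0',\` (if an unreachable or rejecting ML server is to be treated as deny) makes the fail-open/fail-closed behaviour a documented choice rather than an accident of an unset variable. The `tx.machine-learning-plugin_inbound_ml_anomaly_score=0` line kept above the new one looks orphaned: the Lua hunk removed the only `m.setvar` that wrote it, so unless it is read elsewhere the two near-identical names will mislead maintainers. The enclosing `SecAction` begins above this hunk.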