crowdsec-local-mcp 0.0.2__py3-none-any.whl

crowdsec_local_mcp/yaml-schemas/appsec_rules_schema.yaml

@@ -0,0 +1,343 @@
+$schema: "https://json-schema.org/draft-04/schema"
+$id: "http://schemas.crowdsec.net/schemas/appsec-rule.yaml"
+title: "CrowdSec AppSec Rule"
+
+# Top-level definition for a CrowdSec AppSec rule.
+#
+# This schema is derived from the official CrowdSec AppSec rule
+# specification.  It describes the structure of an application
+# security rule used by the CrowdSec WAF.  A rule defines a
+# human‑readable `name` and `description`, one or more `rules`
+# describing matching conditions, and optional `labels`.  For
+# compatibility with ModSecurity/Seclang rules, `seclang_rules`
+# and `seclang_files_rules` may also be provided.
+type: object
+additionalProperties: false
+properties:
+  name:
+    type: string
+    description: |
+      Unique identifier for the AppSec rule.  Names follow the
+      `author/name` convention (e.g. `crowdsecurity/vpatch-CVE-2024-0001`).
+  description:
+    type: string
+    description: |
+      Free‑form description of what the rule detects.  This text
+      appears in the Hub and the CrowdSec console.
+  format:
+    type: number
+    description: |
+      Optional format version.  If specified, it MUST be a
+      positive number.  This allows CrowdSec to ensure that the
+      running version understands all features used by the rule.
+    minimum: 1.0
+  rules:
+    type: array
+    description: |
+      A non‑empty list of conditions and/or logical groups that
+      define when the rule is triggered.  Each item in the list
+      can either be a leaf (matching a specific request part) or a
+      composite rule using `and` or `or` to combine other
+      conditions.  When multiple top‑level items are present they
+      are evaluated in order and each matching item will trigger
+      the rule independently.
+    minItems: 1
+    items:
+      $ref: "#/$defs/ruleItem"
+  labels:
+    $ref: "#/$defs/labels"
+  seclang_rules:
+    type: array
+    description: |
+      Inline ModSecurity/Seclang rules to be loaded by the AppSec
+      engine.  These are interpreted by the Coraza runtime.
+    items:
+      type: string
+  seclang_files_rules:
+    type: array
+    description: |
+      A list of file names containing ModSecurity/Seclang rules.  The
+      referenced files must live in the CrowdSec data directory
+      (e.g. `/var/lib/crowdsec/data`).  Each entry SHOULD be a
+      relative file name without path traversal.
+    items:
+      type: string
+  data:
+    type: array
+    description: |
+      External data files required by the rule.  When installing a rule from
+      the hub, `cscli` will fetch each `source_url` and store it at
+      `dest_file`.  The optional `type` controls how the contents are
+      parsed in memory.
+    items:
+      type: object
+      additionalProperties: false
+      properties:
+        source_url:
+          type: string
+          format: uri
+          description: |
+            URL where the data file can be downloaded.
+        dest_file:
+          type: string
+          description: |
+            Local filename (within the CrowdSec data directory) where the
+            downloaded file will be stored.
+        type:
+          type: string
+          description: |
+            How to interpret the downloaded file.  `modsec` denotes a
+            ModSecurity rules file.  `regex` means the file contains one
+            RE2 regular expression per line, while `string` means one
+            literal string per line.
+          enum:
+            - modsec
+            - regex
+            - string
+      required:
+        - source_url
+        - dest_file
+required:
+  - name
+anyOf:
+  - required: ["rules"]
+  - required: ["seclang_rules"]
+  - required: ["seclang_files_rules"]
+$defs:
+  labels:
+    type: object
+    description: |
+      A map of labels applied to the rule.  Labels are free‑form
+      key/value pairs used by the Hub and console to categorise
+      rules.  The following keys are commonly used:
+
+        * `type` — high level category (e.g. `exploit`)
+        * `service` — service targeted by the rule (e.g. `http`)
+        * `behavior` — behaviour tag used by the remediation engine (e.g. `http:exploit`)
+        * `confidence` — integer from 1 to 5 describing how confident we are in the detection
+        * `spoofable` — integer (`0` or `1`) indicating if the detection can be spoofed
+        * `label` — human readable summary of the rule
+        * `classification` — list of reference identifiers (e.g. CVE or ATT&CK IDs)
+
+      Additional keys MAY be present and MUST have string, number or
+      boolean values.  The schema only constrains known keys and
+      leaves room for extensibility.
+    additionalProperties:
+      anyOf:
+        - type: string
+        - type: number
+        - type: boolean
+        - type: array
+          items:
+            type: string
+
+    properties:
+      type:
+        type: string
+      service:
+        type: string
+      behavior:
+        type: string
+      confidence:
+        type: integer
+        minimum: 0
+      spoofable:
+        type: integer
+        minimum: 0
+      label:
+        type: string
+      classification:
+        type: array
+        items:
+          type: string
+          description: "MITRE/ATT&CK-like tags."
+      references:
+        description: |
+          A reference to external resources, such as CVE identifiers, blog posts
+          or other documentation.  The value can be either a single string or
+          an array of strings.
+        anyOf:
+          - type: string
+          - type: array
+            items:
+              type: string
+      additionalProperties:
+        type: string
+    required:
+      - type
+      - service
+      - behavior
+      - confidence
+      - spoofable
+      - classification
+
+  # A ruleItem can either be a leaf rule (matching on request
+  # content) or a composite rule that groups other ruleItems with a
+  # logical operator.  Note: unlike the original schema, this version
+  # omits `additionalProperties: false` at this level.  Without it,
+  # the validator will correctly allow either the `and`/`or` keys of
+  # a composite rule or the `zones`/`match` keys of a leaf rule.
+  ruleItem:
+    type: object
+    oneOf:
+      - $ref: "#/$defs/compositeRule"
+      - $ref: "#/$defs/leafRule"
+
+  compositeRule:
+    type: object
+    additionalProperties: false
+    description: |
+      A composite rule groups several sub‑rules together using
+      either `and` or `or`.  Only one of these keys MUST be
+      present.  The evaluation semantics follow boolean logic:
+      * `and`: all sub‑rules MUST match for the composite rule to
+      trigger.
+      * `or`: any sub‑rule matching triggers the composite rule.
+    properties:
+      and:
+        type: array
+        minItems: 1
+        items:
+          $ref: "#/$defs/ruleItem"
+      or:
+        type: array
+        minItems: 1
+        items:
+          $ref: "#/$defs/ruleItem"
+    oneOf:
+      - required: [and]
+      - required: [or]
+
+  leafRule:
+    type: object
+    additionalProperties: false
+    description: |
+      A leaf rule describes a single condition evaluated against
+      specific parts of the HTTP request.  It MUST provide at
+      least one zone via the `zones` list and a `match` object
+      describing the comparison to perform.
+    properties:
+      zones:
+        type: array
+        description: |
+          List of zones specifying which parts of the HTTP request
+          to inspect.
+        minItems: 1
+        items:
+          type: string
+          enum:
+            - ARGS
+            - ARGS_NAMES
+            - BODY_ARGS
+            - ARGS_POST,
+            - BODY_ARGS_NAMES
+            - COOKIES
+            - COOKIES_NAMES
+            - REQUEST_COOKIES_NAMES
+            - FILES
+            - FILES_NAMES
+            - FILES_TOTAL_SIZE
+            - HEADERS_NAMES
+            - HEADERS
+            - METHOD
+            - PROTOCOL
+            - URI
+            - URI_FULL
+            - RAW_BODY
+            - FILENAMES
+      variables:
+        type: array
+        description: |
+          Restricts the match to specific variable names within the
+          selected zones.  Only relevant when zones include
+          `ARGS`, `BODY_ARGS` or `HEADERS`.  Each entry MUST be
+          a non‑empty string.
+        items:
+          type: string
+      transform:
+        type: array
+        description: |
+          List of transformations applied sequentially on the
+          target before performing the match.
+        items:
+          type: string
+          enum:
+            - lowercase
+            - uppercase
+            - b64decode
+            - length
+            - urldecode
+            - trim
+            - normalizepath
+            - htmlEntitydecode
+            - count
+      name:
+        type: string
+        description: |
+          A single variable name to restrict the match.  This is a
+          convenience shorthand equivalent to specifying `variables` with a
+          one‑element array.
+      match:
+        $ref: "#/$defs/match"
+    required:
+      - zones
+      - match
+
+  match:
+    type: object
+    description: |
+      Specifies how to compare the extracted target against a
+      constant value.  Both `type` and `value` are required.
+    oneOf:
+      - properties:
+          type:
+            type: string
+            enum:
+              - libinjectionSQL
+              - libinjectionXSS
+        required:
+          - type
+        additionalProperties: false
+      - properties:
+          type:
+            type: string
+            description: |
+              Method used to compare the target to the value.
+            enum:
+              - regex
+              - equals
+              - startsWith
+              - endsWith
+              - contains
+              - libinjectionSQL
+              - libinjectionXSS
+          value:
+            type: string
+            description: |
+              The constant value to compare the target against. Its meaning
+              depends on the selected `type` (e.g. a RE2 regular expression for
+              `regex`).
+        required:
+          - type
+          - value
+      - properties:
+          type:
+            type: string
+            description: |
+              Method used to compare the target to the value.
+            enum:
+              - gt
+              - lt
+              - gte
+              - lte
+              - equals
+          value:
+            type: number
+            description: |
+              The constant value to compare the target against. Its meaning
+              depends on the selected `type` (e.g. gt, lt, gte, lte requires a
+              number)
+        required:
+          - type
+          - value
+        additionalProperties: false