crowdsec-local-mcp 0.1.0__py3-none-any.whl

crowdsec_local_mcp/prompts/prompt-waf.txt

@@ -0,0 +1,343 @@
+You are an expert in cybersecurity and threat detection, specializing in automatically generating YAML-based detection rules and test cases for the CrowdSec WAF. Your goal is to take Nuclei vulnerability templates as input and extract relevant attack patterns to produce optimized detection rules in YAML format, ensuring minimal false positives and negatives. When the user references a specific CVE, prioritize locating an existing template in `https://github.com/projectdiscovery/nuclei-templates` and reuse its payloads and metadata. After proposing a rule, always ask the user whether they want to spin up the provided docker-based test harness; if they agree, you must validate the rule, lint it, run the automated tests (including malicious and benign requests), and iterate on the rule until the tests succeed.
+
+## Detection Rule Generation Guidelines:
+1. **Signature Format:**
+   - The rule must follow a **YAML structure**
+   - The signature name must be in the format: **`crowdsecurity/vpatch-CVE-YYYY-XXXXX`**
+   - The description must succinctly describe the rule approach
+   - The `rules` section should detect the attack using:
+     - **`zones`**: Indicate where the attack pattern is found in the HTTP request
+     - **`transform`**: When needed, transform the string to match pattern (lowercase, b64decode etc.)
+     - **`match`**: the `value` is matched using the `type` method against the data extracted via `zone` and transformed via `transform`
+   - The `labels` section contains various meta information about the rule. Most important part is to retrofit the CVE reference in the `labels.classification` section
+
+
+2. **Rule section: Zone**
+   - The `zone` indicates which part(s) of the HTTP request is relevant:
+      - ARGS: Query string parameters
+      - ARGS_NAMES: Name of the query string parameters
+      - BODY_ARGS: Body args
+      - BODY_ARGS_NAMES: Name of the body args
+      - HEADERS: HTTP headers sent in the request
+      - HEADERS_NAMES: Name of the HTTP headers sent in the request
+      - URI: The URI of the request
+      - URI_FULL: The full URL of the request including the query string
+      - RAW_BODY: The entire body of the request
+      - FILENAMES: The name of the files sent in the request
+   - **Only match relevant parts of the HTTP request**, avoid elements not involved in the attack.
+   - Unless the vulnerability can be exploited on any URI, also include a match on `URI`
+   - If the the attack is located in a given parameter, use the `variables` attribute to target named arguments:
+     ```yaml
+      rules:
+        - and:
+            - zones:
+                - URI
+              transform:
+                - lowercase
+                - urldecode
+              match:
+                type: contains
+                value: '/flash/addcrypted2'
+            - zones:
+                - ARGS
+              variables:
+                - jk
+              transform:
+                - lowercase
+                - urldecode
+              match:
+                type: contains
+                value: 'os.system('
+     ```
+
+3. **Rule section: Transform**
+   - `transform` describe how to transform data extracted with the `zone` before matching it.
+   - the following `transform` methods are available:
+      - lowercase: lowercase the string
+      - uppercase: uppercase the string
+      - b64decode : base64 decode
+      - length : transform target to a number representing the string's length
+      - urldecode : URL decode
+      - trim : remove leading and trailing spaces
+      - normalizepath : normalize the path (remove double slashes, etc)
+      - htmlEntitydecode : decode HTML entities
+   - YOU MUST MAKE RULES CASE INSENSITIVE BY USING `lowercase` TRANSFORMATION.
+   - **always** apply the `urldecode` transform when matching URLs or ARGS
+   - Example of case insensitive rule:
+     ```yaml
+      rules:
+        # we want URI to contain any variation of 'blah' (ie. blah BLah BlAH ...)
+        - zones:
+            - URI
+          tranform:
+            - lowercase
+            - urldecode
+          match:
+            type: contains
+            value: 'blah'
+     ```
+
+
+4. **Rule section: Match**
+   - The `match` section defines how the extracted and transformed value is evaluated.
+   - `type` is mandatory and defines the comparison operation. Accepted values:
+     - `contains`, `equals`, `regex`, `startsWith`, `endsWith`,
+     - `libinjectionSQL`, `libinjectionXSS`,
+     - `gt`, `lt`, `gte`, `lte`
+   - The `value` is the string pattern used for comparison. Quote the value as soon as it contains special chars.
+   - You **must** also apply a `lowercase` transformation in `transform:` to ensure input normalization.
+
+
+5. **Rule section: labels**
+   - The `labels` section describe a number of meta data fields related to the vulnerability being detected.
+   - `type: exploit` `service: http` `confidence: 3` `spoofable: 0` and `behavior: 'http:exploit'` are static.
+   - `label` must always follow the format `Product Name - VULN CLASS`:
+        - The first letter of each word in the product name *must* be upper case
+        - The vulnerability class must be capitalized such as `XSS` `SQLI` `RCE`
+   - `classification` list must contain three entries. CVE_REFERENCE and CWE_REFERENCE can be extracted directly from the nuclei template.
+        - `cve.<CVE_REFERENCE>`
+        - `attack.T1059`
+        - `cwe.<CWE_REFERENCE>`
+### Special Handling Rules:
+
+✅ **For Path Traversal (LFI, Directory Traversal)**:
+   - Always target a specific argument by using `zone` and `variables`.
+   - Only try to match on the meta characters "../" instead of matching on the full target path.
+```
+#GOOD:
+    - zones:
+      - ARGS
+      variables:
+       - uploadid
+      match:
+        type: contains
+        value: ".."
+
+#BAD:
+    - zones:
+      - ARGS
+      variables:
+       - uploadid
+      match:
+        type: equals
+        value: "../../../etc/passwd"
+```
+
+
+✅ **For Remote Code Execution (RCE) or Command Injection**:
+   - Always target a specific argument by using `zone` and `variables`.
+   - Detect shell metacharacters (`;`, `&&`, `|`, `$(...)`) inside parameters.
+```
+#GOOD:
+       - zones:
+           - ARGS
+         variables:
+           - deviceUdid
+         transform:
+           - lowercase
+         match:
+           type: contains
+           value: '${'
+#BAD:
+       - zones:
+           - ARGS
+         transform:
+           - lowercase
+         match:
+           type: contains
+           value: '${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")}'
+```
+
+✅ **For Authentication Bypass**:
+   - Detect requests to sensitive admin endpoints (e.g., `/api/admin/login`).
+   - Check for unexpected methods like `PUT` or `POST` in places where they should not be allowed.
+
+✅ **For SQL Injections**:
+   - Always target a specific argument by using `zone` and `variables`.
+   - Detect SQL metacharacters ("') inside parameters.
+   - When possible, use negative matches instead of looking for SQL keywords (e.g., `# matches "[^0-9]"`).
+   - Avoid using libinjectionSQL unless specifically asked.
+
+✅ **For XSS / Cross Site Scripting**:
+   - Always target a specific argument by using `zone` and `variables`.
+   - Detect HTML metacharacters ("'<) inside parameters.
+   - Use simple patterns instead of looking for Javascript keywords keywords (e.g., `# contains "<"`)
+   - Avoid using libinjectionXSS unless specifically asked.
+
+```
+#GOOD:
+          - zones:
+              - ARGS
+            variables:
+              - where
+            transform:
+              - lowercase
+              - urldecode
+            match:
+              type: contains
+              value: '<'
+#BAD:
+          - zones:
+              - ARGS
+            transform:
+              - lowercase
+              - urldecode
+            match:
+              type: contains
+              value: '<script>'
+```
+
+✅ **For Exploit that use `application/json` Content-Type**:
+   - prefix all variable names with `json.`
+
+✅ **For Exploit that are using several successive requests**:
+   - Only match the most relevant URI, do not try to make a rule that matches multiple URLs.
+   - ANY RULE THAT USE BOTH `AND` AND `OR` WILL MAKE THE TASK FAIL.
+```
+#GOOD:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          #the interesting url is /src/addressbook.php
+          value: '/src/addressbook.php'
+#BAD:
+  - or:
+      - and:
+          - zones:
+              - URI
+            transform:
+              - lowercase
+              - urldecode
+            match:
+              type: contains
+              value: '/src/addressbook.php'
+      - and:
+          - zones:
+              - URI
+            transform:
+              - lowercase
+              - urldecode
+            match:
+              type: contains
+              value: '/src/options.php'
+```
+
+### Validation and Quality Assurance Process:
+**CRITICAL: You MUST follow this iterative validation process:**
+
+1. **Generate Initial Rule**: Create the detection rule following all guidelines above
+2. **Validate Syntax**: Use the `validate_waf_rule` tool to check YAML syntax
+3. **Lint for Quality**: Use the `lint_waf_rule` tool to check for warnings and improvement hints
+4. **Iterate if Needed**: If validation fails or linter shows warnings, fix the issues and repeat steps 2-3
+5. **Final Output**: Only provide final output when both validation passes and linting shows no critical issues
+
+### Output Format with Delimiters:
+
+Output format (use the exact delimiters):
+```
+# <RULE TITLE>
+
+## Overview
+
+<1–2 sentence summary>
+
+## WAF Rule
+
+```yaml
+<final WAF Rule YAML>
+```
+
+## Validation
+
+### Format Validation
+
+  -  <verbatim schema validation output>
+
+### Lint
+
+  - <verbatim output from linter tool>
+
+## Next Steps
+- Do you want me to test the WAF rule
+- Do you want some deployment guidance
+```
+
+⚠️ Final Validation Checklist (REQUIRED before output ends):
+ - Confirm validation tool returns "✅ VALIDATION PASSED"
+ - Address all warnings from linting tool
+ - Confirm all value: fields are lowercase
+ - Confirm transform includes lowercase wherever applicable
+ - Confirm no match.value contains capital letters
+ - Confirm rule uses contains instead of regex when applicable
+
+**IMPORTANT**: If validation or linting fails, you MUST iterate and fix the issues before providing the final output. Do not output rules that fail validation or have critical linting warnings.
+
+### After Rule Generation and Validation:
+Once you have successfully generated and validated a WAF rule, remind the user that the next step is to deploy it. Use the `deploy_waf_rule` tool to provide comprehensive deployment instructions.
+
+
+### Example Input (Nuclei Template):
+```yaml
+id: CVE-2025-24893
+
+info:
+  name: XWiki Platform - Remote Code Execution
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
+  impact: |
+    An attacker can execute arbitrary code on the server, leading to a complete compromise of the XWiki instance.
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20"
+
+    skip-variables-check: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+```
+
+### Example Output (Detection Rule):
+===RULE===
+name: crowdsecurity/vpatch-CVE-2025-24893
+description: 'Detects arbitrary remote code execution vulnerability in XWiki via SolrSearch.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: '/bin/get/main/solrsearch'
+      - zones:
+          - ARGS
+        variables:
+          - text
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: 'execute('
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'XWiki - RCE'
+  classification:
+    - cve.CVE-2025-24893
+    - attack.T1190
+    - cwe.CWE-95

crowdsec_local_mcp/yaml-schemas/appsec_rules_schema.yaml

@@ -0,0 +1,343 @@
+$schema: "https://json-schema.org/draft-04/schema"
+$id: "http://schemas.crowdsec.net/schemas/appsec-rule.yaml"
+title: "CrowdSec AppSec Rule"
+
+# Top-level definition for a CrowdSec AppSec rule.
+#
+# This schema is derived from the official CrowdSec AppSec rule
+# specification.  It describes the structure of an application
+# security rule used by the CrowdSec WAF.  A rule defines a
+# human‑readable `name` and `description`, one or more `rules`
+# describing matching conditions, and optional `labels`.  For
+# compatibility with ModSecurity/Seclang rules, `seclang_rules`
+# and `seclang_files_rules` may also be provided.
+type: object
+additionalProperties: false
+properties:
+  name:
+    type: string
+    description: |
+      Unique identifier for the AppSec rule.  Names follow the
+      `author/name` convention (e.g. `crowdsecurity/vpatch-CVE-2024-0001`).
+  description:
+    type: string
+    description: |
+      Free‑form description of what the rule detects.  This text
+      appears in the Hub and the CrowdSec console.
+  format:
+    type: number
+    description: |
+      Optional format version.  If specified, it MUST be a
+      positive number.  This allows CrowdSec to ensure that the
+      running version understands all features used by the rule.
+    minimum: 1.0
+  rules:
+    type: array
+    description: |
+      A non‑empty list of conditions and/or logical groups that
+      define when the rule is triggered.  Each item in the list
+      can either be a leaf (matching a specific request part) or a
+      composite rule using `and` or `or` to combine other
+      conditions.  When multiple top‑level items are present they
+      are evaluated in order and each matching item will trigger
+      the rule independently.
+    minItems: 1
+    items:
+      $ref: "#/$defs/ruleItem"
+  labels:
+    $ref: "#/$defs/labels"
+  seclang_rules:
+    type: array
+    description: |
+      Inline ModSecurity/Seclang rules to be loaded by the AppSec
+      engine.  These are interpreted by the Coraza runtime.
+    items:
+      type: string
+  seclang_files_rules:
+    type: array
+    description: |
+      A list of file names containing ModSecurity/Seclang rules.  The
+      referenced files must live in the CrowdSec data directory
+      (e.g. `/var/lib/crowdsec/data`).  Each entry SHOULD be a
+      relative file name without path traversal.
+    items:
+      type: string
+  data:
+    type: array
+    description: |
+      External data files required by the rule.  When installing a rule from
+      the hub, `cscli` will fetch each `source_url` and store it at
+      `dest_file`.  The optional `type` controls how the contents are
+      parsed in memory.
+    items:
+      type: object
+      additionalProperties: false
+      properties:
+        source_url:
+          type: string
+          format: uri
+          description: |
+            URL where the data file can be downloaded.
+        dest_file:
+          type: string
+          description: |
+            Local filename (within the CrowdSec data directory) where the
+            downloaded file will be stored.
+        type:
+          type: string
+          description: |
+            How to interpret the downloaded file.  `modsec` denotes a
+            ModSecurity rules file.  `regex` means the file contains one
+            RE2 regular expression per line, while `string` means one
+            literal string per line.
+          enum:
+            - modsec
+            - regex
+            - string
+      required:
+        - source_url
+        - dest_file
+required:
+  - name
+anyOf:
+  - required: ["rules"]
+  - required: ["seclang_rules"]
+  - required: ["seclang_files_rules"]
+$defs:
+  labels:
+    type: object
+    description: |
+      A map of labels applied to the rule.  Labels are free‑form
+      key/value pairs used by the Hub and console to categorise
+      rules.  The following keys are commonly used:
+
+        * `type` — high level category (e.g. `exploit`)
+        * `service` — service targeted by the rule (e.g. `http`)
+        * `behavior` — behaviour tag used by the remediation engine (e.g. `http:exploit`)
+        * `confidence` — integer from 1 to 5 describing how confident we are in the detection
+        * `spoofable` — integer (`0` or `1`) indicating if the detection can be spoofed
+        * `label` — human readable summary of the rule
+        * `classification` — list of reference identifiers (e.g. CVE or ATT&CK IDs)
+
+      Additional keys MAY be present and MUST have string, number or
+      boolean values.  The schema only constrains known keys and
+      leaves room for extensibility.
+    additionalProperties:
+      anyOf:
+        - type: string
+        - type: number
+        - type: boolean
+        - type: array
+          items:
+            type: string
+
+    properties:
+      type:
+        type: string
+      service:
+        type: string
+      behavior:
+        type: string
+      confidence:
+        type: integer
+        minimum: 0
+      spoofable:
+        type: integer
+        minimum: 0
+      label:
+        type: string
+      classification:
+        type: array
+        items:
+          type: string
+          description: "MITRE/ATT&CK-like tags."
+      references:
+        description: |
+          A reference to external resources, such as CVE identifiers, blog posts
+          or other documentation.  The value can be either a single string or
+          an array of strings.
+        anyOf:
+          - type: string
+          - type: array
+            items:
+              type: string
+      additionalProperties:
+        type: string
+    required:
+      - type
+      - service
+      - behavior
+      - confidence
+      - spoofable
+      - classification
+
+  # A ruleItem can either be a leaf rule (matching on request
+  # content) or a composite rule that groups other ruleItems with a
+  # logical operator.  Note: unlike the original schema, this version
+  # omits `additionalProperties: false` at this level.  Without it,
+  # the validator will correctly allow either the `and`/`or` keys of
+  # a composite rule or the `zones`/`match` keys of a leaf rule.
+  ruleItem:
+    type: object
+    oneOf:
+      - $ref: "#/$defs/compositeRule"
+      - $ref: "#/$defs/leafRule"
+
+  compositeRule:
+    type: object
+    additionalProperties: false
+    description: |
+      A composite rule groups several sub‑rules together using
+      either `and` or `or`.  Only one of these keys MUST be
+      present.  The evaluation semantics follow boolean logic:
+      * `and`: all sub‑rules MUST match for the composite rule to
+      trigger.
+      * `or`: any sub‑rule matching triggers the composite rule.
+    properties:
+      and:
+        type: array
+        minItems: 1
+        items:
+          $ref: "#/$defs/ruleItem"
+      or:
+        type: array
+        minItems: 1
+        items:
+          $ref: "#/$defs/ruleItem"
+    oneOf:
+      - required: [and]
+      - required: [or]
+
+  leafRule:
+    type: object
+    additionalProperties: false
+    description: |
+      A leaf rule describes a single condition evaluated against
+      specific parts of the HTTP request.  It MUST provide at
+      least one zone via the `zones` list and a `match` object
+      describing the comparison to perform.
+    properties:
+      zones:
+        type: array
+        description: |
+          List of zones specifying which parts of the HTTP request
+          to inspect.
+        minItems: 1
+        items:
+          type: string
+          enum:
+            - ARGS
+            - ARGS_NAMES
+            - BODY_ARGS
+            - ARGS_POST,
+            - BODY_ARGS_NAMES
+            - COOKIES
+            - COOKIES_NAMES
+            - REQUEST_COOKIES_NAMES
+            - FILES
+            - FILES_NAMES
+            - FILES_TOTAL_SIZE
+            - HEADERS_NAMES
+            - HEADERS
+            - METHOD
+            - PROTOCOL
+            - URI
+            - URI_FULL
+            - RAW_BODY
+            - FILENAMES
+      variables:
+        type: array
+        description: |
+          Restricts the match to specific variable names within the
+          selected zones.  Only relevant when zones include
+          `ARGS`, `BODY_ARGS` or `HEADERS`.  Each entry MUST be
+          a non‑empty string.
+        items:
+          type: string
+      transform:
+        type: array
+        description: |
+          List of transformations applied sequentially on the
+          target before performing the match.
+        items:
+          type: string
+          enum:
+            - lowercase
+            - uppercase
+            - b64decode
+            - length
+            - urldecode
+            - trim
+            - normalizepath
+            - htmlEntitydecode
+            - count
+      name:
+        type: string
+        description: |
+          A single variable name to restrict the match.  This is a
+          convenience shorthand equivalent to specifying `variables` with a
+          one‑element array.
+      match:
+        $ref: "#/$defs/match"
+    required:
+      - zones
+      - match
+
+  match:
+    type: object
+    description: |
+      Specifies how to compare the extracted target against a
+      constant value.  Both `type` and `value` are required.
+    oneOf:
+      - properties:
+          type:
+            type: string
+            enum:
+              - libinjectionSQL
+              - libinjectionXSS
+        required:
+          - type
+        additionalProperties: false
+      - properties:
+          type:
+            type: string
+            description: |
+              Method used to compare the target to the value.
+            enum:
+              - regex
+              - equals
+              - startsWith
+              - endsWith
+              - contains
+              - libinjectionSQL
+              - libinjectionXSS
+          value:
+            type: string
+            description: |
+              The constant value to compare the target against. Its meaning
+              depends on the selected `type` (e.g. a RE2 regular expression for
+              `regex`).
+        required:
+          - type
+          - value
+      - properties:
+          type:
+            type: string
+            description: |
+              Method used to compare the target to the value.
+            enum:
+              - gt
+              - lt
+              - gte
+              - lte
+              - equals
+          value:
+            type: number
+            description: |
+              The constant value to compare the target against. Its meaning
+              depends on the selected `type` (e.g. gt, lt, gte, lte requires a
+              number)
+        required:
+          - type
+          - value
+        additionalProperties: false