uuWAF/plugins/ip-intelligence.lua

---
--- Generated by UUSEC(https://www.uusec.com/)
--- Created by Safe3.
--- DateTime: 2024/7/25 11:11
---
--[[
/uuwaf/conf/uuwaf.conf
resolver 1.1.1.1 valid=30s ipv6=off;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
--]]
local ngx = ngx
local ngx_exit = ngx.exit
local ngx_log = ngx.log
local ngx_err = ngx.ERR
local ngx_today = ngx.today
local ngx_kv = ngx.shared
local http = require("resty.http")
local ipmatcher = require("resty.ipmatcher")
local resty_lock = require("resty.lock")
local util = require("waf.util")

local _M = {
    version = 0.1,
    name = "ip-intelligence"
}

local matcher, today

local function init_matcher()
    local http_client = http.new()
    local res, err = http_client:request_uri("https://waf.uusec.com/ip-intelligence-feed.json")
    if not res then
        ngx_log(ngx_err, "get ip intelligence failed: ", err)
        return
    end
    res, err = util.jsonDecode(res.body)
    if not res then
        ngx_log(ngx_err, "decode ip intelligence feed failed: ", err)
        return
    end
    matcher = ipmatcher.new_with_value(res)
end

function _M.req_post_filter(waf)
    local lock, err, ok

    if (not today) or today ~= ngx_today() then
        matcher = nil
        today = ngx_today()
    end

    if not matcher then
        lock, err = resty_lock:new("lock")
        if not lock then
            ngx_log(ngx_err, "create ip_threat_lock failed: ", err)
            return nil
        end

        ok, err = lock:lock("ip_threat_lock")
        if not ok then
            return
        end

        if not matcher then
            init_matcher()
        end

        ok, err = lock:unlock()
        if not ok then
            ngx_log(ngx_err, "unlock ip_threat_lock failed: ", err)
        end
    end

    if matcher then
        local level = matcher:match(waf.ip)
        if level then
            waf.msg = "ip threat level: " .. level
            waf.rule_id = 10000
            waf.deny = true
            ngx_kv.ipBlock:incr(waf.ip, 1, 0)
            return ngx_exit(403)
        end
    end
end

return _M
ip intelligence plugin 4 months ago			`---`
			`--- Generated by UUSEC(https://www.uusec.com/)`
			`--- Created by Safe3.`
			`--- DateTime: 2024/7/25 11:11`
			`---`
Update ip-intelligence.lua 4 months ago			`--[[`
			`/uuwaf/conf/uuwaf.conf`
			`resolver 1.1.1.1 valid=30s ipv6=off;`
			`lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;`
			`--]]`
ip intelligence plugin 4 months ago			`local ngx = ngx`
			`local ngx_exit = ngx.exit`
			`local ngx_log = ngx.log`
			`local ngx_err = ngx.ERR`
			`local ngx_today = ngx.today`
			`local ngx_kv = ngx.shared`
			`local http = require("resty.http")`
			`local ipmatcher = require("resty.ipmatcher")`
			`local resty_lock = require("resty.lock")`
			`local util = require("waf.util")`

			`local _M = {`
			`version = 0.1,`
			`name = "ip-intelligence"`
			`}`

			`local matcher, today`

			`local function init_matcher()`
			`local http_client = http.new()`
			`local res, err = http_client:request_uri("https://waf.uusec.com/ip-intelligence-feed.json")`
			`if not res then`
			`ngx_log(ngx_err, "get ip intelligence failed: ", err)`
			`return`
			`end`
			`res, err = util.jsonDecode(res.body)`
			`if not res then`
			`ngx_log(ngx_err, "decode ip intelligence feed failed: ", err)`
			`return`
			`end`
			`matcher = ipmatcher.new_with_value(res)`
			`end`

			`function _M.req_post_filter(waf)`
			`local lock, err, ok`

			`if (not today) or today ~= ngx_today() then`
			`matcher = nil`
			`today = ngx_today()`
			`end`

			`if not matcher then`
			`lock, err = resty_lock:new("lock")`
			`if not lock then`
			`ngx_log(ngx_err, "create ip_threat_lock failed: ", err)`
			`return nil`
			`end`

			`ok, err = lock:lock("ip_threat_lock")`
			`if not ok then`
			`return`
			`end`

			`if not matcher then`
			`init_matcher()`
			`end`

			`ok, err = lock:unlock()`
			`if not ok then`
			`ngx_log(ngx_err, "unlock ip_threat_lock failed: ", err)`
			`end`
			`end`

			`if matcher then`
			`local level = matcher:match(waf.ip)`
			`if level then`
			`waf.msg = "ip threat level: " .. level`
			`waf.rule_id = 10000`
			`waf.deny = true`
			`ngx_kv.ipBlock:incr(waf.ip, 1, 0)`
			`return ngx_exit(403)`
			`end`
			`end`
			`end`

			`return _M`