Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 04:58:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

In progress commit on a few items.

Browse source 
- Beginning rework of metrics interface.
- Updates to URI based SQLI detection to match metrics framework.
- Addition to SQLI regex to catch use of XOR.
This commit is contained in:
Seth Hall 2011-07-29 23:07:36 -04:00
parent 5e7b727433
commit c2725ed58e
2 changed files with 45 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

49
policy/frameworks/metrics/base/main.bro
View file

@ -2,9 +2,9 @@
module Metrics; module Metrics;
redef enum Log::ID += { METRICS };
export { export {
redef enum Log::ID += { METRICS };
type ID: enum { type ID: enum {
ALL, ALL,
}; };
@ -12,10 +12,10 @@ export {
const default_aggregation_mask = 24 &redef; const default_aggregation_mask = 24 &redef;
const default_break_interval = 5mins &redef; const default_break_interval = 5mins &redef;
# TODO: configure a metrics config logging stream to log the current # TODO: configure a metrics filter logging stream to log the current
# metrics configuration in case someone is looking through # metrics configuration in case someone is looking through
# old logs and the configuration has changed since then. # old logs and the configuration has changed since then.
type Config: record { type Filter: record {
name: ID &optional; name: ID &optional;
## Global mask by which you'd like to aggregate traffic. ## Global mask by which you'd like to aggregate traffic.
aggregation_mask: count &optional; aggregation_mask: count &optional;
@ -46,13 +46,13 @@ export {
value: count &log; value: count &log;
}; };
global configure: function(name: ID, config: Config); global add_filter: function(name: ID, filter: Filter);
global add_data: function(name: ID, index: Index, increment: count); global add_data: function(name: ID, index: Index, increment: count);
global log_metrics: event(rec: Info); global log_metrics: event(rec: Info);
} }
global metric_configs: table[ID] of Config = table(); global metric_filters: table[ID] of Filter = table();
type MetricIndex: table[string] of count &default=0; type MetricIndex: table[string] of count &default=0;
type MetricTable: table[string] of MetricIndex; type MetricTable: table[string] of MetricIndex;
@ -68,12 +68,12 @@ function reset(name: ID)
store[name] = table(); store[name] = table();
} }
event log_it(config: Config) event log_it(filter: Filter)
{ {
# If this node is the manager in a cluster, this needs to request values # If this node is the manager in a cluster, this needs to request values
# for this metric from all of the workers. # for this metric from all of the workers.
local name = config$name; local name = filter$name;
for ( agg_subnet in store[name] ) for ( agg_subnet in store[name] )
{ {
local metric_values = store[name][agg_subnet]; local metric_values = store[name][agg_subnet];
@ -92,29 +92,32 @@ event log_it(config: Config)
Log::write(METRICS, m); Log::write(METRICS, m);
} }
} }
reset(name); reset(name);
schedule config$break_interval { log_it(config) };
schedule filter$break_interval { log_it(filter) };
} }
function configure(name: ID, config: Config) function add_filter(name: ID, filter: Filter)
{ {
if ( config?$aggregation_table && config?$aggregation_mask ) if ( filter?$aggregation_table && filter?$aggregation_mask )
{ {
print "INVALID Metric configuration: Defined $aggregation_table and $aggregation_mask."; print "INVALID Metric filter: Defined $aggregation_table and $aggregation_mask.";
return; return;
} }
config$name = name; filter$name = name;
metric_configs[name] = config; metric_filters[name] = filter;
store[name] = table(); store[name] = table();
# Only do this on the manager if in a cluster. # Only do this on the manager if in a cluster.
schedule config$break_interval { log_it(config) }; schedule filter$break_interval { log_it(filter) };
} }
function add_data(name: ID, index: Index, increment: count) function add_data(name: ID, index: Index, increment: count)
{ {
local conf = metric_configs[name]; local conf = metric_filters[name];
local agg_subnet = ""; local agg_subnet = "";
if ( index?$host ) if ( index?$host )
@ -127,14 +130,14 @@ function add_data(name: ID, index: Index, increment: count)
} }
else if ( conf?$aggregation_table ) else if ( conf?$aggregation_table )
agg_subnet = fmt("%s", conf$aggregation_table[index$host]); agg_subnet = fmt("%s", conf$aggregation_table[index$host]);
else
agg_subnet = fmt("%s", index$host);
} }
if ( agg_subnet !in store[name] ) if ( agg_subnet !in store[name] )
store[name][agg_subnet] = table([index$index] = increment); store[name][agg_subnet] = table();
else
{ if ( index$index !in store[name][agg_subnet] )
if ( index$index !in store[name][agg_subnet] ) store[name][agg_subnet][index$index] = 0;
store[name][agg_subnet][index$index] = 0; store[name][agg_subnet][index$index] = store[name][agg_subnet][index$index] + increment;
store[name][agg_subnet][index$index] = store[name][agg_subnet][index$index] + increment;
}
} }

21
policy/protocols/http/base/detect-sqli.bro
View file

@ -6,8 +6,14 @@ module HTTP;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
SQL_Injection_Attacker,
SQL_Injection_Attack, SQL_Injection_Attack,
}; };
redef enum Metrics::ID += {
SQL_ATTACKER,
SQL_ATTACK_AGAINST,
};
redef enum Tags += { redef enum Tags += {
## Indicator of a URI based SQL injection attack. ## Indicator of a URI based SQL injection attack.
@ -22,15 +28,26 @@ export {
## This regular expression is used to match URI based SQL injections ## This regular expression is used to match URI based SQL injections
const match_sql_injection_uri = const match_sql_injection_uri =
/[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/ /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/
| /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([oO][rR]|[aA][nN][dD])([[:blank:]]|\/\*.*?\*\/)+['"]?[^a-zA-Z&]+?=/ | /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[aA][nN][dD])([[:blank:]]|\/\*.*?\*\/)+['"]?[^a-zA-Z&]+?=/
| /[\?&][^[:blank:]]+?=[\-0-9%]*([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/)*(\-|\+|\|\|)([[:blank:]]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ | /[\?&][^[:blank:]]+?=[\-0-9%]*([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/)*(\-|\+|\|\|)([[:blank:]]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
| /[\?&][^[:blank:]\|]+?=([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/|;)*([oO][rR]|[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT]|\()[^a-zA-Z&]/ | /[\?&][^[:blank:]\|]+?=([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT]|\()[^a-zA-Z&]/
| /[\?&][^[:blank:]]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ &redef; | /[\?&][^[:blank:]]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ &redef;
} }
event bro_init()
{
Metrics::add_filter(SQL_ATTACKER, [$break_interval=5mins, $note=SQL_Injection_Attack]);
Metrics::add_filter(SQL_ATTACK_AGAINST, [$break_interval=5mins, $note=SQL_Injection_Attack]);
}
event http_request(c: connection, method: string, original_URI: string, event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=3 unescaped_URI: string, version: string) &priority=3
{ {
if ( match_sql_injection_uri in unescaped_URI ) if ( match_sql_injection_uri in unescaped_URI )
{
add c$http$tags[URI_SQLI]; add c$http$tags[URI_SQLI];
Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
Metrics::add_data(SQL_ATTACK_AGAINST, [$host=c$id$resp_h], 1);
}
} }