Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro

Browse source 
* 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro:
  add sqli_policy hook
This commit is contained in:
Jon Siwek 2018-09-19 15:21:00 -05:00
commit c2c5754e28
4 changed files with 17 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
CHANGES
View file

@ -1,4 +1,9 @@
2.6-beta2-3 | 2018-09-19 15:21:00 -0500
* Add HTTP::sqli_policy hook to ignore counting a request as a SQL injection
(Justin Azoff)
2.6-beta2 | 2018-09-18 16:52:34 -0500 2.6-beta2 | 2018-09-18 16:52:34 -0500
* Release 2.6-beta2 * Release 2.6-beta2

3
NEWS
View file

@ -280,6 +280,9 @@ New Functionality
- HTTP now recognizes and skips upgraded/websocket connections. A new event, - HTTP now recognizes and skips upgraded/websocket connections. A new event,
"http_connection_upgrade", is raised in such cases. "http_connection_upgrade", is raised in such cases.
- A new hook, HTTP::sqli_policy, may be used to whitelist requests that
could otherwise be counted as SQL injection attempts.
- Added a MOUNT3 protocol parser - Added a MOUNT3 protocol parser
- This is not enabled by default (no ports are registered and no - This is not enabled by default (no ports are registered and no

2
VERSION
View file

@ -1 +1 @@
2.6-beta2 2.6-beta2-3

8
scripts/policy/protocols/http/detect-sqli.bro
View file

@ -52,6 +52,11 @@ export {
| /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ | /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/
| /[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ | /[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/
| /\/\*![[:digit:]]{5}.*?\*\// &redef; | /\/\*![[:digit:]]{5}.*?\*\// &redef;
## A hook that can be used to prevent specific requests from being counted
## as an injection attempt. Use a 'break' statement to exit the hook
## early and ignore the request.
global HTTP::sqli_policy: hook(c: connection, method: string, unescaped_URI: string);
} }
function format_sqli_samples(samples: vector of SumStats::Observation): string function format_sqli_samples(samples: vector of SumStats::Observation): string
@ -109,6 +114,9 @@ event bro_init() &priority=3
event http_request(c: connection, method: string, original_URI: string, event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=3 unescaped_URI: string, version: string) &priority=3
{ {
if ( ! hook HTTP::sqli_policy(c, method, unescaped_URI) )
return;
if ( match_sql_injection_uri in unescaped_URI ) if ( match_sql_injection_uri in unescaped_URI )
{ {
add c$http$tags[URI_SQLI]; add c$http$tags[URI_SQLI];