Add a revised script for detecting HTTP SQL injection, deprecate original

2025-10-02 06:38:20 +00:00 · 2025-05-17 07:58:11 -07:00 · 2025-05-17 07:58:11 -07:00 · dcd14f7a16
commit dcd14f7a16
parent 6b6c3dbbb7
12 changed files with 217 additions and 1 deletions
--- a/scripts/policy/protocols/http/detect-sql-injection.zeek
+++ b/scripts/policy/protocols/http/detect-sql-injection.zeek
@ -0,0 +1,142 @@
+##! SQL injection attack detection in HTTP.
+
+## The script annotates the notices it generates with an associated $uid
+## connection identifier; always provides an attacker IP address in the
+## $src field; and always provides a victim IP address in the $dst field.
+
+@load base/frameworks/notice
+@load base/frameworks/sumstats
+@load base/protocols/http
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host performing SQL injection attacks was
+		## detected.
+		SQL_Injection_Attacker,
+
+		## Indicates that a host was seen to have SQL injection attacks
+		## against it.  This is tracked by IP address as opposed to
+		## hostname.
+		SQL_Injection_Victim,
+	};
+
+	redef enum Tags += {
+		## Indicator of a URI based SQL injection attack.
+		URI_SQLI,
+	};
+
+	## Defines the threshold that determines if an SQL injection attack
+	## is ongoing based on the number of requests that appear to be SQL
+	## injection attacks.
+	const sqli_requests_threshold: double = 50.0 &redef;
+
+	## Interval at which to watch for the
+	## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+	## At the end of each interval the counter is reset.
+	const sqli_requests_interval = 5 min &redef;
+
+	## Regular expression is used to match URI based SQL injections.
+	const match_sql_injection_uri =
+		  /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?(having|union|exec|select|delete|drop|declare|create|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+/i
+		| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+(x?or|n?and)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+'?(([^a-zA-Z&]+)?=|exists)/i
+		| /[\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?convert|cast)/i
+		| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*(x?or|n?and|having|union|exec|select|delete|drop|declare|create|regexp|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/i
+		| /[\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?(char|ascii|substring|truncate|version|length)\(/i
+		| /\/\*![[:digit:]]{5}.*?\*\// &redef;
+
+	## A hook that can be used to prevent specific requests from being counted
+	## as an injection attempt.  Use a 'break' statement to exit the hook
+	## early and ignore the request.
+	global HTTP::sqli_policy: hook(c: connection, method: string, unescaped_URI: string);
+}
+
+redef record SumStats::Observation += {
+	uid: string &optional;
+};
+
+event zeek_init() &priority=3
+	{
+	# Add filters to the metrics so that the metrics framework knows how to
+	# determine when it looks like an actual attack and how to respond when
+	# thresholds are crossed.
+	local r1 = SumStats::Reducer(
+		$stream="http.sqli.attacker",
+		$apply=set(SumStats::SUM, SumStats::SAMPLE),
+		$num_samples=1
+	);
+	local r2 = SumStats::Reducer(
+		$stream="http.sqli.victim",
+		$apply=set(SumStats::SUM, SumStats::SAMPLE),
+		$num_samples=1
+	);
+
+	SumStats::create([
+		$name="detect-sqli-attackers",
+		$epoch=sqli_requests_interval,
+		$reducers=set(r1),
+		$threshold_val(key: SumStats::Key, result: SumStats::Result) =
+			{
+			return result["http.sqli.attacker"]$sum;
+			},
+		$threshold=sqli_requests_threshold,
+		$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+			{
+			local r = result["http.sqli.attacker"];
+			local dst = to_addr(r$samples[0]$str);
+			local uid = r$samples[0]$uid;
+			NOTICE([$note=SQL_Injection_Attacker,
+				$msg="An SQL injection attacker was discovered!",
+				$uid=uid,
+				$src=key$host,
+				$dst=dst,
+				$identifier=cat(key$host)]);
+			}
+	]);
+
+	SumStats::create([
+		$name="detect-sqli-victims",
+		$epoch=sqli_requests_interval,
+		$reducers=set(r2),
+		$threshold_val(key: SumStats::Key, result: SumStats::Result) =
+			{
+			return result["http.sqli.victim"]$sum;
+			},
+		$threshold=sqli_requests_threshold,
+		$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+			{
+			local r = result["http.sqli.victim"];
+			local src = to_addr(r$samples[0]$str);
+			local uid = r$samples[0]$uid;
+			NOTICE([$note=SQL_Injection_Victim,
+				$msg="An SQL injection victim was discovered!",
+				$uid=uid,
+				$src=src,
+				$dst=key$host,
+				$identifier=cat(key$host)]);
+			}
+	]);
+	}
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) &priority=3
+	{
+	if ( ! hook HTTP::sqli_policy(c, method, unescaped_URI) )
+		return;
+
+	if ( match_sql_injection_uri !in unescaped_URI )
+		return;
+
+	add c$http$tags[URI_SQLI];
+
+	local id = c$id;
+	local orig = id$orig_h;
+	local resp = id$resp_h;
+	local uid = c$uid;
+
+	SumStats::observe("http.sqli.attacker", SumStats::Key($host=orig),
+		SumStats::Observation($str=fmt("%s", resp), $uid=c$uid));
+	SumStats::observe("http.sqli.victim", SumStats::Key($host=resp),
+		SumStats::Observation($str=fmt("%s", orig), $uid=c$uid));
+	}
--- a/scripts/policy/protocols/http/detect-sqli.zeek
+++ b/scripts/policy/protocols/http/detect-sqli.zeek
@ -1,5 +1,20 @@
 ##! SQL injection attack detection in HTTP.

+## This package is deprecated in favor of detect-sql-injection.zeek.
+##
+## The replacement script annotates the notices it generates with
+## an associated $uid connection identifier; always provides an attacker
+## IP address in the $src field; and always provides a victim IP address
+## in the $dst field. The notices generated by this script, on the other
+## hand, lack a $uid identifier, and do not provide $dst information.
+## In addition, for SQL_Injection_Victim notices, this script provides the
+## victim's IP address in the $src field, which some find counter-intuitive.
+##
+## In addition, the replacement script removes support for generating
+## Notice emails.
+
+@deprecated "Remove in v8.1: Switch to the improved detect-sql-injection script"
+
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/http
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -119,7 +119,8 @@
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/detect.zeek
@load protocols/ftp/software.zeek
-@load protocols/http/detect-sqli.zeek
+# @load protocols/http/detect-sqli.zeek
+@load protocols/http/detect-sql-injection.zeek
@load protocols/http/detect-webapps.zeek
@load protocols/http/header-names.zeek
@load protocols/http/software-browser-plugins.zeek
--- a/scripts/zeekygen/load.zeek
+++ b/scripts/zeekygen/load.zeek
@ -17,6 +17,9 @@
@load policy/misc/dump-events.zeek
@load policy/protocols/conn/speculative-service.zeek

+# Remove in v8.1: This script is deprecated and conflicts with detect-sql-injection.zeek
+# @load policy/protocols/http/detect-sqli.zeek
+
@if ( have_spicy() )
 # Loading this messes up documentation of some elements defined elsewhere.
 # @load frameworks/spicy/record-spicy-batch.zeek