diff --git a/README.md b/README.md index 0278390..49e74c8 100644 --- a/README.md +++ b/README.md @@ -22,107 +22,76 @@ Configuration ## datafilter Currently, go-slm implements 3 data filters, **owasp-sqli**, **owasp-xss** and **pan-filtering**. The default definitions for these filters are defined in the go-slm package -and can be viewed under **datafilter/rules**. At the same time, the definitions of these filters are defined in **datafilter/datafilter_rule_set.json** and are ready to use without any modification.
+and can be viewed under **datafilter/rules**. At the same time, the definitions of these filters are defined in **datafilter/datafilter_rule_set.yaml** and are ready to use without any modification.
If users want to make any changes in the existing filters, or if they want to add new rules to the filters; * First, they need to create custom filter files and put them into the project directory. -* Second, they need to create a custom **datafilter_rule_set.json** file and put it into the project directory. Users can update existing types/rules in the default datafilter_rule_set.json file -or define new types/rules with changes made in their own datafilter_rule_set.json. -* Finally, custom filter files should be linked in the custom datafilter_rule_set.json. +* Second, they need to create a custom **datafilter_rule_set.yaml** file and put it into the project directory. Users can update existing types/rules in the default datafilter_rule_set.yaml file +or define new types/rules with changes made in their own datafilter_rule_set.yaml. +* Finally, custom filter files should be linked in the custom datafilter_rule_set.yaml. -**custom_owasp_attack_sqli.json** +**custom_owasp_attack_sqli.yaml** (As an example, let's assume that we put this file under the **/config** directory in the main application.) ``` -[ - { - "name": "942110", - "disable" : true, - "rule": "(?:^\\s*[\\\"'`;]+|[\\\"'`]+\\s*$)", - "message": "My custom message: SQL Injection Attack: Common Injection Testing Detected", - "sample": "var=''" - }, - { - "name": "new_rule_1", - "disable" : false, - "rule": "", - "message": "", - "sample": "" - }, -] +- name: '942110' + disable: true + rule: (?:^\s*[\"'`;]+|[\"'`]+\s*$) + message: 'My custom message: SQL Injection Attack: Common Injection Testing Detected' + sample: var='' +- name: new_rule_1 + disable: false + rule: + message: + sample: ``` In the example file above, 2 rules are defined for owasp_attack_sqli. -* The first rule with name=942110 updates and disables the existing rule in the package rule file (**datafilter/rules/owasp_attack_sqli.json**). 
+* The first rule with name=942110 updates and disables the existing rule in the package rule file (**datafilter/rules/owasp_attack_sqli.yaml**). By doing this, we disable the rule which is not required in our rule set. Similarly, we can change the rule message or regex value as needed. * The second rule creates a new filter rule and adds it to the rule set which is generated from the package rule file. -**custom_datafilter_rule_set.json** +**custom_datafilter_rule_set.yaml** ``` -[ - { - "type": "owasp", - "rules": [ - { - "name": "sqli", - "path": "rules/owasp_attack_sqli.json" - "custom_path": "config/custom_owasp_attack_sqli.json" - } - ] - } -] +- type: owasp + rules: + - name: sqli + path: rules/owasp_attack_sqli.yaml + custom_path: config/custom_owasp_attack_sql.yaml ``` -In the **custom_datafilter_rule_set.json** file above, we define a single rule which only updates **owasp_sqli** and leaves the other rules as is. -So, the rules inside **custom_owasp_attack_sqli.json** update the rules defined in the **owasp_attack_sqli.json** file if necessary, or add them to our rule_set as a new rule.
-In order for the newly created **custom_owasp_attack_sqli.json** file to be considered, it should be defined in the **GO_SLM_DATA_FILTER_RULE_SET_PATH** environment variable as in the example below. +In the **custom_datafilter_rule_set.yaml** file above, we define a single rule which only updates **owasp_sqli** and leaves the other rules as is. +So, the rules inside **custom_owasp_attack_sqli.yaml** update the rules defined in the **owasp_attack_sqli.yaml** file if necessary, or add them to our rule_set as a new rule.
+In order for the newly created **custom_owasp_attack_sqli.yaml** file to be considered, it should be defined in the **GO_SLM_DATA_FILTER_RULE_SET_PATH** environment variable as in the example below. -`_ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/{directory}/custom_datafilter_rule_set.json") +`_ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/{directory}/custom_datafilter_rule_set.yaml") ` ## policy -We can create reusable policies in our common policy rule file (similar to **/testconfig/common_policies.json**) and use them -to combine different policies in **policy_rule_set.json**. This file can be named based on requirement and should be defined in the **GO_SLM_COMMON_POLICIES_PATH** +We can create reusable policies in our common policy rule file (similar to **/testconfig/common_policies.yaml**) and use them +to combine different policies in **policy_rule_set.yaml**. This file can be named based on requirement and should be defined in the **GO_SLM_COMMON_POLICIES_PATH** environment variable as in the example below. -`_ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/{directory}/common_policies.json") +`_ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/{directory}/common_policies.yaml") ` -**common_policies.json** +**common_policies.yaml** ``` - { - "commonPolicies": [ - { - "PolicyName": "combined_policy", - "Policy": [ - { - "name": "xss", - "active": true - }, - { - "name": "pan_process", - "active": true - }, - { - "name": "sqli", - "active": true - } - ] - }, - { - "PolicyName": "pan_only_policy", - "Policy": [ - { - "name": "pan_process", - "active": true - } - ] - } - ] -} +- PolicyName: combined_policy + Policy: + - name: xss + active: true + - name: pan_process + active: true + - name: sqli + active: true +- PolicyName: pan_only_policy + Policy: + - name: pan_process + active: true ``` Below, you can see how policy definitions are generated for our API services. Simply, our common policies that we defined 
@@ -130,25 +99,17 @@ before are assigned to the services to be triggered for request and response in This file can be named based on requirement and should be defined in the **GO_SLM_COMMON_RULES_PATH** environment variable as in the example below. -`_ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/{directory}/policy_rule_set.json") +`_ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/{directory}/policy_rule_set.yaml") ` -**policy_rule_set.json** +**policy_rule_set.yaml** ``` -{ - "policies": [ - { - "serviceName": "test", - "request": "pan_only_policy", - "response": "combined_policy" - }, - { - "serviceName": "test2", - "request": "combined_policy", - "response": "pan_only_policy" - } - ] -} +- serviceName: test + request: combined_policy + response: pan_only_policy +- serviceName: test2 + request: combined_policy + response: pan_only_policy ``` diff --git a/common_test.go b/common_test.go index 43b75c8..ca39d7e 100644 --- a/common_test.go +++ b/common_test.go @@ -6,8 +6,8 @@ import ( ) func TestMain(m *testing.M) { - _ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/testconfig/policy_rule_set.json") - _ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/testconfig/common_policies.json") + _ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/testconfig/policy_rule_set.yaml") + _ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/testconfig/common_policies.yaml") _ = os.Setenv("GO_SLM_CURRENT_MODULE_NAME", "github.com/kaanaktas/dummy") os.Exit(m.Run()) diff --git a/datafilter/datafilter_rule_set.json b/datafilter/datafilter_rule_set.json deleted file mode 100644 index 16d7a93..0000000 --- a/datafilter/datafilter_rule_set.json +++ /dev/null @@ -1,24 +0,0 @@ -[ - { - "type": "pan", - "rules": [ - { - "name": "pan_process", - "path": "rules/pan_process.json" - } - ] - }, - { - "type": "owasp", - "rules": [ - { - "name": "sqli", - "path": "rules/owasp_attack_sqli.json" - }, - { - "name": "xss", - "path": "rules/owasp_attack_xss.json" - } - ] - } -] 
diff --git a/datafilter/datafilter_rule_set.yaml b/datafilter/datafilter_rule_set.yaml new file mode 100644 index 0000000..033ae66 --- /dev/null +++ b/datafilter/datafilter_rule_set.yaml @@ -0,0 +1,10 @@ +- type: pan + rules: + - name: pan_process + path: rules/pan_process.yaml +- type: owasp + rules: + - name: sqli + path: rules/owasp_attack_sqli.yaml + - name: xss + path: rules/owasp_attack_xss.yaml diff --git a/datafilter/load.go b/datafilter/load.go index 74317ab..a853761 100644 --- a/datafilter/load.go +++ b/datafilter/load.go @@ -2,28 +2,28 @@ package datafilter import ( "embed" - "encoding/json" "fmt" "github.com/kaanaktas/go-slm/cache" "github.com/kaanaktas/go-slm/config" + "gopkg.in/yaml.v3" "log" "path/filepath" ) type ruleSet struct { - Type string `json:"type"` - Rules []rules `json:"rules"` + Type string `yaml:"type"` + Rules []rules `yaml:"rules"` } type rules struct { - Name string `json:"name"` - Path string `json:"path"` - CustomPath string `json:"custom_path"` + Name string `yaml:"name"` + Path string `yaml:"path"` + CustomPath string `yaml:"custom_path"` } var cacheIn = cache.NewInMemory() -//go:embed datafilter_rule_set.json +//go:embed datafilter_rule_set.yaml var dataFilterRuleSet []byte //go:embed rules/* @@ -31,9 +31,9 @@ var ruleFs embed.FS func Load(dataFilterRuleSetPath string) { var ruleSet, customRuleSet []ruleSet - err := json.Unmarshal(dataFilterRuleSet, &ruleSet) + err := yaml.Unmarshal(dataFilterRuleSet, &ruleSet) if err != nil { - msg := fmt.Sprintf("Can't unmarshall the content of datafilter_rule_set.json. Error: %s", err) + msg := fmt.Sprintf("Can't unmarshall the content of datafilter_rule_set.yaml. Error: %s", err) panic(msg) } 
@@ -43,7 +43,7 @@ func Load(dataFilterRuleSetPath string) { msg := fmt.Sprintf("Error while reading %s. Error: %s", dataFilterRuleSetPath, err) panic(msg) } - err = json.Unmarshal(content, &customRuleSet) + err = yaml.Unmarshal(content, &customRuleSet) if err != nil { msg := fmt.Sprintf("Can't unmarshall the content of %s. Error: %s", dataFilterRuleSetPath, err) panic(msg) @@ -76,7 +76,7 @@ func Load(dataFilterRuleSetPath string) { } var patterns, customPatterns []pattern - err = json.Unmarshal(content, &patterns) + err = yaml.Unmarshal(content, &patterns) if err != nil { msg := fmt.Sprintf("Can't unmarshall the content of %s. Error: %s", rule.Path, err) panic(msg) @@ -88,7 +88,7 @@ func Load(dataFilterRuleSetPath string) { msg := fmt.Sprintf("Error while reading %s. Error: %s", rule.CustomPath, err) panic(msg) } - err = json.Unmarshal(content, &customPatterns) + err = yaml.Unmarshal(content, &customPatterns) if err != nil { msg := fmt.Sprintf("Can't unmarshall the content of %s. Error: %s", rule.CustomPath, err) panic(msg) diff --git a/datafilter/rules/owasp_attack_sqli.json b/datafilter/rules/owasp_attack_sqli.json deleted file mode 100644 index 026a828..0000000 --- a/datafilter/rules/owasp_attack_sqli.json +++ /dev/null 
@@ -1,310 +0,0 @@ -[ - { - "name": "942110", - "disable" : false, - "rule": "(?:^\\s*[\\\"'`;]+|[\\\"'`]+\\s*$)", - "message": "SQL Injection Attack: Common Injection Testing Detected", - "sample": "var=''" - }, - { - "name": "942120", - "disable" : false, - "rule": "(?i)(?:not\\s+between\\s+(?:(?:(?:'[^']*')|(?:\\\"[^\\\"]*\\\"))\\s+and\\s+(?:(?:'[^']*')|(?:\\\"[^\\\"]*\\\"))|0\\s+and)|(?:^|\\W)in[+\\s]*\\([\\s\\d\\\"]+[^()]*\\)|\\b(?:r(?:egexp|like)|isnull|xor)\\b|<(?:>(?:\\s+binary)?|=>?|<)|r(?:egexp|like)\\s+binary|(?:like|is)\\s+null|>[=>]|\\|\\||!=|&&)", - "message": "SQL Injection Attack: SQL Operator Detected", - "sample": "pay= in ( Aa,- Ab-, and Ac)" - }, - { - "name": "942140", - "disable" : false, - "rule": "(?i)\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\.\\.sysdatabases|ysql\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\b|s(?:(?:ys(?:\\.database_name|aux)|qlite(?:_temp)?_master)\\b|chema(?:_name\\b|\\W*\\())|d(?:atabas|b_nam)e\\W*\\()", - "message": "SQL Injection Attack: Common DB Names Detected", - "sample": "DaTaBasE(" - }, - { - "name": "942150", - "disable" : false, - "rule": 
"(?i)\\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\\W*\\(", - "message": "SQL Injection Attack", - "sample": "var=test\\\"+(function(){if(typeof 
gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\\\"" - }, - { - "name": "942160", - "disable" : false, - "rule": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))", - "message": "Detects blind sqli tests using sleep() or benchmark()", - "sample": "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" - }, - { - "name": "942170", - "disable" : false, - "rule": "(?i)(?:select|;)\\s+(?:benchmark|sleep|if)\\s*?\\(\\s*?\\(?\\s*?\\w+", - "message": "Detects SQL benchmark and sleep injection attempts including conditional queries", - "sample": "var=SELECT BENCHMARK(1000000,1+1);" - }, - { - "name": "942180", - "disable" : false, - "rule": "(?i)(?:[\\\"'`](?:\\s*?(?:(?:between|x?or|and|div)[\\w\\s-]+\\s*?[+<>=(),-]\\s*?[\\d\\\"'`]|like(?:[\\w\\s-]+\\s*?[+<>=(),-]\\s*?[\\d\\\"'`]|\\W+[\\w\\\"'`(])|[!=|](?:[\\d\\s!=+-]+.*?[\\\"'`(].*?|[\\d\\s!=]+.*?\\d+)$|[^\\w\\s]?=\\s*?[\\\"'`])|(?:\\W*?[+=]+\\W*?|[<>~]+)[\\\"'`])|(?:/\\*)+[\\\"'`]+\\s?(?:[#{]|\\/\\*|--)?|\\d[\\\"'`]\\s+[\\\"'`]\\s+\\d|where\\s[\\s\\w\\.,-]+\\s=|^admin\\s*?[\\\"'`]|\\sis\\s*?0\\W)", - "message": "Detects basic SQL authentication bypass attempts 1/3", - "sample": "javascript:\\\"/*'/*`/*-->alert(\"XSS\")',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell" - }, - { - "name": "942200", - "disable" : false, - "rule": "(?i)(?:(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\\s*?\\(\\s*?space\\s*?\\(|,.*?[)\\da-f\\\"'`][\\\"'`](?:[\\\"'`].*?[\\\"'`]|(?:\\r?\\n)?\\z|[^\\\"'`]+)|\\Wselect.+\\W*?from)", - "message": "Detects MySQL comment-/space-obfuscated injections and backtick termination", - "sample": ",varname\"=somedata" - }, - { - "name": "942210", - "disable" : false, - "rule": 
"(?i)(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||like|and|div|&&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`=()]|\\d(?:\\s*?(?:between|like|x?or|and|div)\\s*?\\d+\\s*?[\\-+]|\\s+group\\s+by.+\\()|\\/\\w+;?\\s+(?:between|having|select|like|x?or|and|div)\\W|--\\s*?(?:(?:insert|update)\\s*?\\w{2,}|alter|drop)|#\\s*?(?:(?:insert|update)\\s*?\\w{2,}|alter|drop)|;\\s*?(?:(?:insert|update)\\s*?\\w{2,}|alter|drop)|@.+=\\s*?\\(\\s*?select|[^\\w]SET\\s*?@\\w+)", - "message": "Detects chained SQL injection attempts 1/2", - "sample": "pay=@example.com&name=(select" - }, - { - "name": "942220", - "disable" : false, - "rule": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$", - "message": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash", - "sample": "/?string_to_convert= 4294967296" - }, - { - "name": "942230", - "disable" : false, - "rule": "(?i)(?:select.*?having\\s*?[^\\s]+\\s*?[^\\w\\s]|[\\s()]case\\s+when.*?then|if\\s?\\(\\w+\\s*?[=<>~]|\\)\\s*?like\\s*?\\()", - "message": "Detects conditional SQL injection attempts", - "sample": "/?var= case when condition1 then result1" - }, - { - "name": "942240", - "disable" : false, - "rule": "(?i)(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)", - "message": "Detects MySQL charset switch and MSSQL DoS attempts", - "sample": "pay=ALTER TABLE `mass_mails` CHANGE `receivers` `receivers` ENUM('FACILITIES','APPLICATION_2015','APPLICATION_2016') CHARACTER SET utf8" - }, - { - "name": "942250", - "disable" : false, - "rule": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(),+-]+\\s*?against\\s*?\\()", - "message": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections", - "sample": "/?var=EXECUTE IMMEDIATE \"" - }, - { - "name": 
"942251", - "disable" : false, - "rule": "(?i)\\W+\\d*?\\s*?\\bhaving\\b\\s*?[^\\s\\-]", - "message": "Detects HAVING injections", - "sample": "/?var= HAVING COUNT(CustomerID) > 5" - }, - { - "name": "942260", - "disable" : true, - "rule": "(?i)(?:[\\\"'`]\\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||and|div|&&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|like(?:\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|\\W*?[\\\"'`\\d])|[^?\\w\\s=.,;)(]+\\s*?[(@\\\"'`]*?\\s*?\\w+\\W+\\w|\\*\\s*?\\w+\\W+[\\\"'`])|(?:union\\s*?(?:distinct|[(!@]*?|all)?\\s*?[([]*?\\s*?select|select\\s+?[\\[\\]()\\s\\w\\.,\\\"'`-]+from)\\s+|\\w\\s+like\\s+[\\\"'`]|find_in_set\\s*?\\(|like\\s*?[\\\"'`]%)", - "message": "Detects basic SQL authentication bypass attempts 2/3", - "sample": "" - }, - { - "name": "942270", - "disable" : false, - "rule": "(?i)union.*?select.*?from", - "message": "Looking for basic sql injection. Common attack string for mysql, oracle and others.", - "sample": "/?var=union select col from" - }, - { - "name": "942280", - "disable" : false, - "rule": "(?i)(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)", - "message": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts\n", - "sample": "/?var=select pg_sleep" - }, - { - "name": "942290", - "disable" : false, - "rule": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))", - "message": "Finds basic MongoDB SQL injection attempts", - "sample": "/mongo/show.php?u_id[$ne]=2" - }, - { - "name": "942300", - "disable" : false, - "rule": "(?i)(?:\\b(?:(?:r(?:egexp|like)|n(?:and|ot)|(?:x?x)?or|like|and|div)\\s+\\s*?\\w+\\(|b(?:etween\\s+\\s*?\\w+\\(|inary\\s*?\\(\\s*?\\d)|cha?r\\s*?\\(\\s*?\\d)|\\)\\s*?when\\s*?\\d+\\s*?then|(?:\\|\\||&&)\\s+\\s*?\\w+\\(|[\\\"'`]\\s*?(?:[#{]|--)|\\/\\*!\\s?\\d+)", - "message": "Detects MySQL comments, conditions and ch(a)r injections", - "sample": "var=) when 234 
then&foo=bar" - }, - { - "name": "942310", - "disable" : false, - "rule": "(?i)(?:(?:\\(\\s*?select\\s*?\\w+|order\\s+by\\s+if\\w*?|coalesce)\\s*?\\(|[\\\"'`](?:;\\s*?(?:begin|while|if)|[\\s\\d]+=\\s*?\\d)|\\w[\\\"'`]\\s*?(?:(?:[-+=|@]+\\s+?)+|[-+=|@]+)[\\d(]|[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]|\\+\\s*?\\d+\\s*?\\+\\s*?@|@@\\w+\\s*?[^\\w\\s]|\\W!+[\\\"'`]\\w|\\*\\/from)", - "message": "Detects chained SQL injection attempts 2/2", - "sample": "/?var=' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --" - }, - { - "name": "942320", - "disable" : false, - "rule": "(?i)(?:create\\s+(?:procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-|;\\s*?(?:declare|open)\\s+[\\w-]+|procedure\\s+analyse\\s*?\\(|declare[^\\w]+[@#]\\s*?\\w+|exec\\s*?\\(\\s*?@)", - "message": "Detects MySQL and PostgreSQL stored procedure/function injections", - "sample": "pay=DECLARE/**/@x" - }, - { - "name": "942330", - "disable" : true, - "rule": "(?i)(?:^(?:[\\\"'`\\x5c]*?(?:[^\\\"'`]+[\\\"'`]|[\\d\\\"'`]+)\\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||like|and|div|&&)\\s*?[\\w\\\"'`][+&!@(),.-]|.?[\\\"'`]$)|@(?:[\\w-]+\\s(?:between|like|x?or|and|div)\\s*?[^\\w\\s]|\\w+\\s+(?:between|like|x?or|and|div)\\s*?[\\\"'`\\d]+)|[\\\"'`]\\s*?(?:between|like|x?or|and|div)\\s*?[\\\"'`]?\\d|[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\\\"'`].|[^\\w\\s]\\w+\\s*?[|-]\\s*?[\\\"'`]\\s*?\\w|\\Winformation_schema|\\x5cx(?:23|27|3d)|table_name\\W)", - "message": "Detects classic SQL injection probings 1/3", - "sample": "var=\\\\x23" - }, - { - "name": "942340", - "disable" : true, - "rule": "(?i)(?:[\\\"'`](?:\\s*?(?:is\\s*?(?:[\\d.]+\\s*?\\W.*?[\\\"'`]|\\d.+[\\\"'`]?\\w)|\\d\\s*?(?:--|#))|(?:\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+|\\|?[\\w-]{3,}[^\\w\\s.,]+)[\\\"'`]|[\\%&<>^=]+\\d\\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:sounds\\s+like\\s*?[\\\"'`]|regexp\\s*?\\(|[=\\d]+x)|in\\s*?\\(+\\s*?select)", - "message": "Detects basic SQL 
authentication bypass attempts 3/3", - "sample": "/?var=in ( select * from" - }, - { - "name": "942350", - "disable" : false, - "rule": "(?i)(?:;\\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\\b\\s*?[\\[(]?\\w{2,}|create\\s+function\\s.+\\sreturns)", - "message": "Detects MySQL UDF injection and other data/structure manipulation attempts", - "sample": "/?var=CREATE FUNCTION hello (s CHAR(20)) RETURNS CHAR(50) DETERMINISTIC RETURN CONCAT('Hello, ',s,'!');" - }, - { - "name": "942360", - "disable" : false, - "rule": "(?i)(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)", - "message": "Detects concatenated basic SQL injection and SQLLFI attempts", - "sample": "var=1234 AS \"foobar\" FROM 
tablevar2=whatever" - }, - { - "name": "942361", - "disable" : false, - "rule": "(?i:^[\\W\\d]+\\s*?(?:alter|union)\\b)", - "message": "Detects basic SQL injection based on keyword alter or union", - "sample": "\\\" ALTER A" - }, - { - "name": "942370", - "disable" : true, - "rule": "(?i)(?:[\\\"'`](?:\\s*?(?:(?:\\*.+(?:(?:an|i)d|between|like|x?or|div)\\W*?[\\\"'`]|(?:between|like|x?or|and|div)\\s[^\\d]+[\\w-]+.*?)\\d|[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\\\"'`]|[^\\w\\s]+\\s*?[\\W\\d].*?(?:--|#))|.*?\\*\\s*?\\d)|[()\\*<>%+-][\\w-]+[^\\w\\s]+[\\\"'`][^,]|\\^[\\\"'`])", - "message": "Detects classic SQL injection probings 2/3", - "sample": "var=\\\"` * 12344" - }, - { - "name": "942380", - "disable" : false, - "rule": "(?i)(?:\\b(?:having\\b(?: ?(?:[\\'\\\"][^=]{1,10}[\\'\\\" ?[=<>]+|\\d{1,10} ?[=<>]+)|\\s+(?:'[^=]{1,10}'|\\d{1,10})\\s*?[=<>])|ex(?:ecute(?:\\s{1,5}[\\w\\.$]{1,5}\\s{0,3}|\\()|ists\\s*?\\(\\s*?select\\b)|(?:create\\s+?table.{0,20}?|like\\W*?char\\W*?)\\()|exists\\s(?:s(?:elect\\S(?:if(?:null)?\\s\\(|concat|top)|ystem\\s\\()|\\bhaving\\b\\s+\\d{1,10}|'[^=]{1,10}'|\\sselect)|select.*?case|from.*?limit|order\\sby)", - "message": "SQL Injection Attack", - "sample": "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" - }, - { - "name": "942390", - "disable" : false, - "rule": "(?:\\b(?:(?i:xor)\\b\\s+(?:'[^=]{1,10}'(?:\\s*?[=<>])?|\\d{1,10}(?:\\s*?[=<>])?)|(?i:or)\\b\\s+(?:'[^=]{1,10}'(?:\\s*?[=<>])?|\\d{1,10}(?:\\s*?[=<>])?))|(?i:\\bor\\b ?[\\'\\\"][^=]{1,10}[\\'\\\"] ?[=<>]+)|(?i:'\\s+xor\\s+.{1,20}[+\\-!<>=])|(?i:'\\s+or\\s+.{1,20}[+\\-!<>=])|(?i:\\bor\\b ?\\d{1,10} ?[=<>]+))", - "message": "SQL Injection Attack", - "sample": "/?var=sdfsd'or 1 > 1" - }, - { - "name": "942400", - "disable" : false, - "rule": "(?i)\\band\\b(?: ?(?:[\\'\\\"][^=]{1,10}[\\'\\\"]|\\d{1,10}) ?[=<>]+|\\s+(?:\\d{1,10}\\s*?[=<>]|'[^=]{1,10}'))", - "message": "SQL 
Injection Attack", - "sample": "and '5'orig_var_datavarname=whatever" - }, - { - "name": "942410", - "disable" : false, - "rule": "(?i)\\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:t(?:d(?:dev(?:_(?:sam|po)p)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)?|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:insert_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|r(?:a(?:wto(?:nhex(?:toraw)?|hex)|dians|nd)|e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|ight|trim|pad)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o_(?:(?:second|day)s|base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arte
r|ote)|year(?:week)?|xmltype)\\W*?\\(", - "message": "SQL Injection Attack", - "sample": "BENChmARk(" - }, - { - "name": "942420", - "disable" : true, - "rule": "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){8})", - "message": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)", - "sample": "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" - }, - { - "name": "942421", - "disable" : true, - "rule": "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){3})", - "message": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)", - "sample": "cookie=@@@@@@@@@@@@@" - }, - { - "name": "942430", - "disable" : true, - "rule": "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){12})", - "message": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)", - "sample": "var=(((((())))))&var2=whatever" - }, - { - "name": "942431", - "disable" : true, - "rule": "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){6})", - "message": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)", - "sample": "var=-------------------&var2=whatever" - }, - { - "name": "942432", - "disable" : true, - "rule": "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){2})", - "message": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)", - "sample": "var=;;dd foo bar" - }, - { - "name": "942440", - "disable" : false, - "rule": " (?:--(?:[\\s\\r\\n\\v\\f]|[^-]*?-)|[^&-]#.*?[\\s\\r\\n\\v\\f]|;?\\x00|[';]--|\\/\\*!?|\\*\\/)", - "message": "SQL Comment Sequence 
Detected", - "sample": "" - }, - { - "name": "942450", - "disable" : false, - "rule": " (?i:\\b0x[a-f\\d]{3,})", - "message": "SQL Hex Encoding Identified", - "sample": "var=select 0x616263" - }, - { - "name": "942460", - "disable" : true, - "rule": "\\W{4}", - "message": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters", - "sample": "var=foo...." - }, - { - "name": "942470", - "disable" : false, - "rule": "(?i)(?:xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|(?:servicecontro|cmdshel)l|e(?:xecresultset|numdsn)|ntsec(?:_enumdomains)?|terminate(?:_process)?|availablemedia|loginconfig|filelist|dirtree|makecab)|s(?:p_(?:(?:addextendedpro|sqlexe)c|p(?:assword|repare)|replwritetovarbin|is_srvrolemember|execute(?:sql)?|makewebtask|oacreate|help)|ql_(?:longvarchar|variant))|open(?:owa_util|rowset|query)|(?:n?varcha|tbcreato)r|autonomous_transaction|db(?:a_users|ms_java)|utl_(?:file|http))", - "message": "SQL Injection Attack", - "sample": "ppay=sp_executesql" - }, - { - "name": "942480", - "disable" : false, - "rule": "(?i)(?:\\b(?:(?:s(?:elect\\b.{1,100}?\\b(?:(?:(?:length|count)\\b.{1,100}?|.*?\\bdump\\b.*)\\bfrom|to(?:p\\b.{1,100}?\\bfrom|_(?:numbe|cha)r)|(?:from\\b.{1,100}?\\bwher|data_typ)e|instr)|ys_context)|in(?:to\\b\\W*?\\b(?:dump|out)file|sert\\b\\W*?\\binto|ner\\b\\W*?\\bjoin)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr)|group\\b.*?\\bby\\b.{1,100}?\\bhaving|d(?:elete\\b\\W*?\\bfrom|bms_\\w+\\.)|load\\b\\W*?\\bdata\\b.*?\\binfile)\\b|print\\b\\W*?\\@\\@)|(?:;\\W*?\\b(?:shutdown|drop)|collation\\W*?\\(a|\\@\\@version)\\b|'(?:s(?:qloledb|a)|msdasql|dbo)')", - "message": "SQL Injection Attack", - "sample": "/?'msdasql'" - }, - { - "name": "942490", - "disable" : true, - "rule": "[\\\"'`][\\s\\d]*?[^\\w\\s]\\W*?\\d\\W*?.*?[\\\"'`\\d]", - "message": "Detects classic SQL injection probings 3/3", - "sample": "pay='][0]]), strtolower($b[$GLOBALS['\n" - }, - { - "name": "942500", - "disable" : false, 
- "rule": "(?i:\\/\\*[!+](?:[\\w\\s=_\\-()]+)?\\*\\/)", - "message": "MySQL in-line comment detected", - "sample": "/?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}" - } -] diff --git a/datafilter/rules/owasp_attack_sqli.yaml b/datafilter/rules/owasp_attack_sqli.yaml new file mode 100644 index 0000000..48675bd --- /dev/null +++ b/datafilter/rules/owasp_attack_sqli.yaml 
@@ -0,0 +1,296 @@ +- name: '942110' + disable: false + rule: '(?:^\s*[\"''`;]+|[\"''`]+\s*$)' + message: 'SQL Injection Attack: Common Injection Testing Detected' + sample: var='' +- name: '942120' + disable: false + rule: >- + (?i)(?:not\s+between\s+(?:(?:(?:'[^']*')|(?:\"[^\"]*\"))\s+and\s+(?:(?:'[^']*')|(?:\"[^\"]*\"))|0\s+and)|(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|(?:like|is)\s+null|>[=>]|\|\||!=|&&) + message: 'SQL Injection Attack: SQL Operator Detected' + sample: 'pay= in ( Aa,- Ab-, and Ac)' +- name: '942140' + disable: false + rule: >- + (?i)\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W*\())|d(?:atabas|b_nam)e\W*\() + message: 'SQL Injection Attack: Common DB Names Detected' + sample: DaTaBasE( +- name: '942150' + disable: false + rule: >- + 
(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\( + message: SQL Injection Attack + sample: >- + var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new + 
Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\" +- name: '942160' + disable: false + rule: '(?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))' + message: Detects blind sqli tests using sleep() or benchmark() + sample: 'pay=BeNChMaRK(1000000, md5 AND 9796=4706('''')' +- name: '942170' + disable: false + rule: '(?i)(?:select|;)\s+(?:benchmark|sleep|if)\s*?\(\s*?\(?\s*?\w+' + message: >- + Detects SQL benchmark and sleep injection attempts including conditional + queries + sample: 'var=SELECT BENCHMARK(1000000,1+1);' +- name: '942180' + disable: false + rule: >- + (?i)(?:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[\"'`])|(?:\W*?[+=]+\W*?|[<>~]+)[\"'`])|(?:/\*)+[\"'`]+\s?(?:[#{]|\/\*|--)?|\d[\"'`]\s+[\"'`]\s+\d|where\s[\s\w\.,-]+\s=|^admin\s*?[\"'`]|\sis\s*?0\W) + message: Detects basic SQL authentication bypass attempts 1/3 + sample: >- + javascript:\"/*'/*`/*-->- + (?i)(?:\b(?:(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| + select + @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|from\W+information_schema\W|exec(?:ute)?\s+master\.)|[\"'`](?:;?\s*?(?:union\b\s*?(?:(?:distin|sele)ct|all)|having|select)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|\s*?exec(?:ute)?.*?\Wxp_cmdshell|\Wiif\s*?\() + message: Detects MSSQL code execution and information gathering attempts + sample: >- + execution=e1s1&OlyH=9767 AND 1=1 UNION ALL SELECT + 1,NULL,'',table_name FROM + information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell +- name: '942200' + disable: false + rule: >- + (?i)(?:(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|\Wselect.+\W*?from) + message: Detects MySQL comment-/space-obfuscated injections and backtick 
termination + sample: ',varname"=somedata' +- name: '942210' + disable: false + rule: >- + (?i)(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]|\d(?:\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|\s+group\s+by.+\()|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|@.+=\s*?\(\s*?select|[^\w]SET\s*?@\w+) + message: Detects chained SQL injection attempts 1/2 + sample: pay=@example.com&name=(select +- name: '942220' + disable: false + rule: >- + ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$ + message: >- + Looking for integer overflow attacks, these are taken from skipfish, except + 2.2.2250738585072011e-308 is the \"magic number\" crash + sample: /?string_to_convert= 4294967296 +- name: '942230' + disable: false + rule: >- + (?i)(?:select.*?having\s*?[^\s]+\s*?[^\w\s]|[\s()]case\s+when.*?then|if\s?\(\w+\s*?[=<>~]|\)\s*?like\s*?\() + message: Detects conditional SQL injection attempts + sample: /?var= case when condition1 then result1 +- name: '942240' + disable: false + rule: >- + (?i)(?:[\"'`](?:;*?\s*?waitfor\s+(?:delay|time)\s+[\"'`]|;.*?:\s*?goto)|alter\s*?\w+.*?cha(?:racte)?r\s+set\s+\w+) + message: Detects MySQL charset switch and MSSQL DoS attempts + sample: >- + pay=ALTER TABLE `mass_mails` CHANGE `receivers` `receivers` + ENUM('FACILITIES','APPLICATION_2015','APPLICATION_2016') CHARACTER SET utf8 +- name: '942250' + disable: false + rule: >- + (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\() + message: 'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections' + sample: /?var=EXECUTE IMMEDIATE " +- name: '942251' + disable: false + rule: '(?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]' + message: Detects 
HAVING injections + sample: /?var= HAVING COUNT(CustomerID) > 5 +- name: '942260' + disable: true + rule: >- + (?i)(?:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%) + message: Detects basic SQL authentication bypass attempts 2/3 + sample: '' +- name: '942270' + disable: false + rule: (?i)union.*?select.*?from + message: >- + Looking for basic sql injection. Common attack string for mysql, oracle and + others. + sample: /?var=union select col from +- name: '942280' + disable: false + rule: >- + (?i)(?:;\s*?shutdown\s*?(?:[#;{]|\/\*|--)|waitfor\s*?delay\s?[\"'`]+\s?\d|select\s*?pg_sleep) + message: > + Detects Postgres pg_sleep injection, waitfor delay attacks and database + shutdown attempts + sample: /?var=select pg_sleep +- name: '942290' + disable: false + rule: >- + (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\])) + message: Finds basic MongoDB SQL injection attempts + sample: '/mongo/show.php?u_id[$ne]=2' +- name: '942300' + disable: false + rule: >- + (?i)(?:\b(?:(?:r(?:egexp|like)|n(?:and|ot)|(?:x?x)?or|like|and|div)\s+\s*?\w+\(|b(?:etween\s+\s*?\w+\(|inary\s*?\(\s*?\d)|cha?r\s*?\(\s*?\d)|\)\s*?when\s*?\d+\s*?then|(?:\|\||&&)\s+\s*?\w+\(|[\"'`]\s*?(?:[#{]|--)|\/\*!\s?\d+) + message: 'Detects MySQL comments, conditions and ch(a)r injections' + sample: var=) when 234 then&foo=bar +- name: '942310' + disable: false + rule: >- + (?i)(?:(?:\(\s*?select\s*?\w+|order\s+by\s+if\w*?|coalesce)\s*?\(|[\"'`](?:;\s*?(?:begin|while|if)|[\s\d]+=\s*?\d)|\w[\"'`]\s*?(?:(?:[-+=|@]+\s+?)+|[-+=|@]+)[\d(]|[\s(]+case\d*?\W.+[tw]hen[\s(]|\+\s*?\d+\s*?\+\s*?@|@@\w+\s*?[^\w\s]|\W!+[\"'`]\w|\*\/from) + message: Detects chained 
SQL injection attempts 2/2 + sample: >- + /?var=' and 1 in (select min(name) from sysobjects where xtype = 'U' and + name > '.') -- +- name: '942320' + disable: false + rule: >- + (?i)(?:create\s+(?:procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-|;\s*?(?:declare|open)\s+[\w-]+|procedure\s+analyse\s*?\(|declare[^\w]+[@#]\s*?\w+|exec\s*?\(\s*?@) + message: Detects MySQL and PostgreSQL stored procedure/function injections + sample: pay=DECLARE/**/@x +- name: '942330' + disable: true + rule: >- + (?i)(?:^(?:[\"'`\x5c]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\x5cx(?:23|27|3d)|table_name\W) + message: Detects classic SQL injection probings 1/3 + sample: var=\\x23 +- name: '942340' + disable: true + rule: >- + (?i)(?:[\"'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[\"'`]|\d.+[\"'`]?\w)|\d\s*?(?:--|#))|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)[\"'`]|[\%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+(?:sounds\s+like\s*?[\"'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select) + message: Detects basic SQL authentication bypass attempts 3/3 + sample: /?var=in ( select * from +- name: '942350' + disable: false + rule: >- + (?i)(?:;\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\b\s*?[\[(]?\w{2,}|create\s+function\s.+\sreturns) + message: Detects MySQL UDF injection and other data/structure manipulation attempts + sample: >- + /?var=CREATE FUNCTION hello (s CHAR(20)) RETURNS CHAR(50) DETERMINISTIC + RETURN CONCAT('Hello, ',s,'!'); +- name: '942360' + disable: false + rule: >- + 
(?i)(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\s+\w+|u(?:nion\s*(?:(?:distin|sele)ct|all)\b|pdate\s+\w+))|\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\b\s*\(?|end\s*?\);)|[\"'`\w]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W) + message: Detects concatenated basic SQL injection and SQLLFI attempts + sample: var=1234 AS "foobar" FROM tablevar2=whatever +- name: '942361' + disable: false + rule: '(?i:^[\W\d]+\s*?(?:alter|union)\b)' + message: Detects basic SQL injection based on keyword alter or union + sample: \" ALTER A +- name: '942370' + disable: true + rule: >- + (?i)(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]) + message: Detects classic SQL injection probings 2/3 + sample: var=\"` * 12344 +- name: '942380' + disable: false + rule: >- + 
(?i)(?:\b(?:having\b(?: ?(?:[\'\"][^=]{1,10}[\'\" ?[=<>]+|\d{1,10} + ?[=<>]+)|\s+(?:'[^=]{1,10}'|\d{1,10})\s*?[=<>])|ex(?:ecute(?:\s{1,5}[\w\.$]{1,5}\s{0,3}|\()|ists\s*?\(\s*?select\b)|(?:create\s+?table.{0,20}?|like\W*?char\W*?)\()|exists\s(?:s(?:elect\S(?:if(?:null)?\s\(|concat|top)|ystem\s\()|\bhaving\b\s+\d{1,10}|'[^=]{1,10}'|\sselect)|select.*?case|from.*?limit|order\sby) + message: SQL Injection Attack + sample: >- + from(select count(*),concat((select (select (select + concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) + from `information_schema`.tables limit +- name: '942390' + disable: false + rule: >- + (?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?))|(?i:\bor\b + ?[\'\"][^=]{1,10}[\'\"] + ?[=<>]+)|(?i:'\s+xor\s+.{1,20}[+\-!<>=])|(?i:'\s+or\s+.{1,20}[+\-!<>=])|(?i:\bor\b + ?\d{1,10} ?[=<>]+)) + message: SQL Injection Attack + sample: /?var=sdfsd'or 1 > 1 +- name: '942400' + disable: false + rule: >- + (?i)\band\b(?: ?(?:[\'\"][^=]{1,10}[\'\"]|\d{1,10}) + ?[=<>]+|\s+(?:\d{1,10}\s*?[=<>]|'[^=]{1,10}')) + message: SQL Injection Attack + sample: and '5'orig_var_datavarname=whatever +- name: '942410' + disable: false + rule: >- + 
(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:t(?:d(?:dev(?:_(?:sam|po)p)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)?|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:insert_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|r(?:a(?:wto(?:nhex(?:toraw)?|hex)|dians|nd)|e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|ight|trim|pad)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o_(?:(?:second|day)s|base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*?\( + message: SQL Injection Attack + sample: BENChmARk( +- name: '942420' + disable: true + rule: 
>- + ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8}) + message: >- + Restricted SQL Character Anomaly Detection (cookies): # of special + characters exceeded (8) + sample: ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var +- name: '942421' + disable: true + rule: >- + ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3}) + message: >- + Restricted SQL Character Anomaly Detection (cookies): # of special + characters exceeded (3) + sample: cookie=@@@@@@@@@@@@@ +- name: '942430' + disable: true + rule: >- + ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){12}) + message: >- + Restricted SQL Character Anomaly Detection (args): # of special characters + exceeded (12) + sample: var=(((((())))))&var2=whatever +- name: '942431' + disable: true + rule: >- + ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6}) + message: >- + Restricted SQL Character Anomaly Detection (args): # of special characters + exceeded (6) + sample: var=-------------------&var2=whatever +- name: '942432' + disable: true + rule: >- + ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2}) + message: >- + Restricted SQL Character Anomaly Detection (args): # of special characters + exceeded (2) + sample: var=;;dd foo bar +- name: '942440' + disable: false + rule: ' (?:--(?:[\s\r\n\v\f]|[^-]*?-)|[^&-]#.*?[\s\r\n\v\f]|;?\x00|['';]--|\/\*!?|\*\/)' + message: SQL Comment Sequence Detected + sample: '' +- name: '942450' + disable: false + rule: ' (?i:\b0x[a-f\d]{3,})' + message: SQL Hex Encoding Identified + sample: var=select 0x616263 +- name: '942460' + disable: true + rule: '\W{4}' + message: Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters + sample: var=foo.... 
+- name: '942470' + disable: false + rule: >- + (?i)(?:xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|(?:servicecontro|cmdshel)l|e(?:xecresultset|numdsn)|ntsec(?:_enumdomains)?|terminate(?:_process)?|availablemedia|loginconfig|filelist|dirtree|makecab)|s(?:p_(?:(?:addextendedpro|sqlexe)c|p(?:assword|repare)|replwritetovarbin|is_srvrolemember|execute(?:sql)?|makewebtask|oacreate|help)|ql_(?:longvarchar|variant))|open(?:owa_util|rowset|query)|(?:n?varcha|tbcreato)r|autonomous_transaction|db(?:a_users|ms_java)|utl_(?:file|http)) + message: SQL Injection Attack + sample: ppay=sp_executesql +- name: '942480' + disable: false + rule: >- + (?i)(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|u(?:nion\b.{1,100}?\bselect|tl_inaddr)|group\b.*?\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_\w+\.)|load\b\W*?\bdata\b.*?\binfile)\b|print\b\W*?\@\@)|(?:;\W*?\b(?:shutdown|drop)|collation\W*?\(a|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)') + message: SQL Injection Attack + sample: /?'msdasql' +- name: '942490' + disable: true + rule: '[\"''`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"''`\d]' + message: Detects classic SQL injection probings 3/3 + sample: | + pay='][0]]), strtolower($b[$GLOBALS[' +- name: '942500' + disable: false + rule: '(?i:\/\*[!+](?:[\w\s=_\-()]+)?\*\/)' + message: MySQL in-line comment detected + sample: >- + /?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0} diff --git a/datafilter/rules/owasp_attack_xss.json b/datafilter/rules/owasp_attack_xss.json deleted file mode 100644 index 9d80b10..0000000 --- a/datafilter/rules/owasp_attack_xss.json +++ /dev/null 
@@ -1,191 +0,0 @@ -[ - { - "name": "941110", - "disable" : false, - "rule": "(?i)]*>[\\s\\S]*?", - "message": "XSS Filter - Category 1: Script Tag Vector", - "sample": "xyz=" - }, - { - "name": "941120", - "disable" : true, - "rule": "(?i)[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", - "message": "XSS Filter - Category 2: Event Handler Vector", - "sample": "/? onload= =vardata" - }, - { - "name": "941130", - "disable" : false, - "rule": "(?i)[\\s\\S](?:\\b(?:x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction)|!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|;base64|@import)\\b", - "message": "XSS Filter - Category 3: Attribute Vector", - "sample": "var=555-555-0199@example.com'||(select extractvalue(xmltype('%lbsod;" - }, - { - "name": "941140", - "disable" : false, - "rule": "(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript", - "message": "XSS Filter - Category 4: Javascript URI Vector", - "sample": "

=941140-2" - }, - { - "name": "941150", - "disable" : false, - "rule": "(?i)\\b(?:s(?:tyle|rc)|href)\\b[\\s\\S]*?=", - "message": "XSS Filter - Category 5: Disallowed HTML Attributes", - "sample": "payload=XSS]*(?:[^<>\\\"'\\s]*:)?[^\\w<>]*\\W*?(?:(?:a\\W*?(?:n\\W*?i\\W*?m\\W*?a\\W*?t\\W*?e|p\\W*?p\\W*?l\\W*?e\\W*?t|u\\W*?d\\W*?i\\W*?o)|b\\W*?(?:i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g\\W*?s|a\\W*?s\\W*?e|o\\W*?d\\W*?y)|i?\\W*?f\\W*?r\\W*?a\\W*?m\\W*?e|o\\W*?b\\W*?j\\W*?e\\W*?c\\W*?t|i\\W*?m\\W*?a?\\W*?g\\W*?e?|e\\W*?m\\W*?b\\W*?e\\W*?d|p\\W*?a\\W*?r\\W*?a\\W*?m|v\\W*?i\\W*?d\\W*?e\\W*?o|l\\W*?i\\W*?n\\W*?k)[^>\\w]|s\\W*?(?:c\\W*?r\\W*?i\\W*?p\\W*?t|t\\W*?y\\W*?l\\W*?e|e\\W*?t[^>\\w]|v\\W*?g)|m\\W*?(?:a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|e\\W*?t\\W*?a[^>\\w])|f\\W*?o\\W*?r\\W*?m))", - "message": "NoScript XSS InjectionChecker: HTML Injection", - "sample": "/char_test?mime=text/xml&body='formaction=" - }, - { - "name": "941170", - "disable" : false, - "rule": "(?i)(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d))|data:(?:(?:[a-z]\\w+\\\\w[\\w+-]+\\w)?[;,]|[\\s\\S]*?;[\\s\\S]*?\\b(?:base64|charset=)|[\\s\\S]*?,[\\s\\S]*?<[\\s\\S]*?\\w[\\s\\S]*?>))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:\\\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(", - "message": "NoScript XSS InjectionChecker: Attribute Injection", - "sample": "payload=javascript:/*-->" - }, - { - "name": "941190", - "disable" : false, - "rule": "(?i:.*?(?:@[i\\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\x5c]|&#x?0*(?:40|28|92|5C);?)))", - "message": "IE XSS Filters - Attack Detected", - "sample": "x=" - }, - { - "name": "941200", - "disable" : false, - "rule": "(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)", - "message": "IE XSS Filters - Attack Detected", - "sample": "=941200-3" - }, - { - "name": "941210", - "disable" : false, - "rule": 
"(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", - "message": "IE XSS Filters - Attack Detected", - "sample": "941210-1=ja&tab;vascript: " - }, - { - "name": "941220", - "disable" : false, - "rule": "(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", - "message": "IE XSS Filters - Attack Detected", - "sample": "var=v&newline;b&tab;s&newline;c&newline;r&tab;i&tab;p&newline;t::&var2=whatever" - }, - { - "name": "941230", - "disable" : false, - "rule": "(?i)" - }, - { - "name": "941240", - "disable" : false, - "rule": "<[?]?import[\\s\\+\\S]*?implementation[\\s\\+]*?=", - 
"message": "IE XSS Filters - Attack Detected", - "sample": "/?var=&var2=whatever" - }, - { - "name": "941270", - "disable" : false, - "rule": "(?i)" - }, - { - "name": "941280", - "disable" : false, - "rule": "(?i)xss" - }, - { - "name": "941290", - "disable" : false, - "rule": "(?i)]", - "message": "IE XSS Filters - Attack Detected", - "sample": "payload=" - }, - { - "name": "941300", - "disable" : false, - "rule": "(?i)" - }, - { - "name": "941310", - "disable" : false, - "rule": "(?:\\xbc\\s*\\\\s*[^\\xbe>]*[\\xbe>])|(?:<\\s*\\\\s*[^\\xbe]*\\xbe)", - "message": "US-ASCII Malformed Encoding XSS Filter - Attack Detected", - "sample": "" - }, - { - "name": "941320", - "disable" : false, - "rule": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W", - "message": "Possible XSS Attack Detected - HTML Tag Handler", - "sample": "var=\\\">" - }, - { - "name": "941340", - "disable" : false, - "rule": "(?i)[\\\"\\'][ ]*(?:[^a-z0-9~_:\\' ]|in).+?[.].+?=", - "message": "IE XSS Filters - Attack Detected", - "sample": "payload=XSS" - }, - { - "name": "941350", - "disable" : false, - "rule": "\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-", - "message": "UTF-7 Encoding IE XSS - Attack Detected", - "sample": "" - }, - { - "name": "941360", - "disable" : false, - "rule": "![!+ ]\\[\\]", - "message": "JSFuck / Hieroglyphy obfuscation detected", - "sample": "a=(![]+[])[+!+[]]" - }, - { - "name": 
"941370", - "disable" : false, - "rule": "(?:self|document|this|top|window)\\s*(?:\\\\*|[\\[)]).+?(?:\\]|\\*)", - "message": "JavaScript global variable found", - "sample": "a=document+/*foo*/+.+++++cookie" - }, - { - "name": "941380", - "disable" : false, - "rule": "{{.*?}}", - "message": "AngularJS client side template injection detected", - "sample": "/login?user= x {{constructor.constructor('alert(1)')()}} . ff" - } -] diff --git a/datafilter/rules/owasp_attack_xss.yaml b/datafilter/rules/owasp_attack_xss.yaml new file mode 100644 index 0000000..fe5580d --- /dev/null +++ b/datafilter/rules/owasp_attack_xss.yaml @@ -0,0 +1,158 @@ +- name: '941110' + disable: false + rule: '(?i)]*>[\s\S]*?' + message: 'XSS Filter - Category 1: Script Tag Vector' + sample: xyz= +- name: '941120' + disable: true + rule: >- + (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=] + message: 'XSS Filter - Category 2: Event Handler Vector' + sample: /? onload= =vardata +- name: '941130' + disable: false + rule: >- + (?i)[\s\S](?:\b(?:x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction)|!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|;base64|@import)\b + message: 'XSS Filter - Category 3: Attribute Vector' + sample: >- + var=555-555-0199@example.com'||(select extractvalue(xmltype('%lbsod; +- name: '941140' + disable: false + rule: '(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript' + message: 'XSS Filter - Category 4: Javascript URI Vector' + sample: '

=941140-2' +- name: '941150' + disable: false + rule: '(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' + message: 'XSS Filter - Category 5: Disallowed HTML Attributes' + sample: >- + payload=XSS- + (?i)(?:(?:<\w[\s\S]*[\s/]|['\"](?:[\s\S]*[\s/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t
|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m)) + message: 'NoScript XSS InjectionChecker: HTML Injection' + sample: /char_test?mime=text/xml&body='formaction= +- name: '941170' + disable: false + rule: >- + 
(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+\\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\( + message: 'NoScript XSS InjectionChecker: Attribute Injection' + sample: >- + payload=javascript:/*--> +- name: '941190' + disable: false + rule: >- + (?i:.*?(?:@[i\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\x5c]|&#x?0*(?:40|28|92|5C);?))) + message: IE XSS Filters - Attack Detected + sample: 'x=' +- name: '941200' + disable: false + rule: '(?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)' + message: IE XSS Filters - Attack Detected + sample: '=941200-3' +- name: '941210' + disable: false + rule: >- + (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).) 
+ message: IE XSS Filters - Attack Detected + sample: '941210-1=ja&tab;vascript: ' +- name: '941220' + disable: false + rule: >- + (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).) + message: IE XSS Filters - Attack Detected + sample: >- + var=v&newline;b&tab;s&newline;c&newline;r&tab;i&tab;p&newline;t::&var2=whatever +- name: '941230' + disable: false + rule: '(?i)' +- name: '941240' + disable: false + rule: '<[?]?import[\s\+\S]*?implementation[\s\+]*?=' + message: IE XSS Filters - Attack Detected + sample: /?var=- + (?i:&var2=whatever +- name: '941270' + disable: false + rule: '(?i) +- name: '941280' + disable: false + rule: '(?i)- + payload=xss' +- name: '941310' + disable: false + rule: '(?:\xbc\s*\\s*[^\xbe>]*[\xbe>])|(?:<\s*\\s*[^\xbe]*\xbe)' + message: US-ASCII Malformed Encoding XSS Filter - Attack Detected + sample: '' +- name: '941320' + disable: false + rule: >- + 
<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W + message: Possible XSS Attack Detected - HTML Tag Handler + sample: 'var=- + (?i:[\"'][ ]*(?:[^a-z0-9~_:' + ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=) + message: IE XSS Filters - Attack Detected + sample: payload= +- name: '941340' + disable: false + rule: '(?i)[\"\''][ ]*(?:[^a-z0-9~_:\'' ]|in).+?[.].+?=' + message: IE XSS Filters - Attack Detected + sample: >- + payload=XSS +- name: '941350' + disable: false + rule: '\+ADw-.*(?:\+AD4-|>)|<.*\+AD4-' + message: UTF-7 Encoding IE XSS - Attack Detected + sample: '' +- name: '941360' + disable: false + rule: '![!+ ]\[\]' + message: JSFuck / Hieroglyphy obfuscation detected + sample: 'a=(![]+[])[+!+[]]' +- name: '941370' + disable: false + rule: '(?:self|document|this|top|window)\s*(?:\\*|[\[)]).+?(?:\]|\*)' + message: JavaScript global variable found + sample: a=document+/*foo*/+.+++++cookie +- name: '941380' + disable: false + rule: '{{.*?}}' + message: AngularJS client side template injection detected + sample: 
'/login?user= x {{constructor.constructor(''alert(1)'')()}} . ff' diff --git a/datafilter/rules/pan_process.json b/datafilter/rules/pan_process.json deleted file mode 100644 index 4593ee6..0000000 --- a/datafilter/rules/pan_process.json +++ /dev/null @@ -1,9 +0,0 @@ -[ - { - "name": "pan_blocker", - "disable" : false, - "rule": "(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})", - "message": "Potential PAN detected", - "sample": "374245455400126" - } -] diff --git a/datafilter/rules/pan_process.yaml b/datafilter/rules/pan_process.yaml new file mode 100644 index 0000000..42c8414 --- /dev/null +++ b/datafilter/rules/pan_process.yaml @@ -0,0 +1,6 @@ +- name: pan_blocker + disable: false + rule: >- + (?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11}) + message: Potential PAN detected + sample: '374245455400126' diff --git a/datafilter/testdata/datafilter_rule_set.json b/datafilter/testdata/datafilter_rule_set.json deleted file mode 100644 index bd7369f..0000000 --- a/datafilter/testdata/datafilter_rule_set.json +++ /dev/null @@ -1,24 +0,0 @@ -[ - { - "type": "pan", - "rules": [ - { - "name": "test_pan_process", - "path": "rules/pan_process.json" - } - ] - }, - { - "type": "owasp", - "rules": [ - { - "name": "sqli", - "path": "rules/owasp_attack_sqli.json" - }, - { - "name": "xss", - "path": "rules/owasp_attack_xss.json" - } - ] - } -] diff --git a/executor/executor.go b/executor/executor.go index d0f2a47..53c0de9 100644 --- a/executor/executor.go +++ b/executor/executor.go 
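Review bot: several entries in the owasp_attack_xss.yaml hunk are incomplete as committed and need a parse-and-compile check before this merges: 941230 carries only `rule: '(?i)'` with no message or sample, 941270's `rule: '(?i)` has no closing quote (yaml.Unmarshal will either reject the file or swallow the following entries into that scalar), 941280's `rule: '(?i)- payload=xss'` has absorbed what looks like its own sample, and 941320's `sample: 'var=-` runs straight into what appears to be the next rule's pattern. A rule whose pattern is just `(?i)` matches every input, so if the file does load, that rule flags every request as XSS. Suggest a test in the datafilter package that loads each rules/*.yaml, compiles every `rule` with regexp.MustCompile, asserts the pattern is non-empty, and asserts each non-empty `sample` matches it; 941310 and 941350 ship with `sample: ''`, so they would also need samples to be covered.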
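Review bot: the pan_blocker pattern in the new pan_process.yaml matches any digit run with a plausible prefix and length, with no boundaries and no Luhn check, so a 16-digit order or tracking number starting with 4 is reported as a PAN, and a card number embedded in a longer digit string is matched on a substring. Since this filter decides whether a message is flagged, suggest anchoring the pattern (`\b`, or `(?:^|\D)` and `(?:\D|$)`) and validating the matched candidate with a Luhn check in Go before raising `Potential PAN detected`; the sample `374245455400126` is Luhn-valid, so the existing test input still passes.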
@@ -49,7 +49,7 @@ func Execute(data, serviceName, direction string) { panic("policyRule doesn't exist") } - policies := cachedRule.(policy.CommonPolicyMap)[policyKey] + policies := cachedRule.(policy.CommonPolicies)[policyKey] if len(policies) == 0 { log.Println("No ruleSet found for", serviceName) return diff --git a/go.mod b/go.mod index 95da0d8..0ff6ebf 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ require ( github.com/kelseyhightower/envconfig v1.4.0 github.com/labstack/echo/v4 v4.7.2 github.com/patrickmn/go-cache v2.1.0+incompatible + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b ) require ( diff --git a/go.sum b/go.sum index 81cd2b7..7695f1a 100644 --- a/go.sum +++ b/go.sum @@ -36,6 +36,7 @@ golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE= golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= diff --git a/main.go b/main.go index a623abe..a5239d0 100644 --- a/main.go +++ b/main.go 
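Review bot: the renamed assertion `cachedRule.(policy.CommonPolicies)` in executor.go is still a single-value type assertion, so anything else stored under that cache key panics inside the request path; use the two-value form and handle a mismatch explicitly (the hunk already has a `No ruleSet found` branch, but note that branch returns without filtering, i.e. fails open, so decide deliberately whether a bad cache entry should do the same). On go.mod, the new dependency is pinned to a 2021 pseudo-version of gopkg.in/yaml.v3 rather than a tagged v3.0.x release; since every policy and rule file now goes through yaml.Unmarshal at startup, pin a tagged release and run govulncheck so a stale parser snapshot cannot be carried forward unnoticed.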
@@ -16,9 +16,9 @@ func main() { log.Println("All Channels were closed successfully. Number of goroutine:", runtime.NumGoroutine()) }() - _ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/testconfig/common_policies.json") - _ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/testconfig/policy_rule_set.json") - _ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/testconfig/custom_datafilter_rule_set.json") + _ = os.Setenv("GO_SLM_COMMON_POLICIES_PATH", "/testconfig/common_policies.yaml") + _ = os.Setenv("GO_SLM_POLICY_RULE_SET_PATH", "/testconfig/policy_rule_set.yaml") + _ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/testconfig/custom_datafilter_rule_set.yaml") //pretending to be imported by another project _ = os.Setenv("GO_SLM_CURRENT_MODULE_NAME", "github.com/kaanaktas/dummy") diff --git a/policy/load.go b/policy/load.go index aaaa030..e085c60 100644 --- a/policy/load.go +++ b/policy/load.go @@ -1,10 +1,10 @@ package policy import ( - "encoding/json" "fmt" "github.com/kaanaktas/go-slm/cache" "github.com/kaanaktas/go-slm/config" + "gopkg.in/yaml.v3" "log" "path/filepath" ) 
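Review bot: main.go unconditionally overrides GO_SLM_COMMON_POLICIES_PATH, GO_SLM_POLICY_RULE_SET_PATH and GO_SLM_DATA_FILTER_RULE_SET_PATH with the /testconfig/*.yaml paths via os.Setenv, so an operator who points those variables at their own YAML silently gets the test policies instead. If this is demo wiring, guard each with os.LookupEnv and only apply the default when the variable is absent, or move the three calls into the test package next to the identical Setenv in policy_load_test.go. In the policy/load.go import hunk, `gopkg.in/yaml.v3` is interleaved with the standard-library imports; goimports would put it in its own group.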
@@ -14,30 +14,22 @@ const Key = "policy_rule" var cacheIn = cache.NewInMemory() type CommonPolicy struct { - Name string `json:"name"` - Active bool `json:"active"` + Name string `yaml:"name"` + Active bool `yaml:"active"` } type commonPolicies struct { - CommonPolicyName string `json:"PolicyName"` - Policy []CommonPolicy `json:"Policy"` -} - -type commonPolicySet struct { - CommonPolicies []commonPolicies `json:"commonPolicies"` + PolicyName string `yaml:"PolicyName"` + Policy []CommonPolicy `yaml:"Policy"` } type policy struct { - ServiceName string `json:"serviceName"` - Request string `json:"request"` - Response string `json:"response"` -} - -type policies struct { - Policies []policy `json:"policies"` + ServiceName string `yaml:"serviceName"` + Request string `yaml:"request"` + Response string `yaml:"response"` } -type CommonPolicyMap map[string][]CommonPolicy +type CommonPolicies map[string][]CommonPolicy func Load(policyRuleSetPath, commonRulesPath string) { if policyRuleSetPath == "" { 
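Review bot: the yaml tags in this hunk mix key casings (`PolicyName` and `Policy` versus `name`, `active`, `serviceName`), and yaml.v3 matches keys case-sensitively while ignoring unknown ones, so a config author who writes `policyName:` gets a struct with an empty policy list and no error. Pick one casing (lowercase, to match the other structs) and decode via `yaml.NewDecoder` with `KnownFields(true)` so a misspelled key is rejected at load instead of silently producing a policy with no rules. A doc comment on the exported `CommonPolicies` map stating its key format (the value of `config.PolicyKey(serviceName, direction)`) would also help callers such as executor.go that type-assert on it.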
@@ -48,40 +40,40 @@ func Load(policyRuleSetPath, commonRulesPath string) { panic("GO_SLM_COMMON_POLICIES_PATH hasn't been set") } - var ps policies + var policies []policy content, err := config.ReadFile(filepath.Join(config.RootDirectory, policyRuleSetPath)) if err != nil { msg := fmt.Sprintf("Error while reading %s. Error: %s", policyRuleSetPath, err) panic(msg) } - err = json.Unmarshal(content, &ps) + err = yaml.Unmarshal(content, &policies) if err != nil { msg := fmt.Sprintf("Can't unmarshall the content of %s. Error: %s", policyRuleSetPath, err) panic(msg) } - var rules commonPolicySet + var retrievedCommonPolicies []commonPolicies content, err = config.ReadFile(filepath.Join(config.RootDirectory, commonRulesPath)) if err != nil { msg := fmt.Sprintf("Error while reading %s. Error: %s", commonRulesPath, err) panic(msg) } - err = json.Unmarshal(content, &rules) + err = yaml.Unmarshal(content, &retrievedCommonPolicies) if err != nil { msg := fmt.Sprintf("Can't unmarshall the content of %s. Error: %s", commonRulesPath, err) panic(msg) } - policyRules := make(CommonPolicyMap) + policyRules := make(CommonPolicies) - for _, policy := range ps.Policies { - for _, rule := range rules.CommonPolicies { - if rule.CommonPolicyName == policy.Request { + for _, policy := range policies { + for _, rule := range retrievedCommonPolicies { + if rule.PolicyName == policy.Request { policyRules[config.PolicyKey(policy.ServiceName, config.Request)] = rule.Policy } - if rule.CommonPolicyName == policy.Response { + if rule.PolicyName == policy.Response { policyRules[config.PolicyKey(policy.ServiceName, config.Response)] = rule.Policy } } diff --git a/policy_load_test.go b/policy_load_test.go index 0671fa9..1c1d8c6 100644 --- a/policy_load_test.go +++ b/policy_load_test.go 
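Review bot: in the matching loop at the end of this hunk, a `request` or `response` name that matches no `PolicyName` is simply never inserted into `policyRules`, so a typo in policy_rule_set.yaml leaves that service with no filters and the executor later logs `No ruleSet found` and returns, i.e. the misconfiguration fails open. Validate after the loop that every policy referenced by every service resolved, and panic with the service and policy name as the other load failures already do; also consider rejecting duplicate `PolicyName` entries in retrievedCommonPolicies, since as written the last one wins silently. Minor: the carried-over error text `Can't unmarshall` has a double-l typo.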
@@ -11,7 +11,7 @@ import ( ) func TestDataFilterRuleLoad(t *testing.T) { - _ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/testconfig/custom_datafilter_rule_set.json") + _ = os.Setenv("GO_SLM_DATA_FILTER_RULE_SET_PATH", "/testconfig/custom_datafilter_rule_set.yaml") cacheIn := cache.NewInMemory() cacheIn.Flush() @@ -95,12 +95,12 @@ func TestPolicyLoad(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { if cachedData, ok := cacheIn.Get(test.policy.name); ok { - if len(cachedData.(policy.CommonPolicyMap)) != test.policy.size { + if len(cachedData.(policy.CommonPolicies)) != test.policy.size { t.Errorf("cached data size doesn't match up. Expected: %d, got:%d", test.policy.size, - len(cachedData.(policy.CommonPolicyMap))) + len(cachedData.(policy.CommonPolicies))) } for _, v := range test.policy.policies { - cachedPolicies := cachedData.(policy.CommonPolicyMap) + cachedPolicies := cachedData.(policy.CommonPolicies) if _, exists := cachedPolicies[v]; !exists { t.Errorf("%s is not in the policy rule set", v) } diff --git a/testconfig/common_policies.json b/testconfig/common_policies.json deleted file mode 100644 index 9add6cf..0000000 --- a/testconfig/common_policies.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "commonPolicies": [ - { - "PolicyName": "combined_policy", - "Policy": [ - { - "name": "xss", - "active": true - }, - { - "name": "pan_process", - "active": true - }, - { - "name": "sqli", - "active": true - } - ] - }, - { - "PolicyName": "pan_only_policy", - "Policy": [ - { - "name": "pan_process", - "active": true - } - ] - } - ] -} diff --git a/testconfig/common_policies.yaml b/testconfig/common_policies.yaml new file mode 100644 index 0000000..4251a12 --- /dev/null +++ b/testconfig/common_policies.yaml @@ -0,0 +1,12 @@ +- PolicyName: combined_policy + Policy: + - name: xss + active: true + - name: pan_process + active: true + - name: sqli + active: true +- PolicyName: pan_only_policy + Policy: + - name: pan_process + active: true 
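Review bot: TestPolicyLoad in this hunk still only checks the map size and that each expected key exists, not which CommonPolicy entries landed under each key; because `test` and `test2` use the same request and response names, a regression that swapped request and response or attached the wrong policy list would pass. Assert on the policy names stored under the request and response keys for `test`, and add an entry with `active: false` to common_policies.yaml, since every entry in the new fixture is `active: true` and the inactive path is not exercised.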
diff --git a/testconfig/custom_datafilter_rule_set.json b/testconfig/custom_datafilter_rule_set.json deleted file mode 100644 index 07f47d4..0000000 --- a/testconfig/custom_datafilter_rule_set.json +++ /dev/null @@ -1,17 +0,0 @@ -[ - { - "type": "pan", - "rules": [ - { - "name": "pan_process", - "path": "rules/pan_process.json", - "custom_path": "/testconfig/custom_pan_process.json" - }, - { - "name": "custom_pan_process", - "path": "rules/pan_process.json", - "custom_path": "" - } - ] - } -] diff --git a/testconfig/custom_datafilter_rule_set.yaml b/testconfig/custom_datafilter_rule_set.yaml new file mode 100644 index 0000000..4143035 --- /dev/null +++ b/testconfig/custom_datafilter_rule_set.yaml @@ -0,0 +1,8 @@ +- type: pan + rules: + - name: pan_process + path: rules/pan_process.yaml + custom_path: /testconfig/custom_pan_process.yaml + - name: custom_pan_process + path: rules/pan_process.yaml + custom_path: '' diff --git a/testconfig/custom_pan_process.json b/testconfig/custom_pan_process.json deleted file mode 100644 index 4b6d340..0000000 --- a/testconfig/custom_pan_process.json +++ /dev/null @@ -1,9 +0,0 @@ -[ - { - "name": "pan_blocker", - "disable" : false, - "rule": "(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})", - "message": "Potential PAN detected and caught in the custom pan_blocker Rule", - "sample": "374245455400126" - } -] diff --git a/testconfig/custom_pan_process.yaml b/testconfig/custom_pan_process.yaml new file mode 100644 index 0000000..c75edd9 --- /dev/null +++ b/testconfig/custom_pan_process.yaml @@ -0,0 +1,6 @@ +- name: pan_blocker + disable: false + rule: >- + (?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11}) + message: Potential PAN detected and caught in the custom pan_blocker Rule + sample: '374245455400126' 
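Review bot: in custom_datafilter_rule_set.yaml both `pan_process` and `custom_pan_process` point at `rules/pan_process.yaml`, and the first additionally overlays /testconfig/custom_pan_process.yaml, which redefines the same `pan_blocker` rule with only the message changed, so the same PAN regex is loaded under two names and would fire twice on one payload. If that is deliberate for the test, a comment in the fixture saying so would help; otherwise the `custom_path: ''` entry should be dropped or point at a distinct rules file. It would also be worth a test that a `custom_path` naming a missing file fails load rather than silently keeping only the package defaults.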
diff --git a/testconfig/policy_rule_set.json b/testconfig/policy_rule_set.json deleted file mode 100644 index 7ba6518..0000000 --- a/testconfig/policy_rule_set.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "policies": [ - { - "serviceName": "test", - "request": "combined_policy", - "response": "pan_only_policy" - }, - { - "serviceName": "test2", - "request": "combined_policy", - "response": "pan_only_policy" - } - ] -} diff --git a/testconfig/policy_rule_set.yaml b/testconfig/policy_rule_set.yaml new file mode 100644 index 0000000..6c7b552 --- /dev/null +++ b/testconfig/policy_rule_set.yaml @@ -0,0 +1,6 @@ +- serviceName: test + request: combined_policy + response: pan_only_policy +- serviceName: test2 + request: combined_policy + response: pan_only_policy
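Review bot: policy_rule_set.yaml and common_policies.yaml change the top-level shape from an object with a `policies` / `commonPolicies` wrapper to a bare sequence, and the Go types now unmarshal straight into `[]policy` and `[]commonPolicies`, so an existing user config converted key-for-key from JSON will fail with a YAML type error at startup. Document the new top-level shape with an example of both files in the Configuration section, and state plainly that JSON configs are no longer read.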