def detect_web_shell(self, data):
    """
    Detect possible Web Shell attacks.

    The recorded GET requests of every IP are compared (via
    ``self.payload_match``) against the list of known web shell
    payloads.  A matching IP is reported once only -- it is remembered
    in ``self.logged_IP`` -- then written to the IP list, handed to the
    OSINT scanner and appended to the malicious-IP file the firewall
    reads.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        if not self.payload_match(record["get"]):
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        seen_at = utils.epoch_to_date(record["ep_time"][0])
        msg = "Possible web shell detected from: {} on: {}".format(
            ip, str(seen_at))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
        clean_ip = ip.strip(" ")
        # Generate CSV report using OSINT tools
        self.osint_obj.perform_osint_scan(clean_ip)
        # Write malicious IP to file, to teach Firewall about the IP
        write_mal_ip(clean_ip)
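def detect_port_scan(self, data):
    """
    Detect possible Port Scan recon attacks.

    The user agent recorded for each IP is compared (via
    ``self.payload_match``) against the list of user agents known to be
    emitted by port scanning tools.  A matching IP is reported once only
    (tracked in ``self.logged_IP``), written to the IP list, handed to
    the OSINT scanner and appended to the malicious-IP file the firewall
    reads.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        if not self.payload_match(record["ua"]):
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        last_time = record["ep_time"][0]
        # str() keeps the concatenation safe should epoch_to_date return a
        # non-string, matching how the sibling detectors build their message
        msg = "Possible port scan detected from: " + str(ip) + \
              " on: " + str(utils.epoch_to_date(last_time))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
        clean_ip = ip.strip(" ")
        # Generate CSV report using OSINT tools
        self.osint_obj.perform_osint_scan(clean_ip)
        # Write malicious IP to file, to teach Firewall about the IP
        write_mal_ip(clean_ip)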
def detect_web_shell(self, data):
    """
    Detect possible Web Shell attacks.

    Every IP's recorded GET requests are checked against the known web
    shell payload list through ``self.payload_match``.  An IP that
    matches is logged once (remembered in ``self.logged_IP``) and written
    to the IP list.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        matched = self.payload_match(record["get"])
        if not matched or ip in self.logged_IP:
            # Either nothing suspicious, or already reported earlier
            continue
        self.logged_IP.append(ip)
        seen_at = utils.epoch_to_date(record["ep_time"][0])
        msg = "Possible web shell detected from: {} on: {}".format(
            ip, str(seen_at))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
def detect_sqli(self, data):
    """
    Detect possible SQL Injection (sqli) attacks.

    Each IP's recorded GET requests are run through the payload string
    match (``self.payload_match``) and the regex rules
    (``self.regex_check``).  The rule set documented by the author has
    four levels:

    - Simple regex
    - Hex regex
    - Payload string matching
    - URI encoded string matching

    A matching IP is reported once only (tracked in ``self.logged_IP``),
    written to the IP list, handed to the OSINT scanner and appended to
    the malicious-IP file the firewall reads.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        get_req = record["get"]
        last_time = record["ep_time"][0]
        is_sqli = self.payload_match(get_req) or self.regex_check(get_req)
        if not is_sqli or ip in self.logged_IP:
            # Either nothing suspicious, or already reported earlier
            continue
        self.logged_IP.append(ip)
        seen_at = utils.epoch_to_date(last_time)
        msg = "Possible SQL injection (sqli) detected from: {} on: {}".format(
            ip, str(seen_at))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
        clean_ip = ip.strip(" ")
        # Generate CSV report using OSINT tools
        self.osint_obj.perform_osint_scan(clean_ip)
        # Write malicious IP to file, to teach Firewall about the IP
        write_mal_ip(clean_ip)
def detect_sqli(self, data):
    """
    Detect possible SQL Injection (sqli) attacks.

    Each IP's recorded GET requests are run through the payload string
    match (``self.payload_match``) and the regex rules
    (``self.regex_check``).  The rule set documented by the author has
    four levels:

    - Simple regex
    - Hex regex
    - Payload string matching
    - URI encoded string matching

    A matching IP is logged once only (tracked in ``self.logged_IP``)
    and written to the IP list.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        get_req = record["get"]
        last_time = record["ep_time"][0]
        is_sqli = self.payload_match(get_req) or self.regex_check(get_req)
        if not is_sqli or ip in self.logged_IP:
            # Either nothing suspicious, or already reported earlier
            continue
        self.logged_IP.append(ip)
        seen_at = utils.epoch_to_date(last_time)
        msg = "Possible SQL injection (sqli) detected from: {} on: {}".format(
            ip, str(seen_at))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
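def detect_port_scan(self, data):
    """
    Detect possible Port Scan recon attacks.

    The user agent recorded for each IP is compared (via
    ``self.payload_match``) against the list of user agents known to be
    emitted by port scanning tools.  A matching IP is logged once only
    (tracked in ``self.logged_IP``) and written to the IP list.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        if not self.payload_match(record["ua"]):
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        last_time = record["ep_time"][0]
        # str() keeps the concatenation safe should epoch_to_date return a
        # non-string, matching how the sibling detectors build their message
        msg = "Possible port scan detected from: " + str(ip) + \
              " on: " + str(utils.epoch_to_date(last_time))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))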
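def detect_spider(self, data):
    """
    Detect possible Web Crawler / Spider / Bad user agents.

    High amount of unique GET request from an IP within a small period
    of time are likely to indicate a web crawler / spider.  The total
    hit count and the number of unique GET requests are each divided by
    the time span covered by the IP's timestamps and compared with
    ``self._THRESHOLD``; independently the user agent is compared
    against the bad user agent payload list via ``self.payload_match``.
    A matching IP is reported once only (tracked in ``self.logged_IP``),
    written to the IP list, handed to the OSINT scanner and appended to
    the malicious-IP file the firewall reads.

    IPs without any recorded timestamp are skipped instead of raising.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        times = record["ep_time"]
        if not times:
            # No timestamps recorded for this IP: there is no window to
            # rate the traffic against, so skip rather than IndexError
            continue
        count = record["count"]
        unique_gets = len(record["unique_get"])
        # ep_time[0] is taken as the most recent and ep_time[-1] as the
        # oldest hit; abs() makes the window length order-independent
        delta = abs(int(times[0] - times[-1]))
        if delta:
            calc_count_thresh = count / delta
            calc_get_thresh = unique_gets / delta
        else:
            # Every hit carries the same timestamp (or there is only one);
            # fall back to the raw counts as the rate
            calc_count_thresh = count
            calc_get_thresh = unique_gets
        # The user agent check only runs when neither rate exceeded the
        # threshold (short-circuit), as in the original ordering
        suspicious = (calc_count_thresh > self._THRESHOLD or
                      calc_get_thresh > self._THRESHOLD or
                      self.payload_match(record["ua"]))
        if not suspicious:
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        self.logger.log(
            "Possible web crawler / spider / bad user agent detected from: " +
            str(ip),
            logtype="warning")
        utils.write_ip(str(ip))
        clean_ip = ip.strip(" ")
        # Generate CSV report using OSINT tools
        self.osint_obj.perform_osint_scan(clean_ip)
        # Write malicious IP to file, to teach Firewall about the IP
        write_mal_ip(clean_ip)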
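def detect_ssrf(self, data):
    """
    Detect possible Server Side Request Forgery (SSRF) attacks.

    Absolute URLs embedded in the first recorded GET request of each IP
    are extracted with a regex.  Each URL is resolved through
    ``utils.resolver`` and the resulting address is checked with
    ``self.rmatch``; the URL itself is also compared against the SSRF
    payload list (``self.payload_match``) and the GET request against
    the regex rules (``self.regex_match``).  A hit is reported once per
    IP (tracked in ``self.logged_IP``), written to the IP list, handed to
    the OSINT scanner and appended to the malicious-IP file the firewall
    reads.

    IPs that were already reported, or that have no GET request or no
    timestamp recorded, are skipped before any URL is resolved.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    url_pattern = re.compile(r"https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+")

    for ip, record in data.items():
        if ip in self.logged_IP:
            # Already reported earlier; skip the network-bound URL checks
            continue
        get_req = record["get"]
        ep_time = record["ep_time"]
        if not get_req or not ep_time:
            # Nothing recorded for this IP; skip rather than IndexError
            continue
        last_time = ep_time[0]
        # NOTE(review): only the first recorded GET request is scanned for
        # URLs, as before; ep_time[0] is treated as the latest timestamp so
        # entries are presumably newest-first -- confirm against the parser
        # whether older requests should be scanned as well.
        urls = url_pattern.findall(get_req[0])
        for url in urls:
            # NOTE(review): resolver() looks up a hostname taken from
            # attacker-controlled log content; make sure it has a timeout
            # so a slow or unresponsive name cannot stall the whole scan.
            resolved_ip = utils.resolver(url)
            suspicious = (
                (resolved_ip and self.rmatch(resolved_ip))
                or self.payload_match(url)
                or self.regex_match(get_req)
            )
            if not suspicious:
                continue
            self.logged_IP.append(ip)
            # Single message for both the resolver-based and the
            # payload/regex-based hit (the two paths used to differ by a
            # colon, which made log searches inconsistent)
            msg = "Possible SSRF detected From: " + str(ip) + \
                  " on: " + str(utils.epoch_to_date(last_time))
            self.logger.log(msg, logtype="warning")
            utils.write_ip(str(ip))
            clean_ip = ip.strip(" ")
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(clean_ip)
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(clean_ip)
            # One report per IP; remaining URLs cannot add another
            break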
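def detect_fuzzer(self, data):
    """
    Detect possible URL fuzzing attacks.

    High number of failure codes (400-500) range from an IP within a
    small period of time indicates a possible fuzzing attack.  The
    failure count (``self.count_failure`` over the status codes) and the
    number of recorded GET requests are each divided by the time span
    covered by the IP's timestamps and compared with
    ``self._THRESHOLD``.  A matching IP is reported once only (tracked in
    ``self.logged_IP``), written to the IP list, handed to the OSINT
    scanner and appended to the malicious-IP file the firewall reads.

    IPs without any recorded timestamp are skipped instead of raising.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        times = record["ep_time"]
        if not times:
            # No timestamps recorded for this IP: there is no window to
            # rate the traffic against, so skip rather than IndexError
            continue
        # Count failure attempts for that IP
        failure_count = self.count_failure(record["status_code"])
        request_count = len(record["get"])
        # ep_time[0] is taken as the most recent and ep_time[-1] as the
        # oldest hit; abs() makes the window length order-independent
        delta = abs(int(times[0] - times[-1]))
        if delta:
            calc_count_thresh = failure_count / delta
            calc_get_thresh = request_count / delta
        else:
            # Every hit carries the same timestamp (or there is only one);
            # fall back to the raw counts as the rate
            calc_count_thresh = failure_count
            calc_get_thresh = request_count
        if (calc_count_thresh <= self._THRESHOLD and
                calc_get_thresh <= self._THRESHOLD):
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        msg = "Possible URL fuzzing detected from: " + str(ip) + \
              " on: " + str(utils.epoch_to_date(times[0]))
        self.logger.log(msg, logtype="warning")
        utils.write_ip(str(ip))
        clean_ip = ip.strip(" ")
        # Generate CSV report using OSINT tools
        self.osint_obj.perform_osint_scan(clean_ip)
        # Write malicious IP to file, to teach Firewall about the IP
        write_mal_ip(clean_ip)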
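def detect_lfi(self, data):
    """
    Detect possible Local File Inclusion (lfi) attacks.

    The recorded GET requests of every IP are compared (via
    ``self.payload_match``) against the list of known LFI payloads.  A
    matching IP is logged once only (tracked in ``self.logged_IP``) and
    written to the IP list.

    Args:
        data (dict): Parsed log file data, keyed by source IP

    Raises:
        None

    Returns:
        None
    """
    for ip, record in data.items():
        if not self.payload_match(record["get"]):
            continue
        if ip in self.logged_IP:
            # Reported in an earlier pass; do not raise a duplicate alert
            continue
        self.logged_IP.append(ip)
        # str() keeps the concatenation safe should epoch_to_date return a
        # non-string, matching how the sibling detectors build their message
        msg = "Possible LFI injection detected from: " + str(ip) + \
              " on: " + str(utils.epoch_to_date(record["ep_time"][0]))
        self.logger.log(msg, logtype="warning")
        # NOTE(review): write_ip receives the raw key while the other
        # detectors hand a .strip(" ")-ed copy to the OSINT/firewall paths;
        # confirm the parser never leaves padding on the IP.
        utils.write_ip(str(ip))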