    def detect_web_shell(self, data):
        """
        Detect possible Web Shell attacks.
        The GET request data recorded for each IP is handed to
        ``self.payload_match``, which compares it against the list of
        known web shell payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (the GET request data passed to
                ``payload_match``) and ``"ep_time"`` (a non-empty list of
                epoch timestamps; index 0 is reported as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            An IP is reported only once per instance: matched IPs are
            appended to ``self.logged_IP`` and skipped afterwards. A hit
            is logged as a warning, written out with ``utils.write_ip``,
            sent for an OSINT scan and passed to ``write_mal_ip`` for the
            firewall. Matching works on the raw request data, so encoded
            variants are only caught if ``payload_match`` normalises them
            (not visible here).
        """
        for ip, entry in data.items():
            if not self.payload_match(entry["get"]):
                continue
            if ip in self.logged_IP:  # already reported: skip the side effects
                continue
            self.logged_IP.append(ip)
            hit_time = str(utils.epoch_to_date(entry["ep_time"][0]))
            self.logger.log(
                "Possible web shell detected from: " + str(ip) + " on: " + hit_time,
                logtype="warning",
            )
            utils.write_ip(str(ip))
            clean_ip = ip.strip(" ")
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(clean_ip)
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(clean_ip)
    def detect_port_scan(self, data):
        """
        Detect possible Port Scan recon attacks.
        The user agent recorded for each IP is handed to
        ``self.payload_match``, which compares it with the list of
        known port-scanner user agent payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"ua"`` (the user agent value) and
                ``"ep_time"`` (a non-empty list of epoch timestamps;
                index 0 is reported as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            The user agent is client-supplied, so a scanner with a custom
            or empty UA is not caught by this check. An IP is reported
            only once per instance (tracked in ``self.logged_IP``); a hit
            is logged as a warning, written out with ``utils.write_ip``,
            sent for an OSINT scan and passed to ``write_mal_ip`` for the
            firewall.
        """
        for ip, entry in data.items():
            if not self.payload_match(entry["ua"]):
                continue
            if ip in self.logged_IP:
                continue
            self.logged_IP.append(ip)
            # epoch_to_date is concatenated directly here, so it must return a str
            hit_time = utils.epoch_to_date(entry["ep_time"][0])
            msg = ("Possible port scan detected from: " + str(ip)
                   + " on: " + hit_time)
            self.logger.log(msg, logtype="warning")
            utils.write_ip(str(ip))
            clean_ip = ip.strip(" ")
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(clean_ip)
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(clean_ip)
    def detect_web_shell(self, data):
        """
        Detect possible Web Shell attacks.
        The GET request data recorded for each IP is handed to
        ``self.payload_match``, which compares it against the list of
        known web shell payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (the GET request data passed to
                ``payload_match``) and ``"ep_time"`` (a non-empty list of
                epoch timestamps; index 0 is reported as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            An IP is reported only once per instance: matched IPs are
            appended to ``self.logged_IP`` and skipped afterwards. A hit
            is logged as a warning and written out with
            ``utils.write_ip``. Matching works on the raw request data,
            so encoded variants are only caught if ``payload_match``
            normalises them (not visible here).
        """
        for ip, entry in data.items():
            if not self.payload_match(entry["get"]):
                continue
            if ip in self.logged_IP:  # already reported: nothing more to do
                continue
            self.logged_IP.append(ip)
            hit_time = str(utils.epoch_to_date(entry["ep_time"][0]))
            self.logger.log(
                "Possible web shell detected from: " + str(ip) + " on: " + hit_time,
                logtype="warning",
            )
            utils.write_ip(str(ip))
    def detect_sqli(self, data):
        """
        Detect possible SQL Injection (sqli) attacks.
        Each IP's GET request data is checked with
        ``self.payload_match`` (string matching) and
        ``self.regex_check`` (regex rules); either one matching counts
        as a hit. The rules are documented as four levels:
            - Simple regex
            - Hex regex
            - Payload string matching
            - URI encoded string matching
        (the levels themselves live in those two helpers, not here).

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (the GET request data) and
                ``"ep_time"`` (a non-empty list of epoch timestamps;
                index 0 is reported as the hit time). ``"ep_time"`` is
                read for every IP, matched or not.

        Raises:
            None

        Returns:
            None

        Note:
            An IP is reported only once per instance (tracked in
            ``self.logged_IP``); a hit is logged as a warning, written
            out with ``utils.write_ip``, sent for an OSINT scan and
            passed to ``write_mal_ip`` for the firewall.
        """
        for ip, entry in data.items():
            get_req = entry["get"]
            last_time = entry["ep_time"][0]
            matched = self.payload_match(get_req) or self.regex_check(get_req)
            if not matched:
                continue
            if ip in self.logged_IP:  # already reported earlier
                continue
            self.logged_IP.append(ip)
            hit_time = str(utils.epoch_to_date(last_time))
            self.logger.log(
                "Possible SQL injection (sqli) detected from: " + str(ip)
                + " on: " + hit_time,
                logtype="warning",
            )
            utils.write_ip(str(ip))
            clean_ip = ip.strip(" ")
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(clean_ip)
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(clean_ip)
    def detect_sqli(self, data):
        """
        Detect possible SQL Injection (sqli) attacks.
        Each IP's GET request data is checked with
        ``self.payload_match`` (string matching) and
        ``self.regex_check`` (regex rules); either one matching counts
        as a hit. The rules are documented as four levels:
            - Simple regex
            - Hex regex
            - Payload string matching
            - URI encoded string matching
        (the levels themselves live in those two helpers, not here).

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (the GET request data) and
                ``"ep_time"`` (a non-empty list of epoch timestamps;
                index 0 is reported as the hit time). ``"ep_time"`` is
                read for every IP, matched or not.

        Raises:
            None

        Returns:
            None

        Note:
            An IP is reported only once per instance (tracked in
            ``self.logged_IP``); a hit is logged as a warning and
            written out with ``utils.write_ip``.
        """
        for ip, entry in data.items():
            get_req = entry["get"]
            last_time = entry["ep_time"][0]
            matched = self.payload_match(get_req) or self.regex_check(get_req)
            if not matched:
                continue
            if ip in self.logged_IP:  # already reported earlier
                continue
            self.logged_IP.append(ip)
            hit_time = str(utils.epoch_to_date(last_time))
            self.logger.log(
                "Possible SQL injection (sqli) detected from: " + str(ip)
                + " on: " + hit_time,
                logtype="warning",
            )
            utils.write_ip(str(ip))
    def detect_port_scan(self, data):
        """
        Detect possible Port Scan recon attacks.
        The user agent recorded for each IP is handed to
        ``self.payload_match``, which compares it with the list of
        known port-scanner user agent payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"ua"`` (the user agent value) and
                ``"ep_time"`` (a non-empty list of epoch timestamps;
                index 0 is reported as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            The user agent is client-supplied, so a scanner with a custom
            or empty UA is not caught by this check. An IP is reported
            only once per instance (tracked in ``self.logged_IP``); a hit
            is logged as a warning and written out with
            ``utils.write_ip``.
        """
        for ip, entry in data.items():
            if not self.payload_match(entry["ua"]):
                continue
            if ip in self.logged_IP:
                continue
            self.logged_IP.append(ip)
            # epoch_to_date is concatenated directly here, so it must return a str
            hit_time = utils.epoch_to_date(entry["ep_time"][0])
            msg = ("Possible port scan detected from: " + str(ip)
                   + " on: " + hit_time)
            self.logger.log(msg, logtype="warning")
            utils.write_ip(str(ip))
    def detect_spider(self, data):
        """
        Detect possible Web Crawler / Spider / Bad user agents.
        A high request rate or a high rate of unique GET requests from
        one IP over the time span covered by its log entries indicates a
        crawler / spider; the user agent is additionally checked with
        ``self.payload_match`` against the bad user agent payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"count"`` (number of requests),
                ``"ep_time"`` (a non-empty list of epoch timestamps;
                index 0 is the newest and the last index the oldest),
                ``"unique_get"`` (a sized collection of distinct GET
                requests) and ``"ua"`` (the user agent value).

        Raises:
            None

        Returns:
            None

        Note:
            Both rates are compared with ``self._THRESHOLD``; when all
            timestamps are equal (zero span) the raw counts are compared
            instead. An IP is reported only once per instance (tracked
            in ``self.logged_IP``); a hit is logged as a warning, written
            out with ``utils.write_ip``, sent for an OSINT scan and
            passed to ``write_mal_ip`` for the firewall. The hit message
            carries no timestamp, unlike the other detectors.
        """
        threshold = self._THRESHOLD
        for ip, entry in data.items():
            count = entry["count"]
            timestamps = entry["ep_time"]
            newest = timestamps[0]
            oldest = timestamps[len(timestamps) - 1]
            span = abs(int(newest - oldest))
            unique_get_count = len(entry["unique_get"])

            try:
                count_rate = count / span
                unique_rate = unique_get_count / span
            except ZeroDivisionError:
                # Zero-length window: fall back to the raw counts
                count_rate = count
                unique_rate = unique_get_count

            suspicious = (count_rate > threshold
                          or unique_rate > threshold
                          or self.payload_match(entry["ua"]))
            if not suspicious:
                continue
            if ip in self.logged_IP:
                continue
            self.logged_IP.append(ip)
            self.logger.log(
                "Possible web crawler / spider / bad user agent detected from: "
                + str(ip),
                logtype="warning")
            utils.write_ip(str(ip))
            clean_ip = ip.strip(" ")
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(clean_ip)
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(clean_ip)
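    def detect_ssrf(self, data):
        """
        Detect possible Server-Side Request Forgery (SSRF) attacks.
        Absolute URLs are extracted from the first GET request of each
        IP; a hit is reported when the URL resolves (``utils.resolver``)
        to an address that ``self.rmatch`` flags, when
        ``self.payload_match`` matches the URL, or when
        ``self.regex_match`` matches the GET request data.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (a list of GET request strings;
                only index 0 is scanned for URLs) and ``"ep_time"`` (a
                non-empty list of epoch timestamps; index 0 is reported
                as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            Only ``get[0]`` is scanned for URLs while the other detectors
            hand the whole ``"get"`` value to ``payload_match`` —
            presumably intentional, verify against the parser.
            ``utils.resolver`` is called for every URL found, i.e. the
            detector performs a lookup driven by attacker-supplied log
            content; keep that in mind if the log source is untrusted.
            An IP is reported only once per instance (tracked in
            ``self.logged_IP``); a hit is logged as a warning, written
            out with ``utils.write_ip``, sent for an OSINT scan and
            passed to ``write_mal_ip`` for the firewall.
        """
        url_pattern = r"https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+"

        def _report(ip, last_time):
            """Log the hit once for this IP and run the follow-up actions."""
            if ip in self.logged_IP:  # if logged earlier
                return
            self.logged_IP.append(ip)
            # Both match paths used to emit slightly different messages
            # ("From: " vs "From  "); they now share this one.
            msg = "Possible SSRF detected From: " + str(ip) + \
                  " on: " + str(utils.epoch_to_date(last_time))
            self.logger.log(
                msg,
                logtype="warning"
            )
            utils.write_ip(str(ip))
            # Generate CSV report using OSINT tools
            self.osint_obj.perform_osint_scan(ip.strip(" "))
            # Write malicious IP to file, to teach Firewall about the IP
            write_mal_ip(ip.strip(" "))

        for ip in data.keys():
            get_req = data[ip]["get"]
            last_time = data[ip]["ep_time"][0]
            if not get_req:
                # No request recorded for this IP: nothing to scan
                # (also avoids an IndexError on get_req[0] below)
                continue
            # extracting all the urls in path
            urls = re.findall(url_pattern, get_req[0])
            for url in urls:
                resolved_ip = utils.resolver(url)
                if resolved_ip and self.rmatch(resolved_ip):
                    _report(ip, last_time)
                if self.payload_match(url) or self.regex_match(get_req):
                    _report(ip, last_time)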
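    def detect_fuzzer(self, data):
        """
        Detect possible URL fuzzing attacks.
        A high rate of failure status codes (counted by
        ``self.count_failure``) or a high request rate from one IP over
        the time span covered by its log entries indicates a possible
        fuzzing attack.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"status_code"`` (passed to
                ``count_failure``), ``"get"`` (a sized collection of GET
                requests) and ``"ep_time"`` (a non-empty list of epoch
                timestamps; index 0 is the newest and the last index the
                oldest).

        Raises:
            None

        Returns:
            None

        Note:
            Both rates are compared with ``self._THRESHOLD``; when all
            timestamps are equal (zero span) the raw counts are compared
            instead. An IP is reported only once per instance (tracked
            in ``self.logged_IP``): the warning log, ``utils.write_ip``,
            the OSINT scan and ``write_mal_ip`` all run on the first hit
            only. Previously the last three ran on every pass for an
            already-logged IP, unlike the other detectors.
        """
        for ip in data.keys():
            status_code = data[ip]["status_code"]
            # Count failure attempts for that IP
            failure_count = self.count_failure(status_code)
            timestamps = data[ip]["ep_time"]
            last_time = timestamps[0]
            initial_time = timestamps[len(timestamps) - 1]
            delta = abs(int(last_time - initial_time))

            try:
                calc_count_thresh = failure_count / delta
                calc_get_thresh = len(data[ip]["get"]) / delta
            except ZeroDivisionError:
                # Zero-length window: fall back to the raw counts
                calc_count_thresh = failure_count
                calc_get_thresh = len(data[ip]["get"])

            if (calc_count_thresh > self._THRESHOLD
                    or calc_get_thresh > self._THRESHOLD):
                if ip in self.logged_IP:
                    # Already reported: do not repeat the side effects below
                    continue
                self.logged_IP.append(ip)
                # epoch_to_date is concatenated directly, so it must return a str
                msg = "Possible URL fuzzing detected from: " + str(ip) + \
                      " on: " + utils.epoch_to_date(last_time)
                self.logger.log(msg, logtype="warning")
                utils.write_ip(str(ip))
                # Generate CSV report using OSINT tools
                self.osint_obj.perform_osint_scan(ip.strip(" "))
                # Write malicious IP to file, to teach Firewall about the IP
                write_mal_ip(ip.strip(" "))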
    def detect_lfi(self, data):
        """
        Detect possible Local File Inclusion (lfi) attacks.
        The GET request data recorded for each IP is handed to
        ``self.payload_match``, which compares it against the list of
        known LFI payloads.

        Args:
            data (dict): Parsed log file data, keyed by IP. Each entry
                must provide ``"get"`` (the GET request data passed to
                ``payload_match``) and ``"ep_time"`` (a non-empty list of
                epoch timestamps; index 0 is reported as the hit time).

        Raises:
            None

        Returns:
            None

        Note:
            An IP is reported only once per instance (tracked in
            ``self.logged_IP``); a hit is logged as a warning and written
            out with ``utils.write_ip``. Matching works on the raw
            request data, so encoded traversal variants are only caught
            if ``payload_match`` normalises them (not visible here).
        """
        for ip, entry in data.items():
            if not self.payload_match(entry["get"]):
                continue
            if ip in self.logged_IP:  # IP already reported earlier
                continue
            self.logged_IP.append(ip)
            # epoch_to_date is concatenated directly here, so it must return a str
            hit_time = utils.epoch_to_date(entry["ep_time"][0])
            msg = ("Possible LFI injection detected from: " + str(ip)
                   + " on: " + hit_time)
            self.logger.log(msg, logtype="warning")
            utils.write_ip(str(ip))