tcell_agent 0.2.12 → 0.2.13
- checksums.yaml +4 -4
- data/lib/tcell_agent.rb +2 -2
- data/lib/tcell_agent/agent/policy_manager.rb +1 -1
- data/lib/tcell_agent/api.rb +2 -2
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +46 -0
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +67 -0
- data/lib/tcell_agent/appsensor/rules/baserules.json +153 -0
- data/lib/tcell_agent/configuration.rb +7 -1
- data/lib/tcell_agent/instrumentation.rb +3 -0
- data/lib/tcell_agent/logger.rb +25 -3
- data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +19 -0
- data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +19 -0
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +136 -0
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +42 -0
- data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +22 -0
- data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +21 -0
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +58 -0
- data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb +21 -0
- data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +18 -0
- data/lib/tcell_agent/policies/appsensor/sensor.rb +28 -0
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +43 -0
- data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +25 -0
- data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +26 -0
- data/lib/tcell_agent/policies/appsensor_policy.rb +198 -67
- data/lib/tcell_agent/policies/clickjacking_policy.rb +1 -1
- data/lib/tcell_agent/policies/content_security_policy.rb +1 -1
- data/lib/tcell_agent/policies/dataloss_policy.rb +1 -1
- data/lib/tcell_agent/policies/honeytokens_policy.rb +1 -1
- data/lib/tcell_agent/policies/http_redirect_policy.rb +1 -1
- data/lib/tcell_agent/policies/http_tx_policy.rb +1 -1
- data/lib/tcell_agent/policies/login_fraud_policy.rb +1 -1
- data/lib/tcell_agent/policies/secure_headers_policy.rb +1 -1
- data/lib/tcell_agent/rails.rb +0 -1
- data/lib/tcell_agent/rails/auth/devise.rb +0 -1
- data/lib/tcell_agent/rails/dlp.rb +58 -13
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/context_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +6 -34
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +59 -0
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +95 -0
- data/lib/tcell_agent/servers/rails_server.rb +18 -9
- data/lib/tcell_agent/utils/params.rb +40 -0
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +39 -0
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +152 -0
- data/spec/lib/tcell_agent/instrumentation_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb +104 -0
- data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +132 -0
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +164 -0
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +194 -0
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +157 -0
- data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +151 -0
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +652 -0
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +461 -28
- data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +6 -6
- data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +10 -10
- data/spec/lib/tcell_agent/policies/honeytokens_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/login_policy_spec.rb +2 -2
- data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +4 -4
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +67 -7
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +80 -0
- data/spec/lib/tcell_agent/utils/params_spec.rb +119 -0
- data/spec/support/resources/baserules.json +155 -0
- metadata +51 -12
- data/lib/tcell_agent/appsensor.rb +0 -42
- data/lib/tcell_agent/appsensor/cmdi.rb +0 -32
- data/lib/tcell_agent/appsensor/path_traversal.rb +0 -33
- data/lib/tcell_agent/appsensor/sqli.rb +0 -55
- data/lib/tcell_agent/appsensor/xss.rb +0 -40
- data/lib/tcell_agent/sensor_events/app_sensor.rb +0 -302
- data/spec/lib/tcell_agent/appsensor_spec.rb +0 -65
- data/spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb +0 -289
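--- a/data/spec/lib/tcell_agent/utils/params_spec.rb
+++ b/data/spec/lib/tcell_agent/utils/params_spec.rb
@@ -0,0 +1,119 @@
+require 'spec_helper'
+
+module TCellAgent
+module Utils
+
+class ParamsTest
+include TCellAgent::Utils::Params
+end
+
+describe ParamsTest do
+before(:each) do
+@p_test = ParamsTest.new
+end
+
+context "#param_deep_loop" do
+context "with a parameter hash" do
+context "there is no match" do
+it "should return nil" do
+result = @p_test.param_deep_loop(
+"hash_param",
+{
+key_one: "no match",
+key_dos: "no match"
+}
+) do |param_name, param_value|
+nil
+end
+
+expect(result).to be_nil
+end
+end
+context "there is a match" do
+it "should return the match" do
+result = @p_test.param_deep_loop(
+"hash_param",
+{
+key_one: "no match",
+key_dos: "i'm a match"
+}
+) do |param_name, param_value|
+if param_value =~ /i'm a match/
+"#{param_name} - #{param_value}"
+else
+nil
+end
+end
+
+expect(result).to eq("key_dos - i'm a match")
+end
+end
+end
+
+context "with a parameter array" do
+context "there is no match" do
+it "should return nil" do
+result = @p_test.param_deep_loop(
+"array_param",
+[ "no match", "no match" ]
+) do |param_name, param_value|
+nil
+end
+
+expect(result).to be_nil
+end
+end
+context "there is a match" do
+it "should return the match" do
+result = @p_test.param_deep_loop(
+"array_param",
+[ "no match", "i'm a match" ]
+) do |param_name, param_value|
+if param_value =~ /i'm a match/
+"#{param_name} - #{param_value}"
+else
+nil
+end
+end
+
+expect(result).to eq("array_param - i'm a match")
+end
+end
+end
+
+context "with a paramater string" do
+context "there is no match" do
+it "should return nil" do
+result = @p_test.param_deep_loop(
+"string_param",
+"no match",
+) do |param_name, param_value|
+nil
+end
+
+expect(result).to be_nil
+end
+end
+
+context "there is a match" do
+it "should return the match" do
+result = @p_test.param_deep_loop(
+"string_param",
+"i'm a match"
+) do |param_name, param_value|
+if param_value =~ /i'm a match/
+"#{param_name} - #{param_value}"
+else
+nil
+end
+end
+
+expect(result).to eq("string_param - i'm a match")
+end
+end
+end
+end
+end
+
+end
+end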
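Review bot: None of the examples exercises a nested container, even though the name param_deep_loop and the three flat shapes covered here (hash at lines 19–27, array at 56–61, string at 87–92) suggest the helper walks whatever structure Rack hands it; if the implementation in params.rb (not on this page) recurses, a case such as `{ outer: { inner: "i'm a match" } }` or `[ { key: "i'm a match" } ]` is the one that would catch a regression, and a case with a non-String leaf (an Integer or nil) would pin how the block is protected from `=~` on non-strings. The three "match" blocks are copy-pasted verbatim; a shared `let(:matcher)` lambda would state the `"#{param_name} - #{param_value}"` contract once, and the hash example already shows that the yielded name is the key (`key_dos`) while the array example yields the parent name (`array_param`), which deserves a sentence of comment since it is the only place that contract is visible. The context label at line 84 reads `"with a paramater string"`; `"with a parameter string"`.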
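--- a/data/spec/support/resources/baserules.json
+++ b/data/spec/support/resources/baserules.json
@@ -0,0 +1,155 @@
+{
+"version":"20160322",
+"sensors":{
+"xss":{
+"patterns":[
+{
+"title":"Basic Injection",
+"sophistication":1,
+"common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
+"id": "1"
+},
+{
+"title":"Alert or Event XSS",
+"sophistication":2,
+"common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
+"id": "2"
+},
+{
+"title":"Tag Breaks",
+"sophistication":2,
+"common": "(?:\\\"[^\\\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\/>)|(?:>\\\")",
+"id": "3"
+},
+{
+"title":"Attribute Breaks",
+"sophistication":3,
+"common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
+"id": "4"
+},
+{
+"title":"Basic Obfuscation",
+"sophistication":3,
+"common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
+"id": "5"
+},
+{
+"title":"Common Concatenation",
+"sophistication":3,
+"common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
+"id": "6"
+},
+{
+"title":"IFrame Tag Injection",
+"sophistication":1,
+"common": "<iframe.*",
+"id": "7"
+}
+]
+},
+"cmdi":{
+"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+"patterns":[
+{
+"title":"Common Remote Attempts",
+"sophistication":2,
+"id":"1",
+"common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
+"ruby":"(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$))"
+},
+{
+"title":"Common Command Attempts",
+"sophistication":1,
+"id":"2",
+"common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\\\\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))"
+}
+]
+},
+"sqli":{
+"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+"patterns":[
+{
+"title":"Common Encoding Obfuscations",
+"sophistication":3,
+"common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+"id": "1"
+},
+{
+"title":"Common Probes/Executions",
+"sophistication":1,
+"common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
+"id": "2"
+},
+{
+"title":"Comment Injection",
+"sophistication":1,
+"common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
+"id": "3"
+},
+{
+"title":"Extraction Attempts 1",
+"sophistication":1,
+"common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
+"id": "4"
+},
+{
+"title":"Extraction Attempts 2",
+"sophistication":2,
+"pattern": "(?:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\u00b4\u2019\u2018]|[=\\d]+x))|([\\\"'`\u00b4\u2019\u2018]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\u00b4\u2019\u2018][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\u00b4\u2019\u2018]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?\\d.+[\\\"'`\u00b4\u2019\u2018]?\\w)|(?:[\\\"'`\u00b4\u2019\u2018]\\|?[\\w-]{3,}[^\\w\\s.,]+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\\\"'`\u00b4\u2019\u2018]))",
+"id": "5"
+},
+{
+"title":"Extraction Attempts 3",
+"sophistication":3,
+"pattern": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+"id": "6"
+}
+]
+},
+"fpt":{
+"patterns":[
+{
+"title":"Windows Probing",
+"sophistication":1,
+"common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+"ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+"id": "1"
+},
+{
+"title":"Unix Probing",
+"sophistication":1,
+"common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
+"id": "2"
+},
+{
+"title":"Attempt for /etc/passwd",
+"sophistication":1,
+"common": "(?:etc\\/\\W*passwd)",
+"id": "3"
+}
+]
+},
+"nullbyte":{
+"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+"patterns":[
+{
+"title":"Any Null Byte",
+"sophistication":1,
+"id":"1",
+"common":"\\0"
+}
+]
+},
+"retr":{
+"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+"patterns":[
+{
+"title":"Any Line-Break Character",
+"sophistication":1,
+"id":"1",
+"common":"(\\n|\\r)"
+}
+]
+}
+}
+}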
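Review bot: The last two sqli entries (id 5 at file line 98 and id 6 at file line 104) keep their regex under `"pattern"` while every other entry in the file uses `"common"`; if the rule loader reads `common` (appsensor_rule_set.rb is not on this page, so this is inferred), those two rules are silently dropped and this fixture stops exercising them, so both keys should read `"common":`. The `safe_pattern` values at file lines 51, 69, 133 and 144 anchor with `^` and `$`, which in Ruby match at line boundaries rather than string ends; the removed `AppSensor.generallySafe` used this same expression as a "skip the sensors" short-circuit, and because the class admits `\r` and `\n`, a multi-line value whose first line is alphanumeric satisfies it, so if the new sensors keep that short-circuit the anchors should be `\A` and `\z`. The diffstat lists this fixture at 155 lines and the shipped `lib/tcell_agent/appsensor/rules/baserules.json` at 153; worth a comment in the spec naming the intended difference so the two do not drift unnoticed.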
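--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tcell_agent
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.13
 platform: ruby
 authors:
 - Garrett
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-04
+date: 2016-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rest-client
@@ -126,16 +126,27 @@ files:
 - lib/tcell_agent/agent/static_agent.rb
 - lib/tcell_agent/agent.rb
 - lib/tcell_agent/api.rb
-- lib/tcell_agent/appsensor/
-- lib/tcell_agent/appsensor/
-- lib/tcell_agent/appsensor/
-- lib/tcell_agent/appsensor/xss.rb
-- lib/tcell_agent/appsensor.rb
+- lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb
+- lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb
+- lib/tcell_agent/appsensor/rules/baserules.json
 - lib/tcell_agent/authlogic.rb
 - lib/tcell_agent/configuration.rb
 - lib/tcell_agent/devise.rb
 - lib/tcell_agent/instrumentation.rb
 - lib/tcell_agent/logger.rb
+- lib/tcell_agent/policies/appsensor/cmdi_sensor.rb
+- lib/tcell_agent/policies/appsensor/fpt_sensor.rb
+- lib/tcell_agent/policies/appsensor/injection_sensor.rb
+- lib/tcell_agent/policies/appsensor/login_sensor.rb
+- lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb
+- lib/tcell_agent/policies/appsensor/request_size_sensor.rb
+- lib/tcell_agent/policies/appsensor/response_codes_sensor.rb
+- lib/tcell_agent/policies/appsensor/response_size_sensor.rb
+- lib/tcell_agent/policies/appsensor/retr_sensor.rb
+- lib/tcell_agent/policies/appsensor/sensor.rb
+- lib/tcell_agent/policies/appsensor/size_sensor.rb
+- lib/tcell_agent/policies/appsensor/sqli_sensor.rb
+- lib/tcell_agent/policies/appsensor/xss_sensor.rb
 - lib/tcell_agent/policies/appsensor_policy.rb
 - lib/tcell_agent/policies/clickjacking_policy.rb
 - lib/tcell_agent/policies/content_security_policy.rb
@@ -158,7 +169,8 @@ files:
 - lib/tcell_agent/rails.rb
 - lib/tcell_agent/routes/table.rb
 - lib/tcell_agent/sensor_events/app_config.rb
-- lib/tcell_agent/sensor_events/
+- lib/tcell_agent/sensor_events/appsensor_event.rb
+- lib/tcell_agent/sensor_events/appsensor_meta_event.rb
 - lib/tcell_agent/sensor_events/discovery.rb
 - lib/tcell_agent/sensor_events/dlp.rb
 - lib/tcell_agent/sensor_events/honeytokens.rb
@@ -178,6 +190,7 @@ files:
 - lib/tcell_agent/start_background_thread.rb
 - lib/tcell_agent/system_info.rb
 - lib/tcell_agent/userinfo.rb
+- lib/tcell_agent/utils/params.rb
 - lib/tcell_agent/utils/queue_with_timeout.rb
 - lib/tcell_agent/version.rb
 - lib/tcell_agent.rb
@@ -230,9 +243,20 @@ files:
 - spec/lib/tcell_agent/agent/policy_manager_spec.rb
 - spec/lib/tcell_agent/agent/static_agent_spec.rb
 - spec/lib/tcell_agent/api/api_spec.rb
-- spec/lib/tcell_agent/
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
 - spec/lib/tcell_agent/configuration_spec.rb
 - spec/lib/tcell_agent/instrumentation_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb
 - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
 - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
 - spec/lib/tcell_agent/policies/content_security_policy_spec.rb
@@ -248,15 +272,17 @@ files:
 - spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb
 - spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb
 - spec/lib/tcell_agent/rails_spec.rb
+- spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb
 - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
 - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
-- spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
 - spec/lib/tcell_agent/utils/bounded_queue_spec.rb
+- spec/lib/tcell_agent/utils/params_spec.rb
 - spec/lib/tcell_agent_spec.rb
 - spec/spec_helper.rb
 - spec/support/middleware_helper.rb
+- spec/support/resources/baserules.json
 - spec/support/resources/normal_config.json
 - spec/support/static_agent_overrides.rb
 - README.md
@@ -339,9 +365,20 @@ test_files:
 - spec/lib/tcell_agent/agent/policy_manager_spec.rb
 - spec/lib/tcell_agent/agent/static_agent_spec.rb
 - spec/lib/tcell_agent/api/api_spec.rb
-- spec/lib/tcell_agent/
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
 - spec/lib/tcell_agent/configuration_spec.rb
 - spec/lib/tcell_agent/instrumentation_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb
 - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
 - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
 - spec/lib/tcell_agent/policies/content_security_policy_spec.rb
@@ -357,14 +394,16 @@ test_files:
 - spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb
 - spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb
 - spec/lib/tcell_agent/rails_spec.rb
+- spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb
 - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
 - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
-- spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
 - spec/lib/tcell_agent/utils/bounded_queue_spec.rb
+- spec/lib/tcell_agent/utils/params_spec.rb
 - spec/lib/tcell_agent_spec.rb
 - spec/spec_helper.rb
 - spec/support/middleware_helper.rb
+- spec/support/resources/baserules.json
 - spec/support/resources/normal_config.json
 - spec/support/static_agent_overrides.rb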
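--- a/data/lib/tcell_agent/appsensor.rb
+++ b/data/lib/tcell_agent/appsensor.rb
@@ -1,42 +0,0 @@
-# encoding: utf-8
-# See the file "LICENSE" for the full license governing this code.
-
-require 'tcell_agent/appsensor/xss'
-require 'tcell_agent/appsensor/sqli'
-require 'tcell_agent/appsensor/cmdi'
-require 'tcell_agent/appsensor/path_traversal'
-
-module TCellAgent
-class AppSensor
-
-GENERALLY_SAFE_REGEX = /^[a-zA-Z0-9_\s\r\n\t]*$/
-NULL_CHARS_REGEX=/\0/
-RETURN_CHARS_REGEX=/(\n|\r)/
-
-def self.generallySafe(value)
-if !value.instance_of? String
-return false
-end
-return (value.match(AppSensor::GENERALLY_SAFE_REGEX)!=nil)
-end
-def self.containsNull(value)
-if !value.instance_of? String
-return false
-end
-if value.match(AppSensor::NULL_CHARS_REGEX)
-return true
-end
-return false
-end
-def self.containsReturnChars(value)
-if !value.instance_of? String
-return false
-end
-if value.match(AppSensor::RETURN_CHARS_REGEX)
-return true
-end
-return false
-end
-end
-end
-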