RubyGems - tcell_agent - Versions diffs - 0.2.12 → 0.2.13 - Mend

tcell_agent 0.2.12 → 0.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

data/lib/tcell_agent/policies/appsensor/injection_sensor.rb ADDED Viewed

@@ -0,0 +1,136 @@
+require 'tcell_agent/policies/appsensor/sensor'
+require 'tcell_agent/utils/params'
+module TCellAgent
+  module Policies
+    class InjectionSensor < Sensor
+      include TCellAgent::Utils::Params
+      attr_accessor :enabled, :detection_point, :exclude_headers, :exclude_forms,
+        :exclude_cookies, :exclusions, :active_pattern_ids, :v1_compatability_enabled,
+        :rule_manager
+      def initialize(detection_point, policy_json=nil)
+        @enabled = false
+        @detection_point = detection_point
+        @exclude_headers = false
+        @exclude_forms = false
+        @exclude_cookies = false
+        @exclusions = {}
+        @active_pattern_ids = {}
+        @v1_compatability_enabled = false
+        @rule_manager = AppSensorRuleManager.new
+        if policy_json
+          @enabled = policy_json.fetch("enabled", false)
+          @exclude_headers = policy_json.fetch("exclude_headers", false)
+          @exclude_forms = policy_json.fetch("exclude_forms", false)
+          @exclude_cookies = policy_json.fetch("exclude_cookies", false)
+          @v1_compatability_enabled = policy_json.fetch("v1_compatability_enabled", false)
+          @rule_manager = policy_json.fetch("rule_manager", AppSensorRuleManager.new)
+          policy_json.fetch("patterns", []).each do |pattern|
+            @active_pattern_ids[pattern] = true
+          end
+          policy_json.fetch("exclusions", {}).each do |common_word, locations|
+            @exclusions[common_word] = locations
+          end
+        end
+      end
+      def get_ruleset
+        @rule_manager.get_ruleset_for(@detection_point)
+      end
+      def find_vulnerability(param_name, param_value)
+        rules = get_ruleset
+        return nil unless rules
+        param_deep_loop(param_name, param_value) do |name, value|
+          rules.check_violation(name, value, @active_pattern_ids, @v1_compatability_enabled)
+        end
+      end
+      def check(type_of_param, appsensor_meta, param_name, param_value)
+        return false unless @enabled
+        if @exclude_forms && (GET_PARAM == type_of_param or POST_PARAM == type_of_param or JSON_PARAM == type_of_param)
+          return false
+        end
+        if @exclude_cookies && COOKIE_PARAM == type_of_param
+          return false
+        end
+        vuln_results = find_vulnerability(param_name, param_value)
+        if vuln_results
+          vuln_param = vuln_results["param"]
+          payload = nil
+          if TCellAgent.configuration.allow_unencrypted_appsensor_payloads
+            payload = vuln_results["value"]
+          end
+          if vuln_param
+            unless payload.nil?
+              if TCellAgent.configuration.blacklisted_params.has_key?(vuln_param.downcase)
+                payload = "BLACKLISTED"
+              elsif TCellAgent.configuration.whitelist_present &&
+                  !TCellAgent.configuration.whitelisted_params.has_key?(vuln_param.downcase)
+                payload = "NOT_WHITELISTED"
+              end
+            end
+            log_appsensor_events(type_of_param, appsensor_meta, vuln_param, vuln_results["value"])
+            send_event(
+              appsensor_meta,
+              @detection_point,
+              vuln_param,
+              {"t" => type_of_param}.to_json,
+              payload,
+              vuln_results["pattern"]
+            )
+            return true
+          end
+        end
+        return false
+      end
+      def log_appsensor_events(type_of_param, appsensor_meta, vuln_param, vuln_value)
+        if TCellAgent.configuration.log_appfirewall_events
+          event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
+            appsensor_meta.location,
+            @detection_point,
+            appsensor_meta.method,
+            appsensor_meta.remote_address,
+            vuln_param,
+            appsensor_meta.route_id,
+            {"t" => type_of_param}.to_json,
+            appsensor_meta.transaction_id,
+            appsensor_meta.session_id,
+            appsensor_meta.user_id,
+            vuln_value
+          )
+          event.post_process
+          TCellAgent.appfirewall_payloads_logger.info(event.to_json)
+        end
+      end
+      def to_s
+        "<#{self.class.name} enabled: #{@enabled} dp: #{@detection_point} " +
+        "exclude_headers: #{@exclude_headers} exclude_forms: #{exclude_forms} " +
+        "exclude_cookies: #{exclude_cookies} v1_compatability_enabled: #{@v1_compatability_enabled} " +
+        "active_pattern_ids: #{@active_pattern_ids} exclusions: #{exclusions}>"
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/login_sensor.rb ADDED Viewed

@@ -0,0 +1,42 @@
+require 'tcell_agent/policies/appsensor/size_sensor'
+require 'tcell_agent/sensor_events/util/utils'
+module TCellAgent
+  module Policies
+    class LoginSensor < Sensor
+      LOGIN_FAILURE_DP = "lgnFlr"
+      attr_accessor :enabled
+      def initialize(policy_json=nil)
+        @enabled = false
+        if policy_json
+          @enabled = policy_json.fetch("enabled", false)
+        end
+      end
+      def check(appsensor_meta, username)
+        return unless self.enabled
+        if username
+          username = TCellAgent::SensorEvents::Util.hmac(
+            username,
+            TCellAgent::SensorEvents::Util.getHmacKey()
+          )
+        end
+        send_event(appsensor_meta, LOGIN_FAILURE_DP, username, nil)
+      end
+      def to_s
+        "<#{self.class.name} enabled: #{@enabled}>"
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb ADDED Viewed

@@ -0,0 +1,22 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+module TCellAgent
+  module Policies
+    class NullbyteSensor < InjectionSensor
+      def initialize(policy_json=nil)
+        super(
+          "null",
+          policy_json
+        )
+      end
+      def get_ruleset
+        @rule_manager.get_ruleset_for("nullbyte")
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'tcell_agent/policies/appsensor/size_sensor'
+module TCellAgent
+  module Policies
+    class RequestSizeSensor < SizeSensor
+      MAX_NORMAL_REQUEST_BYTES = 1024*512
+      DP_UNUSUAL_REQUEST_SIZE = "reqsz"
+      def initialize(policy_json=nil)
+        super(
+          MAX_NORMAL_REQUEST_BYTES,
+          DP_UNUSUAL_REQUEST_SIZE,
+          policy_json
+      )
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require 'tcell_agent/policies/appsensor/sensor'
+module TCellAgent
+  module Policies
+    class ResponseCodesSensor < Sensor
+      RESPONSE_CODE_DP_DICT = {
+        401 => "s401",
+        403 => "s403",
+        404 => "s404",
+        4 => "s4xx",
+        500 => "s500",
+        5 => "s5xx"
+      }
+      attr_accessor :enabled, :series_400_enabled, :series_500_enabled
+      def initialize(policy_json=nil)
+        @enabled = false
+        @series_400_enabled = false
+        @series_500_enabled = false
+        if policy_json
+          @enabled = policy_json.fetch("enabled", false)
+          @series_400_enabled = policy_json.fetch("series_400_enabled", false)
+          @series_500_enabled = policy_json.fetch("series_500_enabled", false)
+        end
+      end
+      def check(appsensor_meta, response_code)
+        return unless self.enabled
+        return if response_code == 200
+        return if !self.series_400_enabled && (response_code >= 400 && response_code < 500)
+        return if !self.series_500_enabled and (response_code >= 500 && response_code < 600)
+        dp = RESPONSE_CODE_DP_DICT.fetch(response_code, nil)
+        if dp.nil?
+          code_series = (response_code / 100).to_i
+          dp = RESPONSE_CODE_DP_DICT.fetch(code_series, nil)
+        end
+        if dp
+          send_event(appsensor_meta, dp, response_code.to_s, nil)
+        end
+        def to_s
+          "<#{self.class.name} enabled: #{@enabled} series_400_enabled: #{@series_400_enabled} series_500_enabled: #{@series_500_enabled}>"
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'tcell_agent/policies/appsensor/size_sensor'
+module TCellAgent
+  module Policies
+    class ResponseSizeSensor < SizeSensor
+      MAX_NORMAL_RESPONSE_BYTES = 1024*1024*2
+      DP_UNUSUAL_RESPONSE_SIZE = "rspsz"
+      def initialize(policy_json=nil)
+        super(
+          MAX_NORMAL_RESPONSE_BYTES,
+          DP_UNUSUAL_RESPONSE_SIZE,
+          policy_json
+        )
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/retr_sensor.rb ADDED Viewed

@@ -0,0 +1,18 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+module TCellAgent
+  module Policies
+    class RetrSensor < InjectionSensor
+      def initialize(policy_json=nil)
+        super(
+          "retr",
+          policy_json
+        )
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/sensor.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require 'tcell_agent/sensor_events/appsensor_event'
+module TCellAgent
+  module Policies
+    class Sensor
+      def send_event(appsensor_meta, detection_point, parameter, data, payload=nil, pattern=nil)
+        event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
+          appsensor_meta.location,
+          detection_point,
+          appsensor_meta.method,
+          appsensor_meta.remote_address,
+          parameter,
+          appsensor_meta.route_id,
+          data,
+          appsensor_meta.transaction_id,
+          appsensor_meta.session_id,
+          appsensor_meta.user_id,
+          payload,
+          pattern
+        )
+        TCellAgent.send_event(event)
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/size_sensor.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'tcell_agent/policies/appsensor/sensor'
+module TCellAgent
+  module Policies
+    class SizeSensor < Sensor
+      attr_accessor :enabled, :limit, :exclude_routes, :dp_code
+      def initialize(default_limit, dp_code, policy_json)
+        @enabled = false
+        @limit = default_limit
+        @exclude_routes = {}
+        @dp_code = dp_code
+        if policy_json != nil
+          @enabled = policy_json.fetch("enabled", false)
+          @limit = policy_json.fetch("limit", @limit)
+          policy_json.fetch("exclude_routes", []).each do |route_id|
+            @exclude_routes[route_id] = true
+          end
+        end
+      end
+      def check(appsensor_meta, content_length)
+        if !@enabled || @exclude_routes.fetch(appsensor_meta.route_id, false)
+          return
+        end
+        if content_length && content_length > @limit
+          send_event(appsensor_meta, @dp_code, content_length.to_s, nil)
+        end
+      end
+      def to_s
+        "<#{self.class.name} enabled: #{@enabled} limit: #{@limit} dp_code: #{@dp_code} exclude_routes: #{@exclude_routes}>"
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb ADDED Viewed

@@ -0,0 +1,25 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+module TCellAgent
+  module Policies
+    class SqliSensor < InjectionSensor
+      attr_accessor :libinjection
+      def initialize(policy_json=nil)
+        super(
+          "sqli",
+          policy_json
+        )
+        @libinjection = false
+        if policy_json
+          @libinjection = policy_json.fetch("libinjection", false)
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/appsensor/xss_sensor.rb ADDED Viewed

@@ -0,0 +1,26 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+module TCellAgent
+  module Policies
+    class XssSensor < InjectionSensor
+      attr_accessor :libinjection
+      def initialize(policy_json=nil)
+        super(
+          "xss",
+          policy_json
+        )
+        @libinjection = false
+        if policy_json
+          @libinjection = policy_json.fetch("libinjection", false)
+        end
+      end
+    end
+  end
+end