tcell_agent 0.2.29 → 0.4.0
- checksums.yaml +4 -4
- data/Readme.txt +7 -0
- data/bin/tcell_agent +9 -0
- data/lib/tcell_agent/agent/policy_manager.rb +3 -0
- data/lib/tcell_agent/agent/policy_types.rb +4 -1
- data/lib/tcell_agent/appsensor/injections_matcher.rb +20 -0
- data/lib/tcell_agent/appsensor/injections_reporter.rb +15 -56
- data/lib/tcell_agent/appsensor/meta_data.rb +56 -2
- data/lib/tcell_agent/appsensor/rules/baserules.json +371 -138
- data/lib/tcell_agent/cmdi.rb +113 -0
- data/lib/tcell_agent/config/unknown_options.rb +2 -0
- data/lib/tcell_agent/configuration.rb +30 -16
- data/lib/tcell_agent/hooks/login_fraud.rb +79 -0
- data/lib/tcell_agent/instrumentation.rb +6 -11
- data/lib/tcell_agent/patches/meta_data.rb +14 -11
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +5 -9
- data/lib/tcell_agent/policies/appsensor_policy.rb +22 -206
- data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -2
- data/lib/tcell_agent/policies/command_injection_policy.rb +196 -0
- data/lib/tcell_agent/policies/content_security_policy.rb +3 -2
- data/lib/tcell_agent/policies/dataloss_policy.rb +3 -1
- data/lib/tcell_agent/policies/honeytokens_policy.rb +3 -1
- data/lib/tcell_agent/policies/http_redirect_policy.rb +51 -37
- data/lib/tcell_agent/policies/http_tx_policy.rb +5 -1
- data/lib/tcell_agent/policies/login_fraud_policy.rb +6 -1
- data/lib/tcell_agent/policies/patches_policy.rb +3 -1
- data/lib/tcell_agent/policies/policy.rb +10 -0
- data/lib/tcell_agent/policies/secure_headers_policy.rb +5 -2
- data/lib/tcell_agent/rails/auth/devise.rb +12 -23
- data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
- data/lib/tcell_agent/rails/dlp.rb +50 -54
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/context_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +7 -10
- data/lib/tcell_agent/rails/on_start.rb +0 -1
- data/lib/tcell_agent/rails/tcell_body_proxy.rb +4 -4
- data/lib/tcell_agent/rails.rb +0 -2
- data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
- data/lib/tcell_agent/rust/libtcellagent-0.6.1.so +0 -0
- data/lib/tcell_agent/rust/models.rb +61 -0
- data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
- data/lib/tcell_agent/rust/whisperer.rb +112 -0
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +25 -21
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +31 -24
- data/lib/tcell_agent/sensor_events/command_injection.rb +58 -0
- data/lib/tcell_agent/sensor_events/discovery.rb +1 -1
- data/lib/tcell_agent/sensor_events/login_fraud.rb +3 -13
- data/lib/tcell_agent/sensor_events/sensor.rb +81 -77
- data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +8 -0
- data/lib/tcell_agent/start_background_thread.rb +12 -3
- data/lib/tcell_agent/utils/io.rb +4 -1
- data/lib/tcell_agent/utils/params.rb +1 -0
- data/lib/tcell_agent/version.rb +1 -1
- data/lib/tcell_agent.rb +0 -1
- data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +27 -9
- data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +143 -193
- data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +67 -0
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -10
- data/spec/lib/tcell_agent/cmdi_spec.rb +748 -0
- data/spec/lib/tcell_agent/config/unknown_options_spec.rb +8 -0
- data/spec/lib/tcell_agent/configuration_spec.rb +138 -6
- data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +357 -0
- data/spec/lib/tcell_agent/patches/block_rule_spec.rb +70 -87
- data/spec/lib/tcell_agent/patches_spec.rb +9 -4
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +186 -9
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +309 -484
- data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +736 -0
- data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +222 -41
- data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +56 -32
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +161 -85
- data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +40 -72
- data/spec/lib/tcell_agent/rust/whisperer_spec.rb +267 -0
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +20 -15
- data/spec/spec_helper.rb +0 -9
- data/tcell_agent.gemspec +8 -3
- metadata +40 -39
- data/lib/tcell_agent/appsensor/sensor.rb +0 -52
- data/lib/tcell_agent/policies/appsensor/database_sensor.rb +0 -56
- data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +0 -59
- data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +0 -150
- data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +0 -25
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +0 -73
- data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb +0 -25
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +0 -71
- data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +0 -47
- data/lib/tcell_agent/rails/auth/hooks.rb +0 -79
- data/lib/tcell_agent/sensor_events/util/redirect_utils.rb +0 -22
- data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +0 -165
- data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +0 -429
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +0 -466
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +0 -890
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +0 -417
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +0 -236
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +0 -297
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +0 -241
- data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +0 -172
- data/spec/lib/tcell_agent/rails/auth/hooks_spec.rb +0 -246
- data/spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb +0 -25
- data/spec/support/resources/baserules.json +0 -155
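--- a/data/lib/tcell_agent/appsensor/sensor.rb
+++ /dev/null
@@ -1,52 +0,0 @@
-require 'tcell_agent/sensor_events/appsensor_event'
-
-module TCellAgent
-module AppSensor
-
-class Sensor
-class << self
-def send_event(appsensor_meta, detection_point, parameter, meta,
-payload, pattern, collect_full_uri)
-event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
-appsensor_meta.location,
-detection_point,
-appsensor_meta.method,
-appsensor_meta.remote_address,
-parameter,
-appsensor_meta.route_id,
-meta,
-appsensor_meta.session_id,
-appsensor_meta.user_id,
-payload,
-pattern,
-collect_full_uri
-)
-
-TCellAgent.send_event(event)
-end
-
-def send_event_from_tcell_data(tcell_data, detection_point, parameter,
-meta, collect_full_uri)
-payload = pattern = nil
-event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
-tcell_data.uri,
-detection_point,
-tcell_data.request_method,
-tcell_data.ip_address,
-parameter,
-tcell_data.route_id,
-meta,
-tcell_data.session_id,
-tcell_data.user_id,
-payload,
-pattern,
-collect_full_uri
-)
-
-TCellAgent.send_event(event)
-end
-end
-end
-
-end
-end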
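--- a/data/lib/tcell_agent/policies/appsensor/database_sensor.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-require 'tcell_agent/appsensor/sensor'
-
-module TCellAgent
-module Policies
-
-class DatabaseSensor
-
-DP_CODE="dbmaxrows"
-
-attr_accessor :enabled, :max_rows, :excluded_route_ids, :collect_full_uri
-
-def initialize(policy_json=nil)
-@enabled = false
-@max_rows = 1001
-@excluded_route_ids = {}
-@collect_full_uri = false
-
-if policy_json
-@enabled = policy_json.fetch("enabled", false)
-large_result = policy_json.fetch("large_result", {})
-@max_rows = large_result.fetch("limit", @max_rows)
-@collect_full_uri = policy_json.fetch("collect_full_uri", @collect_full_uri)
-
-policy_json.fetch("exclude_routes", []).each do |excluded_route|
-@excluded_route_ids[excluded_route] = true
-end
-end
-end
-
-
-def check(tcell_data, number_of_records)
-return unless @enabled
-
-return if @excluded_route_ids.fetch(tcell_data.route_id, false)
-
-if number_of_records > @max_rows
-param = nil
-meta = { "rows" => number_of_records }
-TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(
-tcell_data,
-DP_CODE,
-param,
-meta,
-@collect_full_uri)
-end
-end
-
-def to_s
-"<#{self.class.name} enabled: #{@enabled} max_rows: #{@max_rows} " +
-"excluded_route_ids: #{@excluded_route_ids}>"
-end
-
-end
-
-end
-end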
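--- a/data/lib/tcell_agent/policies/appsensor/misc_sensor.rb
+++ /dev/null
@@ -1,59 +0,0 @@
-require 'tcell_agent/appsensor/sensor'
-
-module TCellAgent
-module Policies
-
-class MiscSensor
-
-attr_accessor :enabled, :csrf_exception_enabled, :sql_exception_enabled,
-:excluded_route_ids, :collect_full_uri
-
-def initialize(policy_json=nil)
-@enabled = false
-@csrf_exception_enabled = false
-@sql_exception_enabled = false
-@excluded_route_ids = {}
-@collect_full_uri = false
-
-if policy_json
-@enabled = policy_json.fetch("enabled", false)
-@csrf_exception_enabled = policy_json.fetch("csrf_exception_enabled", false)
-@sql_exception_enabled = policy_json.fetch("sql_exception_enabled", false)
-@collect_full_uri = policy_json.fetch("collect_full_uri", @collect_full_uri)
-
-policy_json.fetch("exclude_routes", []).each do |excluded_route|
-@excluded_route_ids[excluded_route] = true
-end
-end
-end
-
-def csrf_rejected(tcell_data, exception_class)
-return unless @enabled && @csrf_exception_enabled
-
-return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
-
-meta = nil
-TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(
-tcell_data, "excsrf", exception_class.name, meta, @collect_full_uri
-)
-end
-
-def sql_exception_detected(tcell_data, exception)
-return unless @enabled && @sql_exception_enabled
-
-return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
-
-meta = nil
-TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(
-tcell_data, "exsql", exception.class.name, meta, @collect_full_uri
-)
-end
-
-def to_s
-"<#{self.class.name} enabled: #{@enabled} csrf_exception_enabled: #{@csrf_exception_enabled} " +
-"sql_exception_enabled: #{sql_exception_enabled}>"
-end
-end
-
-end
-end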
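--- a/data/lib/tcell_agent/policies/appsensor/payloads_policy.rb
+++ /dev/null
@@ -1,150 +0,0 @@
-require 'json'
-
-require 'tcell_agent/utils/params'
-
-module TCellAgent
-module Policies
-
-class PayloadsPolicy
-PARAM_TYPE_MAP = {
-TCellAgent::Utils::Params::GET_PARAM => "form",
-TCellAgent::Utils::Params::POST_PARAM => "form",
-TCellAgent::Utils::Params::JSON_PARAM => "form",
-TCellAgent::Utils::Params::COOKIE_PARAM => "cookie"
-}
-
-attr_accessor :send_payloads, :send_blacklist, :send_whitelist, :use_send_whitelist,
-:log_payloads, :log_blacklist, :log_whitelist, :use_log_whitelist,
-:collect_full_uri
-
-def initialize
-@send_payloads = false
-@log_payloads = false
-@collect_full_uri = false
-
-@send_blacklist = {}
-@log_blacklist = {}
-@send_whitelist = {}
-@log_whitelist = {}
-
-@use_send_whitelist = false
-@use_log_whitelist = false
-end
-
-def apply(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
-payload = nil
-
-if @send_payloads && TCellAgent.configuration.allow_unencrypted_appfirewall_payloads
-
-blacklisted_locations = @send_blacklist[vuln_param.downcase]
-param_location = PARAM_TYPE_MAP[type_of_param]
-
-if blacklisted_locations &&
-( blacklisted_locations.include?(param_location) ||
-blacklisted_locations.include?("*") )
-payload = "BLACKLISTED"
-
-elsif use_send_whitelist
-whitelisted_locations = @send_whitelist[vuln_param.downcase]
-if whitelisted_locations &&
-( whitelisted_locations.include?(param_location) ||
-whitelisted_locations.include?("*") )
-
-payload = vuln_value
-
-else
-payload = "NOT_WHITELISTED"
-end
-
-else
-payload = vuln_value
-end
-
-end
-
-log(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
-
-payload
-end
-
-def log(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
-if @log_payloads
-blacklisted_locations = @log_blacklist[vuln_param.downcase]
-param_location = PARAM_TYPE_MAP[type_of_param]
-
-if !blacklisted_locations ||
-( !blacklisted_locations.include?(param_location) &&
-!blacklisted_locations.include?("*") )
-
-whitelisted_locations = @log_whitelist[vuln_param.downcase]
-if !use_log_whitelist ||
-(whitelisted_locations && (whitelisted_locations.include?(param_location) ||
-whitelisted_locations.include?("*")))
-
-event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
-appsensor_meta.location,
-dp,
-appsensor_meta.method,
-appsensor_meta.remote_address,
-vuln_param,
-appsensor_meta.route_id,
-meta,
-appsensor_meta.session_id,
-appsensor_meta.user_id,
-vuln_value,
-pattern,
-@collect_full_uri
-)
-event.post_process
-TCellAgent.appfirewall_payloads_logger.info(JSON.dump(event))
-end
-end
-end
-end
-
-def self.from_json(policy_json)
-policy = PayloadsPolicy.new
-
-if policy_json
-policy.collect_full_uri = policy_json.fetch("uri_options", {}).fetch("collect_full_uri", false)
-
-payloads_json = policy_json.fetch("payloads", {})
-policy.send_payloads = payloads_json.fetch("send_payloads", false)
-policy.log_payloads = payloads_json.fetch("log_payloads", false)
-
-if policy.send_payloads
-payloads_json.fetch("send_blacklist", {}).each do |param_name, locations|
-policy.send_blacklist[param_name.downcase] = Set.new(locations)
-end
-
-send_whitelist = payloads_json["send_whitelist"]
-if send_whitelist
-send_whitelist.each do |param_name, locations|
-policy.send_whitelist[param_name.downcase] = Set.new(locations)
-end
-policy.use_send_whitelist = true
-end
-end
-
-if policy.log_payloads
-payloads_json.fetch("log_blacklist", {}).each do |param_name, locations|
-policy.log_blacklist[param_name.downcase] = Set.new(locations)
-end
-
-log_whitelist = payloads_json["log_whitelist"]
-if log_whitelist
-log_whitelist.each do |param_name, locations|
-policy.log_whitelist[param_name.downcase] = Set.new(locations)
-end
-
-policy.use_log_whitelist = true
-end
-end
-end
-
-policy
-end
-end
-
-end
-end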
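--- a/data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-require 'tcell_agent/policies/appsensor/size_sensor'
-
-
-module TCellAgent
-module Policies
-
-class RequestSizeSensor < SizeSensor
-MAX_NORMAL_REQUEST_BYTES = 1024*512
-DP_UNUSUAL_REQUEST_SIZE = "reqsz"
-
-def initialize(policy_json=nil)
-super(
-MAX_NORMAL_REQUEST_BYTES,
-DP_UNUSUAL_REQUEST_SIZE,
-policy_json
-)
-end
-
-def get_content_length(appsensor_meta)
-appsensor_meta.request_content_bytes_len
-end
-end
-
-end
-end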
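--- a/data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb
+++ /dev/null
@@ -1,73 +0,0 @@
-require 'tcell_agent/appsensor/sensor'
-
-
-module TCellAgent
-module Policies
-
-class ResponseCodesSensor
-
-RESPONSE_CODE_DP_DICT = {
-401 => "s401",
-403 => "s403",
-404 => "s404",
-4 => "s4xx",
-500 => "s500",
-5 => "s5xx"
-}
-
-attr_accessor :enabled, :series_400_enabled, :series_500_enabled, :excluded_route_ids,
-:collect_full_uri
-
-def initialize(policy_json=nil)
-@enabled = false
-@series_400_enabled = false
-@series_500_enabled = false
-@excluded_route_ids = {}
-@collect_full_uri = false
-
-if policy_json
-@enabled = policy_json.fetch("enabled", false)
-@series_400_enabled = policy_json.fetch("series_400_enabled", false)
-@series_500_enabled = policy_json.fetch("series_500_enabled", false)
-@collect_full_uri = policy_json.fetch("collect_full_uri", @collect_full_uri)
-
-policy_json.fetch("exclude_routes", []).each do |excluded_route|
-@excluded_route_ids[excluded_route] = true
-end
-end
-end
-
-def check(appsensor_meta, response_code)
-return unless @enabled
-
-return if @excluded_route_ids.fetch(appsensor_meta.route_id, false)
-
-return if response_code == 200
-return if !self.series_400_enabled && (response_code >= 400 && response_code < 500)
-return if !self.series_500_enabled and (response_code >= 500 && response_code < 600)
-
-dp = RESPONSE_CODE_DP_DICT.fetch(response_code, nil)
-
-if dp.nil?
-code_series = (response_code / 100).to_i
-dp = RESPONSE_CODE_DP_DICT.fetch(code_series, nil)
-end
-
-if dp
-param = payload = pattern = nil
-meta = { code: response_code }
-TCellAgent::AppSensor::Sensor.send_event(
-appsensor_meta, dp, param, meta, payload, pattern, @collect_full_uri
-)
-end
-
-def to_s
-"<#{self.class.name} enabled: #{@enabled} series_400_enabled: #{@series_400_enabled} " +
-"series_500_enabled: #{@series_500_enabled}>"
-end
-end
-
-end
-
-end
-end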
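--- a/data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-require 'tcell_agent/policies/appsensor/size_sensor'
-
-
-module TCellAgent
-module Policies
-
-class ResponseSizeSensor < SizeSensor
-MAX_NORMAL_RESPONSE_BYTES = 1024*1024*2
-DP_UNUSUAL_RESPONSE_SIZE = "rspsz"
-
-def initialize(policy_json=nil)
-super(
-MAX_NORMAL_RESPONSE_BYTES,
-DP_UNUSUAL_RESPONSE_SIZE,
-policy_json
-)
-end
-
-def get_content_length(appsensor_meta)
-appsensor_meta.response_content_bytes_len
-end
-end
-
-end
-end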
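--- a/data/lib/tcell_agent/policies/appsensor/size_sensor.rb
+++ /dev/null
@@ -1,71 +0,0 @@
-require 'tcell_agent/appsensor/sensor'
-
-module TCellAgent
-module Policies
-
-class SizeSensor
-
-attr_accessor :enabled, :limit, :excluded_route_ids, :dp_code, :collect_full_uri
-
-def initialize(default_limit, dp_code, policy_json)
-@enabled = false
-@limit = default_limit
-@excluded_route_ids = {}
-@dp_code = dp_code
-@collect_full_uri = false
-
-if policy_json
-@enabled = policy_json.fetch("enabled", false)
-@limit = policy_json.fetch("limit", @limit)
-@collect_full_uri = policy_json.fetch("collect_full_uri", @collect_full_uri)
-
-policy_json.fetch("exclude_routes", []).each do |route_id|
-@excluded_route_ids[route_id] = true
-end
-end
-end
-
-def get_content_length(appsensor_meta)
-throw Exception("Not Implemented")
-end
-
-def check(appsensor_meta)
-if !@enabled || @excluded_route_ids.fetch(appsensor_meta.route_id, false)
-return
-end
-
-content_length_bytes = get_content_length(appsensor_meta)
-content_length_KiB = convert_to_kibibytes(content_length_bytes)
-
-if content_length_KiB > @limit
-param = payload = pattern = nil
-meta = { "sz" => content_length_bytes }
-TCellAgent::AppSensor::Sensor.send_event(
-appsensor_meta,
-@dp_code,
-param,
-meta,
-payload,
-pattern,
-@collect_full_uri
-)
-end
-end
-
-def convert_to_kibibytes(content_length)
-if content_length
-content_length / 1024.0
-else
-0
-end
-end
-
-def to_s
-"<#{self.class.name} enabled: #{@enabled} limit: #{@limit} dp_code: #{@dp_code} " +
-"excluded_route_ids: #{@excluded_route_ids}>"
-end
-
-end
-
-end
-end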
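--- a/data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb
+++ /dev/null
@@ -1,47 +0,0 @@
-require 'tcell_agent/appsensor/sensor'
-
-module TCellAgent
-module Policies
-
-class UserAgentSensor
-DP_CODE = "uaempty"
-
-attr_accessor :enabled, :empty_enabled, :excluded_route_ids, :collect_full_uri
-
-def initialize(policy_json=nil)
-@enabled = false
-@empty_enabled = false
-@excluded_route_ids = {}
-@collect_full_uri = false
-
-if policy_json
-@enabled = policy_json.fetch("enabled", false)
-@empty_enabled = policy_json.fetch("empty_enabled", false)
-@collect_full_uri = policy_json.fetch("collect_full_uri", @collect_full_uri)
-
-policy_json.fetch("exclude_routes", []).each do |excluded_route|
-@excluded_route_ids[excluded_route] = true
-end
-end
-end
-
-def check(appsensor_meta)
-return unless @enabled && @empty_enabled
-
-return if @excluded_route_ids.fetch(appsensor_meta.route_id, false)
-
-user_agent = appsensor_meta.user_agent
-if !user_agent || user_agent.strip == ""
-TCellAgent::AppSensor::Sensor.send_event(
-appsensor_meta, DP_CODE, nil, nil, nil, nil, @collect_full_uri
-)
-end
-end
-
-def to_s
-"<#{self.class.name} enabled: #{@enabled} empty_enabled: #{@empty_enabled} dp_code: #{DP_CODE}>"
-end
-end
-
-end
-end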
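--- a/data/lib/tcell_agent/rails/auth/hooks.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-require 'tcell_agent/agent'
-require 'tcell_agent/sensor_events/login_fraud'
-require 'tcell_agent/policies/appsensor_policy'
-require 'tcell_agent/sensor_events/login_fraud'
-
-if defined?(TCellAgent::Hooks::V1::Frameworks::Rails::Login)
-TCellAgent::Hooks::V1::Frameworks::Rails::Login.module_eval do
-class << self
-alias_method :tcell_register_login_event, :register_login_event
-def register_login_event(status, rails_request, user_id, user_valid=nil)
-TCellAgent::Instrumentation.safe_block("Rails Auth Hooks") do
-if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
-login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
-if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
-tcell_data = rails_request.env[TCellAgent::Instrumentation::TCELL_ID]
-if tcell_data
-if status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE
-TCellAgent.send_event(
-TCellAgent::SensorEvents::LoginFailure.new(rails_request.env, tcell_data, user_id)
-)
-elsif status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS
-TCellAgent.send_event(
-TCellAgent::SensorEvents::LoginSuccess.new(rails_request.env, tcell_data, user_id)
-)
-else
-TCellAgent.logger.error("Unkown login status: #{status}")
-end
-end
-end
-end
-end
-end
-end
-end
-end
-
-if defined?(TCellAgent::Hooks::V1::Login)
-TCellAgent::Hooks::V1::Login.module_eval do
-class << self
-alias_method :tcell_register_login_event, :register_login_event
-def register_login_event(
-status,
-session_id,
-user_agent,
-referrer,
-remote_address,
-header_keys,
-user_id,
-document_uri,
-user_valid=nil)
-TCellAgent::Instrumentation.safe_block("Login Auth Hooks") do
-if (TCellAgent.configuration.enabled && TCellAgent.configuration.should_intercept_requests?)
-login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LoginFraud)
-if (login_fraud_policy && login_fraud_policy.enabled && login_fraud_policy.login_failed_enabled)
-tcell_data = TCellAgent::Instrumentation::TCellData.new
-tcell_data.user_agent = user_agent
-tcell_data.referrer = referrer
-tcell_data.ip_address = remote_address
-tcell_data.path = document_uri
-tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac(session_id)
-
-if status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE
-TCellAgent.send_event(
-TCellAgent::SensorEvents::LoginFailure.new(header_keys, tcell_data, user_id)
-)
-elsif status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS
-TCellAgent.send_event(
-TCellAgent::SensorEvents::LoginSuccess.new(header_keys, tcell_data, user_id)
-)
-else
-TCellAgent.logger.error("Unkown login status: #{status}")
-end
-end
-end
-end
-end
-end
-end
-end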
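--- a/data/lib/tcell_agent/sensor_events/util/redirect_utils.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-require 'logger'
-require 'cgi'
-require 'uri'
-require 'openssl'
-
-module TCellAgent
-module SensorEvents
-module Util
-def self.wildcardMatch(target, wildcardPattern)
-escaped = Regexp.escape(wildcardPattern).gsub('\*','.*?')
-regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
-!!(target =~ regex)
-end
-def self.domainFromUrl(url)
-uri = URI.parse(url)
-uri.host
-end
-end
-end
-end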