tcell_agent 0.2.12 → 0.2.13
- checksums.yaml +4 -4
- data/lib/tcell_agent.rb +2 -2
- data/lib/tcell_agent/agent/policy_manager.rb +1 -1
- data/lib/tcell_agent/api.rb +2 -2
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +46 -0
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +67 -0
- data/lib/tcell_agent/appsensor/rules/baserules.json +153 -0
- data/lib/tcell_agent/configuration.rb +7 -1
- data/lib/tcell_agent/instrumentation.rb +3 -0
- data/lib/tcell_agent/logger.rb +25 -3
- data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +19 -0
- data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +19 -0
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +136 -0
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +42 -0
- data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +22 -0
- data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +21 -0
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +58 -0
- data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb +21 -0
- data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +18 -0
- data/lib/tcell_agent/policies/appsensor/sensor.rb +28 -0
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +43 -0
- data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +25 -0
- data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +26 -0
- data/lib/tcell_agent/policies/appsensor_policy.rb +198 -67
- data/lib/tcell_agent/policies/clickjacking_policy.rb +1 -1
- data/lib/tcell_agent/policies/content_security_policy.rb +1 -1
- data/lib/tcell_agent/policies/dataloss_policy.rb +1 -1
- data/lib/tcell_agent/policies/honeytokens_policy.rb +1 -1
- data/lib/tcell_agent/policies/http_redirect_policy.rb +1 -1
- data/lib/tcell_agent/policies/http_tx_policy.rb +1 -1
- data/lib/tcell_agent/policies/login_fraud_policy.rb +1 -1
- data/lib/tcell_agent/policies/secure_headers_policy.rb +1 -1
- data/lib/tcell_agent/rails.rb +0 -1
- data/lib/tcell_agent/rails/auth/devise.rb +0 -1
- data/lib/tcell_agent/rails/dlp.rb +58 -13
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/context_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +6 -34
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +59 -0
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +95 -0
- data/lib/tcell_agent/servers/rails_server.rb +18 -9
- data/lib/tcell_agent/utils/params.rb +40 -0
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +39 -0
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +152 -0
- data/spec/lib/tcell_agent/instrumentation_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb +104 -0
- data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +132 -0
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +164 -0
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +194 -0
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +157 -0
- data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +128 -0
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +151 -0
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +652 -0
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +461 -28
- data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +6 -6
- data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +10 -10
- data/spec/lib/tcell_agent/policies/honeytokens_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/login_policy_spec.rb +2 -2
- data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +4 -4
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +67 -7
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +80 -0
- data/spec/lib/tcell_agent/utils/params_spec.rb +119 -0
- data/spec/support/resources/baserules.json +155 -0
- metadata +51 -12
- data/lib/tcell_agent/appsensor.rb +0 -42
- data/lib/tcell_agent/appsensor/cmdi.rb +0 -32
- data/lib/tcell_agent/appsensor/path_traversal.rb +0 -33
- data/lib/tcell_agent/appsensor/sqli.rb +0 -55
- data/lib/tcell_agent/appsensor/xss.rb +0 -40
- data/lib/tcell_agent/sensor_events/app_sensor.rb +0 -302
- data/spec/lib/tcell_agent/appsensor_spec.rb +0 -65
- data/spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb +0 -289
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e5ccc67c1c1611e9a2824184b1b89693dc6d0c95
|
4
|
+
data.tar.gz: 7722062a8bd1a12cda449ce20645ec11fbf024cf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 11be4d4e2e569c6edbcf737944410aa9c9c7f90e12e585e90026ca539330f3debe7667bcd5db02ee4f402528d92166089f225579d5dd075320118b6f481b15c5
|
7
|
+
data.tar.gz: ed0b1023516c6122b585774908acf5dbb13243619b3c1822ff55e4701616716f1d33acae60a2d5eee7dbdc416f21eb11792caa3ba59214f6d533ac1dc2038ac7
|
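--- a/data/lib/tcell_agent.rb
+++ b/data/lib/tcell_agent.rb
@@ -5,6 +5,8 @@ require 'tcell_agent/configuration'
 
 require 'tcell_agent/agent'
 
+require 'tcell_agent/appsensor/rules/appsensor_rule_manager'
+
 require 'tcell_agent/policies/content_security_policy'
 require 'tcell_agent/policies/http_tx_policy'
 require 'tcell_agent/policies/http_redirect_policy'
@@ -15,9 +17,7 @@ require 'tcell_agent/policies/appsensor_policy'
 require 'tcell_agent/policies/login_fraud_policy'
 require 'tcell_agent/policies/dataloss_policy'
 
-require 'tcell_agent/sensor_events/app_sensor'
 require 'tcell_agent/sensor_events/dlp'
-require 'tcell_agent/appsensor'
 require 'tcell_agent/sensor_events/util/sanitizer_utilities'
 require 'tcell_agent/sensor_events/util/redirect_utils'
 
@@ -100,7 +100,7 @@ module TCellAgent
 
 TCellAgent::PolicyTypes::ClassMap.each do | policy_type, policy_class |
 if (policy_jsons.key?(policy_type))
-new_policy = policy_class.
+new_policy = policy_class.from_json(policy_jsons[policy_type])
 if new_policy
 @lock.synchronize do
 @policies[policy_type] = new_policy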
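Review bot: In the third hunk, `policy_class.from_json(policy_jsons[policy_type])` runs inside `ClassMap.each` with no per-policy error handling, so one malformed or unexpected policy document raises out of the loop and every later policy type keeps its previous version; whether an enclosing rescue exists cannot be seen from this hunk. Because these documents presumably come from the remote API, a single bad entry should not be able to block updates to the others: wrap the call as `begin; new_policy = policy_class.from_json(policy_jsons[policy_type]); rescue StandardError => e; TCellAgent.logger.error("failed to load #{policy_type} policy: #{e.message}"); next; end`. The enclosing method starts and ends outside the hunk.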
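--- a/data/lib/tcell_agent/api.rb
+++ b/data/lib/tcell_agent/api.rb
@@ -81,8 +81,8 @@ module TCellAgent
 TCellAgent.logger.debug("tCell.io SendEvents API Request: " + full_url)
 request_headers = {
 :Authorization => 'Bearer ' + TCellAgent.configuration.api_key,
-:content_type =>
-:accept =>
+:content_type => "application/json",
+:accept => "application/json",
 }
 begin
 request_headers[:TCellAgent] = "RubyAgent " + TCellAgent::VERSION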
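--- /dev/null
+++ b/data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb
@@ -0,0 +1,46 @@
+require 'tcell_agent/appsensor/rules/appsensor_rule_set'
+
+module TCellAgent
+
+class AppSensorRuleManager
+
+attr_accessor :rule_info
+
+def initialize(filename=nil)
+@rule_info = {}
+
+load_rules_file(filename) if filename
+end
+
+def load_default_rules_file
+filename = File.join(File.dirname(__FILE__), "baserules.json")
+load_rules_file(filename)
+end
+
+def load_rules_file(filename)
+@rule_info = {}
+
+if File.file?(filename)
+rules_from_file = YAML.load(File.open(filename).read)
+rule_types = rules_from_file.fetch("sensors", {})
+
+rule_types.each do |sensor_name, sensor_config|
+rule_set = AppSensorRuleSet.new()
+rule_set.set_safe_pattern_from_string(sensor_config.fetch("safe_pattern", nil))
+
+sensor_config.fetch("patterns", []).each do |pattern_config|
+rule_set.add_pattern_from_dict(pattern_config)
+end
+
+@rule_info[sensor_name] = rule_set
+end
+end
+end
+
+def get_ruleset_for(rule_type)
+@rule_info.fetch(rule_type, nil)
+end
+
+end
+
+end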
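Review bot: `load_rules_file` parses the rules file with `YAML.load(File.open(filename).read)` (new line 24) although the default file is `baserules.json`; on the Psych versions this gem targets, `YAML.load` instantiates arbitrary tagged objects, so any caller that hands a non-default `filename` to the constructor is one step from deserialising untrusted data, and the `File.open(...).read` form leaves the handle open until GC. `JSON.parse(File.read(filename))` is the correct parser for this format and closes the file; it needs `require 'json'` at the top of the file. If YAML input must stay supported, use `YAML.safe_load` rather than `YAML.load`. Note also that a rules file whose top level is not a Hash makes `fetch("sensors", {})` raise, which is the desired fail-loud behaviour and worth a comment.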
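--- /dev/null
+++ b/data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb
@@ -0,0 +1,67 @@
+module TCellAgent
+
+class AppSensorRulePattern
+attr_accessor :pattern_id, :pattern_regex, :enabled
+def initialize(pattern_id, pattern_regex, enabled)
+@pattern_id = pattern_id
+@pattern_regex = pattern_regex
+@enabled = enabled
+end
+end
+
+class AppSensorRuleSet
+attr_accessor :safe_pattern, :patterns
+
+def initialize()
+@safe_pattern = nil
+@patterns = []
+end
+
+def check_violation(param_name, param_value, active_pattern_ids, v1_compatability_enabled)
+return nil if param_value.nil? || (@safe_pattern && param_value.match(@safe_pattern))
+
+@patterns.each do |pattern|
+next if pattern.nil? || pattern.enabled == false
+
+if v1_compatability_enabled || active_pattern_ids.fetch(pattern.pattern_id, false)
+pattern_result = param_value.match(pattern.pattern_regex)
+
+if pattern_result
+return {"param" => param_name, "value" => param_value, "pattern" => pattern.pattern_id}
+end
+end
+end
+
+return nil
+rescue
+return nil
+end
+
+def add_pattern_from_dict(rule_dict)
+return unless rule_dict
+
+pattern_id = rule_dict.fetch("id", nil)
+pattern = rule_dict.fetch("ruby", nil)
+if pattern == nil
+pattern = rule_dict.fetch("common", nil)
+elsif pattern == "disabled"
+return
+end
+
+return if pattern_id == nil or pattern == nil
+
+pattern_regex = Regexp.new(pattern)
+enabled = rule_dict.fetch("enabled", true)
+
+rule_pattern = AppSensorRulePattern.new(pattern_id, pattern_regex, enabled)
+@patterns.push(rule_pattern)
+end
+
+def set_safe_pattern_from_string(safe_pattern_str)
+if safe_pattern_str != nil
+@safe_pattern = Regexp.new(safe_pattern_str)
+end
+end
+end
+
+end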
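Review bot: `check_violation` (new lines 20-38) ends in a bare `rescue` that returns nil, so any error raised while matching — a `NoMethodError` because `param_value` is an Array or Hash from a nested parameter, or an `ArgumentError` from invalid UTF-8 in the value — is reported as "no violation"; the detector fails open on exactly the inputs an attacker controls. Coerce once and narrow the rescue: `param_value = param_value.to_s` after the nil check, and `rescue ArgumentError => e` followed by `TCellAgent.logger.warn("appsensor match failed for #{param_name}: #{e.message}")` so silent drops at least leave a trace. The patterns come from the rules file through `Regexp.new` with no timeout, and several of the shipped XSS/SQLi expressions contain nested `.*`/`.+` groups that can backtrack heavily; unless the caller bounds `param_value` length (the request_size sensor is a separate file not shown here), a comment stating that assumption belongs on `check_violation`. The misspelled `v1_compatability_enabled` is part of the public signature and is better fixed now than after callers exist.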
@@ -0,0 +1,153 @@
|
|
1
|
+
{
|
2
|
+
"version":"20160322",
|
3
|
+
"sensors":{
|
4
|
+
"xss":{
|
5
|
+
"patterns":[
|
6
|
+
{
|
7
|
+
"title":"Basic Injection",
|
8
|
+
"sophistication":1,
|
9
|
+
"common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
|
10
|
+
"id": "1"
|
11
|
+
},
|
12
|
+
{
|
13
|
+
"title":"Alert or Event XSS",
|
14
|
+
"sophistication":2,
|
15
|
+
"common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
|
16
|
+
"id": "2"
|
17
|
+
},
|
18
|
+
{
|
19
|
+
"title":"Tag Breaks",
|
20
|
+
"sophistication":2,
|
21
|
+
"common": "(?:\\\"[^\\\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\/>)|(?:>\\\")",
|
22
|
+
"id": "3"
|
23
|
+
},
|
24
|
+
{
|
25
|
+
"title":"Attribute Breaks",
|
26
|
+
"sophistication":3,
|
27
|
+
"common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
|
28
|
+
"id": "4"
|
29
|
+
},
|
30
|
+
{
|
31
|
+
"title":"Basic Obfuscation",
|
32
|
+
"sophistication":3,
|
33
|
+
"common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
|
34
|
+
"id": "5"
|
35
|
+
},
|
36
|
+
{
|
37
|
+
"title":"Common Concatenation",
|
38
|
+
"sophistication":3,
|
39
|
+
"common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
|
40
|
+
"id": "6"
|
41
|
+
},
|
42
|
+
{
|
43
|
+
"title":"IFrame Tag Injection",
|
44
|
+
"sophistication":1,
|
45
|
+
"common": "<iframe.*",
|
46
|
+
"id": "7"
|
47
|
+
}
|
48
|
+
]
|
49
|
+
},
|
50
|
+
"cmdi":{
|
51
|
+
"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
|
52
|
+
"patterns":[
|
53
|
+
{
|
54
|
+
"title":"Common Remote Attempts",
|
55
|
+
"sophistication":2,
|
56
|
+
"id":"1",
|
57
|
+
"common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
|
58
|
+
"ruby":"(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$))"
|
59
|
+
},
|
60
|
+
{
|
61
|
+
"title":"Common Command Attempts",
|
62
|
+
"sophistication":1,
|
63
|
+
"id":"2",
|
64
|
+
"common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\\\\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))"
|
65
|
+
}
|
66
|
+
]
|
67
|
+
},
|
68
|
+
"sqli":{
|
69
|
+
"safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
|
70
|
+
"patterns":[
|
71
|
+
{
|
72
|
+
"title":"Common Encoding Obfuscations",
|
73
|
+
"sophistication":3,
|
74
|
+
"common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
|
75
|
+
"id": "1"
|
76
|
+
},
|
77
|
+
{
|
78
|
+
"title":"Common Probes/Executions",
|
79
|
+
"sophistication":1,
|
80
|
+
"common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
|
81
|
+
"id": "2"
|
82
|
+
},
|
83
|
+
{
|
84
|
+
"title":"Comment Injection",
|
85
|
+
"sophistication":1,
|
86
|
+
"common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
|
87
|
+
"id": "3"
|
88
|
+
},
|
89
|
+
{
|
90
|
+
"title":"Extraction Attempts 1",
|
91
|
+
"sophistication":1,
|
92
|
+
"common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
|
93
|
+
"id": "4"
|
94
|
+
},
|
95
|
+
{
|
96
|
+
"title":"Extraction Attempts 2",
|
97
|
+
"sophistication":2,
|
98
|
+
"pattern": "(?:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\u00b4\u2019\u2018]|[=\\d]+x))|([\\\"'`\u00b4\u2019\u2018]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\u00b4\u2019\u2018][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\u00b4\u2019\u2018]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?\\d.+[\\\"'`\u00b4\u2019\u2018]?\\w)|(?:[\\\"'`\u00b4\u2019\u2018]\\|?[\\w-]{3,}[^\\w\\s.,]+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\\\"'`\u00b4\u2019\u2018]))",
|
99
|
+
"id": "5"
|
100
|
+
},
|
101
|
+
{
|
102
|
+
"title":"Extraction Attempts 3",
|
103
|
+
"sophistication":3,
|
104
|
+
"pattern": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
|
105
|
+
"id": "6"
|
106
|
+
}
|
107
|
+
]
|
108
|
+
},
|
109
|
+
"fpt":{
|
110
|
+
"patterns":[
|
111
|
+
{
|
112
|
+
"title":"Windows Probing",
|
113
|
+
"sophistication":1,
|
114
|
+
"common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
|
115
|
+
"ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
|
116
|
+
"id": "1"
|
117
|
+
},
|
118
|
+
{
|
119
|
+
"title":"Unix Probing",
|
120
|
+
"sophistication":1,
|
121
|
+
"common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
|
122
|
+
"id": "2"
|
123
|
+
},
|
124
|
+
{
|
125
|
+
"title":"Attempt for /etc/passwd",
|
126
|
+
"sophistication":1,
|
127
|
+
"common": "(?:etc\\/\\W*passwd)",
|
128
|
+
"id": "3"
|
129
|
+
}
|
130
|
+
]
|
131
|
+
},
|
132
|
+
"nullbyte":{
|
133
|
+
"patterns":[
|
134
|
+
{
|
135
|
+
"title":"Any Null Byte",
|
136
|
+
"sophistication":1,
|
137
|
+
"id":"1",
|
138
|
+
"common":"\\0"
|
139
|
+
}
|
140
|
+
]
|
141
|
+
},
|
142
|
+
"retr":{
|
143
|
+
"patterns":[
|
144
|
+
{
|
145
|
+
"title":"Any Line-Break Character",
|
146
|
+
"sophistication":1,
|
147
|
+
"id":"1",
|
148
|
+
"common":"(\\n|\\r)"
|
149
|
+
}
|
150
|
+
]
|
151
|
+
}
|
152
|
+
}
|
153
|
+
}
|
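Review bot: Both `safe_pattern` entries (`cmdi`, `sqli`) are written `^[a-zA-Z0-9_\\s\\r\\n\\t]*$`; in Ruby `^` and `$` are line anchors and `AppSensorRuleSet#check_violation` applies the pattern with an unanchored `match`, so a multi-line value is treated as safe as soon as one of its lines is alphanumeric — `"; wget http://x\nok"` matches on its second line and skips every cmdi/sqli rule. Anchor to the whole string instead: `"safe_pattern":"\\A[a-zA-Z0-9_\\s]*\\z"` (the `\\s` class already covers `\\r\\n\\t`). Separately, sqli rules `"5"` and `"6"` store their expression under the key `"pattern"`, while `add_pattern_from_dict` reads only `"ruby"` and `"common"`, so both rules are silently dropped at load time; rule `"6"` is also byte-identical to rule `"1"`. Rename the key to `"common"` for rule 5 and either drop rule 6 or give it a distinct expression.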
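--- a/data/lib/tcell_agent/configuration.rb
+++ b/data/lib/tcell_agent/configuration.rb
@@ -38,7 +38,9 @@ module TCellAgent
 :whitelist_present,
 :config_filename,
 :agent_log_dir,
-:max_data_ex_db_records_per_request
+:max_data_ex_db_records_per_request,
+:log_appfirewall_events,
+:appfirewall_payloads_log_filename
 
 attr_accessor :disable_all,
 :enabled,
@@ -104,6 +106,7 @@ module TCellAgent
 @cache_filename = File.join(@agent_home_dir, "cache", "tcell_agent.cache")
 @log_filename = File.join(@agent_log_dir, "tcell_agent.log")
 
+
 # Because ENV can override this one
 env_unencrypted_firewall =
 if (ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] != nil)
@@ -113,6 +116,9 @@ module TCellAgent
 @allow_unencrypted_appsensor_payloads = [true, "true", "yes", "1"].include?(ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"])
 end
 
+@log_appfirewall_events = [true, "true", "yes", "1"].include?(ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS_LOGGING"])
+@appfirewall_payloads_log_filename = File.join(@agent_log_dir, "tcell_agent_payloads.log")
+
 @tcell_api_url ||= "https://api.tcell.io/api/v1"
 @tcell_input_url ||= "https://input.tcell.io/api/v1"
 @js_agent_api_base_url ||= nil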
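Review bot: The new `@log_appfirewall_events` / `@appfirewall_payloads_log_filename` settings (third hunk, new lines 119-120) switch on a log that, by the name and the sibling `..._UNENCRYPTED_..._PAYLOADS` option, receives raw request parameter values flagged by the sensors, yet nothing in the hunk says so, and the env var `TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS_LOGGING` differs from the one two lines above only by a suffix that is easy to mistype. Add above line 119: `# Opt-in, ENV only: writes flagged parameter values verbatim (may include credentials/PII) to tcell_agent_payloads.log; restrict access to agent_log_dir when enabled.` The surrounding constructor starts and ends outside the hunk, so whether a config-file key also sets these attributes cannot be seen here.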
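--- a/data/lib/tcell_agent/instrumentation.rb
+++ b/data/lib/tcell_agent/instrumentation.rb
@@ -5,6 +5,7 @@ require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
 require 'tcell_agent/version'
 require 'date'
+require 'cgi'
 
 module TCellAgent
 module Instrumentation
@@ -126,6 +127,7 @@ module TCellAgent
 session_id_actions.action_id
 ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
 )
+
 end
 end
 end
@@ -133,6 +135,7 @@ module TCellAgent
 replace_filters = (context_filters.select {|context_filter| context_filter.rule.body_redact == true })
 event_filters = (context_filters.select {|context_filter| (context_filter.rule.body_redact != true && context_filter.rule.body_event == true) })
 send_flag = TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, term)
+send_flag = send_flag || TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, CGI.escapeHTML(term))
 if send_flag
 (replace_filters + event_filters).each { |filter|
 base_event = TCellAgent::SensorEvents::DlpEvent.new(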
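Review bot: In the third hunk the escaped-term pass `TCellData.filterx(body, ..., CGI.escapeHTML(term))` runs only when the raw pass left `send_flag` falsy, because of `||` short-circuiting; if `filterx` redacts `body` in place (its definition is outside this diff, so this is inferred), a body that contains both `term` and its HTML-escaped form keeps the escaped copy unredacted. Run both passes unconditionally and combine afterwards: `escaped_flag = TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, CGI.escapeHTML(term))` then `send_flag = send_flag || escaped_flag`. HTML escaping is also only one of the encodings a sensitive value can take in a response body (URL- and JSON-escaped forms are not covered), so a one-line comment that this check is best-effort would set expectations for whoever tunes the DLP rules. The enclosing method starts and ends outside the hunk.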
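--- a/data/lib/tcell_agent/logger.rb
+++ b/data/lib/tcell_agent/logger.rb
@@ -23,8 +23,30 @@ module TCellAgent
 return Logger::ERROR
 end
 
+def self.appfirewall_payloads_logger
+if defined?(@paylods_logger) && @logger_pid == Process.pid
+return @payloads_logger
+end
+
+if TCellAgent.configuration.log_appfirewall_events
+FileUtils.mkdir_p TCellAgent.configuration.agent_log_dir
+@payloads_logger = Logger.new(TCellAgent.configuration.appfirewall_payloads_log_filename, 9, 5242880)
+@payloads_logger.level = Logger::INFO
+@payloads_logger.formatter = proc do |severity, datetime, progname, msg|
+date_format = datetime.strftime("%Y-%m-%dT%H:%M:%S.%L%:z")
+"#{date_format} - #{msg}\n"
+end
+
+return @payloads_logger
+end
+
+logger = Logger.new(TCellAgent.configuration.appfirewall_payloads_log_filename)
+logger.level = Logger::ERROR
+return logger
+end
+
 def self.logger
-if defined?(@logger)
+if defined?(@logger) && @logger_pid == Process.pid
 return @logger
 end
 
@@ -40,8 +62,8 @@ module TCellAgent
 @logger.level = level
 @logger.formatter = proc do |severity, datetime, progname, msg|
 # ISO 8601 format
-date_format = datetime.strftime("%Y-%m-%
-"
+date_format = datetime.strftime("%Y-%m-%dT%H:%M:%S.%L%:z")
+"#{date_format} - [#{TCellAgent::VERSION}] - #{severity}[#{@logger_pid}]: #{msg}\n"
 end
 
 return @logger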
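Review bot: The memoization guard in `appfirewall_payloads_logger` (new line 27) tests `defined?(@paylods_logger)` — a misspelling of `@payloads_logger` — and `@logger_pid` is never assigned in this method, so the guard cannot succeed and every call opens a fresh `Logger` and file descriptor on the payloads log; with per-request use that is a descriptor leak. The fallback at new lines 43-45 also creates a `Logger` on `appfirewall_payloads_log_filename` when payload logging is disabled, so the file is still created on disk. The rewrite below fixes the guard, tracks its own pid, and uses `Logger.new(nil)` when disabled; because the file will hold raw attacker-controlled payloads, tightening its mode after creation (`File.chmod(0600, ...)`) is worth considering too. Whether `fileutils` is required in this file cannot be seen from the hunk.
```ruby
def self.appfirewall_payloads_logger
  if defined?(@payloads_logger) && @payloads_logger_pid == Process.pid
    return @payloads_logger
  end
  @payloads_logger_pid = Process.pid

  if TCellAgent.configuration.log_appfirewall_events
    FileUtils.mkdir_p TCellAgent.configuration.agent_log_dir
    @payloads_logger = Logger.new(TCellAgent.configuration.appfirewall_payloads_log_filename, 9, 5242880)
    # … unchanged: level and formatter …
  else
    # Disabled: never create the payloads file on disk.
    @payloads_logger = Logger.new(nil)
    @payloads_logger.level = Logger::ERROR
  end

  return @payloads_logger
end
```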
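--- /dev/null
+++ b/data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb
@@ -0,0 +1,19 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+
+
+module TCellAgent
+module Policies
+
+class CmdiSensor < InjectionSensor
+
+def initialize(policy_json=nil)
+super(
+"cmdi",
+policy_json
+)
+end
+
+end
+
+end
+end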
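Review bot: `CmdiSensor` carries no documentation, and the literal `"cmdi"` passed to `super` is the only thing distinguishing it from its sibling sensors; its meaning should be stated at the class so the coupling to the rules file is visible. Suggested header above `class CmdiSensor`: `# Command-injection sensor: an InjectionSensor bound to the "cmdi" entry in baserules.json (its safe_pattern and patterns) and to the matching section of the appsensor policy.` `InjectionSensor` is defined in injection_sensor.rb, which is not in this diff, so how it consumes that name is inferred from the rules file rather than seen here.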
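--- /dev/null
+++ b/data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb
@@ -0,0 +1,19 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+
+
+module TCellAgent
+module Policies
+
+class FptSensor < InjectionSensor
+
+def initialize(policy_json=nil)
+super(
+"fpt",
+policy_json
+)
+end
+
+end
+
+end
+end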