tcell_agent 0.2.21 → 0.2.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/tcell_agent.rb +1 -0
- data/lib/tcell_agent/api.rb +3 -2
- data/lib/tcell_agent/appsensor/injections_matcher.rb +137 -0
- data/lib/tcell_agent/appsensor/injections_reporter.rb +67 -0
- data/lib/tcell_agent/appsensor/meta_data.rb +71 -0
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +5 -2
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +1 -1
- data/lib/tcell_agent/appsensor/sensor.rb +48 -0
- data/lib/tcell_agent/configuration.rb +15 -2
- data/lib/tcell_agent/instrumentation.rb +3 -2
- data/lib/tcell_agent/logger.rb +19 -3
- data/lib/tcell_agent/patches.rb +26 -0
- data/lib/tcell_agent/patches/block_rule.rb +58 -0
- data/lib/tcell_agent/patches/meta_data.rb +54 -0
- data/lib/tcell_agent/patches/sensors_matcher.rb +30 -0
- data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/database_sensor.rb +7 -3
- data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +32 -38
- data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +4 -4
- data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -3
- data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +9 -3
- data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +3 -3
- data/lib/tcell_agent/policies/appsensor_policy.rb +55 -131
- data/lib/tcell_agent/policies/content_security_policy.rb +148 -137
- data/lib/tcell_agent/policies/patches_policy.rb +41 -13
- data/lib/tcell_agent/rails.rb +11 -109
- data/lib/tcell_agent/rails/auth/devise.rb +5 -1
- data/lib/tcell_agent/rails/dlp.rb +5 -2
- data/lib/tcell_agent/rails/dlp/process_request.rb +88 -0
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +1 -1
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +3 -13
- data/lib/tcell_agent/rails/on_start.rb +5 -101
- data/lib/tcell_agent/rails/routes.rb +240 -81
- data/lib/tcell_agent/rails/routes/grape.rb +113 -0
- data/lib/tcell_agent/rails/routes/route_id.rb +29 -0
- data/lib/tcell_agent/sensor_events/app_config.rb +21 -13
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -26
- data/lib/tcell_agent/servers/passenger.rb +10 -0
- data/lib/tcell_agent/start_background_thread.rb +82 -0
- data/lib/tcell_agent/utils/params.rb +1 -1
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +504 -0
- data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +222 -0
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +7 -13
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +18 -18
- data/spec/lib/tcell_agent/patches/block_rule_spec.rb +381 -0
- data/spec/lib/tcell_agent/patches/sensors_matcher_spec.rb +35 -0
- data/spec/lib/tcell_agent/patches_spec.rb +156 -0
- data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +21 -10
- data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +20 -9
- data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +44 -9
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +13 -13
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +5 -5
- data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +20 -9
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +24 -14
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +243 -241
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +128 -200
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +126 -55
- data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +485 -24
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +5 -0
- data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +4 -2
- data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +294 -0
- data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +80 -0
- data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +182 -0
- metadata +30 -7
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +0 -39
- data/lib/tcell_agent/policies/appsensor/sensor.rb +0 -46
- data/lib/tcell_agent/rails/path_parameters_setter.rb +0 -43
- data/spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb +0 -104
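--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0436d6cc489b525b048c92ac39ca316368c5fb90
+data.tar.gz: 09b162b17a7d373de8eaeba59d192c30d2fbb1c2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b244fce3ca335f9a524e286fe214915656485209eb3be501abc5ecf891a31133b9c116b4e8b929123752b56343607918e96252f4b1b0da8b165c8170cc13c266
+data.tar.gz: 16eebbdcf0a19dbb64c106fc8f2ff43521a95317d2da3bf2414c88f5de22ca5b6e09570f775073c0dcca4f6f7a0d622c6ce11d77778f3395b4dd89fdd9a9d0ea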
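--- a/data/lib/tcell_agent.rb
+++ b/data/lib/tcell_agent.rb
@@ -16,6 +16,7 @@ require 'tcell_agent/policies/secure_headers_policy'
 require 'tcell_agent/policies/honeytokens_policy'
 require 'tcell_agent/policies/clickjacking_policy'
 require 'tcell_agent/policies/appsensor_policy'
+require 'tcell_agent/policies/patches_policy'
 require 'tcell_agent/policies/login_fraud_policy'
 require 'tcell_agent/policies/dataloss_policy'
 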
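--- a/data/lib/tcell_agent/api.rb
+++ b/data/lib/tcell_agent/api.rb
@@ -1,5 +1,6 @@
 # encoding: utf-8
 # See the file "LICENSE" for the full license governing this code.
+require 'json'
 require 'rest-client'
 require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
@@ -55,7 +56,7 @@ module TCellAgent
 eventset = { "uuid"=>TCellAgent.configuration.uuid,
 "hostname"=>TCellAgent.configuration.host_identifier,
 "events"=>events }
-TCellAgent.logger.debug("Sending #{eventset
+TCellAgent.logger.debug("Sending #{JSON.dump(eventset)}")
 full_url = TCellAgent.configuration.tcell_input_url + "/app/" + TCellAgent.configuration.app_id + "/server_agent"
 
 TCellAgent.logger.debug("tCell.io SendEvents API Request: " + full_url)
@@ -69,7 +70,7 @@ module TCellAgent
 rescue Exception => e
 TCellAgent.logger.debug("tCell.io Could not add agent string: " + e.message)
 end
-response = RestClient.post full_url, eventset
+response = RestClient.post full_url, JSON.dump(eventset), request_headers
 TCellAgent.logger.debug("tCell.io SendEvents API Response: " + response.code.to_s)
 return response.code == 200
 end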
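Review bot: `JSON.dump(eventset)` is now evaluated twice per batch, once for the debug line and again for the POST body, so the serialization work is doubled and the logged text can differ from what is sent if anything touches `eventset` in between; serialize once, e.g. `body = JSON.dump(eventset)`, `TCellAgent.logger.debug("Sending #{body}")`, `response = RestClient.post full_url, body, request_headers`. `request_headers` is not defined in any of these hunks; presumably it is a method elsewhere in the file that sets the JSON content type, which is worth a one-line comment at the call site since RestClient form-encodes a Hash body but sends a String as-is. The enclosing method starts outside the hunks.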
@@ -0,0 +1,137 @@
|
|
|
1
|
+
module TCellAgent
|
|
2
|
+
module AppSensor
|
|
3
|
+
|
|
4
|
+
class InjectionsMatcher
|
|
5
|
+
GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
|
|
6
|
+
POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
|
|
7
|
+
JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
|
|
8
|
+
COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
|
|
9
|
+
URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
|
|
10
|
+
|
|
11
|
+
DETECTION_POINTS_V2 = {
|
|
12
|
+
"xss" => TCellAgent::Policies::XssSensor,
|
|
13
|
+
"sqli" => TCellAgent::Policies::SqliSensor,
|
|
14
|
+
"cmdi" => TCellAgent::Policies::CmdiSensor,
|
|
15
|
+
"fpt" => TCellAgent::Policies::FptSensor,
|
|
16
|
+
"nullbyte" => TCellAgent::Policies::NullbyteSensor,
|
|
17
|
+
"retr" => TCellAgent::Policies::RetrSensor
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
attr_accessor :enabled, :sensors
|
|
21
|
+
|
|
22
|
+
def initialize(sensors)
|
|
23
|
+
@sensors = sensors
|
|
24
|
+
@enabled = sensors.size > 0
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def each_injection(meta_data)
|
|
28
|
+
return unless @enabled
|
|
29
|
+
|
|
30
|
+
meta_data.flattened_path_parameters.each do |param_name, param_value|
|
|
31
|
+
TCellAgent::Instrumentation.safe_block("AppSensor Check Path Params injections") do
|
|
32
|
+
param_name = param_name[-1]
|
|
33
|
+
injection_attempt =
|
|
34
|
+
check_param_for_injections(URI_PARAM, meta_data, param_name, param_value)
|
|
35
|
+
|
|
36
|
+
yield(injection_attempt) if injection_attempt
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
meta_data.flattened_get_dict.each do |param_name, param_value|
|
|
41
|
+
TCellAgent::Instrumentation.safe_block("AppSensor Check GET var injections") do
|
|
42
|
+
param_name = param_name[-1]
|
|
43
|
+
injection_attempt =
|
|
44
|
+
check_param_for_injections(GET_PARAM, meta_data, param_name, param_value)
|
|
45
|
+
|
|
46
|
+
yield(injection_attempt) if injection_attempt
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
meta_data.flattened_post_dict.each do |param_name, param_value|
|
|
51
|
+
TCellAgent::Instrumentation.safe_block("AppSensor Check POST var injections") do
|
|
52
|
+
param_name = param_name[-1]
|
|
53
|
+
injection_attempt =
|
|
54
|
+
check_param_for_injections(POST_PARAM, meta_data, param_name, param_value)
|
|
55
|
+
|
|
56
|
+
yield(injection_attempt) if injection_attempt
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
meta_data.flattened_body_dict.each do |param_name, param_value|
|
|
61
|
+
TCellAgent::Instrumentation.safe_block("AppSensor Check JSON var injections") do
|
|
62
|
+
param_name = param_name[-1]
|
|
63
|
+
injection_attempt = check_param_for_injections(JSON_PARAM, meta_data, param_name, param_value)
|
|
64
|
+
|
|
65
|
+
yield(injection_attempt) if injection_attempt
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
meta_data.flattened_cookie_dict.each do |param_name, param_value|
|
|
70
|
+
TCellAgent::Instrumentation.safe_block("AppSensor Check COOKIE var injections") do
|
|
71
|
+
param_name = param_name[-1]
|
|
72
|
+
injection_attempt =
|
|
73
|
+
check_param_for_injections(COOKIE_PARAM, meta_data, param_name, param_value)
|
|
74
|
+
|
|
75
|
+
yield(injection_attempt) if injection_attempt
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def check_param_for_injections(param_type, appsensor_meta, param_name, param_value)
|
|
81
|
+
@sensors.each do |sensor|
|
|
82
|
+
next unless sensor.applicable_for_param_type?(param_type)
|
|
83
|
+
|
|
84
|
+
injection_attempt = sensor.get_injection_attempt(param_type, appsensor_meta, param_name, param_value)
|
|
85
|
+
return injection_attempt if injection_attempt
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
return nil
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
def self.from_json(version, sensors_json)
|
|
92
|
+
sensors_json = sensors_json || {}
|
|
93
|
+
sensors = []
|
|
94
|
+
|
|
95
|
+
if version == 1
|
|
96
|
+
options_json = sensors_json.fetch("options", {})
|
|
97
|
+
|
|
98
|
+
(options_json || {}).each do |sensor_key, enabled|
|
|
99
|
+
next unless enabled
|
|
100
|
+
|
|
101
|
+
if sensor_key == "null"
|
|
102
|
+
sensor_key = "nullbyte"
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
clazz = DETECTION_POINTS_V2[sensor_key]
|
|
106
|
+
|
|
107
|
+
next unless clazz
|
|
108
|
+
|
|
109
|
+
if enabled
|
|
110
|
+
sensors.push(clazz.new(
|
|
111
|
+
{
|
|
112
|
+
"enabled" => enabled,
|
|
113
|
+
"v1_compatability_enabled" => true
|
|
114
|
+
}
|
|
115
|
+
))
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
elsif version == 2
|
|
120
|
+
sensors_json.each do |sensor_key, settings|
|
|
121
|
+
clazz = DETECTION_POINTS_V2[sensor_key]
|
|
122
|
+
|
|
123
|
+
next unless clazz
|
|
124
|
+
|
|
125
|
+
updated_settings = {"enabled" => true}.merge(settings)
|
|
126
|
+
if updated_settings["enabled"]
|
|
127
|
+
sensors.push(clazz.new(updated_settings))
|
|
128
|
+
end
|
|
129
|
+
end
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
InjectionsMatcher.new(sensors)
|
|
133
|
+
end
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
end
|
|
137
|
+
end
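Review bot: In `from_json` the version 2 branch does `{"enabled" => true}.merge(settings)`, which raises TypeError when a sensor key maps to `null` in the policy JSON, whereas the version 1 branch guards its hash with `|| {}`; use `{"enabled" => true}.merge(settings || {})`. In the version 1 branch the inner `if enabled` can never be false because `next unless enabled` already skipped those entries, so the push can be unconditional. `each_injection` repeats the same block five times, varying only the param type, the reader and the `safe_block` label; a table of those three values collapses it to one loop as below, with the label strings kept identical. `@enabled = sensors.size > 0` reads more naturally as `!sensors.empty?`, and the trailing `return nil` in `check_param_for_injections` is implicit.
```ruby
PARAM_SOURCES = [
  [URI_PARAM, :flattened_path_parameters, "Path Params"],
  [GET_PARAM, :flattened_get_dict, "GET var"],
  [POST_PARAM, :flattened_post_dict, "POST var"],
  [JSON_PARAM, :flattened_body_dict, "JSON var"],
  [COOKIE_PARAM, :flattened_cookie_dict, "COOKIE var"]
].freeze

def each_injection(meta_data)
  return unless @enabled

  PARAM_SOURCES.each do |param_type, reader, label|
    meta_data.public_send(reader).each do |param_name, param_value|
      TCellAgent::Instrumentation.safe_block("AppSensor Check #{label} injections") do
        injection_attempt =
          check_param_for_injections(param_type, meta_data, param_name[-1], param_value)

        yield(injection_attempt) if injection_attempt
      end
    end
  end
end

# … unchanged: check_param_for_injections, from_json …
```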
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
require 'tcell_agent/appsensor/sensor'
|
|
2
|
+
require 'tcell_agent/utils/params'
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
module TCellAgent
|
|
6
|
+
module AppSensor
|
|
7
|
+
|
|
8
|
+
class InjectionsReporter
|
|
9
|
+
GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
|
|
10
|
+
POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
|
|
11
|
+
JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
|
|
12
|
+
COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
|
|
13
|
+
URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
|
|
14
|
+
|
|
15
|
+
PARAM_TYPE_TO_L = {
|
|
16
|
+
GET_PARAM => 'query',
|
|
17
|
+
POST_PARAM => 'body',
|
|
18
|
+
JSON_PARAM => 'body',
|
|
19
|
+
URI_PARAM => 'uri',
|
|
20
|
+
COOKIE_PARAM => 'cookie'
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
attr_accessor :injections_matcher, :payloads_policy
|
|
24
|
+
|
|
25
|
+
def initialize(injections_matcher, payloads_policy)
|
|
26
|
+
@injections_matcher = injections_matcher
|
|
27
|
+
@payloads_policy = payloads_policy
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def check(appsensor_meta)
|
|
31
|
+
@injections_matcher.each_injection(appsensor_meta) do |injection_attempt|
|
|
32
|
+
vuln_param = injection_attempt.param_name
|
|
33
|
+
type_of_param = injection_attempt.type_of_param
|
|
34
|
+
|
|
35
|
+
meta = {"l" => PARAM_TYPE_TO_L[type_of_param]}
|
|
36
|
+
pattern = injection_attempt.pattern
|
|
37
|
+
|
|
38
|
+
payload = @payloads_policy.apply(
|
|
39
|
+
injection_attempt.detection_point,
|
|
40
|
+
appsensor_meta,
|
|
41
|
+
type_of_param,
|
|
42
|
+
vuln_param,
|
|
43
|
+
injection_attempt.param_value,
|
|
44
|
+
meta,
|
|
45
|
+
pattern
|
|
46
|
+
)
|
|
47
|
+
|
|
48
|
+
TCellAgent::AppSensor::Sensor.send_event(
|
|
49
|
+
appsensor_meta,
|
|
50
|
+
injection_attempt.detection_point,
|
|
51
|
+
vuln_param,
|
|
52
|
+
meta,
|
|
53
|
+
payload,
|
|
54
|
+
pattern)
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def self.from_json(version, data_json, payloads_policy)
|
|
59
|
+
injections_matcher = InjectionsMatcher.from_json(version, data_json)
|
|
60
|
+
|
|
61
|
+
InjectionsReporter.new(injections_matcher, payloads_policy)
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
end
|
|
67
|
+
end
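Review bot: `PARAM_TYPE_TO_L` is a constant Hash that is never frozen, so any caller can mutate the shared mapping; `}.freeze` on its closing line (and likewise for `DETECTION_POINTS_V2` in `InjectionsMatcher`) closes that. `PARAM_TYPE_TO_L[type_of_param]` returns `nil` for a param type outside the five listed, which would silently emit an event with `"l" => nil`; `PARAM_TYPE_TO_L.fetch(type_of_param)` makes a mismatch with the matcher's types visible. `check` would benefit from a one-line comment stating that it drives the matcher over every request parameter and emits one `Sensor.send_event` per injection attempt, with the payload first passed through `payloads_policy.apply`. Inside the class method, `InjectionsReporter.new(...)` can simply be `new(...)`.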
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
require 'tcell_agent/logger'
|
|
2
|
+
require 'tcell_agent/sensor_events/sensor'
|
|
3
|
+
require 'tcell_agent/utils/params'
|
|
4
|
+
|
|
5
|
+
module TCellAgent
|
|
6
|
+
module AppSensor
|
|
7
|
+
|
|
8
|
+
class MetaData < TCellAgent::SensorEvents::TCellSensorEvent
|
|
9
|
+
|
|
10
|
+
attr_accessor :get_dict, :post_dict, :body_dict, :cookie_dict, :path_parameters
|
|
11
|
+
|
|
12
|
+
def initialize
|
|
13
|
+
@send = false
|
|
14
|
+
|
|
15
|
+
@body_dict = {}
|
|
16
|
+
@get_dict = {}
|
|
17
|
+
@post_dict = {}
|
|
18
|
+
@cookie_dict = {}
|
|
19
|
+
@path_parameters = {}
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def flattened_path_parameters
|
|
23
|
+
@flattened_path_parameters ||= TCellAgent::Utils::Params.flatten(@path_parameters)
|
|
24
|
+
|
|
25
|
+
@flattened_path_parameters
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def flattened_get_dict
|
|
29
|
+
@flattened_get_dict ||= TCellAgent::Utils::Params.flatten(@get_dict)
|
|
30
|
+
|
|
31
|
+
@flattened_get_dict
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def flattened_post_dict
|
|
35
|
+
@flattened_post_dict ||= TCellAgent::Utils::Params.flatten(@post_dict)
|
|
36
|
+
|
|
37
|
+
@flattened_post_dict
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def flattened_body_dict
|
|
41
|
+
@body_dict
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def flattened_cookie_dict
|
|
45
|
+
@flattened_cookie_dict ||= TCellAgent::Utils::Params.flatten(@cookie_dict)
|
|
46
|
+
|
|
47
|
+
@flattened_cookie_dict
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def set_body_dict(request_content_len, request_content_type, request_body)
|
|
51
|
+
if request_content_len > 2000000
|
|
52
|
+
@body_dict = {}
|
|
53
|
+
|
|
54
|
+
else
|
|
55
|
+
if request_content_type =~ %r{application/json}i && request_body
|
|
56
|
+
begin
|
|
57
|
+
# don't enqueue parameter values of unknown type to avoid any serialization issues
|
|
58
|
+
@body_dict = TCellAgent::Utils::Params.flatten(JSON.parse(request_body))
|
|
59
|
+
rescue
|
|
60
|
+
TCellAgent.logger.debug("JSON body parameter parsing failed")
|
|
61
|
+
@body_dict = {}
|
|
62
|
+
end
|
|
63
|
+
else
|
|
64
|
+
@body_dict = {}
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
end
|
|
71
|
+
end
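Review bot: The memoized readers (`flattened_get_dict`, `flattened_post_dict`, `flattened_cookie_dict`, `flattened_path_parameters`) cache their result in an instance variable, but `attr_accessor` also publishes `get_dict=`, `post_dict=`, `cookie_dict=` and `path_parameters=`, so a dict assigned after the first flatten call is silently ignored; either narrow those to `attr_reader` or clear the matching cache in a custom writer. In `set_body_dict` the `2000000` limit deserves a named constant, e.g. `MAX_BODY_LENGTH = 2_000_000`, and if a caller can pass `nil` for `request_content_len` (no Content-Length header) the `>` comparison raises instead of taking either branch, which should be decided explicitly. `JSON.parse` is used but this file only requires `logger`, `sensor_events/sensor` and `utils/params`; it likely loads transitively, but a `require 'json'` here would make the dependency explicit. `initialize` does not call `super` on `TCellSensorEvent`, which is fine only if the parent initializer sets nothing this class relies on — worth confirming. The two-line `@x ||= …; @x` bodies in the readers can be a single expression, since `||=` already returns the value.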
|
|
@@ -1,15 +1,18 @@
|
|
|
1
|
+
require 'singleton'
|
|
1
2
|
require 'tcell_agent/appsensor/rules/appsensor_rule_set'
|
|
2
3
|
|
|
3
4
|
module TCellAgent
|
|
4
5
|
|
|
5
6
|
class AppSensorRuleManager
|
|
6
7
|
|
|
8
|
+
include Singleton
|
|
9
|
+
|
|
7
10
|
attr_accessor :rule_info
|
|
8
11
|
|
|
9
|
-
def initialize
|
|
12
|
+
def initialize
|
|
10
13
|
@rule_info = {}
|
|
11
14
|
|
|
12
|
-
|
|
15
|
+
load_default_rules_file
|
|
13
16
|
end
|
|
14
17
|
|
|
15
18
|
def load_default_rules_file
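Review bot: `initialize` now calls `load_default_rules_file`, so the first `AppSensorRuleManager.instance` call performs the file read and parse, and any exception from it propagates out of that call to whichever request path happens to trigger it; decide whether the load should be guarded or whether failing loudly on first use is intended, and say so in a comment on `initialize`. `attr_accessor :rule_info` also keeps a public writer on what is now process-wide singleton state, so `attr_reader :rule_info` is preferable unless a caller assigns it. `load_default_rules_file` starts on the last hunk line and its body is outside the hunk.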
|
|
@@ -23,7 +23,7 @@ module TCellAgent
|
|
|
23
23
|
@patterns.each do |pattern|
|
|
24
24
|
next if pattern.nil? || pattern.enabled == false
|
|
25
25
|
|
|
26
|
-
if v1_compatability_enabled || active_pattern_ids.
|
|
26
|
+
if v1_compatability_enabled || active_pattern_ids.include?(pattern.pattern_id)
|
|
27
27
|
pattern_result = param_value.match(pattern.pattern_regex)
|
|
28
28
|
|
|
29
29
|
if pattern_result
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
require 'tcell_agent/sensor_events/appsensor_event'
|
|
2
|
+
|
|
3
|
+
module TCellAgent
|
|
4
|
+
module AppSensor
|
|
5
|
+
|
|
6
|
+
class Sensor
|
|
7
|
+
class << self
|
|
8
|
+
def send_event(appsensor_meta, detection_point, parameter, meta, payload, pattern)
|
|
9
|
+
event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
|
|
10
|
+
appsensor_meta.location,
|
|
11
|
+
detection_point,
|
|
12
|
+
appsensor_meta.method,
|
|
13
|
+
appsensor_meta.remote_address,
|
|
14
|
+
parameter,
|
|
15
|
+
appsensor_meta.route_id,
|
|
16
|
+
meta,
|
|
17
|
+
appsensor_meta.session_id,
|
|
18
|
+
appsensor_meta.user_id,
|
|
19
|
+
payload,
|
|
20
|
+
pattern
|
|
21
|
+
)
|
|
22
|
+
|
|
23
|
+
TCellAgent.send_event(event)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def send_event_from_tcell_data(tcell_data, detection_point, parameter, meta)
|
|
27
|
+
payload = pattern = nil
|
|
28
|
+
event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
|
|
29
|
+
tcell_data.uri,
|
|
30
|
+
detection_point,
|
|
31
|
+
tcell_data.request_method,
|
|
32
|
+
tcell_data.ip_address,
|
|
33
|
+
parameter,
|
|
34
|
+
tcell_data.route_id,
|
|
35
|
+
meta,
|
|
36
|
+
tcell_data.session_id,
|
|
37
|
+
tcell_data.user_id,
|
|
38
|
+
payload,
|
|
39
|
+
pattern
|
|
40
|
+
)
|
|
41
|
+
|
|
42
|
+
TCellAgent.send_event(event)
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
end
|
|
48
|
+
end
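Review bot: `send_event` and `send_event_from_tcell_data` are the same eleven-argument positional constructor call, differing only in which object the six request fields are read from, and with that many positionals a transposed argument is not caught by anything; route both through one private builder so the `TCellAppSensorEvent.new` argument order lives in a single place. A short comment on `send_event` stating that it builds a `TCellAppSensorEvent` from the request metadata and hands it to `TCellAgent.send_event` would also help, since the class is otherwise undocumented.
```ruby
class << self
  def send_event(appsensor_meta, detection_point, parameter, meta, payload, pattern)
    emit(appsensor_meta.location, appsensor_meta.method, appsensor_meta.remote_address,
         appsensor_meta.route_id, appsensor_meta.session_id, appsensor_meta.user_id,
         detection_point, parameter, meta, payload, pattern)
  end

  def send_event_from_tcell_data(tcell_data, detection_point, parameter, meta)
    emit(tcell_data.uri, tcell_data.request_method, tcell_data.ip_address,
         tcell_data.route_id, tcell_data.session_id, tcell_data.user_id,
         detection_point, parameter, meta, nil, nil)
  end

  private

  # Single place that knows the positional order of TCellAppSensorEvent.new.
  def emit(location, method, remote_address, route_id, session_id, user_id,
           detection_point, parameter, meta, payload, pattern)
    TCellAgent.send_event(
      TCellAgent::SensorEvents::TCellAppSensorEvent.new(
        location, detection_point, method, remote_address, parameter,
        route_id, meta, session_id, user_id, payload, pattern
      )
    )
  end
end
```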
|
|
@@ -19,6 +19,8 @@ module TCellAgent
|
|
|
19
19
|
attr_accessor :version, :app_id, :api_key, :hmac_key,
|
|
20
20
|
:tcell_api_url, :tcell_input_url,
|
|
21
21
|
:logging_options,
|
|
22
|
+
:logger,
|
|
23
|
+
:appfirewall_payloads_logger,
|
|
22
24
|
:fetch_policies_from_tcell, :instrument_for_events,
|
|
23
25
|
:preload_policy_filename,
|
|
24
26
|
:proxy_host, :proxy_port, :proxy_username, :proxy_password,
|
|
@@ -30,6 +32,7 @@ module TCellAgent
|
|
|
30
32
|
:cache_filename,
|
|
31
33
|
:js_agent_api_base_url,
|
|
32
34
|
:js_agent_url,
|
|
35
|
+
:startup_js_agent_url,
|
|
33
36
|
:raise_exceptions,
|
|
34
37
|
:allow_unencrypted_appfirewall_payloads,
|
|
35
38
|
:config_filename,
|
|
@@ -39,7 +42,8 @@ module TCellAgent
|
|
|
39
42
|
:agent_home_dir,
|
|
40
43
|
:agent_home_owner,
|
|
41
44
|
:reverse_proxy,
|
|
42
|
-
:reverse_proxy_ip_address_header
|
|
45
|
+
:reverse_proxy_ip_address_header,
|
|
46
|
+
:log_file_name
|
|
43
47
|
|
|
44
48
|
attr_accessor :disable_all,
|
|
45
49
|
:enabled,
|
|
@@ -77,6 +81,9 @@ module TCellAgent
|
|
|
77
81
|
@cache_filename = nil
|
|
78
82
|
@agent_log_dir = nil
|
|
79
83
|
|
|
84
|
+
@logger = nil
|
|
85
|
+
@appfirewall_payloads_logger = nil
|
|
86
|
+
|
|
80
87
|
@version = 0
|
|
81
88
|
@exp_config_settings = true
|
|
82
89
|
@demomode = false
|
|
@@ -96,6 +103,7 @@ module TCellAgent
|
|
|
96
103
|
@agent_home_dir = File.join(Dir.getwd, "tcell")
|
|
97
104
|
@config_filename = File.join(Dir.getwd, filename)
|
|
98
105
|
|
|
106
|
+
@log_file_name = "tcell_agent.log"
|
|
99
107
|
|
|
100
108
|
@event_batch_size_limit = 50
|
|
101
109
|
@event_time_limit_seconds = 15
|
|
@@ -113,6 +121,8 @@ module TCellAgent
|
|
|
113
121
|
puts "tCell.io Agent: [DEPRECATED] TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS is deprecated, please switch to TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS."
|
|
114
122
|
end
|
|
115
123
|
|
|
124
|
+
@allow_unencrypted_appfirewall_payloads = false
|
|
125
|
+
|
|
116
126
|
# Because ENV can override this one
|
|
117
127
|
env_unencrypted_firewall =
|
|
118
128
|
if (ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] != nil)
|
|
@@ -128,6 +138,7 @@ module TCellAgent
|
|
|
128
138
|
@tcell_input_url ||= "https://input.tcell.io/api/v1"
|
|
129
139
|
@js_agent_api_base_url ||= nil
|
|
130
140
|
@js_agent_url ||= "https://api.tcell.io/tcellagent.min.js"
|
|
141
|
+
@startup_js_agent_url = @js_agent_url
|
|
131
142
|
|
|
132
143
|
if (@host_identifier == nil)
|
|
133
144
|
begin
|
|
@@ -203,6 +214,8 @@ module TCellAgent
|
|
|
203
214
|
@agent_home_owner = app_data.fetch("agent_home_owner",@agent_home_owner)
|
|
204
215
|
|
|
205
216
|
@logging_options = app_data.fetch("logging_options", {})
|
|
217
|
+
@agent_log_dir = @logging_options.fetch("log_dir", @agent_log_dir)
|
|
218
|
+
@log_file_name = @logging_options.fetch("filename", @log_file_name)
|
|
206
219
|
|
|
207
220
|
@tcell_api_url = app_data.fetch("tcell_api_url", @tcell_api_url)
|
|
208
221
|
@tcell_input_url = app_data.fetch("tcell_input_url", @tcell_input_url)
|
|
@@ -268,7 +281,7 @@ module TCellAgent
|
|
|
268
281
|
|
|
269
282
|
def log_filename
|
|
270
283
|
@agent_log_dir ||= File.join(@agent_home_dir, "logs")
|
|
271
|
-
File.join(@agent_log_dir,
|
|
284
|
+
File.join(@agent_log_dir, @log_file_name)
|
|
272
285
|
end
|
|
273
286
|
|
|
274
287
|
def appfirewall_payloads_log_filename
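Review bot: `app_data.fetch("logging_options", {})` only substitutes the default when the key is absent, so a config file containing `"logging_options": null` yields `nil` and the two new `.fetch` calls on it raise NoMethodError; `@logging_options = app_data.fetch("logging_options", nil) || {}` covers both cases. `@log_file_name` taken from that hash is joined onto `@agent_log_dir` unchanged in `log_filename`, so a value with directory components or `..` places the log outside the log directory; if the option is meant to be a bare file name, `File.join(@agent_log_dir, File.basename(@log_file_name))` pins it there. The enclosing methods for the earlier hunks start outside them.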
|