xbase-util 0.4.0__tar.gz → 0.4.1__tar.gz
Sign up to get free protection for your applications and to get access to all the features.
- {xbase_util-0.4.0 → xbase_util-0.4.1}/PKG-INFO +1 -1
- {xbase_util-0.4.0 → xbase_util-0.4.1}/setup.py +1 -1
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/handle_features_util.py +6 -25
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/xbase_constant.py +19 -1
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util.egg-info/PKG-INFO +1 -1
- {xbase_util-0.4.0 → xbase_util-0.4.1}/README.md +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/setup.cfg +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/__init__.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/add_column_util.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/__init__.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/bean/ConfigBean.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/bean/CurrentConfigBean.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/bean/FlowBean.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/bean/TaskTemplateBean.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/bean/__init__.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/dao/ConfigDao.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/dao/CurrentConfigDao.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/dao/FlowDao.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/dao/TaskTemplateDao.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/dao/__init__.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/db/initsqlite3.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/es_db_util.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/esreq.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/geo_util.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/pcap_util.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util/xbase_util.py +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util.egg-info/SOURCES.txt +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util.egg-info/dependency_links.txt +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util.egg-info/not-zip-safe +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util.egg-info/top_level.txt +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util_assets/GeoLite2-City.mmdb +0 -0
- {xbase_util-0.4.0 → xbase_util-0.4.1}/xbase_util_assets/arkimeparse.js +0 -0
|
@@ -4,30 +4,11 @@ import traceback
|
|
|
4
4
|
from urllib.parse import unquote
|
|
5
5
|
|
|
6
6
|
import pandas as pd
|
|
7
|
-
from tqdm import tqdm
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
def handle_uri(data,use_tqdm=True):
|
|
12
|
-
# 定义正则表达式,确保精确匹配各种攻击特征
|
|
13
|
-
regex_patterns = {
|
|
14
|
-
"sql": re.compile(
|
|
15
|
-
r"\b(select|union|insert|update|delete|drop|--|#| or |' or '|information_schema|database\(\)|version\(\))\b",
|
|
16
|
-
re.IGNORECASE),
|
|
17
|
-
"xss": re.compile(r"(<script\b|javascript:|onload=|onclick=|<iframe\b|src=)", re.IGNORECASE),
|
|
18
|
-
"cmd": re.compile(
|
|
19
|
-
r"(/etc/passwd\b|/etc/shadow\b|;|&&|\||\$\(.+\)|\bcurl\b|\bwget\b|\bexec\b|\bsystem\b|cmd=|proc/self/environ)",
|
|
20
|
-
re.IGNORECASE),
|
|
21
|
-
"path": re.compile(r"(\.\./|\.\.%2f|\.\.%5c|\.\.\\|\.\.;|%2f%2e%2e%2f)", re.IGNORECASE),
|
|
22
|
-
"redirect": re.compile(r"(redirect=|url=|next=|redirect_uri=|redirect:|RedirectTo=)", re.IGNORECASE),
|
|
23
|
-
"danger": re.compile(
|
|
24
|
-
r"(%3C|%3E|%27|%22|%00|%2F|%5C|%3B|%7C|%28|%29|%20|%3D|%3A|%3F|%26|%23|%2B|%25|file://|<foo|xmlns:|/etc/passwd|windows/win\.ini)",
|
|
25
|
-
re.IGNORECASE),
|
|
26
|
-
"suspicious_ext": re.compile(
|
|
27
|
-
r"\.(exe|sh|py|pl|bak|php5|jspx|bat|cmd|pif|js|vbs|vbe|sct|ini|inf|tmp|swp|jar|java|class|ps1)\b",
|
|
28
|
-
re.IGNORECASE)
|
|
29
|
-
}
|
|
30
7
|
|
|
8
|
+
from xbase_util.xbase_constant import regex_patterns
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
def handle_uri(data, use_tqdm=True):
|
|
31
12
|
# 定义多层解码函数,确保完全解码 URI
|
|
32
13
|
def fully_decode_uri(uri):
|
|
33
14
|
try:
|
|
@@ -53,7 +34,6 @@ def handle_uri(data,use_tqdm=True):
|
|
|
53
34
|
traceback.print_exc()
|
|
54
35
|
exit(0)
|
|
55
36
|
|
|
56
|
-
|
|
57
37
|
# 初始化统计变量
|
|
58
38
|
param_count = 0
|
|
59
39
|
path_depth = 0
|
|
@@ -95,6 +75,7 @@ def handle_uri(data,use_tqdm=True):
|
|
|
95
75
|
result[f"URI_FEATURES_EXTRA_contains_{key}"] = value
|
|
96
76
|
|
|
97
77
|
return result
|
|
78
|
+
|
|
98
79
|
if use_tqdm:
|
|
99
80
|
feature_data = data.progress_apply(process_row, axis=1, result_type="expand")
|
|
100
81
|
else:
|
|
@@ -103,7 +84,7 @@ def handle_uri(data,use_tqdm=True):
|
|
|
103
84
|
return data
|
|
104
85
|
|
|
105
86
|
|
|
106
|
-
def handle_ua(data,use_tqdm=True):
|
|
87
|
+
def handle_ua(data, use_tqdm=True):
|
|
107
88
|
data['http.useragent'] = data['http.useragent'].fillna('').astype(str)
|
|
108
89
|
# 处理换行符及多余空格
|
|
109
90
|
data['http.useragent'] = data['http.useragent'].str.replace(r'\s+', ' ', regex=True)
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import os
|
|
2
|
+
import re
|
|
2
3
|
|
|
3
4
|
current_dir = os.path.dirname(__file__)
|
|
4
5
|
parse_path = os.path.join(current_dir, '..', 'xbase_util_assets', 'arkimeparse.js')
|
|
@@ -203,4 +204,21 @@ features_key = [
|
|
|
203
204
|
'URI_FEATURES_EXTRA_param_length_max', 'UserAgent_is_attack', 'UserAgent_is_enterprise', 'UserAgent_browser',
|
|
204
205
|
'UserAgent_browser_version', 'UserAgent_os', 'UserAgent_os_version', 'UserAgent_device_type',
|
|
205
206
|
'UserAgent_platform', 'UserAgent_is_bot', 'UserAgent_language', 'UserAgent_special_char_count',
|
|
206
|
-
'UserAgent_is_unknown']
|
|
207
|
+
'UserAgent_is_unknown']
|
|
208
|
+
regex_patterns = {
|
|
209
|
+
"sql": re.compile(
|
|
210
|
+
r"\b(select|union|insert|update|delete|drop|--|#| or |' or '|information_schema|database\(\)|version\(\))\b",
|
|
211
|
+
re.IGNORECASE),
|
|
212
|
+
"xss": re.compile(r"(<script\b|javascript:|onload=|onclick=|<iframe\b|src=)", re.IGNORECASE),
|
|
213
|
+
"cmd": re.compile(
|
|
214
|
+
r"(/etc/passwd\b|/etc/shadow\b|;|&&|\||\$\(.+\)|\bcurl\b|\bwget\b|\bexec\b|\bsystem\b|cmd=|proc/self/environ)",
|
|
215
|
+
re.IGNORECASE),
|
|
216
|
+
"path": re.compile(r"(\.\./|\.\.%2f|\.\.%5c|\.\.\\|\.\.;|%2f%2e%2e%2f)", re.IGNORECASE),
|
|
217
|
+
"redirect": re.compile(r"(redirect=|url=|next=|redirect_uri=|redirect:|RedirectTo=)", re.IGNORECASE),
|
|
218
|
+
"danger": re.compile(
|
|
219
|
+
r"(%3C|%3E|%27|%22|%00|%2F|%5C|%3B|%7C|%28|%29|%20|%3D|%3A|%3F|%26|%23|%2B|%25|file://|<foo|xmlns:|/etc/passwd|windows/win\.ini)",
|
|
220
|
+
re.IGNORECASE),
|
|
221
|
+
"suspicious_ext": re.compile(
|
|
222
|
+
r"\.(exe|sh|py|pl|bak|php5|jspx|bat|cmd|pif|js|vbs|vbe|sct|ini|inf|tmp|swp|jar|java|class|ps1)\b",
|
|
223
|
+
re.IGNORECASE)
|
|
224
|
+
}
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|