mhatzl / web_ids Goto Github PK

I was wondering, maybe it would be easier to use Flags Package instead of Environment Variables for debugging, testing and maybe even future features?

I would try to implement this, as it would allow us to provide redis channel name through flag for example. Thoughts?

In my opinion we should rename web_ids/doc/Overview.md to web_ids/doc/README.md. This would lead to it auto showing when viewing the doc subfolder in github.

Unique IDs should be added to signatures for easier referencing.
To prevent collisions, the ID must only be unique inside one file. Internally, web_ids adds the filename to the ID, so every signature can be uniquely identified.

See pull request #6 on why this feature might be useful

The signature object is passed as pure object, so the fields are not visible in the log

New syntax was decided in issue #2

In short, new syntax of signature files:

ipSignature is an array of ips.
requestSignature can have any of the following keys: method, status, uri. and body. At least one of those keys must be provided, but others are optional and get treated as AND conditions.

Implementation idea:
two functions to match a request.

1. match against array of ipSignature
2. match against array of requestSignature, checking if a key is present and trying to match request against it

The following changes need to be made to increase the consistancy between the signatures and the request logs:

• Change the field name request_method to method
• Change the field name request_uri to uri
• Update the documentation in doc/FetchingLogs.md

These improvements were mentioned here and here

EDIT: Fix typo

Currently, there are several keys per signature type, which is nice, if we want to have several values, a request must match before being considered malicious.
But how should we use those keys inside web_ids?

Additionally: Should we add a key to specify, if something that matches is malicious, warning, ok, ... ?

web_ids crashes, if an invalid regex was provided in a signature file.

fix:
web_ids shall not crash and the invalid regex string shall be logged

Typo when checking the uri signature.

hasMatch must be initially set to true, since matches are combined over AND
request method not combined per AND

idea behind see end of issue #2

in short:

ipSignature is an array of ips.
requestSignature can have any of the following keys: method, status, uri. and body. At least one of those keys must be provided, but others are optional and get treated as AND conditions.

A possible signature file would then look like:

{
"ipSignature" : [ "^10\.0\.0\.10$", "^192\.168\.0\.255$" ],

"requestSignature" : [
{
"uri" : ".*\.php"
} ,
{
"method" : "GET",
"body" : ".+"
},
{
"status" : "[45]\d\d"
}
]
}

In example_signature.json is a regex pattern with an unescaped ) resulting in a crash of web_ids