mhatzl / web_ids
Intrusion Detection System analysing http requests
License: MIT License
I was wondering, maybe it would be easier to use Flags Package instead of Environment Variables for debugging, testing and maybe even future features?
I would try to implement this, as it would allow us to provide redis channel name through flag for example. Thoughts?
In my opinion we should rename web_ids/doc/Overview.md to web_ids/doc/README.md. This would lead to it automatically showing when viewing the doc subfolder in GitHub.
Unique IDs should be added to signatures for easier referencing.
To prevent collisions, the ID must only be unique inside one file. Internally, web_ids adds the filename to the ID, so every signature can be uniquely identified.
See pull request #6 on why this feature might be useful.
The signature object is passed as pure object, so the fields are not visible in the log.
New syntax was decided in issue #2
In short, new syntax of signature files:
ipSignature is an array of ips.
requestSignature can have any of the following keys: method, status, uri, and body. At least one of those keys must be provided, but others are optional and get treated as AND conditions.
Implementation idea:
two functions to match a request.
The following changes need to be made to increase the consistency between the signatures and the request logs:
These improvements were mentioned here and here
EDIT: Fix typo
Currently, there are several keys per signature type, which is nice if we want to have several values a request must match before being considered malicious.
But how should we use those keys inside web_ids?
Additionally: Should we add a key to specify, if something that matches is malicious, warning, ok, ... ?
web_ids crashes if an invalid regex was provided in a signature file.
fix:
web_ids shall not crash and the invalid regex string shall be logged
Typo when checking the uri signature.
hasMatch must be initially set to true, since matches are combined over AND
request method not combined per AND
idea behind see end of issue #2
in short:
ipSignature is an array of ips.
requestSignature can have any of the following keys: method, status, uri, and body. At least one of those keys must be provided, but others are optional and get treated as AND conditions.
A possible signature file would then look like:
{
  "ipSignature" : [ "^10\\.0\\.0\\.10$", "^192\\.168\\.0\\.255$" ],
  "requestSignature" : [
    {
      "uri" : ".*\\.php"
    },
    {
      "method" : "GET",
      "body" : ".+"
    },
    {
      "status" : "[45]\\d\\d"
    }
  ]
}
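Added example, not code from the web_ids project: a small JavaScript matcher for the signature syntax above that also covers the AND combination of keys (hasMatch starting at true) and the "do not crash on an invalid regex" fix discussed in the other issues. The function names, the OR combination across array entries, and the ip field on the request object are assumptions.

```javascript
// Added example (not web_ids' own code): matcher for the signature format from
// issue #2. Assumptions: entries are regex strings, keys inside one
// requestSignature object are AND-combined, array entries are OR-combined.
// Compile a regex string, logging and returning null instead of throwing, so
// an invalid pattern in a signature file cannot crash the process.
function compileRegex(pattern, where, log = console.error) {
  try {
    return new RegExp(pattern);
  } catch (err) {
    log(`invalid regex in ${where}: ${JSON.stringify(pattern)} (${err.message})`);
    return null;
  }
}

const REQUEST_KEYS = ["method", "status", "uri", "body"];
// Compile a parsed signature file once; bad patterns are dropped, not fatal.
function compileSignature(sig, file = "signature.json") {
  const ips = (sig.ipSignature || [])
    .map((p, i) => compileRegex(p, `${file}#ipSignature[${i}]`))
    .filter(Boolean);
  const requests = (sig.requestSignature || []).map((entry, i) => {
    const fields = {};
    for (const key of REQUEST_KEYS) {
      if (entry[key] === undefined) continue;
      const re = compileRegex(entry[key], `${file}#requestSignature[${i}].${key}`);
      if (re) fields[key] = re;
    }
    return fields;
  }).filter((f) => Object.keys(f).length > 0); // at least one key is required
  return { ips, requests };
}

// Every provided key must match (AND), so hasMatch starts at true;
// a request is flagged if its ip or any requestSignature entry matches (OR).
function matchRequest(compiled, req) {
  if (compiled.ips.some((re) => re.test(req.ip))) return true;
  return compiled.requests.some((fields) => {
    let hasMatch = true;
    for (const [key, re] of Object.entries(fields)) {
      hasMatch = hasMatch && re.test(String(req[key] ?? ""));
    }
    return hasMatch;
  });
}

// Constructed sample: the signature from this issue, with JSON-style escaping.
const SAMPLE = compileSignature({
  ipSignature: ["^10\\.0\\.0\\.10$", "^192\\.168\\.0\\.255$"],
  requestSignature: [{ uri: ".*\\.php" }, { method: "GET", body: ".+" }, { status: "[45]\\d\\d" }],
});
```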
In example_signature.json is a regex pattern with an unescaped ) resulting in a crash of web_ids