# File 'lib/fluent/plugin/filter_nginx_nap_decode.rb', line 26
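# Decodes the Base64-encoded fields that NGINX App Protect (NAP) places in a
# violation record so downstream consumers can read them in clear text.
#
# Decoded values are written next to the originals under a `-decode` suffix
# (`name-decode`, `value-decode`, `buffer-decode`); the encoded originals are
# left in place. For VIOL_ATTACK_SIGNATURE, `violations.context` is also set to
# the policy entity kind the signature matched (cookies/headers/parameters/urls)
# or to 'request' when no observed entity is reported.
#
# Records that carry no `violations.violation.name`, and fields that are absent
# or not strings, are passed through undecoded instead of raising, so one
# malformed event cannot abort the filter chain.
#
# @param tag [String] event tag (unused, required by the Filter API)
# @param time [Fluent::EventTime, Integer] event time (unused)
# @param record [Hash] the event record; mutated in place
# @return [Hash] the same record object, with `-decode` fields added
def filter(tag, time, record)
  violations = record['violations']
  name = violations.dig('violation', 'name') if violations.is_a?(Hash)
  return record unless name

  case name
  when 'VIOL_ATTACK_SIGNATURE'
    nap_decode_attack_signature(violations)
  when 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH', 'VIOL_URL_METACHAR'
    nap_decode_observed_name(violations)
  when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_NAME_METACHAR',
       'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_NUMERIC_VALUE',
       'VIOL_PARAMETER_VALUE_LENGTH', 'VIOL_PARAMETER_ARRAY_VALUE',
       'VIOL_PARAMETER_LOCATION', 'VIOL_PARAMETER_STATIC_VALUE'
    nap_decode_observed_value(violations)
    nap_decode_name_from_policy(violations, 'parameters')
  when 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER'
    nap_decode_name_from_policy(violations, 'parameters')
  # VIOL_COOKIE_LENGTH / VIOL_HEADER_LENGTH used to be listed here too, but a
  # `case` takes the first matching `when`, so they were already handled above
  # and this branch could never run for them; the duplicates are dropped.
  when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH'
    nap_decode_name_from_policy(violations, 'filetypes')
  when 'VIOL_EVASION'
    if violations.dig('observedEntity', 'scope') == 'parameter'
      nap_decode_observed_name(violations)
      nap_decode_observed_value(violations)
      nap_decode_snippet(violations)
    end
  end

  record
end

# VIOL_ATTACK_SIGNATURE: the policy entity kind tells which part of the request
# the signature fired on. The cookies/headers/parameters/urls checks are
# sequential rather than exclusive, matching the original precedence: if a
# record lists several kinds, the last one present wins for `context`.
private def nap_decode_attack_signature(violations)
  unless violations.key?('observedEntity')
    violations['context'] = 'request'
    nap_decode_snippet(violations)
    return
  end

  policy = violations['policyEntity']
  return unless policy.is_a?(Hash)

  %w[cookies headers parameters].each do |kind|
    next unless policy.key?(kind)

    violations['context'] = kind
    nap_decode_observed_value(violations)
    nap_decode_snippet(violations)
    nap_decode_name_from_policy(violations, kind)
  end

  return unless policy.key?('urls')

  violations['context'] = 'urls'
  nap_decode_snippet(violations)
  nap_decode_observed_name(violations)
end

# Resolves the observed entity's clear-text name from the first policy entity of
# the given kind ('cookies', 'headers', 'parameters' or 'filetypes'). A wildcard
# entity means NAP reports the observed name Base64-encoded, so it is decoded;
# an explicit entity means its configured name is the clear-text name.
private def nap_decode_name_from_policy(violations, kind)
  policy_entity = violations.dig('policyEntity', kind, 0)
  return unless policy_entity.is_a?(Hash)

  if policy_entity['type'] == 'wildcard'
    nap_decode_observed_name(violations)
  else
    observed = violations['observedEntity']
    observed['name-decode'] = policy_entity['name'] if observed.is_a?(Hash)
  end
end

private def nap_decode_observed_name(violations)
  nap_decode_field(violations['observedEntity'], 'name')
end

private def nap_decode_observed_value(violations)
  nap_decode_field(violations['observedEntity'], 'value')
end

private def nap_decode_snippet(violations)
  nap_decode_field(violations['snippet'], 'buffer')
end

# Base64-decodes `source[key]` into `source["#{key}-decode"]`. Missing or
# non-string inputs are skipped rather than raised on.
# NOTE(review): Base64.decode64 returns an ASCII-8BIT string and ignores
# characters outside the Base64 alphabet; the decoded bytes originate from the
# request that triggered the violation and need not be valid UTF-8, so an
# output plugin that requires UTF-8 may need to scrub them — confirm against
# the output configuration.
private def nap_decode_field(source, key)
  return unless source.is_a?(Hash)

  encoded = source[key]
  source["#{key}-decode"] = Base64.decode64(encoded) if encoded.is_a?(String)
end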