As shown in the figure, three logs of the same session can be seen above:
Two of them come from alert_http.json and one from eve.json.
For the URL the browser actually requested, /app/.git/config, the real response code was 404, but the alert_http.json record shows a 200 response code together with a response body, which is clearly wrong.
For the request to /notice/8.0.0/ios/Version.txt the real response code was 200 with a response body, but the corresponding alert_http.json record carries no response information at all, so the response data was lost.
In eve.json, the record for the URL /app/.git/config likewise shows a response body and a 200 response code, which is also wrong.
local helper = require("common/helper")
local logger = require("common/logger")
local cjson = require("cjson")
luaunit = require("luaunit")
-- Name of this module (used as the tag for every logger.writeLog call below)
moduleName = "check.sensitive_file"
-- Load the keyword dictionary as raw JSON text; it is decoded in init_data below
sensitive_file_keywords = helper.loadFile("sensitive_file_keywords.json")
-- Rule filter: maps a rule gid to the key of the dedicated keyword list
-- that functionToBeExecuted consults for that rule
local sensitiveFileFilterMap = {
[212669] = "git", -- corresponds to the key in sensitive_file_keywords.json
[214582] = "svn",
}
--- Error handler handed to xpcall: routes the raised error to the module logger.
-- @param err the error value raised inside the protected call
function errorHandler(err)
  local level = logger.LogLevel.ERROR
  logger.writeLog(moduleName, level, err)
end
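--- Decode the keyword dictionary and lower-case every keyword list in it.
-- Runs once at load time inside xpcall (see below); any error reaches errorHandler.
-- functionToBeExecuted lower-cases the URI before matching, so a keyword that is
-- not lower-cased here (e.g. ".Git") could never fire.
function init_data()
  sensitive_file_keywords = cjson.decode(sensitive_file_keywords)
  for key, list in pairs(sensitive_file_keywords) do
    -- Write the converted list back into the table. The original assigned to
    -- the loop variable, which silently discards the helper's result unless the
    -- helper happens to mutate the list in place. `or list` keeps the entry if
    -- the helper mutates in place and returns nothing.
    sensitive_file_keywords[key] = helper.convertListToLowercase(list) or list
  end
end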
-- Decode the dictionary once at load time. On failure the script returns here,
-- before init/match below are defined, so the remaining functions never exist.
local initOk = xpcall(init_data, errorHandler)
if not initOk then
  logger.writeLog(moduleName, logger.LogLevel.ERROR, moduleName .. "初始化失败")
  return 0
end
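--- Strip the query string from a request URI.
-- @param http_uri URI string (the caller has already lower-cased it)
-- @return the part of http_uri before the first "?", or the whole string when there is none
function getBaseUrl(http_uri)
  -- Plain search: "?" is a magic character in Lua patterns, so never look for
  -- it in pattern mode; pattern mode only works here by accident.
  local qpos = string.find(http_uri, "?", 1, true)
  if qpos == nil then
    return http_uri
  end
  return string.sub(http_uri, 1, qpos - 1)
end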
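--- Decide whether a request URI looks like a sensitive-file probe.
-- @param http_uri the http.uri buffer handed over by the engine (any value; coerced via tostring)
-- @param gid the rule gid; selects a dedicated keyword list through sensitiveFileFilterMap
-- @return 1 when a keyword or suffix matches, 0 otherwise
-- NOTE(review): matching is on whatever the engine puts in http.uri; whether that
-- buffer is already percent-decoded / path-normalised is not visible here. Confirm
-- against the engine, otherwise encoded forms such as %2e%67%69%74 slip past.
function functionToBeExecuted (http_uri, gid)
  -- Lower-case once so every comparison below is case-insensitive (keyword lists
  -- are lower-cased in init_data).
  http_uri = string.lower(tostring(http_uri))
  -- `local`: the original leaked baseUrl into the global environment.
  local baseUrl = getBaseUrl(http_uri)

  -- Dedicated detection (git/svn lists): only the path is inspected, the query string is ignored.
  if helper.mapExistKey(sensitiveFileFilterMap, gid) then
    local listName = sensitiveFileFilterMap[gid]
    if helper.mapExistKey(sensitive_file_keywords, listName) then
      for _, keyword in ipairs(sensitive_file_keywords[listName]) do
        if string.find(baseUrl, keyword, 1, true) then -- plain find: keywords are literals, not patterns
          return 1
        end
      end
    end
  end

  -- "other" list: system file names may be smuggled in through query parameters
  -- when a parameter is concatenated into a path, so the full URI is searched.
  -- `or {}` keeps a dictionary without this key from raising on every packet.
  for _, keyword in ipairs(sensitive_file_keywords["other"] or {}) do
    if string.find(http_uri, keyword, 1, true) then
      return 1
    end
  end

  -- Suffix matching on the path. A path containing "download" is treated as a
  -- legitimate business download location and exempted (hoisted out of the loop;
  -- the original re-tested it for every suffix).
  -- NOTE(review): this exemption is a substring test anywhere in the path, so a
  -- path such as "/download/../backup.sql" or "/downloads/x.bak" bypasses the
  -- suffix rule; anchor it to a known directory prefix if that is not intended.
  if string.find(baseUrl, "download", 1, true) then
    return 0
  end
  for _, suffix in ipairs(sensitive_file_keywords["blackSuffix"] or {}) do
    if baseUrl:sub(-#suffix) == suffix then
      return 1
    end
  end
  return 0
end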
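--- Engine entry point: declare the buffers this script needs.
-- @param args unused
-- @return needs table with needs["http.uri"] set to the string "true"
function init (args)
  local needs = {}
  needs["http.uri"] = tostring(true)
  -- Nil-safe: a dictionary missing either key must not crash init with
  -- "attempt to get length of a nil value"; it is reported as empty instead.
  local others = sensitive_file_keywords["other"] or {}
  local suffixes = sensitive_file_keywords["blackSuffix"] or {}
  if #others > 0 or #suffixes > 0 then
    helper.printInitCheckModuleLog(moduleName)
  else
    logger.writeLog(moduleName, logger.LogLevel.ERROR, moduleName .. "初始化失败,sensitive_file_keywords 为空")
  end
  return needs
end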
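--- Engine per-rule callback.
-- @param args table holding the requested buffers; args["http.uri"] is passed on
-- @return 1 when functionToBeExecuted reports a match, 0 on no match or on error
function match(args)
  -- SCRuleIds is supplied by the engine; only gid is used. Declared local: the
  -- original leaked sid/rev/gid into the global environment.
  local _sid, _rev, gid = SCRuleIds()
  -- Errors inside the check are logged by errorHandler and treated as "no match".
  local ok, result = xpcall(functionToBeExecuted, errorHandler, args["http.uri"], gid)
  if ok then
    return result
  end
  return 0
end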