Merge pull request #3049 from geeknik/patch-41

new log analysis templates
2021-11-02 16:57:10 +05:30 · 2021-11-02 16:57:10 +05:30 · 08b1ace01e
parent 09433b002f b00383dd60
commit 08b1ace01e
5 changed files with 149 additions and 0 deletions
--- a/file/logs/django-framework-exceptions.yaml
+++ b/file/logs/django-framework-exceptions.yaml
@ -0,0 +1,33 @@
+id: django-framework-exceptions
+
+info:
+  name: Django Framework Exceptions
+  description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
+  author: geeknik
+  reference:
+    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
+    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
+  severity: medium
+  tags: file,logs,django
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: exception
+        part: body
+        regex:
+          - 'SuspiciousOperation'
+          - 'DisallowedHost'
+          - 'DisallowedModelAdminLookup'
+          - 'DisallowedModelAdminToField'
+          - 'DisallowedRedirect'
+          - 'InvalidSessionKey'
+          - 'RequestDataTooBig'
+          - 'SuspiciousFileOperation'
+          - 'SuspiciousMultipartForm'
+          - 'SuspiciousSession'
+          - 'TooManyFieldsSent'
+          - 'PermissionDenied'
--- a/file/logs/python-app-sql-exceptions.yaml
+++ b/file/logs/python-app-sql-exceptions.yaml
@ -0,0 +1,23 @@
+id: python-app-sql-exceptions
+
+info:
+  name: Python App SQL Exception Check
+  description: Generic check for SQL exceptions in Python according to PEP 249
+  reference: https://www.python.org/dev
+  author: geeknik
+  severity: medium
+  tags: file,logs,python,sql
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: exception
+        part: body
+        regex:
+          - 'DataError'
+          - 'IntegrityError'
+          - 'ProgrammingError'
+          - 'OperationalError'
--- a/file/logs/ruby-on-rails-framework-exceptions.yaml
+++ b/file/logs/ruby-on-rails-framework-exceptions.yaml
@ -0,0 +1,28 @@
+id: ruby-on-rails-framework-exceptions
+
+info:
+  name: Ruby on Rails Framework Exceptions
+  description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
+  author: geeknik
+  reference:
+    - http://edgeguides.rubyonrails.org/security.html
+    - http://guides.rubyonrails.org/action_controller_overview.html
+    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
+    - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+  severity: medium
+  tags: file,logs,ruby,rails
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: exception
+        part: body
+        regex:
+          - 'ActionController\:\:InvalidAuthenticityToken'
+          - 'ActionController::InvalidCrossOriginRequest'
+          - 'ActionController::MethodNotAllowed'
+          - 'ActionController::BadRequest'
+          - 'ActionController::ParameterMissing'
--- a/file/logs/spring-framework-exceptions.yaml
+++ b/file/logs/spring-framework-exceptions.yaml
@ -0,0 +1,27 @@
+id: spring-framework-exceptions
+
+info:
+  name: Spring Framework Exceptions
+  description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
+  author: geeknik
+  reference:
+    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
+  severity: medium
+  tags: file,logs,spring
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: exception
+        part: body
+        regex:
+          - 'AccessDeniedException'
+          - 'CsrfException'
+          - 'InvalidCsrfTokenException'
+          - 'MissingCsrfTokenException'
+          - 'CookieTheftException'
+          - 'InvalidCookieException'
+          - 'RequestRejectedException'
--- a/file/logs/suspicious-sql-error-messages.yaml
+++ b/file/logs/suspicious-sql-error-messages.yaml
@ -0,0 +1,38 @@
+id: suspicious-sql-error-messages
+
+info:
+  name: Suspicious SQL Error Messages
+  description: Detects SQL error messages that indicate probing for an injection attack
+  author: geeknik
+  severity: high
+  tags: file,logs,sql
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: oracle
+        part: body
+        regex:
+          - 'quoted string not properly terminated'
+
+      - type: regex
+        name: mysql
+        part: body
+        regex:
+          - 'You have an error in your SQL syntax'
+
+      - type: regex
+        name: sql_server
+        part: body
+        regex:
+          - 'Unclosed quotation mark'
+
+      - type: regex
+        name: sqlite
+        part: body
+        regex:
+          - 'near \"\*\"\: syntax error'
+          - 'SELECTs to the left and right of UNION do not have the same number of result columns'