当前位置:首页 > 开发 > IT生活 > 正文

简单版WAF代码学习

发表于: 2015-11-13   作者:互联网   来源:转载   浏览:
摘要: 简单版WAF代码学习   网上代码只见了http://sourceforge.net/projects/sqlxsswaf/?source=directory 开始read! 一: 主函数 流程很清晰, 1.  整个WAF主函数体为死循环,在while(1)的代码段中,当代码处理完毕当前日志内容后,睡眠10ms,继续从get_pos处向后处理新内容。 2.&

简单版WAF代码学习

 

网上代码只见了http://sourceforge.net/projects/sqlxsswaf/?source=directory

开始read!

一: 主函数

流程很清晰,

1.  整个WAF主函数体为死循环,在while(1)的代码段中,当代码处理完毕当前日志内容后,睡眠10ms,继续从get_pos处向后处理新内容。

2.  第二个while处理日志,当找到get或post为开头的日志内容后,对客户端发送来的命令进行检测,直到文档结尾。然后到达1中while循环的末尾

?
1
#define tailer "/var/log/apache2/access.log"
?
1
#define finder "GET"
?
1
#define finder2 "POST"
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
int main( void ){
         fpos_t get_pos;
         printf ( "SQLXSSGRABBER HAS STARTED\n" );
         while (1) {
         FILE *fp = fopen (tailer, "r" );
         fsetpos (fp,&get_pos);
         if (fp != NULL){
                 char max_line[LINE_MAX];
                 while ( fgets (max_line, sizeof (max_line),fp) != NULL)
                 {
                         if ( strstr (max_line,finder)|| strstr (max_line,finder2)){
                             fgetpos (fp,&get_pos);
                             capture(max_line);         
                         }
                 }
                 fclose (fp);
             }
                 else {
                    perror (tailer);
                     }
         sleep(10);
}
 
return 0;
}

 

 二: capture函数

  主要是一个中间层,把具体的正则式和匹配实现抽象成一个函数,供main使用。

  很新奇的一点是,全部case使用了FALL THROUTH,又从regex_roller开始控制,很方便,省去了许多修改功能的注释时间,不需要某个引擎又不想要删除的时候,直接放在regex_roller的前面即可。

?
1
#define att_1 "((\%3C)|<)[^\n]+((\%3E)|>)"<br>#define att_2 "((\%3C)|<)((\%2F)|\\/)*[a-z0-9\%]+((\%3E)|>)"<br>#define att_3 "((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)"<br>#define att_4 "((\%27)|('))union"<br>#define att_5 "((\%3D)|(=))[^\n]*((\%27)|(<a href="file://')%7c(//-//-)%7C(/%253B" target="_blank">\\')|(\\-\\-)|(\%3B</a>)|(;))"<br>#define att_6 "((\%27)|('))"
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
char *capture( char *log_line){
     int regex_roller =0;
     
     char *xss_para_regex = att_1;
     char *xss_simple_regex = att_2;
     char *css_img_regex = att_3;
     char *unionsql_regex = att_4;
     char *sqlmeta_regex = att_5;
     char *sqlmagicquote_regex = att_6;
     
     switch (regex_roller){
         //add as many more as you wish but dont forget to #define the regex above.
         case 0:
         cap_matcher(log_line,xss_para_regex,0);
         case 1:
         cap_matcher(log_line,xss_simple_regex,1);
         case 2:
         cap_matcher(log_line,css_img_regex,2);
         case 3:
         cap_matcher(log_line,unionsql_regex,3);
         case 4:
         cap_matcher(log_line,sqlmeta_regex,4);
         case 5:
         cap_matcher(log_line,sqlmagicquote_regex,5);
         default :
             break ;
     }
 
     return 0;
}

 方便带来的后果就是如果检测出一段攻击代码后,会对这段代码继续进行其他可能性的检测,这是不需要的,同时底层函数功能过于复杂,把本该在中间层函数实现的功能带到了底层去。

三: 匹配引擎

  首先编译正则式,然后进行匹配,匹配成功,根据传入的规则编号,输出对应的攻击方式,阻塞IP,再利用邮件通知给管理员。

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
char *cap_matcher( char *log_line, char *regex, int attack_type){
     pid_t pid;
     pcre *attack_regex;
     const char *error;
     int erroffset;
     int ovector[OVECCOUNT];
     int rc;
     attack_regex = pcre_compile(regex,0,&error,&erroffset,NULL);
     if (! attack_regex){
         fprintf (stderr, "PCRE compilation failed at expression offset %d: %s\n" , erroffset, error);
         return ( char *)1;
         }
     rc = pcre_exec(attack_regex,NULL,log_line, strlen (log_line),0,0,ovector,OVECCOUNT);
 
     if (rc < 3)
     {
         return ( char *)1;
     }
     else {
         switch (attack_type){
             case 0:
                 printf ( "Paranoid Xss Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             case 1:
                 printf ( "Simple Xss Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             case 2:
                 printf ( "Xss Img Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             case 3:
                 printf ( "Sql Injection Union Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             case 4:
                 printf ( "Sql Injection meta characters Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             case 5:
                 printf ( "Sql Injection magic quote Filter Detection\n" );
                 iptables_blockage(log_line);
                 break ;
             default :
                 break ;
             }
         pid = fork();
         if (pid ==0){
           FILE *emails = popen( "/usr/bin/mail -s 'WebAttack On server' root@localhost" , "w" );
          fprintf (emails, "Attack FOUND %s ! in the log file.\n" ,log_line);
                         pclose(emails);
                         _exit(0);
                 }
            }
 
     return 0;
}

 个人感觉作者在这里的代码逻辑有些混乱,应该在匹配成功后,结束代码,返回中间层的capture函数进行处理,在capture中用宏来替换代码

这样代码会少很多而且逻辑清晰:)

?
#define R(re,way,info) if(cap_matcher(log_line,#re,#way)){\
                         printf (##info);\
                         iptables_blockage(log_line);\
                         break ;\
                     }

 四: 防火墙阻塞IP

apache的log文件如下格式:

127.0.0.1 - - [23/Sep/2011:15:27:36 +0800] "GET / HTTP/1.1" 200 44

因此以第一个空格为标准,获取IP后,调用iptables添加阻塞IP

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
void iptables_blockage( char *log_line){
     char *ip_address= malloc (100);
     char command[1000];
     int i;
     for (i =0; i <= 100 ; i++){
         if ( isspace (log_line[i])){ break ;}
         ip_address[i] = log_line[i];
     }
     snprintf(command, sizeof (command), "/sbin/iptables -A INPUT -s %s -j DROP" ,ip_address);
     FILE *iptables_run = ( FILE *)popen(command, "r" );
     pclose(iptables_run);
 
     free (ip_address);
}

 

最后的邮件通知实现与iptables差不多,详细的可以参见前一篇文章,LINUX下C语言利用命令发邮件

简单版WAF代码学习

  • 0

    开心

    开心

  • 0

    板砖

    板砖

  • 0

    感动

    感动

  • 0

    有用

    有用

  • 0

    疑问

    疑问

  • 0

    难过

    难过

  • 0

    无聊

    无聊

  • 0

    震惊

    震惊

版权所有 IT知识库 CopyRight © 2009-2015 IT知识库 IT610.com , All Rights Reserved. 京ICP备09083238号