Changeset 824665
- Timestamp:
- 12/18/2013 01:08:16 PM (12 years ago)
- File:
-
- 1 edited
6scan-protection/trunk/modules/signatures/analyzer.php
r566110 r824665 1 1 <?php 2 2 3 if ( ! defined( 'ABSPATH' ) ) 3 if ( ! defined( 'ABSPATH' ) ) 4 4 die( 'No direct access allowed' ); 5 5 6 6 7 7 function sixscan_signatures_analyzer_is_env_flag_on( $flag_value ){ … … 20 20 if ( $is_suspicious ) 21 21 $count_option_name = SIXSCAN_OPTION_STAT_SUSPICIOUS_REQ_COUNT; 22 22 23 23 $counter_update_query = "update " . $wpdb->options . " set option_value=option_value+1 where option_name like '$count_option_name'"; 24 24 $wpdb->query( $counter_update_query ); … … 28 28 global $wpdb; 29 29 30 $counter_reset_query = "update " . $wpdb->options . " set option_value=0 where option_name like '" . SIXSCAN_OPTION_STAT_OK_REQ_COUNT . 30 $counter_reset_query = "update " . $wpdb->options . " set option_value=0 where option_name like '" . SIXSCAN_OPTION_STAT_OK_REQ_COUNT . 31 31 "' or option_name like '" . SIXSCAN_OPTION_STAT_SUSPICIOUS_REQ_COUNT . "'"; 32 32 $wpdb->query( $counter_reset_query ); … … 36 36 global $wpdb; 37 37 38 $counter_get_query = "select * from " . $wpdb->options . " where option_name like '" . SIXSCAN_OPTION_STAT_OK_REQ_COUNT . 38 $counter_get_query = "select * from " . $wpdb->options . " where option_name like '" . SIXSCAN_OPTION_STAT_OK_REQ_COUNT . 39 39 "' or option_name like '" . SIXSCAN_OPTION_STAT_SUSPICIOUS_REQ_COUNT . 
"'"; 40 40 41 41 $analyzer_counter_array = $wpdb->get_results( $counter_get_query ); 42 42 … … 45 45 /* convert stdClass into associative array for ease of use */ 46 46 foreach ( $analyzer_counter_array as $one_request ){ 47 $response_array[ $one_request->option_name ] = $one_request->option_value; 47 $response_array[ $one_request->option_name ] = $one_request->option_value; 48 48 } 49 49 … … 58 58 } 59 59 60 function sixscan_signatures_analyzer_suspicious_request(){ 61 60 function sixscan_signatures_analyzer_suspicious_request(){ 61 62 62 /* If we were accessed by one of our servers, do not count this request */ 63 63 if ( strstr( SIXSCAN_SIGNATURE_SCANNER_IP_LIST, $_SERVER[ 'REMOTE_ADDR' ] ) !== FALSE ) … … 70 70 } 71 71 72 list($analyze_action, $exploit_type) = sixscan_signatures_analyzer_is_to_block_request(); 73 if ( $analyze_action == 'ignore' ) 74 return; 75 72 76 /* Suspicious request */ 73 77 sixscan_signatures_analyzer_requests_count( TRUE ); 74 78 75 79 if ( is_writeable (dirname ( SIXSCAN_ANALYZER_LOG_FILEPATH ) . "/" ) == FALSE ) 76 80 return; 77 81 78 82 /* If it exists, we want to limit the filesize to some maximum */ 79 83 if ( is_file( SIXSCAN_ANALYZER_LOG_FILEPATH ) && ( filesize( SIXSCAN_ANALYZER_LOG_FILEPATH ) > SIXSCAN_ANALYZER_MAX_LOG_FILESIZE ) ) 80 84 return; 81 82 $data_log = "\"" . $_SERVER['SCRIPT_NAME'] . "\" \"" . addslashes( $_SERVER['QUERY_STRING'] ) . "\" \"" . addslashes( $_SERVER['HTTP_REFERER'] ) . "\" \"" . addslashes( $_SERVER['HTTP_USER_AGENT'] ) . "\"" . 
SIXSCAN_SECURITY_LOG_SEPARATOR; 85 86 87 /* get current request time in UTC */ 88 date_default_timezone_set("UTC"); 89 $current_time = date("Y-m-d H:i:s", time()); 90 91 /* we build a json string to provide easy parsing in the backend */ 92 $data_log = json_encode(array( 'site' => $_SERVER['HTTP_HOST'], 93 'uri' => $_SERVER['REQUEST_URI'], 94 'query_string' => $_SERVER['QUERY_STRING'], 95 'script_name' => $_SERVER['SCRIPT_NAME'], 96 'exploit_type' => $exploit_type, 97 'remote_ip' => $_SERVER['REMOTE_ADDR'], 98 'remote_user_agent' => $_SERVER['HTTP_USER_AGENT'], 99 'remote_referrer' => $_SERVER['HTTP_REFERER'], 100 'time' => $current_time)); 83 101 84 102 @file_put_contents( SIXSCAN_ANALYZER_LOG_FILEPATH , $data_log , FILE_APPEND ); 85 103 86 /* Check whether we should block this request */ 87 if ( sixscan_signatures_analyzer_is_to_block_request() ) 104 if ( $analyze_action == 'block' ) 88 105 sixscan_signatures_analyzer_deny_access(); 89 106 } … … 93 110 $requested_url = strtolower( urldecode( $requested_url ) ); 94 111 $required_mask = strtolower( $required_mask ); 95 112 96 113 $rfi_pattern = "/(https?|ftp|gzip|bzip2):\/\/([a-z0-9.-\/]+)&?/i"; 97 114 98 115 /* Get the URL, that address points to */ 99 116 preg_match_all( $rfi_pattern, $requested_url, $rfi_matched ); … … 107 124 if ( $is_strict ){ 108 125 if ( strcmp( $one_rfi, $required_mask ) != 0 ) 109 return FALSE; 126 return FALSE; 110 127 } 111 128 else{ … … 119 136 120 137 function sixscan_signatures_analyzer_is_to_block_request(){ 121 $allowed_waf_rules = get_option( SIXSCAN_OPTION_WAF_REQUESTED ); 138 $allowed_waf_rules = get_option( SIXSCAN_OPTION_WAF_REQUESTED ); 139 140 /* 141 Return values: 142 'ignore' - do not block, do not log 143 'noblock' - log, don't block 144 'block' - log and block 145 */ 122 146 123 147 /* WAF is disabled */ 124 if ( in_array( 'waf_global_enable' , $allowed_waf_rules ) == FALSE ) 125 return FALSE;148 if ( in_array( 'waf_global_enable' , $allowed_waf_rules ) == FALSE ) 149 
return array('noblock',''); 126 150 127 151 /* Filter strange requests */ 128 152 if ( sixscan_signatures_analyzer_is_env_flag_on( "sixscanstrangerequest" ) ){ 129 153 if ( in_array( 'waf_non_standard_req_disable' , $allowed_waf_rules ) ) 130 return TRUE;154 return array('block',''); 131 155 } 132 156 … … 134 158 if ( sixscan_signatures_analyzer_is_env_flag_on( "sixscanwafsqli" ) ){ 135 159 if ( in_array( 'waf_sql_protection_enable' , $allowed_waf_rules ) ) 136 return TRUE;160 return array('block','sql'); 137 161 } 138 162 … … 140 164 if ( sixscan_signatures_analyzer_is_env_flag_on( "sixscanwafxss" ) ){ 141 165 if ( in_array( 'waf_xss_protection_enable' , $allowed_waf_rules ) ) 142 return TRUE;166 return array('block','xss'); 143 167 } 144 168 … … 146 170 if ( sixscan_signatures_analyzer_is_env_flag_on( "sixscanwafcsrf" ) ){ 147 171 if ( in_array( 'waf_post_csrf_protection_enable' , $allowed_waf_rules ) ) 148 return TRUE;149 } 172 return array('block','csrf'); 173 } 150 174 151 175 /* Filter RFI */ … … 153 177 if ( in_array( 'waf_rfi_protection_enable' , $allowed_waf_rules ) ){ 154 178 $allowed_rfi_scripts = array( '/wp-login.php' ); 155 179 156 180 /* If link is OK to be used with URL as mask */ 157 if ( in_array( $_SERVER['SCRIPT_NAME'] , $allowed_rfi_scripts ) ) 158 return FALSE;181 if ( in_array( $_SERVER['SCRIPT_NAME'] , $allowed_rfi_scripts ) ) 182 return array('ignore',''); 159 183 160 184 /* Allow local inclusions */ 161 if ( in_array( 'waf_rfi_local_access_enable' , $allowed_waf_rules ) ){ 185 if ( in_array( 'waf_rfi_local_access_enable' , $allowed_waf_rules ) ){ 162 186 163 187 $mixed_site_address = parse_url( home_url() ); 164 188 165 189 $current_hostname = $mixed_site_address[ 'host' ] ; 166 190 167 /* If the RFI doesn't satisfy requested mask - block the request. 191 /* If the RFI doesn't satisfy requested mask - block the request. 
168 192 Have to add "/", to avoid turning good domains (www.site.com) into bad (www.site.com.badsite.com) */ 169 193 if ( ( sixscan_signatures_analyzer_is_rfi_by_mask( $_SERVER['QUERY_STRING'] , $current_hostname , TRUE ) == FALSE ) 170 194 && ( sixscan_signatures_analyzer_is_rfi_by_mask( $_SERVER['QUERY_STRING'] , $current_hostname . "/" ) == FALSE ) ) 171 172 return TRUE;173 174 return FALSE;195 196 return array('block','rfi'); 197 198 return array('ignore',''); 175 199 } 176 200 177 201 /* RFI with no exclusions - always blocking */ 178 return TRUE;179 } 180 } 202 return array('block','rfi'); 203 } 204 } 181 205 182 206 /* Trigger is not blocked */ 183 return FALSE; 184 185 } 207 return array('noblock',''); 208 } 186 209 ?>
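Review bot: In sixscan_signatures_analyzer_suspicious_request the new `$data_log = json_encode(array(...))` is written to the log without checking its result, and json_encode() returns FALSE when any value (query string, User-Agent, Referer, Host — all attacker-controlled) contains bytes that are not valid UTF-8, so `@file_put_contents(... , $data_log, FILE_APPEND)` then appends an empty string and the offending request leaves no trace; a client can suppress its own log entry with a single stray byte in a header. The old string format also ended each record with SIXSCAN_SECURITY_LOG_SEPARATOR, while the JSON records are now appended back to back with no delimiter, which works against the stated goal of easy parsing in the backend. Suggest `if ( $data_log === FALSE ) $data_log = json_encode( array( 'remote_ip' => $_SERVER['REMOTE_ADDR'], 'time' => $current_time, 'json_error' => json_last_error() ) );` followed by `$data_log .= "\n";` before the write. Separately, `date_default_timezone_set("UTC")` changes the process default timezone for the rest of the request as a side effect of logging; `$current_time = gmdate("Y-m-d H:i:s");` gives the same UTC timestamp without it.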