Suricata - Lua Output Script

发表于 更新于 分类于
本文字数: 9.9k 阅读时长 ≈ 9 分钟

背景

​ 由于近期网站遭受大量撞库攻击, 想监控一下登录接口中的异常行为。通过alert并不能起到很好的效果, 所以采用Lua脚本进行扩展, 写了一个审计登录接口的脚本。通过登录接口事件, 再配合Wazuh进行一些简单的关联告警, 效果还是不错的。

需求

  • 由于审计内容涉及到用户敏感信息, 因此需要对敏感信息进行Hash之后再输出;
  • 除通用HTTP Header字段外支持对自定义字段进行选择性输出;

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
json = require "json"
md5 = require "md5"

-- 登录接口
login_url = "/login"
-- 登录状态码
success_code = 0
-- event_name
event_name = "login_audit"
-- event_type
event_type = "lua"
-- app_type
app_type = "web"
-- logs
name = "web_login_audit.json"

-- common_mapping
http_common_mapping = '{"accept":"accept","accept-charset":"accept_charset","accept-encoding":"accept_encoding","accept-language":"accept_language","accept-datetime":"accept_datetime","authorization":"authorization","cache-control":"cache_control","from":"from","max-forwards":"max_forwards","origin":"origin","pragma":"pragma","proxy-authorization":"proxy_authorization","via":"via","vary":"vary","x-requested-with":"x_requested_with","x-forwarded-proto":"x_forwarded_proto","accept-range":"accept_range","allow":"allow","connection":"connection","content-encoding":"content_encoding","content-language":"content_language","content-location":"content_location","content-md5":"content_md5","content-range":"content_range","date":"date","last-modified":"last_modified","location":"location","proxy-authenticate":"proxy_authenticate","referrer":"refer","retry-after":"retry_after","server":"server","transfer-encoding":"transfer_encoding","upgrade":"upgrade","www-authenticate":"www_authenticate","x-authenticated-user":"x_authenticated_user","user-agent":"user_agent"}'
common_mapping_table = json.decode(http_common_mapping)

-- request_mapping
http_request_mapping = '{"content-length":"request_content_length","content-type":"request_content_type"}'
request_mapping_table = json.decode(http_request_mapping)

-- response_mapping
http_response_mapping = '{"content-length":"response_content_length","content-type":"response_content_type"}'
response_mapping_table = json.decode(http_response_mapping)

-- defind functioin
function md5Encode(args)
    m = md5.new()
    m:update(args)
    return md5.tohex(m:finish())
end

function urlDecode(args)
    s = string.gsub(args, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
    return s
end

-- email=xxx@yyy.com&password=zzz
function formatStr(args)
    t = {}
    data = string.split(args, '&')
    for n, v in ipairs(data) do
        d = string.split(v, '=')
        t[d[1]] = d[2]
    end
    return t
end

function string.split(s, p)
    local rt = {}
    string.gsub(s, '[^'..p..']+', function(w) table.insert(rt, w) end )
    return rt
end

function trim(s)
    return (string.gsub(s, "^%s*(.-)%s*$", "%1"))
end

function formatCookie(args)
    t = {}
    data = string.split(args, ";")
    for n, v in ipairs(data) do
        v = trim(v)
        d = string.split(v, "=")
        t[d[1]] = d[2]
    end
    return t
end

-- default function
function init (args)
    local needs = {}
    needs["protocol"] = "http"
    return needs
end


function setup (args)
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    SCLogInfo("Web Login Log Filename " .. filename)
    http = 0
end


function log(args)

    -- init tables
    http_table = {}

    -- http_hostname
    http_hostname = HttpGetRequestHost()
    http_table["hostname"] = http_hostname

    -- http_url
    http_url = HttpGetRequestUriNormalized()
    if http_url ~= login_url then
        return
    end
    http_table["url"] = login_url

    -- http_url_path
    http_table["url_path"] = http_url

    -- http_method
    rl = HttpGetRequestLine()
    http_method = string.match(rl, "%w+")
    http_table["method"] = http_method

    -- http_status
    rsl = HttpGetResponseLine()
    status_code = string.match(rsl, "%s(%d+)%s")
    http_status = tonumber(status_code)
    http_table["status"] = http_status

    -- http_protocol
    http_protocol = string.match(rsl, "(.-)%s")
    http_table["protocol"] = http_protocol

    -- request_token
    cookie = HttpGetRequestHeader("Cookie")
    if cookie ~= nil then
        session_id = string.match(cookie, "sessionID=(.-);")
        if session_id ~= nil then
            http_table["request_token"] = md5Encode(session_id)
        else
            http_table["request_token"]  = nil
        end
    end

    -- response_token && member_id
    set_cookie = HttpGetResponseHeader("Set-Cookie")
    if set_cookie ~= nil then
        session_id = string.match(set_cookie, "sessionID=(.-);")
        http_table["response_token"]  = md5Encode(session_id)
        member_id = string.match(set_cookie, "memberId=(.-);")
        http_table["member_id"] = tonumber(member_id)
    end
    
    -- login_results
    a, o, e = HttpGetResponseBody()
    for n, v in ipairs(a) do
        body = json.decode(v)
        results_code = tonumber(body["code"])
        if results_code == success_code then
            results = "success"
        else
            results = "failed"
        end
    end
    http_table["results"] = results
    http_table["results_code"] = results_code

    -- email & password
    a, o, e = HttpGetRequestBody()
    for n, v in ipairs(a) do
        res = formatStr(v)
        mail = urlDecode(res['email'])
        pass = md5Encode(res['password'])
    end
    http_table["email"] = mail
    http_table["password"] = pass

    -- RequestHeaders
    rh = HttpGetRequestHeaders()
    for k, v in pairs(rh) do
        key = string.lower(k)

        common_var = common_mapping_table[key]
        if common_var ~= nil then
            http_table[common_var] = v
        end

        request_var = request_mapping_table[key]
        if request_var ~= nil then
            http_table[request_var] = v
        end
    end

    -- ResponseHeaders
    rsh = HttpGetResponseHeaders()
    for k, v in pairs(rsh) do
        key = string.lower(k)

        common_var = common_mapping_table[key]
        if common_var ~= nil then
            http_table[common_var] = v
        end

        response_var = response_mapping_table[key]
        if response_var ~= nil then
            http_table[response_var] = v
        end
    end

    -- timestring = SCPacketTimeString() 2019-09-10T06:08:35.582449+0000
    sec, usec = SCPacketTimestamp()
    timestring = os.date("!%Y-%m-%dT%T", sec) .. "." .. usec .. "+0000"
    
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()

    -- flow_id
    id = SCFlowId()
    flow_id = string.format("%.0f", id)

    -- true_ip
    true_client_ip = HttpGetRequestHeader("True-Client-IP")
    if true_client_ip ~= nil then
        src_ip = true_client_ip
    end

    -- table
    raw_data = {
        timestamp = timestring,
        flow_id = flow_id,
        src_ip = src_ip,
        src_port = src_port,
        dest_ip = dst_ip,
        dest_port = dst_port,
        event_name = event_name,
        event_type = event_type,
        app_type = app_type,
        http = http_table,
        proto = "TCP"
    }

    -- json encode
    data = json.encode(raw_data)

    file:write(data .. "\n")
    file:flush()

    http = http + 1
end


function deinit (args)
    SCLogInfo ("HTTP transactions logged: " .. http);
    file:close(file)
end

示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
{
    "src_port": 34963,
    "event_type": "lua",
    "proto": "TCP",
    "flow_id": "471693756052529",
    "timestamp": "2019-10-07T13:51:01.560556+0000",
    "event_name": "login_audit",
    "dest_port": 3007,
    "http": {
        "response_content_length": "446",
        "response_content_type": "application/json; charset=utf-8",
        "accept_encoding": "gzip",
        "accept": "*/*",
        "server": "nginx",
        "results_code": 0,
        "vary": "Accept-Encoding",
        "password": "420ce28ef813a2dc05e52a7e24eb0d5c",
        "date": "Mon, 07 Oct 2019 13:51:01 GMT",
        "request_content_type": "application/x-www-form-urlencoded; charset=UTF-8",
        "accept_language": "en-US,en;q=0.9",
        "url": "/login",
        "x_requested_with": "XMLHttpRequest",
        "x_forwarded_proto": "https",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
        "origin": "https://www.canon.com",
        "response_token": "4f5f386aec34e877ce63fce7ddd3f15f",
        "pragma": "no-cache",
        "connection": "close",
        "status": 200,
        "protocol": "HTTP/1.1",
        "hostname": "www.canon.com",
        "url_path": "/login",
        "cache_control": "no-cache, max-age=0, no-store, must-revalidate",
        "method": "POST",
        "email": "admin@canon.com",
        "request_token": "109464370570b23fa9768078ab1ac8a9",
        "member_id": 123456,
        "results": "success",
        "request_content_length": "49"
    },
    "src_ip": "77.99.22.17",
    "dest_ip": "1.1.1.1",
    "app_type": "web"
}