
五.Suricata识别http攻击流量

一.定义http攻击类型

编辑 classification.config 文件,为 HTTP 协议增加以下类别,并设定相应的 priority(数字越小优先级越高,1 为最高;classtype 引用的是第一列的短名)。

HTTP 协议是明文传输,其流量特征可出现在 URL 地址、POST 请求正文、请求头或响应头,以及文件上传(同样位于 POST 请求正文)中。注意:下文示例规则指向 8443 端口,该端口通常承载 TLS;Suricata 只有在流量是明文 HTTP、或已在上游(如负载均衡/解密设备)解密的情况下才能按这些规则解析。

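# classification.config additions for the HTTP rules in this document.
# Format: config classification: <shortname>, <description>, <priority>
# Priority 1 is the most severe; <shortname> is what the rules' classtype: refers to.
config classification: web-status-error, web服务器状态异常, 4
config classification: web-scan-attack, web页面扫描攻击, 2
config classification: web-sql-injection, SQL注入攻击, 1
config classification: web-xss-attack, XSS跨站攻击, 2
# SSRF is server-side request forgery, not a cross-site attack; the description
# originally said "跨站" and has been corrected so analysts are not misled.
config classification: web-ssrf-attack, SSRF服务端请求伪造攻击, 2
config classification: web-shell-attack, 站点木马植入, 1
config classification: web-file-upload, 文件上传异常, 1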

 

二.URL地址栏异常

1.状态码异常

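# Status-code anomalies. http_stat_code is only present in the server response,
# so the header is written server -> client with flow:to_client; the original
# `any any <> $HOME_NET 8443` also worked but inspected both directions for nothing.
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现404."; flow:established,to_client; content:"404"; http_stat_code; classtype:web-status-error; sid:561001; rev:2;)
# The 403 and 500 rules originally carried a copy-pasted content:"404" and could
# never match their own status code; each now matches the code named in its msg.
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现403."; flow:established,to_client; content:"403"; http_stat_code; classtype:web-status-error; sid:561002; rev:2;)
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现500."; flow:established,to_client; content:"500"; http_stat_code; classtype:web-status-error; sid:561003; rev:2;)

# Scan detection: 5 or more 404 responses to the same client within 20 seconds.
# The alert fires on the response packet, whose source address is the server, so
# `track by_src` would count per server; `track by_dst` keys on the client.
# A single 404 is not an attack, which is why this rule (not 561001) carries the
# web-scan-attack classtype. rev was missing in the original.
alert http $HOME_NET 8443 -> any any (msg:"Web目录扫描-20秒内5次404."; flow:established,to_client; content:"404"; http_stat_code; threshold:type threshold, track by_dst, count 5, seconds 20; classtype:web-scan-attack; sid:561004; rev:2;)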

2.SQL注入攻击

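# SQL injection in the request URI. http_uri is the libhtp-normalized URI
# (percent-decoded), so "%20and%20" is seen as " and ". Client -> server only.
# Bare keywords such as "select", "--" or "#" are noisy on a real site; run these
# with a threshold or in IDS-only mode and tune before promoting them.
# The msg said "union" but the original body only looked for "select"; both
# keywords are now required, "select" after "union" within the same URI.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-union."; flow:established,to_server; content:"union"; http_uri; nocase; content:"select"; http_uri; nocase; distance:0; classtype:web-sql-injection; sid:562001; rev:2;)

alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-order by."; flow:established,to_server; content:"order by"; http_uri; nocase; classtype:web-sql-injection; sid:562002; rev:2;)

# MySQL information functions commonly used to fingerprint the target.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-database()."; flow:established,to_server; content:"database()"; http_uri; nocase; classtype:web-sql-injection; sid:562003; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-version()."; flow:established,to_server; content:"version()"; http_uri; nocase; classtype:web-sql-injection; sid:562004; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-user()."; flow:established,to_server; content:"user()"; http_uri; nocase; classtype:web-sql-injection; sid:562005; rev:2;)

# Error-based injection functions.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-updatexml(."; flow:established,to_server; content:"updatexml("; http_uri; nocase; classtype:web-sql-injection; sid:562006; rev:2;)
# Note: the literal "extract(" requires "(" directly after "extract", so it does
# not match extractvalue( — add a separate rule if that function matters to you.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-extract(."; flow:established,to_server; content:"extract("; http_uri; nocase; classtype:web-sql-injection; sid:562007; rev:2;)

# Boolean operators surrounded by spaces (|20| is a literal space byte).
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-and."; flow:established,to_server; content:"|20|and|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562008; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-or."; flow:established,to_server; content:"|20|or|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562009; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-| |."; flow:established,to_server; content:"|7C 7C|"; http_uri; nocase; classtype:web-sql-injection; sid:562010; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-&&."; flow:established,to_server; content:"&&"; http_uri; nocase; classtype:web-sql-injection; sid:562011; rev:2;)

# Comment markers used to truncate the rest of the query.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-#."; flow:established,to_server; content:"|23|"; http_uri; nocase; classtype:web-sql-injection; sid:562012; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击---."; flow:established,to_server; content:"--"; http_uri; nocase; classtype:web-sql-injection; sid:562013; rev:2;)
# Higher-fidelity variant of 562013: MySQL only treats "--" as a comment when
# whitespace follows it, and "+" is how a space is often URL-encoded. The
# original pcre "/\+*|\s*/i" had an empty alternative and matched every URI.
# The U modifier binds the pcre to the normalized URI buffer; without it the
# pattern is tested against the whole payload.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击---."; flow:established,to_server; content:"--"; http_uri; pcre:"/--(\s|\+)/U"; classtype:web-sql-injection; sid:562014; rev:2;)

# Catch-all: any query-string parameter followed by a SQL keyword. The original
# pattern was broken across lines ("database\" / "(" and "--\" / "s+"); it is
# restored to a single line with the escapes "database\(" and "--\s+", and bound
# to the URI buffer with /U.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击."; flow:established,to_server; content:"="; http_uri; pcre:"/union|select|from|updatexml|extract|database\(|user\(|version\(|information_schema|where|columns|--\s+|--\++|\s+and\s+|\s+or\s+|\|\||&&/Ui"; classtype:web-sql-injection; sid:562015; rev:2;)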

 3.XSS跨站脚本

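# Reflected XSS markers in the normalized request URI. Tags and the "javascript"
# scheme are the strongest signals; "alert(" and "onload=" are common probes.
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"<script"; http_uri; nocase; classtype:web-xss-attack; sid:563001; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"</script"; http_uri; nocase; classtype:web-xss-attack; sid:563002; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"javascript"; http_uri; nocase; classtype:web-xss-attack; sid:563003; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"alert("; http_uri; nocase; classtype:web-xss-attack; sid:563004; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"onload="; http_uri; nocase; classtype:web-xss-attack; sid:563005; rev:2;)
# This rule originally reused sid 563005; Suricata refuses duplicate sids, so it
# gets 563006. "http://" inside a URI is also what the SSRF rule 564002 looks for
# and is extremely noisy (any redirect/return-URL parameter) — keep it disabled
# or thresholded unless the application never carries URLs in parameters.
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; flow:established,to_server; content:"http|3A|//"; http_uri; nocase; classtype:web-xss-attack; sid:563006; rev:2;)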

 4.SSRF攻击

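# SSRF: a URL scheme appearing as a parameter value in the request URI.
# The "=" prefix (already used for file:) requires the scheme to start a
# parameter value, e.g. "?url=http://", instead of matching anywhere in the URI.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"=file|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564001; rev:2;)

# http:/https: originally matched bare, which fires on any URL-in-parameter;
# anchoring on "=" makes them consistent with the file: rule above.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"=http|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564002; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"=https|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564003; rev:2;)

# Exotic schemes that have no legitimate place in a web parameter.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"dict|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564004; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"gopher|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564005; rev:2;)
# Originally a duplicate of sid 564005, which Suricata rejects; renumbered to 564006.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; flow:established,to_server; content:"phar|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564006; rev:2;)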

5.木马脚本

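# PHP webshell fragment passed in the URI: a "<?" open tag followed by a
# dangerous function or superglobal. Fixes versus the original:
#  - "$_POST"/"$_GET" were unescaped, and in PCRE "$" is the end-of-string
#    anchor, so those alternatives could never match; they are now "\$_POST"/"\$_GET".
#  - /U binds the pcre to the normalized URI buffer instead of the raw payload.
#  - classtype:web-shell-attack had been broken across two lines.
#  - sid 545005 was outside this document's 56xxxx numbering; renumbered to 565001.
alert http any any -> $HOME_NET 8443 (msg:"URL地址木马"; flow:established,to_server; content:"<?"; http_uri; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/Ui"; classtype:web-shell-attack; sid:565001; rev:2;)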

 

三.POST请求和HTTP头部

整体上与 URL 规则一致,只需把 http_uri 换成 http.request_body(Suricata 5+ 的粘性缓冲区写法)或旧写法 http_client_body;检查请求头时使用 http.header。注意粘性缓冲区会一直作用到下一个缓冲区关键字为止,其后的 content 和 pcre 都在该缓冲区内匹配,因此检查 Content-Type 时要先切换到 http.content_type(或 http.header),不能在 http.request_body 之后直接写 content:"x-www-form-urlencoded"。

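# POST body: same patterns as the URI webshell rule, on the http.request_body
# sticky buffer. A sticky buffer applies to every content/pcre after it until
# another buffer keyword, so the original's trailing content:"x-www-form-urlencoded"
# was searched for inside the body rather than in the Content-Type header; it is
# now checked via http.content_type first. "$_POST"/"$_GET" are escaped ("$" is
# an anchor in PCRE). sid 546001 was outside the 56xxxx scheme; renumbered 566001.
alert http any any -> $HOME_NET 8443 (msg:"POST正文木马"; flow:established,to_server; http.content_type; content:"x-www-form-urlencoded"; nocase; http.request_body; content:"="; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; classtype:web-shell-attack; sid:566001; rev:2;)

# Request headers: the pcre follows the http.header sticky buffer, so no /H
# modifier is needed. The original pattern contained "\ (" and "--\ s+", which
# were line-wrap artifacts of "database\(" and "--\s+" and are restored here.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-HTTP头部."; flow:established,to_server; http.header; content:"="; pcre:"/union|select|from|updatexml|extract|database\(|user\(|version\(|information_schema|where|columns|--\s+|--\++|\s+and\s+|\s+or\s+|\|\||&&/i"; classtype:web-sql-injection; sid:567015; rev:2;)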
