Simple WAF code learning


Source code: http://sourceforge.net/projects/sqlxsswaf/?source=directory

Let's start reading.

I. Main Function

The flow is straightforward:

1. The main function of the WAF is an endless loop. Inside the while (1) block, once the current log content has been processed, it sleeps for 10 ms and then continues with the new content from get_pos.

2. When the inner while loop that reads the log finds a line containing GET or POST, it checks the request sent by the client (capture), continuing until the end of the file. Control then returns to the outer while loop from step 1.

#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define tailer "/var/log/apache2/access.log"
#define finder "GET"
#define finder2 "POST"

/* Defined in section II. */
char *capture(char *log_line);

int main(void)
{
    fpos_t get_pos;
    int have_pos = 0;       /* get_pos is only valid after the first pass */

    printf("SQLXSSGRABBER HAS STARTED\n");
    signal(SIGCHLD, SIG_IGN);   /* reap the mail-sending children forked in cap_matcher */
    while (1) {
        FILE *fp = fopen(tailer, "r");
        if (fp != NULL) {
            char max_line[LINE_MAX];
            /* Resume where the previous pass stopped. The original called
             * fsetpos() on an uninitialised fpos_t and before the NULL check. */
            if (have_pos)
                fsetpos(fp, &get_pos);
            while (fgets(max_line, sizeof(max_line), fp) != NULL) {
                if (strstr(max_line, finder) || strstr(max_line, finder2))
                    capture(max_line);
            }
            /* Remember the end of everything read, not only the last GET/POST line,
             * so lines are not scanned twice on the next pass. */
            fgetpos(fp, &get_pos);
            have_pos = 1;
            fclose(fp);
        } else {
            perror(tailer);
        }
        sleep(10);          /* sleep() takes seconds: this pauses 10 s, not 10 ms */
    }
    return 0;
}
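The loop above resumes from a saved position, but logrotate truncates or replaces access.log, which makes that position point past the end of the new file. Here is an added example, not code from sqlxsswaf, of a position-tracking reader that starts over when the file shrinks and leaves a half-written last line for the next pass; count_request stands in for capture(), and the log path is the one the WAF uses.

```c
#include <stdio.h>
#include <string.h>

/* Request lines handed to the sample handler below. */
int g_requests_seen = 0;

/* Sample handler standing in for capture(): it only counts request lines. */
void count_request(const char *line)
{
    (void)line;
    g_requests_seen++;
}

/* Reads every complete line written after *offset and hands those carrying a
 * GET or POST request to handler. A file shorter than *offset was rotated or
 * truncated, so reading restarts at the beginning. A final line without '\n'
 * is still being written by Apache and is left for the next pass.
 * Returns the number of lines handed over, or -1 on a seek failure. */
long process_new_lines(FILE *fp, long *offset, void (*handler)(const char *))
{
    char line[4096];
    long handled = 0, size;
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0)
        return -1;
    if (size < *offset)
        *offset = 0;                              /* rotated: start over */
    if (fseek(fp, *offset, SEEK_SET) != 0)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t len = strlen(line);
        if (line[len - 1] != '\n')                /* partial line: wait for the rest */
            break;
        *offset += (long)len;
        /* Look for the method inside the quoted request, not anywhere in the line. */
        if (strstr(line, "\"GET ") != NULL || strstr(line, "\"POST ") != NULL) {
            handler(line);
            handled++;
        }
    }
    return handled;
}

int main(void)
{
    long offset = 0;
    FILE *fp = fopen("/var/log/apache2/access.log", "r");   /* path from sqlxsswaf */
    if (fp == NULL) { perror("access.log"); return 1; }
    /* One pass; the WAF's main loop would sleep and call this again. */
    printf("%ld request lines\n", process_new_lines(fp, &offset, count_request));
    fclose(fp);
    return 0;
}
```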


II. capture Function

It is mainly an intermediate layer that abstracts the concrete regular expressions and the matching implementation into one function for main to call.

The novel part is that every case falls through, which makes the set of active rules easy to control from regex_roller: starting the switch at a higher value skips the earlier rules, which saves commenting code out across many modifications. If you do not need a particular engine but do not want to delete it, move it in front of the starting value of regex_roller.

/* Each rule is a PCRE pattern; the %XX alternatives catch the URL-encoded form.
 * (The original wrote \% inside the C strings, which is not a valid escape.) */
#define att_1 "((%3C)|<)[^\n]+((%3E)|>)"
#define att_2 "((%3C)|<)((%2F)|\\/)*[a-z0-9%]+((%3E)|>)"
#define att_3 "((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)"
#define att_4 "((%27)|('))union"
#define att_5 "((%3D)|(=))[^\n]*((%27)|(\\')|(\\-\\-)|(%3B)|(;))"
#define att_6 "((%27)|('))"

/* Defined in section III. */
int cap_matcher(char *log_line, char *regex, int attack_type);

char *capture(char *log_line)
{
    int regex_roller = 0;
    char *xss_para_regex = att_1;
    char *xss_simple_regex = att_2;
    char *css_img_regex = att_3;
    char *unionsql_regex = att_4;
    char *sqlmeta_regex = att_5;
    char *sqlmagicquote_regex = att_6;

    /* Every case falls through on purpose: the switch starts at regex_roller
     * and runs that rule and all the ones after it. */
    switch (regex_roller) {
    /* add as many more as you wish but dont forget to #define the regex above. */
    case 0: cap_matcher(log_line, xss_para_regex, 0);
    case 1: cap_matcher(log_line, xss_simple_regex, 1);
    case 2: cap_matcher(log_line, css_img_regex, 2);
    case 3: cap_matcher(log_line, unionsql_regex, 3);
    case 4: cap_matcher(log_line, sqlmeta_regex, 4);
    case 5: cap_matcher(log_line, sqlmagicquote_regex, 5);
    default: break;
    }
    return 0;
}

The downside of this convenience is that once an attack pattern has been detected, the code goes on to test the remaining rules against the same line, which is unnecessary. It also makes the lower-level function too heavy: work that belongs in the middle layer (reporting, blocking, notifying) ends up in the bottom layer.

III. Matching Engine

First the regular expression is compiled, then the match is run. When it succeeds, the attack type is printed according to the rule number passed in, the IP address is blocked, and the administrator is notified by email.

#include <pcre.h>

#define OVECCOUNT 30        /* not shown in the original; must be a multiple of 3 */

/* Defined in section IV. */
void iptables_blockage(char *log_line);

/* Returns 1 when log_line matches regex (after reacting to it), 0 otherwise. */
int cap_matcher(char *log_line, char *regex, int attack_type)
{
    pid_t pid;
    pcre *attack_regex;
    const char *error;
    const char *what = NULL;
    int erroffset;
    int ovector[OVECCOUNT];
    int rc;

    attack_regex = pcre_compile(regex, 0, &error, &erroffset, NULL);
    if (!attack_regex) {
        fprintf(stderr, "PCRE compilation failed at expression offset %d: %s\n", erroffset, error);
        return 0;
    }
    rc = pcre_exec(attack_regex, NULL, log_line, strlen(log_line), 0, 0, ovector, OVECCOUNT);
    pcre_free(attack_regex);        /* the original leaked every compiled pattern */
    /* pcre_exec() returns a negative value when there is no match. The original
     * tested rc < 3, which only works because every rule has capture groups. */
    if (rc < 0)
        return 0;

    switch (attack_type) {
    case 0: what = "Paranoid Xss Filter Detection"; break;
    case 1: what = "Simple Xss Filter Detection"; break;
    case 2: what = "Xss Img Filter Detection"; break;
    case 3: what = "Sql Injection Union Filter Detection"; break;
    case 4: what = "Sql Injection meta characters Filter Detection"; break;
    case 5: what = "Sql Injection magic quote Filter Detection"; break;
    default: break;
    }
    if (what != NULL) {
        printf("%s\n", what);
        iptables_blockage(log_line);
    }
    /* Notify the administrator from a child process so the log loop does not
     * wait for mail(1). The raw log line is copied into the mail body. */
    pid = fork();
    if (pid == 0) {
        FILE *emails = popen("/usr/bin/mail -s 'WebAttack On server' root@localhost", "w");
        if (emails != NULL) {
            fprintf(emails, "Attack FOUND %s ! in the log file.\n", log_line);
            pclose(emails);
        }
        _exit(0);
    }
    return 1;
}

I personally feel the logic here is a bit muddled. After a successful match the function should simply return, leaving the capture function in the middle layer to act on the result, and the repeated case code in capture can be replaced by a macro.

That way there is much less code and the logic is clearer :)

/* Used inside the switch in capture(), e.g. case 0: R(att_1, 0, "Paranoid Xss Filter Detection");
 * It assumes cap_matcher() only reports whether the rule matched, leaving
 * reporting and blocking to this middle layer. */
#define R(re, way, info)                          \
    if (cap_matcher(log_line, (re), (way))) {     \
        printf("%s\n", (info));                   \
        iptables_blockage(log_line);              \
        break;                                    \
    }
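As an added example (not sqlxsswaf code) of the data-driven alternative suggested above: the rules live in a table, matching stops at the first hit, and each compiled pattern is freed. The patterns are rewrites of att_1, att_2, att_4, att_5 and att_6 for POSIX regex.h, which ships with libc, so the example builds without libpcre; the att_3 img rule is left out and REG_ICASE is added, both departures from the original.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* One rule: the pattern and the message printed when it fires. These are this
 * example's POSIX ERE rewrites of the att_* PCRE rules, not sqlxsswaf code. */
struct waf_rule { const char *pattern; const char *info; };

static const struct waf_rule rules[] = {
    { "(%3C|<).+(%3E|>)",                 "Paranoid Xss Filter Detection" },
    { "(%3C|<)(%2F|/)*[a-z0-9%]+(%3E|>)", "Simple Xss Filter Detection" },
    { "(%27|')union",                     "Sql Injection Union Filter Detection" },
    { "(%3D|=)[^&]*(%27|'|--|%3B|;)",     "Sql Injection meta characters Filter Detection" },
    { "(%27|')",                          "Sql Injection magic quote Filter Detection" },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Returns the index of the first rule matching request_line, or -1 when none
 * matches (or a pattern fails to compile). Unlike the fall-through switch in
 * capture(), evaluation stops at the first hit, so a line is reported and
 * blocked once instead of once per rule. */
int first_matching_rule(const char *request_line)
{
    size_t i;
    for (i = 0; i < NRULES; i++) {
        regex_t re;
        int rc;
        /* REG_ICASE also catches <SCRIPT> and UNION; REG_NOSUB skips capture bookkeeping. */
        if (regcomp(&re, rules[i].pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
            return -1;
        rc = regexec(&re, request_line, 0, NULL, 0);
        regfree(&re);                     /* the original never freed compiled patterns */
        if (rc == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed log lines in Apache's common log format. */
    const char *lines[] = {
        "10.0.0.1 - - [23/Sep/2011:15:27:36 +0800] \"GET /index.html HTTP/1.1\" 200 44",
        "10.0.0.2 - - [23/Sep/2011:15:27:37 +0800] \"GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\" 200 44",
        "10.0.0.3 - - [23/Sep/2011:15:27:38 +0800] \"GET /?name=O'Brien HTTP/1.1\" 200 44",
    };
    size_t n;
    for (n = 0; n < sizeof lines / sizeof lines[0]; n++) {
        int r = first_matching_rule(lines[n]);
        printf("%s: %s\n", r < 0 ? "clean" : rules[r].info, lines[n]);
    }
    return 0;
}
```

The third sample line shows the cost of the att_5 meta-character rule: any parameter value containing an apostrophe, such as a surname, is reported as SQL injection, and in this design the client address is then blocked.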

IV. Firewall Blocking of the IP Address

The Apache log file has the following format:

127.0.0.1 - - [23/Sep/2011:15:27:36 +0800] "GET / HTTP/1.1" 200 44

So the first space is used as the delimiter: after extracting the IP address, iptables is called to add a rule that drops it.

#include <ctype.h>

void iptables_blockage(char *log_line)
{
    char ip_address[100];
    char command[1000];
    int i;

    /* The client address is everything up to the first space. Stop one byte
     * early so the terminator always fits: the original looped to i <= 100,
     * writing past its 100-byte buffer, and never NUL-terminated the string. */
    for (i = 0; i < (int)sizeof(ip_address) - 1; i++) {
        if (log_line[i] == '\0' || isspace((unsigned char)log_line[i]))
            break;
        /* Only address characters may reach the shell command built below. */
        if (!isxdigit((unsigned char)log_line[i]) && log_line[i] != '.' && log_line[i] != ':')
            return;
        ip_address[i] = log_line[i];
    }
    ip_address[i] = '\0';
    if (i == 0)
        return;
    snprintf(command, sizeof(command), "/sbin/iptables -A INPUT -s %s -j DROP", ip_address);
    FILE *iptables_run = popen(command, "r");
    if (iptables_run != NULL)
        pclose(iptables_run);
}
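An added example, not sqlxsswaf code, of the blocking step with two weaknesses of iptables_blockage removed: the first field is validated as an IPv4 or IPv6 address with inet_pton() before use, and iptables is started with execv() and an argv rather than through a shell command string, so whatever stands in the client field of the log is never interpreted by a shell. The iptables path is assumed to be /sbin/iptables as in the original.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copies the first field of an Apache access log line into out and accepts it
 * only if inet_pton() parses it as an IPv4 or IPv6 address. Returns 1 on
 * success, 0 otherwise; nothing else from the log line reaches iptables. */
int extract_client_ip(const char *log_line, char *out, size_t outsz)
{
    unsigned char buf[16];                 /* big enough for an IPv6 address */
    size_t len = strcspn(log_line, " \t\r\n");
    if (len == 0 || len >= outsz)
        return 0;
    memcpy(out, log_line, len);
    out[len] = '\0';
    return inet_pton(AF_INET, out, buf) == 1 || inet_pton(AF_INET6, out, buf) == 1;
}

/* Adds a DROP rule for ip by exec'ing iptables with an argv, so the address is
 * never parsed by a shell (the original passed a command string to popen()).
 * Returns iptables' exit status, or -1 if it could not be run. */
int block_client_ip(const char *ip)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Assumed path; the original used /sbin/iptables as well. */
        char *const argv[] = { "/sbin/iptables", "-A", "INPUT", "-s", (char *)ip, "-j", "DROP", NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed log line; only its first field is used for the rule. */
    const char *line = "203.0.113.7 - - [23/Sep/2011:15:27:36 +0800] \"GET /?id=1'union HTTP/1.1\" 200 44";
    char ip[INET6_ADDRSTRLEN];
    if (!extract_client_ip(line, ip, sizeof ip)) { fprintf(stderr, "no client address\n"); return 1; }
    printf("blocking %s -> iptables exit status %d\n", ip, block_client_ip(ip));
    return 0;
}
```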


The email notification at the end works the same way as the iptables call; for details see the earlier article on sending email from C on Linux by running a command.
