/*
* Copyright 2010 NCHOVY
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.krakenapps.sonar.passive.ids;
import org.apache.felix.ipojo.annotations.Component;
import org.apache.felix.ipojo.annotations.Invalidate;
import org.apache.felix.ipojo.annotations.Provides;
import org.apache.felix.ipojo.annotations.Requires;
import org.apache.felix.ipojo.annotations.Validate;
import org.krakenapps.malwaredomains.MalwareDomain;
import org.krakenapps.malwaredomains.MalwareDomainService;
import org.krakenapps.pcap.Protocol;
import org.krakenapps.pcap.decoder.http.DefaultHttpProcessor;
import org.krakenapps.pcap.decoder.http.HttpRequest;
import org.krakenapps.pcap.decoder.http.HttpResponse;
import org.krakenapps.sonar.Metabase;
import org.krakenapps.sonar.PassiveScanner;
import org.krakenapps.sonar.passive.ids.checker.InjectionChecker;
import org.krakenapps.sonar.passive.ids.rule.Rule;
import org.krakenapps.sonar.passive.safebrowsing.GoogleSafeBrowsing;
import java.io.File;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@Component(name = "sonar-http-attack-detector")
@Provides
public class HttpAttackDetector extends DefaultHttpProcessor {
private final Logger logger = LoggerFactory.getLogger(HttpAttackDetector.class.getName());
@Requires
private PassiveScanner scanner;
@Requires
private MalwareDomainService malwareDomainService;
private InjectionChecker injectionChecker;
private GoogleSafeBrowsing gsb;
final String DATA_PATH = System.getProperty("kraken.data.dir") + "/kraken-sonar/ids-rules/http/";
@Validate
public void start() {
// Create Data Location
prepareDataPath();
// Load RFI Injection script
injectionChecker = new InjectionChecker();
injectionChecker.setHomeDir(DATA_PATH);
injectionChecker.load();
// Load GoogleSafeBrowsing
gsb = new GoogleSafeBrowsing(DATA_PATH);
gsb.update();
scanner.addTcpSniffer(Protocol.HTTP, this);
logger.info("kraken sonar: http attack detector started.");
}
private void prepareDataPath() {
File dir = new File(DATA_PATH);
if (!dir.isDirectory()) {
dir.mkdirs();
}
}
@Invalidate
public void stop() {
if (scanner != null)
scanner.removeTcpSniffer(Protocol.HTTP, this);
}
@Override
public void onRequest(HttpRequest req) {
String rawUrl = req.getURL().toString();
String url = normalizeUrl(rawUrl);
logger.trace("kraken sonar: check url {}", url);
List<Rule> injections = injectionChecker.check(url);
if (!injections.isEmpty()) {
trace("Injection", rawUrl, injections);
// alert(rawUrl, "Injection",
// metabase.updateIpEndPoint(req.getLocalAddress()));
}
MalwareDomain malwareDomain = malwareDomainService.match(req.getURL());
if (malwareDomain != null) {
logger.info("kraken sonar: malware domain detected [{}]", malwareDomain);
}
int result = gsb.SafeCheck(url);
if (result == 1) {
// alert(rawUrl, "GSB-Malware",
// metabase.updateIpEndPoint(req.getLocalAddress()));
}
if (result == 2) {
// alert(rawUrl, "GSB-BlackList",
// metabase.updateIpEndPoint(req.getLocalAddress()));
}
}
@Override
public void onResponse(HttpRequest req, HttpResponse resp) {
}
private static String normalizeUrl(String originalURL) {
String url = "";
String[] tempSplit = originalURL.split("/");
String tempToken = tempSplit[0];
for (int i = 1; i < tempSplit.length; ++i) {
if (tempSplit[i].equals(".")) {
// this token "./" found! -> remove this token
} else if (tempSplit[i].equals("..")) {
// next token "../" found! -> remove this token and next token
tempToken = "[DEL]";
} else {
if (tempToken.equals("[DEL]") == false) {
url += tempToken + "/";
}
tempToken = tempSplit[i];
}
}
if (tempToken.isEmpty() == false) {
url += tempToken + "/";
}
return url;
}
private void trace(String title, String url, List<Rule> result) {
if (result.isEmpty() == false) {
System.out.println(title + " found! - '" + url + "'");
for (Rule r : result)
System.out.println(" >> " + r);
}
}
}