# Copyright 2020 FireEye, Inc. and Citrix Systems, Inc.
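declare -a success_regexes
# here's a great example of a write-once, read-never regex!
# so, lets explain how it works:
#
# we want to match successful requests in web server access logs containing paths like:
#
# /vpns/portal/12345678.xml
# /vpn/../vpns/portal/12345678.xml
#
# these paths can be URL encoded, so we also match that.
#
# [any method] [space] [any url prefix] /vpns/ [any url fragment].xml [any postfix, like query params] [space] HTTP/1.1" [space] [200 or 304]
#                                       ^^^^ maybe encoded
#
# these patterns are handed to `zgrep -Ei` (see successful_exploitation), i.e. POSIX ERE
# with the GNU `\s` extension, matched case-insensitively.
# inside a bracket expression a backslash is an ordinary character, so `[^\s]` would mean
# "anything except a backslash or an s" rather than "anything except whitespace" -- and
# would silently miss any request whose path after /vpns/ contains an "s". the "no
# whitespace" runs therefore use the POSIX class `[^[:space:]]`.
#
# [0]: any 3-7 letter method, a path that reaches /vpns/ and ends in .xml, answered with 200 or 304.
success_regexes[0]="\]\s\"[A-Z]{3,7}\s[^[:space:]]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^[:space:]]*\.(x|%[57]8)(m|%[46]d)(l|%[46]c)[^[:space:]]*\sHTTP/1\.1\"\s(200|304)"
# [1]: GET or POST of a perl script under /vpns/, answered with 304.
success_regexes[1]="(GET|POST)\s[^[:space:]]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^[:space:]]*\.pl[^[:space:]]*\sHTTP/1\.1\"\s304"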
# there are other patterns that can be effective at finding scanning and exploitation.
# however, we're not convinced that they won't FP on simple scanning.
# right now, this script is specifically focusing on high confidence indicators of compromise.
# please see the discussion in the readme about our philosophy here.
#
# find success requests to perl scripts.
# we are not sure if there are any legitimate uses for this URL extension.
# we are not sure if this will flag on simple scanning.
#success_regexes[2]="(POST|GET|HEAD).*\.pl.*(200|304)";
# find directory traversal.
# we suspect this will flag on simple scanning.
#success_regexes[3]="/vpn/\.\./vpns/.*(200|304)";
# find single-request exploitation, associated with NOTROBIN actor.
# we're not sure how the exploit works.
# we're not sure if this will flag on scanning or legitimate interaction.
#success_regexes[4]="POST\s[^\s]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^\s]*\.pl.*HTTP/1\.1\"\s304"
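#######################################
# Scan the web server access logs for lines matching success_regexes and
# report them as high-confidence evidence of successful exploitation.
# Globals:   root_directory (read) - root of the filesystem being scanned
#            success_regexes (read) - ERE patterns, matched case-insensitively
# Arguments: none
# Outputs:   report_match/report on hits, debug otherwise
# Returns:   0
#######################################
successful_exploitation() {
  local log_dir="$root_directory/var/log/"
  if [[ ! -d "$log_dir" ]]; then
    debug "didn't find /var/log/"
    return
  fi

  local regex hits results=""
  for regex in "${success_regexes[@]}"; do
    # zgrep reads rotated (.gz) and plain logs alike; -H prefixes each hit with its file name.
    # find's exit status does not reflect zgrep's, so "no match" is not an error here.
    hits=$(find "$log_dir" -type f -iname "*httpaccess*" -exec zgrep -HEi "$regex" {} \;)
    # ref: https://stackoverflow.com/a/3182519/87207
    results="$results"$'\n'"$hits"
  done

  # keep only lines with real content (drops the blank separators added above) and
  # de-duplicate, since the same log line may be hit by more than one regex.
  # the pattern is quoted so the shell cannot glob-expand it against files in the cwd
  # (an unquoted [a-zA-Z0-9] would become the name of any single-character file there).
  # grep exits 1 when nothing is left, which is not an error for us.
  local deduped_results
  deduped_results=$(printf '%s\n' "$results" | grep -E -- '[a-zA-Z0-9]' | sort -u) || true

  # counted on the de-duplicated text so the number agrees with what is reported;
  # the arithmetic expansion tolerates the padded output of BSD wc.
  local result_count=0
  if [[ -n "$deduped_results" ]]; then
    result_count=$(( $(printf '%s\n' "$deduped_results" | wc -l) ))
  fi

  if (( result_count > 0 )); then
    report_match "web access logs show $result_count instances of successful HTTP exploitation"
    report "web access log entries:"
    report "$deduped_results"
  else
    debug "no instances of exploit attempts found in HTTP access logs"
  fi
}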
#######################################
# Entry point for the access-log checks. Currently the only check is the
# successful-exploitation scan, so this simply delegates to it.
# Globals:   none read directly (see successful_exploitation)
# Arguments: none
# Returns:   the status of successful_exploitation
#######################################
scan_access_logs() {
  successful_exploitation
}