Mozilla Security libinjection processing for request events

For events matching the message matcher, apply libinjection SQLi and XSS detection to the value of request_field.

request_field should contain the URI to be analyzed, including its parameters. For example "http://example.host/test?arg=value".

If request_field contains more than just the URI (for example, it may also contain the HTTP method and protocol, as is common with web server logs), then request_field_capture can be set to a Lua pattern with a single capture; the pattern is applied to request_field and the captured substring is what gets inspected.

Where XSS or SQLi is detected by libinjection, an entry is added to a list that is processed at each ticker_interval. This results in either TSV output being submitted or, if send_iprepd is true, violation messages being generated for the IP addresses associated with the findings.

If enable_metrics is true, the module will submit metrics events for collection by the metrics output sandbox. Ensure timer_event_inject_limit is set appropriately, since with metrics enabled timer_event will inject up to 2 messages per tick (the violation notice and the metric event).

1. Sample Configuration

filename = "moz_security_webinj.lua"
message_matcher = "Logger == 'input.nginx'"
ticker_interval = 120
preserve_data = false

id_field = "Fields[remote_addr]" -- field to use as the identifier (e.g., remote address)
-- id_field_capture = ",? *([^,]+)$" -- optional, e.g., extract the last entry in a comma delimited list
request_field = "Fields[request]" -- field containing the HTTP request
-- request_field_capture = "%S+%s+(%S+)" -- optional, e.g., extract the second string in the field
-- list_max_size = 500 -- optional, defaults to 500 if unset
-- strip_nul = true -- optional, strip %00 prior to inspection, defaults to false

-- send_iprepd = false -- optional, if true plugin will generate iprepd violation messages
-- xss_violation_type = "fxa:webinj_xss" -- required in violations mode, iprepd violation type
-- sqli_violation_type = "fxa:webinj_sqli" -- required in violations mode, iprepd violation type

-- enable_metrics = false -- optional, if true enable secmetrics submission
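The following is an added example, not the plugin's own source, that walks through the steps the configuration above describes on constructed nginx-style fields: apply id_field_capture and request_field_capture as Lua pattern captures, strip %00 when strip_nul is set, run libinjection over the result, and collect findings in a list bounded by list_max_size for a tick to drain. It assumes the "libinjection" module from lua_sandbox_extensions, exposing sqli(s) and xss(s) that return a boolean as their first result. The percent-decoding step and the TSV column layout are this example's own choices; this page does not specify either.

```lua
-- Added example (not moz_security_webinj.lua itself). Assumes the
-- lua_sandbox_extensions "libinjection" module with sqli(s) and xss(s).
local libinjection = require "libinjection"

-- Values mirrored from the sample configuration above
local cfg = {
  id_field_capture      = ",? *([^,]+)$",  -- last entry of a comma delimited list
  request_field_capture = "%S+%s+(%S+)",   -- second whitespace separated token
  strip_nul             = true,
  list_max_size         = 500,
}

-- Constructed sample events (not real traffic). request carries a full
-- nginx request line; remote_addr may carry an X-Forwarded-For style chain.
local events = {
  { remote_addr = "203.0.113.5",               request = "GET /index.html HTTP/1.1" },
  { remote_addr = "203.0.113.9, 198.51.100.7", request = "GET /item?id=1%27+OR+%271%27%3D%271 HTTP/1.1" },
  { remote_addr = "192.0.2.44",                request = "GET /q?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" },
  { remote_addr = "192.0.2.44",                request = "GET /q?s=%00%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" },
}

-- Decode percent escapes and '+' so libinjection sees the text a browser
-- would have sent. Assumption of this example, not a documented plugin step.
local function url_decode(s)
  s = string.gsub(s, "%+", " ")
  return (string.gsub(s, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Findings list drained at each tick; bounded by list_max_size so a flood
-- of hits cannot grow memory without limit between ticks.
local findings, nfindings = {}, 0

local function record(id, kind, uri)
  if nfindings >= cfg.list_max_size then return false end
  nfindings = nfindings + 1
  findings[nfindings] = { id = id, kind = kind, uri = uri }
  return true
end

local function process_event(ev)
  local id = ev.remote_addr
  if cfg.id_field_capture then id = string.match(id, cfg.id_field_capture) end
  local req = ev.request
  if cfg.request_field_capture then req = string.match(req, cfg.request_field_capture) end
  if not id or not req then return end           -- capture did not match; nothing to inspect
  if cfg.strip_nul then req = string.gsub(req, "%%00", "") end
  local decoded = url_decode(req)
  if libinjection.sqli(decoded) then record(id, "sqli", req) end
  if libinjection.xss(decoded) then record(id, "xss", req) end
end

-- Stand-in for the tick: emit one TSV line per finding (column layout is
-- this example's own) and reset the list.
local function tick()
  for _, f in ipairs(findings) do
    print(table.concat({ f.id, f.kind, f.uri }, "\t"))
  end
  findings, nfindings = {}, 0
end

for _, ev in ipairs(events) do process_event(ev) end
tick()
```

With id_field_capture set, the second event is attributed to 198.51.100.7 rather than the first hop in the chain; without strip_nul, the fourth event's %00 survives into the inspected text, which is the case the option exists to handle.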

source code: moz_security_webinj.lua
