Saturday, 17 August 2013

Ruleset updates: SolusVM, HTTP smuggling, Joomla exploits, Java + Apache Struts

[+] new sigs:
42000269 :: web_server.rules :: DN WEB_SERVER Possible Scan for SolusVM WHMCS Module 3.16 Vulnerability
42000270 :: web_server.rules :: DN WEB_SERVER Possible Fast-Track Tool Spidering User-Agent Detected
42000271 :: web_server.rules :: DN WEB_SERVER ForumSpammer Access
42000272 :: scanner.rules :: DN SCAN Arachni Scanner Web Scan (UA)
42000273 :: scanner.rules :: DN SCAN Arachni Web Scan (URL)
42000274 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (GET in Headers)
42000275 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (POST in Headers)
42000276 :: web_apps.rules :: DN WEB_APPS HTTP - Smuggling-Attempt (Proxy-GET in Headers)
42000277 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (Proxy-POST in Headers)
42000278 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (NewLine in URI)
42000279 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Comma in Content-Type
42000280 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Comma in Content-Length
42000282 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Multiple Values in Transfer-Encoding
42000284 :: web_server.rules :: DN WEB_SERVER Open-Proxy-Scan
42000285 :: web_server.rules :: DN WEB_SERVER Joomla JCE-Exploit-Scan
42000286 :: app_server.rules :: DN APP_SERVER Apache Struts Possible OGNL Java ProcessBuilder URI
42000287 :: app_server.rules :: DN APP_SERVER Generic JAVA - Attempt - java.lang.Runtime in Request
42000288 :: app_server.rules :: DN APP_SERVER Generic JAVA - Attempt - getRuntime.exec() in Request
42000289 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI
42000290 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regread Stored Procedure Via URI
42000291 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regwrite Stored Procedure Via URI
42000292 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regdeletevalue Stored Procedure Via URI
42000293 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regdeletekey Stored Procedure Via URI
42000294 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI
42000295 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI
42000296 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI
42000297 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI
42000298 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_enumgroups Stored Procedure Via URI
42000299 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_ntsec_enumdomains Stored Procedure Via URI
42000300 :: scanner.rules :: DN SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure
42000301 :: web_server.rules :: DN WEB_SERVER SQLNinja Attempt To Create xp_cmdshell Session
42000302 :: web_server.rules :: DN WEB_SERVER AWSTATS - Access
42000303 :: web_server.rules :: DN WEB_SERVER AWSTATS - Access (2)
42000304 :: scanner.rules :: DN SCAN Spambot Windows-Live-Social-Object-Extractor-Engine
42000305 :: scanner.rules :: DN SCAN Possible HNAP-Exploit-Attempt
42000306 :: scanner.rules :: DN SCAN Morfeus - F*cking-Scanner
42000307 :: scanner.rules :: DN SCAN WP-Contents/Plugins Access
42000308 :: web_server.rules :: DN WEB_SERVER Base64Encoded phpinfo
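The HTTP smuggling signatures above (42000274 to 42000282) all key on the same condition: a request whose framing is ambiguous, so that a proxy and the origin server can disagree on where one request ends and the next begins. The Python checker below is an added example written for this page, not the content of the DN rules themselves. It flags those same indicator classes over constructed sample requests (a second GET/POST line hidden in the header block, the Proxy- variants with an absolute URI, a newline in the request line, commas in Content-Length and Content-Type, multiple Transfer-Encoding values) and, going beyond the listed signatures, also flags a duplicated Content-Length and Content-Length together with Transfer-Encoding. The indicator names and the SAMPLES dict are made up for illustration.

```python
"""Request-smuggling indicator checks over raw HTTP request heads.

Added example: the checks mirror the anomaly classes the signature names
above describe, not the DN rules' actual content.  All requests in
SAMPLES are constructed for illustration."""
import re
from typing import Dict, List

# A complete request line where a header should be.  The target tells the
# "Proxy-" variants (absolute URI) apart from the plain ones.
SMUGGLED_REQ_LINE = re.compile(
    rb"^(GET|POST)[ \t]+(\S+)[ \t]+HTTP/1\.[01]\s*$", re.IGNORECASE)
# Raw CR/LF or their URL-encoded forms inside the request line.
NEWLINE = re.compile(rb"[\r\n]|%0[aAdD]")


def check_request(raw: bytes) -> List[str]:
    """Return sorted indicator names found in the head of one request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    findings = set()
    counts: Dict[bytes, int] = {}

    # NewLine in URI: a terminator inside the request line lets a parser
    # that accepts bare LF see two requests where the front end saw one.
    if NEWLINE.search(request_line):
        findings.add("newline-in-uri")

    for line in header_lines:
        m = SMUGGLED_REQ_LINE.match(line)
        if m:
            # GET/POST in headers (Proxy- variant when the target is absolute).
            method = m.group(1).lower().decode()
            absolute = m.group(2).lower().startswith((b"http://", b"https://"))
            findings.add(("proxy-" if absolute else "") + method + "-in-headers")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        counts[name] = counts.get(name, 0) + 1
        # Commas in framing headers ("Content-Length: 6, 6",
        # "Transfer-Encoding: chunked, identity") are parsed differently by
        # different servers, which is exactly what a smuggling attempt needs.
        if name == b"content-length" and b"," in value:
            findings.add("comma-in-content-length")
        elif name == b"content-type" and b"," in value:
            findings.add("comma-in-content-type")
        elif name == b"transfer-encoding" and b"," in value:
            findings.add("multiple-transfer-encoding")

    # Beyond the listed signatures: repeated framing headers, and CL and TE
    # on the same request (the CL.TE / TE.CL desync precondition).
    if counts.get(b"transfer-encoding", 0) > 1:
        findings.add("multiple-transfer-encoding")
    if counts.get(b"content-length", 0) > 1:
        findings.add("duplicate-content-length")
    if b"content-length" in counts and b"transfer-encoding" in counts:
        findings.add("cl-and-te")
    return sorted(findings)


# Constructed sample requests, one per indicator plus a clean one.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_in_headers": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                       b"Content-Length: 0\r\nGET /admin HTTP/1.1\r\nX: y\r\n\r\n"),
    "proxy_post": (b"GET / HTTP/1.1\r\nHost: a\r\n"
                   b"POST http://203.0.113.5/x HTTP/1.1\r\n\r\n"),
    "comma_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 6, 6\r\n\r\nx=1",
    "comma_ct": (b"POST / HTTP/1.1\r\nHost: a\r\nContent-Type: text/plain, foo\r\n"
                 b"Content-Length: 3\r\n\r\nx=1"),
    "te_multi": (b"POST / HTTP/1.1\r\nHost: a\r\n"
                 b"Transfer-Encoding: chunked, identity\r\n\r\n0\r\n\r\n"),
    "cl_te": (b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "newline_uri": (b"GET /search?q=x%0d%0aX-Injected:%201 HTTP/1.1\r\n"
                    b"Host: a\r\n\r\n"),
}


def scan_all() -> Dict[str, List[str]]:
    """Run every sample through the checker; used by the demo below."""
    return {name: check_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:15s} {hits}")
```

Two caveats for anyone turning this into rules: `Transfer-Encoding: gzip, chunked` is valid per RFC 7230, so the multiple-values check is a tuning candidate rather than a hard block, and the checker assumes CRLF-framed input as an IDS stream reassembler would hand it over.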

Sunday, 11 August 2013

DX-Console: central interface to distributed Naxsi installations

DX-Console is a web-based front end to a MongoDB-backed Naxsi event database.
It is meant to provide centralised monitoring, analysis and alerting (tbd) for a set of distributed Naxsi sensors.

Features:

  • centralised display of distributed Naxsi installations
  • dashboard for a quick overview
  • latest events (kind of a live log) + marking of new events
  • alerts on newly found URL/IP/host
  • combined or standalone search for IPs/Naxsi IDs/hosts etc., e.g. ip = x.x.x.x & host = www.example.com
  • freely adjustable time-range filter, e.g. 1d/7d/42w, but also 7d-14d
  • audit your own IP; useful when pentesting a site
  • IP reputation control: feed a list of your own IPs and get alerts when suspicious requests are made from those IPs
  • comprehensive status display (tbf)
  • mark events as false positives / delete them from Event_DB
  • user administration
  • rules_id-based whitelist generation
  • saved searches (saving search terms and results) (tbf)
  • running agents that alert when given thresholds are met, e.g. attacks/day (tbf)
  • API interface for agents (think Nagios) (tbd)

  • Flask-based application
  • modified nx_util
    • MongoDB for storing event data
    • skip known events, thus enabling a short-interval cronjob for nx_util
  • fancy Web X.0 flat-style, webscale, JS-only, AJAX-based, Bootstrap-based interface
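As an added illustration of the nx_util side described above (this is example code written for this page, not DX-Console's or nx_util's own): parsing NAXSI_FMT lines from the nginx error log, skipping events already stored so that a short-interval cron run never re-imports the same lines, and generating rules_id-based BasicRule whitelists for events an analyst has marked as false positives. The log lines are constructed. The field layout assumed (ip=, server=, uri=, zoneN=, idN=, varN=) and the $ARGS_VAR/$BODY_VAR/$HEADERS_VAR/$URL match-zone syntax are Naxsi's log and whitelist formats as understood here; the in-memory `seen` set stands in for the MongoDB event collection.

```python
"""Added example (not DX-Console's or nx_util's code): ingest Naxsi
NAXSI_FMT lines, skip events already seen, and build rule_id-based
whitelists from the stored matches.  Log lines below are constructed."""
import hashlib
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs

# Leading nginx timestamp and the NAXSI_FMT query string that follows it
# (assumed layout: ip=&server=&uri=...&zone0=&id0=&var0=...).
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
FMT_RE = re.compile(r"NAXSI_FMT: ([^\s,]+)")

# Naxsi zone name -> match-zone prefix used in BasicRule whitelists.
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR",
              "HEADERS": "$HEADERS_VAR", "URL": "$URL"}


def parse_naxsi_line(line: str) -> Optional[Dict]:
    """One error-log line -> event dict, or None if it is not a NAXSI line."""
    m = FMT_RE.search(line)
    if not m:
        return None
    q = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    ts = TS_RE.match(line)
    matches = []
    i = 0
    while f"id{i}" in q:  # zone0/id0/var0, zone1/id1/var1, ...
        matches.append((q.get(f"zone{i}", ""), int(q[f"id{i}"]), q.get(f"var{i}", "")))
        i += 1
    return {"ts": ts.group(1) if ts else "", "ip": q.get("ip", ""),
            "server": q.get("server", ""), "uri": q.get("uri", ""),
            "blocked": q.get("block") == "1", "matches": matches}


def event_key(ev: Dict) -> str:
    """Stable identity: the same line re-read on the next cron run yields
    the same key and is skipped."""
    parts = [ev["ts"], ev["ip"], ev["server"], ev["uri"]]
    parts += [f"{z}:{r}:{v}" for z, r, v in ev["matches"]]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def ingest(lines: List[str], seen: Set[str]) -> List[Dict]:
    """Return only events not yet in `seen` (the stand-in for the event DB)
    and record them."""
    new = []
    for line in lines:
        ev = parse_naxsi_line(line)
        if ev is None:
            continue
        key = event_key(ev)
        if key in seen:
            continue
        seen.add(key)
        new.append(ev)
    return new


def whitelist_rules(events: List[Dict], rule_id: int) -> List[str]:
    """BasicRule whitelists that silence `rule_id` exactly where the given
    (false-positive) events matched it: variable plus URL, never globally."""
    rules = set()
    for ev in events:
        for zone, rid, var in ev["matches"]:
            if rid != rule_id:
                continue
            base, _, name_flag = zone.partition("|")  # e.g. "ARGS|NAME"
            prefix = ZONE_TO_MZ.get(base)
            if prefix is None:
                continue
            mz = (f"$URL:{ev['uri']}" if base == "URL"
                  else f"{prefix}:{var}|$URL:{ev['uri']}")
            if name_flag:
                mz += "|NAME"
            rules.add(f'BasicRule wl:{rule_id} "mz:{mz}";')
    return sorted(rules)


# Constructed sample log: one SQLi-style hit, the same line again (as a
# second cron run over the same file would see it), an XSS-style hit with
# two matches, and an unrelated nginx error.
_LINE1 = ('2013/08/11 10:12:01 [error] 1234#0: *7 NAXSI_FMT: ip=203.0.113.7'
          '&server=www.example.com&uri=/index.php&learning=0&vers=0.50'
          '&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=8'
          '&zone0=ARGS&id0=1001&var0=id, client: 203.0.113.7, server: '
          'www.example.com, request: "GET /index.php?id=1%22 HTTP/1.1"')
_LINE2 = ('2013/08/11 10:12:05 [error] 1234#0: *8 NAXSI_FMT: ip=198.51.100.9'
          '&server=www.example.com&uri=/comment&learning=0&vers=0.50'
          '&total_processed=13&total_blocked=4&block=1&cscore0=$XSS&score0=16'
          '&zone0=BODY&id0=1302&var0=text&zone1=BODY&id1=1303&var1=text, '
          'client: 198.51.100.9, server: www.example.com')
_LINE3 = '2013/08/11 10:13:00 [error] 1234#0: *9 open() "/var/www/x" failed'
SAMPLE_LOG = [_LINE1, _LINE1, _LINE2, _LINE3]


if __name__ == "__main__":
    store: Set[str] = set()
    events = ingest(SAMPLE_LOG, store)
    print(len(events), "new events;", len(ingest(SAMPLE_LOG, store)), "on re-run")
    print("\n".join(whitelist_rules(events, 1001)))
```

Keying the event on timestamp, client, server, URI and the full match list means a genuine repeat of the same attack one second later is still stored; only an identical log line seen twice is dropped. The generated whitelist is deliberately narrow (variable and URL), which is the form one wants when the whitelist comes straight out of a "mark as false positive" click rather than from a review of the rule itself.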


Screenshots


Dashboard



Dashboard-charts



Latest events / live log with 1 new





Search & result



Search & Charts


Combined search / host + peer_ip




Search - add new terms from interface




Search - predefined Searches



Agents log



Alerts on newly found IPs/URLs etc.



Known sigs display



System messages



Basic admin interface


DX-Console was inspired by Snorby and Splunk.