CGI-IDS
Example XML Code
<whitelist>
    <param>
        <key>scr_id</key>
        <rule><![CDATA[(?:^[0-9]+\.[0-9a-f]+$)]]></rule>
    </param>
    <param>
        <key>uid</key>
    </param>
    <param>
        <key>json_value</key>
        <encoding>json</encoding>
    </param>
    <param>
        <key>login_password</key>
        <conditions>
            <condition>
                <key>username</key>
                <rule><![CDATA[(?:^[a-z]+$)]]></rule>
            </condition>
            <condition>
                <key>send</key>
            </condition>
            <condition>
                <key>action</key>
                <rule><![CDATA[(?:^login$)]]></rule>
            </condition>
        </conditions>
    </param>
    <param>
        <key>sender_id</key>
        <rule><![CDATA[(?:[0-9]+\.[0-9a-f]+)]]></rule>
        <conditions>
            <condition>
                <key>action</key>
                <rule><![CDATA[(?:^message$)]]></rule>
            </condition>
        </conditions>
    </param>
</whitelist>
Used XML Tags
* whitelist
The root tag.
* param
Parameter item. Defines the query parameter to be whitelisted.
* key
Parameter key.
* rule
Regular expression to match. If the parameter value matches
this rule or the rule tag is not present, the IDS will not
run its filters on it. Case-sensitive; mode modifiers *m*
and *s* in use.
* encoding
Use value *json* if the parameter contains JSON encoded
data. IDS will test the decoded data, otherwise a false
positive would occur due to the 'suspicious' JSON encoding
characters.
* conditions
Set of conditions to be fulfilled. This is the parameter
environment in which the whitelisted parameter has to live.
The parameter will only be skipped if all conditions
(and its own parameter rule) match.
In the example XML this means: *login_password* may only be
skipped from filtering if parameter *action* equals *login*,
parameter *send* is present and parameter *username*
contains only lowercase letters.
* condition
A condition to be fulfilled.
* key
Parameter key.
* rule
Regular expression to match. Missing `<rule>' means
*key has to be present no matter what content (can
even be empty)*.
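To show how the param/rule/conditions tags combine, here is an added example (not CGI::IDS code) that parses a constructed copy of the page's whitelist and decides, per request key, whether the IDS would skip it; the `encoding` tag is left out, and the order in which the checks are applied is this example's assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the page's example whitelist (example data, not module code).
WHITELIST_XML = r"""<whitelist>
  <param><key>scr_id</key><rule><![CDATA[(?:^[0-9]+\.[0-9a-f]+$)]]></rule></param>
  <param><key>uid</key></param>
  <param><key>login_password</key><conditions>
    <condition><key>username</key><rule><![CDATA[(?:^[a-z]+$)]]></rule></condition>
    <condition><key>send</key></condition>
    <condition><key>action</key><rule><![CDATA[(?:^login$)]]></rule></condition>
  </conditions></param>
</whitelist>"""

RULE_FLAGS = re.MULTILINE | re.DOTALL  # rules are case-sensitive, with m and s in use

def load_whitelist(xml_text):
    """Parse <whitelist> into {key: {"rule": ..., "conditions": [(key, rule), ...]}}."""
    whitelist = {}
    for param in ET.fromstring(xml_text).findall("param"):
        conditions = [(c.findtext("key"), c.findtext("rule"))
                      for c in param.findall("conditions/condition")]
        whitelist[param.findtext("key")] = {"rule": param.findtext("rule"),
                                            "conditions": conditions}
    return whitelist

def rule_matches(rule, value):
    # A missing <rule> accepts any content, even an empty value.
    return rule is None or re.search(rule, value, RULE_FLAGS) is not None

def classify(whitelist, request, key):
    """Return (filtered, reason) for request[key]. Reason codes are the ones the
    page lists for filtered_keys / non_filtered_keys; the check order is this
    example's assumption, not documented CGI::IDS behaviour."""
    entry = whitelist.get(key)
    if entry is None:
        return True, "key"      # key not whitelisted
    for cond_key, cond_rule in entry["conditions"]:
        if cond_key not in request or not rule_matches(cond_rule, request[cond_key]):
            return True, "cond"  # condition mismatch in the surrounding parameters
    if not rule_matches(entry["rule"], request[key]):
        return True, "rule"     # value fails the parameter's own rule
    return False, "harml"       # whitelisted: the IDS skips its filters here

def filtered_keys(whitelist, request):
    """Request keys the IDS would still run its filters on."""
    return sorted(k for k in request if classify(whitelist, request, k)[0])
```

Only the parameters named in the whitelist can ever be skipped; everything else in the request (here `username`, `send`, `action`) still goes through the IDS filters.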
Helper methods for building and improving whitelists
# check request
my $impact = $ids->detect_attacks( request => $request );

# print reasons and key/value pairs to a logfile for analysis of your
# application parameters (LOG is an already opened write filehandle)
print LOG "filtered_keys:\n";
foreach my $entry (@{$ids->{filtered_keys}}) {
    print LOG "\t".$entry->{reason}."\t".$entry->{key}.' => '.$entry->{value}."\n";
}
print LOG "non_filtered_keys:\n";
foreach my $entry (@{$ids->{non_filtered_keys}}) {
    print LOG "\t".$entry->{reason}."\t".$entry->{key}.' => '.$entry->{value}."\n";
}
`$entry->{reason}' returns the following reasons for skipping and
not skipping a value:
`$ids->{filtered_keys}'
* *key*: key not whitelisted
Filtered due to missing rule set for this key.
* *cond*: condition mismatch
Filtered due to mismatching conditions for this key.
* *rule*: rule mismatch
Filtered due to mismatching rule for this key.
* *enc*: value contains encoding
Filtered due to containing (JSON) encoding for this key.
`$ids->{non_filtered_keys}'
* *empty*: empty value
Not filtered due to empty value for this key.
* *harml*: harmless value