
nxtool-ng's Introduction


              __                __                  
.-----.--.--.|  |_.-----.-----.|  |____.-----.-----.
|     |_   _||   _|  _  |  _  ||  |____|     |  _  |
|__|__|__.__||____|_____|_____||__|    |__|__|___  |
                                             |_____|

 -- Because life is too short to transform naxsi logs into rules by hand.

nxtool-ng is a tool to magically transform your naxsi logs into useful rules. It can read its data from your Elasticsearch instance, or you can feed it flat files, and it will show you some statistics, generate relevant whitelists, provide type-based rules, …

It is built from modules, each of which generates its own whitelists without overlapping the others.

Proudly powered by Python (2 and 3 by the way), using (optionally) elasticsearch-dsl, written with love and tears by the great people of NBS-System, nxtool-ng is released under the GPL.

Installation

Nxtool-ng depends on nxapi for naxsi-related magic, and optionally on elasticsearch-dsl if you want to generate rules from an Elastic instance. You can install them with the requirements file matching your Elasticsearch version:

Elasticsearch 5.x

pip install -r ./requirements-v5.txt

Elasticsearch 2.x

pip install -r ./requirements-v2.txt

Elasticsearch 1.x

pip install -r ./requirements-v1.txt

Usage

$ python nxtool.py -h
usage: nxtool.py [-h] [-v] [--elastic] [--flat-file] [--stdin] [--archive]
                 [--typing] [--whitelist] [--filter FILTER] [--stats]
                 [hostname]

Sweet tool to help you managing your naxsi logs.

positional arguments:
  hostname

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose

Log sources:
  --elastic-source
  --flat-file
  --stdin

Actions:
  --typing
  --whitelist
  --elastic-dest
  --filter FILTER
  --stats
  --slack

First, you can populate an Elasticsearch instance from a flat file:

$ python nxtool.py --elastic-dest --flat-file example.com.log

For example, if you want some stats about example.com using your elasticsearch instance:

$ python nxtool.py --elastic-source --stats example.com
2.39.218.24: 14
14.76.8.132: 18
13.24.13.122: 8
157.5.39.176: 13
19.187.104.23: 8
80.24.150.43: 21
50.2.176.10: 198
79.14.72.145: 44
14.26.23.213: 80
86.242.8.36: 58

# URI #
/cache.php: 12
/11.php: 12
/call-for-paper-contact/: 82
/: 22
/xmlrpc.php: 22
/en/production/type.asp: 41
/contact/: 21
/wp-json/oembed/1.0/embed: 38
/en/production/formation.asp: 68
/totallylegit/: 14

# ZONE #
BODY: 276
ARGS|NAME: 24
URL: 22
ARGS: 146
HEADERS: 54
BODY|NAME: 10
FILE_EXT: 4

# SERVER #
example.com: 536

To generate some whitelists for example.com, using your elasticsearch instance:

$ python nxtool.py --elastic-source --whitelist example.com
[+] Generating Google analytics rules
[+] Generating Image 1002 rules
[+] Generating cookies rules
[+] Generating var + zone rules
[+] Generating site rules
[+] Generating zone rules
[+] Generating url rules

Generated whitelists:
	BasicRule wl:1310,1311 "mz:$HEADERS_VAR:cookie" "msg:Cookies";

You can add the --verbose flag if you want more information about what's going on. If you're using flat files, you can pass plain files as well as archives such as .zip or .tar.gz.

You can add the --slack flag to loosen the constraints on whitelist generation. This can be useful when you only have a small amount of logs.

You can also use nxtool-ng to query your Elasticsearch instance, for example to search for requests to /admin that triggered rule 1010 in the HEADERS zone:

$ python nxtool.py --elastic-source --filter 'uri=/admin,zone=HEADERS,id=1010'

zone: HEADERS
ip: 133.144.211.172
whitelisted: false
uri: /admin
comments: import:2016-08-30 09:44:17.938620
server: example.com
content: 
var_name: cookie
country: 
date: 2016-08-30T09:45:13+0200
id: 1010

zone: HEADERS
ip: 15.125.251.122
whitelisted: false
uri: /admin
comments: import:2016-08-30 11:00:03.523580
server: example.com
content: 
var_name: cookie
country: 
date: 2016-08-30T11:06:36+0200
id: 1010

It's also possible to type your parameters, which tightens the security of your application a bit:

$ python nxtool.py --elastic-source --typing --verbose example.com

Generated types:

BasicRule negative "rx:^$" "msg:empty" "mz:FILE_EXT:user_avatar" "s:BLOCK";
BasicRule negative "rx:^$" "msg:empty" "mz:FILE_EXT:society_logo" "s:BLOCK";
BasicRule negative "rx:^https?://([0-9a-z-.]+\.)+[\w?+-=&/ ]+$" "msg:url" "mz:ARGS:url" "s:BLOCK";

Note on the structure of ElasticSearch entries

Each core rule violation is logged in a NAXSI_FMT entry, and each violation is stored once in the Elasticsearch instance. The field types of the Elasticsearch entries are enforced as follows:

    ip = Ip
    coords = GeoPoint
    learning = Boolean
    total_processed = Integer
    total_blocked = Integer
    blocked = Boolean
    cscore0 = Keyword
    score0 = Integer
    zone = Keyword
    id = Integer
    var_name = Keyword
    date = Date
    whitelisted = Boolean
    uri = Text
    server = Text
    comments = Text
    vers = Text

The first term is the key used in NAXSI_FMT and the second term is the Elasticsearch type it is mapped to. Text is used as a backward-compatible version of Keyword. We may drop support for old Elasticsearch versions in the near future and replace Text with Keyword.

Note that one request might violate multiple core rules and therefore lead to multiple entries in Elasticsearch.
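As an added example (not code from nxtool-ng or nxapi), the following parser applies the mapping above to NAXSI_FMT lines, producing one typed entry per violated core rule, and then derives a var+zone whitelist in the BasicRule form shown under Usage. The sample log lines are constructed, the rename of naxsi's block field to the mapping's blocked is an assumption, and the min_hits threshold is this example's own.

```python
import re
from urllib.parse import parse_qsl

INT_KEYS = {"total_processed", "total_blocked", "id", "score0"}  # Integer in the page's mapping
BOOL_KEYS = {"learning", "blocked"}                              # Boolean in the page's mapping
VIOLATION_KEY = re.compile(r"^(zone|id|var_name)(\d+)$")  # keys repeated once per violated rule
FMT_RE = re.compile(r"NAXSI_FMT: (.*?), client:")

# Constructed sample error.log: request 1 violates two core rules on the cookie header,
# request 2 violates one, and the middle line is a worker crash with no NAXSI_FMT payload.
SAMPLE_LOG = """\
2016/08/30 09:45:13 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=example.com&uri=/admin&learning=1&vers=0.55.1&total_processed=10&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=HEADERS&id0=1310&var_name0=cookie&zone1=HEADERS&id1=1311&var_name1=cookie, client: 192.0.2.10, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
2016/08/30 10:00:00 [alert] 1234#1234: worker process 1235 exited on signal 11 (core dumped)
2016/08/30 11:06:36 [error] 1234#0: *2 NAXSI_FMT: ip=198.51.100.7&server=example.com&uri=/admin&learning=1&vers=0.55.1&total_processed=11&total_blocked=3&block=1&cscore0=$SQL&score0=4&zone0=HEADERS&id0=1010&var_name0=cookie, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"
"""

def _coerce(key, value):
    # Enforce the mapping's types instead of indexing every field as a string.
    if key in INT_KEYS:
        return int(value)
    return value == "1" if key in BOOL_KEYS else value

def parse_naxsi_fmt(line):
    # One entry per violated core rule; [] for lines that carry no NAXSI_FMT payload.
    m = FMT_RE.search(line)
    if not m:
        return []
    common, violations = {}, {}
    for key, value in parse_qsl(m.group(1), keep_blank_values=True):
        vk = VIOLATION_KEY.match(key)
        if vk:
            field, idx = vk.groups()
            violations.setdefault(int(idx), {})[field] = _coerce(field, value)
        else:
            key = "blocked" if key == "block" else key  # naxsi writes "block"; assumed rename
            common[key] = _coerce(key, value)
    return [dict(common, **violations[i]) for i in sorted(violations)]

def parse_log(text):
    return [e for line in text.splitlines() for e in parse_naxsi_fmt(line)]

def var_zone_whitelists(entries, min_hits=2):
    # Group by (zone, var_name); one wl:ids "mz:$ZONE_VAR:name" rule per group seen >= min_hits times.
    groups = {}
    for e in entries:
        if not e.get("var_name"):
            continue  # zones such as URL carry no variable name to key on
        g = groups.setdefault((e["zone"], e["var_name"]), {"ids": set(), "hits": 0})
        g["ids"].add(e["id"])
        g["hits"] += 1
    rules = []
    for (zone, var), g in sorted(groups.items()):
        if g["hits"] >= min_hits:
            ids = ",".join(str(i) for i in sorted(g["ids"]))
            rules.append('BasicRule wl:%s "mz:$%s_VAR:%s" "msg:%s in %s";' % (ids, zone, var, var, zone))
    return rules

if __name__ == "__main__":
    for rule in var_zone_whitelists(parse_log(SAMPLE_LOG)):
        print(rule)
```

The crash line is skipped rather than aborting the run, and the three violations from two requests collapse into one rule on $HEADERS_VAR:cookie covering ids 1010, 1310 and 1311.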

nxtool-ng's People

Contributors

he2ss


nxtool-ng's Issues

regex support for filters

Currently filters in nxtool are static. A filter for var_name: g-recaptcha-response can easily be added whereas a filter for comments: import:2016-09-29 08:22:17.215923,Whitelisted:2016-09-30 10:09:31.724727 cannot be added since the last part is modified for each event.

Could you please add regex support for the --filter option? This way users could filter fields like this: --filter "comments:.*Whitelisted.*"

Error importing logs into Elastic on Centos 7

Hi, I am attempting to get our logs into an ElasticSearch V5 server but am getting the following error. Could you help?

nxtool-ng-master]# python ./nxtool.py --flat-file /root/Z.log --elastic-dest
Traceback (most recent call last):
  File "./nxtool.py", line 153, in <module>
    sys.exit(main())
  File "./nxtool.py", line 129, in main
    destination.insert([log])
  File "/root/nxtool-ng-master/nxtool/log_providers/__init__.py", line 53, in insert
    self.nList.extend(obj)
AttributeError: 'Elastic' object has no attribute 'nList'

Thanks
Keith

Duplicates generated rules

nxtool-ng just generated the following rules, something is wrong:

Generated whitelists:
	BasicRule wl:1013 "mz:$HEADERS_VAR:cookie" "msg:Cookies that matches a simple quote";
	BasicRule wl:1013 "mz:HEADERS" "msg:zone-wide ID whitelist if it matches a simple quote";
	BasicRule wl:1013 "mz:HEADERS" "msg:Site-wide id+zone if it matches simple quote";

Statistics

It would be great to be able to generate useless fancy statistics with nxtool

whitelist generation syntax is incorrect

Hello,

There are a few glitches in the whitelists generated by nxtool.
At the moment, I noticed two of them:

1

You can't mix BODY_VAR and ARGS_VAR in the same rule:

BasicRule wl:1310,1311 "mz:$BODY_VAR_X:data\[.+\]|$ARGS_VAR_X:data\[.+\]" "msg:Array-like variable name";

You should use two rules, one with "mz:$URL:/url|$BODY_VAR:data"; and the other with s/BODY/ARGS/

2

The args or body var name whitelist is incorrectly set:

BasicRule wl:1000 "mz:ARGS|NAME:yes" "msg:Variable zone-wide";

Should be:

BasicRule wl:1000 "mz:$ARGS_VAR:yes|NAME" "msg:Variable zone-wide";

Implement regexp factorization

It would be great to be able to factorize results like those ones:

BasicRule wl:1015 "mz:$URL:/api/fr/contents|$ARGS_VAR:type" "msg:Variable zone-wide on a specific url if it matches a comma";
BasicRule wl:1015 "mz:$URL:/api/ar/contents|$ARGS_VAR:type" "msg:Variable zone-wide on a specific url if it matches a comma";
BasicRule wl:1015 "mz:$URL:/api/en/contents|$ARGS_VAR:type" "msg:Variable zone-wide on a specific url if it matches a comma";

nxtool was not able to generate meaningful whitelist

Hello,

I ran this tool against a test error log and it returned this message:

Command: python nxtool.py --whitelist --flat-file=/var/www/error.log

Result: nxtool was not able to generate meaningful whitelist

When I run the same test error log against the nx_util.py included in Naxsi version 0.53.2, it does generate these whitelist rules.

########### Optimized Rules Suggestion ##################
# total_count:2 (20.0%), peer_count:1 (50.0%) | sql keywords
BasicRule wl:1000 "mz:$URL:/naxsi2/wp-includes/js/imgareaselect/imgareaselect.css|URL";
# total_count:1 (10.0%), peer_count:1 (50.0%) | close square bracket (]), possible js
BasicRule wl:1311 "mz:$URL:/naxsi2/|$BODY_VAR:ips[0]|NAME";
# total_count:1 (10.0%), peer_count:1 (50.0%) | open square backet ([), possible js
BasicRule wl:1310 "mz:$URL:/naxsi2/|$BODY_VAR:ips[0]|NAME";
# total_count:1 (10.0%), peer_count:1 (50.0%) | double encoding
BasicRule wl:1315 "mz:$URL:/naxsi2/|$HEADERS_VAR:cookie";

Any idea why nxtool is not creating these rules?

Filters

nxtool should support filters, like Please give me everything that triggered an alert in the URL.

log unicity

Find a way to ensure that a logline is imported only once.

Whitelist generation fails due to core dump

Hello there,
if I run nxtool.py with --whitelist --flatfile /var/log/nginx/error.log and the log has stuff like
[alert] 16676#16676: worker process 16678 exited on signal 11 (core dumped)\n is an invalid extlog or nxlog, string "ip=" not found.'] while parsing 2017/04/10 14:43:27 [alert] 16676#16676: worker process 16678 exited on signal 11 (core dumped) the whitelist generation fails.

Perhaps ignore stuff like that?

Can't generate whitelists from flat-file?

I can't seem to get it working with a flat file even with the example one.


[root@li1305-120 nxtool-master]# python nxtool.py -v --flat-file --whitelist
INFO:root:Running Google analytics
INFO:root:Running Image 1002
INFO:root:Running cookies
INFO:root:Running url_wide_id
INFO:root:Searching for aguments in the zone ARGS
Traceback (most recent call last):
  File "nxtool.py", line 99, in <module>
    sys.exit(main())
  File "nxtool.py", line 92, in main
    whitelist.extend(module.generate_whitelist(source, whitelist))
  File "/home/nxtool-master/nxtool/whitelists_generators/__init__.py", line 4, in wrapper
    return func(provider, wl)
  File "/home/nxtool-master/nxtool/whitelists_generators/zone_var_wide.py", line 19, in generate_whitelist
    search = provider.export_search()
AttributeError: 'FlatFile' object has no attribute 'export_search'
[root@li1305-120 nxtool-master]# 

Log import on Centos 7 fails

Hi, if I try to import / parse (?) a log file with nxtool-ng, it fails with the following error. I am running the command on a new Centos 7.3 VM. Any help would be appreciated.

# python ./nxtool-ng-master/nxtool.py --flat-file /root/Y.log
Traceback (most recent call last):
  File "./nxtool-ng-master/nxtool.py", line 153, in <module>
    sys.exit(main())
  File "./nxtool-ng-master/nxtool.py", line 149, in main
    print(printers.print_generic(source.get_results()))
  File "/root/nxtool-ng-master/nxtool/printers.py", line 18, in print_generic
    print('\n'.join('%s: %s' % (k, item[k]) for k in item) + '\n')
  File "/root/nxtool-ng-master/nxtool/printers.py", line 18, in <genexpr>
    print('\n'.join('%s: %s' % (k, item[k]) for k in item) + '\n')
TypeError: list indices must be integers, not dict

Thanks
Keith.

whitelist generation restriction

Don't generate too-wide whitelists:

  • when generating url-wide WL(s), check that at least X different URLs are impacted
    etc :)
  • when generating zone-wide WL(s), check that at least X different named arguments are impacted

support globbing for flat-files arguments

It would be useful if the --flat-file argument could support globbing; nxapi would be able to process many files at the same time.

example : python nxtool.py --flat-file /mydirectory/error.log.*

Display id meaning in comments

Currently, nxtool is able to generate rules like this one: BasicRule wl:1009,1302,1303 "mz:$ARGS_VAR:ope|$URL:/StoreLocator/" "msg:Variable zone-wide on a specific url".

It would be great to have things like "msg:chars < and > allowed in variable 'ope' on url '/StoreLocator/'" instead of "msg:Variable zone-wide on a specific url".

Bug on whitelist generation with flat file

This is the bug:

root@machine:/var/opt/nxtool-ng# python nxtool.py --whitelist --flat-file /var/log/nginx/site/error.log 

[+] ['2017/06/16 11:43:01 [error] 8090#0: *717302 access forbidden by rule, client: 1.2.3.4, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"\n is an invalid extlog or nxlog, string "ip=" not found.'] while parsing 2017/06/16 11:43:01 [error] 8090#0: *717302 access forbidden by rule, client: 1.2.3.4, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"

[+] ['2017/06/16 12:10:04 [error] 8765#0: *717762 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"\n is an invalid extlog or nxlog, string "ip=" not found.'] while parsing 2017/06/16 12:10:04 [error] 8765#0: *717762 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"

[+] ['2017/06/16 12:10:15 [error] 8764#0: *717763 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /ecrire/ HTTP/1.1", host: "site"\n is an invalid extlog or nxlog, string "ip=" not found.'] while parsing 2017/06/16 12:10:15 [error] 8764#0: *717763 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /ecrire/ HTTP/1.1", host: "site"

[+] ['2017/06/16 12:14:32 [error] 8798#0: *718044 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"\n is an invalid extlog or nxlog, string "ip=" not found.'] while parsing 2017/06/16 12:14:32 [error] 8798#0: *718044 access forbidden by rule, client: 5.6.7.8, server: site, request: "GET /spip.php?page=login&url=ecrire%2F HTTP/1.1", host: "site"

[+] Generating Google analytics rules
[+] Generating Image 1002 rules
[+] Generating array-like variable name rules
Traceback (most recent call last):
  File "nxtool.py", line 145, in <module>
    sys.exit(main())
  File "nxtool.py", line 130, in main
    rules = module.generate_whitelist(source, whitelist)
  File "/var/opt/nxtool-ng/nxtool/whitelists_generators/__init__.py", line 4, in wrapper
    return func(provider, wl)
  File "/var/opt/nxtool-ng/nxtool/whitelists_generators/array_like_variables_names.py", line 35, in generate_whitelist
    variables = provider.get_top('var_name')
  File "/var/opt/nxtool-ng/nxtool/log_providers/flat_file.py", line 63, in get_top
    for key, value in collections.Counter(values).most_common(10):
  File "/usr/lib/python2.7/collections.py", line 453, in __init__
    self.update(iterable, **kwds)
  File "/usr/lib/python2.7/collections.py", line 534, in update
    for elem in iterable:
  File "/var/opt/nxtool-ng/nxtool/log_providers/flat_file.py", line 62, in <genexpr>
    values = (log[field] for log in self.__get_filtered_logs())
KeyError: 'var_name'


Whitelist generation

Given some naxsi logs, nxtool should be able to generate whitelists, for example:

  • cookies is a specific case of WL generation
  • some variables have [ and ] in their names (e.g. array[1]=2&array[2]=1337)

add the --slack cli argument

From time to time, nxtool-ng does not find whitelists for a particular vhost; the former version of the nxtool project had a --slack option to provide users with a full list of basic whitelists.

Can you add this feature?

ImportError: cannot import name whitelist

Hi,

I've copied naxsi-0.55.1/nxapi/nxapi into /usr/lib/python2.7/site-packages/ but when doing "python nxtool.py -h", I get:

<<
Traceback (most recent call last):
  File "nxtool.py", line 5, in <module>
    from nxapi import whitelist as nxapi_whitelist
ImportError: cannot import name whitelist
>>

Where can I get this "whitelist" ?

Thx !

No search type for [count]

Hello again, I tried running python nxtool.py --stats --elastic and the command fails with:

elasticsearch.exceptions.RequestError: TransportError(400, u'illegal_argument_exception', u'No search type for [count]')

This works using the original nxtool; elasticsearch is 5.3.0 on an Ubuntu 16.04 system.

--stdin seems broken

The --stdin option seems broken; it might be worth doing something about it, even if that means getting rid of this option.

add ES tagging

Please add a --tag option in order to tag elements as whitelisted in an ElasticSearch db.

Double-quotes aren't escaped

jvoisin@mim 18:00 ~/Dev/nxtool python3 ./nxtool.py --elastic --whitelist www.example.com                                                                                                [master] git:nxtool
/home/jvoisin/.local/lib/python3.5/site-packages/elasticsearch/connection/http_urllib3.py:70: UserWarning: Connecting to 10.0.9.25 using SSL with verify_certs=False is insecure.
  'Connecting to %s using SSL with verify_certs=False is insecure.' % host)
[+] Generating Google analytics rules
[+] Generating Image 1002 rules
[+] Generating array-like variable name rules
[+] Generating cookies rules
[+] Generating var + zone rules
[+] Generating url rules
[+] Generating var + zone rules
[+] Generating zone rules
[+] Generating site rules

Generated whitelists:
	BasicRule wl:1015 "mz:$URL:/poll/8|$BODY_VAR:ajax_page_state[libraries]" "msg:Variable zone-wide on a specific url";
	BasicRule wl:1001,1311,1310,1303 "mz:$URL:/politique/<img src="https:/s372.example.net/bb-mx/prime|$ARGS_VAR:tm" "msg:Variable zone-wide on a specific url";
	BasicRule wl:1302 "mz:$URL:/<img" "msg:url-wide ID whitelist";
	BasicRule wl:1302 "mz:$URL:/politique/<img src="https:/s372.example.net/bb-mx/prime" "msg:url-wide ID whitelist";
	BasicRule wl:1009,18 "mz:ARGS:" width" "msg:Variable zone-wide";
	BasicRule wl:1011,1010 "mz:ARGS" "msg:zone-wide ID whitelist"

jvoisin@mim 18:00 ~/Dev/nxtool  

The " width variable isn't properly escaped.

Imports

It would be cool if nxtool could import naxsi logs from

  • archives
    • zip
    • tar
  • stdin
  • elastic search
  • flat files
