jensvoid / lorg

Apache Logfile Security Analyzer
GNU General Public License v2.0
209 stars 50 forks

Is PHPIDS (or other data) outdated? #11

Closed Kentoseth closed 7 years ago

Kentoseth commented 7 years ago

Is any of the data being used for log-forensics outdated here?

I am testing a log-file from a common CMS using the -d phpids option and it doesn't output much. Further inspection of the ./phpids folder shows that it was last updated 4 years ago.

jensvoid commented 7 years ago

Unfortunately, PHPIDS itself was updated 4 years ago - https://github.com/PHPIDS/PHPIDS - and has not released any new rules since then. I started to test some newer ModSecurity based rules last week which may be used in a new release of LORG scheduled this month. There will also be a new detection module which simply checks for "evil" user agents and HTTP response codes (e.g. lots of 404) to detect noisy scans.

However, detection techniques based on HTTP GET parameters (PHPIDS, Hidden Markov Models, statistics-based) will not improve dramatically. This is usually because many attacks are simply not logged (e.g. because the payloads are contained in POST data which cannot be found in standard access.log) or because they do not directly target web applications (e.g. simple CGI/pathname scanners).

If you have found any false negatives (sample log line where you know it's an attack but which was not detected), I'd be interested.

Kentoseth commented 7 years ago

Apart from ModSecurity, will using the rules from here: https://ossec.github.io/ not be possible for usage in Lorg as well?

because the payloads are contained in POST data which cannot be found in standard access.log

This is true, but do there not exist any rules to detect when the POST request itself is unusual? e.g.

somefile.php?see=../etc/passwd/

That example isn't the best out there, but it shows what I am talking about concerning the request itself being unusual/malicious.

jensvoid commented 7 years ago

https://ossec.github.io/

Didn't know of that one. Thanks, will look into their web rules.

Rules to detect malicious POST requests only exist from a live perspective (for example using an IDS like ModSecurity/PHPIDS/whatever). From a forensics perspective you are doomed to the limited data you have. For example, LORG with -d phpids should match with a score of 15 for the following GET request:

1.2.3.4 - - [27/Aug/2016:17:12:01 -0700] "GET /somefile.php?see=../etc/passwd/ HTTP/1.1" 200 12345

If the attacker however includes the same payload in POST data, the logline will simply look like:

1.2.3.4 - - [27/Aug/2016:17:12:01 -0700] "POST /somefile.php HTTP/1.1" 200 12345

No way to tell if it's an attack (at least based on URL query parameters, because we simply cannot see them from the logline).
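The blind spot described above, as an added example that is not part of LORG or this thread: a small parser for Apache common-log lines that flags a traversal payload when it appears in the logged URL, marks a bare POST as undecidable because its body is not in access.log, and counts 404s per client to surface noisy scanners. The sample lines are constructed, modelled on the two in the thread; the verdict labels and the 404 threshold are assumptions.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Plain and URL-encoded "../" sequences in the logged URL.
TRAVERSAL_RE = re.compile(r'(?:\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.IGNORECASE)

# Constructed sample: the thread's GET/POST pair plus a client probing paths.
SAMPLE_LOG = """\
1.2.3.4 - - [27/Aug/2016:17:12:01 -0700] "GET /somefile.php?see=../etc/passwd/ HTTP/1.1" 200 12345
1.2.3.4 - - [27/Aug/2016:17:12:01 -0700] "POST /somefile.php HTTP/1.1" 200 12345
5.6.7.8 - - [27/Aug/2016:17:13:05 -0700] "GET /cgi-bin/test.cgi HTTP/1.0" 404 209
5.6.7.8 - - [27/Aug/2016:17:13:06 -0700] "GET /phpmyadmin/ HTTP/1.0" 404 209
5.6.7.8 - - [27/Aug/2016:17:13:07 -0700] "GET /admin/ HTTP/1.0" 404 209
"""

def parse_line(line):
    """Split one CLF line into fields; path and query are separated for inspection."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def classify(rec):
    """Verdict for one record. Only the URL is logged, so a payload carried in a
    POST body cannot be seen here; such requests are labelled as undecidable."""
    if TRAVERSAL_RE.search(rec["path"]) or TRAVERSAL_RE.search(rec["query"]):
        return "traversal-in-url"
    if rec["method"] == "POST" and not rec["query"]:
        return "unknown-post-body-not-logged"
    return "clean"

def analyze(log_text, scan_threshold=3):
    """Return (per-line verdicts, hosts with >= scan_threshold 404 responses)."""
    verdicts, not_found = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        verdicts.append((rec["host"], rec["method"], classify(rec)))
        if rec["status"] == "404":
            not_found[rec["host"]] += 1
    noisy = sorted(h for h, n in not_found.items() if n >= scan_threshold)
    return verdicts, noisy
```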

Kentoseth commented 7 years ago

Yes, you are correct about POST data. I will investigate this on my end.

Thanks for the awesome project. I will wait for the update to test on ModSecurity.