#!/bin/bash # # Attack Signature Database # Extracted from Emerging Threats Open Ruleset (BSD License) # Source: https://rules.emergingthreats.net/ # # Copyright (c) 2003-2025, Emerging Threats # All rights reserved. # Redistribution and use permitted under BSD license terms. # # This file contains attack pattern signatures for detecting web-based attacks # in HTTP access logs. Patterns are extracted and adapted from ET Open rules. # Initialize associative arrays for attack patterns declare -A ATTACK_SQLI # SQL Injection patterns declare -A ATTACK_XSS # Cross-Site Scripting declare -A ATTACK_CMD # Command Injection declare -A ATTACK_TRAVERSAL # Path Traversal declare -A ATTACK_INCLUSION # File Inclusion (LFI/RFI) declare -A ATTACK_WEBSHELL # Webshell detection declare -A ATTACK_CVE # Known CVE exploits declare -A ATTACK_UPLOAD # File upload attacks # Pattern format: [category_name]="regex_pattern||severity||||description" # Severity: 1-100 (higher = more dangerous) # Note: Using || as delimiter to allow | in regex patterns # ============================================================================ # SQL INJECTION PATTERNS (extracted from emerging-sql.rules) # ============================================================================ # UNION-based SQL injection ATTACK_SQLI["union_select"]="union.*select|union.*all.*select||90||UNION SELECT injection" ATTACK_SQLI["union_from"]="union.*from|union.*all.*from||90||UNION FROM injection" # Basic SQL injection attempts ATTACK_SQLI["basic_sqli"]="' or '1'='1|' or 1=1--|';--||85||Basic SQL injection" ATTACK_SQLI["basic_sqli2"]="\" or \"1\"=\"1|\" or 1=1--||85||Basic SQL injection (double quotes)" ATTACK_SQLI["comment_bypass"]="--[[:space:]]|#[[:space:]]|/\*|\*/||75||SQL comment injection" # Blind SQL injection ATTACK_SQLI["blind_sqli"]="sleep\(|benchmark\(|waitfor.*delay||80||Blind SQL injection" ATTACK_SQLI["time_based"]="pg_sleep\(|dbms_lock\.sleep||85||Time-based blind SQLi" # Stacked queries ATTACK_SQLI["stacked_query"]="';.*drop|';.*insert|';.*delete|';.*update||90||Stacked query injection" ATTACK_SQLI["stacked_exec"]="';.*exec|';.*execute||85||Stacked execution injection" # SQL functions abuse ATTACK_SQLI["sqli_functions"]="concat\(|group_concat\(|load_file\(|into.*outfile||85||SQL function abuse" ATTACK_SQLI["sqli_info"]="information_schema|mysql\.user|sys\.databases||90||Database metadata access" # Boolean-based injection ATTACK_SQLI["sqli_operators"]="and.*1=1|or.*1=1|xor.*1=1||70||Boolean-based injection" ATTACK_SQLI["sqli_boolean"]="and.*true|or.*false|and.*null||80||Boolean logic injection" # Encoded SQL injection ATTACK_SQLI["sqli_hex"]="0x[0-9a-f]{8,}|char\(|ascii\(||75||Hex-encoded injection" ATTACK_SQLI["sqli_encoded"]="%27%20or%20|%27%20union%20|%22%20or%20||80||URL-encoded SQL injection" # ============================================================================ # CROSS-SITE SCRIPTING (XSS) PATTERNS (from emerging-web_server.rules) # ============================================================================ # Script tag injection ATTACK_XSS["script_tag"]="|||80||Script tag injection" ATTACK_XSS["script_src"]="/dev/null; then echo "$severity||$pattern_name||$description" return 0 fi done return 1 } # Get all matching patterns across all categories # Usage: detect_all_attack_signatures "$request_line" # Returns: max_severity|match_count|matches (space-separated) # Each match format: severity|category|pattern_name|description # Note: Renamed to avoid conflict with legacy detect_all_attacks in attack-patterns.sh detect_all_attack_signatures() { local request="$1" local matches=() local max_severity=0 # Check all categories local categories=("ATTACK_SQLI" "ATTACK_XSS" "ATTACK_CMD" "ATTACK_TRAVERSAL" "ATTACK_INCLUSION" "ATTACK_WEBSHELL" "ATTACK_CVE" "ATTACK_UPLOAD") for category in "${categories[@]}"; do local result=$(check_attack_pattern "$request" "$category") if [ -n "$result" ]; then local severity="${result%%||*}" local temp="${result#*||}" local pattern_name="${temp%%||*}" local description="${temp#*||}" # Format: severity||category||pattern_name||description matches+=("$severity||${category#ATTACK_}||$pattern_name||$description") # Track max severity (with validation) if [[ "$severity" =~ ^[0-9]+$ ]] && [ "$severity" -gt "$max_severity" ]; then max_severity="$severity" fi fi done # Return results if [ ${#matches[@]} -gt 0 ]; then echo "$max_severity||${#matches[@]}||${matches[*]}" return 0 fi return 1 } # Get attack category name (human-readable) get_category_name() { local category="$1" case "$category" in SQLI) echo "SQL Injection" ;; XSS) echo "Cross-Site Scripting" ;; CMD) echo "Command Injection" ;; TRAVERSAL) echo "Path Traversal" ;; INCLUSION) echo "File Inclusion" ;; WEBSHELL) echo "Webshell" ;; CVE) echo "CVE Exploit" ;; UPLOAD) echo "Malicious Upload" ;; *) echo "$category" ;; esac } # Export functions for use in subshells export -f check_attack_pattern export -f detect_all_attack_signatures export -f get_category_name