cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1565c991a7a2814282894c15955780874d3805a1
Linux-Server-Management-Too…/lib
T
History
cschantz 1565c991a7 Enhance attack detection with 5 modern attack patterns 
ATTACK DETECTION ENHANCEMENTS:
Added detection for critical modern attack vectors not in OWASP Top 10:

1. XXE (XML External Entity) Detection - detect_xxe()
   - XML entity patterns (<!ENTITY, <!DOCTYPE)
   - External entity references (SYSTEM, file://, php://, expect://)
   - URL-encoded variants (%3c!entity)
   - XML-specific patterns (jar:, .dtd)
   - Threat Score: 18 (HIGH)
   - Icon: 📄

2. SSRF (Server-Side Request Forgery) Detection - detect_ssrf()
   - Internal network targeting (localhost, 127.0.0.1, 169.254.x.x)
   - Private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
   - Cloud metadata endpoints (metadata.google, 169.254.169.254, metadata.aws)
   - Protocol abuse (file://, gopher://, dict://, ftp://localhost)
   - URL parameter patterns (url=http, redirect.*http, proxy.*http)
   - Threat Score: 18 (HIGH)
   - Icon: 🌐

3. NoSQL Injection Detection - detect_nosql_injection()
   - MongoDB operators ($ne, $gt, $lt, $regex, $where, $in, $nin)
   - URL-encoded variants (%24ne, %24gt, %24where)
   - NoSQL-specific patterns (sleep(), this., function(), javascript:)
   - Threat Score: 15 (HIGH)
   - Icon: 🗄️

4. Template Injection (SSTI) Detection - detect_template_injection()
   - Jinja2/Twig patterns ({{ }}, {% %})
   - FreeMarker patterns (${ })
   - JSP patterns (<% %>)
   - URL-encoded variants (%7b%7b, %7b%25, %24%7b)
   - SSTI probe patterns (7*7, config., self., request., env.)
   - Threat Score: 20 (CRITICAL)
   - Icon: 📝
   - Color: White on Red (highest severity)

5. Encoding Bypass Detection - detect_encoding_bypass()
   - Double/triple URL encoding (%25XX, %252X, %2525)
   - WAF bypass attempts (%c0%af, %e0%80%af)
   - Unicode/UTF-8 bypass (%uXXXX, \uXXXX)
   - Threat Score: 12 (MEDIUM)
   - Icon: 🔀

CHANGES TO lib/attack-patterns.sh:
- Added 5 new detection functions (lines 128-206)
- Updated detect_all_attacks() to call new detections (lines 222-226)
- Updated calculate_attack_score() with new scoring (lines 251-255)
- Added icons for new attack types (lines 273-277)
- Added color coding (CRITICAL/HIGH/MEDIUM) (lines 289-291)
- Exported all new functions (lines 303-307)

IMPACT:
- Detection coverage expanded from 7 to 12 attack types
- Now covers modern attack vectors (API attacks, cloud exploits, WAF bypasses)
- Better threat scoring with 3-tier severity (CRITICAL/HIGH/MEDIUM)
- Real-time detection in live-attack-monitor
- Historical detection in bot-analyzer

NEXT STEPS:
- Consider User-Agent rotation detection (bot fingerprinting)
- Consider Tor/VPN/Proxy detection (anonymizer identification)
2025-12-01 18:58:16 -05:00
..
attack-patterns.sh
Enhance attack detection with 5 modern attack patterns
2025-12-01 18:58:16 -05:00
bot-signatures.sh
Security Intelligence Suite - Complete Overhaul
2025-11-13 23:01:13 -05:00
common-functions.sh
Fix division by zero in progress indicator
2025-11-19 16:44:24 -05:00
ip-reputation.sh
Security Intelligence Suite - Complete Overhaul
2025-11-13 23:01:13 -05:00
mysql-analyzer.sh
Fix critical integer expression and regex errors across multiple modules
2025-11-21 15:17:04 -05:00
reference-db.sh
CRITICAL: Fix grep regex errors when usernames contain special characters
2025-11-21 17:35:02 -05:00
system-detect.sh
Add error suppression to all remaining grep -P patterns with bracket expressions
2025-11-21 17:27:52 -05:00
threat-intelligence.sh
Add error suppression to all remaining grep -P patterns with bracket expressions
2025-11-21 17:27:52 -05:00
user-manager.sh
Fix remaining grep regex errors in cPanel user functions
2025-11-21 18:03:31 -05:00