Project

General

Profile

ThreatScript Definitions » History » Version 26

Luke Murphey, 05/28/2011 09:52 PM

1 22 Luke Murphey
{{>toc}}
2 22 Luke Murphey
3 1 Luke Murphey
h1. ThreatScript Definitions
4 1 Luke Murphey
5 1 Luke Murphey
ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed.
6 1 Luke Murphey
7 1 Luke Murphey
h2. ThreatScript Example
8 1 Luke Murphey
9 1 Luke Murphey
Below is an example of a ThreatScript that triggers if the web-page has a form element.
10 1 Luke Murphey
11 1 Luke Murphey
<pre><code class="javascript">
12 1 Luke Murphey
/*
13 1 Luke Murphey
 * Name: Example.General.Has_Form_Tag
14 1 Luke Murphey
 * Version: 1
15 1 Luke Murphey
 * ID: 1000000
16 1 Luke Murphey
 * Message: Indicates if the page has as a form tag
17 1 Luke Murphey
 * Severity: Low
18 11 Luke Murphey
 * Reference: url,threatfactor.com
19 1 Luke Murphey
 */
20 1 Luke Murphey
21 1 Luke Murphey
importPackage(Packages.ThreatScript);
22 1 Luke Murphey
importPackage(Packages.HTTP);
23 1 Luke Murphey
24 8 Luke Murphey
function analyze( httpResponse, variables, environment ){
25 1 Luke Murphey
26 1 Luke Murphey
	var parser = httpResponse.getDocumentParser();
27 1 Luke Murphey
	var location = new URL( httpResponse.getLocation() );
28 1 Luke Murphey
29 1 Luke Murphey
	//Get a list of all script tags
30 1 Luke Murphey
	var tagNameFilter = new TagNameFilter("form");
31 1 Luke Murphey
	var nodesList = parser.extractAllNodesThatMatch(tagNameFilter); 
32 1 Luke Murphey
        if( nodesList.size() > 0 ){
33 1 Luke Murphey
	     return new Result( true, "A form was detected" );
34 1 Luke Murphey
	}
35 1 Luke Murphey
        
36 1 Luke Murphey
	return new Result( false, "No forms detected" );
37 1 Luke Murphey
}
38 1 Luke Murphey
</code>
39 1 Luke Murphey
</pre>
40 2 Luke Murphey
41 3 Luke Murphey
h2. Analysis Function
42 3 Luke Murphey
43 12 Luke Murphey
ThreatScripts must provide an analyze function that takes 3 arguments:
44 3 Luke Murphey
45 7 Luke Murphey
| *Name*       | *Type*            | *Note*                                                                           |
46 7 Luke Murphey
| httpResponse | HttpResponseData  | See source:trunk/src/net/lukemurphey/nsia/scan/HttpResponseData.java             |
47 7 Luke Murphey
| variables    | Variables         | See source:trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/Variables.java  |
48 7 Luke Murphey
| environment  | Environment       | See source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java#L605        |
49 1 Luke Murphey
50 26 Luke Murphey
Note that a couple of static variables are available as well:
51 26 Luke Murphey
52 26 Luke Murphey
| *Name*        | *Type*     | *Note*                                         |
53 26 Luke Murphey
| scanStarted   | Date       | Defines when the rule began to scan            |
54 26 Luke Murphey
| scriptStarted    | Date    | Defines when the ThreatScript began executing  |
55 24 Luke Murphey
56 16 Luke Murphey
h2. Saving / Loading Saved Data (using the environment object)
57 16 Luke Murphey
58 16 Luke Murphey
ThreatScripts can save and load data using the environment object. The environment allows the script to recall information between runs of the definition for a given URL and rule.
59 16 Luke Murphey
60 16 Luke Murphey
h3. Retrieving Values
61 16 Luke Murphey
62 16 Luke Murphey
Values can be retrieved using the _get_ function of the environment object. Call _getValue_ on the returned object to get the value. Below is an example:
63 16 Luke Murphey
64 16 Luke Murphey
<pre><code class="javascript">
65 16 Luke Murphey
var saved = environment.get("ValueName");
66 16 Luke Murphey
var value = saved.getValue();
67 16 Luke Murphey
</code></pre>
68 16 Luke Murphey
69 16 Luke Murphey
h3. Saving Values
70 16 Luke Murphey
71 16 Luke Murphey
Values can be saved using the _set_ function of the environment object. Optionally, the set argument accepts a boolean indicating if the provided value should only be returned when the definition is running against the same URL. Below is an example:
72 16 Luke Murphey
73 16 Luke Murphey
<pre><code class="javascript">
74 16 Luke Murphey
var test = "1234ABCD";
75 17 Luke Murphey
76 17 Luke Murphey
//Will only be returned when the given definition is executed against the current URL:
77 17 Luke Murphey
environment.set("ValueName", test);
78 17 Luke Murphey
79 23 Luke Murphey
//Will be returned when the given definition is executed against any URL (within the given rule):
80 17 Luke Murphey
environment.set("ValueName", test, false);
81 16 Luke Murphey
</code></pre>
82 16 Luke Murphey
83 25 Luke Murphey
h3. Removing Values
84 25 Luke Murphey
85 25 Luke Murphey
Values can be saved using the _remove_ function of the environment object. Below is an example:
86 25 Luke Murphey
87 25 Luke Murphey
<pre><code class="javascript">
88 25 Luke Murphey
//Removes the object named "RemoveMe" if it exists
89 25 Luke Murphey
environment.remove("RemoveMe");
90 25 Luke Murphey
</code></pre>
91 25 Luke Murphey
92 20 Luke Murphey
h3. Saving / Loading Collections
93 20 Luke Murphey
94 20 Luke Murphey
If your script needs to load collections then you ought to use the Vector class since it will perform the necessary conversions that are required to make sure that the contents are the same when loaded.
95 20 Luke Murphey
96 20 Luke Murphey
<pre><code class="javascript">
97 20 Luke Murphey
v = new Vector();
98 20 Luke Murphey
v.push("one");
99 20 Luke Murphey
v.get(0);
100 20 Luke Murphey
v.pop();
101 20 Luke Murphey
v.remove();
102 20 Luke Murphey
environment.set("Vector", test);
103 20 Luke Murphey
</code></pre>
104 20 Luke Murphey
105 1 Luke Murphey
h2. Baseline Function
106 1 Luke Murphey
107 4 Luke Murphey
ThreatScripts may declare a baseline function that will allow the definition to be configured to baseline itself against the previous set of scan results. The baseline function is called by NSIA when a user presses the baseline method for a rule. The objective of the baseline function is to view the provided scan results and ignore the particular finding for the given resource in the future. For example, a definition that triggers when the hash of the web-page changes may define a baseline function that causes it to not trigger unless the web-page hashes changes to yet another value.
108 4 Luke Murphey
109 4 Luke Murphey
Below is an example:
110 4 Luke Murphey
111 4 Luke Murphey
<pre>
112 4 Luke Murphey
<code class="javascript">
113 4 Luke Murphey
function baseline( environment ){
114 4 Luke Murphey
	var previousValue = environment.get("LastObservedHash");
115 4 Luke Murphey
116 4 Luke Murphey
	if( previousValue != null && previousValue.getValue() != null ){
117 4 Luke Murphey
		environment.set("Hash", previousValue.getValue() );
118 4 Luke Murphey
	}
119 4 Luke Murphey
120 4 Luke Murphey
	return true;
121 4 Luke Murphey
}
122 4 Luke Murphey
</code>
123 4 Luke Murphey
</pre>
124 4 Luke Murphey
125 21 Luke Murphey
h2. Link Extraction
126 21 Luke Murphey
127 21 Luke Murphey
ThreatScript definitions can add URLs to the list that will be scanned. This allows ThreatScripts to parse content and enumerate other content that is linked. URLs can be added by calling addURL on the Result object or by specifying the URLs in the Result constructor. See below for an example:
128 21 Luke Murphey
129 21 Luke Murphey
<pre>
130 21 Luke Murphey
<code class="javascript">
131 21 Luke Murphey
importPackage(Packages.ThreatScript);
132 21 Luke Murphey
importPackage(Packages.HTTP);
133 21 Luke Murphey
134 21 Luke Murphey
function analyze( httpResponse, operation, environment ){
135 21 Luke Murphey
    a = new Array();
136 21 Luke Murphey
    a[0] = new URL("http://mydomain.com/");
137 21 Luke Murphey
    a[1] = new URL("http://someotherdomain.com/");
138 21 Luke Murphey
139 21 Luke Murphey
    // You can add URLs via the results constructor (or add them manually via the "addURL" methods) 
140 21 Luke Murphey
    result = new Result( false, "Two URLs extracted", a);
141 21 Luke Murphey
142 21 Luke Murphey
    // This URL will not be scanned unless it matches the domain restriction in the rule
143 21 Luke Murphey
    result.addURL( new URL("http://mydomain.com/") );
144 21 Luke Murphey
145 21 Luke Murphey
    // This URL will be scanned regardless of whether it matches the domain restriction in the rule
146 21 Luke Murphey
    result.addURL( new URL("http://someotherdomain.com"), true);
147 21 Luke Murphey
    return result;
148 21 Luke Murphey
}
149 21 Luke Murphey
</code>
150 21 Luke Murphey
</pre>
151 21 Luke Murphey
152 21 Luke Murphey
153 14 Luke Murphey
h2. Terminate Function
154 3 Luke Murphey
155 14 Luke Murphey
ThreatScripts can also declare a terminate function that allows the scan engine to terminate the definition it execution exceeds the maximum execution time.
156 14 Luke Murphey
157 14 Luke Murphey
Below is an example of a (useless) rule that uses the terminate function to stop execution:
158 14 Luke Murphey
159 14 Luke Murphey
<pre>
160 14 Luke Murphey
<code class="javascript">
161 14 Luke Murphey
importPackage(Packages.ThreatScript);
162 14 Luke Murphey
163 14 Luke Murphey
var keep_going = true;
164 14 Luke Murphey
165 14 Luke Murphey
function analyze( httpResponse, operation, environment ){
166 14 Luke Murphey
167 14 Luke Murphey
    while(keep_going ){
168 14 Luke Murphey
        //Infinite loop
169 14 Luke Murphey
    }
170 14 Luke Murphey
171 14 Luke Murphey
    return new Result( false, "Definition did not match the input");
172 14 Luke Murphey
}
173 14 Luke Murphey
174 14 Luke Murphey
function terminate(){
175 14 Luke Murphey
    keep_going = false; //Will cause the analysis to stop
176 14 Luke Murphey
}
177 14 Luke Murphey
</code>
178 14 Luke Murphey
</pre>
179 3 Luke Murphey
180 1 Luke Murphey
h2. Meta-Data
181 1 Luke Murphey
182 1 Luke Murphey
ThreatScripts must provide a meta-data that indicates the following information:
183 1 Luke Murphey
184 3 Luke Murphey
| *Name*  | *Valid Input*                                      | *Notes* |
185 3 Luke Murphey
| Name    | <category>.<sub_category>.<definition_name>        |         |
186 3 Luke Murphey
| Version | integer                                            | Should be incremented each time the definition is updated |
187 3 Luke Murphey
| ID      | integer                                            | Must be 1000000 or greater (only official definitions can be less than 1000000)        |
188 3 Luke Murphey
| Message | message to be displayed when definition matches    |         |
189 3 Luke Murphey
| Severity| Either: Low, Medium or High                        |         |
190 3 Luke Murphey
| Invasive| Either: True or False (this argument is optional)  |         |
191 1 Luke Murphey
192 1 Luke Murphey
This meta-data is provided in a comment as name-value pairs (see above ThreatScript example).
193 1 Luke Murphey
194 9 Luke Murphey
h3. Definition Name
195 8 Luke Murphey
196 1 Luke Murphey
{{include(Definition_Naming_Convention)}}
197 1 Luke Murphey
198 9 Luke Murphey
h3. Definition Severity
199 9 Luke Murphey
200 9 Luke Murphey
{{include(Definition_Severity)}}
201 11 Luke Murphey
202 11 Luke Murphey
h3. Definition References 
203 11 Luke Murphey
204 11 Luke Murphey
{{include(Definition_References)}}
205 11 Luke Murphey
206 11 Luke Murphey
Note that definition references are defined a comment block with the "Reference:" as a prefix (Example: "// Reference: url,threatfactor.com").
207 9 Luke Murphey
208 3 Luke Murphey
h2. Available Packages
209 1 Luke Murphey
210 3 Luke Murphey
A series of packages are available to ThreatScripts in order to perform analysis.
211 3 Luke Murphey
212 1 Luke Murphey
| *Package*            | *Class*            | *Description*                                     |
213 13 Luke Murphey
|/9.HTTP               | URL                | Same as java.net.URL                              |
214 1 Luke Murphey
                       | TagNameFilter      | See http://htmlparser.sourceforge.net/javadoc/org/htmlparser/filters/TagNameFilter.html |
215 15 Luke Murphey
                       | GetRequest         | [[ThreatScript Web client|Web-client]] for performing HTTP Get requests  |
216 15 Luke Murphey
                       | PostRequest        | [[ThreatScript Web client|Web-client]] for performing HTTP Post requests |
217 15 Luke Murphey
                       | DeleteRequest      | [[ThreatScript Web client|Web-client]] for performing HTTP Delete requests |
218 15 Luke Murphey
                       | PutRequest         | [[ThreatScript Web client|Web-client]] for performing HTTP Put requests |
219 15 Luke Murphey
                       | TraceRequest       | [[ThreatScript Web client|Web-client]] for performing HTTP Trace requests |
220 15 Luke Murphey
                       | HeadRequest        | [[ThreatScript Web client|Web-client]] for performing HTTP Head requests |
221 15 Luke Murphey
                       | OptionsRequest     | [[ThreatScript Web client|Web-client]] for performing HTTP Option requests |
222 13 Luke Murphey
|/2.<default>          | StringUtils        | Provides a trim function for Strings, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/StringUtils.java              |
223 13 Luke Murphey
| Debug                | Provides method that allows scripts to create log messages, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/Debug.java              |
224 19 Luke Murphey
|/3.ThreatScript       | Result             | Indicates the results of analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/Result.java                 |
225 19 Luke Murphey
                       | DataAnalysis       | Provides functions useful for analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/ScriptSignatureUtils.java            |
226 18 Luke Murphey
                       | Vector             | Provides a storage class for scripts, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/Vector.java            |
227 1 Luke Murphey
228 1 Luke Murphey
229 1 Luke Murphey
h2. Debugging ThreatScripts
230 8 Luke Murphey
231 8 Luke Murphey
ThreatScripts can create event log messages by using the sendMessage() function in the Debug class. Simply call _Debug.sendMessage_ with a string as an argument to create an event log message. The event log messages can be viewed in the event log for NSIA.
232 8 Luke Murphey
233 8 Luke Murphey
Generally, script created log messages are used only for debugging and should be disabled on rules you want to use in production.
234 8 Luke Murphey
235 8 Luke Murphey
h2. General Notes When Writing Definitions
236 8 Luke Murphey
237 8 Luke Murphey
h3. ThreatScript Maximum Runtime
238 8 Luke Murphey
239 8 Luke Murphey
ThreatScript  definitions are forceably terminated by the scan engine if the script runs for longer than 10 seconds. Thus, it is important to write definitions that can complete within the timeframe alloted; otherwise, the definition will be flagged as having an error.
240 8 Luke Murphey
241 8 Luke Murphey
h3. Maximum Data Size
242 8 Luke Murphey
243 8 Luke Murphey
The scan engine only provides the first 1 MB of the data observed to the scan engine. Therefore, do not design ThreatScripts that won't work if only the first 1 MB of a larger file is provided.