Version 6 - History - ThreatScript Definitions - ThreatFactor NSIA - LukeMurphey.net

ThreatScript Definitions » History » Version 6

Luke Murphey, 04/10/2010 04:22 PM

-Luke Murphey
+h1. ThreatScript Definitions
 Luke Murphey
-Luke Murphey
+ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed.
 Luke Murphey
-Luke Murphey
+h2. ThreatScript Example
 Luke Murphey
-Luke Murphey
+Below is an example of a ThreatScript that triggers if the web-page has a form element.
 Luke Murphey
-Luke Murphey
+<pre><code class="javascript">
-Luke Murphey
+/*
-Luke Murphey
+ * Name: Example.General.Has_Form_Tag
-Luke Murphey
+ * Version: 1
-Luke Murphey
+ * ID: 1000000
-Luke Murphey
+ * Message: Indicates if the page has as a form tag
-Luke Murphey
+ * Severity: Low
-Luke Murphey
+ */
 Luke Murphey
-Luke Murphey
+importPackage(Packages.ThreatScript);
-Luke Murphey
+importPackage(Packages.HTTP);
 Luke Murphey
-Luke Murphey
+function analyze( httpResponse, operation, variables, environment, defaultRule ){
 Luke Murphey
-Luke Murphey
+	var parser = httpResponse.getDocumentParser();
-Luke Murphey
+	var location = new URL( httpResponse.getLocation() );
 Luke Murphey
-Luke Murphey
+	//Get a list of all script tags
-Luke Murphey
+	var tagNameFilter = new TagNameFilter("form");
-Luke Murphey
+	var nodesList = parser.extractAllNodesThatMatch(tagNameFilter);
-Luke Murphey
+        if( nodesList.size() > 0 ){
-Luke Murphey
+	     return new Result( true, "A form was detected" );
 Luke Murphey
 Luke Murphey
-Luke Murphey
+	return new Result( false, "No forms detected" );
 Luke Murphey
-Luke Murphey
+</code>
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+h2. Analysis Function
 Luke Murphey
-Luke Murphey
+ThreatScripts must provide an analyze function that takes 5 arguments:
 Luke Murphey
-Luke Murphey
+| *Name*       | *Type* | *Note* |
-Luke Murphey
+| httpResponse |        | See source:trunk/src/net/lukemurphey/nsia/scan/HttpResponseData.java       |
-Luke Murphey
+| operation    |        | See source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java#L40       |
-Luke Murphey
+| variables    |        | See source:trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/Variables.java       |
-Luke Murphey
+| environment  |        | See source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java#L605       |
-Luke Murphey
+| defaultRule  |        |        |
 Luke Murphey
-Luke Murphey
+h2. Baseline Function
 Luke Murphey
-Luke Murphey
+ThreatScripts may declare a baseline function that will allow the definition to be configured to baseline itself against the previous set of scan results. The baseline function is called by NSIA when a user presses the baseline method for a rule. The objective of the baseline function is to view the provided scan results and ignore the particular finding for the given resource in the future. For example, a definition that triggers when the hash of the web-page changes may define a baseline function that causes it to not trigger unless the web-page hashes changes to yet another value.
 Luke Murphey
-Luke Murphey
+Below is an example:
 Luke Murphey
-Luke Murphey
+<pre>
-Luke Murphey
+<code class="javascript">
-Luke Murphey
+function baseline( environment ){
-Luke Murphey
+	var previousValue = environment.get("LastObservedHash");
 Luke Murphey
-Luke Murphey
+	if( previousValue != null && previousValue.getValue() != null ){
-Luke Murphey
+		environment.set("Hash", previousValue.getValue() );
 Luke Murphey
 Luke Murphey
-Luke Murphey
+	return true;
 Luke Murphey
-Luke Murphey
+</code>
-Luke Murphey
+</pre>
 Luke Murphey
 Luke Murphey
 Luke Murphey
-Luke Murphey
+h2. Meta-Data
 Luke Murphey
-Luke Murphey
+ThreatScripts must provide a meta-data that indicates the following information:
 Luke Murphey
-Luke Murphey
+| *Name*  | *Valid Input*                                      | *Notes* |
-Luke Murphey
+| Name    | <category>.<sub_category>.<definition_name>        |         |
-Luke Murphey
+| Version | integer                                            | Should be incremented each time the definition is updated |
-Luke Murphey
+| ID      | integer                                            | Must be 1000000 or greater (only official definitions can be less than 1000000)        |
-Luke Murphey
+| Message | message to be displayed when definition matches    |         |
-Luke Murphey
+| Severity| Either: Low, Medium or High                        |         |
-Luke Murphey
+| Invasive| Either: True or False (this argument is optional)  |         |
 Luke Murphey
-Luke Murphey
+This meta-data is provided in a comment as name-value pairs (see above ThreatScript example).
 Luke Murphey
-Luke Murphey
+{{include(Definition_Naming_Convention)}}
 Luke Murphey
-Luke Murphey
+h2. Available Packages
 Luke Murphey
-Luke Murphey
+A series of packages are available to ThreatScripts in order to perform analysis.
 Luke Murphey
-Luke Murphey
+| *Package*            | *Class*            | *Description*                                     |
-Luke Murphey
+|/2.HTTP               | URL                | Same as java.net.URL                              |
-Luke Murphey
+                       | TagNameFilter      | See http://htmlparser.sourceforge.net/javadoc/org/htmlparser/filters/TagNameFilter.html |
-Luke Murphey
+|<default>             | StringUtils        | Provides a trim function for Strings, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/StringUtils.java              |
-Luke Murphey
+|/2.ThreatScript       | Result             | Indicates the results of analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment.Result.java                 |
-Luke Murphey
+                       | DataAnalysis       | Provides functions useful for analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/ScriptSignatureUtils.java            |

Project

General

Profile

ThreatFactor NSIA

ThreatScript Definitions » History » Version 6