WAF核心代码分享



init.lua:

------------------------------------------------------------------------------------------------------
--模块名称:init.lua
--模块功能:实现WAF各功能函数和初使化操作
------------------------------------------------------------------------------------------------------

--加载全局配置文件,获取WAF配置信息
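local conf = require("config")
--加载lfs.so库
local lfs = require("lfs")
--如果conf返回值true,说明加载配置文件成功
-- config.lua is expected to populate the globals below and return true; the
-- original compared conf against the misspelled (hence nil) name `ture`, so
-- this branch could never run. The body is kept for compatibility even though
-- each statement assigns a global to itself and therefore has no effect.
-- NOTE(review): there is no failure path — a missing or falsy config leaves
-- every setting nil, and main.lua then treats the WAF as switched off
-- (waf_open ~= "true").
if conf == true then
    --WAF安全规则存放路径
    sec_rules_path = sec_rules_path
    --WAF开关配置
    waf_open = waf_open
    --是否开启WAF阻断功能
    waf_block = waf_block
    --攻击日志保存文件路径
    attack_log_path = attack_log_path
    --WAF阻断告警页面路径
    waf_alert_page = waf_alert_page
    --IP地址白名单列表
    ip_white_list = ip_white_list
    --IP地址黑名单列表
    ip_black_list = ip_black_list
end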

----------------------------------------------WAF功能函数实现开始---------------------------------------

--实现获取HTTP请求方式(Method)函数

function GetMethod()
    --取不到请求方法时统一返回"null"
    -- Request method as reported by ngx.req.get_method(), or the string
    -- "null" when it is nil.
    return ngx.req.get_method() or "null"
end

--实现获取客户端真实IP地址函数

function GetClientIP()
    --优先取X-Forwarded-For,其次取remote_addr,都取不到时返回"null"
    -- Client address used by the white/black-list checks.
    -- Precedence: the X-Forwarded-For header when its value is a string
    -- (a repeated header is not a string and is ignored), then
    -- ngx.var.remote_addr, then "null".
    -- NOTE(review): X-Forwarded-For is supplied by the client unless a trusted
    -- proxy in front of this server overwrites it, and a single value may still
    -- be a comma-separated chain ("a, b"); treat it as untrusted input unless
    -- the deployment guarantees otherwise — confirm before relying on it for
    -- the whitelist.
    local forwarded = ngx.req.get_headers()["X-Forwarded-For"]
    if type(forwarded) == "string" then
        return forwarded
    end
    return ngx.var.remote_addr or "null"
end

--实现获取完整URI函数

function GetURI()
    --返回原始(未解码)请求URI,取不到时返回"null"
    -- Raw, still percent-encoded request URI from ngx.var.request_uri, or
    -- "null" when nginx has none. Decoding is left to the caller.
    local uri = ngx.var.request_uri
    if uri ~= nil then
        return uri
    end
    --uri = ngx.unescape_uri(uri)
    return "null"
end

--实现获取UserAgent字段值的函数

function GetUserAgent()
    --User-Agent取不到时用"null"占位
    -- Value of ngx.var.http_user_agent, or "null" when the header is absent.
    local ua = ngx.var.http_user_agent
    if ua ~= nil then
        return ua
    end
    return "null"
end

--实现获取Cookie字段值的函数

function GetCookie()
    --Cookie取不到时用"null"占位
    -- The Cookie header as ngx.req.get_headers() exposes it, or "null" when
    -- absent. Whatever get_headers() returns for the key (presumably a table
    -- when the header is repeated — verify) is passed through unchanged.
    local headers = ngx.req.get_headers()
    return headers["cookie"] or "null"
end

--实现获取Referer字段值的函数

function GetReferer()
    --Referer取不到时用"null"占位
    -- The Referer header as ngx.req.get_headers() exposes it, or "null" when
    -- absent; the value is not validated here.
    local headers = ngx.req.get_headers()
    local referer = headers["referer"]
    if referer == nil then
        return "null"
    end
    return referer
end

--实现跳转到WAF阻断页面的函数

function ShowAlertPage()
    --重定向到告警页面并结束本次请求
    -- Redirect the client to the configured alert page (global waf_alert_page)
    -- and end the request. ngx.redirect is expected not to return, so the
    -- ngx.exit that follows is a belt-and-braces terminator — presumably never
    -- reached; kept as in the original.
    local target = waf_alert_page
    ngx.redirect(target)
    ngx.exit(200)
end

--实现检测客户端IP是否在黑名单函数

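function CheckBlackList(ipaddr)
    --黑名单采用精确比较
    -- True when ipaddr exactly equals an entry of the global ip_black_list.
    -- The original passed the (client-controlled) address to string.match as
    -- the *pattern*, so "." matched any character ("1.2.3.4" also hit
    -- "11.2.3.4" and "1x2x3x4") and a pattern metacharacter in a forged
    -- X-Forwarded-For raised a runtime error in the access phase. Plain
    -- equality avoids both; a nil address or a missing list yields false.
    -- @param ipaddr string|nil
    -- @return boolean
    if ipaddr == nil or type(ip_black_list) ~= "table" then
        return false
    end
    for i = 1, #ip_black_list do
        if ip_black_list[i] == ipaddr then
            return true
        end
    end
    return false
end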

--实现检测客户端IP地址是否在白名单函数

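function CheckWhiteList(ipaddr)
    --白名单采用精确比较
    -- True when ipaddr exactly equals an entry of the global ip_white_list.
    -- As with CheckBlackList, the original used the client-supplied address as
    -- a Lua pattern, so "." was a wildcard and metacharacters raised; because a
    -- whitelist hit skips the IP/protocol checks in main.lua, a loose match
    -- here is worse than a miss. Plain equality is used; nil or a missing list
    -- yields false.
    -- @param ipaddr string|nil
    -- @return boolean
    if ipaddr == nil or type(ip_white_list) ~= "table" then
        return false
    end
    for i = 1, #ip_white_list do
        if ip_white_list[i] == ipaddr then
            return true
        end
    end
    return false
end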

--实现获取攻击类型名称和相应攻击特征的函数

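function GetAttackTypeAndSig()
    -- Load every rule file under sec_rules_path whose name is purely
    -- alphabetic (the file name is the attack type) and return two parallel
    -- sequences: rule names and the full text of each file, which CheckAttack
    -- uses as a regex. A file that cannot be opened is skipped, so the two
    -- sequences stay aligned (the original dereferenced a nil handle).
    -- sec_rules_path is assumed to end with a path separator.
    -- NOTE(review): lfs.dir raises when sec_rules_path does not exist, and
    -- main.lua calls this on every request — consider loading once at init.
    -- @return table ruleFileName, table attackSig
    local ruleFileName = {}
    local attackSig = {}
    for file in lfs.dir(sec_rules_path) do
        if file ~= "." and file ~= ".." and ngx.re.match(file, "^([a-zA-Z]+)$", "isjo") ~= nil then
            --拼接规则文件路径并读取攻击特征
            local f = io.open(sec_rules_path .. file, "r")
            if f ~= nil then
                local sig = f:read("*all")
                f:close()
                ruleFileName[#ruleFileName + 1] = file
                attackSig[#attackSig + 1] = sig
            end
        end
    end
    return ruleFileName, attackSig
end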

--检测HTTP流量是否存在恶意攻击行为的函数

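function CheckAttack(http, attackType, attackSig)
    -- Match one request field against every loaded signature.
    -- @param http       string  field to scan; anything that is not a string
    --                   (e.g. what ngx returns for a repeated header) is
    --                   treated as "no match" instead of being passed to
    --                   ngx.re.match, which would raise
    -- @param attackType table   rule names, parallel to attackSig
    -- @param attackSig  table   regex patterns, evaluated with flags "isjo"
    -- @return table  {} when nothing matched, otherwise
    --                {true, <rule name>, <matched text>} for the FIRST rule
    --                that hits (the original kept scanning and reported the
    --                last hit, doing wasted work for every later rule)
    local rs = {}
    if type(http) ~= "string" then
        return rs
    end
    for i = 1, #attackSig do
        local m = ngx.re.match(http, attackSig[i], "isjo")
        if m ~= nil then
            rs[1] = true
            rs[2] = attackType[i]
            rs[3] = m[0]
            break
        end
    end
    return rs
end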

--实现将检测到的攻击信息写入日志文件

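function WriteLog(log)
    -- Append one CRLF-terminated line to <attack_log_path>sec.log (binary
    -- append). A nil log is ignored: main.lua builds the line only when the
    -- POST body could be read, and passing nil previously raised on the
    -- concatenation, failing the request. Open failures are skipped silently,
    -- as before. attack_log_path is assumed to end with a path separator.
    -- NOTE(review): URL and User-Agent are written unescaped by the callers,
    -- so a "|" inside them shifts the columns; escape or encode those fields
    -- if the log is parsed by machine.
    -- @param log string|nil  one complete, pipe-delimited log line
    if log == nil then
        return
    end
    --定义攻击日志文件名称
    --local logFile = attack_log_path .. ngx.today() .. "_sec.log"
    local logFile = attack_log_path .. "sec.log"
    local fh = io.open(logFile, "ab")
    if fh == nil then
        return
    end
    fh:write(log .. '\r\n')
    fh:flush()
    fh:close()
end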

--实现获取Content-Type=application/x-www-form-urlencoded类型的POST请求数据包的函数

function GetPostArgs()
    -- For requests whose Content-Type contains "x-www-form-urlencoded",
    -- return two parallel sequences: the string-valued POST arguments and the
    -- same pairs rendered as "key=value" lines. Any other content type, a
    -- missing body, or an argument whose value is not a string contributes
    -- nothing. Keys are only returned inside postArgs, never on their own.
    -- @return table vals, table postArgs
    local vals, postArgs = {}, {}
    local contentType = ngx.req.get_headers()["Content-Type"]
    local isForm = contentType ~= nil
        and ngx.re.match(contentType, "x-www-form-urlencoded") ~= nil
    if not isForm then
        return vals, postArgs
    end
    --读取请求体;没有请求体时不再解析参数
    ngx.req.read_body()
    if ngx.req.get_body_data() == nil then
        return vals, postArgs
    end
    for key, val in pairs(ngx.req.get_post_args()) do
        if type(val) == "string" then
            vals[#vals + 1] = val
            postArgs[#postArgs + 1] = key .. "=" .. val
        end
    end
    return vals, postArgs
end

--实现检测HTTP Header是否合法的函数

function CheckMethod(method)
    -- Returns true when method is NOT one of the allowed methods (GET, POST,
    -- HEAD, matched with ngx.re flags "isjo"), false when it is allowed.
    -- Note the inverted sense: true is the "reject" signal main.lua acts on.
    --local methods = {"^GET$","^POST$","^HEAD$","^PUT$","^MOVE$","^OPTIONS$","^DELETE$","^TRACE$","^CONNECT$"}
    local allowed = {"^GET$","^POST$","^HEAD$"}
    for _, pattern in ipairs(allowed) do
        if ngx.re.match(method, pattern, "isjo") ~= nil then
            return false
        end
    end
    return true
end

--实现检测URL长度是否合法的函数

function CheckURL(url)
    -- True (reject) when url is longer than 3000 bytes, false otherwise.
    -- Length is in bytes, not characters.
    return #url > 3000
end

--实现以特定分隔符分隔字符串功能的函数

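string.split = function(s, p)
    -- Split s on any character of p, dropping empty pieces (consecutive
    -- delimiters collapse). p is escaped before it is placed inside the
    -- character class, so delimiters such as "%" or "]" no longer yield a
    -- malformed pattern (the original built "[^" .. p .. "]+" verbatim).
    -- Installed on the string library as before so the existing caller
    -- (CheckHttpVersion) keeps working.
    -- @param s string
    -- @param p string  one or more delimiter characters
    -- @return table   sequence of non-empty pieces, in order
    local pieces = {}
    -- "%W" escapes every non-alphanumeric character; "%<c>" is a literal <c>
    -- inside a set
    local class = string.gsub(p, "%W", "%%%0")
    for piece in string.gmatch(s, "[^" .. class .. "]+") do
        pieces[#pieces + 1] = piece
    end
    return pieces
end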

--实现检测HTTP协议版本是否合法的函数

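function CheckHttpVersion(rawHeader)
    -- True (reject) unless the third space-separated token of the first line
    -- of rawHeader starts with "HTTP/0.x" or "HTTP/1.x"; false means accepted.
    -- A non-string header, an empty request line or a missing version token
    -- is now reported as invalid instead of raising (the original indexed a
    -- nil element). "HTTP/2.0" lies outside the accepted range and is
    -- rejected — confirm that is intended for the deployment.
    -- @param rawHeader string|nil  raw request header from ngx.req.raw_header()
    -- @return boolean
    if type(rawHeader) ~= "string" then
        return true
    end
    local requestLine = string.match(rawHeader, "^[^\n]*")
    -- third run of non-space characters: same tokenisation as
    -- string.split(requestLine, ' ')[3]
    local version = string.match(requestLine, "^ *[^ ]+ +[^ ]+ +([^ ]+)")
    if version == nil then
        return true
    end
    return string.match(version, "^HTTP/[0-1]%.[0-9]") == nil
end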
----------------------------------------------WAF功能函数实现结束-----------------------------------

 

main.lua:

 

------------------------------------------------------------------------------------------------------
--模块名称:main.lua
--模块功能:WAF主流程文件
------------------------------------------------------------------------------------------------------

--获取客户端HTTP请求相关数据

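local clientIP = GetClientIP()
local method = GetMethod()
local uri = GetURI()
local userAgent = GetUserAgent()
local cookie = GetCookie()
local referer = GetReferer()
local rawHeader = ngx.req.raw_header()
-- Host is client-supplied and may be missing (HTTP/1.0) or not a string;
-- substitute "null" so building the URL cannot raise and fail the request.
local host = ngx.req.get_headers()["host"]
if type(host) ~= "string" then
    host = "null"
end
local url = "http://" .. host .. uri
-- NOTE(review): clientIP prefers X-Forwarded-For, which the client controls
-- unless a trusted proxy overwrites it; a forged value can steer a request
-- onto the whitelist path below — confirm how that header is handled upstream.

--调用加载攻击类型和攻击特征的方法,获取其返回值
-- NOTE(review): this re-reads every rule file on each request; loading them
-- once (e.g. from init.lua) would avoid the per-request disk I/O.
local attackType, attackSig = GetAttackTypeAndSig()

-- waf_block == "true": log and block (redirect to the alert page);
-- anything else is alert mode: log only and let the request through.
local blocking = (waf_block == "true")

--- Build one attack-log line:
-- time|client_ip|url|user_agent|base64(request)|attack_type|base64(matched)
-- For POST requests the logged request is raw header + body; when the body
-- cannot be read the header alone is logged (the original then handed nil to
-- WriteLog, which raised). rawHeader itself is never modified, so alert mode
-- no longer base64-encodes it a second time for later hits.
-- @param attackName string  rule name or policy tag
-- @param matched    string  signature text that fired, or attackName for policy hits
-- @return string
local function BuildLogEntry(attackName, matched)
    local request = rawHeader
    if method == "POST" then
        ngx.req.read_body()
        local body_data = ngx.req.get_body_data()
        if body_data ~= nil then
            request = rawHeader .. body_data
        end
    end
    return ngx.time() .. "|" .. clientIP .. "|" .. url .. "|" .. userAgent .. "|"
        .. ngx.encode_base64(request) .. "|" .. attackName .. "|" .. ngx.encode_base64(matched)
end

--- Log a detection and apply the configured action. In blocking mode this
-- does not return (ShowAlertPage redirects and ends the request); in alert
-- mode it flushes and lets the remaining checks run, as before.
-- @param attackName string
-- @param matched    string
local function Report(attackName, matched)
    WriteLog(BuildLogEntry(attackName, matched))
    if blocking then
        ShowAlertPage()
    else
        ngx.flush()
    end
end

--- Run the signature rules over one request field and report a hit.
-- @param value string|nil
local function Scan(value)
    if value == nil then
        return
    end
    local rs = CheckAttack(value, attackType, attackSig)
    if rs[1] == true then
        Report(rs[2], rs[3])
    end
end

-----------------------------------------检测流程开始-------------------------------------------------
--如果WAF开启,进入下面检测流程,否则退出
if waf_open == "true" then
    --IP与协议层检查:按原顺序,命中第一个即处理
    if CheckWhiteList(clientIP) == true then
        ngx.flush()
    elseif CheckBlackList(clientIP) == true then
        Report("black_ip", "black_ip")
    elseif CheckMethod(method) == true then
        Report("http_method_err", "http_method_err")
    elseif CheckURL(uri) == true then
        Report("url_len_err", "url_len_err")
    elseif CheckHttpVersion(rawHeader) == true then
        Report("http_ver_err", "http_ver_err")
    end
    --特征检查:Cookie、User-Agent、Referer,然后是POST参数或URI
    -- NOTE(review): these run for whitelisted clients too — the whitelist only
    -- skips the checks above. Kept as in the original flow; confirm it is intended.
    if cookie ~= "null" then
        Scan(cookie)
    end
    if userAgent ~= "null" then
        Scan(userAgent)
    end
    if referer ~= "null" then
        Scan(referer)
    end
    if method == "POST" then
        --POST参数先URL解码再检测
        local vals = GetPostArgs()
        for i = 1, #vals do
            Scan(ngx.unescape_uri(vals[i]))
        end
    elseif uri ~= "null" then
        --非POST请求检测URL解码后的URI
        Scan(ngx.unescape_uri(uri))
    end
else
    ngx.flush()
end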

-----------------------------------------检测流程结束-------------------------------------------------
