-
Notifications
You must be signed in to change notification settings - Fork 0
/
RuleMakeEvent.py
64 lines (56 loc) · 1.89 KB
/
RuleMakeEvent.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
import csv
#file_name="not_require.csv"
#file_name="require.csv"
file_name= "csv/total.csv"
def MakeRegex():
"(?i)([<<](xss|a) -)[\s\S]*?onactivate[\s\S]*?[>>]"
f = open(file_name, 'r', encoding='utf-8')
rdr = csv.reader(f)
event_check=""
tag_or=""
for line in rdr:
event=line[0]
tag=line[1]
#print(tag)
if event_check=="":
event_check = event
if event_check!=event:
if tag_or[0]=="|":
tag_or=tag_or[1:]
#regex=f"(?i)([<<]({tag_or})[ /])[\s\S]*?({event_check})[\s\S]*?[>>]"
regex = f"(?i)([<<]({tag_or})[ ,/])[^>>]*?({event_check})[^>>]*?[>>]"
#print(regex)
#return
event_check=event
tag_or = tag
yield regex
else:
tag_or+="|"+tag
#print(event)
regex = f"(?i)([<<]({tag_or})[ ,/])[^>>]*?({event_check})[^>>]*?[>>]"
f.close()
yield regex
def main():
rule_id=111111111
with open("rule/event-handle.conf", "w", encoding='utf-8') as f:
for i in MakeRegex():
#print(i)
matched_data="%{TX.0}"
matched_var_name="%{MATCHED_VAR_NAME}"
matched_var="%{MATCHED_VAR}"
secRule=f'''SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "{i}" \\
"msg:'NoScript XSS InjectionChecker: HTML Injection',\\
id:{rule_id},\\
severity:'CRITICAL',\\
capture,\\
phase:request,\\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\\
tag:'attack-xss',\\
logdata:'Matched Data: {matched_data} found within {matched_var_name}: {matched_var}'
'''
print(secRule)
f.write(secRule)
f.write("\n")
rule_id+=1
if __name__ == '__main__':
main()