【FreeBuf福利群招新啦!
群内不定期开启各种抽奖活动;
FreeBuf盲盒、大象公仔......
在这里,拓宽网安边界
甲方安全建设干货;
乙方最新技术理念;
全球最新的网络安全资讯;
如群已满,请添加FreeBuf小助手微信(freebee2022)】
WAFARAY是一款基于Web应用防火墙和YARA规则的强大安全工具,该工具可以帮助广大研究人员增强自身的恶意软件检测能力。WAFARAY是一个基于Debian 11.3.0(稳定版) x64实现的实验环境,能够基于Web应用防火墙和YARA规则来检测通过Web功能(例如文件上传)感染的恶意文件,例如Webshell、病毒、恶意软件和恶意代码等等。
1、通过使用自定义规则的ModSecurity(WAF)预编译并准备使用YARA规则;
2、工具将使用该自定义规则对可能包含恶意代码的文件进行检查和检测;
3、一般来说,如果通过Web功能(例如上传文件)上传了可疑文件,那么ModSecurity将会拒绝接收该文件并返回403错误代码;
Yara编译规则: /YaraRules/Compiled
Yara默认规则: /YaraRules/rules
Yara脚本: /YaraRules/YaraScripts
Apache vhosts: /etc/apache2/sites-enabled
Temporal文件: /temporal
Blueteamers:规则执行,发送警报,检测通过Web上传文件功能上传的恶意软件;
Redteamers/pentesters:灰盒范围,上传和绕过恶意文件,规则执行;
Security Officers:持续警报、威胁搜索;
SOC:监控恶意文件;
CERT:恶意软件分析,判断新的IoC;
项目提供了一个wafaray_install.sh,项目提供的manual_instructions.txt中也包含了手动安装的指引。除此之外,还提供了一个PHP页面来帮助我们于工具交互并使用WAF+YARA来检测恶意文件。
首先,我们需要安装并配置好Debian 11.3.0环境:
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/debian-11.3.0-amd64-DVD-1.iso
接下来,使用VMware或VirtualBox部署Debian。
安装完成之后,请运行下列命令:
alex@waf-labs:~$ su rootroot@waf-labs:/home/alex#
建议修改YOUR_USER为你自己的用户名,例如waf:
root-labs:/home/alex# sed -i 's/^\(# User privi.*\)/\1\nalex ALL=(ALL) NOPASSWD:ALL/g' /etc/sudoersroot-labs:/home/alex# exitalex-labs:~$ sudo sed -i 's/^\(deb cdrom.*\)/#\1/g' /etc/apt/sources.listalex-labs:~$ sudo sed -i 's/^# \(deb\-src http.*\)/ \1/g' /etc/apt/sources.listalex-labs:~$ sudo sed -i 's/^# \(deb http.*\)/ \1/g' /etc/apt/sources.listalex-labs:~$ echo -ne "\n\ndeb http://deb.debian.org/debian/ bullseye main\ndeb-src http://deb.debian.org/debian/ bullseye main\n" | sudo tee -a /etc/apt/sources.listalex-labs:~$ sudo apt-get updatealex-labs:~$ sudo apt-get install sudo -yalex-labs:~$ sudo apt-get install git vim dos2unix net-tools -yalex-labs:~$ git clone https://github.com/alt3kx/wafarayalex-labs:~$ cd wafarayalex-labs:~$ dos2unix wafaray_install.shalex-labs:~$ chmod +x wafaray_install.shalex-labs:~$ sudo ./wafaray_install.sh >> log_install.log
(向右滑动,查看更多)
测试你的实验环境:
alex@waf-labs:~$ firefox localhost:8080/upload.php当Yara规则下载并编译完毕之后,我们还需要自定义需要部署的规则类型。下面的日志中,显示的是当Web应用防火墙+Yara规则检测到恶意文件时的场景:
Message: Access denied with code 403 (phase 2). File "/temporal/20220812-184146-YvbXKilOKdNkDfySME10ywAAAAA-file-Wx1hQA" rejected bythe approver script "/YaraRules/YaraScripts/modsec_yara.py": 0 SUSPECTED [YaraSignature: eicar][file "/etc/apache2/sites-enabled/test.conf"] [line "56"] [id "500002"][msg "Suspected File Upload:eicar.com.txt -> /temporal/20220812-184146-YvbXKilOKdNkDfySME10ywAAAAA-file-Wx1hQA - URI: /upload.php"]
(向右滑动,查看更多)
终止/运行ModSecurity
sudo service apache2 stop$ sudo service apache2 start
Apache日志
cd /var/log$ sudo tail -f apache2/test_access.log apache2/test_audit.log apache2/test_error.log
(向右滑动,查看更多)
本项目的开发与发布遵循GPL-3.0开源许可证协议。
WAFARAY:
https://mp.weixin.qq.com/cgi-bin/appmsg?t=media/appmsg_edit_v2&action=edit&isNew=1&type=77&createType=0&token=41151176&lang=zh_CN#---3
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://kifarunix.com/intercept-malicious-file-upload-with-modsecurity-and-clamav/
https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
https://yara.readthedocs.io/en/latest/gettingstarted.html
https://yara.readthedocs.io/en/v3.4.0/yarapython.html
https://virustotal.github.io/yara/
https://www.tutorialspoint.com/perl/perl_introduction.htm
https://malware.expert/scan-every-file-clam-antivirus-scanner-modsecurity/
https://xael.org/pages/pyclamd-en.html
https://docs.clamav.net/
https://www.decalage.info/en/python/pyclamd
https://opensource.apple.com/source/clamav/clamav-116.2/clamav.Conf/clamd.conf.auto.html
https://c99.sh/hunting-0days-with-yara-rules/
https://github.com/claroty/arya
https://isc.sans.edu/diary/YARA%27s+Console+Module/28288
文章引用微信公众号"FreeBuf",如有侵权,请联系管理员删除!