Last active
August 23, 2016 13:57
-
-
Save dtateii/e6af0d28578f36aa2d2b to your computer and use it in GitHub Desktop.
Watch for suspicious requests and notify on Slack. For use on hosts lacking adequate logging capabilities. This file can be loaded on every request using .htaccess `php_value auto_prepend_file {/path/to/security_watch.php}`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * @file | |
| * Simple processing on requests with notification. | |
| */ | |
| _njisec_check_querystring(); | |
| _njisec_check_method(); | |
| _njisec_check_language(); | |
| /** | |
| * Trigger Slack Notice. | |
| */ | |
| function _njisec_slack($message, $channel = "#devops", $icon = ":oncoming_police_car:") { | |
| $data = "payload=" . json_encode(array( | |
| "text" => $message, | |
| "channel" => $channel, | |
| "icon_emoji" => $icon, | |
| )); | |
| $ch = curl_init("https://hooks.slack.com/services/------/------"); | |
| curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); | |
| curl_setopt($ch, CURLOPT_POSTFIELDS, $data); | |
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); | |
| $result = curl_exec($ch); | |
| curl_close($ch); | |
| return $result; | |
| } | |
| /** | |
| * Include URL and header info. | |
| */ | |
| function _njisec_msg_basic($title, $pre = NULL) { | |
| $headers = apache_request_headers(); | |
| $msg = "\n---------------------------------------------\n"; | |
| $msg .= "_Site Name _ \n"; | |
| $msg .= '_' . date("Y-m-d H:i:s") . "_ \n"; | |
| $msg .= "*{$title}*\n"; | |
| if ($pre) { | |
| $msg .= $pre . "\n"; | |
| } | |
| $msg .= "URL: `" . $_SERVER['REQUEST_URI'] . "`\n"; | |
| $msg .= "HEADERS: " . json_encode($headers) . "\n"; | |
| return $msg; | |
| } | |
| /** | |
| * Investigate POST data. | |
| */ | |
| function _njisec_check_language() { | |
| $headers = apache_request_headers(); | |
| $suspect_languages = array('zh-CN', 'ja', 'ja-jp'); | |
| if (in_array($headers['Accept-Language'], $suspect_languages)) { | |
| $msg = _njisec_msg_basic('Suspect Language Header'); | |
| _njisec_slack($msg); | |
| } | |
| } | |
| /** | |
| * Investigate POST data. | |
| */ | |
| function _njisec_check_method() { | |
| $normal_methods = array('post', 'get'); | |
| $method = strtolower($_SERVER['REQUEST_METHOD']); | |
| if ('post' == $method) { | |
| $msg = _njisec_msg_basic('Post Data', 'POST: ' . json_encode($_POST)); | |
| _njisec_slack($msg); | |
| } | |
| if (!in_array($method, $normal_methods)) { | |
| $msg = _njisec_msg_basic('Suspicious Method', "METHOD: " . $method); | |
| _njisec_slack($msg); | |
| } | |
| } | |
| /** | |
| * Investigate Query Strings. | |
| */ | |
| function _njisec_check_querystring() { | |
| if (!empty($_SERVER['QUERY_STRING'])) { | |
| // Disregard pagination. | |
| if (FALSE !== stripos($_SERVER['QUERY_STRING'], 'page=')) { | |
| return; | |
| } | |
| // Disregard security tests. | |
| if (FALSE !== stripos($_SERVER['REQUEST_URI'], '_security_test.php')) { | |
| return; | |
| } | |
| $msg = _njisec_msg_basic('Query Data'); | |
| _njisec_slack($msg); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment