refactor: improve honeypot request tracking and documentation
This commit is contained in:
Lorenzo Venerandi
@@ -576,6 +576,7 @@ wordlists:
|
||||
xxe_injection: "(<!ENTITY|<!DOCTYPE|SYSTEM\\s+[\"']|PUBLIC\\s+[\"']|&\\w+;|file://|php://filter|expect://)"
|
||||
ldap_injection: "(\\*\\)|\\(\\||\\(&)"
|
||||
command_injection: "(cmd=|exec=|command=|execute=|system=|ping=|host=|&&|\\|\\||;|\\$\\{|\\$\\(|`|\\bid\\b|\\bwhoami\\b|\\buname\\b|\\bcat\\b|\\bls\\b|\\bpwd\\b|\\becho\\b|\\bwget\\b|\\bcurl\\b|\\bnc\\b|\\bnetcat\\b|\\bbash\\b|\\bsh\\b|\\bps\\b|\\bkill\\b|\\bchmod\\b|\\bchown\\b|\\bcp\\b|\\bmv\\b|\\brm\\b|/bin/bash|/bin/sh|cmd\\.exe|/bin/|/usr/bin/|/sbin/)"
|
||||
common_probes: "(/admin|/backup|/config|/database|/private|/uploads|/wp-admin|/login|/phpMyAdmin|/phpmyadmin|/users|/search|/contact|/info|/input|/feedback|/server|/api/v1/|/api/v2/|/api/search|/api/sql|/api/database|\\.env|/credentials\\.txt|/passwords\\.txt|\\.git|/backup\\.sql|/db_backup\\.sql)"
|
||||
suspicious_patterns:
|
||||
- bot
|
||||
- crawler
|
||||
|
||||
@@ -43,11 +43,11 @@ from logger import get_app_logger, get_access_logger, get_credential_logger
|
||||
|
||||
|
||||
# --- Auto-tracking dependency ---
|
||||
# Only records requests where an attack pattern is detected in the path or body.
|
||||
# Records requests that match attack patterns or honeypot trap paths.
|
||||
|
||||
|
||||
async def _track_honeypot_request(request: Request):
|
||||
"""Record access only for requests with detected attack patterns."""
|
||||
"""Record access for requests with attack patterns or honeypot path hits."""
|
||||
tracker = request.app.state.tracker
|
||||
client_ip = get_client_ip(request)
|
||||
user_agent = request.headers.get("User-Agent", "")
|
||||
@@ -58,7 +58,7 @@ async def _track_honeypot_request(request: Request):
|
||||
body_bytes = await request.body()
|
||||
body = body_bytes.decode("utf-8", errors="replace")
|
||||
|
||||
# Only record if an attack pattern is detected in the path or body
|
||||
# Check attack patterns in path and body
|
||||
attack_findings = tracker.detect_attack_type(path)
|
||||
|
||||
if body:
|
||||
@@ -66,7 +66,8 @@ async def _track_honeypot_request(request: Request):
|
||||
decoded_body = urllib.parse.unquote(body)
|
||||
attack_findings.extend(tracker.detect_attack_type(decoded_body))
|
||||
|
||||
if attack_findings:
|
||||
# Record if attack pattern detected OR path is a honeypot trap
|
||||
if attack_findings or tracker.is_honeypot_path(path):
|
||||
tracker.record_access(
|
||||
ip=client_ip,
|
||||
path=path,
|
||||
@@ -398,15 +399,16 @@ async def trap_page(request: Request, path: str):
|
||||
f"[SUSPICIOUS] {client_ip} - {user_agent[:50]} - {full_path}"
|
||||
)
|
||||
|
||||
# Always record trap page access (feeds total counter + suspicious panel).
|
||||
# Only store raw_request for suspicious/attack requests to avoid DB bloat.
|
||||
tracker.record_access(
|
||||
ip=client_ip,
|
||||
path=full_path,
|
||||
user_agent=user_agent,
|
||||
method=request.method,
|
||||
raw_request=build_raw_request(request) if is_suspicious else "",
|
||||
)
|
||||
# Record access unless the router dependency already handled it
|
||||
# (attack pattern or honeypot path → already recorded by _track_honeypot_request)
|
||||
if not tracker.detect_attack_type(full_path) and not tracker.is_honeypot_path(full_path):
|
||||
tracker.record_access(
|
||||
ip=client_ip,
|
||||
path=full_path,
|
||||
user_agent=user_agent,
|
||||
method=request.method,
|
||||
raw_request=build_raw_request(request) if is_suspicious else "",
|
||||
)
|
||||
|
||||
# Random error response
|
||||
if _should_return_error(config):
|
||||
|
||||
Reference in New Issue
Block a user