-
Notifications
You must be signed in to change notification settings - Fork 271
Authoring Analysis Rules
Attack Surface Analyzer allows the user to specify a set of Rules which contain triggers to flag results found by Attack Surface Analyzer. This page documents the format for specifying those rules.
If you have an interesting rule you think would make a good fit for the default ruleset please open an issue with your contribution.
Starting with ASA 2.3 we use the Object Analysis Toolkit library, which was originally developed as the Analyzer engine in ASA. The main user facing change is the changes to the Operation enum. If you have custom rules written for ASA 2.2 they will need to be slightly modified for 2.3.
The Operation Enum previous to 2.3 was called OPERATION and the earlier values map to new values like this:
CUSTOM => Custom
REGEX => Regex
EQUALS => Equals
LT => LessThan
GT => GreaterThan
CONTAINS => Contains
WAS_MODIFIED => WasModified
ENDS_WITH => EndsWith
STARTS_WITH => StartsWith
CONTAINS_ANY => ContainsAny
IS_NULL => IsNull
IS_TRUE => IsTrue
IS_BEFORE => IsBefore
IS_AFTER => IsAfter
IS_EXPIRED => IsExpired
CONTAINS_KEY => ContainsKey
Attack Surface Analyzer comes with a default set of rules you can view here.
Rules are defined in a JSON file provided by the user or embedded in the build. The Rules file is Deserialized into a RuleFile Object and processed by the Analysis engine against each object with a matching Result Type.
This is a simple analyses.json file with a single rule.
{
"Rules": [
{
"Name": "Privileged ports",
"Description": "Flag when privileged ports are opened.",
"Flag": "WARNING",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "LT",
"Data": [
"1024"
]
}
]
}
],
"DefaultLevels": {
"PORT": "INFORMATION",
"FILE": "DEBUG",
"SERVICE": "INFORMATION",
"CERTIFICATE": "INFORMATION",
"USER": "INFORMATION",
"REGISTRY": "DEBUG",
"FIREWALL": "INFORMATION",
"COM": "INFORMATION",
"LOG": "DEBUG"
}
}The Rules section is a List of ASA Rules which derive from OAT Rule. If no Rules are present, only the DefaultLevels (if present) will be applied.
The DefaultLevels, if present, override the hardcoded default information level of INFORMATION.
A Rule contains
- a
Flag(ANALYSIS_RESULT_TYPE) - a
Name - a
ResultType(RESULT_TYPE specifying a CollectObject type the Rule should apply to) - an optional
Description - an optional list of 0 or more
Clauses(Clause) - an optional boolean
Expression - an optional list of
Platformsto restrict the rule to (PLATFORM) - an optional list of
ChangeTypesto restrict the rule to (CHANGE_TYPE)
A Rule matches an Object when:
- The Object's type maps to the specified
ResultTypeAND any of- the rule has no
Clauses - the rule has no
ExpressionAND all itsClausesare true - the evaluation of the
Expressionis true
- the rule has no
The Flag levels are defined in ANALYSIS_RESULT_TYPE. Results will be flagged with the most severe flag of any of the rules applied to them.
Flag levels in increasing order of severity are:
NONE
VERBOSE
DEBUG
INFORMATION
WARNING
ERROR
FATAL
A Clause contains:
- An
Operation(Operation) - A
Fieldthat the Clause applies to. Any Public Property or Sub-property of Any Object which inherits from CollectObject. - An optional
Label(required if using anExpressionin the associatedRule). The Label may contain any characters other than spaces and parenthesis. - An optional List,
Dataas appropriate depending on theOperation. - An optional Dictionary,
DictDataas appropriate depending on theOperation.
The Expression in a rule is a user specified boolean expression across the defined Clauses' Labels in the Rule.
These are some examples of Valid Expressions:
FOO
FOO AND BAR
FOO OR BAR NAND BAZ (BAT123 XOR $B@A%N)
Expressions can be created using any of the standard boolean operators in addition to parenthesis.
OR
AND
NOR
NAND
XOR
NOT
To verify your rules run asa verify --AnalysisFile path/to/file.json. You should receive a list of any found issues in your rule definitions.
The following examples are JSON snippets from the default ruleset.
This is an example of a simple rule which flags open ports below 1024.
{
"Name": "Privileged ports",
"Description": "Flag when privileged ports are opened.",
"Flag": "WARNING",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "LessThan",
"Data": [
"1024"
]
}
]
}
This is an example of a more complicated rule which uses an OR based Expression in order to match the hosts file on Windows, Linux and Mac systems with one rule.
{
"Name": "Modified Hosts File",
"Description": "Flag when the hosts file is modified.",
"Flag": "WARNING",
"ChangeTypes": [
"MODIFIED"
],
"ResultType": "FILE",
"Expression": "WINDOWS OR NIX",
"Clauses": [
{
"Label": "WINDOWS",
"Field": "Path",
"Operation": "Regex",
"Data": [
"[A-Z]:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts"
]
},
{
"Label": "NIX",
"Field": "Path",
"Operation": "Equals",
"Data": [
"/etc/hosts"
]
}
]
}ASA Rules inherit from the Object Analysis Toolkit Rule class and all OAT functionality is available.
For more information see Authoring Rules on the OAT Wiki
Attack Surface Analyzer comes with a default set of rules you can view here.
Rules are defined in a JSON file provided by the user or embedded in the build. The Rules file is Deserialized into a RuleFile Object and processed by the Analysis engine against each object with a matching Result Type.
This is a simple analyses.json file with a single rule.
{
"Rules": [
{
"Name": "Privileged ports",
"Description": "Flag when privileged ports are opened.",
"Flag": "WARNING",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "LT",
"Data": [
"1024"
]
}
]
}
],
"DefaultLevels": {
"PORT": "INFORMATION",
"FILE": "DEBUG",
"SERVICE": "INFORMATION",
"CERTIFICATE": "INFORMATION",
"USER": "INFORMATION",
"REGISTRY": "DEBUG",
"FIREWALL": "INFORMATION",
"COM": "INFORMATION",
"LOG": "DEBUG"
}
}The Rules section is a List of Rules. If no Rules are present, only the DefaultLevels (if present) will be applied.
The DefaultLevels, if present, override the hardcoded default information level of INFORMATION.
A Rule contains
- a
Flag(ANALYSIS_RESULT_TYPE) - a
Name - a
ResultType(RESULT_TYPE specifying a CollectObject type the Rule should apply to) - an optional
Description - an optional list of 0 or more
Clauses(Clause) - an optional boolean
Expression - an optional list of
Platformsto restrict the rule to (PLATFORM) - an optional list of
ChangeTypesto restrict the rule to (CHANGE_TYPE)
A Rule matches an Object when:
- The Object's type maps to the specified
ResultTypeAND any of- the rule has no
Clauses - the rule has no
ExpressionAND all itsClausesare true - the evaluation of the
Expressionis true
- the rule has no
The Flag levels are defined in ANALYSIS_RESULT_TYPE. Results will be flagged with the most severe flag of any of the rules applied to them.
Flag levels in increasing order of severity are:
NONE
VERBOSE
DEBUG
INFORMATION
WARNING
ERROR
FATAL
A Clause contains:
- An
Operation(OPERATION) - A
Fieldthat the Clause applies to. Any Public Property or Sub-property of Any Object which inherits from CollectObject. - An optional
Label(required if using anExpressionin the associatedRule). The Label may contain any characters other than spaces and parenthesis. - An optional List,
Dataas appropriate depending on theOperation. - An optional Dictionary,
DictDataas appropriate depending on theOperation.
The Expression in a rule is a user specified boolean expression across the defined Clauses' Labels in the Rule.
These are some examples of Valid Expressions:
FOO
FOO AND BAR
FOO OR BAR NAND BAZ (BAT123 XOR $B@A%N)
Expressions can be created using any of the standard boolean operators in addition to parenthesis.
OR
AND
NOR
NAND
XOR
NOT
To verify your rules run asa verify --filename path/to/file.json. You should receive a list of any found issues in your rule definitions.
The following examples are JSON snippets from the default ruleset.
This is an example of a simple rule which flags open ports below 1024.
{
"Name": "Privileged ports",
"Description": "Flag when privileged ports are opened.",
"Flag": "WARNING",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "LT",
"Data": [
"1024"
]
}
]
}
This is an example of a more complicated rule which uses an OR based Expression in order to match the hosts file on Windows, Linux and Mac systems with one rule.
{
"Name": "Modified Hosts File",
"Description": "Flag when the hosts file is modified.",
"Flag": "WARNING",
"ChangeTypes": [
"MODIFIED"
],
"ResultType": "FILE",
"Expression": "WINDOWS OR NIX",
"Clauses": [
{
"Label": "WINDOWS",
"Field": "Path",
"Operation": "REGEX",
"Data": [
"[A-Z]:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts"
]
},
{
"Label": "NIX",
"Field": "Path",
"Operation": "EQ",
"Data": [
"/etc/hosts"
]
}
]
}