File Coverage

lib/ThreatDetector/Handlers/CommandInjection.pm

Criterion	Covered	Total	%
statement	21	21	100.0
branch	1	2	50.0
condition			n/a
subroutine	7	7	100.0
pod	0	2	0.0
total	29	32	90.6

line	stmt	bran	sub	pod	time	code
1						package ThreatDetector::Handlers::CommandInjection;
2
3	3		3		85781	use strict;
	3				7
	3				106
4	3		3		23	use warnings;
	3				5
	3				213
5	3		3		19	use Exporter 'import';
	3				18
	3				89
6	3		3		648	use JSON;
	3				13297
	3				19
7	3		3		418	use Time::HiRes qw(gettimeofday);
	3				6
	3				24
8
9						our $VERBOSE = 0;
10						our @EXPORT_OK = qw(handle_command_injection get_command_injection_events);
11						our @COMMAND_INJECTION_EVENTS;
12						our $VERSION = '0.04';
13
14						sub handle_command_injection {
15	1		1	0	282985	my ($entry) = @_;
16	1				6	my ($sec, $micro) = gettimeofday();
17
18						my $alert = {
19						timestamp => "$sec.$micro",
20						type => 'command_injection',
21						ip => $entry->{ip},
22						method => $entry->{method},
23						uri => $entry->{uri},
24						status => $entry->{status},
25						user_agent => $entry->{user_agent},
26	1				15	};
27	1				3	push @COMMAND_INJECTION_EVENTS, $alert;
28	1	50			12	print encode_json($alert) . "\n" if $VERBOSE;
29						}
30
31						sub get_command_injection_events {
32	1		1	0	7	return @COMMAND_INJECTION_EVENTS;
33						}
34
35						1;
36
37						=head1 NAME
38
39						ThreatDetector::Handlers::CommandInjection - Handler for command injection/RFI/LFI attempts
40
41						=head1 SYNOPSIS
42
43						use ThreatDetector::Handlers::CommandInjection qw(handle_command_injection);
44
45						handle_command_injection($entry);
46
47						=head1 DESCRIPTION
48
49						Prints a JSON alert for requests that appear to contain command injection or remote/local file inclusion attempts. These are serious indicators of active exploitation attempts.
50
51						=head1 AUTHOR
52
53						Jason Hall
54
55						=cut