File Coverage

lib/ThreatDetector/Handlers/MethodAbuse.pm
Criterion Covered Total %
statement 21 21 100.0
branch 1 2 50.0
condition 2 2 100.0
subroutine 7 7 100.0
pod 0 2 0.0
total 31 34 91.1


line stmt bran cond sub pod time code
1             package ThreatDetector::Handlers::MethodAbuse;
2            
3 3     3   139140 use strict;
  3         6  
  3         121  
4 3     3   15 use warnings;
  3         10  
  3         172  
5 3     3   38 use Exporter 'import';
  3         5  
  3         143  
6 3     3   884 use JSON;
  3         18560  
  3         21  
7 3     3   823 use Time::HiRes qw(gettimeofday);
  3         21  
  3         25  
8            
9             our $VERBOSE = 0;    # when true, handle_http_method also prints each alert as one JSON line
10             our @EXPORT_OK = qw(handle_http_method get_http_method_abuse_events);    # exported only on request (Exporter's import)
11             our @HTTP_METHOD_EVENTS;    # every alert pushed by handle_http_method; nothing in this file trims or clears it
12             our $VERSION = '0.04';
13            
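# Record one "http_method_abuse" alert for a parsed request entry.
#
# $entry is a hash reference; the keys ip, method, uri, status, user_agent
# and referer are copied into the alert (a missing or false referer is
# stored as ''). The alert is appended to @HTTP_METHOD_EVENTS and, when
# $VERBOSE is true, printed to the selected output handle as one JSON line.
# The return value is whatever the final statement yields and carries no
# meaning for callers.
#
# NOTE(review): the copied fields presumably come from a request log, so
# treat them as untrusted wherever the stored alerts are displayed or
# forwarded; only the JSON print path below is escaped by encode_json.
# NOTE(review): @HTTP_METHOD_EVENTS grows by one entry per call and is never
# trimmed in this file; a long-running caller may want to bound or drain it.
sub handle_http_method {
    my ($entry) = @_;
    my ($sec, $micro) = gettimeofday();

    my $alert = {
        # Zero-pad the microseconds: plain "$sec.$micro" renders 5 us as
        # ".5", which reads as half a second and breaks timestamp ordering.
        timestamp  => sprintf('%d.%06d', $sec, $micro),
        type       => 'http_method_abuse',
        ip         => $entry->{ip},
        method     => $entry->{method},
        uri        => $entry->{uri},
        status     => $entry->{status},
        user_agent => $entry->{user_agent},
        referer    => $entry->{referer} || '',
    };
    push @HTTP_METHOD_EVENTS, $alert;
    print encode_json($alert) . "\n" if $VERBOSE;
}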
31            
# Hand back every alert recorded so far by handle_http_method.
#
# In list context this is the list of alert hash references; in scalar
# context it is the number of recorded alerts. The list is a shallow copy:
# the hash references are the same ones held in @HTTP_METHOD_EVENTS, so a
# caller that edits an alert edits the stored record too.
sub get_http_method_abuse_events {
    my @recorded = @HTTP_METHOD_EVENTS;
    return @recorded;
}
35            
36             1;
37            
38            
39             =head1 NAME
40            
41             ThreatDetector::Handlers::MethodAbuse - Handler for abuse of uncommon or dangerous HTTP methods
42            
43             =head1 SYNOPSIS
44            
45             use ThreatDetector::Handlers::MethodAbuse qw(handle_http_method);
46            
47             handle_http_method($entry);
48            
49             =head1 DESCRIPTION
50            
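51             Prints a JSON alert when a request uses a suspicious HTTP method such as PUT, DELETE, TRACE, or CONNECT. These methods are rarely needed in normal web traffic and are often associated with probing or misuse. The alert is printed only when C<$VERBOSE> is true; every alert is also kept in C<@HTTP_METHOD_EVENTS> and can be read back with C<get_http_method_abuse_events>.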
52            
53             =head1 AUTHOR
54            
55             Jason Hall
56            
57             =cut