

webapp/flowlist: immediately show tags selection
aiooss-anssi committed Aug 1, 2024
1 parent fba9428 commit 4fb9c81
Showing 2 changed files with 39 additions and 27 deletions.
57 changes: 30 additions & 27 deletions suricata/rules/suricata.rules
Expand Up @@ -118,31 +118,33 @@ rejectboth ip any any -> any any (msg: "Found LDAP 'userPassword='"; flow:to_ser
rejectboth ip any any -> any any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; flow:to_server; content: "_$$ND_FUNC$$_"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/'"; flow:to_server; content: "/dev/tcp/"; metadata: tag DEV TCP, color warning; sid: 4201;)
rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/' (URL encoded)"; flow:to_server; content: "%2Fdev%2Ftcp"; metadata: tag DEV TCP, color warning; sid: 4202;)
rejectboth ip any any -> any any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4203;)
rejectboth ip any any -> any any (msg: "Found path '/var/lib/' (URL encoded)"; flow:to_server; content: "%2Fvar%2Flib%2F"; metadata: tag VARLIB PATH, color warning; sid: 4204;)
rejectboth ip any any -> any any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4205;)
rejectboth ip any any -> any any (msg: "Found path '/var/log/ (URL encoded)'"; flow:to_server; content: "%2Fvar%2Flog%2F"; metadata: tag VARLOG PATH, color warning; sid: 4206;)
rejectboth ip any any -> any any (msg: "Found path '/bin/nc'"; flow:to_server; content: "/bin/nc"; metadata: tag BIN NC, color warning; sid: 4207;)
rejectboth ip any any -> any any (msg: "Found path '/bin/nc' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fnc"; metadata: tag BIN NC, color warning; sid: 4208;)
rejectboth ip any any -> any any (msg: "Found path '/bin/sh'"; flow:to_server; content: "/bin/sh"; metadata: tag BIN SH, color warning; sid: 4209;)
rejectboth ip any any -> any any (msg: "Found path '/bin/sh' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fsh"; metadata: tag BIN SH, color warning; sid: 4210;)
rejectboth ip any any -> any any (msg: "Found path '/bin/bash'"; flow:to_server; content: "/bin/bash"; metadata: tag BIN BASH, color warning; sid: 4211;)
rejectboth ip any any -> any any (msg: "Found path '/bin/bash' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fbash"; metadata: tag BIN BASH, color warning; sid: 4212;)
rejectboth ip any any -> any any (msg: "Found path 'file://'"; flow:to_server; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4213;)
rejectboth ip any any -> any any (msg: "Found path 'file://' (URL encoded)"; flow:to_server; content: "file%3A%2F%2F"; nocase; metadata: tag FILE PATH, color warning; sid: 4214;)
rejectboth ip any any -> any any (msg: "Found path 'gopher://'"; flow:to_server; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4215;)
rejectboth ip any any -> any any (msg: "Found path 'gopher://' (URL encoded)"; flow:to_server; content: "gopher%3A%2F%2F"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4216;)
rejectboth ip any any -> any any (msg: "Found path 'ldap://'"; flow:to_server; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4217;)
rejectboth ip any any -> any any (msg: "Found path 'ldap://' (URL encoded)"; flow:to_server; content: "ldap%3A%2F%2F"; nocase; metadata: tag LDAP PATH, color warning; sid: 4218;)
rejectboth ip any any -> any any (msg: "Found path 'phar://'"; flow:to_server; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4219;)
rejectboth ip any any -> any any (msg: "Found path 'phar://' (URL encoded)"; flow:to_server; content: "phar%3A%2F%2F"; nocase; metadata: tag PHAR PATH, color warning; sid: 4220;)
rejectboth ip any any -> any any (msg: "Found path 'php://'"; flow:to_server; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4221;)
rejectboth ip any any -> any any (msg: "Found path 'php://' (URL encoded)"; flow:to_server; content: "php%3A%2F%2F"; nocase; metadata: tag PHP PATH, color warning; sid: 4222;)
rejectboth ip any any -> any any (msg: "Found path 'tftp://'"; flow:to_server; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4223;)
rejectboth ip any any -> any any (msg: "Found path 'tftp://' (URL encoded)"; flow:to_server; content: "tftp%3A%2F%2F"; nocase; metadata: tag TFTP PATH, color warning; sid: 4224;)
rejectboth ip any any -> any any (msg: "Found path 'zip://'"; flow:to_server; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4225;)
rejectboth ip any any -> any any (msg: "Found path 'zip://' (URL encoded)"; flow:to_server; content: "zip%3A%2F%2F"; nocase; metadata: tag ZIP PATH, color warning; sid: 4226;)
rejectboth ip any any -> any any (msg: "Found path traversal '../../' (URL encoded)"; flow:to_server; content: "..%2F..%2F"; metadata: tag PATH TRAVERSAL, color warning; sid: 4227;)
rejectboth ip any any -> any any (msg: "Found path '/etc/passwd'"; flow:to_server; content: "/etc/passwd"; metadata: tag DEV TCP, color warning; sid: 4203;)
rejectboth ip any any -> any any (msg: "Found path '/etc/passwd' (URL encoded)"; flow:to_server; content: "%2Fetc%2Fpasswd"; metadata: tag DEV TCP, color warning; sid: 4204;)
rejectboth ip any any -> any any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4205;)
rejectboth ip any any -> any any (msg: "Found path '/var/lib/' (URL encoded)"; flow:to_server; content: "%2Fvar%2Flib%2F"; metadata: tag VARLIB PATH, color warning; sid: 4206;)
rejectboth ip any any -> any any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4207;)
rejectboth ip any any -> any any (msg: "Found path '/var/log/ (URL encoded)'"; flow:to_server; content: "%2Fvar%2Flog%2F"; metadata: tag VARLOG PATH, color warning; sid: 4208;)
rejectboth ip any any -> any any (msg: "Found path '/bin/nc'"; flow:to_server; content: "/bin/nc"; metadata: tag BIN NC, color warning; sid: 4209;)
rejectboth ip any any -> any any (msg: "Found path '/bin/nc' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fnc"; metadata: tag BIN NC, color warning; sid: 4210;)
rejectboth ip any any -> any any (msg: "Found path '/bin/sh'"; flow:to_server; content: "/bin/sh"; metadata: tag BIN SH, color warning; sid: 4211;)
rejectboth ip any any -> any any (msg: "Found path '/bin/sh' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fsh"; metadata: tag BIN SH, color warning; sid: 4212;)
rejectboth ip any any -> any any (msg: "Found path '/bin/bash'"; flow:to_server; content: "/bin/bash"; metadata: tag BIN BASH, color warning; sid: 4213;)
rejectboth ip any any -> any any (msg: "Found path '/bin/bash' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fbash"; metadata: tag BIN BASH, color warning; sid: 4214;)
rejectboth ip any any -> any any (msg: "Found path 'file://'"; flow:to_server; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4215;)
rejectboth ip any any -> any any (msg: "Found path 'file://' (URL encoded)"; flow:to_server; content: "file%3A%2F%2F"; nocase; metadata: tag FILE PATH, color warning; sid: 4216;)
rejectboth ip any any -> any any (msg: "Found path 'gopher://'"; flow:to_server; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4217;)
rejectboth ip any any -> any any (msg: "Found path 'gopher://' (URL encoded)"; flow:to_server; content: "gopher%3A%2F%2F"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4218;)
rejectboth ip any any -> any any (msg: "Found path 'ldap://'"; flow:to_server; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4219;)
rejectboth ip any any -> any any (msg: "Found path 'ldap://' (URL encoded)"; flow:to_server; content: "ldap%3A%2F%2F"; nocase; metadata: tag LDAP PATH, color warning; sid: 4220;)
rejectboth ip any any -> any any (msg: "Found path 'phar://'"; flow:to_server; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4221;)
rejectboth ip any any -> any any (msg: "Found path 'phar://' (URL encoded)"; flow:to_server; content: "phar%3A%2F%2F"; nocase; metadata: tag PHAR PATH, color warning; sid: 4222;)
rejectboth ip any any -> any any (msg: "Found path 'php://'"; flow:to_server; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4223;)
rejectboth ip any any -> any any (msg: "Found path 'php://' (URL encoded)"; flow:to_server; content: "php%3A%2F%2F"; nocase; metadata: tag PHP PATH, color warning; sid: 4224;)
rejectboth ip any any -> any any (msg: "Found path 'tftp://'"; flow:to_server; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4225;)
rejectboth ip any any -> any any (msg: "Found path 'tftp://' (URL encoded)"; flow:to_server; content: "tftp%3A%2F%2F"; nocase; metadata: tag TFTP PATH, color warning; sid: 4226;)
rejectboth ip any any -> any any (msg: "Found path 'zip://'"; flow:to_server; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4227;)
rejectboth ip any any -> any any (msg: "Found path 'zip://' (URL encoded)"; flow:to_server; content: "zip%3A%2F%2F"; nocase; metadata: tag ZIP PATH, color warning; sid: 4228;)
rejectboth ip any any -> any any (msg: "Found path traversal '../../' (URL encoded)"; flow:to_server; content: "..%2F..%2F"; metadata: tag PATH TRAVERSAL, color warning; sid: 4229;)
rejectboth ip any any -> any any (msg: "Found Java '${jndi:'"; flow:to_server; content: "${jndi:"; metadata: tag JAVA JNDI, color warning; sid: 4251;)
rejectboth ip any any -> any any (msg: "Found PHP '<?php' opening tag"; flow:to_server; content: "<?php"; nocase; metadata: tag PHP TAG, color warning; sid: 4301;)
rejectboth ip any any -> any any (msg: "Found PHP '$_FILES'"; flow:to_server; content: "$_FILES"; metadata: tag PHP FILES, color warning; sid: 4302;)
Expand All @@ -161,9 +163,10 @@ rejectboth ip any any -> any any (msg: "Found SQL '::bytea'"; flow:to_server; co
rejectboth ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; flow:to_server; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4358;)
rejectboth ip any any -> any any (msg: "Found SQL 'COALESCE('"; flow:to_server; content: "COALESCE("; nocase; metadata: tag SQL COAL, color warning; sid: 4359;)
rejectboth ip any any -> any any (msg: "Found SQL 'VARCHAR('"; flow:to_server; content: "VARCHAR("; nocase; metadata: tag SQL VARC, color warning; sid: 4360;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY'"; flow:to_server; content: "|3c 21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4501;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY'"; flow:to_server; content: "|3C|!ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4501;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (URL encoded)"; flow:to_server; content: "|25|3C|25|21ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4502;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; flow:to_server; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4503;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (URL encoded variant)"; flow:to_server; content: "|25|3C|21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4503;)
rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; flow:to_server; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4504;)

# Common indicators, but might cause false positives
alert ip any any -> any any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;)
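Review bot: The two rules added for '/etc/passwd' (sid 4203 and 4204, plain and URL-encoded) carry `metadata: tag DEV TCP`, which is the tag of the neighbouring '/dev/tcp/' rules and looks copied by mistake; the tag should name the indicator, e.g. `metadata: tag ETC PASSWD, color warning`. Inserting them in the middle of the block appears to renumber the 25 existing path rules (sids 4203–4227 become 4205–4229) and likewise shifts the base64 '<!ENTITY' rule from 4503 to 4504, so any stored alerts, suppressions or thresholds keyed by sid would now point at different rules — appending new rules at unused sids (or bumping `rev`) keeps existing identities stable; confirm whether anything downstream relies on sids. While touching these lines, the message of the URL-encoded '/var/log/' rule reads `'/var/log/ (URL encoded)'` with the closing quote misplaced; it should be `'/var/log/' (URL encoded)` like its siblings.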
9 changes: 9 additions & 0 deletions webapp/static/js/flowlist.js
Expand Up @@ -226,6 +226,7 @@ class FlowList {
const appData = document.getElementById('app').dataset
this.startTs = Math.floor(Date.parse(appData.startDate) / 1000)
this.tickLength = Number(appData.tickLength)
this.tags = []
this.update()
}

Expand Down Expand Up @@ -457,12 +458,19 @@ class FlowList {
}
document.getElementById('filter-time-until').classList.toggle('is-active', toTs)

// Update tags filter before API response
this.updateTagFilter(this.tags, filterTagsRequire, filterTagsDeny)

// Empty flow list
const flowList = document.getElementById('flow-list')
while (flowList.lastChild) {
flowList.removeChild(flowList.lastChild)
}
this.lastTick = -1

// Show loading indicator
// As the list is empty, the infinite scroll callback won't be triggered
document.getElementById('flow-list-loading-indicator').classList.remove('d-none')
}

// Fetch API and update
Expand All @@ -475,6 +483,7 @@ class FlowList {
filterTagsRequire,
filterTagsDeny
)
this.tags = tags
await this.updateProtocolFilter(appProto)
this.updateTagFilter(tags, filterTagsRequire, filterTagsDeny)
if (fillTo) {
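Review bot: The new `this.tags` field is initialised in the constructor and overwritten from the API response, but nothing states what it holds or why it is replayed into `updateTagFilter` before the next response; a one-line comment at the declaration would help, e.g. `// Tags from the last API response, replayed into the tag filter while the next response is pending`. The loading indicator is made visible in the list-emptying code with `classList.remove('d-none')`, and its counterpart hide is not in these hunks; if the fetch that follows rejects, the indicator presumably stays visible, so confirm it is hidden on the error path as well. The constructor and the two methods touched here start and end outside the hunks.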
