This article is originally written by a SafeLine user: 爱吃麦当劳.
Disclaimer
This tutorial is prepared for legitimate educational purposes only. It is strictly prohibited to use it for any illegal activities or commercial purposes. Before using this tutorial, ensure that your actions comply with local laws and regulations.
Background
As the webmaster of a small website, you often face limited resources (no budget) and a lack of personnel (just yourself). Typically, one person is responsible for operating one or multiple websites.
To improve operational efficiency and the security of the website, we need to address the following issues:
- Avoid frequent switching between security systems to check logs.
- Avoid the manual IP banning process.
- Provide timely notifications of supply details and alert dispositions to the website manager.
- Reduce operational issues caused by network security.
This article mainly introduces the scenario of SafeLine WAF and DingTalk integration. However, in practice, there might be more linkage effects, such as SafeLine automatically intercepting notifications, honeypot capture alerts, and so on.
Preface
In the previous case study on automated security operations with SafeLine WAF, we recorded WAF alerts through log text and used inotify-tools to monitor log file changes to trigger DingTalk alerts. However, this method might cause issues such as abnormal log extraction and log content truncation. Additionally, I prefer to directly obtain the complete attack payload to reproduce the attack and verify its success.
SafeLine WAF also provides a blacklist feature with rate limiting, such as banning IPs by limiting frequent access or attacks. To improve operational efficiency, I want to receive real-time notifications of banned IPs through tools like DingTalk and Feishu, instead of manually logging into the web page to check.
In the previous case study, we used multiple shell scripts, making the process somewhat cumbersome. Therefore, I developed an automated program that extracts data directly from the SafeLine WAF database, no longer relying on log storage. This program can automatically push attack alerts and rate limit blacklist alerts, simplifying the entire security operation process.
Software Introduction
SafeLine Community Edition
SafeLine is a WAF (Web Application Firewall) developed by Chaitin Technology over nearly 10 years. Its core detection capability is driven by intelligent semantic analysis algorithms. It is available in community, professional, and enterprise editions.
SafeLine_Push
SafeLine WAF push assistant can automate the push of WAF alert logs and rate limit alert IPs (partially unlocking features of the paid version).
Expected Results
Current Effect
Desired Effect
To capture the complete request packet, you need to manipulate another table in the WAF database, which is PUBLIC.MGT_DETECT_LOG_DETAIL
.
Previously, I only queried the PUBLIC.MGT_DETECT_LOG_BASIC table, as mentioned in the last article. Now, there are two methods: either querying the original database or migrating these two tables to a new database for operation.
The expected effect of rate limit alerts in SafeLine WAF is as follows:
Preparatory Work
Mapping SafeLine WAF Database Ports
#!/bin/bash
# Run the install/update script
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/upgrade.sh)"
# Enter the /data/safeline directory
cd /data/safeline || { echo "/data/safeline not found!"; exit 1; }
# Check if compose.yaml exists and back it up
if [ -f compose.yaml ]; then
echo "Backing up the current compose.yaml"
cp compose.yaml compose.yaml.bak
else
echo "compose.yaml not found in /data/safeline!"
exit 1
fi
# Check if port mapping already exists
if grep -q "5433:5432" compose.yaml; then
echo "PostgreSQL port mapping already exists."
else
# Use sed to insert ports field into the postgres service
sed -i '/container_name: safeline-pg/a\ ports:\n - 5433:5432' compose.yaml
echo "PostgreSQL port mapping added to 5433:5432."
fi
# Restart the containers to apply changes
docker compose down --remove-orphans && docker compose up -d
echo "Containers restarted with the updated compose.yaml"
This script is suitable for re-mapping the database port each time it is updated. If it is already the latest version, you can comment out the update script command.
Configuring the Database Configuration File
Check the database password using:
cat /data/safeline/.env | grep POSTGRES_PASSWORD | tail -n 1 | awk -F '=' '{print $2}'
Then write the following code into /var/scripts/.pgpass
and set the file permission to 600.
localhost:5433:safeline-ce:safeline-ce:abcd # Replace "abcd" with the password obtained in step 2
Message Push Configuration
Download the files from GitHub:
git clone https://github.com/Fiary-Tale/SafeLine_Push
The above downloads the source code and compiled versions (stored in the mark folder).
Configuration Files
VulConfig.json
This configuration file maps some field data from SafeLine WAF database for alert push trigger rules. You can customize this file as needed. Currently, it does not fully cover all trigger rules (I did not find corresponding Chinese trigger rules in the database).
Note: This file must be placed in /var/scripts/VulConfig.json
{
"replacements": {
"m_sqli": "SQL Injection",
"m_xss": "Cross-site Scripting",
"m_csrf": "Cross-site Request Forgery",
"m_cmd_injection": "Command Execution"
}
}
config.yaml
This configuration file contains the token and push method used for message push. Currently, only DingTalk and ServerChan are implemented. Others can be added as needed!
Note: This file must be placed in /var/scripts/config.yaml
token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
method: "dingtalk" # Can be "dingtalk" or "serverchan"
GeoLite2-City.mmdb
This file is not a configuration file but an open-source Geo database. It is a required file used to query the IP location. In some aspects, it cannot compare to the SafeLine WAF database’s own location data, but querying the database’s location can be cumbersome, so Geo is used for location queries.
Note: The GeoLite2-City.mmdb file must be in the same directory as the program.
Note: In the security settings of DingTalk push, I set the custom keyword: Intrusion Detection Event.
build.bat
I developed this in a Windows environment, so I wrote a bat file. If needed, you can compile it yourself. Remember to install the Golang development environment!
Current Results
Attack Alert Notification
Rate Limit Handling Notification
Setting Up Autostart
Add the following to /etc/rc.local
:
nohup /var/scripts/SafeLine_Push_linux_amd64 > /dev/null 2>&1 &
Afterword
During testing, I found that frequent alerts can be annoying. For example, to generate a large number of attacks from the same IP within a short period and trigger rate limit ban alerts, I started frequent attacks and received numerous attack alert pushes and other issues to be fixed!
Open for Discussion
- How to handle alert pushes for a large number of attacks in a short time?
- Optimization of IP location.
- Optimization of trigger rules and interception results in rate limit alert pushes.
- Automated retention of frequently attacking IPs and uploading threat intelligence.
Top comments (0)