Regex for Detecting Complex Attack Strings on Web Sites

I am no genius with Regex but wondered if it is possible to write some kind of Regex pattern to detect these complex attack strings which I am sure many people have seen in their web server logs.

These strings change so frequently, and I'm sure someone skilled in Regex could find a way to detect them, so that one could use this regex in a custom Fail2Ban filter.

Here are just a few samples of the attack strings.

\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00
\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00
\x16\x03\x01\x01\x22\x01\x00\x01\x1E\x03\x03\xB2\xF2\x5CF\x0C\xD8eb\x92m\x19\xBB\x81\xCE\x90\x9C\xC5\x90r+\x98@\xC00\x1AS4\xF3\xB9\x86\xF6\xC2\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0
Gh0st\xAD\x00\x00\x00\xE0\x00\x00\x00x\x9CKS``\x98\xC3\xC0\xC0\xC0\x06\xC4\x8C@\xBCQ\x96\x81\x81\x09H\x07\xA7\x16\x95e&\xA7*\x04$&g+\x182\x94\xF6\xB000\xAC\xA8rc\x00\x01\x11\xA0\x82\x1F\x5C`&\x83\xC7K7\x86\x19\xE5n\x0C9\x95n\x0C;\x84\x0F3\xAC\xE8sch\xA8^\xCF4'J\x97\xA9\x82\xE30\xC3\x91h]&\x90\xF8\xCE\x97S\xCBA4L?2=\xE1\xC4\x92\x86\x0B@\xF5`\x0CT\x1F\xAE\xAF]
\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xCF#vw\x1Ew\x8A(7~R\x9F\xEF\xFFo\x1D\xDC\x97\x8A\xBC\xD4\x82\x1C\x81\x06\xC1\x93@mv\xF5\x15\x00\x00\xD8\x00\x05\x00\x04\x00\x02\x00\x01\x00\x16\x003\x009\x00:\x00\x18\x005\x00
\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xE0^\xF6\x15\x9A\xA1\xD8\x02\x9A\xF2\x0B\x07\x89\xC7o\x83\xBE\xF4e\xC0\xC4\x0B\xA4\xA7_X\xFAItf\xA9\x00\x00\x00\xD8\x00\x05\x00\x04\x00\x02\x00\x01\x00\x16\x003\x009\x00:\x00\x18\x005\x00
\x16\x03\x01\x00\x8B\x01\x00\x00\x87\x03\x03\x22\xFCk\x07L\x07=\x22\xE9\x97\x82\xD9qu\x8C \x06\xE0\x10\x1E\x8A\xC5\xB1\xC7\xF2>6x
%D0%A2%D0%B8%D0%BC%D0%BE%D1%82%D0%B8%20%D0%A0%D0%B5%D0%B4%D1%84%D0%BE%D1%80%D0%B4
%D0%A7%D0%B0%D0%B4%20%D0%A1%D1%82%D0%B0%D1%85%D0%B5%D0%BB%D1%81%D0%BA%D0%B8

Update: The requests come in looking like this. No use of GET, HEAD or POST.

164.52.7.132 - - [07/Sep/2017:11:07:29 +0200] "\x16\x03\x01\x01\x22\x01\x00\x01\x1E\x03\x03\xB2\xF2\x5CF\x0C\xD8eb\x92m\x19\xBB\x81\xCE\x90\x9C\xC5\x90r+\x98@\xC00\x1AS4\xF3\xB9\x86\xF6\xC2\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
MitchellK asked Sep 16 '17 14:09


1 Answer

There is a solution to ban complex attack strings at the fail2ban level and hence block the IP address for a predetermined time period.

It was discussed in this thread below:

https://github.com/mariusv/nginx-badbot-blocker/issues/157

jail.local

[nginx-x00]
enabled  = true
port     = http,https
filter   = nginx-x00
logpath  = /var/log/nginx/access.log
bantime  = 86400
findtime = 86400
maxretry = 2

filter.d/nginx-x00.conf

[Definition]
# Match any log line whose quoted fields carry a \xNN escape, which is how
# nginx logs every byte it cannot write as-is (the binary probes above).
failregex = ^<HOST> .* ".*\\x.*" .*$
ignoreregex =
Lingster answered Oct 13 '22 17:10
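The answer's failregex run outside fail2ban so its behaviour can be checked, as an added example that is not part of the question, the answer or the linked thread. The first log line is the one MitchellK posted in the update; the other four are constructed for this example (documentation-range addresses, made-up timestamps and requests; the Gh0st line reuses only the opening bytes of the question's Gh0st sample). The `<HOST>` expansion here is a simplified stand-in for fail2ban's real one (an assumption), and `TIGHT_FAILREGEX`, `unescape_nginx` and `classify_request` are this example's own, not anything from the thread. Python, because fail2ban filters are Python `re` patterns:

```python
import re
from collections import Counter

# Sample nginx access-log lines. The first is the request MitchellK posted in
# the question's update; the remaining four are constructed for this example
# (documentation-range addresses, made-up timestamps and requests). The Gh0st
# line reuses only the opening bytes of the question's Gh0st sample.
SAMPLE_LOG = r"""
164.52.7.132 - - [07/Sep/2017:11:07:29 +0200] "\x16\x03\x01\x01\x22\x01\x00\x01\x1E\x03\x03\xB2\xF2\x5CF\x0C\xD8eb\x92m\x19\xBB\x81\xCE\x90\x9C\xC5\x90r+\x98@\xC00\x1AS4\xF3\xB9\x86\xF6\xC2\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
164.52.7.132 - - [07/Sep/2017:11:07:31 +0200] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00" 400 166 "-" "-"
198.51.100.23 - - [07/Sep/2017:11:08:02 +0200] "Gh0st\xAD\x00\x00\x00\xE0\x00\x00\x00x\x9CKS" 400 166 "-" "-"
203.0.113.7 - - [07/Sep/2017:11:08:10 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Sep/2017:11:08:12 +0200] "GET /about HTTP/1.1" 200 1432 "http://example.org/caf\xC3\xA9" "Mozilla/5.0"
""".strip().splitlines()

# Simplified stand-in for fail2ban's <HOST> expansion (an assumption made for
# this example; fail2ban's real pattern also covers IPv6 forms and DNS names).
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# The failregex from the answer, verbatim: some quoted field other than the
# last one contains a \x escape, which nginx writes for every byte it cannot
# log as-is.
BROAD_FAILREGEX = r'^<HOST> .* ".*\\x.*" .*$'

# Tighter alternative written for this example: fire only when the request
# line itself begins with an escaped byte, i.e. there is no HTTP method at all,
# which is what the question's update describes. nginx emits the two hex
# digits in upper case.
TIGHT_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "\\x[0-9A-F]{2}'


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (simplified) and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def offending_hosts(lines, failregex):
    """Count matching log lines per host, like fail2ban's failure counter."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, failregex, maxretry=2):
    """Hosts that reached maxretry within the sample (the jail uses maxretry = 2)."""
    counts = offending_hosts(lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Everything below decodes the escapes to see what the "attack strings" are.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
_REQUEST = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)"')


def unescape_nginx(field):
    """Turn nginx's \\xNN log escapes back into the raw bytes that were received."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def classify_request(line):
    """Name the protocol behind the request field by its leading bytes."""
    m = _REQUEST.search(line)
    if not m:
        return "unparsed"
    raw = unescape_nginx(m.group(1))
    if raw.startswith(b"\x16\x03"):
        return "TLS handshake record"  # content type 22, record version 3.x
    if raw.startswith(b"\x03\x00"):
        return "TPKT header (as used by RDP)"
    if raw.startswith(b"Gh0st"):
        return "Gh0st RAT magic"
    if re.match(rb"[A-Z]+ /", raw):
        return "HTTP request"
    return "unknown binary"


if __name__ == "__main__":
    for name, rx in (("answer's filter", BROAD_FAILREGEX), ("tighter filter", TIGHT_FAILREGEX)):
        print(name, dict(offending_hosts(SAMPLE_LOG, rx)), "-> ban", hosts_to_ban(SAMPLE_LOG, rx))
    for line in SAMPLE_LOG:
        print(line.split()[0], classify_request(line))
```

Two things the run shows. First, the answer's failregex also fires on the constructed 203.0.113.9 line, whose Referer carries raw UTF-8 that nginx logs as `\xC3\xA9`; any quoted field except the last one that holds a byte nginx escapes (non-ASCII, a control character, a literal `"` or `\`) counts as a failure, so a legitimate client can reach `maxretry` too. The tighter pattern avoids that by requiring the request line itself to start with an escaped byte, the "no GET, HEAD or POST" case from the update, at the price of missing a probe that opens with printable text, as the Gh0st sample does. Second, decoding the escapes shows what the samples are: `\x16\x03\x01` is a TLS handshake record (the question's capture continues with `\x01`, a ClientHello, so this is an HTTPS client talking to the plaintext port), `\x03\x00\x00` is a TPKT header, the framing RDP uses, and `Gh0st` is the Gh0st RAT magic. Whichever filter you pick, check it against the real log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-x00.conf` before enabling the jail.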