gatewayd-plugin-sql-ids-ips
The gatewayd-plugin-sql-ids-ips is a security-focused GatewayD plugin designed to detect and prevent SQL injection attacks. By utilizing advanced detection methods, it provides robust protection against malicious SQL queries and offers configurable response mechanisms to safeguard databases effectively.
How It Works
- Injection Detection: The plugin analyzes incoming SQL queries from clients, looking for patterns that match known SQL injection attacks.
- Blocking Malicious Queries: If a query is deemed malicious, the plugin blocks it, either returning an error or an empty response to the client.
- Audit Logging: All detections are logged with details, including the original query and a prediction score.
- Prometheus Metrics: Metrics are generated for monitoring detection events, enabling administrators to track potential threats and plugin performance.
Features
- Advanced Detection Methods:
  - Signature-Based Detection: Uses a trained model with TensorFlow and Keras to match queries against known SQL injection patterns.
  - Syntax-Based Detection: Examines SQL syntax to detect anomalies using libinjection.
- Defense Mechanisms:
  - MITRE ATT&CK T1190: Detects and prevents SQL injection attacks under the MITRE framework.
  - OWASP Top 10:2021 A3 Compliance: Addresses injection vulnerabilities as per OWASP standards.
  - CAPEC-66 and CWE-89 Compliance: Adheres to Common Weakness Enumeration guidelines.
- Response Customization: Configure responses to SQL injection attempts, choosing between an error or empty response.
- Prometheus Metrics Integration: Captures detection metrics for insights into plugin performance.
- Logging: Detailed logs are maintained for each detected injection attempt, including a prediction confidence score.
- Configurable via Environment Variables: Control plugin behavior and thresholds easily.
DeepSQLi
The plugin must be used in conjunction with DeepSQLi, a deep-learning model for SQL injection detection. DeepSQLi is available as a separate service and must be started before the plugin. For more information, refer to the DeepSQLi documentation.
Installation
Automatic Installation
Install the latest version of the plugin from GitHub releases:
```
gatewayd plugin install github.com/gatewayd-io/gatewayd-plugin-sql-ids-ips@latest
```
Manual Installation
- Download and install the latest release by copying the binary to a directory accessible to GatewayD.
- Update the configuration file in gatewayd_plugins.yaml.
After installation, start GatewayD and test the plugin by sending queries to verify SQL injection detection.
Configuration
The plugin can be configured using environment variables and command-line arguments. Below is a sample configuration:
```yaml
plugins:
  - name: gatewayd-plugin-sql-ids-ips
    enabled: True
    localPath: ../gatewayd-plugin-sql-ids-ips/gatewayd-plugin-sql-ids-ips
    url: github.com/gatewayd-io/gatewayd-plugin-sql-ids-ips@latest
    args: ["--log-level", "info"]
    env:
      - MAGIC_COOKIE_KEY=GATEWAYD_PLUGIN
      - MAGIC_COOKIE_VALUE=5712b87aa5d7e9f9e9ab643e6603181c5b796015cb1c09d6f5ada882bf2a1872
      - METRICS_ENABLED=True
      - METRICS_UNIX_DOMAIN_SOCKET=/tmp/gatewayd-plugin-sql-ids-ips.sock
      - METRICS_PATH=/metrics
      - PREDICTION_API_ADDRESS=http://localhost:8000
      - THRESHOLD=0.8
      - ENABLE_LIBINJECTION=True
      - LIBINJECTION_PERMISSIVE_MODE=True
      - RESPONSE_TYPE=error
      - ERROR_SEVERITY=EXCEPTION
      - ERROR_NUMBER=42000
      - ERROR_MESSAGE=SQL injection detected
      - ERROR_DETAIL=Back off, you're not welcome here.
      - LOG_LEVEL=error
      - SENTRY_DSN=https://379ef59ea0c55742957b06c94bc496e1@o4504550475038720.ingest.us.sentry.io/4507282732810240
    checksum: dee4aa014a722e1865d91744a4fd310772152467d9c6ab4ba17fd9dd40d3f724
```
Environment Variables
Name | Description | Default |
---|---|---|
MAGIC_COOKIE_KEY | The key for the magic cookie. | GATEWAYD_PLUGIN |
MAGIC_COOKIE_VALUE | The value for the magic cookie. | 5712b87aa5d7e9f9e9ab643e6603181c5b796015cb1c09d6f5ada882bf2a1872 |
METRICS_ENABLED | Whether to enable metrics. | True |
METRICS_UNIX_DOMAIN_SOCKET | The path to the Unix domain socket for exposing metrics. This must be accessible to GatewayD. | /tmp/gatewayd-plugin-sql-ids-ips.sock |
METRICS_PATH | The path for exposing metrics. | /metrics |
PREDICTION_API_ADDRESS | The address for the prediction API server. | http://localhost:8000 |
THRESHOLD | The threshold for the prediction confidence score. | 0.8 |
ENABLE_LIBINJECTION | Whether to enable syntax-based detection using libinjection. | True |
LIBINJECTION_PERMISSIVE_MODE | Whether to enable permissive mode for libinjection. | True |
RESPONSE_TYPE | The response type for SQL injection attempts. Choose between error or empty. | error |
ERROR_SEVERITY | The severity level for the error response. | EXCEPTION. See this for more information. |
ERROR_NUMBER | The error number for the error response. | 42000. See this for more information. |
ERROR_MESSAGE | The error message for the error response. | SQL injection detected |
ERROR_DETAIL | The error detail for the error response. | Back off, you're not welcome here. |
LOG_LEVEL | The log level for the plugin. | error |
SENTRY_DSN | Sentry DSN. Set to empty string to disable Sentry. | https://379ef59ea0c55742957b06c94bc496e1@o4504550475038720.ingest.us.sentry.io/4507282732810240 |
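
A pre-deployment check for the settings in the table above, as an added example that is not part of the plugin or its documentation. The accepted value ranges and the boolean parsing are assumptions (in particular that prediction scores fall between 0 and 1), and lintEnv and its messages are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// lintEnv reviews the plugin's env entries (KEY=VALUE) and returns one finding
// per problem. The value rules are assumptions, not the plugin's own validation.
func lintEnv(entries []string) []string {
	var out []string
	sentryOff := false
	for _, e := range entries {
		k, v, _ := strings.Cut(e, "=")
		switch k {
		case "THRESHOLD":
			// Assumed score range 0..1: a larger threshold would never block.
			if t, err := strconv.ParseFloat(v, 64); err != nil || !(t > 0 && t <= 1) {
				out = append(out, "THRESHOLD: want a number in (0, 1], got "+v)
			}
		case "RESPONSE_TYPE":
			if v != "error" && v != "empty" {
				out = append(out, "RESPONSE_TYPE: want error or empty, got "+v)
			}
		case "PREDICTION_API_ADDRESS":
			if u, err := url.Parse(v); err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
				out = append(out, "PREDICTION_API_ADDRESS: want an http(s) URL, got "+v)
			}
		case "METRICS_ENABLED", "ENABLE_LIBINJECTION", "LIBINJECTION_PERMISSIVE_MODE":
			if _, err := strconv.ParseBool(v); err != nil {
				out = append(out, k+": want a boolean, got "+v)
			}
		case "SENTRY_DSN":
			sentryOff = v == "" // per the table: an empty string disables Sentry
		}
	}
	if !sentryOff {
		out = append(out, "SENTRY_DSN: Sentry reporting is on; set it to an empty string to disable")
	}
	return out
}

func main() {
	// Constructed sample with four mistakes; SENTRY_DSN is explicitly emptied.
	bad := []string{"THRESHOLD=80", "RESPONSE_TYPE=drop", "PREDICTION_API_ADDRESS=localhost:8000",
		"LIBINJECTION_PERMISSIVE_MODE=yes", "SENTRY_DSN="}
	fmt.Println(strings.Join(lintEnv(bad), "\n"))
}
```

Keys that are absent from the list are not flagged, since the plugin falls back to the defaults in the table; SENTRY_DSN is the exception because its default leaves reporting on.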
Command-line arguments
Name | Description | Default |
---|---|---|
--log-level | The log level. | info |
Build for testing
To build the plugin for development and testing, clone the repository and run make build-dev in the project's root directory:
```
git clone git@github.com:gatewayd-io/gatewayd-plugin-sql-ids-ips.git
cd gatewayd-plugin-sql-ids-ips
make build-dev
```
Running the above commands clones the repository, changes the current directory and runs the go mod tidy and go build commands to compile and generate the plugin binary.