|
| 1 | +--- |
| 2 | +last_modified_date: 2024-10-28 17:07:36 |
| 3 | +layout: default |
| 4 | +title: gatewayd-plugin-sql-ids-ips |
| 5 | +description: GatewayD plugin for SQL injection detection and prevention. |
| 6 | +nav_order: 2 |
| 7 | +parent: Plugins |
| 8 | +--- |
| 9 | + |
| 10 | +# gatewayd-plugin-sql-ids-ips |
| 11 | + |
| 12 | +The `gatewayd-plugin-sql-ids-ips` is a security-focused GatewayD plugin designed to detect and prevent SQL injection attacks. By utilizing advanced detection methods, it provides robust protection against malicious SQL queries and offers configurable response mechanisms to safeguard databases effectively. |
| 13 | + |
| 14 | +## How It Works |
| 15 | + |
| 16 | +1. **Query Detection**: The plugin analyzes incoming SQL queries from clients, looking for patterns that match known SQL injection attacks. |
| 17 | +2. **Blocking Malicious Queries**: If a query is deemed malicious, the plugin blocks it, either returning an error or an empty response to the client. |
| 18 | +3. **Audit Logging**: All detections are logged with details, including the original query and a prediction score. |
| 19 | +4. **Prometheus Metrics**: Metrics are generated for monitoring detection events, enabling administrators to track potential threats and plugin performance. |
| 20 | + |
| 21 | +## Features |
| 22 | + |
| 23 | +- **Advanced Detection Methods**: |
| 24 | + - **Signature-Based Detection**: Uses a trained model with Tensorflow and Keras to match queries against known SQL injection patterns. |
| 25 | + - **Syntax-Based Detection**: Examines SQL syntax to detect anomalies using `libinjection`. |
| 26 | +- **Defense Mechanisms**: |
| 27 | + - **MITRE ATT&CK T1190**: Detects and prevents SQL injection attacks under the MITRE framework. |
| 28 | + - **OWASP Top 10:2021 A3 Compliance**: Addresses injection vulnerabilities as per OWASP standards. |
| 29 | + - **CAPEC-66 and CWE-89 Compliance**: Adheres to Common Weakness Enumeration guidelines. |
| 30 | +- **Response Customization**: Configure responses to SQL injection attempts, choosing between an error or empty response. |
| 31 | +- **Prometheus Metrics Integration**: Captures detection metrics for insights into plugin performance. |
| 32 | +- **Logging**: Detailed logs are maintained for each detected injection attempt, including a prediction confidence score. |
| 33 | +- **Configurable via Environment Variables**: Control plugin behavior and thresholds easily. |
| 34 | + |
| 35 | +## Installation |
| 36 | + |
| 37 | +### Automatic Installation |
| 38 | + |
| 39 | +Install the latest version of the plugin from [GitHub releases](https://github.com/gatewayd-io/gatewayd-plugin-sql-ids-ips/releases): |
| 40 | + |
| 41 | +```bash |
| 42 | +gatewayd plugin install github.com/gatewayd-io/gatewayd-plugin-sql-ids-ips@latest |
| 43 | +``` |
| 44 | + |
| 45 | +### Manual Installation |
| 46 | + |
| 47 | +1. Download and install the latest release by copying the binary to a directory accessible to GatewayD. |
| 48 | +2. Update the configuration file in `gatewayd_plugins.yaml`. |
| 49 | + |
| 50 | +After installation, start GatewayD and test the plugin by sending queries to verify SQL injection detection. |
| 51 | + |
| 52 | +## Configuration |
| 53 | + |
| 54 | +The plugin can be configured using environment variables and command-line arguments. Below is a sample configuration: |
| 55 | + |
| 56 | +```yaml |
| 57 | +plugins: |
| 58 | + - name: gatewayd-plugin-sql-ids-ips |
| 59 | + enabled: True |
| 60 | + localPath: ../gatewayd-plugin-sql-ids-ips/gatewayd-plugin-sql-ids-ips |
| 61 | + url: github.com/gatewayd-io/gatewayd-plugin-sql-ids-ips@latest |
| 62 | + args: ["--log-level", "info"] |
| 63 | + env: |
| 64 | + - MAGIC_COOKIE_KEY=GATEWAYD_PLUGIN |
| 65 | + - MAGIC_COOKIE_VALUE=5712b87aa5d7e9f9e9ab643e6603181c5b796015cb1c09d6f5ada882bf2a1872 |
| 66 | + - METRICS_ENABLED=True |
| 67 | + - METRICS_UNIX_DOMAIN_SOCKET=/tmp/gatewayd-plugin-sql-ids-ips.sock |
| 68 | + - METRICS_PATH=/metrics |
| 69 | + - PREDICTION_API_ADDRESS=http://localhost:8000 |
| 70 | + - THRESHOLD=0.8 |
| 71 | + - ENABLE_LIBINJECTION=True |
| 72 | + - LIBINJECTION_PERMISSIVE_MODE=True |
| 73 | + - RESPONSE_TYPE=error |
| 74 | + - ERROR_SEVERITY=EXCEPTION |
| 75 | + - ERROR_NUMBER=42000 |
| 76 | + - ERROR_MESSAGE=SQL injection detected |
| 77 | + - ERROR_DETAIL=Back off, you're not welcome here. |
| 78 | + - LOG_LEVEL=error |
| 79 | + - SENTRY_DSN=https://379ef59ea0c55742957b06c94bc496e1@o4504550475038720.ingest.us.sentry.io/4507282732810240 |
| 80 | + checksum: dee4aa014a722e1865d91744a4fd310772152467d9c6ab4ba17fd9dd40d3f724 |
| 81 | +``` |
| 82 | +
|
| 83 | +## Environment Variables |
| 84 | +
|
| 85 | +| Name | Description | Default | |
| 86 | +| ------------------------------ | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | |
| 87 | +| `MAGIC_COOKIE_KEY` | The key for the magic cookie. | `GATEWAYD_PLUGIN` | |
| 88 | +| `MAGIC_COOKIE_VALUE` | The value for the magic cookie. | `5712b87aa5d7e9f9e9ab643e6603181c5b796015cb1c09d6f5ada882bf2a1872` | |
| 89 | +| `METRICS_ENABLED` | Whether to enable metrics. | `True` | |
| 90 | +| `METRICS_UNIX_DOMAIN_SOCKET` | The path to the Unix domain socket for exposing metrics. This must be accessible to GatewayD. | `/tmp/gatewayd-plugin-sql-ids-ips.sock` | |
| 91 | +| `METRICS_PATH` | The path for exposing metrics. | `/metrics` | |
| 92 | +| `PREDICTION_API_ADDRESS` | The address for the prediction API server. | `http://localhost:8000` | |
| 93 | +| `THRESHOLD` | The threshold for the prediction confidence score. | `0.8` | |
| 94 | +| `ENABLE_LIBINJECTION` | Whether to enable syntax-based detection using `libinjection`. | `True` | |
| 95 | +| `LIBINJECTION_PERMISSIVE_MODE` | Whether to enable permissive mode for `libinjection`. | `True` | |
| 96 | +| `RESPONSE_TYPE` | The response type for SQL injection attempts. Choose between `error` or `empty`. | `error` | |
| 97 | +| `ERROR_SEVERITY` | The severity level for the error response. | `EXCEPTION`. See [this](https://www.postgresql.org/docs/current/protocol-error-fields.html) for more information. | |
| 98 | +| `ERROR_NUMBER` | The error number for the error response. | `42000`. See [this](https://www.postgresql.org/docs/current/errcodes-appendix.html) for more information. | |
| 99 | +| `ERROR_MESSAGE` | The error message for the error response. | `SQL injection detected` | |
| 100 | +| `ERROR_DETAIL` | The error detail for the error response. | `Back off, you're not welcome here.` | |
| 101 | +| `LOG_LEVEL` | The log level for the plugin. | `error` | |
| 102 | +| `SENTRY_DSN` | Sentry DSN. Set to empty string to disable Sentry. | `https://379ef59ea0c55742957b06c94bc496e1@o4504550475038720.ingest.us.sentry.io/4507282732810240` | |
| 103 | + |
| 104 | +### Command-line arguments |
| 105 | + |
| 106 | +| Name | Description | Default | |
| 107 | +| ------------- | -------------- | ------- | |
| 108 | +| `--log-level` | The log level. | `info` | |
| 109 | + |
| 110 | +## Build for testing |
| 111 | + |
| 112 | +To build the plugin for development and testing, run the following command in the project's root directory after cloning the repository. |
| 113 | + |
| 114 | +```bash |
| 115 | +git clone [email protected]:gatewayd-io/gatewayd-plugin-sql-ids-ips.git |
| 116 | +cd gatewayd-plugin-sql-ids-ips |
| 117 | +make build-dev |
| 118 | +``` |
| 119 | + |
| 120 | +Running the above commands clones the repository, changes the current directory and runs the `go mod tidy` and `go build` commands to compile and generate the plugin binary. |
0 commit comments