Skip to content

simplify-framework/intrusion

Repository files navigation

SimplifyFramework - IDS/IPS (Network/Module) : NodeJS version >= 12.x

NPM Downloads Package Version

  • Host Intrusion Detection and Prevention

    • Detect modules are loaded by require('module').
    • Detect modules are compiled by module._compile('code').
    • Block or allow some modules by names or by hashcodes.
  • Network Intrusion Detection and Prevention

    • Detect HTTP/HTTPS/UDP/TCP outbound connection.
    • Block or allow by domain names or IP addresses.
    • Redirect the outbound connection to a honeypot.
WARNING: This library does not handle the require('net').Socket.connect() function.

Node Environment Variables Setup

  • Set process.env.IDS_ENABLE_METRIC_LOGGING=true|false turns ON/OFF the AWS CloudWatch metric collector.
  • Set process.env.IDS_ENABLE_MODULE_TRACKER=true|false turns ON/OFF the Host Tracker (HIDS/HIPS).
  • Set process.env.IDS_PRINT_OUTPUT_LOG=true|false turns ON/OFF the console output logs (silent mode).

Setup your AWS environment or IAM Role in your Lambdas with this permission:

This library requires AWS IAM Role to allow publishing the CloudWatch Metrics to a custom namespace:

Policies:
  - PolicyName: cloudwatch-metrics
    PolicyDocument:
      Statement:
      - Effect: Allow
        Action:
        - cloudwatch:PutMetricData
        Resource: "*"

The metrics' namespace is set in the constructor at 2nd parameter:

  • new IDS({}, 'TestApp/IDS' /* Custom Namespace /, '127.0.0.255'/ honeypot /, true / enable metric logging */)

AWS/Lambda - Make a build then attach to a Lambda function by using command line

  • simplify-intrusion --bucket=YOUR_BUCKET_NAME --layer-name=YOUR_IDS_LAYER_NAME make
  • simplify-intrusion --function-name=YOUR_TARGET_FUNCTION [--layer-version-arn=YOUR_LAYER_ARN] attach

SDK/Library - Use the { IDS } module to detect the intrustion outbound network from your code:

  1. Load the library with IDS configuration:
var { IDS } = require('simplify-intrusion')
var nodeFirewall = new IDS({
    network: { allowDomainsOrHostIPs: [
      /* a whitelist of domains or IPs that is allowed to access from your code, startsWith('string') rule */
    ], blockDomainsOrHostIPs: [
      /* the blacklist of domains or IPs you want to BLOCK them from your code, startsWith('string') rule */
      /* example: ['*'] => block all outbound network connection from host, allowed all connections by default */
    ] },
    host: { allowModuleOrSHA256OfCode: [
      /* a whitelist of module name or SHA-256('code') that will be embeded by using module._complie(), startsWith('string') rule */
    ], blockModuleOrSHA256OfCode: [
      /* the blacklist of module name or SHA-256('code') that contains the untrusted HASH of modules, startsWith('string') rule */
      /* example: ['QsPV5N10sTZExAjkbZuQn5yEe0Jkpd4rHRnSxH9dF7Y=', 'buffer:4.9.2', 'request:2.88.'] */
    ] }
  },
  'YourApp/IDS' /* log metrics to your custom CloudWatch NameSpace if the CloudWatch Metrics is enabled */,
  'dev.null.org' /* if BLOCKED, reflect the requests to a honeypot server: dev.null.org */,
  false /* true = set the CloudWatch Metrics is enabled */)
  1. Write your code with all the require('...') after the line above.
var http = require('http')
var https = require('https')
var { ClientRequest } = require('_http_client_')
var module = require('module')

/*an example of your lambda code*/
module.exports.handler = function(event, context, callback) {
  //DO SOMETHING LIKE CALL EXTERNAL APIS
  var r = https.request("https://google.com/api/...", (res) => {
      console.log(res)
  })
  r && r.end()
}
  1. Detaching the library when everything is done:
somePromiseOrCallbackFunction().then(response => {
  nodeFirewall.detach()
  callback(null, response)
})

EXAMPLE - Running an example of intrusion code.

  1. Install Simplify Framework - Intrustion library
  • npm install simplify-intrustion
  1. Create example.js node application
var { IDS } = require('simplify-intrusion')
var nodeFirewall = new IDS({
    network: { allowDomainsOrHostIPs: [], blockDomainsOrHostIPs: [] },
    host: { allowModuleOrSHA256OfCode: ['OtbUd5po/kQtu2FweSNa42kOfFYZvlsFuen1xXeOPKs='], blockModuleOrSHA256OfCode: ['*'] }
}, 'TestApp/IDS', 'dev.null.org')

var path = require('path')
var https = require('https')

var httpClient = require('_http_client')

eval('console.log("eval() is not allowed.")')
var requireFromString = require('require-from-string')
var rq = requireFromString('module.exports = function(){console.log("require-from-string: OK")}', 'Test')
typeof rq == 'function' && rq()
var res = new httpClient.ClientRequest("http://google.com", { headers: { "Content-Type": "application/json" }, method: 'GET' }, (res) => {
    var r = https.request("https://google.com", (res) => {
        nodeFirewall.detach()
    })
    r && r.end()
})
res && res.end()
  1. Run node example.js

Expected outcome:

$ node example.js

  >>>> [Blocked] (function:eval) EXEC - console.log("eval() is not allowed.")
require-from-string: OK
  >>>> [Warning] (_http_client) GET - http://google.com
  >>>> [Allowed] (module:compile) Test - OtbUd5po/kQtu2FweSNa42kOfFYZvlsFuen1xXeOPKs=
  >>>> [Warning] (https:request) GET - https://google.com/

About

Simplify Intrusion Detection/Prevention for NodeJS

Resources

Stars

Watchers

Forks

Packages

No packages published