OpenRASP v1.2.1 released; Java version adds CPU fuse support

The OpenRASP project was started in April 2017. Its original purpose was to provide a general-purpose security framework and to improve applications' protection against unknown vulnerabilities. The Struts2 vulnerabilities are a typical series of such unknown vulnerabilities. From S2-001 to S2-057, they share one characteristic: the request is modified so that an OGNL statement is eventually executed, or deserialization happens in some way, and system privileges are then obtained.

The RASP protection engine runs inside the application and can solve this problem. Regardless of the vulnerability, the ultimate purpose of an attack is the same: executing system commands, uploading a webshell, dumping the database and so on. So we built a security framework that does not depend on detecting attack signatures in the request; instead, when the application performs one of these key operations, it runs custom logic to check whether anything is abnormal.

This release, OpenRASP 1.2.1, adds CPU fuse support to the Java version and fixes a number of known issues.

New features

General improvements

  • Support for a custom RASP ID
    • Set it at installation time with  --rasp-id (PHP) or  -raspid (Java)
    • If not specified, the RASP ID is calculated with the previous logic, based on network card information, the RASP path and so on

Management console

  • Alarm logs are now deduplicated, currently on request_id + stack_md5
  • In the  System Settings -> Background settings  interface, added one-click cleanup of alarm data
  • The host management interface automatically remembers the  Host status  checkbox selection
  • The alarm viewer supports searching by alarm message and stack MD5; Referer and URL are clickable

Java version

  • Added partial support for the TongWeb 6.X server, from @superbaimo
  • Simplified the installation process for JBoss 7 and later, from @Lorisy
  • Added an HSQL database hook point, so the WebGoat SQL injection vulnerabilities can be detected
  • Added fuse support
    • Single-core CPU usage is collected at intervals; when it exceeds the threshold three times, the fuse mechanism is triggered
    • When the next collected usage is below the threshold, protection is restored automatically
    • This feature is off by default; the collection interval and the CPU usage threshold can be configured
  • Fixed plugin.filter not taking effect at the include hook point
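
The fuse behaviour described in the list above, as an added Python sketch (not OpenRASP's code). It assumes the three over-threshold samples must be consecutive, a 90% threshold and a 5-second interval; the class, function and event names are hypothetical. Each trip and recovery is recorded because protection is suspended while the fuse is open, which is worth alerting on.

```python
from dataclasses import dataclass, field

def single_core_usage(cpu_delta_s, wall_delta_s):
    """Process CPU time spent in one interval, as a percentage of one core."""
    if wall_delta_s <= 0:
        raise ValueError("collection interval must be positive")
    return 100.0 * cpu_delta_s / wall_delta_s

@dataclass
class CpuFuse:
    threshold: float = 90.0   # assumed value; configurable per the release notes
    trip_after: int = 3       # "exceeds the threshold three times"
    enabled: bool = False     # the feature is off by default
    tripped: bool = False
    over: int = 0             # assumption: the three samples are consecutive
    events: list = field(default_factory=list)

    def sample(self, usage):
        """Feed one sample per interval; return True while checks are bypassed."""
        if not self.enabled:
            return False
        if usage > self.threshold:
            self.over += 1
            if not self.tripped and self.over >= self.trip_after:
                self.tripped = True
                self.events.append(("fuse_tripped", usage))
        else:
            self.over = 0
            if self.tripped:  # first sample below the threshold restores protection
                self.tripped = False
                self.events.append(("protection_restored", usage))
        return self.tripped

def replay(samples, **cfg):
    """Run samples through an enabled fuse; return (per-sample states, events)."""
    fuse = CpuFuse(enabled=True, **cfg)
    return [fuse.sample(u) for u in samples], fuse.events

# Constructed input: CPU seconds consumed in each 5-second collection interval.
SAMPLES = [single_core_usage(c, 5.0)
           for c in (1.0, 4.8, 4.9, 2.0, 4.7, 4.8, 4.9, 4.9, 1.5)]

if __name__ == "__main__":
    states, events = replay(SAMPLES)
    for usage, bypassed in zip(SAMPLES, states):
        print(f"{usage:5.1f}%  checks {'BYPASSED' if bypassed else 'active'}")
    print(events)
```
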

Plug-in system

  • Command detection point: added environment variable information
  • SQL exception detection is now done in the detection plug-in, and the management console can customize which error codes to monitor
  • Fixed the command_reflect algorithm producing false positives in some cases

Bug fixes

General fixes

  • Added support for re-registration: when a host is accidentally deleted after going offline, it can be restored automatically

Java version

  • Fixed false positives when the middleware supports the multipart protocol but the user does not use file
  • Fixed a problem where, when communication with the management console starts only after a period of time, the Java Agent does not re-acquire the registration IP
  • Fixed WebSphere deserialization command execution not being intercepted in some cases because context.language is empty
  • Fixed unlimited log printing when the heartbeat fails and the sleep fails
  • Fixed the log4j cache not being cleared after logs are pushed (thanks to @ memories meet for the feedback)
  • Fixed only the first file being processed when multiple files are uploaded
  • Fixed missing details when a configuration update fails
  • Fixed the request hook point not being able to intercept (thanks to @Looke for the feedback)
  • Fixed the problem that cloud.X and other configurations could be issued remotely
  • Fixed SQL exceptions not being recorded because an exception in a SQL prepared statement did not enter the detection plug-in

PHP version

  • Fixed PDO exception monitoring not filtering by error code, which recorded superfluous exception logs

Origin www.oschina.net/news/110930/openrasp-1-2-1-released