Data flows
Last updated 2022-12-05
This document demonstrates various data flows between the Module and Agent. While MessagePack is the serialization protocol, the data is displayed here in JSON format for ease of reading.
Benign Post Request
Notice how in HeadersIn the Cookie value was redacted, and also that TLSProtocol and TLSCipher are filled in.
1{2 "ModuleVersion": "sigsci-module-apache 0.214",3 "ServerVersion": "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 OpenSSL/1.0.1f",4 "ServerFlavor": "prefork",5 "ServerName": "soysauce.in",6 "Timestamp": 1438838135,7 "RemoteAddr": "198.51.100.209",8 "Method": "POST",9 "Scheme": "https",10 "URI": "/add-data"11 "Protocol": "HTTP/1.1",12 "TLSProtocol": "TLSv1.2",13 "TLSCipher": "ECDHE-RSA-AES128-SHA256",14 "HeadersIn": [15 [ "Host", "soysauce.in" ],16 [ "Accept", "*/*" ],17 [ "Connection", "keep-alive" ],18 [ "Cookie", "" ],19 [ "User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12"],20 [ "Accept-Language", "en-us" ],21 [ "Referer", "https://soysauce.in/" ],22 [ "Accept-Encoding", "gzip, deflate" ],23 ],24 "PostData": "foo=bar&company=something"25}This request was completely benign, so all that is returned is a 200
response (allow the request to proceed).
1{2 "WAFResponse": 2003}And that is end of the request.
Benign request (with 404 error)
$ curl -v '127.0.0.1:8085/junk'* Trying 127.0.0.1...* Connected to 127.0.0.1 (127.0.0.1) port 8085 (#0)> GET /junk HTTP/1.1> User-Agent: curl/7.37.1> Host: 127.0.0.1:8085> Accept: */*>< HTTP/1.1 404 Not Found< Content-Type: text/plain; charset=utf-8< Date: Wed, 05 Aug 2015 18:38:24 GMT< Content-Length: 19<would be converted into the following:
1{2 "ModuleVersion": "sigsci-sdk-golang 1.0",3 "ServerVersion": "go1.4.2",4 "ServerFlavor": "",5 "ServerName": "127.0.0.1:8085",6 "Timestamp": 1438799904,7 "RemoteAddr": "127.0.0.1",8 "Method": "GET",9 "Scheme": "http",10 "URI": "/junk",11 "Protocol": "HTTP/1.1",12 "HeadersIn": [13 [ "User-Agent", "curl/7.37.1" ],14 [ "Accept", "*/*" ],15 ],16}Response is just 200 or allow the response to pass through.
1{2 "WAFResponse": 2003}The server proceeds normally. If at the end of the request, we find that a error condition occurred or that it had an exceptionally large output or took an exceptionally long time to process, we would followup with a PostRequest. Notice how ResponseCode, ResponseMillis, ResponseSize and filled out as well as HeadersOut.
1{2 "ModuleVersion": "sigsci-sdk-golang 1.0",3 "ServerVersion": "go1.4.2",4 "ServerFlavor": "",5 "ServerName": "127.0.0.1:8085",6 "Timestamp": 1438799904,7 "RemoteAddr": "127.0.0.1",8 "Method": "GET",9 "Scheme": "http",10 "URI": "/junk",11 "Protocol": "HTTP/1.1",12 "WAFResponse": 200,13 "ResponseCode": 404,14 "ResponseMillis": 1,15 "ResponseSize": 19,16 "HeadersIn": [17 [ "User-Agent", "curl/7.37.1" ],18 [ "Accept", "*/*" ],19 ],20 "HeadersOut": [21 [ "Content-Type", "text/plain; charset=utf-8" ]22 ]23}Blocked Request with SQLI and 406
Here are the raw HTTP headers:
$ curl -v '127.0.0.1:8085/junk?id=1+UNION+ALL+SELECT+1'* Connected to 127.0.0.1 (127.0.0.1) port 8085 (#0)> GET /junk?id=1+UNION+ALL+SELECT+1 HTTP/1.1> User-Agent: curl/7.37.1> Host: 127.0.0.1:8085> Accept: */*>< HTTP/1.1 406 Not Acceptable< Content-Type: text/plain; charset=utf-8< Date: Wed, 05 Aug 2015 17:59:46 GMT< Content-Length: 19<406 not acceptableThis translates to the following flow.
Server/Module sends the following to the agent:
1{2 "ModuleVersion": "sigsci-sdk-golang 1.0",3 "ServerVersion": "go1.4.2",4 "ServerFlavor": "",5 "ServerName": "127.0.0.1:8085",6 "Timestamp": 1438796694,7 "RemoteAddr": "127.0.0.1",8 "Method": "GET",9 "Scheme": "http",10 "URI": "/junk?id=1+UNION+ALL+SELECT+1",11 "Protocol": "HTTP/1.1",12 "HeadersIn": [13 [ "Accept", "*/*" ],14 [ "User-Agent", "curl/7.37.1" ],15 ],16}The Agent replies with the following. Notice the RequestID is
filled in, along with an X-SigSci-Tags header describing was found
(SQLi in this case).
1{2 "WAFResponse": 406,3 "RequestID": "55c24b96ca84c02201000001",4 "RequestHeaders": [5 [ "X-SigSci-Tags", "SQLI" ]6 ]7}The request should be blocked, and at the end of the request, and UpdateRequest message.
1{2 "RequestID": "55c24b96ca84c02201000001",3 "ResponseCode": 406,4 "ResponseMillis": 1,5 "ResponseSize": 19,6 "HeadersOut": [7 [ "Content-Type", "text/plain; charset=utf-8" ],8 ]9}Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
