scripts: Add threat pattern documentation script

Add helper script showing sample threat patterns that can be added to the Anomaly Detection system for testing embedding similarity. Includes 10 sample patterns: 1. OR 1=1 tautology (severity 9) 2. UNION SELECT data extraction (severity 8) 3. Comment injection (severity 7) 4. Sleep-based DoS (severity 6) 5. Benchmark-based DoS (severity 6) 6. INTO OUTFILE exfiltration (severity 9) 7. DROP TABLE destruction (severity 10) 8. Schema probing (severity 3) 9. CONCAT injection (severity 8) 10. Hex encoding bypass (severity 7)
3 months ago · f5c18fd8d7
parent 4b0cb9d95a
commit f5c18fd8d7
1 changed files with 134 additions and 0 deletions
--- a/scripts/add_threat_patterns.sh
+++ b/scripts/add_threat_patterns.sh
@ -0,0 +1,134 @@
+#!/bin/bash
+#
+# @file add_threat_patterns.sh
+# @brief Add sample threat patterns to Anomaly Detection database
+#
+# This script populates the anomaly_patterns table with example
+# SQL injection and attack patterns for testing the embedding
+# similarity detection feature.
+#
+# Prerequisites:
+# - ProxySQL running on localhost:6032 (admin)
+# - GenAI module with llama-server running
+#
+# Usage:
+#   ./add_threat_patterns.sh
+#
+# @date 2025-01-16
+
+set -e
+
+PROXYSQL_ADMIN_HOST=${PROXYSQL_ADMIN_HOST:-127.0.0.1}
+PROXYSQL_ADMIN_PORT=${PROXYSQL_ADMIN_PORT:-6032}
+PROXYSQL_ADMIN_USER=${PROXYSQL_ADMIN_USER:-admin}
+PROXYSQL_ADMIN_PASS=${PROXYSQL_ADMIN_PASS:-admin}
+
+echo "========================================"
+echo "Anomaly Detection - Threat Patterns"
+echo "========================================"
+echo ""
+
+# Note: We would add patterns via the C++ API (add_threat_pattern)
+# For now, this script shows what patterns would be added
+# In a real deployment, these would be added via MCP tool or admin command
+
+echo "Sample Threat Patterns to Add:"
+echo ""
+
+echo "1. SQL Injection - OR 1=1"
+echo "   Pattern: OR tautology attack"
+echo "   Example: SELECT * FROM users WHERE username='admin' OR 1=1--'"
+echo "   Type: sql_injection"
+echo "   Severity: 9"
+echo ""
+
+echo "2. SQL Injection - UNION SELECT"
+echo "   Pattern: UNION SELECT based data extraction"
+echo "   Example: SELECT name FROM products WHERE id=1 UNION SELECT password FROM users"
+echo "   Type: sql_injection"
+echo "   Severity: 8"
+echo ""
+
+echo "3. SQL Injection - Comment Injection"
+echo "   Pattern: Comment-based injection"
+echo "   Example: SELECT * FROM users WHERE id=1-- AND password='xxx'"
+echo "   Type: sql_injection"
+echo "   Severity: 7"
+echo ""
+
+echo "4. DoS - Sleep-based timing attack"
+echo "   Pattern: Sleep-based DoS"
+echo "   Example: SELECT * FROM users WHERE id=1 AND sleep(10)"
+echo "   Type: dos"
+echo "   Severity: 6"
+echo ""
+
+echo "5. DoS - Benchmark-based attack"
+echo "   Pattern: Benchmark-based DoS"
+echo "   Example: SELECT * FROM users WHERE id=1 AND benchmark(10000000, MD5(1))"
+echo "   Type: dos"
+echo "   Severity: 6"
+echo ""
+
+echo "6. Data Exfiltration - INTO OUTFILE"
+echo "   Pattern: File write exfiltration"
+echo "   Example: SELECT * FROM users INTO OUTFILE '/tmp/users.txt'"
+echo "   Type: data_exfiltration"
+echo "   Severity: 9"
+echo ""
+
+echo "7. Privilege Escalation - DROP TABLE"
+echo "   Pattern: Destructive SQL"
+echo "   Example: SELECT * FROM users; DROP TABLE users--"
+echo "   Type: privilege_escalation"
+echo "   Severity: 10"
+echo ""
+
+echo "8. Reconnaissance - Schema probing"
+echo "   Pattern: Information disclosure"
+echo "   Example: SELECT * FROM information_schema.tables"
+echo "   Type: reconnaissance"
+echo "   Severity: 3"
+echo ""
+
+echo "9. Second-Order Injection - CONCAT"
+echo "   Pattern: Concatenation-based injection"
+echo "   Example: SELECT * FROM users WHERE username=CONCAT(0x61, 0x64, 0x6D, 0x69, 0x6E)"
+echo "   Type: sql_injection"
+echo "   Severity: 8"
+echo ""
+
+echo "10. NoSQL Injection - Hex encoding"
+echo "   Pattern: Hex-encoded attack"
+echo "   Example: SELECT * FROM users WHERE username=0x61646D696E"
+echo "   Type: sql_injection"
+echo "   Severity: 7"
+echo ""
+
+echo "========================================"
+echo "Note: These patterns would be added via:"
+echo "  1. MCP tool: ai_add_threat_pattern"
+echo "  2. C++ API: Anomaly_Detector::add_threat_pattern()"
+echo "  3. Admin command (future)"
+echo "========================================"
+echo ""
+
+echo "To add patterns programmatically, use the Anomaly_Detector API:"
+echo ""
+echo "C++ example:"
+echo '  detector->add_threat_pattern("OR 1=1 Tautology",'
+echo '    "SELECT * FROM users WHERE username='"'"' admin' OR 1=1--'"'",'
+echo '    "sql_injection", 9);'
+echo ""
+
+echo "Or via future MCP tool:"
+echo '  {"jsonrpc": "2.0", "method": "tools/call", "params": {'
+echo '    "name": "ai_add_threat_pattern",'
+echo '    "arguments": {'
+echo '      "pattern_name": "OR 1=1 Tautology",'
+echo '      "query_example": "...",'
+echo '      "pattern_type": "sql_injection",'
+echo '      "severity": 9'
+echo '    }'
+echo '  }}'
+echo ""