proxysql/scripts/add_threat_patterns.sh


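#!/bin/bash
#
# @file add_threat_patterns.sh
# @brief Add sample threat patterns to Anomaly Detection database
#
# This script lists the example SQL injection and attack patterns that are
# meant to populate the anomaly_patterns table for testing the embedding
# similarity detection feature.
#
# IMPORTANT: the script currently only PRINTS the patterns. Nothing is sent
# to ProxySQL and no query below is ever executed; the patterns are
# detection samples that have to be added through the C++ API or the MCP
# tool named at the end of the output.
#
# Prerequisites (for the eventual write path, not for this listing):
# - ProxySQL running on localhost:6032 (admin)
# - GenAI module with llama-server running
#
# Usage:
# ./add_threat_patterns.sh
#
# Environment (read now so callers can configure them, used once the write
# path exists):
#   PROXYSQL_ADMIN_HOST  admin interface host   (default 127.0.0.1)
#   PROXYSQL_ADMIN_PORT  admin interface port   (default 6032)
#   PROXYSQL_ADMIN_USER  admin user             (default admin)
#   PROXYSQL_ADMIN_PASS  admin password         (default admin — the stock
#                        ProxySQL default; override it outside a lab, and
#                        supply it through the environment, not argv)
#
# @date 2025-01-16
set -euo pipefail

# Not referenced yet; kept so the future write path (MCP tool / admin
# command) picks up the same configuration.
# shellcheck disable=SC2034
PROXYSQL_ADMIN_HOST=${PROXYSQL_ADMIN_HOST:-127.0.0.1}
# shellcheck disable=SC2034
PROXYSQL_ADMIN_PORT=${PROXYSQL_ADMIN_PORT:-6032}
# shellcheck disable=SC2034
PROXYSQL_ADMIN_USER=${PROXYSQL_ADMIN_USER:-admin}
# shellcheck disable=SC2034
PROXYSQL_ADMIN_PASS=${PROXYSQL_ADMIN_PASS:-admin}

readonly BANNER_LINE='========================================'

#######################################
# Print a boxed section banner followed by a blank line.
# Globals:   BANNER_LINE (read)
# Arguments: $1 - banner text
# Outputs:   banner to stdout
#######################################
print_banner() {
  printf '%s\n%s\n%s\n\n' "$BANNER_LINE" "$1" "$BANNER_LINE"
}

#######################################
# Print one numbered threat-pattern entry followed by a blank line.
# Arguments:
#   $1 - entry number
#   $2 - title
#   $3 - pattern description
#   $4 - example query (printed verbatim, never executed)
#   $5 - pattern type (e.g. sql_injection, dos)
#   $6 - severity, 1 (low) .. 10 (high)
# Outputs: the entry to stdout
#######################################
print_pattern() {
  local num=$1 title=$2 pattern=$3 example=$4 type=$5 severity=$6
  # printf rather than echo: the example text is data, not a format string.
  printf '%s. %s\n' "$num" "$title"
  printf ' Pattern: %s\n' "$pattern"
  printf ' Example: %s\n' "$example"
  printf ' Type: %s\n' "$type"
  printf ' Severity: %s\n' "$severity"
  printf '\n'
}

#######################################
# Print the full catalogue of sample patterns.
# Outputs: ten numbered entries to stdout
#######################################
print_patterns() {
  printf 'Sample Threat Patterns to Add:\n\n'
  print_pattern 1 'SQL Injection - OR 1=1' \
    'OR tautology attack' \
    "SELECT * FROM users WHERE username='admin' OR 1=1--'" \
    sql_injection 9
  print_pattern 2 'SQL Injection - UNION SELECT' \
    'UNION SELECT based data extraction' \
    'SELECT name FROM products WHERE id=1 UNION SELECT password FROM users' \
    sql_injection 8
  print_pattern 3 'SQL Injection - Comment Injection' \
    'Comment-based injection' \
    "SELECT * FROM users WHERE id=1-- AND password='xxx'" \
    sql_injection 7
  print_pattern 4 'DoS - Sleep-based timing attack' \
    'Sleep-based DoS' \
    'SELECT * FROM users WHERE id=1 AND sleep(10)' \
    dos 6
  print_pattern 5 'DoS - Benchmark-based attack' \
    'Benchmark-based DoS' \
    'SELECT * FROM users WHERE id=1 AND benchmark(10000000, MD5(1))' \
    dos 6
  print_pattern 6 'Data Exfiltration - INTO OUTFILE' \
    'File write exfiltration' \
    "SELECT * FROM users INTO OUTFILE '/tmp/users.txt'" \
    data_exfiltration 9
  print_pattern 7 'Privilege Escalation - DROP TABLE' \
    'Destructive SQL' \
    'SELECT * FROM users; DROP TABLE users--' \
    privilege_escalation 10
  print_pattern 8 'Reconnaissance - Schema probing' \
    'Information disclosure' \
    'SELECT * FROM information_schema.tables' \
    reconnaissance 3
  print_pattern 9 'Second-Order Injection - CONCAT' \
    'Concatenation-based injection' \
    'SELECT * FROM users WHERE username=CONCAT(0x61, 0x64, 0x6D, 0x69, 0x6E)' \
    sql_injection 8
  print_pattern 10 'NoSQL Injection - Hex encoding' \
    'Hex-encoded attack' \
    'SELECT * FROM users WHERE username=0x61646D696E' \
    sql_injection 7
}

#######################################
# Print the boxed note listing the ways a pattern can actually be added.
# Globals: BANNER_LINE (read)
# Outputs: note to stdout
#######################################
print_add_methods() {
  printf '%s\n' "$BANNER_LINE"
  cat <<'EOF'
Note: These patterns would be added via:
 1. MCP tool: ai_add_threat_pattern
 2. C++ API: Anomaly_Detector::add_threat_pattern()
 3. Admin command (future)
EOF
  printf '%s\n\n' "$BANNER_LINE"
}

#######################################
# Print the C++ and MCP usage examples.
# A quoted here-doc is used so the nested "..." and '...' in the SQL
# literal need no shell escaping (the previous echo-based version had
# unbalanced quotes and did not print the example correctly).
# Outputs: examples to stdout
#######################################
print_api_examples() {
  cat <<'EOF'
To add patterns programmatically, use the Anomaly_Detector API:

C++ example:
 detector->add_threat_pattern("OR 1=1 Tautology",
 "SELECT * FROM users WHERE username='admin' OR 1=1--'",
 "sql_injection", 9);

Or via future MCP tool:
 {"jsonrpc": "2.0", "method": "tools/call", "params": {
 "name": "ai_add_threat_pattern",
 "arguments": {
 "pattern_name": "OR 1=1 Tautology",
 "query_example": "...",
 "pattern_type": "sql_injection",
 "severity": 9
 }
 }}

EOF
}

#######################################
# Entry point: print the banner, the catalogue, and the how-to notes.
#######################################
main() {
  print_banner 'Anomaly Detection - Threat Patterns'
  print_patterns
  print_add_methods
  print_api_examples
}

main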