improve security detection

Author: aldotobing

components/LiveDashboard.tsx

@@ -5,75 +5,9 @@ import { aggregateLogData } from '../lib/log-aggregator';
 import { Dashboard } from './Dashboard';
 import { Eye, EyeOff, XCircle } from 'lucide-react';
 
-// A more robust parser for common Nginx log formats.
-const parseLogLine = (line: string) => {
-  try {
-    // This regex handles cases where the request field might be empty ("") or malformed.
-    // It also handles extra fields at the end (like the "-" at the end of some Nginx logs)
-    const match = line.match(/^(?<ip>[\d.]+) - (?<user>\S+) \[(?<timestamp>.+?)\] "(?<method>\S+) (?<path>[^"]*) HTTP\/\d+\.\d+" (?<code>\d+) (?<size>\d+) "(?<referrer>[^"]*)" "(?<agent>[^"]*)" "(?<xForwardedFor>[^"]*)"$/);
-    
-    if (!match || !match.groups) {
-      console.warn("Could not parse log line:", line);
-      return null;
-    }
-
-    const { ip, user, timestamp, method, path, code, size, referrer, agent, xForwardedFor } = match.groups;
-    
-    // Define valid HTTP methods
-    const validHttpMethods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT'];
-    
-    // Initialize method and url
-    let finalMethod = 'N/A';
-    let url = 'N/A';
-    
-    // Only parse method and URL if request is not empty
-    if (method && path) {
-      // Check if the method is a valid HTTP method
-      if (validHttpMethods.includes(method)) {
-        finalMethod = method;
-        url = path || 'N/A';
-      } else {
-        // Check for known attack patterns or clearly malformed requests
-        const isAttackPattern = method.includes('%') || 
-                               method.includes(';') || 
-                               method.includes('wget') || 
-                               method.includes('curl') ||
-                               method.length > 100;
-        
-        // Check for clearly non-HTTP method patterns
-        const isNonHttpPattern = method.includes('_DUPLEX_') || 
-                                method.startsWith('SSTP_') ||
-                                method.includes('Mozi') ||
-                                method.includes('->');
-        
-        if (isAttackPattern || isNonHttpPattern) {
-          finalMethod = 'MALFORMED';
-        } else if (method.length <= 25) {
-          // Short, non-attack patterns are classified as OTHER
-          finalMethod = 'OTHER';
-        } else {
-          // Long patterns are classified as MALFORMED
-          finalMethod = 'MALFORMED';
-        }
-        
-        url = `${method} ${path}`; // Keep the full request for analysis
-      }
-    }
-
-    return {
-      ipAddress: ip,
-      timestamp,
-      method: finalMethod,
-      path: url,
-      status: code,
-      bodyBytesSent: size,
-      referer: referrer,
-      userAgent: agent,
-    };
-  } catch (error) {
-    console.error('Error parsing log line:', error);
-    return null;
-  }
+// Create a worker for single line parsing
+const createSingleLineParserWorker = () => {
+  return new Worker(new URL('../workers/singleLineParser.js', import.meta.url));
 };
 
 export interface LogData {
@@ -128,6 +62,7 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
   const pongTimeoutRef = useRef<NodeJS.Timeout | null>(null);
   const lastMessageTime = useRef<number>(Date.now());
   const reconnectDelay = useRef(BASE_RECONNECT_DELAY);
+  const logParserWorkerRef = useRef<Worker | null>(null);
 
   // Update wsUrl and newWsUrl when initialWsUrl changes
   useEffect(() => {
@@ -139,17 +74,44 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
     return Math.min(BASE_RECONNECT_DELAY * Math.pow(2, attempt), MAX_RECONNECT_DELAY);
   };
 
+  
+
   const handleNewLogLine = useCallback((line: string) => {
-    const parsedLog = parseLogLine(line);
-    if (parsedLog) {
-      setParsedLines(prevLines => {
-        // Keep all logs, just prepend the new one
-        const updatedLines = [parsedLog, ...prevLines];
-        const aggregatedData = aggregateLogData(updatedLines);
-        setLogData(aggregatedData);
-        return updatedLines;
-      });
-    }
+    // console.log('Received log line:', line);
+    
+    // Create a new worker for each line to avoid queueing issues
+    const worker = createSingleLineParserWorker();
+    
+    worker.onmessage = (event) => {
+      if (event.data.error) {
+        console.error('Error parsing log line:', event.data.error);
+      } else if (event.data.parsedLine) {
+        const parsedLine = event.data.parsedLine;
+        // console.log('Parsed line:', parsedLine);
+        
+        if (parsedLine.attackType) {
+          // console.log('ATTACK DETECTED:', parsedLine.attackType, 'in line:', line);
+        }
+        
+        setParsedLines(prevLines => {
+          const updatedLines = [parsedLine, ...prevLines];
+          setLogData(aggregateLogData(updatedLines));
+          return updatedLines;
+        });
+      }
+      worker.terminate();
+    };
+    
+    worker.onerror = (error) => {
+      console.error('Worker error:', error);
+      worker.terminate();
+    };
+    
+    // Send the log line to the worker for parsing
+    worker.postMessage({
+      line: line,
+      format: 'nginx' // or make this configurable
+    });
   }, []);
 
   const setupPingPong = useCallback(() => {
@@ -214,7 +176,7 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
       wsRef.current = ws;
 
       ws.onopen = () => {
-        console.log('WebSocket connected');
+        // console.log('WebSocket connected to:', url);
         // Check if component is still mounted before updating state
         if (!wsRef.current) return;
         setIsConnected(true);
@@ -234,6 +196,7 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
 
         if (typeof event.data === 'string') {
           lastMessageTime.current = Date.now();
+          // console.log('WebSocket message received:', event.data);
 
           try {
             const data = JSON.parse(event.data);
@@ -242,17 +205,19 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
                 clearTimeout(pongTimeoutRef.current);
                 pongTimeoutRef.current = null;
               }
+              // console.log('Pong received');
               return;
             }
           } catch (e) {
             // Not a JSON message, treat as log line
+            // console.log('Treating message as log line');
             handleNewLogLine(event.data);
           }
         }
       };
 
       ws.onclose = (event) => {
-        console.log('WebSocket closed:', event.code, event.reason);
+        // console.log('WebSocket closed:', event.code, event.reason);
         // Don't update state if component is unmounting
         if (!wsRef.current) return;
 
@@ -271,7 +236,7 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
 
         // Special handling for our forced reconnection
         if (event.code === 4001) { // Our custom code for visibility change
-          console.log('Reconnecting after visibility change...');
+            // console.log('Reconnecting after visibility change...');
           connectWebSocket();
           return;
         }
@@ -285,7 +250,7 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
             reconnectDelay.current = calculateReconnectDelay(nextAttempt);
 
             reconnectTimeoutRef.current = setTimeout(() => {
-              console.log(`Attempting to reconnect (${nextAttempt + 1}/${MAX_RECONNECT_ATTEMPTS})...`);
+              // console.log(`Attempting to reconnect (${nextAttempt + 1}/${MAX_RECONNECT_ATTEMPTS})...`);
               connectWebSocket();
             }, reconnectDelay.current);
 
@@ -573,7 +538,13 @@ export function LiveDashboard({ wsUrl: initialWsUrl }: { wsUrl: string }) {
         </div>
       )}
 
-      {logData && parsedLines.length > 0 ? (
+      {isConnected && !logData && parsedLines.length === 0 ? (
+        <div className="flex items-center justify-center h-64 bg-gray-50 dark:bg-gray-800/50 rounded-xl">
+          <div className="text-center">
+            <p className="text-gray-500 dark:text-gray-400">Connected to WebSocket. Waiting for log data...</p>
+          </div>
+        </div>
+      ) : logData && parsedLines.length > 0 ? (
         <Dashboard stats={logData} parsedLines={parsedLines} />
       ) : (
         <div className="flex items-center justify-center h-64 bg-gray-50 dark:bg-gray-800/50 rounded-xl">

lib/log-aggregator.ts

@@ -20,6 +20,8 @@ interface SuspiciousIpInfo {
 }
 
 export const aggregateLogData = (parsedLines: any[], filters: Record<string, any> = {}) => {
+  // console.log('Aggregating log data, parsedLines:', parsedLines.length);
+  
   const stats = {
     requestStats: {
       totalRequests: 0,
@@ -67,6 +69,8 @@ export const aggregateLogData = (parsedLines: any[], filters: Record<string, any
   //console.log('=== Starting to process', parsedLines.length, 'log entries with filters:', filters);
 
   parsedLines.forEach((parsedLine, index) => {
+    // console.log(`Processing line ${index}:`, parsedLine);
+    
     // Apply filters if any
     let filterMatch = true;
 
@@ -115,7 +119,11 @@ export const aggregateLogData = (parsedLines: any[], filters: Record<string, any
       }
     }
 
-    if (!filterMatch) return;
+    if (!filterMatch) {
+        // console.log(`Line ${index} filtered out`);
+      return;
+    }
+    
     const {
       ipAddress,
       remoteUser,
@@ -129,7 +137,18 @@ export const aggregateLogData = (parsedLines: any[], filters: Record<string, any
       attackType,
     } = parsedLine;
 
-    if (!ipAddress || !method || !status) return;
+    // console.log(`Line ${index} details:`, {
+    //   ipAddress,
+    //   method,
+    //   path,
+    //   status,
+    //   attackType
+    // });
+
+    if (!ipAddress || !method || !status) {
+      // console.log(`Line ${index} missing required fields, skipping`);
+      return;
+    }
 
     initIpStats(ipAddress);
     const bytes = parseInt(bodyBytesSent, 10) || 0;
@@ -184,26 +203,42 @@ export const aggregateLogData = (parsedLines: any[], filters: Record<string, any
           const hour = parseInt(hourStr, 10);
           if (!isNaN(hour) && hour >= 0 && hour < 24) {
             stats.trafficOverTime[hour].count++;
-            return; // Successfully processed
+            // Removed the return statement that was preventing attack counting
           }
         }
       }
-      console.warn('Could not parse timestamp:', timestamp);
+      // console.warn('Could not parse timestamp:', timestamp);
     } catch (error) {
       console.error('Error parsing timestamp:', timestamp, error);
     }
 
     if (attackType) {
+      // console.log('ATTACK COUNTING SECTION REACHED for:', attackType);
+      console.log('Aggregator found attack:', attackType, 'for line:', {
+        ipAddress,
+        method,
+        path,
+        attackType
+      });
+      
       stats.attackDistribution[attackType]++;
       stats.requestStats.totalAttackAttempts++;
       stats.ipStats.attackCounts[ipAddress]++;
+      
       stats.recentAttacks.push({
         timestamp,
         ipAddress,
         remoteUser,
         attackType: attackType,
         requestPath: path,
       });
+    } else {
+      // console.log('No attack type found for line:', {
+      //   ipAddress,
+      //   method,
+      //   path,
+      //   attackType
+      // });
     }
   });
 
@@ -214,7 +249,7 @@ export const aggregateLogData = (parsedLines: any[], filters: Record<string, any
   }));
 
   //console.log('Processed traffic data:', processedTrafficData.filter(x => x.count > 0));
-
+  
   return {
     requestStats: {
       ...stats.requestStats,

workers/logParser.js

@@ -61,8 +61,8 @@ self.onmessage = (e) => {
       "(?:%27|'|--|;|--\\s|/\\*.*?\\*/|#|%23|%2527)",
       // SQL commands and patterns
       "\\b(?:UNION\\s+(?:ALL\\s+)?SELECT|SELECT\\s+.*?\\bFROM|INSERT\\s+INTO|DELETE\\s+FROM|UPDATE\\s+\\w+\\s+SET|DROP\\s+(?:TABLE|DATABASE)|CREATE\\s+(?:TABLE|DATABASE)|ALTER\\s+TABLE)\\b",
-      // Logical operators and comparisons
-      "\\b(?:OR|AND|X?OR|NOT|LIKE|RLIKE|REGEXP)\\s+['\\d]\\s*[=<>~!]?=",
+      // Logical operators and comparisons (both in query params and general)
+      "(?:[?&][^=]*=(?:%27|'|%2527).*?(?:OR|AND|X?OR|NOT).*?=|\\b(?:OR|AND|X?OR|NOT)\\s+['\\d]\\s*[=<>~!]?=)",
       // Database functions and procedures
       "\\b(?:EXEC(?:UTE)?(?:\\(|\\s)|EXEC\\s+SP_|XP_|sp_|xp_|WAITFOR\\s+DELAY|SLEEP\\s*\\(|BENCHMARK\\s*\\(|PG_SLEEP\\s*\\(|UPDATEXML\\s*\\(|EXTRACTVALUE\\s*\\()",
       // String operations
@@ -88,7 +88,7 @@ self.onmessage = (e) => {
     "Command Injection": new RegExp([
       // More comprehensive command injection patterns
       "\\b(?:cat|ls|uname|whoami|pwd|rm|touch|wget|curl|scp|rsync|ftp|nc|ncat|nmap|ping|traceroute|telnet|ssh|bash|sh|zsh|dash|powershell|cmd\\.exe|cmd\\/c|\\|\\||&&|;)\\b",
-      "\\$\s*\\(.*\\)",              // $(command)
+      "\\$\\s*\\(.*\\)",              // $(command)
       "`.*`",                         // `command`
       "\\|\\|\\s*\\w+",               // || command
       "&&\\s*\\w+",                   // && command
@@ -98,23 +98,22 @@ self.onmessage = (e) => {
       "\\b(?:exec|system|passthru|shell_exec|popen|proc_open|pcntl_exec)\\s*\\("
     ].join('|'), 'i'),
 
-    "Directory Traversal": new RegExp(
+    "Directory Traversal": new RegExp([
       // Match directory traversal sequences with at least two levels up
-      '(?:^|/|\\\\)(?:\\.{1,2}[\./\\]){2,}' +
+      "(?:^|/|\\\\)(?:\\.{1,2}[\\./\\\\]){2,}",
       // Match encoded traversal sequences
-      '|(?:^|/|\\)(?:%2e%2e|%252e%252e|%c0%ae%c0%ae|%u002e%u002e)[/\\\\]' +
+      "(?:^|/|\\\\)(?:%2e%2e|%252e%252e|%c0%ae%c0%ae|%u002e%u002e)[/\\\\]",
       // Match absolute paths to sensitive files
-      '|/(?:etc/(?:passwd|shadow|group|hosts)|proc/self/environ|windows/win\.ini|boot\.ini|php\.ini|my\.cnf)(?:/|$|\\0)' +
+      "/(?:etc/(?:passwd|shadow|group|hosts)|proc/self/environ|windows/win\\.ini|boot\\.ini|php\\.ini|my\\.cnf)(?:/|$|\\x00)",
       // Match Windows-style absolute paths
-      '|^[a-zA-Z]:\\\\[^\\/]+' +
+      "^[a-zA-Z]:\\\\[^/]+",
       // Match common path traversal patterns
-      '|\\.\\.(?:%2f|%252f|%5c|%255c)' +
+      "\\.\\.\\.(?:%2f|%252f|%5c|%255c)",
       // Match null byte injection
-      '|\\x00|%00|\\0' +
+      "\\\\x00|%00|\\\\0",
       // Match double encoding
-      '|%25(?:2e|25|5c|2f|5f|3d|3f|26|3a|3b)',
-      'i'
-    ),
+      "%25(?:2e|25|5c|2f|5f|3d|3f|26|3a|3b)"
+    ].join('|'), 'i'),
 
     "Brute Force": new RegExp([
       // More specific brute force patterns - focusing on common attack paths
@@ -419,4 +418,4 @@ self.onmessage = (e) => {
   };
 
   self.postMessage({ stats: finalStats, parsedLines });
-};
+};