From e1a24372999a41e9677536b39f30924547730abc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rodrigo=20Arg=C3=BCello?= Date: Mon, 23 Oct 2023 11:18:10 +0200 Subject: [PATCH 1/4] contrib: implement http.route in missing contribs (#2234) --- contrib/dimfeld/httptreemux.v5/httptreemux.go | 16 ++++++- .../httptreemux.v5/httptreemux_test.go | 4 ++ contrib/emicklei/go-restful.v3/restful.go | 11 +++-- .../emicklei/go-restful.v3/restful_test.go | 1 + contrib/gofiber/fiber.v2/fiber.go | 7 ++- contrib/gofiber/fiber.v2/fiber_test.go | 3 ++ contrib/gorilla/mux/mux_test.go | 46 ++++++++++++++----- contrib/labstack/echo.v4/echotrace_test.go | 1 + contrib/urfave/negroni/negroni.go | 9 ++-- contrib/zenazn/goji.v1/web/goji.go | 5 +- contrib/zenazn/goji.v1/web/goji_test.go | 2 + 11 files changed, 82 insertions(+), 23 deletions(-) diff --git a/contrib/dimfeld/httptreemux.v5/httptreemux.go b/contrib/dimfeld/httptreemux.v5/httptreemux.go index 50e2ed6a7d..10cfc94e9b 100644 --- a/contrib/dimfeld/httptreemux.v5/httptreemux.go +++ b/contrib/dimfeld/httptreemux.v5/httptreemux.go @@ -49,11 +49,13 @@ func New(opts ...RouterOption) *Router { // ServeHTTP implements http.Handler. func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) { resource := r.config.resourceNamer(r.TreeMux, w, req) + route, _ := getRoute(r.TreeMux, w, req) // pass r.TreeMux to avoid a circular reference panic on calling r.ServeHTTP httptrace.TraceAndServe(r.TreeMux, w, req, &httptrace.ServeConfig{ Service: r.config.serviceName, Resource: resource, SpanOpts: r.config.spanOpts, + Route: route, }) } 
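Review bot: With the default resource namer, the new `route, _ := getRoute(r.TreeMux, w, req)` repeats the router.Lookup that defaultResourceNamer has just performed for the `resource` line above it, so every request now pays for two route lookups; ContextRouter.ServeHTTP in the next hunk has the same shape. If Lookup is not negligible for large route tables, compute the route once here and derive the default resource from it (a custom namer would still be called as before), or at least record the trade-off, e.g. `// getRoute repeats the Lookup done by defaultResourceNamer; kept separate so custom namers keep their signature.` The discarded bool means an empty Route is handed to TraceAndServe when nothing matched; the 404 test asserts the tag is then absent, so TraceAndServe presumably drops empty routes, but that contract deserves a one-line comment at this call site.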
@@ -82,11 +84,13 @@ func NewWithContext(opts ...RouterOption) *ContextRouter { // ServeHTTP implements http.Handler. func (r *ContextRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) { resource := r.config.resourceNamer(r.TreeMux, w, req) + route, _ := getRoute(r.TreeMux, w, req) // pass r.TreeMux to avoid a circular reference panic on calling r.ServeHTTP httptrace.TraceAndServe(r.TreeMux, w, req, &httptrace.ServeConfig{ Service: r.config.serviceName, Resource: resource, SpanOpts: r.config.spanOpts, + Route: route, }) } @@ -95,10 +99,18 @@ func (r *ContextRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) { // route from the request. If the lookup fails to find a match the route is set // to "unknown". func defaultResourceNamer(router *httptreemux.TreeMux, w http.ResponseWriter, req *http.Request) string { + route, ok := getRoute(router, w, req) + if !ok { + route = "unknown" + } + return req.Method + " " + route +} + +func getRoute(router *httptreemux.TreeMux, w http.ResponseWriter, req *http.Request) (string, bool) { route := req.URL.Path lr, found := router.Lookup(w, req) if !found { - return req.Method + " unknown" + return "", false } for k, v := range lr.Params { // replace parameter surrounded by a set of "/", i.e. ".../:param/..." @@ -113,5 +125,5 @@ func defaultResourceNamer(router *httptreemux.TreeMux, w http.ResponseWriter, re newP = "/:" + k route = strings.Replace(route, oldP, newP, 1) } - return req.Method + " " + route + return route, true } diff --git a/contrib/dimfeld/httptreemux.v5/httptreemux_test.go b/contrib/dimfeld/httptreemux.v5/httptreemux_test.go index d478fc3218..c1c4b7a9a8 100644 --- a/contrib/dimfeld/httptreemux.v5/httptreemux_test.go +++ b/contrib/dimfeld/httptreemux.v5/httptreemux_test.go 
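Review bot: getRoute now derives the http.route tag by textually substituting each parameter value back into req.URL.Path with `strings.Replace(route, oldP, newP, 1)`, which replaces the first occurrence rather than the matched segment, and because lr.Params is a map the substitutions also run in random order. If a value equals an earlier literal segment (pattern `/a/:x`, request `/a/a`), or the trailing `"/" + v` form is a prefix of an earlier segment, the tag ends up with the marker in the wrong place and a raw request-path value survives in a tag that is meant to be a low-cardinality template; the lines between the two Replace calls are outside this hunk, so there may be a guard I cannot see. Consider substituting whole segments only (split the path on "/" and replace a segment only when it equals the value), or use the router's matched pattern if the httptreemux version in use exposes it. A doc comment would also help: `// getRoute returns the matched route as a pattern (":param" in place of values), or false when the router finds no match.`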
@@ -44,6 +44,7 @@ func TestHttpTracer200(t *testing.T) { assert.Equal("http://example.com"+url, s.Tag(ext.HTTPURL)) assert.Equal("testvalue", s.Tag("testkey")) assert.Equal(nil, s.Tag(ext.Error)) + assert.Equal("/200", s.Tag(ext.HTTPRoute)) } func TestHttpTracer404(t *testing.T) { @@ -71,6 +72,7 @@ func TestHttpTracer404(t *testing.T) { assert.Equal("http://example.com"+url, s.Tag(ext.HTTPURL)) assert.Equal("testvalue", s.Tag("testkey")) assert.Equal(nil, s.Tag(ext.Error)) + assert.NotContains(s.Tags(), ext.HTTPRoute) } func TestHttpTracer500(t *testing.T) { @@ -98,6 +100,7 @@ func TestHttpTracer500(t *testing.T) { assert.Equal("http://example.com"+url, s.Tag(ext.HTTPURL)) assert.Equal("testvalue", s.Tag("testkey")) assert.Equal("500: Internal Server Error", s.Tag(ext.Error).(error).Error()) + assert.Equal("/500", s.Tag(ext.HTTPRoute)) } func TestDefaultResourceNamer(t *testing.T) { @@ -170,6 +173,7 @@ func TestDefaultResourceNamer(t *testing.T) { assert.Equal(tc.method, s.Tag(ext.HTTPMethod)) assert.Equal("http://example.com"+tc.url, s.Tag(ext.HTTPURL)) assert.Equal(nil, s.Tag(ext.Error)) + assert.Equal(tc.path, s.Tag(ext.HTTPRoute)) }) } } diff --git a/contrib/emicklei/go-restful.v3/restful.go b/contrib/emicklei/go-restful.v3/restful.go index b0a005cb02..1d1e153c2d 100644 --- a/contrib/emicklei/go-restful.v3/restful.go +++ b/contrib/emicklei/go-restful.v3/restful.go 
@@ -35,10 +35,13 @@ func FilterFunc(configOpts ...Option) restful.FilterFunction { log.Debug("contrib/emicklei/go-restful/v3: Creating tracing filter: %#v", cfg) spanOpts := []ddtrace.StartSpanOption{tracer.ServiceName(cfg.serviceName)} return func(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) { - spanOpts := append(spanOpts, tracer.ResourceName(req.SelectedRoutePath())) - spanOpts = append(spanOpts, tracer.Tag(ext.Component, componentName)) - spanOpts = append(spanOpts, tracer.Tag(ext.SpanKind, ext.SpanKindServer)) - + spanOpts := append( + spanOpts, + tracer.ResourceName(req.SelectedRoutePath()), + tracer.Tag(ext.Component, componentName), + tracer.Tag(ext.SpanKind, ext.SpanKindServer), + tracer.Tag(ext.HTTPRoute, req.SelectedRoutePath()), + ) if !math.IsNaN(cfg.analyticsRate) { spanOpts = append(spanOpts, tracer.Tag(ext.EventSampleRate, cfg.analyticsRate)) } diff --git a/contrib/emicklei/go-restful.v3/restful_test.go b/contrib/emicklei/go-restful.v3/restful_test.go index 52f43a5f1f..0fdcf3a20b 100644 --- a/contrib/emicklei/go-restful.v3/restful_test.go +++ b/contrib/emicklei/go-restful.v3/restful_test.go @@ -161,6 +161,7 @@ func TestTrace200(t *testing.T) { assert.Equal("http://example.com/user/123", span.Tag(ext.HTTPURL)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) assert.Equal("emicklei/go-restful.v3", span.Tag(ext.Component)) + assert.Equal("/user/{id}", span.Tag(ext.HTTPRoute)) } func TestError(t *testing.T) { diff --git a/contrib/gofiber/fiber.v2/fiber.go b/contrib/gofiber/fiber.v2/fiber.go index f8cf2ac92e..f60a4b46bb 100644 --- a/contrib/gofiber/fiber.v2/fiber.go +++ b/contrib/gofiber/fiber.v2/fiber.go 
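Review bot: The shadowing `spanOpts := append(spanOpts, ...)` inside the per-request closure appends to the slice captured from the enclosing FilterFunc scope; it is safe today only because that slice is a one-element literal with no spare capacity, so every append reallocates. If the outer slice ever gains spare capacity, concurrent requests would append into one shared backing array and race on each other's options; force the copy explicitly, e.g. `opts := append(spanOpts[:len(spanOpts):len(spanOpts)], ...)`, and drop the shadowing name. The same pattern in contrib/urfave/negroni/negroni.go's ServeHTTP hunk is the riskier instance, since `m.cfg.spanOpts` is whatever the caller configured and may well have capacity beyond its length. Separately, `req.SelectedRoutePath()` is now evaluated twice and tagged even when it is empty, whereas the other contribs in this patch omit http.route when no route matched; hoist it into a local and skip the tag when it is empty.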
@@ -61,8 +61,10 @@ func Middleware(opts ...Option) func(c *fiber.Ctx) error { opts = append(opts, tracer.ChildOf(spanctx)) } opts = append(opts, cfg.spanOpts...) - opts = append(opts, tracer.Tag(ext.Component, componentName)) - opts = append(opts, tracer.Tag(ext.SpanKind, ext.SpanKindServer)) + opts = append(opts, + tracer.Tag(ext.Component, componentName), + tracer.Tag(ext.SpanKind, ext.SpanKindServer), + ) span, ctx := tracer.StartSpanFromContext(c.Context(), cfg.spanName, opts...) defer span.Finish() @@ -74,6 +76,7 @@ func Middleware(opts ...Option) func(c *fiber.Ctx) error { err := c.Next() span.SetTag(ext.ResourceName, cfg.resourceNamer(c)) + span.SetTag(ext.HTTPRoute, c.Route().Path) status := c.Response().StatusCode() // on the off chance we don't yet have a status after the rest of the things have run diff --git a/contrib/gofiber/fiber.v2/fiber_test.go b/contrib/gofiber/fiber.v2/fiber_test.go index 2646d3a970..c48a4f6391 100644 --- a/contrib/gofiber/fiber.v2/fiber_test.go +++ b/contrib/gofiber/fiber.v2/fiber_test.go @@ -70,6 +70,7 @@ func TestTrace200(t *testing.T) { assert.Equal("/user/123", span.Tag(ext.HTTPURL)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) assert.Equal("gofiber/fiber.v2", span.Tag(ext.Component)) + assert.Equal("/user/:id", span.Tag(ext.HTTPRoute)) } t.Run("response", func(t *testing.T) { @@ -132,6 +133,7 @@ func TestStatusError(t *testing.T) { assert.Equal("http.request", span.OperationName()) assert.Equal("foobar", span.Tag(ext.ServiceName)) assert.Equal("500", span.Tag(ext.HTTPCode)) + assert.Equal("/err", span.Tag(ext.HTTPRoute)) assert.Equal(wantErr, span.Tag(ext.Error).(error).Error()) } @@ -166,6 +168,7 @@ func TestCustomError(t *testing.T) { assert.Equal(fiber.ErrBadRequest, span.Tag(ext.Error).(*fiber.Error)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) assert.Equal("gofiber/fiber.v2", span.Tag(ext.Component)) + assert.Equal("/err", span.Tag(ext.HTTPRoute)) } func TestUserContext(t *testing.T) { 
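Review bot: `span.SetTag(ext.HTTPRoute, c.Route().Path)` runs unconditionally, including for requests that matched no application route, whereas the httptreemux, gorilla and goji changes in this patch omit http.route in that case (their 404 tests assert `NotContains`). I believe fiber's `c.Route()` then reports either the tracing middleware's own mount path or a route synthesized from the raw request path — please verify — so unmatched requests would carry a misleading or high-cardinality route tag built from attacker-chosen path material. The fiber tests added here cover only matched routes (`/user/:id`, `/err`); add a case that requests an unregistered path and asserts the tag is absent, and guard the SetTag on an actual match. The Middleware closure continues outside this hunk.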
diff --git a/contrib/gorilla/mux/mux_test.go b/contrib/gorilla/mux/mux_test.go index a338a14246..06f96a1002 100644 --- a/contrib/gorilla/mux/mux_test.go +++ b/contrib/gorilla/mux/mux_test.go @@ -29,39 +29,57 @@ import ( func TestHttpTracer(t *testing.T) { for _, ht := range []struct { + name string code int method string url string - resourceName string - errorStr string + wantResource string + wantErr string + wantRoute string }{ { + name: "200", code: http.StatusOK, method: "GET", url: "/200", - resourceName: "GET /200", + wantResource: "GET /200", + wantRoute: "/200", }, { + name: "users/{id}", + code: http.StatusOK, + method: "GET", + url: "/users/123", + wantResource: "GET /users/{id}", + wantRoute: "/users/{id}", + }, + { + name: "404", code: http.StatusNotFound, method: "GET", url: "/not_a_real_route", - resourceName: "GET unknown", + wantResource: "GET unknown", + wantRoute: "", }, { + name: "405", code: http.StatusMethodNotAllowed, method: "POST", url: "/405", - resourceName: "POST unknown", + wantResource: "POST unknown", + wantRoute: "", }, { + name: "500", code: http.StatusInternalServerError, method: "GET", url: "/500", - resourceName: "GET /500", - errorStr: "500: Internal Server Error", + wantResource: "GET /500", + wantErr: "500: Internal Server Error", + wantRoute: "/500", }, } { - t.Run(http.StatusText(ht.code), func(t *testing.T) { + t.Run(ht.name, func(t *testing.T) { assert := assert.New(t) mt := mocktracer.Start() defer mt.Stop() 
@@ -83,12 +101,17 @@ func TestHttpTracer(t *testing.T) { assert.Equal(codeStr, s.Tag(ext.HTTPCode)) assert.Equal(ht.method, s.Tag(ext.HTTPMethod)) assert.Equal("http://example.com"+ht.url, s.Tag(ext.HTTPURL)) - assert.Equal(ht.resourceName, s.Tag(ext.ResourceName)) + assert.Equal(ht.wantResource, s.Tag(ext.ResourceName)) assert.Equal(ext.SpanKindServer, s.Tag(ext.SpanKind)) assert.Equal("gorilla/mux", s.Tag(ext.Component)) + if ht.wantRoute != "" { + assert.Equal(ht.wantRoute, s.Tag(ext.HTTPRoute)) + } else { + assert.NotContains(s.Tags(), ext.HTTPRoute) + } - if ht.errorStr != "" { - assert.Equal(ht.errorStr, s.Tag(ext.Error).(error).Error()) + if ht.wantErr != "" { + assert.Equal(ht.wantErr, s.Tag(ext.Error).(error).Error()) } }) } @@ -365,6 +388,7 @@ func router() http.Handler { mux.Handle("/200", okHandler()) mux.Handle("/500", errorHandler(http.StatusInternalServerError)) mux.Handle("/405", okHandler()).Methods("GET") + mux.Handle("/users/{id}", okHandler()) mux.NotFoundHandler = errorHandler(http.StatusNotFound) mux.MethodNotAllowedHandler = errorHandler(http.StatusMethodNotAllowed) return mux diff --git a/contrib/labstack/echo.v4/echotrace_test.go b/contrib/labstack/echo.v4/echotrace_test.go index 6ac98fe3e1..b400dfd75a 100644 --- a/contrib/labstack/echo.v4/echotrace_test.go +++ b/contrib/labstack/echo.v4/echotrace_test.go @@ -92,6 +92,7 @@ func TestTrace200(t *testing.T) { assert.Equal(root.Context().SpanID(), span.ParentID()) assert.Equal("labstack/echo.v4", span.Tag(ext.Component)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) + assert.Equal("/user/:id", span.Tag(ext.HTTPRoute)) assert.Equal("http://example.com/user/123", span.Tag(ext.HTTPURL)) } diff --git a/contrib/urfave/negroni/negroni.go b/contrib/urfave/negroni/negroni.go index fa72670bf4..7fac9bdbe4 100644 --- a/contrib/urfave/negroni/negroni.go +++ b/contrib/urfave/negroni/negroni.go 
@@ -33,12 +33,15 @@ type DatadogMiddleware struct { } func (m *DatadogMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { - opts := append(m.cfg.spanOpts, tracer.ServiceName(m.cfg.serviceName), tracer.ResourceName(m.cfg.resourceNamer(r))) - opts = append(opts, httptrace.HeaderTagsFromRequest(r, m.cfg.headerTags)) + opts := append( + m.cfg.spanOpts, + tracer.ServiceName(m.cfg.serviceName), + tracer.ResourceName(m.cfg.resourceNamer(r)), + httptrace.HeaderTagsFromRequest(r, m.cfg.headerTags), + ) if !math.IsNaN(m.cfg.analyticsRate) { opts = append(opts, tracer.Tag(ext.EventSampleRate, m.cfg.analyticsRate)) } - span, ctx := httptrace.StartRequestSpan(r, opts...) defer func() { // check if the responseWriter is of type negroni.ResponseWriter diff --git a/contrib/zenazn/goji.v1/web/goji.go b/contrib/zenazn/goji.v1/web/goji.go index 784b8de08e..7efe46d8aa 100644 --- a/contrib/zenazn/goji.v1/web/goji.go +++ b/contrib/zenazn/goji.v1/web/goji.go @@ -52,8 +52,10 @@ func Middleware(opts ...Option) func(*web.C, http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { resource := r.Method p := web.GetMatch(*c).RawPattern() + route := "" if p != nil { - resource += fmt.Sprintf(" %s", p) + route = fmt.Sprintf("%s", p) + resource = resource + " " + route } else { warnonce.Do(func() { log.Warn("contrib/zenazn/goji.v1/web: routes are unavailable. To enable them add the goji Router middleware before the tracer middleware.") @@ -64,6 +66,7 @@ func Middleware(opts ...Option) func(*web.C, http.Handler) http.Handler { Resource: resource, FinishOpts: cfg.finishOpts, SpanOpts: cfg.spanOpts, + Route: route, }) }) } diff --git a/contrib/zenazn/goji.v1/web/goji_test.go b/contrib/zenazn/goji.v1/web/goji_test.go index 03db7a73bf..d9f9d924f0 100644 --- a/contrib/zenazn/goji.v1/web/goji_test.go +++ b/contrib/zenazn/goji.v1/web/goji_test.go 
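Review bot: `route = fmt.Sprintf("%s", p)` formats a single operand with no surrounding text; `route = fmt.Sprint(p)` expresses the same without a format string and is equivalent when the pattern is a string or a Stringer, which I believe is what goji's RawPattern yields for the common cases — verify for custom Pattern implementations. The `route := ""` line above it is more idiomatically `var route string`. What a non-string pattern renders as in the http.route tag is pre-existing behavior that this hunk does not change; the Middleware closure continues outside the hunk.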
@@ -52,6 +52,7 @@ func TestNoRouter(t *testing.T) { assert.Equal("http://example.com/user/123", span.Tag(ext.HTTPURL)) assert.Equal("zenazn/goji.v1/web", span.Tag(ext.Component)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) + assert.NotContains(span.Tags(), ext.HTTPRoute) } func TestTraceWithRouter(t *testing.T) { @@ -91,6 +92,7 @@ func TestTraceWithRouter(t *testing.T) { assert.Equal("http://example.com/user/123", span.Tag(ext.HTTPURL)) assert.Equal("zenazn/goji.v1/web", span.Tag(ext.Component)) assert.Equal(ext.SpanKindServer, span.Tag(ext.SpanKind)) + assert.Equal("/user/:id", span.Tag(ext.HTTPRoute)) } func TestError(t *testing.T) { From 5e9b0b1fb7ff458c744c66211ba8cf11b901c100 Mon Sep 17 00:00:00 2001 From: Nick Ripley Date: Mon, 23 Oct 2023 09:15:34 -0400 Subject: [PATCH 2/4] ddtrace/tracer: encode span IDs in execution traces efficiently (#2268) We were previously encoding span IDs into execution traces as base-10 strings. This is wasteful, in terms of CPU time to encode the ID and more importantly in terms of how much of the limited execution trace data the profiler collects will be taken up by span IDs. They can be encoded directly as 8-byte unsigned integers. --- ddtrace/tracer/exec_tracer_test.go | 95 ++++++++++++++++++++++++++++++ ddtrace/tracer/tracer.go | 8 ++- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 ddtrace/tracer/exec_tracer_test.go diff --git a/ddtrace/tracer/exec_tracer_test.go b/ddtrace/tracer/exec_tracer_test.go new file mode 100644 index 0000000000..0ff8e239f9 --- /dev/null +++ b/ddtrace/tracer/exec_tracer_test.go 
@@ -0,0 +1,95 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016 Datadog, Inc. + +// Tests in this file rely on parsing execution tracer data, which can change +// formats across Go releases. This guard should be updated as the Go trace +// parser library is upgraded to support new versions. +//go:build !go1.21 + +package tracer + +import ( + "bytes" + "context" + "encoding/binary" + rt "runtime/trace" + "testing" + + "github.com/stretchr/testify/assert" + gotraceui "honnef.co/go/gotraceui/trace" +) + +func TestExecutionTraceSpans(t *testing.T) { + if rt.IsEnabled() { + t.Skip("runtime execution tracing is already enabled") + } + + buf := new(bytes.Buffer) + if err := rt.Start(buf); err != nil { + t.Fatal(err) + } + // Ensure we unconditionally stop tracing. It's safe to call this + // multiple times. + defer rt.Stop() + + _, _, _, stop := startTestTracer(t) + defer stop() + + root, ctx := StartSpanFromContext(context.Background(), "root") + child, _ := StartSpanFromContext(ctx, "child") + root.Finish() + child.Finish() + + rt.Stop() + + execTrace, err := gotraceui.Parse(buf, nil) + if err != nil { + t.Fatalf("parsing trace: %s", err) + } + + type traceSpan struct { + name string + parent string + spanID uint64 + } + + spans := make(map[int]*traceSpan) + for _, ev := range execTrace.Events { + switch ev.Type { + case gotraceui.EvUserTaskCreate: + id := int(ev.Args[0]) + name := execTrace.Strings[ev.Args[2]] + var parent string + if p, ok := spans[int(ev.Args[1])]; ok { + parent = p.name + } + spans[id] = &traceSpan{ + name: name, + parent: parent, + } + case gotraceui.EvUserLog: + id := int(ev.Args[0]) + span, ok := spans[id] + if !ok { + continue + } + key := execTrace.Strings[ev.Args[1]] + if key == "datadog.uint64_span_id" { + span.spanID = 
binary.LittleEndian.Uint64([]byte(execTrace.Strings[ev.Args[3]])) + } + } + } + + want := []traceSpan{ + {name: "root", spanID: root.Context().SpanID()}, + {name: "child", parent: "root", spanID: child.Context().SpanID()}, + } + var got []traceSpan + for _, v := range spans { + got = append(got, *v) + } + + assert.ElementsMatch(t, want, got) +} diff --git a/ddtrace/tracer/tracer.go b/ddtrace/tracer/tracer.go index 0c333d2d5c..97a948d45d 100644 --- a/ddtrace/tracer/tracer.go +++ b/ddtrace/tracer/tracer.go @@ -7,6 +7,7 @@ package tracer import ( gocontext "context" + "encoding/binary" "os" "runtime/pprof" rt "runtime/trace" @@ -702,7 +703,12 @@ func startExecutionTracerTask(ctx gocontext.Context, span *span) (gocontext.Cont // skipped. ctx = globalinternal.WithExecutionNotTraced(ctx) } - rt.Log(ctx, "span id", strconv.FormatUint(span.SpanID, 10)) + var b [8]byte + binary.LittleEndian.PutUint64(b[:], span.SpanID) + // TODO: can we make string(b[:]) not allocate? e.g. with unsafe + // shenanigans? rt.Log won't retain the message string, though perhaps + // we can't assume that will always be the case. + rt.Log(ctx, "datadog.uint64_span_id", string(b[:])) return ctx, end } From 5f985bba7fe9513df796684c22ecb774b1ce9318 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Wed, 25 Oct 2023 11:01:47 +0200 Subject: [PATCH 3/4] internal/log: fix potential integer conversion issue from parsed value (#2289) Co-authored-by: Katie Hockman --- internal/log/log.go | 13 +++++++++++-- internal/log/log_test.go | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/internal/log/log.go b/internal/log/log.go index b6f732913e..c32b1ed9ba 100644 --- a/internal/log/log.go +++ b/internal/log/log.go 
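Review bot: `span.spanID = binary.LittleEndian.Uint64([]byte(execTrace.Strings[ev.Args[3]]))` panics with an index error if the logged value is ever shorter than 8 bytes, which would surface as a crash rather than a readable test failure; check the length first, e.g. `if s := execTrace.Strings[ev.Args[3]]; len(s) != 8 { t.Fatalf("span id value is %d bytes, want 8", len(s)) }`. Separately, the `//go:build !go1.21` constraint compiles this test out on Go 1.21 and later, so the encoding change in tracer.go has no coverage on newer toolchains until the trace parser is upgraded; a TODO next to the constraint naming the tracking issue would make that gap visible.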
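Review bot: The key `"datadog.uint64_span_id"` and the little-endian layout of the 8 bytes are now a wire contract between this tracer and whatever decodes the execution trace (exec_tracer_test.go and, per the commit message, the profiler), but the only comment at the `rt.Log` call is the allocation TODO; add something like `// Span IDs are logged as 8 raw little-endian bytes under "datadog.uint64_span_id"; consumers decode exactly this form, so change key, width and byte order together.` and lift the key into a package-level const the test can share. The message is a string holding arbitrary bytes rather than UTF-8 text, so any tool that renders execution-trace user logs as text will show it as garbage — worth a clause in the same comment. The unsafe idea in the TODO should stay a TODO: rt.Log's non-retention of the message is not documented, so aliasing `b` would be unsound if that ever changed.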
@@ -100,9 +100,18 @@ var ( func init() { if v := os.Getenv("DD_LOGGING_RATE"); v != "" { - if sec, err := strconv.ParseUint(v, 10, 64); err != nil { - Warn("Invalid value for DD_LOGGING_RATE: %v", err) + setLoggingRate(v) + } +} + +func setLoggingRate(v string) { + if sec, err := strconv.ParseInt(v, 10, 64); err != nil { + Warn("Invalid value for DD_LOGGING_RATE: %v", err) + } else { + if sec < 0 { + Warn("Invalid value for DD_LOGGING_RATE: negative value") } else { + // DD_LOGGING_RATE = 0 allows to log errors immediately. errrate = time.Duration(sec) * time.Second } } diff --git a/internal/log/log_test.go b/internal/log/log_test.go index ce7b84036e..3840d5151b 100644 --- a/internal/log/log_test.go +++ b/internal/log/log_test.go @@ -140,6 +140,42 @@ func TestRecordLoggerIgnore(t *testing.T) { assert.Contains(t, tp.Logs()[0], "appsec") } +func TestSetLoggingRate(t *testing.T) { + testCases := []struct { + input string + result time.Duration + }{ + { + input: "", + result: time.Minute, + }, + { + input: "0", + result: 0 * time.Second, + }, + { + input: "10", + result: 10 * time.Second, + }, + { + input: "-1", + result: time.Minute, + }, + { + input: "this is not a number", + result: time.Minute, + }, + } + for _, tC := range testCases { + tC := tC + errrate = time.Minute // reset global variable + t.Run(tC.input, func(t *testing.T) { + setLoggingRate(tC.input) + assert.Equal(t, tC.result, errrate) + }) + } +} + func BenchmarkError(b *testing.B) { Error("k %s", "a") // warm up cache for i := 0; i < b.N; i++ { From 1dd3dd43e1cc223b98b8399660328afec953133a Mon Sep 17 00:00:00 2001 From: Eliott Bouhana <47679741+eliottness@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:48:37 +0200 Subject: [PATCH 4/4] appsec: update event rules 1.7.1 -> 1.8.0 (#2292) appsec: update event rules 1.7.1 -> 1.8.0 --- internal/appsec/rules.go | 4 +- internal/appsec/rules.json | 684 +++++++++++++++++++++++++++++++++++-- 2 files changed, 656 insertions(+), 32 deletions(-) 
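Review bot: The new negative check addresses the signed/unsigned conversion, but `errrate = time.Duration(sec) * time.Second` still overflows int64 for large positive inputs (anything above roughly 9.22e9 seconds wraps to a negative or garbage duration), so a value like `DD_LOGGING_RATE=10000000000` silently yields a bogus rate instead of the warning the negative case gets. The `else { if … } else { … } }` nesting also reads better as guard clauses. The rewrite below needs `math` imported in log.go if it is not already, and TestSetLoggingRate could gain a case `{input: "10000000000", result: time.Minute}` to pin the bound.
```go
func setLoggingRate(v string) {
	sec, err := strconv.ParseInt(v, 10, 64)
	if err != nil {
		Warn("Invalid value for DD_LOGGING_RATE: %v", err)
		return
	}
	if sec < 0 {
		Warn("Invalid value for DD_LOGGING_RATE: negative value")
		return
	}
	// Reject values whose conversion to nanoseconds would overflow int64.
	if sec > int64(time.Duration(math.MaxInt64)/time.Second) {
		Warn("Invalid value for DD_LOGGING_RATE: value too large")
		return
	}
	// DD_LOGGING_RATE = 0 allows to log errors immediately.
	errrate = time.Duration(sec) * time.Second
}
```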
diff --git a/internal/appsec/rules.go b/internal/appsec/rules.go index f34e2a49a1..1dadab104f 100644 --- a/internal/appsec/rules.go +++ b/internal/appsec/rules.go @@ -10,8 +10,8 @@ package appsec import _ "embed" -// Static recommended AppSec rule 1.7.1 -// Source: https://github.com/DataDog/appsec-event-rules/blob/1.7.1/build/recommended.json +// Static recommended AppSec rule 1.8.0 +// Source: https://github.com/DataDog/appsec-event-rules/blob/1.8.0/build/recommended.json // //go:embed rules.json var staticRecommendedRules string diff --git a/internal/appsec/rules.json b/internal/appsec/rules.json index ba65c5cf5c..a6e0146854 100644 --- a/internal/appsec/rules.json +++ b/internal/appsec/rules.json @@ -1,7 +1,7 @@ { "version": "2.2", "metadata": { - "rules_version": "1.7.1" + "rules_version": "1.8.0" }, "rules": [ { @@ -62,6 +62,8 @@ "crs_id": "913110", "category": "attack_attempt", "tool_name": "Acunetix", + "cwe": "200", + "capec": "1000/118/169", "confidence": "0" }, "conditions": [ @@ -94,6 +96,8 @@ "type": "security_scanner", "crs_id": "913120", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -108,6 +112,12 @@ }, { "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -144,6 +154,8 @@ "type": "http_protocol_violation", "crs_id": "920260", "category": "attack_attempt", + "cwe": "176", + "capec": "1000/255/153/267/71", "confidence": "0" }, "conditions": [ @@ -171,7 +183,9 @@ "tags": { "type": "http_protocol_violation", "crs_id": "921110", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "444", + "capec": "1000/210/272/220/33" }, "conditions": [ { @@ -206,7 +220,9 @@ "tags": { "type": "http_protocol_violation", "crs_id": "921160", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "113", + "capec": "1000/210/272/220/105" }, "conditions": [ { 
@@ -239,6 +255,8 @@ "type": "lfi", "crs_id": "930100", "category": "attack_attempt", + "cwe": "22", + "capec": "1000/255/153/126", "confidence": "1" }, "conditions": [ @@ -271,6 +289,8 @@ "type": "lfi", "crs_id": "930110", "category": "attack_attempt", + "cwe": "22", + "capec": "1000/255/153/126", "confidence": "1" }, "conditions": [ @@ -304,6 +324,8 @@ "type": "lfi", "crs_id": "930120", "category": "attack_attempt", + "cwe": "22", + "capec": "1000/255/153/126", "confidence": "1" }, "conditions": [ @@ -321,6 +343,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -1743,7 +1768,10 @@ "sys/hypervisor", "sys/kernel", "sys/module", - "sys/power" + "sys/power", + "windows\\win.ini", + "default\\ntuser.dat", + "/var/run/secrets/kubernetes.io/serviceaccount" ] }, "operator": "phrase_match" @@ -1761,6 +1789,8 @@ "type": "rfi", "crs_id": "931110", "category": "attack_attempt", + "cwe": "98", + "capec": "1000/152/175/253/193", "confidence": "1" }, "conditions": [ @@ -1787,7 +1817,9 @@ "tags": { "type": "rfi", "crs_id": "931120", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "98", + "capec": "1000/152/175/253/193" }, "conditions": [ { @@ -1801,6 +1833,12 @@ }, { "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^(?i:file|ftps?)://.*?\\?+$", @@ -1821,6 +1859,8 @@ "type": "command_injection", "crs_id": "932160", "category": "attack_attempt", + "cwe": "77", + "capec": "1000/152/248/88", "confidence": "1" }, "conditions": [ @@ -1838,6 +1878,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -2312,7 +2355,8 @@ } ], "transformers": [ - "lowercase" + "lowercase", + "cmdLine" ] }, { 
@@ -2322,6 +2366,8 @@ "type": "command_injection", "crs_id": "932171", "category": "attack_attempt", + "cwe": "77", + "capec": "1000/152/248/88", "confidence": "1" }, "conditions": [ @@ -2342,6 +2388,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^\\(\\s*\\)\\s+{", @@ -2362,6 +2411,8 @@ "type": "command_injection", "crs_id": "932180", "category": "attack_attempt", + "cwe": "706", + "capec": "1000/225/122/17/177", "confidence": "1" }, "conditions": [ @@ -2421,6 +2472,8 @@ "type": "unrestricted_file_upload", "crs_id": "933111", "category": "attack_attempt", + "cwe": "434", + "capec": "1000/225/122/17/650", "confidence": "1" }, "conditions": [ @@ -2472,6 +2525,8 @@ "type": "php_code_injection", "crs_id": "933130", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/225/122/17/650", "confidence": "1" }, "conditions": [ @@ -2489,6 +2544,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -2528,7 +2586,9 @@ "tags": { "type": "php_code_injection", "crs_id": "933131", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/225/122/17/650" }, "conditions": [ { @@ -2545,6 +2605,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)", @@ -2565,6 +2628,8 @@ "type": "php_code_injection", "crs_id": "933140", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/225/122/17/650", "confidence": "1" }, "conditions": [ @@ -2582,6 +2647,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)", 
@@ -2601,6 +2669,8 @@ "type": "php_code_injection", "crs_id": "933150", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/225/122/17/650", "confidence": "1" }, "conditions": [ @@ -2618,6 +2688,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -2680,7 +2753,9 @@ "tags": { "type": "php_code_injection", "crs_id": "933160", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/225/122/17/650" }, "conditions": [ { 
@@ -2697,6 +2772,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|
i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)", @@ -2717,6 +2795,8 @@ "type": "php_code_injection", "crs_id": "933170", "category": "attack_attempt", + "cwe": "502", + "capec": "1000/152/586", "confidence": "1" }, "conditions": [ @@ -2737,6 +2817,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}", @@ -2756,7 +2839,9 @@ "tags": { "type": "php_code_injection", "crs_id": "933200", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "502", + "capec": "1000/152/586" }, "conditions": [ { @@ -2773,6 +2858,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://", @@ -2794,7 +2882,9 @@ "tags": { "type": "js_code_injection", "crs_id": "934100", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { 
@@ -2811,6 +2901,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)", @@ -2831,7 +2924,9 @@ "type": "js_code_injection", "crs_id": "934101", "category": "attack_attempt", - "confidence": "1" + "confidence": "1", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { @@ -2848,6 +2943,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(", @@ -2868,6 +2966,8 @@ "type": "xss", "crs_id": "941110", "category": "attack_attempt", + "cwe": "80", + "capec": "1000/152/242/63/591", "confidence": "1" }, "conditions": [ @@ -2897,6 +2997,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "]*>[\\s\\S]*?", 
@@ -2919,6 +3022,8 @@ "type": "xss", "crs_id": "941120", "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", "confidence": "1" }, "conditions": [ @@ -2948,9 +3053,12 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], - "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", + "regex": "\\bon(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress|aste|ointer(?:cancel|down|enter|leave|move|out|over|rawupdate|up))|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t|uxclick|fterscriptexecute)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?|inish)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start|end)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", "options": { "min_length": 8 } 
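Review bot: In hunk `@@ -2948,9 +3053,12 @@` the 941120 event-handler regex replaces the explicit leading character class (`[\s\"'`;/0-9=...]`) with `\b`, which broadens the match to any word boundary — including the start of the value and separators such as `?`, `&` or `<` that the old class excluded. That closes the gap where a payload begins a parameter value, but it also means a query or body field whose name or value happens to start with a handler name followed by `=` (e.g. `onload=1`) now fires, with `min_length: 8` as the only dampener; I would confirm this against a false-positive corpus before shipping, since `confidence` stays at `1`. Separately, the added `|aste` alternative under `p(?:a(?:ge(?:hide|show)|(?:st|us)e)|...|aste|...)` is redundant: `a(?:st|us)e` already yields `paste`, so the new branch can be dropped without changing what the pattern matches.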
@@ -2970,6 +3078,8 @@ "type": "xss", "crs_id": "941140", "category": "attack_attempt", + "cwe": "84", + "capec": "1000/152/242/63/591/244", "confidence": "1" }, "conditions": [ @@ -2999,6 +3109,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript", @@ -3021,6 +3134,8 @@ "type": "xss", "crs_id": "941170", "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", "confidence": "1" }, "conditions": [ @@ -3047,6 +3162,12 @@ }, { "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(", @@ -3068,7 +3189,9 @@ "tags": { "type": "xss", "crs_id": "941180", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "79", + "capec": "1000/152/242/63/591" }, "conditions": [ { @@ -3085,6 +3208,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -3111,6 +3237,8 @@ "type": "xss", "crs_id": "941200", "category": "attack_attempt", + "cwe": "80", + "capec": "1000/152/242/63/591", "confidence": "1" }, "conditions": [ @@ -3128,6 +3256,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)", @@ -3150,6 +3281,8 @@ "type": "xss", "crs_id": "941210", "category": "attack_attempt", + "cwe": "80", + "capec": "1000/152/242/63/591", "confidence": "1" }, "conditions": [ 
@@ -3167,6 +3300,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", @@ -3189,6 +3325,8 @@ "type": "xss", "crs_id": "941220", "category": "attack_attempt", + "cwe": "80", + "capec": "1000/152/242/63/591", "confidence": "1" }, "conditions": [ 
@@ -3206,6 +3344,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", @@ -3228,6 +3369,8 @@ "type": "xss", "crs_id": "941230", "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", "confidence": "1" }, "conditions": [ @@ -3245,6 +3388,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "]", @@ -3419,6 +3585,8 @@ "type": "xss", "crs_id": "941300", "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", "confidence": "1" }, "conditions": [ @@ -3436,6 +3604,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": ")|<.*\\+AD4-", @@ -3493,7 +3669,9 @@ "tags": { "type": "xss", "crs_id": "941360", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "87", + "capec": "1000/152/242/63/591/199" }, "conditions": [ { @@ -3510,6 +3688,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "![!+ ]\\[\\]", 
@@ -3530,7 +3711,9 @@ "type": "xss", "crs_id": "941390", "category": "attack_attempt", - "confidence": "1" + "confidence": "1", + "cwe": "79", + "capec": "1000/152/242/63/591" }, "conditions": [ { @@ -3547,6 +3730,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)[\\s+]*\\([^\\)]", @@ -3566,7 +3752,9 @@ "tags": { "type": "sql_injection", "crs_id": "942100", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66" }, "conditions": [ { @@ -3583,6 +3771,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ] }, @@ -3600,6 +3791,8 @@ "type": "sql_injection", "crs_id": "942160", "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66/7", "confidence": "1" }, "conditions": [ @@ -3617,6 +3810,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))", @@ -3637,6 +3833,8 @@ "type": "sql_injection", "crs_id": "942240", "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66/7", "confidence": "1" }, "conditions": [ @@ -3654,6 +3852,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)", @@ -3672,7 +3873,9 @@ "tags": { "type": "sql_injection", "crs_id": "942250", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66" }, "conditions": [ { 
@@ -3689,6 +3892,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()", @@ -3708,7 +3914,9 @@ "tags": { "type": "sql_injection", "crs_id": "942270", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66" }, "conditions": [ { @@ -3725,6 +3933,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "union.*?select.*?from", @@ -3744,6 +3955,8 @@ "type": "sql_injection", "crs_id": "942280", "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66/7", "confidence": "1" }, "conditions": [ @@ -3761,6 +3974,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)", @@ -3779,7 +3995,9 @@ "tags": { "type": "nosql_injection", "crs_id": "942290", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "943", + "capec": "1000/152/248/676" }, "conditions": [ { @@ -3796,6 +4014,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)", @@ -3817,7 +4038,9 @@ "tags": { "type": "sql_injection", "crs_id": "942360", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66/470" }, "conditions": [ { 
@@ -3834,6 +4057,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)", @@ -3852,7 +4078,9 @@ "tags": { "type": "sql_injection", "crs_id": "942500", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "89", + "capec": "1000/152/248/66" }, "conditions": [ { @@ -3869,6 +4097,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)", @@ -3889,6 +4120,8 @@ "type": "http_protocol_violation", "crs_id": "943100", "category": "attack_attempt", + "cwe": "384", + "capec": "1000/225/21/593/61", "confidence": "1" }, "conditions": [ 
@@ -3903,6 +4136,12 @@ }, { "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)", @@ -3923,6 +4162,8 @@ "type": "java_code_injection", "crs_id": "944100", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -3943,6 +4184,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "java\\.lang\\.(?:runtime|processbuilder)", @@ -3964,7 +4208,9 @@ "tags": { "type": "java_code_injection", "crs_id": "944110", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { @@ -3984,6 +4230,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:runtime|processbuilder)", @@ -4011,6 +4260,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:unmarshaller|base64data|java\\.)", @@ -4032,7 +4284,9 @@ "tags": { "type": "java_code_injection", "crs_id": "944130", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { @@ -4052,6 +4306,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "list": [ @@ -4112,6 +4369,8 @@ "type": "java_code_injection", "crs_id": "944260", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -4132,6 +4391,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)", 
@@ -4150,7 +4412,9 @@ "name": "Look for Cassandra injections", "tags": { "type": "nosql_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "943", + "capec": "1000/152/248/676" }, "conditions": [ { @@ -4165,6 +4429,12 @@ { "address": "server.request.path_params" }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + }, { "address": "server.request.headers.no_cookies" } @@ -4183,7 +4453,9 @@ "name": "OGNL - Look for formatting injection patterns", "tags": { "type": "java_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { @@ -4204,6 +4476,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}", @@ -4221,6 +4496,8 @@ "tags": { "type": "java_code_injection", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -4242,6 +4519,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "[@#]ognl", @@ -4259,6 +4539,8 @@ "tags": { "type": "exploit_detection", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -4287,6 +4569,8 @@ "tags": { "type": "js_code_injection", "category": "attack_attempt", + "cwe": "1321", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -4315,6 +4599,8 @@ "tags": { "type": "js_code_injection", "category": "attack_attempt", + "cwe": "1321", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ @@ -4357,6 +4643,8 @@ "tags": { "type": "java_code_injection", "category": "attack_attempt", + "cwe": "1336", + "capec": "1000/152/242/19", "confidence": "1" }, "conditions": [ 
@@ -4377,6 +4665,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>" @@ -4393,6 +4684,8 @@ "type": "attack_tool", "category": "attack_attempt", "tool_name": "BurpCollaborator", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -4413,6 +4706,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b" @@ -4429,6 +4725,8 @@ "type": "commercial_scanner", "category": "attack_attempt", "tool_name": "Qualys", + "cwe": "200", + "capec": "1000/118/169", "confidence": "0" }, "conditions": [ @@ -4449,6 +4747,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\bqualysperiscope\\.com\\b" @@ -4465,6 +4766,8 @@ "type": "commercial_scanner", "category": "attack_attempt", "tool_name": "Probely", + "cwe": "200", + "capec": "1000/118/169", "confidence": "0" }, "conditions": [ @@ -4485,6 +4788,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\bprbly\\.win\\b" @@ -4500,6 +4806,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -4520,6 +4828,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b" @@ -4535,6 +4846,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "0" }, "conditions": [ 
@@ -4555,6 +4868,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b" @@ -4571,6 +4887,8 @@ "type": "commercial_scanner", "category": "attack_attempt", "tool_name": "Rapid7", + "cwe": "200", + "capec": "1000/118/169", "confidence": "0" }, "conditions": [ @@ -4591,6 +4909,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\bappspidered\\.rapid7\\." @@ -4607,6 +4928,8 @@ "type": "attack_tool", "category": "attack_attempt", "tool_name": "interact.sh", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -4627,6 +4950,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b" 
@@ -4636,12 +4962,59 @@ ], "transformers": [] }, + { + "id": "dog-913-008", + "name": "Netsparker OOB domain", + "tags": { + "type": "commercial_scanner", + "category": "attack_attempt", + "tool_name": "Netsparker", + "cwe": "200", + "capec": "1000/118/169", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "server.request.headers.no_cookies" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + } + ], + "regex": "\\b(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)r87(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)(?:me|com)\\b", + "options": { + "case_sensitive": false, + "min_length": 7 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, { "id": "dog-931-001", "name": "RFI: URL Payload to well known RFI target", "tags": { "type": "rfi", "category": "attack_attempt", + "cwe": "98", + "capec": "1000/152/175/253/193", "confidence": "1" }, "conditions": [ @@ -4656,6 +5029,12 @@ }, { "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$", @@ -4675,6 +5054,8 @@ "tags": { "type": "xxe", "category": "attack_attempt", + "cwe": "91", + "capec": "1000/152/248/250", "confidence": "0" }, "conditions": [ @@ -4686,6 +5067,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?:<\\?xml[^>]*>.*)]+SYSTEM\\s+[^>]+>", 
@@ -4699,12 +5083,69 @@ ], "transformers": [] }, + { + "id": "dog-941-001", + "name": "XSS in source property", + "tags": { + "type": "xss", + "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "referer" + ] + }, + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + } + ], + "regex": "<(?:iframe|esi:include)(?:(?:\\s|/)*\\w+=[\"'\\w]+)*(?:\\s|/)*src(?:doc)?=[\"']?(?:data:|javascript:|http:|//)[^\\s'\"]+['\"]?", + "options": { + "min_length": 14 + } + }, + "operator": "match_regex" + } + ], + "transformers": [ + "removeNulls", + "urlDecodeUni" + ] + }, { "id": "dog-942-001", "name": "Blind XSS callback domains", "tags": { "type": "xss", "category": "attack_attempt", + "cwe": "83", + "capec": "1000/152/242/63/591/243", "confidence": "1" }, "conditions": [ @@ -4725,6 +5166,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)", @@ -4743,6 +5187,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -4978,6 +5424,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5018,6 +5466,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ 
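Review bot: The new `dog-941-001` rule's regex only accepts `data:`, `javascript:`, `http:` or `//` after `src`/`srcdoc=`, so an `<iframe src="https://...">` injection is not matched even though the very next rule in the patch (`dog-942-001`) uses `https?:` for the same kind of callback URL; I would change the alternation to `(?:data:|javascript:|https?:|//)`. The attribute-skipping group `(?:(?:\s|/)*\w+=["'\w]+)*` also stops at the first attribute whose value contains a space, hyphen or `:` (e.g. `title="a b"` or `style=...`), so an attacker-controlled tag with such an attribute before `src` is not scanned — acceptable for a `confidence: "0"` rule, but worth stating in the rule's `name` or the rules changelog so the gap is known. The `removeNulls`/`urlDecodeUni` transformers are a reasonable choice given the `key_path` inputs on `user-agent` and `referer`.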
@@ -5058,6 +5508,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5098,6 +5550,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5138,6 +5592,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5178,6 +5634,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5218,6 +5676,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5258,6 +5718,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ @@ -5298,6 +5760,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "1" }, "conditions": [ @@ -5315,6 +5779,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/", @@ -5334,7 +5801,9 @@ "name": "Server-side Javascript injection: Try to detect obvious JS injection", "tags": { "type": "js_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242" }, "conditions": [ { @@ -5351,6 +5820,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)", 
@@ -5371,6 +5843,8 @@ "tags": { "type": "command_injection", "category": "attack_attempt", + "cwe": "78", + "capec": "1000/152/248/88", "confidence": "1" }, "conditions": [ @@ -5391,6 +5865,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]" @@ -5406,6 +5883,8 @@ "tags": { "type": "command_injection", "category": "attack_attempt", + "cwe": "78", + "capec": "1000/152/248/88", "confidence": "1" }, "conditions": [ @@ -5426,14 +5905,19 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], - "regex": "(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]" + "regex": "(?i)[&|]\\s*cat\\s*\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]" }, "operator": "match_regex" } ], - "transformers": [] + "transformers": [ + "cmdLine" + ] }, { "id": "sqr-000-010", @@ -5441,6 +5925,8 @@ "tags": { "type": "command_injection", "category": "attack_attempt", + "cwe": "78", + "capec": "1000/152/248/88", "confidence": "1" }, "conditions": [ @@ -5461,6 +5947,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]" @@ -5476,6 +5965,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "1" }, "conditions": [ @@ -5493,6 +5984,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman", @@ -5511,6 +6005,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "0" }, "conditions": [ 
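Review bot: In hunk `@@ -5426,14 +5905,19 @@` the rule preceding `sqr-000-010` both loosens its regex from `cat\s+\/etc` to `cat\s*\/etc` and gains the `cmdLine` transformer, and the patch does not record why. With `\s*` the pattern now also matches `cat/etc/passwd`, which is not a runnable command, so if `cmdLine` already normalises whitespace the loosening is redundant, and if it does not the intent should be documented in the rule's `name` or the rules changelog. The two sibling `command_injection` rules touched on this line (`@@ -5391,6 +5865,9 @@`, `@@ -5461,6 +5947,9 @@`) have their `transformers` arrays outside the visible hunks, so I cannot tell whether applying `cmdLine` to only one of them is deliberate; please confirm.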
@@ -5528,6 +6024,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/[^:@]*)?$" @@ -5545,6 +6044,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "0" }, "conditions": [ @@ -5562,6 +6063,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$" @@ -5579,6 +6083,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "1" }, "conditions": [ @@ -5599,6 +6105,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii.one|act1on3.ru)" @@ -5614,6 +6123,8 @@ "tags": { "type": "ssrf", "category": "attack_attempt", + "cwe": "918", + "capec": "1000/225/115/664", "confidence": "0" }, "conditions": [ @@ -5634,6 +6145,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})" @@ -5651,6 +6165,8 @@ "tags": { "type": "exploit_detection", "category": "attack_attempt", + "cwe": "94", + "capec": "1000/152/242", "confidence": "1" }, "conditions": [ 
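Review bot: The callback-domain regex in hunk `@@ -5599,6 +6105,9 @@` ends with `|vii.one|act1on3.ru)` where the dots are unescaped, so `.` matches any character (e.g. `viixone`, `act1on3-ru`), whereas the same two domains are correctly written `vii\.one|act1on3\.ru` in the security_scanner rule at `@@ -4520,6 +4828,9 @@`. This is a context line rather than something the commit introduces, but since the file is being regenerated anyway it is a cheap fix: `|vii\\.one|act1on3\\.ru)` in the JSON source. The over-match only widens detection slightly, so the risk is a few extra false positives rather than a bypass.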
@@ -5674,6 +6190,9 @@ }, { "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" } ], "regex": "\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}" @@ -5691,6 +6210,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Joomla exploitation tool", "confidence": "1" }, @@ -5718,6 +6239,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Nessus", "confidence": "1" }, @@ -5745,6 +6268,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Arachni", "confidence": "1" }, @@ -5772,6 +6297,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Jorgee", "confidence": "1" }, @@ -5799,6 +6326,8 @@ "tags": { "type": "commercial_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Probely", "confidence": "0" }, @@ -5826,6 +6355,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Metis", "confidence": "1" }, @@ -5853,6 +6384,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "SQLPowerInjector", "confidence": "1" }, @@ -5880,6 +6413,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "N-Stealth", "confidence": "1" }, @@ -5907,6 +6442,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Brutus", "confidence": "1" }, @@ -5934,6 +6471,8 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "confidence": "1" }, "conditions": [ 
@@ -5960,6 +6499,8 @@ "tags": { "type": "commercial_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Netsparker", "confidence": "0" }, @@ -5987,6 +6528,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "JAASCois", "confidence": "1" }, @@ -6014,6 +6557,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Nsauditor", "confidence": "1" }, @@ -6041,6 +6586,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Paros", "confidence": "1" }, @@ -6068,6 +6615,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "DirBuster", "confidence": "1" }, @@ -6095,6 +6644,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Pangolin", "confidence": "1" }, @@ -6122,6 +6673,8 @@ "tags": { "type": "commercial_scanner", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Qualys", "confidence": "0" }, @@ -6149,6 +6702,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "SQLNinja", "confidence": "1" }, @@ -6176,6 +6731,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Nikto", "confidence": "1" }, @@ -6203,6 +6760,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "BlackWidow", "confidence": "1" }, @@ -6230,6 +6789,8 @@ "tags": { "type": "attack_tool", "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", "tool_name": "Grendel-Scan", "confidence": "1" }, 
@@ -6257,6 +6818,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Havij",
 "confidence": "1"
 },
@@ -6284,6 +6847,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "w3af",
 "confidence": "1"
 },
@@ -6311,6 +6876,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Nmap",
 "confidence": "1"
 },
@@ -6338,6 +6905,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Nessus",
 "confidence": "1"
 },
@@ -6365,6 +6934,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "EvilScanner",
 "confidence": "1"
 },
@@ -6392,6 +6963,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "WebFuck",
 "confidence": "1"
 },
@@ -6419,6 +6992,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "OpenVAS",
 "confidence": "1"
 },
@@ -6446,6 +7021,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Spider-Pig",
 "confidence": "1"
 },
@@ -6473,6 +7050,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Zgrab",
 "confidence": "1"
 },
@@ -6500,6 +7079,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Zmeu",
 "confidence": "1"
 },
@@ -6527,6 +7108,8 @@
 "tags": {
 "type": "commercial_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "GoogleSecurityScanner",
 "confidence": "0"
 },
@@ -6554,6 +7137,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Commix",
 "confidence": "1"
 },
@@ -6581,6 +7166,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Gobuster",
 "confidence": "1"
 },
@@ -6608,6 +7195,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "CGIchk",
 "confidence": "1"
 },
@@ -6635,6 +7224,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "FFUF",
 "confidence": "1"
 },
@@ -6662,6 +7253,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Nuclei",
 "confidence": "1"
 },
@@ -6689,6 +7282,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Tsunami",
 "confidence": "1"
 },
@@ -6716,6 +7311,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Nimbostratus",
 "confidence": "1"
 },
@@ -6743,6 +7340,8 @@
 "tags": {
 "type": "security_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Datadog Canary Test",
 "confidence": "1"
 },
@@ -6776,6 +7375,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Datadog Canary Test",
 "confidence": "1"
 },
@@ -6812,6 +7413,8 @@
 "tags": {
 "type": "commercial_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "AlertLogic",
 "confidence": "0"
 },
@@ -6839,6 +7442,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "wfuzz",
 "confidence": "1"
 },
@@ -6866,6 +7471,8 @@
 "tags": {
 "type": "commercial_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Detectify",
 "confidence": "0"
 },
@@ -6893,6 +7500,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "BSQLBF",
 "confidence": "1"
 },
@@ -6920,6 +7529,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "masscan",
 "confidence": "1"
 },
@@ -6947,6 +7558,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "WPScan",
 "confidence": "1"
 },
@@ -6974,6 +7587,8 @@
 "tags": {
 "type": "commercial_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Aon",
 "confidence": "0"
 },
@@ -7001,6 +7616,8 @@
 "tags": {
 "type": "security_scanner",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "confidence": "1"
 },
 "conditions": [
@@ -7014,7 +7631,10 @@
 ]
 }
 ],
- "regex": "mozilla/4\\.0 \\(compatible(; msie 6\\.0; win32)?\\)"
+ "regex": "mozilla/4\\.0 \\(compatible(; msie (?:6\\.0; win32|4\\.0; Windows NT))?\\)",
+ "options": {
+ "case_sensitive": false
+ }
 },
 "operator": "match_regex"
 }
@@ -7027,6 +7647,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "SQLmap",
 "confidence": "1"
 },
@@ -7054,6 +7676,8 @@
 "tags": {
 "type": "attack_tool",
 "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
 "tool_name": "Skipfish",
 "confidence": "1"
 },
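Review bot: The widened user-agent signature in the `@@ -7014,7 +7631,10 @@` hunk, `"regex": "mozilla/4\\.0 \\(compatible(; msie (?:6\\.0; win32|4\\.0; Windows NT))?\\)"` together with `"case_sensitive": false`, now also fires on any client presenting `Mozilla/4.0 (compatible; MSIE 4.0; Windows NT)` in any letter case, while the rule it belongs to (presumably the `security_scanner` entry in the preceding `@@ -7001,6 +7616,8 @@` hunk, whose object starts and ends outside these hunks) keeps `"confidence": "1"`. Unlike the other hunks here, which only add `cwe`/`capec` metadata, this one changes what is detected, so it deserves a check that the new alternative does not match legacy or embedded clients still in your traffic before it ships at full confidence. If the ruleset is vendored from upstream, please record in the commit description the upstream rules version this corresponds to, so the behaviour change is traceable; if it is not, consider anchoring the pattern (e.g. `^mozilla/4\\.0 \\(compatible...`) so it cannot be satisfied by a substring inside a longer, otherwise legitimate UA. The unanchored form was already present before this change, so that part is pre-existing.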