From 589e2244af94346ce880dfcc7a20925316fc64a6 Mon Sep 17 00:00:00 2001
From: Eliott Bouhana
Date: Mon, 30 Oct 2023 15:19:18 +0100
Subject: [PATCH] appsec: upgrade appsec-internal-go 1.0.0 -> 1.0.1

Signed-off-by: Eliott Bouhana
---
 go.mod | 2 +-
 go.sum | 2 +
 internal/apps/unit-of-work/go.mod | 12 +-
 internal/apps/unit-of-work/go.sum | 6 +
 internal/appsec/config.go | 11 +-
 internal/appsec/config_test.go | 5 +-
 internal/appsec/rule_test.go | 7 +-
 internal/appsec/rules.go | 17 -
 internal/appsec/rules.json | 7703 -----------------------------
 internal/appsec/rules_manager.go | 3 +-
 10 files changed, 30 insertions(+), 7738 deletions(-)
 delete mode 100644 internal/appsec/rules.go
 delete mode 100644 internal/appsec/rules.json

diff --git a/go.mod b/go.mod
index edb7790b52..989f702aad 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.19
 require (
 cloud.google.com/go/pubsub v1.33.0
 github.com/99designs/gqlgen v0.17.36
- github.com/DataDog/appsec-internal-go v1.0.0
+ github.com/DataDog/appsec-internal-go v1.0.1
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1
 github.com/DataDog/datadog-go/v5 v5.3.0
diff --git a/go.sum b/go.sum
index 92571cd3c1..66e932ab8e 100644
--- a/go.sum
+++ b/go.sum
@@ -626,6 +626,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DataDog/appsec-internal-go v1.0.0 h1:2u5IkF4DBj3KVeQn5Vg2vjPUtt513zxEYglcqnd500U=
 github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
+github.com/DataDog/appsec-internal-go v1.0.1 h1:j60HUtXEQ2uRIm8SsNnLp1Ummx/EU8iV9IFvEYmSdUM=
+github.com/DataDog/appsec-internal-go v1.0.1/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
diff --git a/internal/apps/unit-of-work/go.mod b/internal/apps/unit-of-work/go.mod
index b3e88a4afa..75f8481c55 100644
--- a/internal/apps/unit-of-work/go.mod
+++ b/internal/apps/unit-of-work/go.mod
@@ -8,7 +8,7 @@ require (
 )
 
 require (
- github.com/DataDog/appsec-internal-go v1.0.0 // indirect
+ github.com/DataDog/appsec-internal-go v1.0.1 // indirect
 github.com/DataDog/go-libddwaf v1.5.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/ebitengine/purego v0.5.0-alpha.1 // indirect
@@ -23,17 +23,17 @@ require (
 )
 
 require (
- github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0 // indirect
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df // indirect
+ github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 // indirect
 github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
 github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
- github.com/DataDog/gostackparse v0.6.0 // indirect
+ github.com/DataDog/gostackparse v0.7.0 // indirect
 github.com/DataDog/sketches-go v1.4.2 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
- github.com/google/uuid v1.3.0 // indirect
+ github.com/google/uuid v1.3.1 // indirect
 github.com/philhofer/fwd v1.1.2 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 // indirect
@@ -43,7 +43,7 @@ require (
 github.com/tinylib/msgp v1.1.8 // indirect
 go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
- golang.org/x/sys v0.11.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
 golang.org/x/time v0.3.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/protobuf v1.31.0 // indirect
diff --git a/internal/apps/unit-of-work/go.sum b/internal/apps/unit-of-work/go.sum
index c0bd2becb9..5e0b7fc3b8 100644
--- a/internal/apps/unit-of-work/go.sum
+++ b/internal/apps/unit-of-work/go.sum
@@ -1,9 +1,12 @@
 github.com/DataDog/appsec-internal-go v1.0.0 h1:2u5IkF4DBj3KVeQn5Vg2vjPUtt513zxEYglcqnd500U=
 github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
+github.com/DataDog/appsec-internal-go v1.0.1/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0 h1:rUNnUcHC4AlxoImuXmZeOfi6H80BDBHzeagWXWCVhnA=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0/go.mod h1:e933RWa4kAWuHi5jpzEuOiULlv21HcCFEVIYegmaB5c=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df h1:PbzrhHhs2+RRdKKti7JBSM8ATIeiji2T2cVt/d8GT8k=
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df/go.mod h1:5Q39ZOIOwZMnFyRadp+5gH1bFdjmb+Pgxe+j5XOwaTg=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
 github.com/DataDog/datadog-go/v5 v5.1.1/go.mod h1:KhiYb2Badlv9/rofz+OznKoEF5XKTonWyhx5K83AP8E=
 github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
 github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
@@ -13,6 +16,7 @@ github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI
 github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
 github.com/DataDog/gostackparse v0.6.0 h1:egCGQviIabPwsyoWpGvIBGrEnNWez35aEO7OJ1vBI4o=
 github.com/DataDog/gostackparse v0.6.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
+github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
 github.com/DataDog/sketches-go v1.4.2 h1:gppNudE9d19cQ98RYABOetxIhpTCl4m7CnbRZjvVA/o=
 github.com/DataDog/sketches-go v1.4.2/go.mod h1:xJIXldczJyyjnbDop7ZZcLxJdV3+7Kra7H1KMgpgkLk=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
@@ -48,6 +52,7 @@ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBB
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
@@ -147,6 +152,7 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
diff --git a/internal/appsec/config.go b/internal/appsec/config.go
index 1aaf419c9b..e556b9887b 100644
--- a/internal/appsec/config.go
+++ b/internal/appsec/config.go
@@ -16,6 +16,8 @@ import (
 
 "gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 "gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"
+
+ rules "github.com/DataDog/appsec-internal-go/appsec"
 )
 
 const (
@@ -74,9 +76,9 @@ func isEnabled() (enabled bool, set bool, err error) {
 return false, set, nil
 } else if enabled, err = strconv.ParseBool(enabledStr); err != nil {
 return false, set, fmt.Errorf("could not parse %s value `%s` as a boolean value", enabledEnvVar, enabledStr)
- } else {
- return enabled, set, nil
 }
+
+ return enabled, set, nil
 }
 
 func newConfig() (*Config, error) {
@@ -162,12 +164,11 @@ func readObfuscatorConfigRegexp(name, defaultValue string) string {
 return val
 }
 
-func readRulesConfig() (rules []byte, err error) {
- rules = []byte(staticRecommendedRules)
+func readRulesConfig() ([]byte, error) {
 filepath := os.Getenv(rulesEnvVar)
 if filepath == "" {
 log.Debug("appsec: using the default built-in recommended security rules")
- return rules, nil
+ return []byte(rules.StaticRecommendedRules), nil
 }
 buf, err := os.ReadFile(filepath)
 if err != nil {
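Review bot: The new `readRulesConfig() ([]byte, error)` signature has no doc comment, and with rules.go deleted the repository no longer records which ruleset version the built-in default corresponds to (the removed file pinned it to 1.8.0 with a source URL); it now follows whichever appsec-internal-go release go.mod selects. Suggest a doc comment on the new signature: `// readRulesConfig returns the WAF rules to load: the contents of the file named by the rulesEnvVar environment variable when set, otherwise the recommended ruleset shipped with appsec-internal-go (its version tracks that module's version in go.mod).` The default branch logs at debug level, but the custom-file branch visible here does not record which file was loaded; if the rest of the function (outside this hunk) does not log it either, a debug line naming the path would let operators confirm which rules are active. The body of readRulesConfig continues past the end of the hunk.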
diff --git a/internal/appsec/config_test.go b/internal/appsec/config_test.go
index 48e65b08e5..f6d6bd868c 100644
--- a/internal/appsec/config_test.go
+++ b/internal/appsec/config_test.go
@@ -13,6 +13,7 @@ import (
 "testing"
 "time"
 
+ rules "github.com/DataDog/appsec-internal-go/appsec"
 "github.com/stretchr/testify/require"
 )
 
@@ -126,9 +127,9 @@ func TestConfig(t *testing.T) {
 os.Remove(file.Name())
 }()
 expCfg := *expectedDefaultConfig
- expCfg.rulesManager, err = newRulesManager([]byte(staticRecommendedRules))
+ expCfg.rulesManager, err = newRulesManager([]byte(rules.StaticRecommendedRules))
 require.NoError(t, err)
- _, err = file.WriteString(staticRecommendedRules)
+ _, err = file.WriteString(rules.StaticRecommendedRules)
 require.NoError(t, err)
 os.Setenv(rulesEnvVar, file.Name())
 cfg, err := newConfig()
diff --git a/internal/appsec/rule_test.go b/internal/appsec/rule_test.go
index a7b5737a60..24be0288b1 100644
--- a/internal/appsec/rule_test.go
+++ b/internal/appsec/rule_test.go
@@ -12,6 +12,7 @@ import (
 "encoding/json"
 "testing"
 
+ rules "github.com/DataDog/appsec-internal-go/appsec"
 waf "github.com/DataDog/go-libddwaf"
 "github.com/stretchr/testify/require"
 )
@@ -22,9 +23,9 @@ func TestStaticRule(t *testing.T) {
 return
 }
 
- var rules rulesFragment
- require.NoError(t, json.Unmarshal([]byte(staticRecommendedRules), &rules))
- waf, err := waf.NewHandle(rules, "", "")
+ var parsedRules rulesFragment
+ require.NoError(t, json.Unmarshal([]byte(rules.StaticRecommendedRules), &parsedRules))
+ waf, err := waf.NewHandle(parsedRules, "", "")
 require.NoError(t, err)
 require.NotNil(t, waf)
 waf.Close()
diff --git a/internal/appsec/rules.go b/internal/appsec/rules.go
deleted file mode 100644
index 1dadab104f..0000000000
--- a/internal/appsec/rules.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
-
-//go:build appsec
-// +build appsec
-
-package appsec
-
-import _ "embed"
-
-// Static recommended AppSec rule 1.8.0
-// Source: https://github.com/DataDog/appsec-event-rules/blob/1.8.0/build/recommended.json
-
-//go:embed rules.json
-var staticRecommendedRules string
diff --git a/internal/appsec/rules.json b/internal/appsec/rules.json
deleted file mode 100644
index a6e0146854..0000000000
--- a/internal/appsec/rules.json
+++ /dev/null
@@ -1,7703 +0,0 @@ -{ - "version": "2.2", - "metadata": { - "rules_version": "1.8.0" - }, - "rules": [ - { - "id": "blk-001-001", - "name": "Block IP Addresses", - "tags": { - "type": "block_ip", - "category": "security_response" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "http.client_ip" - } - ], - "data": "blocked_ips" - }, - "operator": "ip_match" - } - ], - "transformers": [], - "on_match": [ - "block" - ] - }, - { - "id": "blk-001-002", - "name": "Block User Addresses", - "tags": { - "type": "block_user", - "category": "security_response" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "usr.id" - } - ], - "data": "blocked_users" - }, - "operator": "exact_match" - } - ], - "transformers": [], - "on_match": [ - "block" - ] - }, - { - "id": "crs-913-110", - "name": "Acunetix", - "tags": { - "type": "commercial_scanner", - "crs_id": "913110", - "category": "attack_attempt", - "tool_name": "Acunetix", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies" - } - ], - "list": [ - "acunetix-product", - "(acunetix web vulnerability scanner", - "acunetix-scanning-agreement", - "acunetix-user-agreement", - "md5(acunetix_wvs_security_test)" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-913-120", - "name": "Known security scanner filename/argument", - "tags": { - "type": "security_scanner", - "crs_id": "913120", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - 
"/.adsensepostnottherenonobook", - "/hello.html", - "/actsensepostnottherenonotive", - "/acunetix-wvs-test-for-some-inexistent-file", - "/antidisestablishmentarianism", - "/appscan_fingerprint/mac_address", - "/arachni-", - "/cybercop", - "/nessus_is_probing_you_", - "/nessustest", - "/netsparker-", - "/rfiinc.txt", - "/thereisnowaythat-you-canbethere", - "/w3af/remotefileinclude.html", - "appscan_fingerprint", - "w00tw00t.at.isc.sans.dfind", - "w00tw00t.at.blackhats.romanian.anti-sec" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-920-260", - "name": "Unicode Full/Half Width Abuse Attack Attempt", - "tags": { - "type": "http_protocol_violation", - "crs_id": "920260", - "category": "attack_attempt", - "cwe": "176", - "capec": "1000/255/153/267/71", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "\\%u[fF]{2}[0-9a-fA-F]{2}", - "options": { - "case_sensitive": true, - "min_length": 6 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-921-110", - "name": "HTTP Request Smuggling Attack", - "tags": { - "type": "http_protocol_violation", - "crs_id": "921110", - "category": "attack_attempt", - "cwe": "444", - "capec": "1000/210/272/220/33" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", - "options": { - "case_sensitive": true, - "min_length": 12 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-921-160", - "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)", - "tags": { - "type": 
"http_protocol_violation", - "crs_id": "921160", - "category": "attack_attempt", - "cwe": "113", - "capec": "1000/210/272/220/105" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "[\\n\\r]+(?:refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|via|remote-ip|remote-addr|originating-IP))\\s*:", - "options": { - "case_sensitive": true, - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-930-100", - "name": "Obfuscated Path Traversal Attack (/../)", - "tags": { - "type": "lfi", - "crs_id": "930100", - "category": "attack_attempt", - "cwe": "22", - "capec": "1000/255/153/126", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - }, - { - "address": "server.request.headers.no_cookies" - } - ], - "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01])?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)", - "options": { - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "normalizePath" - ] - }, - { - "id": "crs-930-110", - "name": "Simple Path Traversal Attack (/../)", - "tags": { - "type": "lfi", - "crs_id": "930110", - "category": "attack_attempt", - "cwe": "22", - "capec": "1000/255/153/126", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - 
"address": "server.request.uri.raw" - }, - { - "address": "server.request.headers.no_cookies" - } - ], - "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))", - "options": { - "case_sensitive": true, - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-930-120", - "name": "OS File Access Attempt", - "tags": { - "type": "lfi", - "crs_id": "930120", - "category": "attack_attempt", - "cwe": "22", - "capec": "1000/255/153/126", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "/.htaccess", - "/.htdigest", - "/.htpasswd", - "/.addressbook", - "/.aptitude/config", - ".aws/config", - ".aws/credentials", - "/.bash_config", - "/.bash_history", - "/.bash_logout", - "/.bash_profile", - "/.bashrc", - ".cache/notify-osd.log", - ".config/odesk/odesk team.conf", - "/.cshrc", - "/.dockerignore", - ".drush/", - "/.eslintignore", - "/.fbcindex", - "/.forward", - "/.git", - ".git/", - "/.gitattributes", - "/.gitconfig", - ".gnupg/", - ".hplip/hplip.conf", - "/.ksh_history", - "/.lesshst", - ".lftp/", - "/.lhistory", - "/.lldb-history", - ".local/share/mc/", - "/.lynx_cookies", - "/.my.cnf", - "/.mysql_history", - "/.nano_history", - "/.node_repl_history", - "/.pearrc", - "/.pgpass", - "/.php_history", - "/.pinerc", - ".pki/", - "/.proclog", - "/.procmailrc", - "/.psql_history", - "/.python_history", - "/.rediscli_history", - "/.rhistory", - "/.rhosts", - "/.sh_history", - "/.sqlite_history", - ".ssh/authorized_keys", - ".ssh/config", - ".ssh/id_dsa", - ".ssh/id_dsa.pub", - ".ssh/id_rsa", - ".ssh/id_rsa.pub", - ".ssh/identity", - ".ssh/identity.pub", - ".ssh/id_ecdsa", - ".ssh/id_ecdsa.pub", - 
".ssh/known_hosts", - ".subversion/auth", - ".subversion/config", - ".subversion/servers", - ".tconn/tconn.conf", - "/.tcshrc", - ".vidalia/vidalia.conf", - "/.viminfo", - "/.vimrc", - "/.www_acl", - "/.wwwacl", - "/.xauthority", - "/.zhistory", - "/.zshrc", - "/.zsh_history", - "/.nsconfig", - "data/elasticsearch", - "data/kafka", - "etc/ansible", - "etc/bind", - "etc/centos-release", - "etc/centos-release-upstream", - "etc/clam.d", - "etc/elasticsearch", - "etc/freshclam.conf", - "etc/gshadow", - "etc/gshadow-", - "etc/httpd", - "etc/kafka", - "etc/kibana", - "etc/logstash", - "etc/lvm", - "etc/mongod.conf", - "etc/my.cnf", - "etc/nuxeo.conf", - "etc/pki", - "etc/postfix", - "etc/scw-release", - "etc/subgid", - "etc/subgid-", - "etc/sudoers.d", - "etc/sysconfig", - "etc/system-release-cpe", - "opt/nuxeo", - "opt/tomcat", - "tmp/kafka-logs", - "usr/lib/rpm/rpm.log", - "var/data/elasticsearch", - "var/lib/elasticsearch", - "etc/.java", - "etc/acpi", - "etc/alsa", - "etc/alternatives", - "etc/apache2", - "etc/apm", - "etc/apparmor", - "etc/apparmor.d", - "etc/apport", - "etc/apt", - "etc/asciidoc", - "etc/avahi", - "etc/bash_completion.d", - "etc/binfmt.d", - "etc/bluetooth", - "etc/bonobo-activation", - "etc/brltty", - "etc/ca-certificates", - "etc/calendar", - "etc/chatscripts", - "etc/chromium-browser", - "etc/clamav", - "etc/cni", - "etc/console-setup", - "etc/coraza-waf", - "etc/cracklib", - "etc/cron.d", - "etc/cron.daily", - "etc/cron.hourly", - "etc/cron.monthly", - "etc/cron.weekly", - "etc/cups", - "etc/cups.save", - "etc/cupshelpers", - "etc/dbus-1", - "etc/dconf", - "etc/default", - "etc/depmod.d", - "etc/dhcp", - "etc/dictionaries-common", - "etc/dkms", - "etc/dnsmasq.d", - "etc/dockeretc/dpkg", - "etc/emacs", - "etc/environment.d", - "etc/fail2ban", - "etc/firebird", - "etc/firefox", - "etc/fonts", - "etc/fwupd", - "etc/gconf", - "etc/gdb", - "etc/gdm3", - "etc/geoclue", - "etc/ghostscript", - "etc/gimp", - "etc/glvnd", - "etc/gnome", - 
"etc/gnome-vfs-2.0", - "etc/gnucash", - "etc/gnustep", - "etc/groff", - "etc/grub.d", - "etc/gss", - "etc/gtk-2.0", - "etc/gtk-3.0", - "etc/hp", - "etc/ifplugd", - "etc/imagemagick-6", - "etc/init", - "etc/init.d", - "etc/initramfs-tools", - "etc/insserv.conf.d", - "etc/iproute2", - "etc/iptables", - "etc/java", - "etc/java-11-openjdk", - "etc/java-17-oracle", - "etc/java-8-openjdk", - "etc/kernel", - "etc/ld.so.conf.d", - "etc/ldap", - "etc/libblockdev", - "etc/libibverbs.d", - "etc/libnl-3", - "etc/libpaper.d", - "etc/libreoffice", - "etc/lighttpd", - "etc/logcheck", - "etc/logrotate.d", - "etc/lynx", - "etc/mail", - "etc/mc", - "etc/menu", - "etc/menu-methods", - "etc/modprobe.d", - "etc/modsecurity", - "etc/modules-load.d", - "etc/monit", - "etc/mono", - "etc/mplayer", - "etc/mpv", - "etc/muttrc.d", - "etc/mysql", - "etc/netplan", - "etc/network", - "etc/networkd-dispatcher", - "etc/networkmanager", - "etc/newt", - "etc/nghttpx", - "etc/nikto", - "etc/odbcdatasources", - "etc/openal", - "etc/openmpi", - "etc/opt", - "etc/osync", - "etc/packagekit", - "etc/pam.d", - "etc/pcmcia", - "etc/perl", - "etc/php", - "etc/pki", - "etc/pm", - "etc/polkit-1", - "etc/postfix", - "etc/ppp", - "etc/profile.d", - "etc/proftpd", - "etc/pulse", - "etc/python", - "etc/rc0.d", - "etc/rc1.d", - "etc/rc2.d", - "etc/rc3.d", - "etc/rc4.d", - "etc/rc5.d", - "etc/rc6.d", - "etc/rcs.d", - "etc/resolvconf", - "etc/rsyslog.d", - "etc/samba", - "etc/sane.d", - "etc/security", - "etc/selinux", - "etc/sensors.d", - "etc/sgml", - "etc/signon-ui", - "etc/skel", - "etc/snmp", - "etc/sound", - "etc/spamassassin", - "etc/speech-dispatcher", - "etc/ssh", - "etc/ssl", - "etc/sudoers.d", - "etc/sysctl.d", - "etc/sysstat", - "etc/systemd", - "etc/terminfo", - "etc/texmf", - "etc/thermald", - "etc/thnuclnt", - "etc/thunderbird", - "etc/timidity", - "etc/tmpfiles.d", - "etc/ubuntu-advantage", - "etc/udev", - "etc/udisks2", - "etc/ufw", - "etc/update-manager", - "etc/update-motd.d", - 
"etc/update-notifier", - "etc/upower", - "etc/urlview", - "etc/usb_modeswitch.d", - "etc/vim", - "etc/vmware", - "etc/vmware-installer", - "etc/vmware-vix", - "etc/vulkan", - "etc/w3m", - "etc/wireshark", - "etc/wpa_supplicant", - "etc/x11", - "etc/xdg", - "etc/xml", - "etc/redis.conf", - "etc/redis-sentinel.conf", - "etc/php.ini", - "bin/php.ini", - "etc/httpd/php.ini", - "usr/lib/php.ini", - "usr/lib/php/php.ini", - "usr/local/etc/php.ini", - "usr/local/lib/php.ini", - "usr/local/php/lib/php.ini", - "usr/local/php4/lib/php.ini", - "usr/local/php5/lib/php.ini", - "usr/local/apache/conf/php.ini", - "etc/php4.4/fcgi/php.ini", - "etc/php4/apache/php.ini", - "etc/php4/apache2/php.ini", - "etc/php5/apache/php.ini", - "etc/php5/apache2/php.ini", - "etc/php/php.ini", - "etc/php/php4/php.ini", - "etc/php/apache/php.ini", - "etc/php/apache2/php.ini", - "web/conf/php.ini", - "usr/local/zend/etc/php.ini", - "opt/xampp/etc/php.ini", - "var/local/www/conf/php.ini", - "etc/php/cgi/php.ini", - "etc/php4/cgi/php.ini", - "etc/php5/cgi/php.ini", - "home2/bin/stable/apache/php.ini", - "home/bin/stable/apache/php.ini", - "etc/httpd/conf.d/php.conf", - "php5/php.ini", - "php4/php.ini", - "php/php.ini", - "windows/php.ini", - "winnt/php.ini", - "apache/php/php.ini", - "xampp/apache/bin/php.ini", - "netserver/bin/stable/apache/php.ini", - "volumes/macintosh_hd1/usr/local/php/lib/php.ini", - "etc/mono/1.0/machine.config", - "etc/mono/2.0/machine.config", - "etc/mono/2.0/web.config", - "etc/mono/config", - "usr/local/cpanel/logs/stats_log", - "usr/local/cpanel/logs/access_log", - "usr/local/cpanel/logs/error_log", - "usr/local/cpanel/logs/license_log", - "usr/local/cpanel/logs/login_log", - "var/cpanel/cpanel.config", - "usr/local/psa/admin/logs/httpsd_access_log", - "usr/local/psa/admin/logs/panel.log", - "usr/local/psa/admin/conf/php.ini", - "etc/sw-cp-server/applications.d/plesk.conf", - "usr/local/psa/admin/conf/site_isolation_settings.ini", - "usr/local/sb/config", - 
"etc/sw-cp-server/applications.d/00-sso-cpserver.conf", - "etc/sso/sso_config.ini", - "etc/mysql/conf.d/old_passwords.cnf", - "var/mysql.log", - "var/mysql-bin.index", - "var/data/mysql-bin.index", - "program files/mysql/mysql server 5.0/data/{host}.err", - "program files/mysql/mysql server 5.0/data/mysql.log", - "program files/mysql/mysql server 5.0/data/mysql.err", - "program files/mysql/mysql server 5.0/data/mysql-bin.log", - "program files/mysql/mysql server 5.0/data/mysql-bin.index", - "program files/mysql/data/{host}.err", - "program files/mysql/data/mysql.log", - "program files/mysql/data/mysql.err", - "program files/mysql/data/mysql-bin.log", - "program files/mysql/data/mysql-bin.index", - "mysql/data/{host}.err", - "mysql/data/mysql.log", - "mysql/data/mysql.err", - "mysql/data/mysql-bin.log", - "mysql/data/mysql-bin.index", - "usr/local/mysql/data/mysql.log", - "usr/local/mysql/data/mysql.err", - "usr/local/mysql/data/mysql-bin.log", - "usr/local/mysql/data/mysql-slow.log", - "usr/local/mysql/data/mysqlderror.log", - "usr/local/mysql/data/{host}.err", - "usr/local/mysql/data/mysql-bin.index", - "var/lib/mysql/my.cnf", - "etc/mysql/my.cnf", - "etc/my.cnf", - "program files/mysql/mysql server 5.0/my.ini", - "program files/mysql/mysql server 5.0/my.cnf", - "program files/mysql/my.ini", - "program files/mysql/my.cnf", - "mysql/my.ini", - "mysql/my.cnf", - "mysql/bin/my.ini", - "var/postgresql/log/postgresql.log", - "usr/internet/pgsql/data/postmaster.log", - "usr/local/pgsql/data/postgresql.log", - "usr/local/pgsql/data/pg_log", - "postgresql/log/pgadmin.log", - "var/lib/pgsql/data/postgresql.conf", - "var/postgresql/db/postgresql.conf", - "var/nm2/postgresql.conf", - "usr/local/pgsql/data/postgresql.conf", - "usr/local/pgsql/data/pg_hba.conf", - "usr/internet/pgsql/data/pg_hba.conf", - "usr/local/pgsql/data/passwd", - "usr/local/pgsql/bin/pg_passwd", - "etc/postgresql/postgresql.conf", - "etc/postgresql/pg_hba.conf", - "home/postgres/data/postgresql.conf", - 
"home/postgres/data/pg_version", - "home/postgres/data/pg_ident.conf", - "home/postgres/data/pg_hba.conf", - "program files/postgresql/8.3/data/pg_hba.conf", - "program files/postgresql/8.3/data/pg_ident.conf", - "program files/postgresql/8.3/data/postgresql.conf", - "program files/postgresql/8.4/data/pg_hba.conf", - "program files/postgresql/8.4/data/pg_ident.conf", - "program files/postgresql/8.4/data/postgresql.conf", - "program files/postgresql/9.0/data/pg_hba.conf", - "program files/postgresql/9.0/data/pg_ident.conf", - "program files/postgresql/9.0/data/postgresql.conf", - "program files/postgresql/9.1/data/pg_hba.conf", - "program files/postgresql/9.1/data/pg_ident.conf", - "program files/postgresql/9.1/data/postgresql.conf", - "wamp/logs/access.log", - "wamp/logs/apache_error.log", - "wamp/logs/genquery.log", - "wamp/logs/mysql.log", - "wamp/logs/slowquery.log", - "wamp/bin/apache/apache2.2.22/logs/access.log", - "wamp/bin/apache/apache2.2.22/logs/error.log", - "wamp/bin/apache/apache2.2.21/logs/access.log", - "wamp/bin/apache/apache2.2.21/logs/error.log", - "wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index", - "wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index", - "wamp/bin/apache/apache2.2.21/conf/httpd.conf", - "wamp/bin/apache/apache2.2.22/conf/httpd.conf", - "wamp/bin/apache/apache2.2.21/wampserver.conf", - "wamp/bin/apache/apache2.2.22/wampserver.conf", - "wamp/bin/apache/apache2.2.22/conf/wampserver.conf", - "wamp/bin/mysql/mysql5.5.24/my.ini", - "wamp/bin/mysql/mysql5.5.24/wampserver.conf", - "wamp/bin/mysql/mysql5.5.16/my.ini", - "wamp/bin/mysql/mysql5.5.16/wampserver.conf", - "wamp/bin/php/php5.3.8/php.ini", - "wamp/bin/php/php5.4.3/php.ini", - "xampp/apache/logs/access.log", - "xampp/apache/logs/error.log", - "xampp/mysql/data/mysql-bin.index", - "xampp/mysql/data/mysql.err", - "xampp/mysql/data/{host}.err", - "xampp/sendmail/sendmail.log", - "xampp/apache/conf/httpd.conf", - "xampp/filezillaftp/filezilla server.xml", - 
"xampp/mercurymail/mercury.ini", - "xampp/php/php.ini", - "xampp/phpmyadmin/config.inc.php", - "xampp/sendmail/sendmail.ini", - "xampp/webalizer/webalizer.conf", - "opt/lampp/etc/httpd.conf", - "xampp/htdocs/aca.txt", - "xampp/htdocs/admin.php", - "xampp/htdocs/leer.txt", - "usr/local/apache/logs/audit_log", - "usr/local/apache2/logs/audit_log", - "logs/security_debug_log", - "logs/security_log", - "usr/local/apache/conf/modsec.conf", - "usr/local/apache2/conf/modsec.conf", - "winnt/system32/logfiles/msftpsvc", - "winnt/system32/logfiles/msftpsvc1", - "winnt/system32/logfiles/msftpsvc2", - "windows/system32/logfiles/msftpsvc", - "windows/system32/logfiles/msftpsvc1", - "windows/system32/logfiles/msftpsvc2", - "etc/logrotate.d/proftpd", - "www/logs/proftpd.system.log", - "etc/pam.d/proftpd", - "etc/proftp.conf", - "etc/protpd/proftpd.conf", - "etc/vhcs2/proftpd/proftpd.conf", - "etc/proftpd/modules.conf", - "etc/vsftpd.chroot_list", - "etc/logrotate.d/vsftpd.log", - "etc/vsftpd/vsftpd.conf", - "etc/vsftpd.conf", - "etc/chrootusers", - "var/adm/log/xferlog", - "etc/wu-ftpd/ftpaccess", - "etc/wu-ftpd/ftphosts", - "etc/wu-ftpd/ftpusers", - "logs/pure-ftpd.log", - "usr/sbin/pure-config.pl", - "usr/etc/pure-ftpd.conf", - "etc/pure-ftpd/pure-ftpd.conf", - "usr/local/etc/pure-ftpd.conf", - "usr/local/etc/pureftpd.pdb", - "usr/local/pureftpd/etc/pureftpd.pdb", - "usr/local/pureftpd/sbin/pure-config.pl", - "usr/local/pureftpd/etc/pure-ftpd.conf", - "etc/pure-ftpd.conf", - "etc/pure-ftpd/pure-ftpd.pdb", - "etc/pureftpd.pdb", - "etc/pureftpd.passwd", - "etc/pure-ftpd/pureftpd.pdb", - "usr/ports/ftp/pure-ftpd/pure-ftpd.conf", - "usr/ports/ftp/pure-ftpd/pureftpd.pdb", - "usr/ports/ftp/pure-ftpd/pureftpd.passwd", - "usr/ports/net/pure-ftpd/pure-ftpd.conf", - "usr/ports/net/pure-ftpd/pureftpd.pdb", - "usr/ports/net/pure-ftpd/pureftpd.passwd", - "usr/pkgsrc/net/pureftpd/pure-ftpd.conf", - "usr/pkgsrc/net/pureftpd/pureftpd.pdb", - "usr/pkgsrc/net/pureftpd/pureftpd.passwd", - 
"usr/ports/contrib/pure-ftpd/pure-ftpd.conf", - "usr/ports/contrib/pure-ftpd/pureftpd.pdb", - "usr/ports/contrib/pure-ftpd/pureftpd.passwd", - "usr/sbin/mudlogd", - "etc/muddleftpd/mudlog", - "etc/muddleftpd.com", - "etc/muddleftpd/mudlogd.conf", - "etc/muddleftpd/muddleftpd.conf", - "usr/sbin/mudpasswd", - "etc/muddleftpd/muddleftpd.passwd", - "etc/muddleftpd/passwd", - "etc/logrotate.d/ftp", - "etc/ftpchroot", - "etc/ftphosts", - "etc/ftpusers", - "winnt/system32/logfiles/smtpsvc", - "winnt/system32/logfiles/smtpsvc1", - "winnt/system32/logfiles/smtpsvc2", - "winnt/system32/logfiles/smtpsvc3", - "winnt/system32/logfiles/smtpsvc4", - "winnt/system32/logfiles/smtpsvc5", - "windows/system32/logfiles/smtpsvc", - "windows/system32/logfiles/smtpsvc1", - "windows/system32/logfiles/smtpsvc2", - "windows/system32/logfiles/smtpsvc3", - "windows/system32/logfiles/smtpsvc4", - "windows/system32/logfiles/smtpsvc5", - "etc/osxhttpd/osxhttpd.conf", - "system/library/webobjects/adaptors/apache2.2/apache.conf", - "etc/apache2/sites-available/default", - "etc/apache2/sites-available/default-ssl", - "etc/apache2/sites-enabled/000-default", - "etc/apache2/sites-enabled/default", - "etc/apache2/apache2.conf", - "etc/apache2/ports.conf", - "usr/local/etc/apache/httpd.conf", - "usr/pkg/etc/httpd/httpd.conf", - "usr/pkg/etc/httpd/httpd-default.conf", - "usr/pkg/etc/httpd/httpd-vhosts.conf", - "etc/httpd/mod_php.conf", - "etc/httpd/extra/httpd-ssl.conf", - "etc/rc.d/rc.httpd", - "usr/local/apache/conf/httpd.conf.default", - "usr/local/apache/conf/access.conf", - "usr/local/apache22/conf/httpd.conf", - "usr/local/apache22/httpd.conf", - "usr/local/etc/apache22/conf/httpd.conf", - "usr/local/apps/apache22/conf/httpd.conf", - "etc/apache22/conf/httpd.conf", - "etc/apache22/httpd.conf", - "opt/apache22/conf/httpd.conf", - "usr/local/etc/apache2/vhosts.conf", - "usr/local/apache/conf/vhosts.conf", - "usr/local/apache2/conf/vhosts.conf", - "usr/local/apache/conf/vhosts-custom.conf", - 
"usr/local/apache2/conf/vhosts-custom.conf", - "etc/apache/default-server.conf", - "etc/apache2/default-server.conf", - "usr/local/apache2/conf/extra/httpd-ssl.conf", - "usr/local/apache2/conf/ssl.conf", - "etc/httpd/conf.d", - "usr/local/etc/apache22/httpd.conf", - "usr/local/etc/apache2/httpd.conf", - "etc/apache2/httpd2.conf", - "etc/apache2/ssl-global.conf", - "etc/apache2/vhosts.d/00_default_vhost.conf", - "apache/conf/httpd.conf", - "etc/apache/httpd.conf", - "etc/httpd/conf", - "http/httpd.conf", - "usr/local/apache1.3/conf/httpd.conf", - "usr/local/etc/httpd/conf", - "var/apache/conf/httpd.conf", - "var/www/conf", - "www/apache/conf/httpd.conf", - "www/conf/httpd.conf", - "etc/init.d", - "etc/apache/access.conf", - "etc/rc.conf", - "www/logs/freebsddiary-error.log", - "www/logs/freebsddiary-access_log", - "library/webserver/documents/index.html", - "library/webserver/documents/index.htm", - "library/webserver/documents/default.html", - "library/webserver/documents/default.htm", - "library/webserver/documents/index.php", - "library/webserver/documents/default.php", - "usr/local/etc/webmin/miniserv.conf", - "etc/webmin/miniserv.conf", - "usr/local/etc/webmin/miniserv.users", - "etc/webmin/miniserv.users", - "winnt/system32/logfiles/w3svc/inetsvn1.log", - "winnt/system32/logfiles/w3svc1/inetsvn1.log", - "winnt/system32/logfiles/w3svc2/inetsvn1.log", - "winnt/system32/logfiles/w3svc3/inetsvn1.log", - "windows/system32/logfiles/w3svc/inetsvn1.log", - "windows/system32/logfiles/w3svc1/inetsvn1.log", - "windows/system32/logfiles/w3svc2/inetsvn1.log", - "windows/system32/logfiles/w3svc3/inetsvn1.log", - "apache/logs/error.log", - "apache/logs/access.log", - "apache2/logs/error.log", - "apache2/logs/access.log", - "logs/error.log", - "logs/access.log", - "etc/httpd/logs/access_log", - "etc/httpd/logs/access.log", - "etc/httpd/logs/error_log", - "etc/httpd/logs/error.log", - "usr/local/apache/logs/access_log", - "usr/local/apache/logs/access.log", - 
"usr/local/apache/logs/error_log", - "usr/local/apache/logs/error.log", - "usr/local/apache2/logs/access_log", - "usr/local/apache2/logs/access.log", - "usr/local/apache2/logs/error_log", - "usr/local/apache2/logs/error.log", - "var/www/logs/access_log", - "var/www/logs/access.log", - "var/www/logs/error_log", - "var/www/logs/error.log", - "opt/lampp/logs/access_log", - "opt/lampp/logs/error_log", - "opt/xampp/logs/access_log", - "opt/xampp/logs/error_log", - "opt/lampp/logs/access.log", - "opt/lampp/logs/error.log", - "opt/xampp/logs/access.log", - "opt/xampp/logs/error.log", - "program files/apache group/apache/logs/access.log", - "program files/apache group/apache/logs/error.log", - "program files/apache software foundation/apache2.2/logs/error.log", - "program files/apache software foundation/apache2.2/logs/access.log", - "opt/apache/apache.conf", - "opt/apache/conf/apache.conf", - "opt/apache2/apache.conf", - "opt/apache2/conf/apache.conf", - "opt/httpd/apache.conf", - "opt/httpd/conf/apache.conf", - "etc/httpd/apache.conf", - "etc/apache2/apache.conf", - "etc/httpd/conf/apache.conf", - "usr/local/apache/apache.conf", - "usr/local/apache/conf/apache.conf", - "usr/local/apache2/apache.conf", - "usr/local/apache2/conf/apache.conf", - "usr/local/php/apache.conf.php", - "usr/local/php4/apache.conf.php", - "usr/local/php5/apache.conf.php", - "usr/local/php/apache.conf", - "usr/local/php4/apache.conf", - "usr/local/php5/apache.conf", - "private/etc/httpd/apache.conf", - "opt/apache/apache2.conf", - "opt/apache/conf/apache2.conf", - "opt/apache2/apache2.conf", - "opt/apache2/conf/apache2.conf", - "opt/httpd/apache2.conf", - "opt/httpd/conf/apache2.conf", - "etc/httpd/apache2.conf", - "etc/httpd/conf/apache2.conf", - "usr/local/apache/apache2.conf", - "usr/local/apache/conf/apache2.conf", - "usr/local/apache2/apache2.conf", - "usr/local/apache2/conf/apache2.conf", - "usr/local/php/apache2.conf.php", - "usr/local/php4/apache2.conf.php", - 
"usr/local/php5/apache2.conf.php", - "usr/local/php/apache2.conf", - "usr/local/php4/apache2.conf", - "usr/local/php5/apache2.conf", - "private/etc/httpd/apache2.conf", - "usr/local/apache/conf/httpd.conf", - "usr/local/apache2/conf/httpd.conf", - "etc/httpd/conf/httpd.conf", - "etc/apache/apache.conf", - "etc/apache/conf/httpd.conf", - "etc/apache2/httpd.conf", - "usr/apache2/conf/httpd.conf", - "usr/apache/conf/httpd.conf", - "usr/local/etc/apache/conf/httpd.conf", - "usr/local/apache/httpd.conf", - "usr/local/apache2/httpd.conf", - "usr/local/httpd/conf/httpd.conf", - "usr/local/etc/apache2/conf/httpd.conf", - "usr/local/etc/httpd/conf/httpd.conf", - "usr/local/apps/apache2/conf/httpd.conf", - "usr/local/apps/apache/conf/httpd.conf", - "usr/local/php/httpd.conf.php", - "usr/local/php4/httpd.conf.php", - "usr/local/php5/httpd.conf.php", - "usr/local/php/httpd.conf", - "usr/local/php4/httpd.conf", - "usr/local/php5/httpd.conf", - "etc/apache2/conf/httpd.conf", - "etc/http/conf/httpd.conf", - "etc/httpd/httpd.conf", - "etc/http/httpd.conf", - "etc/httpd.conf", - "opt/apache/conf/httpd.conf", - "opt/apache2/conf/httpd.conf", - "var/www/conf/httpd.conf", - "private/etc/httpd/httpd.conf", - "private/etc/httpd/httpd.conf.default", - "etc/apache2/vhosts.d/default_vhost.include", - "etc/apache2/conf.d/charset", - "etc/apache2/conf.d/security", - "etc/apache2/envvars", - "etc/apache2/mods-available/autoindex.conf", - "etc/apache2/mods-available/deflate.conf", - "etc/apache2/mods-available/dir.conf", - "etc/apache2/mods-available/mem_cache.conf", - "etc/apache2/mods-available/mime.conf", - "etc/apache2/mods-available/proxy.conf", - "etc/apache2/mods-available/setenvif.conf", - "etc/apache2/mods-available/ssl.conf", - "etc/apache2/mods-enabled/alias.conf", - "etc/apache2/mods-enabled/deflate.conf", - "etc/apache2/mods-enabled/dir.conf", - "etc/apache2/mods-enabled/mime.conf", - "etc/apache2/mods-enabled/negotiation.conf", - "etc/apache2/mods-enabled/php5.conf", - 
"etc/apache2/mods-enabled/status.conf", - "program files/apache group/apache/conf/httpd.conf", - "program files/apache group/apache2/conf/httpd.conf", - "program files/xampp/apache/conf/apache.conf", - "program files/xampp/apache/conf/apache2.conf", - "program files/xampp/apache/conf/httpd.conf", - "program files/apache group/apache/apache.conf", - "program files/apache group/apache/conf/apache.conf", - "program files/apache group/apache2/conf/apache.conf", - "program files/apache group/apache/apache2.conf", - "program files/apache group/apache/conf/apache2.conf", - "program files/apache group/apache2/conf/apache2.conf", - "program files/apache software foundation/apache2.2/conf/httpd.conf", - "volumes/macintosh_hd1/opt/httpd/conf/httpd.conf", - "volumes/macintosh_hd1/opt/apache/conf/httpd.conf", - "volumes/macintosh_hd1/opt/apache2/conf/httpd.conf", - "volumes/macintosh_hd1/usr/local/php/httpd.conf.php", - "volumes/macintosh_hd1/usr/local/php4/httpd.conf.php", - "volumes/macintosh_hd1/usr/local/php5/httpd.conf.php", - "volumes/webbackup/opt/apache2/conf/httpd.conf", - "volumes/webbackup/private/etc/httpd/httpd.conf", - "volumes/webbackup/private/etc/httpd/httpd.conf.default", - "usr/local/etc/apache/vhosts.conf", - "usr/local/jakarta/tomcat/conf/jakarta.conf", - "usr/local/jakarta/tomcat/conf/server.xml", - "usr/local/jakarta/tomcat/conf/context.xml", - "usr/local/jakarta/tomcat/conf/workers.properties", - "usr/local/jakarta/tomcat/conf/logging.properties", - "usr/local/jakarta/dist/tomcat/conf/jakarta.conf", - "usr/local/jakarta/dist/tomcat/conf/server.xml", - "usr/local/jakarta/dist/tomcat/conf/context.xml", - "usr/local/jakarta/dist/tomcat/conf/workers.properties", - "usr/local/jakarta/dist/tomcat/conf/logging.properties", - "usr/share/tomcat6/conf/server.xml", - "usr/share/tomcat6/conf/context.xml", - "usr/share/tomcat6/conf/workers.properties", - "usr/share/tomcat6/conf/logging.properties", - "var/cpanel/tomcat.options", - 
"usr/local/jakarta/tomcat/logs/catalina.out", - "usr/local/jakarta/tomcat/logs/catalina.err", - "opt/tomcat/logs/catalina.out", - "opt/tomcat/logs/catalina.err", - "usr/share/logs/catalina.out", - "usr/share/logs/catalina.err", - "usr/share/tomcat/logs/catalina.out", - "usr/share/tomcat/logs/catalina.err", - "usr/share/tomcat6/logs/catalina.out", - "usr/share/tomcat6/logs/catalina.err", - "usr/local/apache/logs/mod_jk.log", - "usr/local/jakarta/tomcat/logs/mod_jk.log", - "usr/local/jakarta/dist/tomcat/logs/mod_jk.log", - "opt/[jboss]/server/default/conf/jboss-minimal.xml", - "opt/[jboss]/server/default/conf/jboss-service.xml", - "opt/[jboss]/server/default/conf/jndi.properties", - "opt/[jboss]/server/default/conf/log4j.xml", - "opt/[jboss]/server/default/conf/login-config.xml", - "opt/[jboss]/server/default/conf/standardjaws.xml", - "opt/[jboss]/server/default/conf/standardjboss.xml", - "opt/[jboss]/server/default/conf/server.log.properties", - "opt/[jboss]/server/default/deploy/jboss-logging.xml", - "usr/local/[jboss]/server/default/conf/jboss-minimal.xml", - "usr/local/[jboss]/server/default/conf/jboss-service.xml", - "usr/local/[jboss]/server/default/conf/jndi.properties", - "usr/local/[jboss]/server/default/conf/log4j.xml", - "usr/local/[jboss]/server/default/conf/login-config.xml", - "usr/local/[jboss]/server/default/conf/standardjaws.xml", - "usr/local/[jboss]/server/default/conf/standardjboss.xml", - "usr/local/[jboss]/server/default/conf/server.log.properties", - "usr/local/[jboss]/server/default/deploy/jboss-logging.xml", - "private/tmp/[jboss]/server/default/conf/jboss-minimal.xml", - "private/tmp/[jboss]/server/default/conf/jboss-service.xml", - "private/tmp/[jboss]/server/default/conf/jndi.properties", - "private/tmp/[jboss]/server/default/conf/log4j.xml", - "private/tmp/[jboss]/server/default/conf/login-config.xml", - "private/tmp/[jboss]/server/default/conf/standardjaws.xml", - "private/tmp/[jboss]/server/default/conf/standardjboss.xml", - 
"private/tmp/[jboss]/server/default/conf/server.log.properties", - "private/tmp/[jboss]/server/default/deploy/jboss-logging.xml", - "tmp/[jboss]/server/default/conf/jboss-minimal.xml", - "tmp/[jboss]/server/default/conf/jboss-service.xml", - "tmp/[jboss]/server/default/conf/jndi.properties", - "tmp/[jboss]/server/default/conf/log4j.xml", - "tmp/[jboss]/server/default/conf/login-config.xml", - "tmp/[jboss]/server/default/conf/standardjaws.xml", - "tmp/[jboss]/server/default/conf/standardjboss.xml", - "tmp/[jboss]/server/default/conf/server.log.properties", - "tmp/[jboss]/server/default/deploy/jboss-logging.xml", - "program files/[jboss]/server/default/conf/jboss-minimal.xml", - "program files/[jboss]/server/default/conf/jboss-service.xml", - "program files/[jboss]/server/default/conf/jndi.properties", - "program files/[jboss]/server/default/conf/log4j.xml", - "program files/[jboss]/server/default/conf/login-config.xml", - "program files/[jboss]/server/default/conf/standardjaws.xml", - "program files/[jboss]/server/default/conf/standardjboss.xml", - "program files/[jboss]/server/default/conf/server.log.properties", - "program files/[jboss]/server/default/deploy/jboss-logging.xml", - "[jboss]/server/default/conf/jboss-minimal.xml", - "[jboss]/server/default/conf/jboss-service.xml", - "[jboss]/server/default/conf/jndi.properties", - "[jboss]/server/default/conf/log4j.xml", - "[jboss]/server/default/conf/login-config.xml", - "[jboss]/server/default/conf/standardjaws.xml", - "[jboss]/server/default/conf/standardjboss.xml", - "[jboss]/server/default/conf/server.log.properties", - "[jboss]/server/default/deploy/jboss-logging.xml", - "opt/[jboss]/server/default/log/server.log", - "opt/[jboss]/server/default/log/boot.log", - "usr/local/[jboss]/server/default/log/server.log", - "usr/local/[jboss]/server/default/log/boot.log", - "private/tmp/[jboss]/server/default/log/server.log", - "private/tmp/[jboss]/server/default/log/boot.log", - 
"tmp/[jboss]/server/default/log/server.log", - "tmp/[jboss]/server/default/log/boot.log", - "program files/[jboss]/server/default/log/server.log", - "program files/[jboss]/server/default/log/boot.log", - "[jboss]/server/default/log/server.log", - "[jboss]/server/default/log/boot.log", - "var/lighttpd.log", - "var/logs/access.log", - "usr/local/apache2/logs/lighttpd.error.log", - "usr/local/apache2/logs/lighttpd.log", - "usr/local/apache/logs/lighttpd.error.log", - "usr/local/apache/logs/lighttpd.log", - "usr/local/lighttpd/log/lighttpd.error.log", - "usr/local/lighttpd/log/access.log", - "usr/home/user/var/log/lighttpd.error.log", - "usr/home/user/var/log/apache.log", - "home/user/lighttpd/lighttpd.conf", - "usr/home/user/lighttpd/lighttpd.conf", - "etc/lighttpd/lighthttpd.conf", - "usr/local/etc/lighttpd.conf", - "usr/local/lighttpd/conf/lighttpd.conf", - "usr/local/etc/lighttpd.conf.new", - "var/www/.lighttpdpassword", - "logs/access_log", - "logs/error_log", - "etc/nginx/nginx.conf", - "usr/local/etc/nginx/nginx.conf", - "usr/local/nginx/conf/nginx.conf", - "usr/local/zeus/web/global.cfg", - "usr/local/zeus/web/log/errors", - "opt/lsws/conf/httpd_conf.xml", - "usr/local/lsws/conf/httpd_conf.xml", - "opt/lsws/logs/error.log", - "opt/lsws/logs/access.log", - "usr/local/lsws/logs/error.log", - "usr/local/logs/access.log", - "usr/local/samba/lib/log.user", - "usr/local/logs/samba.log", - "etc/samba/netlogon", - "etc/smbpasswd", - "etc/smb.conf", - "etc/samba/dhcp.conf", - "etc/samba/smb.conf", - "etc/samba/samba.conf", - "etc/samba/smb.conf.user", - "etc/samba/smbpasswd", - "etc/samba/smbusers", - "etc/samba/private/smbpasswd", - "usr/local/etc/smb.conf", - "usr/local/samba/lib/smb.conf.user", - "etc/dhcp3/dhclient.conf", - "etc/dhcp3/dhcpd.conf", - "etc/dhcp/dhclient.conf", - "program files/vidalia bundle/polipo/polipo.conf", - "etc/tor/tor-tsocks.conf", - "etc/stunnel/stunnel.conf", - "etc/tsocks.conf", - "etc/tinyproxy/tinyproxy.conf", - "etc/miredo-server.conf", 
- "etc/miredo.conf", - "etc/miredo/miredo-server.conf", - "etc/miredo/miredo.conf", - "etc/wicd/dhclient.conf.template.default", - "etc/wicd/manager-settings.conf", - "etc/wicd/wired-settings.conf", - "etc/wicd/wireless-settings.conf", - "etc/ipfw.rules", - "etc/ipfw.conf", - "etc/firewall.rules", - "winnt/system32/logfiles/firewall/pfirewall.log", - "winnt/system32/logfiles/firewall/pfirewall.log.old", - "windows/system32/logfiles/firewall/pfirewall.log", - "windows/system32/logfiles/firewall/pfirewall.log.old", - "etc/clamav/clamd.conf", - "etc/clamav/freshclam.conf", - "etc/x11/xorg.conf", - "etc/x11/xorg.conf-vesa", - "etc/x11/xorg.conf-vmware", - "etc/x11/xorg.conf.beforevmwaretoolsinstall", - "etc/x11/xorg.conf.orig", - "etc/bluetooth/input.conf", - "etc/bluetooth/main.conf", - "etc/bluetooth/network.conf", - "etc/bluetooth/rfcomm.conf", - "etc/bash_completion.d/debconf", - "root/.bash_logout", - "root/.bash_history", - "root/.bash_config", - "root/.bashrc", - "etc/bash.bashrc", - "var/adm/syslog", - "var/adm/sulog", - "var/adm/utmp", - "var/adm/utmpx", - "var/adm/wtmp", - "var/adm/wtmpx", - "var/adm/lastlog/username", - "usr/spool/lp/log", - "var/adm/lp/lpd-errs", - "usr/lib/cron/log", - "var/adm/loginlog", - "var/adm/pacct", - "var/adm/dtmp", - "var/adm/acct/sum/loginlog", - "var/adm/x0msgs", - "var/adm/crash/vmcore", - "var/adm/crash/unix", - "etc/newsyslog.conf", - "var/adm/qacct", - "var/adm/ras/errlog", - "var/adm/ras/bootlog", - "var/adm/cron/log", - "etc/utmp", - "etc/security/lastlog", - "etc/security/failedlogin", - "usr/spool/mqueue/syslog", - "var/adm/messages", - "var/adm/aculogs", - "var/adm/aculog", - "var/adm/vold.log", - "var/adm/log/asppp.log", - "var/lp/logs/lpsched", - "var/lp/logs/lpnet", - "var/lp/logs/requests", - "var/cron/log", - "var/saf/_log", - "var/saf/port/log", - "tmp/access.log", - "etc/sensors.conf", - "etc/sensors3.conf", - "etc/host.conf", - "etc/pam.conf", - "etc/resolv.conf", - "etc/apt/apt.conf", - "etc/inetd.conf", - 
"etc/syslog.conf", - "etc/sysctl.conf", - "etc/sysctl.d/10-console-messages.conf", - "etc/sysctl.d/10-network-security.conf", - "etc/sysctl.d/10-process-security.conf", - "etc/sysctl.d/wine.sysctl.conf", - "etc/security/access.conf", - "etc/security/group.conf", - "etc/security/limits.conf", - "etc/security/namespace.conf", - "etc/security/pam_env.conf", - "etc/security/sepermit.conf", - "etc/security/time.conf", - "etc/ssh/sshd_config", - "etc/adduser.conf", - "etc/deluser.conf", - "etc/avahi/avahi-daemon.conf", - "etc/ca-certificates.conf", - "etc/ca-certificates.conf.dpkg-old", - "etc/casper.conf", - "etc/chkrootkit.conf", - "etc/debconf.conf", - "etc/dns2tcpd.conf", - "etc/e2fsck.conf", - "etc/esound/esd.conf", - "etc/etter.conf", - "etc/fuse.conf", - "etc/foremost.conf", - "etc/hdparm.conf", - "etc/kernel-img.conf", - "etc/kernel-pkg.conf", - "etc/ld.so.conf", - "etc/ltrace.conf", - "etc/mail/sendmail.conf", - "etc/manpath.config", - "etc/kbd/config", - "etc/ldap/ldap.conf", - "etc/logrotate.conf", - "etc/mtools.conf", - "etc/smi.conf", - "etc/updatedb.conf", - "etc/pulse/client.conf", - "usr/share/adduser/adduser.conf", - "etc/hostname", - "etc/networks", - "etc/timezone", - "etc/modules", - "etc/passwd", - "etc/shadow", - "etc/fstab", - "etc/motd", - "etc/hosts", - "etc/group", - "etc/alias", - "etc/crontab", - "etc/crypttab", - "etc/exports", - "etc/mtab", - "etc/hosts.allow", - "etc/hosts.deny", - "etc/os-release", - "etc/password.master", - "etc/profile", - "etc/default/grub", - "etc/resolvconf/update-libc.d/sendmail", - "etc/inittab", - "etc/issue", - "etc/issue.net", - "etc/login.defs", - "etc/sudoers", - "etc/sysconfig/network-scripts/ifcfg-eth0", - "etc/redhat-release", - "etc/scw-release", - "etc/system-release-cpe", - "etc/debian_version", - "etc/fedora-release", - "etc/mandrake-release", - "etc/slackware-release", - "etc/suse-release", - "etc/security/group", - "etc/security/passwd", - "etc/security/user", - "etc/security/environ", - 
"etc/security/limits", - "etc/security/opasswd", - "boot/grub/grub.cfg", - "boot/grub/menu.lst", - "root/.ksh_history", - "root/.xauthority", - "usr/lib/security/mkuser.default", - "var/lib/squirrelmail/prefs/squirrelmail.log", - "etc/squirrelmail/apache.conf", - "etc/squirrelmail/config_local.php", - "etc/squirrelmail/default_pref", - "etc/squirrelmail/index.php", - "etc/squirrelmail/config_default.php", - "etc/squirrelmail/config.php", - "etc/squirrelmail/filters_setup.php", - "etc/squirrelmail/sqspell_config.php", - "etc/squirrelmail/config/config.php", - "etc/httpd/conf.d/squirrelmail.conf", - "usr/share/squirrelmail/config/config.php", - "private/etc/squirrelmail/config/config.php", - "srv/www/htdos/squirrelmail/config/config.php", - "var/www/squirrelmail/config/config.php", - "var/www/html/squirrelmail/config/config.php", - "var/www/html/squirrelmail-1.2.9/config/config.php", - "usr/share/squirrelmail/plugins/squirrel_logger/setup.php", - "usr/local/squirrelmail/www/readme", - "windows/system32/drivers/etc/hosts", - "windows/system32/drivers/etc/lmhosts.sam", - "windows/system32/drivers/etc/networks", - "windows/system32/drivers/etc/protocol", - "windows/system32/drivers/etc/services", - "/boot.ini", - "windows/debug/netsetup.log", - "windows/comsetup.log", - "windows/repair/setup.log", - "windows/setupact.log", - "windows/setupapi.log", - "windows/setuperr.log", - "windows/updspapi.log", - "windows/wmsetup.log", - "windows/windowsupdate.log", - "windows/odbc.ini", - "usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php", - "etc/apache2/conf.d/phpmyadmin.conf", - "etc/phpmyadmin/config.inc.php", - "etc/openldap/ldap.conf", - "etc/cups/acroread.conf", - "etc/cups/cupsd.conf", - "etc/cups/cupsd.conf.default", - "etc/cups/pdftops.conf", - "etc/cups/printers.conf", - "windows/system32/macromed/flash/flashinstall.log", - "windows/system32/macromed/flash/install.log", - "etc/cvs-cron.conf", - "etc/cvs-pserver.conf", - 
"etc/subversion/config", - "etc/modprobe.d/vmware-tools.conf", - "etc/updatedb.conf.beforevmwaretoolsinstall", - "etc/vmware-tools/config", - "etc/vmware-tools/tpvmlp.conf", - "etc/vmware-tools/vmware-tools-libraries.conf", - "var/log", - "var/log/sw-cp-server/error_log", - "var/log/sso/sso.log", - "var/log/dpkg.log", - "var/log/btmp", - "var/log/utmp", - "var/log/wtmp", - "var/log/mysql/mysql-bin.log", - "var/log/mysql/mysql-bin.index", - "var/log/mysql/data/mysql-bin.index", - "var/log/mysql.log", - "var/log/mysql.err", - "var/log/mysqlderror.log", - "var/log/mysql/mysql.log", - "var/log/mysql/mysql-slow.log", - "var/log/mysql-bin.index", - "var/log/data/mysql-bin.index", - "var/log/postgresql/postgresql.log", - "var/log/postgres/pg_backup.log", - "var/log/postgres/postgres.log", - "var/log/postgresql.log", - "var/log/pgsql/pgsql.log", - "var/log/postgresql/postgresql-8.1-main.log", - "var/log/postgresql/postgresql-8.3-main.log", - "var/log/postgresql/postgresql-8.4-main.log", - "var/log/postgresql/postgresql-9.0-main.log", - "var/log/postgresql/postgresql-9.1-main.log", - "var/log/pgsql8.log", - "var/log/postgresql/postgres.log", - "var/log/pgsql_log", - "var/log/postgresql/main.log", - "var/log/cron", - "var/log/postgres.log", - "var/log/proftpd", - "var/log/proftpd/xferlog.legacy", - "var/log/proftpd.access_log", - "var/log/proftpd.xferlog", - "var/log/vsftpd.log", - "var/log/xferlog", - "var/log/pure-ftpd/pure-ftpd.log", - "var/log/pureftpd.log", - "var/log/muddleftpd", - "var/log/muddleftpd.conf", - "var/log/ftp-proxy/ftp-proxy.log", - "var/log/ftp-proxy", - "var/log/ftplog", - "var/log/exim_mainlog", - "var/log/exim/mainlog", - "var/log/maillog", - "var/log/exim_paniclog", - "var/log/exim/paniclog", - "var/log/exim/rejectlog", - "var/log/exim_rejectlog", - "var/log/webmin/miniserv.log", - "var/log/httpd/access_log", - "var/log/httpd/error_log", - "var/log/httpd/access.log", - "var/log/httpd/error.log", - "var/log/apache/access_log", - 
"var/log/apache/access.log", - "var/log/apache/error_log", - "var/log/apache/error.log", - "var/log/apache2/access_log", - "var/log/apache2/access.log", - "var/log/apache2/error_log", - "var/log/apache2/error.log", - "var/log/access_log", - "var/log/access.log", - "var/log/error_log", - "var/log/error.log", - "var/log/tomcat6/catalina.out", - "var/log/lighttpd.error.log", - "var/log/lighttpd.access.log", - "var/logs/access.log", - "var/log/lighttpd/", - "var/log/lighttpd/error.log", - "var/log/lighttpd/access.www.log", - "var/log/lighttpd/error.www.log", - "var/log/lighttpd/access.log", - "var/log/lighttpd/{domain}/access.log", - "var/log/lighttpd/{domain}/error.log", - "var/log/nginx/access_log", - "var/log/nginx/error_log", - "var/log/nginx/access.log", - "var/log/nginx/error.log", - "var/log/nginx.access_log", - "var/log/nginx.error_log", - "var/log/samba/log.smbd", - "var/log/samba/log.nmbd", - "var/log/samba.log", - "var/log/samba.log1", - "var/log/samba.log2", - "var/log/log.smb", - "var/log/ipfw.log", - "var/log/ipfw", - "var/log/ipfw/ipfw.log", - "var/log/ipfw.today", - "var/log/poplog", - "var/log/authlog", - "var/log/news.all", - "var/log/news/news.all", - "var/log/news/news.crit", - "var/log/news/news.err", - "var/log/news/news.notice", - "var/log/news/suck.err", - "var/log/news/suck.notice", - "var/log/messages", - "var/log/messages.1", - "var/log/user.log", - "var/log/user.log.1", - "var/log/auth.log", - "var/log/pm-powersave.log", - "var/log/xorg.0.log", - "var/log/daemon.log", - "var/log/daemon.log.1", - "var/log/kern.log", - "var/log/kern.log.1", - "var/log/mail.err", - "var/log/mail.info", - "var/log/mail.warn", - "var/log/ufw.log", - "var/log/boot.log", - "var/log/syslog", - "var/log/syslog.1", - "var/log/squirrelmail.log", - "var/log/apache2/squirrelmail.log", - "var/log/apache2/squirrelmail.err.log", - "var/log/mail.log", - "var/log/vmware/hostd.log", - "var/log/vmware/hostd-1.log", - "/wp-config.php", - "/wp-config.bak", - "/wp-config.old", - 
"/wp-config.temp", - "/wp-config.tmp", - "/wp-config.txt", - "/config.yml", - "/config_dev.yml", - "/config_prod.yml", - "/config_test.yml", - "/parameters.yml", - "/routing.yml", - "/security.yml", - "/services.yml", - "sites/default/default.settings.php", - "sites/default/settings.php", - "sites/default/settings.local.php", - "app/etc/local.xml", - "/sftp-config.json", - "/web.config", - "includes/config.php", - "includes/configure.php", - "/config.inc.php", - "/localsettings.php", - "inc/config.php", - "typo3conf/localconf.php", - "config/app.php", - "config/custom.php", - "config/database.php", - "/configuration.php", - "/config.php", - "var/mail/www-data", - "etc/network/", - "etc/init/", - "inetpub/wwwroot/global.asa", - "system32/inetsrv/config/applicationhost.config", - "system32/inetsrv/config/administration.config", - "system32/inetsrv/config/redirection.config", - "system32/config/default", - "system32/config/sam", - "system32/config/system", - "system32/config/software", - "winnt/repair/sam._", - "/package.json", - "/package-lock.json", - "/gruntfile.js", - "/npm-debug.log", - "/ormconfig.json", - "/tsconfig.json", - "/webpack.config.js", - "/yarn.lock", - "proc/0", - "proc/1", - "proc/2", - "proc/3", - "proc/4", - "proc/5", - "proc/6", - "proc/7", - "proc/8", - "proc/9", - "proc/acpi", - "proc/asound", - "proc/bootconfig", - "proc/buddyinfo", - "proc/bus", - "proc/cgroups", - "proc/cmdline", - "proc/config.gz", - "proc/consoles", - "proc/cpuinfo", - "proc/crypto", - "proc/devices", - "proc/diskstats", - "proc/dma", - "proc/docker", - "proc/driver", - "proc/dynamic_debug", - "proc/execdomains", - "proc/fb", - "proc/filesystems", - "proc/fs", - "proc/interrupts", - "proc/iomem", - "proc/ioports", - "proc/ipmi", - "proc/irq", - "proc/kallsyms", - "proc/kcore", - "proc/keys", - "proc/keys", - "proc/key-users", - "proc/kmsg", - "proc/kpagecgroup", - "proc/kpagecount", - "proc/kpageflags", - "proc/latency_stats", - "proc/loadavg", - "proc/locks", - 
"proc/mdstat", - "proc/meminfo", - "proc/misc", - "proc/modules", - "proc/mounts", - "proc/mpt", - "proc/mtd", - "proc/mtrr", - "proc/net", - "proc/net/tcp", - "proc/net/udp", - "proc/pagetypeinfo", - "proc/partitions", - "proc/pressure", - "proc/sched_debug", - "proc/schedstat", - "proc/scsi", - "proc/self", - "proc/self/cmdline", - "proc/self/environ", - "proc/self/fd/0", - "proc/self/fd/1", - "proc/self/fd/10", - "proc/self/fd/11", - "proc/self/fd/12", - "proc/self/fd/13", - "proc/self/fd/14", - "proc/self/fd/15", - "proc/self/fd/2", - "proc/self/fd/3", - "proc/self/fd/4", - "proc/self/fd/5", - "proc/self/fd/6", - "proc/self/fd/7", - "proc/self/fd/8", - "proc/self/fd/9", - "proc/self/mounts", - "proc/self/stat", - "proc/self/status", - "proc/slabinfo", - "proc/softirqs", - "proc/stat", - "proc/swaps", - "proc/sys", - "proc/sysrq-trigger", - "proc/sysvipc", - "proc/thread-self", - "proc/timer_list", - "proc/timer_stats", - "proc/tty", - "proc/uptime", - "proc/version", - "proc/version_signature", - "proc/vmallocinfo", - "proc/vmstat", - "proc/zoneinfo", - "sys/block", - "sys/bus", - "sys/class", - "sys/dev", - "sys/devices", - "sys/firmware", - "sys/fs", - "sys/hypervisor", - "sys/kernel", - "sys/module", - "sys/power", - "windows\\win.ini", - "default\\ntuser.dat", - "/var/run/secrets/kubernetes.io/serviceaccount" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase", - "normalizePath" - ] - }, - { - "id": "crs-931-110", - "name": "RFI: Common RFI Vulnerable Parameter Name used w/ URL Payload", - "tags": { - "type": "rfi", - "crs_id": "931110", - "category": "attack_attempt", - "cwe": "98", - "capec": "1000/152/175/253/193", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - } - ], - "regex": 
"(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://", - "options": { - "min_length": 15 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-931-120", - "name": "RFI: URL Payload Used w/Trailing Question Mark Character (?)", - "tags": { - "type": "rfi", - "crs_id": "931120", - "category": "attack_attempt", - "cwe": "98", - "capec": "1000/152/175/253/193" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^(?i:file|ftps?)://.*?\\?+$", - "options": { - "case_sensitive": true, - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-932-160", - "name": "Remote Command Execution: Unix Shell Code Found", - "tags": { - "type": "command_injection", - "crs_id": "932160", - "category": "attack_attempt", - "cwe": "77", - "capec": "1000/152/248/88", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "${cdpath}", - "${dirstack}", - "${home}", - "${hostname}", - "${ifs}", - "${oldpwd}", - "${ostype}", - "${path}", - "${pwd}", - "$cdpath", - "$dirstack", - "$home", - "$hostname", - "$ifs", - "$oldpwd", - "$ostype", - "$path", - "$pwd", - "dev/fd/", - "dev/null", - "dev/stderr", - "dev/stdin", - "dev/stdout", - "dev/tcp/", - "dev/udp/", - "dev/zero", - "etc/master.passwd", - "etc/pwd.db", - "etc/shells", - 
"etc/spwd.db", - "proc/self/", - "bin/7z", - "bin/7za", - "bin/7zr", - "bin/ab", - "bin/agetty", - "bin/ansible-playbook", - "bin/apt", - "bin/apt-get", - "bin/ar", - "bin/aria2c", - "bin/arj", - "bin/arp", - "bin/as", - "bin/ascii-xfr", - "bin/ascii85", - "bin/ash", - "bin/aspell", - "bin/at", - "bin/atobm", - "bin/awk", - "bin/base32", - "bin/base64", - "bin/basenc", - "bin/bash", - "bin/bpftrace", - "bin/bridge", - "bin/bundler", - "bin/bunzip2", - "bin/busctl", - "bin/busybox", - "bin/byebug", - "bin/bzcat", - "bin/bzcmp", - "bin/bzdiff", - "bin/bzegrep", - "bin/bzexe", - "bin/bzfgrep", - "bin/bzgrep", - "bin/bzip2", - "bin/bzip2recover", - "bin/bzless", - "bin/bzmore", - "bin/bzz", - "bin/c89", - "bin/c99", - "bin/cancel", - "bin/capsh", - "bin/cat", - "bin/cc", - "bin/certbot", - "bin/check_by_ssh", - "bin/check_cups", - "bin/check_log", - "bin/check_memory", - "bin/check_raid", - "bin/check_ssl_cert", - "bin/check_statusfile", - "bin/chmod", - "bin/choom", - "bin/chown", - "bin/chroot", - "bin/clang", - "bin/clang++", - "bin/cmp", - "bin/cobc", - "bin/column", - "bin/comm", - "bin/composer", - "bin/core_perl/zipdetails", - "bin/cowsay", - "bin/cowthink", - "bin/cp", - "bin/cpan", - "bin/cpio", - "bin/cpulimit", - "bin/crash", - "bin/crontab", - "bin/csh", - "bin/csplit", - "bin/csvtool", - "bin/cupsfilter", - "bin/curl", - "bin/cut", - "bin/dash", - "bin/date", - "bin/dd", - "bin/dev/fd/", - "bin/dev/null", - "bin/dev/stderr", - "bin/dev/stdin", - "bin/dev/stdout", - "bin/dev/tcp/", - "bin/dev/udp/", - "bin/dev/zero", - "bin/dialog", - "bin/diff", - "bin/dig", - "bin/dmesg", - "bin/dmidecode", - "bin/dmsetup", - "bin/dnf", - "bin/docker", - "bin/dosbox", - "bin/dpkg", - "bin/du", - "bin/dvips", - "bin/easy_install", - "bin/eb", - "bin/echo", - "bin/ed", - "bin/efax", - "bin/emacs", - "bin/env", - "bin/eqn", - "bin/es", - "bin/esh", - "bin/etc/group", - "bin/etc/master.passwd", - "bin/etc/passwd", - "bin/etc/pwd.db", - "bin/etc/shadow", - "bin/etc/shells", - 
"bin/etc/spwd.db", - "bin/ex", - "bin/exiftool", - "bin/expand", - "bin/expect", - "bin/expr", - "bin/facter", - "bin/fetch", - "bin/file", - "bin/find", - "bin/finger", - "bin/fish", - "bin/flock", - "bin/fmt", - "bin/fold", - "bin/fping", - "bin/ftp", - "bin/gawk", - "bin/gcc", - "bin/gcore", - "bin/gdb", - "bin/gem", - "bin/genie", - "bin/genisoimage", - "bin/ghc", - "bin/ghci", - "bin/gimp", - "bin/ginsh", - "bin/git", - "bin/grc", - "bin/grep", - "bin/gtester", - "bin/gunzip", - "bin/gzexe", - "bin/gzip", - "bin/hd", - "bin/head", - "bin/hexdump", - "bin/highlight", - "bin/hping3", - "bin/iconv", - "bin/id", - "bin/iftop", - "bin/install", - "bin/ionice", - "bin/ip", - "bin/irb", - "bin/ispell", - "bin/jjs", - "bin/join", - "bin/journalctl", - "bin/jq", - "bin/jrunscript", - "bin/knife", - "bin/ksh", - "bin/ksshell", - "bin/latex", - "bin/ld", - "bin/ldconfig", - "bin/less", - "bin/lftp", - "bin/ln", - "bin/loginctl", - "bin/logsave", - "bin/look", - "bin/lp", - "bin/ls", - "bin/ltrace", - "bin/lua", - "bin/lualatex", - "bin/luatex", - "bin/lwp-download", - "bin/lwp-request", - "bin/lz", - "bin/lz4", - "bin/lz4c", - "bin/lz4cat", - "bin/lzcat", - "bin/lzcmp", - "bin/lzdiff", - "bin/lzegrep", - "bin/lzfgrep", - "bin/lzgrep", - "bin/lzless", - "bin/lzma", - "bin/lzmadec", - "bin/lzmainfo", - "bin/lzmore", - "bin/mail", - "bin/make", - "bin/man", - "bin/mawk", - "bin/mkfifo", - "bin/mknod", - "bin/more", - "bin/mosquitto", - "bin/mount", - "bin/msgattrib", - "bin/msgcat", - "bin/msgconv", - "bin/msgfilter", - "bin/msgmerge", - "bin/msguniq", - "bin/mtr", - "bin/mv", - "bin/mysql", - "bin/nano", - "bin/nasm", - "bin/nawk", - "bin/nc", - "bin/ncat", - "bin/neofetch", - "bin/nice", - "bin/nl", - "bin/nm", - "bin/nmap", - "bin/node", - "bin/nohup", - "bin/npm", - "bin/nroff", - "bin/nsenter", - "bin/octave", - "bin/od", - "bin/openssl", - "bin/openvpn", - "bin/openvt", - "bin/opkg", - "bin/paste", - "bin/pax", - "bin/pdb", - "bin/pdflatex", - "bin/pdftex", - 
"bin/pdksh", - "bin/perf", - "bin/perl", - "bin/pg", - "bin/php", - "bin/php-cgi", - "bin/php5", - "bin/php7", - "bin/pic", - "bin/pico", - "bin/pidstat", - "bin/pigz", - "bin/pip", - "bin/pkexec", - "bin/pkg", - "bin/pr", - "bin/printf", - "bin/proc/self/", - "bin/pry", - "bin/ps", - "bin/psed", - "bin/psftp", - "bin/psql", - "bin/ptx", - "bin/puppet", - "bin/pxz", - "bin/python", - "bin/python2", - "bin/python3", - "bin/rake", - "bin/rbash", - "bin/rc", - "bin/readelf", - "bin/red", - "bin/redcarpet", - "bin/restic", - "bin/rev", - "bin/rlogin", - "bin/rlwrap", - "bin/rpm", - "bin/rpmquery", - "bin/rsync", - "bin/ruby", - "bin/run-mailcap", - "bin/run-parts", - "bin/rview", - "bin/rvim", - "bin/sash", - "bin/sbin/capsh", - "bin/sbin/logsave", - "bin/sbin/service", - "bin/sbin/start-stop-daemon", - "bin/scp", - "bin/screen", - "bin/script", - "bin/sed", - "bin/service", - "bin/setarch", - "bin/sftp", - "bin/sg", - "bin/sh", - "bin/shuf", - "bin/sleep", - "bin/slsh", - "bin/smbclient", - "bin/snap", - "bin/socat", - "bin/soelim", - "bin/sort", - "bin/split", - "bin/sqlite3", - "bin/ss", - "bin/ssh", - "bin/ssh-keygen", - "bin/ssh-keyscan", - "bin/sshpass", - "bin/start-stop-daemon", - "bin/stdbuf", - "bin/strace", - "bin/strings", - "bin/su", - "bin/sysctl", - "bin/systemctl", - "bin/systemd-resolve", - "bin/tac", - "bin/tail", - "bin/tar", - "bin/task", - "bin/taskset", - "bin/tbl", - "bin/tclsh", - "bin/tcpdump", - "bin/tcsh", - "bin/tee", - "bin/telnet", - "bin/tex", - "bin/tftp", - "bin/tic", - "bin/time", - "bin/timedatectl", - "bin/timeout", - "bin/tmux", - "bin/top", - "bin/troff", - "bin/tshark", - "bin/ul", - "bin/uname", - "bin/uncompress", - "bin/unexpand", - "bin/uniq", - "bin/unlz4", - "bin/unlzma", - "bin/unpigz", - "bin/unrar", - "bin/unshare", - "bin/unxz", - "bin/unzip", - "bin/unzstd", - "bin/update-alternatives", - "bin/uudecode", - "bin/uuencode", - "bin/valgrind", - "bin/vi", - "bin/view", - "bin/vigr", - "bin/vim", - "bin/vimdiff", - 
"bin/vipw", - "bin/virsh", - "bin/volatility", - "bin/wall", - "bin/watch", - "bin/wc", - "bin/wget", - "bin/whiptail", - "bin/who", - "bin/whoami", - "bin/whois", - "bin/wireshark", - "bin/wish", - "bin/xargs", - "bin/xelatex", - "bin/xetex", - "bin/xmodmap", - "bin/xmore", - "bin/xpad", - "bin/xxd", - "bin/xz", - "bin/xzcat", - "bin/xzcmp", - "bin/xzdec", - "bin/xzdiff", - "bin/xzegrep", - "bin/xzfgrep", - "bin/xzgrep", - "bin/xzless", - "bin/xzmore", - "bin/yarn", - "bin/yelp", - "bin/yes", - "bin/yum", - "bin/zathura", - "bin/zip", - "bin/zipcloak", - "bin/zipcmp", - "bin/zipdetails", - "bin/zipgrep", - "bin/zipinfo", - "bin/zipmerge", - "bin/zipnote", - "bin/zipsplit", - "bin/ziptool", - "bin/zsh", - "bin/zsoelim", - "bin/zstd", - "bin/zstdcat", - "bin/zstdgrep", - "bin/zstdless", - "bin/zstdmt", - "bin/zypper" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase", - "cmdLine" - ] - }, - { - "id": "crs-932-171", - "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", - "tags": { - "type": "command_injection", - "crs_id": "932171", - "category": "attack_attempt", - "cwe": "77", - "capec": "1000/152/248/88", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^\\(\\s*\\)\\s+{", - "options": { - "case_sensitive": true, - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-932-180", - "name": "Restricted File Upload Attempt", - "tags": { - "type": "command_injection", - "crs_id": "932180", - "category": "attack_attempt", - "cwe": "706", - "capec": "1000/225/122/17/177", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - 
"inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x-filename" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x_filename" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x-file-name" - ] - } - ], - "list": [ - ".htaccess", - ".htdigest", - ".htpasswd", - "wp-config.php", - "config.yml", - "config_dev.yml", - "config_prod.yml", - "config_test.yml", - "parameters.yml", - "routing.yml", - "security.yml", - "services.yml", - "default.settings.php", - "settings.php", - "settings.local.php", - "local.xml", - ".env" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-933-111", - "name": "PHP Injection Attack: PHP Script File Upload Found", - "tags": { - "type": "unrestricted_file_upload", - "crs_id": "933111", - "category": "attack_attempt", - "cwe": "434", - "capec": "1000/225/122/17/650", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x-filename" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x_filename" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x.filename" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "x-file-name" - ] - } - ], - "regex": ".*\\.(?:php\\d*|phtml)\\..*$", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-933-130", - "name": "PHP Injection Attack: Global Variables Found", - "tags": { - "type": "php_code_injection", - "crs_id": "933130", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/225/122/17/650", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" 
- }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "$globals", - "$_cookie", - "$_env", - "$_files", - "$_get", - "$_post", - "$_request", - "$_server", - "$_session", - "$argc", - "$argv", - "$http_\\u200bresponse_\\u200bheader", - "$php_\\u200berrormsg", - "$http_cookie_vars", - "$http_env_vars", - "$http_get_vars", - "$http_post_files", - "$http_post_vars", - "$http_raw_post_data", - "$http_request_vars", - "$http_server_vars" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-933-131", - "name": "PHP Injection Attack: HTTP Headers Values Found", - "tags": { - "type": "php_code_injection", - "crs_id": "933131", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/225/122/17/650" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)", - "options": { - "case_sensitive": true, - "min_length": 9 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-933-140", - "name": "PHP Injection Attack: I/O Stream Found", - "tags": { - "type": "php_code_injection", - "crs_id": "933140", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/225/122/17/650", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": 
"grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)", - "options": { - "min_length": 8 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-933-150", - "name": "PHP Injection Attack: High-Risk PHP Function Name Found", - "tags": { - "type": "php_code_injection", - "crs_id": "933150", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/225/122/17/650", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "__halt_compiler", - "apache_child_terminate", - "base64_decode", - "bzdecompress", - "call_user_func", - "call_user_func_array", - "call_user_method", - "call_user_method_array", - "convert_uudecode", - "file_get_contents", - "file_put_contents", - "fsockopen", - "get_class_methods", - "get_class_vars", - "get_defined_constants", - "get_defined_functions", - "get_defined_vars", - "gzdecode", - "gzinflate", - "gzuncompress", - "include_once", - "invokeargs", - "pcntl_exec", - "pcntl_fork", - "pfsockopen", - "posix_getcwd", - "posix_getpwuid", - "posix_getuid", - "posix_uname", - "reflectionfunction", - "require_once", - "shell_exec", - "str_rot13", - "sys_get_temp_dir", - "wp_remote_fopen", - "wp_remote_get", - "wp_remote_head", - "wp_remote_post", - "wp_remote_request", - "wp_safe_remote_get", - "wp_safe_remote_head", - "wp_safe_remote_post", - "wp_safe_remote_request", - "zlib_decode" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-933-160", - "name": "PHP Injection Attack: High-Risk PHP Function Call Found", - "tags": { - "type": "php_code_injection", - 
"crs_id": "933160", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/225/122/17/650" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(
?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-933-170", - "name": "PHP Injection Attack: Serialized Object Injection", - "tags": { - "type": "php_code_injection", - "crs_id": "933170", - "category": "attack_attempt", - "cwe": "502", - "capec": "1000/152/586", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}", - "options": { - "case_sensitive": true, - "min_length": 12 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-933-200", - "name": "PHP Injection Attack: Wrapper scheme detected", - "tags": { - "type": "php_code_injection", - "crs_id": "933200", - "category": "attack_attempt", - "cwe": "502", - "capec": "1000/152/586" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://", - "options": { - "case_sensitive": true, - "min_length": 6 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-934-100", - "name": "Node.js Injection Attack 1/2", - "tags": { - "type": "js_code_injection", - "crs_id": "934100", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)", - "options": { - "case_sensitive": true, - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-934-101", - "name": "Node.js Injection Attack 2/2", - "tags": { - "type": "js_code_injection", - "crs_id": "934101", - "category": "attack_attempt", - "confidence": "1", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": 
"crs-941-110", - "name": "XSS Filter - Category 1: Script Tag Vector", - "tags": { - "type": "xss", - "crs_id": "941110", - "category": "attack_attempt", - "cwe": "80", - "capec": "1000/152/242/63/591", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "referer" - ] - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "]*>[\\s\\S]*?", - "options": { - "min_length": 8 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls", - "urlDecodeUni" - ] - }, - { - "id": "crs-941-120", - "name": "XSS Filter - Category 2: Event Handler Vector", - "tags": { - "type": "xss", - "crs_id": "941120", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "referer" - ] - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"\\bon(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress|aste|ointer(?:cancel|down|enter|leave|move|out|over|rawupdate|up))|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t|uxclick|fterscriptexecute)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?|inish)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start|end)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", - "options": { - "min_length": 8 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls", - "urlDecodeUni" - ] - }, - { - "id": "crs-941-140", - "name": "XSS Filter - Category 4: Javascript URI Vector", - "tags": { - "type": "xss", - "crs_id": "941140", - "category": "attack_attempt", - "cwe": "84", - "capec": "1000/152/242/63/591/244", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "referer" - ] - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript", - "options": { - "min_length": 18 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls", - "urlDecodeUni" - ] - }, - { - "id": "crs-941-170", - "name": "NoScript XSS InjectionChecker: Attribute 
Injection", - "tags": { - "type": "xss", - "crs_id": "941170", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "referer" - ] - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(", - "options": { - "min_length": 6 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls", - "urlDecodeUni" - ] - }, - { - "id": "crs-941-180", - "name": "Node-Validator Deny List Keywords", - "tags": { - "type": "xss", - "crs_id": "941180", - "category": "attack_attempt", - "cwe": "79", - "capec": "1000/152/242/63/591" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "document.cookie", - "document.write", - ".parentnode", - ".innerhtml", - "window.location", - "-moz-binding" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "removeNulls", - "lowercase" - ] - }, - { - "id": "crs-941-200", - "name": "IE XSS Filters - Attack Detected via vmlframe tag", - "tags": { - "type": "xss", - 
"crs_id": "941200", - "category": "attack_attempt", - "cwe": "80", - "capec": "1000/152/242/63/591", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)", - "options": { - "case_sensitive": true, - "min_length": 13 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-941-210", - "name": "IE XSS Filters - Obfuscated Attack Detected via javascript injection", - "tags": { - "type": "xss", - "crs_id": "941210", - "category": "attack_attempt", - "cwe": "80", - "capec": "1000/152/242/63/591", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", - "options": { - "case_sensitive": true, - "min_length": 12 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-941-220", - "name": "IE XSS Filters - Obfuscated Attack Detected via vbscript injection", - "tags": { - "type": "xss", - "crs_id": "941220", - "category": "attack_attempt", - "cwe": "80", - "capec": "1000/152/242/63/591", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)", - "options": { - "case_sensitive": true, - "min_length": 10 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-941-230", - "name": "IE XSS Filters - Attack Detected via embed tag", - "tags": { - "type": "xss", - "crs_id": "941230", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "]", - "options": { - "min_length": 8 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-941-300", - "name": "IE XSS Filters - Attack Detected via object tag", - "tags": { - "type": "xss", - "crs_id": "941300", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": 
"grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": ")|<.*\\+AD4-", - "options": { - "case_sensitive": true, - "min_length": 6 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-941-360", - "name": "JSFuck / Hieroglyphy obfuscation detected", - "tags": { - "type": "xss", - "crs_id": "941360", - "category": "attack_attempt", - "cwe": "87", - "capec": "1000/152/242/63/591/199" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "![!+ ]\\[\\]", - "options": { - "case_sensitive": true, - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-941-390", - "name": "Javascript method detected", - "tags": { - "type": "xss", - "crs_id": "941390", - "category": "attack_attempt", - "confidence": "1", - "cwe": "79", - "capec": "1000/152/242/63/591" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)[\\s+]*\\([^\\)]", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-100", - "name": "SQL Injection Attack Detected via libinjection", - "tags": { - "type": "sql_injection", - "crs_id": "942100", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": 
"server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ] - }, - "operator": "is_sqli" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "crs-942-160", - "name": "Detects blind sqli tests using sleep() or benchmark()", - "tags": { - "type": "sql_injection", - "crs_id": "942160", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66/7", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))", - "options": { - "case_sensitive": true, - "min_length": 7 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-240", - "name": "Detects MySQL charset switch and MSSQL DoS attempts", - "tags": { - "type": "sql_injection", - "crs_id": "942240", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66/7", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)", - "options": { - "min_length": 7 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-250", - "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections", - "tags": { - 
"type": "sql_injection", - "crs_id": "942250", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()", - "options": { - "case_sensitive": true, - "min_length": 11 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-270", - "name": "Basic SQL injection", - "tags": { - "type": "sql_injection", - "crs_id": "942270", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "union.*?select.*?from", - "options": { - "min_length": 15 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-280", - "name": "SQL Injection with delay functions", - "tags": { - "type": "sql_injection", - "crs_id": "942280", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66/7", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)", - 
"options": { - "min_length": 10 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-290", - "name": "Finds basic MongoDB SQL injection attempts", - "tags": { - "type": "nosql_injection", - "crs_id": "942290", - "category": "attack_attempt", - "cwe": "943", - "capec": "1000/152/248/676" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)", - "options": { - "case_sensitive": true, - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "keys_only" - ] - }, - { - "id": "crs-942-360", - "name": "Detects concatenated basic SQL injection and SQLLFI attempts", - "tags": { - "type": "sql_injection", - "crs_id": "942360", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66/470" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)", - "options": { - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-500", - "name": "MySQL in-line comment detected", - "tags": { - "type": "sql_injection", - "crs_id": "942500", - "category": "attack_attempt", - "cwe": "89", - "capec": "1000/152/248/66" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-943-100", - "name": "Possible 
Session Fixation Attack: Setting Cookie Values in HTML", - "tags": { - "type": "http_protocol_violation", - "crs_id": "943100", - "category": "attack_attempt", - "cwe": "384", - "capec": "1000/225/21/593/61", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)", - "options": { - "case_sensitive": true, - "min_length": 15 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-944-100", - "name": "Remote Command Execution: Suspicious Java class detected", - "tags": { - "type": "java_code_injection", - "crs_id": "944100", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "java\\.lang\\.(?:runtime|processbuilder)", - "options": { - "case_sensitive": true, - "min_length": 17 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-944-110", - "name": "Remote Command Execution: Java process spawn (CVE-2017-9805)", - "tags": { - "type": "java_code_injection", - "crs_id": "944110", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": 
"server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:runtime|processbuilder)", - "options": { - "case_sensitive": true, - "min_length": 7 - } - }, - "operator": "match_regex" - }, - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:unmarshaller|base64data|java\\.)", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-944-130", - "name": "Suspicious Java class detected", - "tags": { - "type": "java_code_injection", - "crs_id": "944130", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "list": [ - "com.opensymphony.xwork2", - "com.sun.org.apache", - "java.io.bufferedinputstream", - "java.io.bufferedreader", - "java.io.bytearrayinputstream", - "java.io.bytearrayoutputstream", - "java.io.chararrayreader", - "java.io.datainputstream", - "java.io.file", - "java.io.fileoutputstream", - "java.io.filepermission", - "java.io.filewriter", - "java.io.filterinputstream", - "java.io.filteroutputstream", - "java.io.filterreader", - "java.io.inputstream", - "java.io.inputstreamreader", - "java.io.linenumberreader", - 
"java.io.objectoutputstream", - "java.io.outputstream", - "java.io.pipedoutputstream", - "java.io.pipedreader", - "java.io.printstream", - "java.io.pushbackinputstream", - "java.io.reader", - "java.io.stringreader", - "java.lang.class", - "java.lang.integer", - "java.lang.number", - "java.lang.object", - "java.lang.process", - "java.lang.reflect", - "java.lang.string", - "java.lang.stringbuilder", - "java.lang.system", - "javax.script.scriptenginemanager", - "org.apache.commons", - "org.apache.struts", - "org.apache.struts2", - "org.omg.corba", - "java.beans.xmldecode" - ] - }, - "operator": "phrase_match" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-944-260", - "name": "Remote Command Execution: Malicious class-loading payload", - "tags": { - "type": "java_code_injection", - "crs_id": "944260", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)", - "options": { - "case_sensitive": true, - "min_length": 58 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-000-001", - "name": "Look for Cassandra injections", - "tags": { - "type": "nosql_injection", - "category": "attack_attempt", - "cwe": "943", - "capec": "1000/152/248/676" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": 
"grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - }, - { - "address": "server.request.headers.no_cookies" - } - ], - "regex": "\\ballow\\s+filtering\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeComments" - ] - }, - { - "id": "dog-000-002", - "name": "OGNL - Look for formatting injection patterns", - "tags": { - "type": "java_code_injection", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}", - "options": { - "case_sensitive": true - } - } - } - ], - "transformers": [] - }, - { - "id": "dog-000-003", - "name": "OGNL - Detect OGNL exploitation primitives", - "tags": { - "type": "java_code_injection", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "[@#]ognl", - "options": { - "case_sensitive": true - } - } - } - ], - "transformers": [] - }, - { - "id": "dog-000-004", - "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability", - "tags": { - "type": "exploit_detection", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - 
{ - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.body" - } - ], - "regex": "^class\\.module\\.classLoader\\.", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [ - "keys_only" - ] - }, - { - "id": "dog-000-005", - "name": "Node.js: Prototype pollution through __proto__", - "tags": { - "type": "js_code_injection", - "category": "attack_attempt", - "cwe": "1321", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - } - ], - "regex": "^__proto__$" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "keys_only" - ] - }, - { - "id": "dog-000-006", - "name": "Node.js: Prototype pollution through constructor.prototype", - "tags": { - "type": "js_code_injection", - "category": "attack_attempt", - "cwe": "1321", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - } - ], - "regex": "^constructor$" - }, - "operator": "match_regex" - }, - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - } - ], - "regex": "^prototype$" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "keys_only" - ] - }, - { - "id": "dog-000-007", - "name": "Server side template injection: Velocity & Freemarker", - "tags": { - "type": "java_code_injection", - "category": "attack_attempt", - "cwe": "1336", - "capec": "1000/152/242/19", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - 
"address": "graphql.server.all_resolvers" - } - ], - "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-001", - "name": "BurpCollaborator OOB domain", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "tool_name": "BurpCollaborator", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-002", - "name": "Qualys OOB domain", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "tool_name": "Qualys", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\bqualysperiscope\\.com\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-003", - "name": "Probely OOB domain", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "tool_name": "Probely", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": 
"server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\bprbly\\.win\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-004", - "name": "Known malicious out-of-band interaction domain", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-005", - "name": "Known suspicious out-of-band interaction domain", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-006", - "name": "Rapid7 OOB domain", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "tool_name": "Rapid7", - "cwe": "200", - "capec": "1000/118/169", - 
"confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\bappspidered\\.rapid7\\." - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-007", - "name": "Interact.sh OOB domain", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "tool_name": "interact.sh", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-913-008", - "name": "Netsparker OOB domain", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "tool_name": "Netsparker", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\b(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)r87(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)(?:me|com)\\b", - "options": { - "case_sensitive": false, - "min_length": 7 - } - }, - 
"operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-931-001", - "name": "RFI: URL Payload to well known RFI target", - "tags": { - "type": "rfi", - "category": "attack_attempt", - "cwe": "98", - "capec": "1000/152/175/253/193", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$", - "options": { - "case_sensitive": true, - "min_length": 17 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-934-001", - "name": "XXE - XML file loads external entity", - "tags": { - "type": "xxe", - "category": "attack_attempt", - "cwe": "91", - "capec": "1000/152/248/250", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.body" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?:<\\?xml[^>]*>.*)]+SYSTEM\\s+[^>]+>", - "options": { - "case_sensitive": false, - "min_length": 24 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "dog-941-001", - "name": "XSS in source property", - "tags": { - "type": "xss", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "referer" - ] - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": 
"grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "<(?:iframe|esi:include)(?:(?:\\s|/)*\\w+=[\"'\\w]+)*(?:\\s|/)*src(?:doc)?=[\"']?(?:data:|javascript:|http:|//)[^\\s'\"]+['\"]?", - "options": { - "min_length": 14 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls", - "urlDecodeUni" - ] - }, - { - "id": "dog-942-001", - "name": "Blind XSS callback domains", - "tags": { - "type": "xss", - "category": "attack_attempt", - "cwe": "83", - "capec": "1000/152/242/63/591/243", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)", - "options": { - "case_sensitive": false - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "nfd-000-001", - "name": "Detect common directory discovery scans", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "phrase_match", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "list": [ - "/wordpress/", - "/etc/", - "/login.php", - "/install.php", - "/administrator", - "/admin.php", - "/wp-config", - "/phpmyadmin", - "/fckeditor", - "/mysql", - "/manager/html", - ".htaccess", - "/config.php", - "/configuration", - "/cgi-bin/php", - "/search.php", - "/tinymce", - "/tiny_mce", - "/settings.php", - 
"../../..", - "/install/", - "/download.php", - "/webdav", - "/forum.php", - "/user.php", - "/style.php", - "/jmx-console", - "/modules.php", - "/include.php", - "/default.asp", - "/help.php", - "/database.yml", - "/database.yml.pgsql", - "/database.yml.sqlite3", - "/database.yml.sqlite", - "/database.yml.mysql", - ".%2e/", - "/view.php", - "/header.php", - "/search.asp", - "%5c%5c", - "/server/php/", - "/invoker/jmxinvokerservlet", - "/phpmyadmin/index.php", - "/data/admin/allowurl.txt", - "/verify.php", - "/misc/ajax.js", - "/.idea", - "/module.php", - "/backup.rar", - "/backup.tar", - "/backup.zip", - "/backup.7z", - "/backup.gz", - "/backup.tgz", - "/backup.tar.gz", - "waitfor%20delay", - "/calendar.php", - "/news.php", - "/dompdf.php", - "))))))))))))))))", - "/web.config", - "tree.php", - "/cgi-bin-sdb/printenv", - "/comments.php", - "/detail.asp", - "/license.txt", - "/admin.asp", - "/auth.php", - "/list.php", - "/content.php", - "/mod.php", - "/mini.php", - "/install.pgsql", - "/install.mysql", - "/install.sqlite", - "/install.sqlite3", - "/install.txt", - "/install.md", - "/doku.php", - "/main.asp", - "/myadmin", - "/force-download.php", - "/iisprotect/admin", - "/.gitignore", - "/print.php", - "/common.php", - "/mainfile.php", - "/functions.php", - "/scripts/setup.php", - "/faq.php", - "/op/op.login.php", - "/home.php", - "/includes/hnmain.inc.php3", - "/preview.php", - "/dump.rar", - "/dump.tar", - "/dump.zip", - "/dump.7z", - "/dump.gz", - "/dump.tgz", - "/dump.tar.gz", - "/thumbnail.php", - "/sendcard.php", - "/global.asax", - "/directory.php", - "/footer.php", - "/error.asp", - "/forum.asp", - "/save.php", - "/htmlsax3.php", - "/adm/krgourl.php", - "/includes/converter.inc.php", - "/nucleus/libs/pluginadmin.php", - "/base_qry_common.php", - "/fileadmin", - "/bitrix/admin/", - "/adm.php", - "/util/barcode.php", - "/action.php", - "/rss.asp", - "/downloads.php", - "/page.php", - "/snarf_ajax.php", - "/fck/editor", - "/sendmail.php", - "/detail.php", - 
"/iframe.php", - "/swfupload.swf", - "/jenkins/login", - "/phpmyadmin/main.php", - "/phpmyadmin/scripts/setup.php", - "/user/index.php", - "/checkout.php", - "/process.php", - "/ks_inc/ajax.js", - "/export.php", - "/register.php", - "/cart.php", - "/console.php", - "/friend.php", - "/readmsg.php", - "/install.asp", - "/dagent/downloadreport.asp", - "/system/index.php", - "/core/changelog.txt", - "/js/util.js", - "/interna.php", - "/gallery.php", - "/links.php", - "/data/admin/ver.txt", - "/language/zh-cn.xml", - "/productdetails.asp", - "/admin/template/article_more/config.htm", - "/components/com_moofaq/includes/file_includer.php", - "/licence.txt", - "/rss.xsl", - "/vtigerservice.php", - "/mysql/main.php", - "/passwiki.php", - "/scr/soustab.php", - "/global.php", - "/email.php", - "/user.asp", - "/msd", - "/products.php", - "/cultbooking.php", - "/cron.php", - "/static/js/admincp.js", - "/comment.php", - "/maintainers", - "/modules/plain/adminpart/addplain.php", - "/wp-content/plugins/ungallery/source_vuln.php", - "/upgrade.txt", - "/category.php", - "/index_logged.php", - "/members.asp", - "/script/html.js", - "/images/ad.js", - "/awstats/awstats.pl", - "/includes/esqueletos/skel_null.php", - "/modules/profile/user.php", - "/window_top.php", - "/openbrowser.php", - "/thread.php", - "tinfoil_xss", - "/includes/include.php", - "/urheber.php", - "/header.inc.php", - "/mysqldumper", - "/display.php", - "/website.php", - "/stats.php", - "/assets/plugins/mp3_id/mp3_id.php", - "/siteminderagent/forms/smpwservices.fcc" - ] - } - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "nfd-000-002", - "name": "Detect failed attempt to fetch readme files", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - 
"case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "readme\\.[\\.a-z0-9]+$", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-003", - "name": "Detect failed attempt to fetch Java EE resource files", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "^(?:.*web\\-inf)(?:.*web\\.xml).*$", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-004", - "name": "Detect failed attempt to fetch code files", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "\\.(java|pyc?|rb|class)\\b", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-005", - "name": "Detect failed attempt to fetch source code archives", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } 
- ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "\\.(sql|log|ndb|gz|zip|tar\\.gz|tar|regVV|reg|conf|bz2|ini|db|war|bat|inc|btr|server|ds|conf|config|admin|master|sln|bak)\\b(?:[^.]|$)", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-006", - "name": "Detect failed attempt to fetch sensitive files", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "\\.(cgi|bat|dll|exe|key|cert|crt|pem|der|pkcs|pkcs|pkcs[0-9]*|nsf|jsa|war|java|class|vb|vba|so|git|svn|hg|cvs)([^a-zA-Z0-9_]|$)", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-007", - "name": "Detect failed attempt to fetch archives", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "/[\\d\\-_]*\\.(rar|tar|zip|7z|gz|tgz|tar.gz)", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-008", - "name": "Detect failed attempt to trigger incorrect application behavior", - 
"tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "(/(administrator/components/com.*\\.php|response\\.write\\(.+\\))|select\\(.+\\)from|\\(.*sleep\\(.+\\)|(%[a-zA-Z0-9]{2}[a-zA-Z]{0,1})+\\))", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "nfd-000-009", - "name": "Detect failed attempt to leak the structure of the application", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.response.status" - } - ], - "regex": "^404$", - "options": { - "case_sensitive": true - } - } - }, - { - "operator": "match_regex", - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - } - ], - "regex": "/(login\\.rol|LICENSE|[\\w-]+\\.(plx|pwd))$", - "options": { - "case_sensitive": false - } - } - } - ], - "transformers": [] - }, - { - "id": "sqr-000-001", - "name": "SSRF: Try to access the credential manager of the main cloud services", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": 
"(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/", - "options": { - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "sqr-000-002", - "name": "Server-side Javascript injection: Try to detect obvious JS injection", - "tags": { - "type": "js_code_injection", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)", - "options": { - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "removeNulls" - ] - }, - { - "id": "sqr-000-008", - "name": "Windows: Detect attempts to exfiltrate .ini files", - "tags": { - "type": "command_injection", - "category": "attack_attempt", - "cwe": "78", - "capec": "1000/152/248/88", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "sqr-000-009", - "name": "Linux: Detect attempts to exfiltrate passwd files", - "tags": { - "type": "command_injection", - "category": "attack_attempt", - "cwe": "78", - "capec": "1000/152/248/88", - "confidence": "1" - }, - 
"conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i)[&|]\\s*cat\\s*\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "cmdLine" - ] - }, - { - "id": "sqr-000-010", - "name": "Windows: Detect attempts to timeout a shell", - "tags": { - "type": "command_injection", - "category": "attack_attempt", - "cwe": "78", - "capec": "1000/152/248/88", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "sqr-000-011", - "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman", - "options": { - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "sqr-000-012", - "name": "SSRF: 
Detect SSRF attempt on internal service", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/[^:@]*)?$" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "sqr-000-013", - "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "sqr-000-014", - "name": "SSRF: Detect SSRF domain redirection bypass", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - 
} - ], - "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii.one|act1on3.ru)" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "sqr-000-015", - "name": "SSRF: Detect SSRF attempt using non HTTP protocol", - "tags": { - "type": "ssrf", - "category": "attack_attempt", - "cwe": "918", - "capec": "1000/225/115/664", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})" - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "sqr-000-017", - "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228", - "tags": { - "type": "exploit_detection", - "category": "attack_attempt", - "cwe": "94", - "capec": "1000/152/242", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.uri.raw" - }, - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "server.request.headers.no_cookies" - }, - { - "address": "grpc.server.request.message" - }, - { - "address": "graphql.server.all_resolvers" - } - ], - "regex": "\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}" - }, - "operator": "match_regex" - } - ], - "transformers": [ 
- "unicode_normalize" - ] - }, - { - "id": "ua0-600-0xx", - "name": "Joomla exploitation tool", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Joomla exploitation tool", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "JDatabaseDriverMysqli" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-10x", - "name": "Nessus", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nessus", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)^Nessus(/|([ :]+SOAP))" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-12x", - "name": "Arachni", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Arachni", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^Arachni\\/v" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-13x", - "name": "Jorgee", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Jorgee", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bJorgee\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-14x", - "name": "Probely", - "tags": { - "type": 
"commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Probely", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bProbely\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-15x", - "name": "Metis", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Metis", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bmetis\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-16x", - "name": "SQL power injector", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "SQLPowerInjector", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "sql power injector" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-18x", - "name": "N-Stealth", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "N-Stealth", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bn-stealth\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-19x", - "name": "Brutus", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Brutus", - 
"confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bbrutus\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-1xx", - "name": "Shellshock exploitation tool", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "\\(\\) \\{ :; *\\}" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-20x", - "name": "Netsparker", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Netsparker", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "\\bnetsparker\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-22x", - "name": "JAASCois", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "JAASCois", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bjaascois\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-26x", - "name": "Nsauditor", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nsauditor", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - 
"key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bnsauditor\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-27x", - "name": "Paros", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Paros", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)Mozilla/.* Paros/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-28x", - "name": "DirBuster", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "DirBuster", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bdirbuster\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-29x", - "name": "Pangolin", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Pangolin", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bpangolin\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-2xx", - "name": "Qualys", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Qualys", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bqualys\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] 
- }, - { - "id": "ua0-600-30x", - "name": "SQLNinja", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "SQLNinja", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bsqlninja\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-31x", - "name": "Nikto", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nikto", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "\\(Nikto/[\\d\\.]+\\)" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-33x", - "name": "BlackWidow", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "BlackWidow", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bblack\\s?widow\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-34x", - "name": "Grendel-Scan", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Grendel-Scan", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bgrendel-scan\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-35x", - "name": "Havij", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", 
- "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Havij", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bhavij\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-36x", - "name": "w3af", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "w3af", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bw3af\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-37x", - "name": "Nmap", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nmap", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "nmap (nse|scripting engine)" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-39x", - "name": "Nessus Scripted", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nessus", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-3xx", - "name": "Evil Scanner", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "EvilScanner", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { 
- "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bevilScanner\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-40x", - "name": "WebFuck", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "WebFuck", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bWebFuck\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-42x", - "name": "OpenVAS", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "OpenVAS", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)OpenVAS\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-43x", - "name": "Spider-Pig", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Spider-Pig", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "Powered by Spider-Pig by tinfoilsecurity\\.com" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-44x", - "name": "Zgrab", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Zgrab", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - 
"regex": "Mozilla/\\d+.\\d+ zgrab" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-45x", - "name": "Zmeu", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Zmeu", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bZmEu\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-47x", - "name": "GoogleSecurityScanner", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "GoogleSecurityScanner", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bGoogleSecurityScanner\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-48x", - "name": "Commix", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Commix", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^commix\\/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-49x", - "name": "Gobuster", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Gobuster", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^gobuster\\/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": 
"ua0-600-4xx", - "name": "CGIchk", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "CGIchk", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bcgichk\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-51x", - "name": "FFUF", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "FFUF", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)^Fuzz Faster U Fool\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-52x", - "name": "Nuclei", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Nuclei", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)^Nuclei\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-53x", - "name": "Tsunami", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Tsunami", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bTsunamiSecurityScanner\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-54x", - "name": "Nimbostratus", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": 
"1000/118/169", - "tool_name": "Nimbostratus", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bnimbostratus-bot\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-55x", - "name": "Datadog test scanner: user-agent", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Datadog Canary Test", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "grpc.server.request.metadata", - "key_path": [ - "dd-canary" - ] - } - ], - "regex": "^dd-test-scanner-log(?:$|/|\\s)" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-56x", - "name": "Datadog test scanner - blocking version: user-agent", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Datadog Canary Test", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - }, - { - "address": "grpc.server.request.metadata", - "key_path": [ - "dd-canary" - ] - } - ], - "regex": "^dd-test-scanner-log-block(?:$|/|\\s)" - }, - "operator": "match_regex" - } - ], - "transformers": [], - "on_match": [ - "block" - ] - }, - { - "id": "ua0-600-57x", - "name": "AlertLogic", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "AlertLogic", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": 
"\\bAlertLogic-MDR-" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-58x", - "name": "wfuzz", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "wfuzz", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "\\bwfuzz\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-59x", - "name": "Detectify", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Detectify", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "\\bdetectify\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-5xx", - "name": "Blind SQL Injection Brute Forcer", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "BSQLBF", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bbsqlbf\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-60x", - "name": "masscan", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "masscan", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^masscan/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-61x", - "name": "WPScan", - 
"tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "WPScan", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^wpscan\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-62x", - "name": "Aon pentesting services", - "tags": { - "type": "commercial_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "Aon", - "confidence": "0" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^Aon/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-6xx", - "name": "Stealthy scanner", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "mozilla/4\\.0 \\(compatible(; msie (?:6\\.0; win32|4\\.0; Windows NT))?\\)", - "options": { - "case_sensitive": false - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-7xx", - "name": "SQLmap", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - "cwe": "200", - "capec": "1000/118/169", - "tool_name": "SQLmap", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "^sqlmap/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-9xx", - "name": "Skipfish", - "tags": { - "type": "attack_tool", - "category": "attack_attempt", - 
"cwe": "200", - "capec": "1000/118/169", - "tool_name": "Skipfish", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)mozilla/5\\.0 sf/" - }, - "operator": "match_regex" - } - ], - "transformers": [] - } - ] -} \ No newline at end of file diff --git a/internal/appsec/rules_manager.go b/internal/appsec/rules_manager.go index 8bf12b1821..af7be195f6 100644 --- a/internal/appsec/rules_manager.go +++ b/internal/appsec/rules_manager.go @@ -11,6 +11,7 @@ import ( "gopkg.in/DataDog/dd-trace-go.v1/internal/log" + rules "github.com/DataDog/appsec-internal-go/appsec" rc "github.com/DataDog/datadog-agent/pkg/remoteconfig/state" ) @@ -57,7 +58,7 @@ type ( // defaultRulesFragment returns a rulesFragment created using the default static recommended rules func defaultRulesFragment() rulesFragment { var f rulesFragment - if err := json.Unmarshal([]byte(staticRecommendedRules), &f); err != nil { + if err := json.Unmarshal([]byte(rules.StaticRecommendedRules), &f); err != nil { log.Debug("appsec: error unmarshalling default rules: %v", err) } return f
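Review bot: In the `defaultRulesFragment` hunk, a failure to unmarshal `rules.StaticRecommendedRules` is still only logged at debug level and the zero-value `rulesFragment` is returned, so a malformed or schema-incompatible rules blob coming from the upgraded dependency would leave AppSec running with no default rules and no visible signal. Now that the ruleset is sourced from an external module instead of the in-tree `rules.json` this commit deletes, a dependency bump is exactly when such a mismatch can appear, so the failure should be loud: `log.Error("appsec: error unmarshalling default rules: %v", err)` (assuming the internal log package exposes an error level alongside `Debug`), or better, return the error so the caller can refuse to start with an empty ruleset rather than silently degrading. A one-line comment above the call, `// StaticRecommendedRules is a JSON document shipped by appsec-internal-go; an unmarshal error here means the dependency and this fragment schema are out of sync.`, would also tell the next maintainer where the data now comes from. The `[]byte(...)` conversion presumes the exported value is a string; if the new module already exposes bytes the copy is unnecessary, but that cannot be confirmed from this hunk.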