datadog 2.0.0.beta1
- checksums.yaml +7 -0
- data/CHANGELOG.md +4236 -0
- data/LICENSE +6 -0
- data/LICENSE-3rdparty.csv +7 -0
- data/LICENSE.Apache +200 -0
- data/LICENSE.BSD3 +24 -0
- data/NOTICE +4 -0
- data/README.md +25 -0
- data/bin/ddprofrb +15 -0
- data/ext/datadog_profiling_loader/datadog_profiling_loader.c +134 -0
- data/ext/datadog_profiling_loader/extconf.rb +72 -0
- data/ext/datadog_profiling_native_extension/NativeExtensionDesign.md +156 -0
- data/ext/datadog_profiling_native_extension/clock_id.h +22 -0
- data/ext/datadog_profiling_native_extension/clock_id_from_pthread.c +56 -0
- data/ext/datadog_profiling_native_extension/clock_id_noop.c +22 -0
- data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +1153 -0
- data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.c +422 -0
- data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.h +101 -0
- data/ext/datadog_profiling_native_extension/collectors_dynamic_sampling_rate.c +150 -0
- data/ext/datadog_profiling_native_extension/collectors_dynamic_sampling_rate.h +18 -0
- data/ext/datadog_profiling_native_extension/collectors_gc_profiling_helper.c +156 -0
- data/ext/datadog_profiling_native_extension/collectors_gc_profiling_helper.h +5 -0
- data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.c +244 -0
- data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.h +3 -0
- data/ext/datadog_profiling_native_extension/collectors_stack.c +372 -0
- data/ext/datadog_profiling_native_extension/collectors_stack.h +27 -0
- data/ext/datadog_profiling_native_extension/collectors_thread_context.c +1391 -0
- data/ext/datadog_profiling_native_extension/collectors_thread_context.h +15 -0
- data/ext/datadog_profiling_native_extension/extconf.rb +302 -0
- data/ext/datadog_profiling_native_extension/heap_recorder.c +970 -0
- data/ext/datadog_profiling_native_extension/heap_recorder.h +155 -0
- data/ext/datadog_profiling_native_extension/helpers.h +23 -0
- data/ext/datadog_profiling_native_extension/http_transport.c +375 -0
- data/ext/datadog_profiling_native_extension/libdatadog_helpers.c +62 -0
- data/ext/datadog_profiling_native_extension/libdatadog_helpers.h +42 -0
- data/ext/datadog_profiling_native_extension/native_extension_helpers.rb +319 -0
- data/ext/datadog_profiling_native_extension/private_vm_api_access.c +892 -0
- data/ext/datadog_profiling_native_extension/private_vm_api_access.h +61 -0
- data/ext/datadog_profiling_native_extension/profiling.c +267 -0
- data/ext/datadog_profiling_native_extension/ruby_helpers.c +267 -0
- data/ext/datadog_profiling_native_extension/ruby_helpers.h +119 -0
- data/ext/datadog_profiling_native_extension/setup_signal_handler.c +115 -0
- data/ext/datadog_profiling_native_extension/setup_signal_handler.h +11 -0
- data/ext/datadog_profiling_native_extension/stack_recorder.c +941 -0
- data/ext/datadog_profiling_native_extension/stack_recorder.h +27 -0
- data/ext/datadog_profiling_native_extension/time_helpers.c +53 -0
- data/ext/datadog_profiling_native_extension/time_helpers.h +26 -0
- data/lib/datadog/appsec/assets/blocked.html +99 -0
- data/lib/datadog/appsec/assets/blocked.json +1 -0
- data/lib/datadog/appsec/assets/blocked.text +5 -0
- data/lib/datadog/appsec/assets/waf_rules/README.md +7 -0
- data/lib/datadog/appsec/assets/waf_rules/processors.json +92 -0
- data/lib/datadog/appsec/assets/waf_rules/recommended.json +7703 -0
- data/lib/datadog/appsec/assets/waf_rules/scanners.json +114 -0
- data/lib/datadog/appsec/assets/waf_rules/strict.json +1635 -0
- data/lib/datadog/appsec/assets.rb +46 -0
- data/lib/datadog/appsec/autoload.rb +13 -0
- data/lib/datadog/appsec/component.rb +94 -0
- data/lib/datadog/appsec/configuration/settings.rb +202 -0
- data/lib/datadog/appsec/configuration.rb +11 -0
- data/lib/datadog/appsec/contrib/auto_instrument.rb +25 -0
- data/lib/datadog/appsec/contrib/devise/event.rb +57 -0
- data/lib/datadog/appsec/contrib/devise/ext.rb +13 -0
- data/lib/datadog/appsec/contrib/devise/integration.rb +42 -0
- data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +76 -0
- data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +54 -0
- data/lib/datadog/appsec/contrib/devise/patcher.rb +45 -0
- data/lib/datadog/appsec/contrib/devise/resource.rb +35 -0
- data/lib/datadog/appsec/contrib/devise/tracking.rb +49 -0
- data/lib/datadog/appsec/contrib/integration.rb +37 -0
- data/lib/datadog/appsec/contrib/patcher.rb +12 -0
- data/lib/datadog/appsec/contrib/rack/ext.rb +13 -0
- data/lib/datadog/appsec/contrib/rack/gateway/request.rb +104 -0
- data/lib/datadog/appsec/contrib/rack/gateway/response.rb +30 -0
- data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +162 -0
- data/lib/datadog/appsec/contrib/rack/integration.rb +44 -0
- data/lib/datadog/appsec/contrib/rack/patcher.rb +34 -0
- data/lib/datadog/appsec/contrib/rack/reactive/request.rb +81 -0
- data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +60 -0
- data/lib/datadog/appsec/contrib/rack/reactive/response.rb +66 -0
- data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +44 -0
- data/lib/datadog/appsec/contrib/rack/request_middleware.rb +196 -0
- data/lib/datadog/appsec/contrib/rails/ext.rb +13 -0
- data/lib/datadog/appsec/contrib/rails/framework.rb +16 -0
- data/lib/datadog/appsec/contrib/rails/gateway/request.rb +67 -0
- data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +71 -0
- data/lib/datadog/appsec/contrib/rails/integration.rb +43 -0
- data/lib/datadog/appsec/contrib/rails/patcher.rb +166 -0
- data/lib/datadog/appsec/contrib/rails/reactive/action.rb +66 -0
- data/lib/datadog/appsec/contrib/rails/request.rb +36 -0
- data/lib/datadog/appsec/contrib/rails/request_middleware.rb +20 -0
- data/lib/datadog/appsec/contrib/sinatra/ext.rb +14 -0
- data/lib/datadog/appsec/contrib/sinatra/framework.rb +20 -0
- data/lib/datadog/appsec/contrib/sinatra/gateway/request.rb +17 -0
- data/lib/datadog/appsec/contrib/sinatra/gateway/route_params.rb +23 -0
- data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +117 -0
- data/lib/datadog/appsec/contrib/sinatra/integration.rb +43 -0
- data/lib/datadog/appsec/contrib/sinatra/patcher.rb +168 -0
- data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +61 -0
- data/lib/datadog/appsec/contrib/sinatra/request_middleware.rb +20 -0
- data/lib/datadog/appsec/event.rb +171 -0
- data/lib/datadog/appsec/ext.rb +10 -0
- data/lib/datadog/appsec/extensions.rb +15 -0
- data/lib/datadog/appsec/instrumentation/gateway/argument.rb +22 -0
- data/lib/datadog/appsec/instrumentation/gateway.rb +64 -0
- data/lib/datadog/appsec/instrumentation.rb +9 -0
- data/lib/datadog/appsec/monitor/gateway/watcher.rb +67 -0
- data/lib/datadog/appsec/monitor/reactive/set_user.rb +58 -0
- data/lib/datadog/appsec/monitor.rb +11 -0
- data/lib/datadog/appsec/processor/actions.rb +49 -0
- data/lib/datadog/appsec/processor/rule_loader.rb +123 -0
- data/lib/datadog/appsec/processor/rule_merger.rb +152 -0
- data/lib/datadog/appsec/processor.rb +171 -0
- data/lib/datadog/appsec/rate_limiter.rb +60 -0
- data/lib/datadog/appsec/reactive/address_hash.rb +22 -0
- data/lib/datadog/appsec/reactive/engine.rb +47 -0
- data/lib/datadog/appsec/reactive/operation.rb +68 -0
- data/lib/datadog/appsec/reactive/subscriber.rb +19 -0
- data/lib/datadog/appsec/remote.rb +129 -0
- data/lib/datadog/appsec/response.rb +151 -0
- data/lib/datadog/appsec/sample_rate.rb +21 -0
- data/lib/datadog/appsec/scope.rb +61 -0
- data/lib/datadog/appsec/utils/http/media_range.rb +201 -0
- data/lib/datadog/appsec/utils/http/media_type.rb +87 -0
- data/lib/datadog/appsec/utils/http.rb +11 -0
- data/lib/datadog/appsec/utils.rb +9 -0
- data/lib/datadog/appsec.rb +60 -0
- data/lib/datadog/auto_instrument.rb +16 -0
- data/lib/datadog/auto_instrument_base.rb +8 -0
- data/lib/datadog/core/buffer/cruby.rb +55 -0
- data/lib/datadog/core/buffer/random.rb +134 -0
- data/lib/datadog/core/buffer/thread_safe.rb +58 -0
- data/lib/datadog/core/chunker.rb +35 -0
- data/lib/datadog/core/configuration/agent_settings_resolver.rb +352 -0
- data/lib/datadog/core/configuration/base.rb +91 -0
- data/lib/datadog/core/configuration/components.rb +177 -0
- data/lib/datadog/core/configuration/ext.rb +45 -0
- data/lib/datadog/core/configuration/option.rb +319 -0
- data/lib/datadog/core/configuration/option_definition.rb +165 -0
- data/lib/datadog/core/configuration/options.rb +128 -0
- data/lib/datadog/core/configuration/settings.rb +786 -0
- data/lib/datadog/core/configuration.rb +296 -0
- data/lib/datadog/core/diagnostics/environment_logger.rb +173 -0
- data/lib/datadog/core/diagnostics/health.rb +19 -0
- data/lib/datadog/core/encoding.rb +74 -0
- data/lib/datadog/core/environment/cgroup.rb +53 -0
- data/lib/datadog/core/environment/class_count.rb +21 -0
- data/lib/datadog/core/environment/container.rb +91 -0
- data/lib/datadog/core/environment/execution.rb +103 -0
- data/lib/datadog/core/environment/ext.rb +45 -0
- data/lib/datadog/core/environment/gc.rb +20 -0
- data/lib/datadog/core/environment/git.rb +25 -0
- data/lib/datadog/core/environment/identity.rb +84 -0
- data/lib/datadog/core/environment/platform.rb +40 -0
- data/lib/datadog/core/environment/socket.rb +24 -0
- data/lib/datadog/core/environment/thread_count.rb +20 -0
- data/lib/datadog/core/environment/variable_helpers.rb +53 -0
- data/lib/datadog/core/environment/vm_cache.rb +64 -0
- data/lib/datadog/core/environment/yjit.rb +58 -0
- data/lib/datadog/core/error.rb +100 -0
- data/lib/datadog/core/extensions.rb +16 -0
- data/lib/datadog/core/git/ext.rb +16 -0
- data/lib/datadog/core/header_collection.rb +43 -0
- data/lib/datadog/core/logger.rb +45 -0
- data/lib/datadog/core/logging/ext.rb +13 -0
- data/lib/datadog/core/metrics/client.rb +199 -0
- data/lib/datadog/core/metrics/ext.rb +18 -0
- data/lib/datadog/core/metrics/helpers.rb +25 -0
- data/lib/datadog/core/metrics/logging.rb +44 -0
- data/lib/datadog/core/metrics/metric.rb +14 -0
- data/lib/datadog/core/metrics/options.rb +52 -0
- data/lib/datadog/core/pin.rb +75 -0
- data/lib/datadog/core/remote/client/capabilities.rb +62 -0
- data/lib/datadog/core/remote/client.rb +234 -0
- data/lib/datadog/core/remote/component.rb +162 -0
- data/lib/datadog/core/remote/configuration/content.rb +111 -0
- data/lib/datadog/core/remote/configuration/digest.rb +62 -0
- data/lib/datadog/core/remote/configuration/path.rb +90 -0
- data/lib/datadog/core/remote/configuration/repository.rb +294 -0
- data/lib/datadog/core/remote/configuration/target.rb +74 -0
- data/lib/datadog/core/remote/configuration.rb +18 -0
- data/lib/datadog/core/remote/dispatcher.rb +59 -0
- data/lib/datadog/core/remote/ext.rb +13 -0
- data/lib/datadog/core/remote/negotiation.rb +70 -0
- data/lib/datadog/core/remote/tie/tracing.rb +39 -0
- data/lib/datadog/core/remote/tie.rb +27 -0
- data/lib/datadog/core/remote/transport/config.rb +60 -0
- data/lib/datadog/core/remote/transport/http/api/instance.rb +39 -0
- data/lib/datadog/core/remote/transport/http/api/spec.rb +21 -0
- data/lib/datadog/core/remote/transport/http/api.rb +58 -0
- data/lib/datadog/core/remote/transport/http/builder.rb +219 -0
- data/lib/datadog/core/remote/transport/http/client.rb +48 -0
- data/lib/datadog/core/remote/transport/http/config.rb +280 -0
- data/lib/datadog/core/remote/transport/http/negotiation.rb +146 -0
- data/lib/datadog/core/remote/transport/http.rb +147 -0
- data/lib/datadog/core/remote/transport/negotiation.rb +62 -0
- data/lib/datadog/core/remote/worker.rb +102 -0
- data/lib/datadog/core/remote.rb +24 -0
- data/lib/datadog/core/runtime/ext.rb +38 -0
- data/lib/datadog/core/runtime/metrics.rb +185 -0
- data/lib/datadog/core/telemetry/client.rb +87 -0
- data/lib/datadog/core/telemetry/collector.rb +248 -0
- data/lib/datadog/core/telemetry/emitter.rb +50 -0
- data/lib/datadog/core/telemetry/event.rb +83 -0
- data/lib/datadog/core/telemetry/ext.rb +15 -0
- data/lib/datadog/core/telemetry/heartbeat.rb +35 -0
- data/lib/datadog/core/telemetry/http/adapters/net.rb +113 -0
- data/lib/datadog/core/telemetry/http/env.rb +20 -0
- data/lib/datadog/core/telemetry/http/ext.rb +22 -0
- data/lib/datadog/core/telemetry/http/response.rb +66 -0
- data/lib/datadog/core/telemetry/http/transport.rb +56 -0
- data/lib/datadog/core/telemetry/v1/app_event.rb +59 -0
- data/lib/datadog/core/telemetry/v1/application.rb +94 -0
- data/lib/datadog/core/telemetry/v1/configuration.rb +27 -0
- data/lib/datadog/core/telemetry/v1/dependency.rb +45 -0
- data/lib/datadog/core/telemetry/v1/host.rb +59 -0
- data/lib/datadog/core/telemetry/v1/install_signature.rb +38 -0
- data/lib/datadog/core/telemetry/v1/integration.rb +66 -0
- data/lib/datadog/core/telemetry/v1/product.rb +36 -0
- data/lib/datadog/core/telemetry/v1/telemetry_request.rb +108 -0
- data/lib/datadog/core/telemetry/v2/app_client_configuration_change.rb +41 -0
- data/lib/datadog/core/telemetry/v2/request.rb +29 -0
- data/lib/datadog/core/transport/ext.rb +43 -0
- data/lib/datadog/core/transport/http/adapters/net.rb +159 -0
- data/lib/datadog/core/transport/http/adapters/registry.rb +29 -0
- data/lib/datadog/core/transport/http/adapters/test.rb +89 -0
- data/lib/datadog/core/transport/http/adapters/unix_socket.rb +83 -0
- data/lib/datadog/core/transport/http/api/endpoint.rb +31 -0
- data/lib/datadog/core/transport/http/api/fallbacks.rb +26 -0
- data/lib/datadog/core/transport/http/api/map.rb +18 -0
- data/lib/datadog/core/transport/http/env.rb +62 -0
- data/lib/datadog/core/transport/http/response.rb +60 -0
- data/lib/datadog/core/transport/parcel.rb +22 -0
- data/lib/datadog/core/transport/request.rb +17 -0
- data/lib/datadog/core/transport/response.rb +64 -0
- data/lib/datadog/core/utils/duration.rb +52 -0
- data/lib/datadog/core/utils/forking.rb +63 -0
- data/lib/datadog/core/utils/hash.rb +79 -0
- data/lib/datadog/core/utils/network.rb +121 -0
- data/lib/datadog/core/utils/only_once.rb +42 -0
- data/lib/datadog/core/utils/safe_dup.rb +40 -0
- data/lib/datadog/core/utils/sequence.rb +26 -0
- data/lib/datadog/core/utils/time.rb +52 -0
- data/lib/datadog/core/utils/url.rb +25 -0
- data/lib/datadog/core/utils.rb +94 -0
- data/lib/datadog/core/vendor/multipart-post/LICENSE +11 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +118 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +59 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +137 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post/version.rb +11 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post.rb +10 -0
- data/lib/datadog/core/vendor/multipart-post/multipart.rb +14 -0
- data/lib/datadog/core/vendor/multipart-post/net/http/post/multipart.rb +34 -0
- data/lib/datadog/core/worker.rb +24 -0
- data/lib/datadog/core/workers/async.rb +185 -0
- data/lib/datadog/core/workers/interval_loop.rb +123 -0
- data/lib/datadog/core/workers/polling.rb +59 -0
- data/lib/datadog/core/workers/queue.rb +44 -0
- data/lib/datadog/core/workers/runtime_metrics.rb +62 -0
- data/lib/datadog/core.rb +45 -0
- data/lib/datadog/kit/appsec/events.rb +169 -0
- data/lib/datadog/kit/enable_core_dumps.rb +49 -0
- data/lib/datadog/kit/identity.rb +104 -0
- data/lib/datadog/kit.rb +11 -0
- data/lib/datadog/opentelemetry/api/context.rb +193 -0
- data/lib/datadog/opentelemetry/api/trace/span.rb +14 -0
- data/lib/datadog/opentelemetry/sdk/configurator.rb +37 -0
- data/lib/datadog/opentelemetry/sdk/id_generator.rb +26 -0
- data/lib/datadog/opentelemetry/sdk/propagator.rb +92 -0
- data/lib/datadog/opentelemetry/sdk/span_processor.rb +134 -0
- data/lib/datadog/opentelemetry/sdk/trace/span.rb +167 -0
- data/lib/datadog/opentelemetry/trace.rb +59 -0
- data/lib/datadog/opentelemetry.rb +51 -0
- data/lib/datadog/profiling/collectors/code_provenance.rb +113 -0
- data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +114 -0
- data/lib/datadog/profiling/collectors/dynamic_sampling_rate.rb +14 -0
- data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +70 -0
- data/lib/datadog/profiling/collectors/info.rb +103 -0
- data/lib/datadog/profiling/collectors/stack.rb +13 -0
- data/lib/datadog/profiling/collectors/thread_context.rb +61 -0
- data/lib/datadog/profiling/component.rb +418 -0
- data/lib/datadog/profiling/exporter.rb +103 -0
- data/lib/datadog/profiling/ext/forking.rb +98 -0
- data/lib/datadog/profiling/ext.rb +35 -0
- data/lib/datadog/profiling/flush.rb +43 -0
- data/lib/datadog/profiling/http_transport.rb +143 -0
- data/lib/datadog/profiling/load_native_extension.rb +28 -0
- data/lib/datadog/profiling/native_extension.rb +20 -0
- data/lib/datadog/profiling/preload.rb +5 -0
- data/lib/datadog/profiling/profiler.rb +64 -0
- data/lib/datadog/profiling/scheduler.rb +137 -0
- data/lib/datadog/profiling/stack_recorder.rb +69 -0
- data/lib/datadog/profiling/tag_builder.rb +60 -0
- data/lib/datadog/profiling/tasks/exec.rb +50 -0
- data/lib/datadog/profiling/tasks/help.rb +18 -0
- data/lib/datadog/profiling/tasks/setup.rb +60 -0
- data/lib/datadog/profiling.rb +152 -0
- data/lib/datadog/tracing/analytics.rb +25 -0
- data/lib/datadog/tracing/buffer.rb +129 -0
- data/lib/datadog/tracing/client_ip.rb +61 -0
- data/lib/datadog/tracing/component.rb +206 -0
- data/lib/datadog/tracing/configuration/dynamic/option.rb +71 -0
- data/lib/datadog/tracing/configuration/dynamic.rb +64 -0
- data/lib/datadog/tracing/configuration/ext.rb +98 -0
- data/lib/datadog/tracing/configuration/http.rb +74 -0
- data/lib/datadog/tracing/configuration/settings.rb +421 -0
- data/lib/datadog/tracing/context.rb +68 -0
- data/lib/datadog/tracing/context_provider.rb +82 -0
- data/lib/datadog/tracing/contrib/action_cable/configuration/settings.rb +39 -0
- data/lib/datadog/tracing/contrib/action_cable/event.rb +71 -0
- data/lib/datadog/tracing/contrib/action_cable/events/broadcast.rb +58 -0
- data/lib/datadog/tracing/contrib/action_cable/events/perform_action.rb +63 -0
- data/lib/datadog/tracing/contrib/action_cable/events/transmit.rb +59 -0
- data/lib/datadog/tracing/contrib/action_cable/events.rb +37 -0
- data/lib/datadog/tracing/contrib/action_cable/ext.rb +33 -0
- data/lib/datadog/tracing/contrib/action_cable/instrumentation.rb +90 -0
- data/lib/datadog/tracing/contrib/action_cable/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/action_cable/patcher.rb +31 -0
- data/lib/datadog/tracing/contrib/action_mailer/configuration/settings.rb +43 -0
- data/lib/datadog/tracing/contrib/action_mailer/event.rb +52 -0
- data/lib/datadog/tracing/contrib/action_mailer/events/deliver.rb +60 -0
- data/lib/datadog/tracing/contrib/action_mailer/events/process.rb +47 -0
- data/lib/datadog/tracing/contrib/action_mailer/events.rb +34 -0
- data/lib/datadog/tracing/contrib/action_mailer/ext.rb +34 -0
- data/lib/datadog/tracing/contrib/action_mailer/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/action_mailer/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +138 -0
- data/lib/datadog/tracing/contrib/action_pack/action_controller/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/action_pack/configuration/settings.rb +40 -0
- data/lib/datadog/tracing/contrib/action_pack/ext.rb +23 -0
- data/lib/datadog/tracing/contrib/action_pack/integration.rb +51 -0
- data/lib/datadog/tracing/contrib/action_pack/patcher.rb +27 -0
- data/lib/datadog/tracing/contrib/action_pack/utils.rb +40 -0
- data/lib/datadog/tracing/contrib/action_view/configuration/settings.rb +43 -0
- data/lib/datadog/tracing/contrib/action_view/event.rb +35 -0
- data/lib/datadog/tracing/contrib/action_view/events/render_partial.rb +54 -0
- data/lib/datadog/tracing/contrib/action_view/events/render_template.rb +57 -0
- data/lib/datadog/tracing/contrib/action_view/events.rb +34 -0
- data/lib/datadog/tracing/contrib/action_view/ext.rb +25 -0
- data/lib/datadog/tracing/contrib/action_view/integration.rb +58 -0
- data/lib/datadog/tracing/contrib/action_view/patcher.rb +34 -0
- data/lib/datadog/tracing/contrib/action_view/utils.rb +36 -0
- data/lib/datadog/tracing/contrib/active_job/configuration/settings.rb +39 -0
- data/lib/datadog/tracing/contrib/active_job/event.rb +58 -0
- data/lib/datadog/tracing/contrib/active_job/events/discard.rb +50 -0
- data/lib/datadog/tracing/contrib/active_job/events/enqueue.rb +49 -0
- data/lib/datadog/tracing/contrib/active_job/events/enqueue_at.rb +49 -0
- data/lib/datadog/tracing/contrib/active_job/events/enqueue_retry.rb +51 -0
- data/lib/datadog/tracing/contrib/active_job/events/perform.rb +49 -0
- data/lib/datadog/tracing/contrib/active_job/events/retry_stopped.rb +50 -0
- data/lib/datadog/tracing/contrib/active_job/events.rb +42 -0
- data/lib/datadog/tracing/contrib/active_job/ext.rb +40 -0
- data/lib/datadog/tracing/contrib/active_job/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/active_job/log_injection.rb +24 -0
- data/lib/datadog/tracing/contrib/active_job/patcher.rb +36 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/configuration/settings.rb +37 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/event.rb +68 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/events/render.rb +45 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/events/serialize.rb +47 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/events.rb +34 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/ext.rb +25 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/integration.rb +45 -0
- data/lib/datadog/tracing/contrib/active_model_serializers/patcher.rb +32 -0
- data/lib/datadog/tracing/contrib/active_record/configuration/makara_resolver.rb +36 -0
- data/lib/datadog/tracing/contrib/active_record/configuration/resolver.rb +147 -0
- data/lib/datadog/tracing/contrib/active_record/configuration/settings.rb +48 -0
- data/lib/datadog/tracing/contrib/active_record/event.rb +30 -0
- data/lib/datadog/tracing/contrib/active_record/events/instantiation.rb +58 -0
- data/lib/datadog/tracing/contrib/active_record/events/sql.rb +77 -0
- data/lib/datadog/tracing/contrib/active_record/events.rb +34 -0
- data/lib/datadog/tracing/contrib/active_record/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/active_record/integration.rb +57 -0
- data/lib/datadog/tracing/contrib/active_record/patcher.rb +27 -0
- data/lib/datadog/tracing/contrib/active_record/utils.rb +128 -0
- data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +186 -0
- data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +76 -0
- data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +47 -0
- data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +47 -0
- data/lib/datadog/tracing/contrib/active_support/ext.rb +32 -0
- data/lib/datadog/tracing/contrib/active_support/integration.rb +52 -0
- data/lib/datadog/tracing/contrib/active_support/notifications/event.rb +71 -0
- data/lib/datadog/tracing/contrib/active_support/notifications/subscriber.rb +71 -0
- data/lib/datadog/tracing/contrib/active_support/notifications/subscription.rb +164 -0
- data/lib/datadog/tracing/contrib/active_support/patcher.rb +27 -0
- data/lib/datadog/tracing/contrib/analytics.rb +28 -0
- data/lib/datadog/tracing/contrib/auto_instrument.rb +53 -0
- data/lib/datadog/tracing/contrib/aws/configuration/settings.rb +53 -0
- data/lib/datadog/tracing/contrib/aws/ext.rb +50 -0
- data/lib/datadog/tracing/contrib/aws/instrumentation.rb +119 -0
- data/lib/datadog/tracing/contrib/aws/integration.rb +47 -0
- data/lib/datadog/tracing/contrib/aws/parsed_context.rb +64 -0
- data/lib/datadog/tracing/contrib/aws/patcher.rb +57 -0
- data/lib/datadog/tracing/contrib/aws/service/base.rb +16 -0
- data/lib/datadog/tracing/contrib/aws/service/dynamodb.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/eventbridge.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/kinesis.rb +32 -0
- data/lib/datadog/tracing/contrib/aws/service/s3.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/sns.rb +30 -0
- data/lib/datadog/tracing/contrib/aws/service/sqs.rb +27 -0
- data/lib/datadog/tracing/contrib/aws/service/states.rb +40 -0
- data/lib/datadog/tracing/contrib/aws/services.rb +139 -0
- data/lib/datadog/tracing/contrib/component.rb +41 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/async_patch.rb +20 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/configuration/settings.rb +24 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/context_composite_executor_service.rb +53 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/ext.rb +16 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/future_patch.rb +20 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/patcher.rb +49 -0
- data/lib/datadog/tracing/contrib/concurrent_ruby/promises_future_patch.rb +22 -0
- data/lib/datadog/tracing/contrib/configurable.rb +102 -0
- data/lib/datadog/tracing/contrib/configuration/resolver.rb +85 -0
- data/lib/datadog/tracing/contrib/configuration/resolvers/pattern_resolver.rb +43 -0
- data/lib/datadog/tracing/contrib/configuration/settings.rb +43 -0
- data/lib/datadog/tracing/contrib/dalli/configuration/settings.rb +58 -0
- data/lib/datadog/tracing/contrib/dalli/ext.rb +40 -0
- data/lib/datadog/tracing/contrib/dalli/instrumentation.rb +75 -0
- data/lib/datadog/tracing/contrib/dalli/integration.rb +52 -0
- data/lib/datadog/tracing/contrib/dalli/patcher.rb +28 -0
- data/lib/datadog/tracing/contrib/dalli/quantize.rb +26 -0
- data/lib/datadog/tracing/contrib/delayed_job/configuration/settings.rb +49 -0
- data/lib/datadog/tracing/contrib/delayed_job/ext.rb +29 -0
- data/lib/datadog/tracing/contrib/delayed_job/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/delayed_job/patcher.rb +37 -0
- data/lib/datadog/tracing/contrib/delayed_job/plugin.rb +108 -0
- data/lib/datadog/tracing/contrib/delayed_job/server_internal_tracer/worker.rb +34 -0
- data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +57 -0
- data/lib/datadog/tracing/contrib/elasticsearch/ext.rb +34 -0
- data/lib/datadog/tracing/contrib/elasticsearch/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +164 -0
- data/lib/datadog/tracing/contrib/elasticsearch/quantize.rb +87 -0
- data/lib/datadog/tracing/contrib/ethon/configuration/settings.rb +56 -0
- data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +223 -0
- data/lib/datadog/tracing/contrib/ethon/ext.rb +32 -0
- data/lib/datadog/tracing/contrib/ethon/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/ethon/multi_patch.rb +102 -0
- data/lib/datadog/tracing/contrib/ethon/patcher.rb +30 -0
- data/lib/datadog/tracing/contrib/excon/configuration/settings.rb +74 -0
- data/lib/datadog/tracing/contrib/excon/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/excon/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/excon/middleware.rb +196 -0
- data/lib/datadog/tracing/contrib/excon/patcher.rb +31 -0
- data/lib/datadog/tracing/contrib/ext.rb +55 -0
- data/lib/datadog/tracing/contrib/extensions.rb +228 -0
- data/lib/datadog/tracing/contrib/faraday/configuration/settings.rb +77 -0
- data/lib/datadog/tracing/contrib/faraday/connection.rb +22 -0
- data/lib/datadog/tracing/contrib/faraday/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/faraday/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/faraday/middleware.rb +112 -0
- data/lib/datadog/tracing/contrib/faraday/patcher.rb +56 -0
- data/lib/datadog/tracing/contrib/faraday/rack_builder.rb +22 -0
- data/lib/datadog/tracing/contrib/grape/configuration/settings.rb +55 -0
- data/lib/datadog/tracing/contrib/grape/endpoint.rb +256 -0
- data/lib/datadog/tracing/contrib/grape/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/grape/instrumentation.rb +37 -0
- data/lib/datadog/tracing/contrib/grape/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/grape/patcher.rb +33 -0
- data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +50 -0
- data/lib/datadog/tracing/contrib/graphql/ext.rb +20 -0
- data/lib/datadog/tracing/contrib/graphql/integration.rb +56 -0
- data/lib/datadog/tracing/contrib/graphql/patcher.rb +55 -0
- data/lib/datadog/tracing/contrib/graphql/trace_patcher.rb +24 -0
- data/lib/datadog/tracing/contrib/graphql/tracing_patcher.rb +28 -0
- data/lib/datadog/tracing/contrib/grpc/configuration/settings.rb +58 -0
- data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +117 -0
- data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +96 -0
- data/lib/datadog/tracing/contrib/grpc/datadog_interceptor.rb +107 -0
- data/lib/datadog/tracing/contrib/grpc/distributed/fetcher.rb +26 -0
- data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +46 -0
- data/lib/datadog/tracing/contrib/grpc/ext.rb +29 -0
- data/lib/datadog/tracing/contrib/grpc/formatting.rb +127 -0
- data/lib/datadog/tracing/contrib/grpc/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/grpc/intercept_with_datadog.rb +53 -0
- data/lib/datadog/tracing/contrib/grpc/patcher.rb +34 -0
- data/lib/datadog/tracing/contrib/grpc.rb +45 -0
- data/lib/datadog/tracing/contrib/hanami/action_tracer.rb +47 -0
- data/lib/datadog/tracing/contrib/hanami/configuration/settings.rb +23 -0
- data/lib/datadog/tracing/contrib/hanami/ext.rb +24 -0
- data/lib/datadog/tracing/contrib/hanami/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/hanami/patcher.rb +33 -0
- data/lib/datadog/tracing/contrib/hanami/plugin.rb +23 -0
- data/lib/datadog/tracing/contrib/hanami/renderer_policy_tracing.rb +41 -0
- data/lib/datadog/tracing/contrib/hanami/router_tracing.rb +44 -0
- data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +40 -0
- data/lib/datadog/tracing/contrib/http/configuration/settings.rb +69 -0
- data/lib/datadog/tracing/contrib/http/distributed/fetcher.rb +38 -0
- data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +45 -0
- data/lib/datadog/tracing/contrib/http/ext.rb +29 -0
- data/lib/datadog/tracing/contrib/http/instrumentation.rb +144 -0
- data/lib/datadog/tracing/contrib/http/integration.rb +49 -0
- data/lib/datadog/tracing/contrib/http/patcher.rb +30 -0
- data/lib/datadog/tracing/contrib/http.rb +45 -0
- data/lib/datadog/tracing/contrib/http_annotation_helper.rb +17 -0
- data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +68 -0
- data/lib/datadog/tracing/contrib/httpclient/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +137 -0
- data/lib/datadog/tracing/contrib/httpclient/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/httpclient/patcher.rb +42 -0
- data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +68 -0
- data/lib/datadog/tracing/contrib/httprb/ext.rb +29 -0
- data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +145 -0
- data/lib/datadog/tracing/contrib/httprb/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/httprb/patcher.rb +42 -0
- data/lib/datadog/tracing/contrib/integration.rb +78 -0
- data/lib/datadog/tracing/contrib/kafka/configuration/settings.rb +39 -0
- data/lib/datadog/tracing/contrib/kafka/consumer_event.rb +19 -0
- data/lib/datadog/tracing/contrib/kafka/consumer_group_event.rb +18 -0
- data/lib/datadog/tracing/contrib/kafka/event.rb +53 -0
- data/lib/datadog/tracing/contrib/kafka/events/connection/request.rb +42 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer/process_batch.rb +49 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer/process_message.rb +47 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer_group/heartbeat.rb +47 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer_group/join_group.rb +37 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer_group/leave_group.rb +37 -0
- data/lib/datadog/tracing/contrib/kafka/events/consumer_group/sync_group.rb +37 -0
- data/lib/datadog/tracing/contrib/kafka/events/produce_operation/send_messages.rb +41 -0
- data/lib/datadog/tracing/contrib/kafka/events/producer/deliver_messages.rb +44 -0
- data/lib/datadog/tracing/contrib/kafka/events.rb +48 -0
- data/lib/datadog/tracing/contrib/kafka/ext.rb +55 -0
- data/lib/datadog/tracing/contrib/kafka/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/kafka/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/lograge/configuration/settings.rb +24 -0
- data/lib/datadog/tracing/contrib/lograge/ext.rb +15 -0
- data/lib/datadog/tracing/contrib/lograge/instrumentation.rb +31 -0
- data/lib/datadog/tracing/contrib/lograge/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/lograge/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +56 -0
- data/lib/datadog/tracing/contrib/mongodb/ext.rb +38 -0
- data/lib/datadog/tracing/contrib/mongodb/instrumentation.rb +47 -0
- data/lib/datadog/tracing/contrib/mongodb/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/mongodb/parsers.rb +49 -0
- data/lib/datadog/tracing/contrib/mongodb/patcher.rb +34 -0
- data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +141 -0
- data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +64 -0
- data/lib/datadog/tracing/contrib/mysql2/ext.rb +28 -0
- data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +95 -0
- data/lib/datadog/tracing/contrib/mysql2/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/mysql2/patcher.rb +31 -0
- data/lib/datadog/tracing/contrib/opensearch/configuration/settings.rb +54 -0
- data/lib/datadog/tracing/contrib/opensearch/ext.rb +38 -0
- data/lib/datadog/tracing/contrib/opensearch/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/opensearch/patcher.rb +135 -0
- data/lib/datadog/tracing/contrib/opensearch/quantize.rb +81 -0
- data/lib/datadog/tracing/contrib/patchable.rb +109 -0
- data/lib/datadog/tracing/contrib/patcher.rb +85 -0
- data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +64 -0
- data/lib/datadog/tracing/contrib/pg/ext.rb +35 -0
- data/lib/datadog/tracing/contrib/pg/instrumentation.rb +211 -0
- data/lib/datadog/tracing/contrib/pg/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/pg/patcher.rb +31 -0
- data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +52 -0
- data/lib/datadog/tracing/contrib/presto/ext.rb +38 -0
- data/lib/datadog/tracing/contrib/presto/instrumentation.rb +138 -0
- data/lib/datadog/tracing/contrib/presto/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/presto/patcher.rb +37 -0
- data/lib/datadog/tracing/contrib/propagation/sql_comment/comment.rb +41 -0
- data/lib/datadog/tracing/contrib/propagation/sql_comment/ext.rb +33 -0
- data/lib/datadog/tracing/contrib/propagation/sql_comment/mode.rb +28 -0
- data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +55 -0
- data/lib/datadog/tracing/contrib/que/configuration/settings.rb +55 -0
- data/lib/datadog/tracing/contrib/que/ext.rb +33 -0
- data/lib/datadog/tracing/contrib/que/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/que/patcher.rb +26 -0
- data/lib/datadog/tracing/contrib/que/tracer.rb +63 -0
- data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +47 -0
- data/lib/datadog/tracing/contrib/racecar/event.rb +81 -0
- data/lib/datadog/tracing/contrib/racecar/events/batch.rb +38 -0
- data/lib/datadog/tracing/contrib/racecar/events/consume.rb +35 -0
- data/lib/datadog/tracing/contrib/racecar/events/message.rb +38 -0
- data/lib/datadog/tracing/contrib/racecar/events.rb +36 -0
- data/lib/datadog/tracing/contrib/racecar/ext.rb +33 -0
- data/lib/datadog/tracing/contrib/racecar/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/racecar/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/rack/configuration/settings.rb +59 -0
- data/lib/datadog/tracing/contrib/rack/ext.rb +30 -0
- data/lib/datadog/tracing/contrib/rack/header_collection.rb +40 -0
- data/lib/datadog/tracing/contrib/rack/header_tagging.rb +63 -0
- data/lib/datadog/tracing/contrib/rack/integration.rb +50 -0
- data/lib/datadog/tracing/contrib/rack/middlewares.rb +265 -0
- data/lib/datadog/tracing/contrib/rack/patcher.rb +119 -0
- data/lib/datadog/tracing/contrib/rack/request_queue.rb +48 -0
- data/lib/datadog/tracing/contrib/rack/trace_proxy_middleware.rb +52 -0
- data/lib/datadog/tracing/contrib/rails/auto_instrument_railtie.rb +10 -0
- data/lib/datadog/tracing/contrib/rails/configuration/settings.rb +76 -0
- data/lib/datadog/tracing/contrib/rails/ext.rb +23 -0
- data/lib/datadog/tracing/contrib/rails/framework.rb +148 -0
- data/lib/datadog/tracing/contrib/rails/integration.rb +52 -0
- data/lib/datadog/tracing/contrib/rails/log_injection.rb +29 -0
- data/lib/datadog/tracing/contrib/rails/middlewares.rb +46 -0
- data/lib/datadog/tracing/contrib/rails/patcher.rb +88 -0
- data/lib/datadog/tracing/contrib/rails/railtie.rb +19 -0
- data/lib/datadog/tracing/contrib/rails/utils.rb +26 -0
- data/lib/datadog/tracing/contrib/rake/configuration/settings.rb +55 -0
- data/lib/datadog/tracing/contrib/rake/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/rake/instrumentation.rb +103 -0
- data/lib/datadog/tracing/contrib/rake/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/rake/patcher.rb +33 -0
- data/lib/datadog/tracing/contrib/redis/configuration/resolver.rb +49 -0
- data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +57 -0
- data/lib/datadog/tracing/contrib/redis/ext.rb +35 -0
- data/lib/datadog/tracing/contrib/redis/instrumentation.rb +53 -0
- data/lib/datadog/tracing/contrib/redis/integration.rb +80 -0
- data/lib/datadog/tracing/contrib/redis/patcher.rb +92 -0
- data/lib/datadog/tracing/contrib/redis/quantize.rb +80 -0
- data/lib/datadog/tracing/contrib/redis/tags.rb +68 -0
- data/lib/datadog/tracing/contrib/redis/trace_middleware.rb +85 -0
- data/lib/datadog/tracing/contrib/redis/vendor/LICENSE +20 -0
- data/lib/datadog/tracing/contrib/redis/vendor/resolver.rb +160 -0
- data/lib/datadog/tracing/contrib/registerable.rb +50 -0
- data/lib/datadog/tracing/contrib/registry.rb +52 -0
- data/lib/datadog/tracing/contrib/resque/configuration/settings.rb +42 -0
- data/lib/datadog/tracing/contrib/resque/ext.rb +22 -0
- data/lib/datadog/tracing/contrib/resque/integration.rb +48 -0
- data/lib/datadog/tracing/contrib/resque/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/resque/resque_job.rb +106 -0
- data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +55 -0
- data/lib/datadog/tracing/contrib/rest_client/ext.rb +28 -0
- data/lib/datadog/tracing/contrib/rest_client/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/rest_client/patcher.rb +28 -0
- data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +129 -0
- data/lib/datadog/tracing/contrib/roda/configuration/settings.rb +38 -0
- data/lib/datadog/tracing/contrib/roda/ext.rb +19 -0
- data/lib/datadog/tracing/contrib/roda/instrumentation.rb +76 -0
- data/lib/datadog/tracing/contrib/roda/integration.rb +45 -0
- data/lib/datadog/tracing/contrib/roda/patcher.rb +30 -0
- data/lib/datadog/tracing/contrib/semantic_logger/configuration/settings.rb +24 -0
- data/lib/datadog/tracing/contrib/semantic_logger/ext.rb +15 -0
- data/lib/datadog/tracing/contrib/semantic_logger/instrumentation.rb +35 -0
- data/lib/datadog/tracing/contrib/semantic_logger/integration.rb +52 -0
- data/lib/datadog/tracing/contrib/semantic_logger/patcher.rb +29 -0
- data/lib/datadog/tracing/contrib/sequel/configuration/settings.rb +37 -0
- data/lib/datadog/tracing/contrib/sequel/database.rb +62 -0
- data/lib/datadog/tracing/contrib/sequel/dataset.rb +67 -0
- data/lib/datadog/tracing/contrib/sequel/ext.rb +23 -0
- data/lib/datadog/tracing/contrib/sequel/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/sequel/patcher.rb +37 -0
- data/lib/datadog/tracing/contrib/sequel/utils.rb +90 -0
- data/lib/datadog/tracing/contrib/shoryuken/configuration/settings.rb +43 -0
- data/lib/datadog/tracing/contrib/shoryuken/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/shoryuken/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/shoryuken/patcher.rb +28 -0
- data/lib/datadog/tracing/contrib/shoryuken/tracer.rb +65 -0
- data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +62 -0
- data/lib/datadog/tracing/contrib/sidekiq/configuration/settings.rb +47 -0
- data/lib/datadog/tracing/contrib/sidekiq/distributed/propagation.rb +46 -0
- data/lib/datadog/tracing/contrib/sidekiq/ext.rb +44 -0
- data/lib/datadog/tracing/contrib/sidekiq/integration.rb +61 -0
- data/lib/datadog/tracing/contrib/sidekiq/patcher.rb +90 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/heartbeat.rb +61 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/job_fetch.rb +36 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/redis_info.rb +34 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/scheduled_poller.rb +57 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/stop.rb +34 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +88 -0
- data/lib/datadog/tracing/contrib/sidekiq/utils.rb +44 -0
- data/lib/datadog/tracing/contrib/sidekiq.rb +37 -0
- data/lib/datadog/tracing/contrib/sinatra/configuration/settings.rb +46 -0
- data/lib/datadog/tracing/contrib/sinatra/env.rb +38 -0
- data/lib/datadog/tracing/contrib/sinatra/ext.rb +31 -0
- data/lib/datadog/tracing/contrib/sinatra/framework.rb +116 -0
- data/lib/datadog/tracing/contrib/sinatra/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/sinatra/patcher.rb +75 -0
- data/lib/datadog/tracing/contrib/sinatra/tracer.rb +86 -0
- data/lib/datadog/tracing/contrib/sinatra/tracer_middleware.rb +109 -0
- data/lib/datadog/tracing/contrib/sneakers/configuration/settings.rb +43 -0
- data/lib/datadog/tracing/contrib/sneakers/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/sneakers/integration.rb +44 -0
- data/lib/datadog/tracing/contrib/sneakers/patcher.rb +27 -0
- data/lib/datadog/tracing/contrib/sneakers/tracer.rb +60 -0
- data/lib/datadog/tracing/contrib/span_attribute_schema.rb +92 -0
- data/lib/datadog/tracing/contrib/status_range_env_parser.rb +33 -0
- data/lib/datadog/tracing/contrib/status_range_matcher.rb +25 -0
- data/lib/datadog/tracing/contrib/stripe/configuration/settings.rb +37 -0
- data/lib/datadog/tracing/contrib/stripe/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/stripe/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/stripe/patcher.rb +28 -0
- data/lib/datadog/tracing/contrib/stripe/request.rb +67 -0
- data/lib/datadog/tracing/contrib/sucker_punch/configuration/settings.rb +39 -0
- data/lib/datadog/tracing/contrib/sucker_punch/exception_handler.rb +28 -0
- data/lib/datadog/tracing/contrib/sucker_punch/ext.rb +28 -0
- data/lib/datadog/tracing/contrib/sucker_punch/instrumentation.rb +104 -0
- data/lib/datadog/tracing/contrib/sucker_punch/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/sucker_punch/patcher.rb +35 -0
- data/lib/datadog/tracing/contrib/trilogy/configuration/settings.rb +58 -0
- data/lib/datadog/tracing/contrib/trilogy/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/trilogy/instrumentation.rb +94 -0
- data/lib/datadog/tracing/contrib/trilogy/integration.rb +43 -0
- data/lib/datadog/tracing/contrib/trilogy/patcher.rb +31 -0
- data/lib/datadog/tracing/contrib/utils/database.rb +31 -0
- data/lib/datadog/tracing/contrib/utils/quantization/hash.rb +111 -0
- data/lib/datadog/tracing/contrib/utils/quantization/http.rb +179 -0
- data/lib/datadog/tracing/contrib.rb +81 -0
- data/lib/datadog/tracing/correlation.rb +103 -0
- data/lib/datadog/tracing/diagnostics/environment_logger.rb +159 -0
- data/lib/datadog/tracing/diagnostics/ext.rb +36 -0
- data/lib/datadog/tracing/diagnostics/health.rb +40 -0
- data/lib/datadog/tracing/distributed/b3_multi.rb +73 -0
- data/lib/datadog/tracing/distributed/b3_single.rb +69 -0
- data/lib/datadog/tracing/distributed/datadog.rb +200 -0
- data/lib/datadog/tracing/distributed/datadog_tags_codec.rb +84 -0
- data/lib/datadog/tracing/distributed/fetcher.rb +21 -0
- data/lib/datadog/tracing/distributed/helpers.rb +65 -0
- data/lib/datadog/tracing/distributed/none.rb +18 -0
- data/lib/datadog/tracing/distributed/propagation.rb +121 -0
- data/lib/datadog/tracing/distributed/trace_context.rb +436 -0
- data/lib/datadog/tracing/event.rb +76 -0
- data/lib/datadog/tracing/flush.rb +96 -0
- data/lib/datadog/tracing/metadata/analytics.rb +26 -0
- data/lib/datadog/tracing/metadata/errors.rb +24 -0
- data/lib/datadog/tracing/metadata/ext.rb +193 -0
- data/lib/datadog/tracing/metadata/tagging.rb +131 -0
- data/lib/datadog/tracing/metadata.rb +20 -0
- data/lib/datadog/tracing/pipeline/span_filter.rb +46 -0
- data/lib/datadog/tracing/pipeline/span_processor.rb +39 -0
- data/lib/datadog/tracing/pipeline.rb +63 -0
- data/lib/datadog/tracing/remote.rb +78 -0
- data/lib/datadog/tracing/runtime/metrics.rb +17 -0
- data/lib/datadog/tracing/sampling/all_sampler.rb +24 -0
- data/lib/datadog/tracing/sampling/ext.rb +56 -0
- data/lib/datadog/tracing/sampling/matcher.rb +65 -0
- data/lib/datadog/tracing/sampling/priority_sampler.rb +160 -0
- data/lib/datadog/tracing/sampling/rate_by_key_sampler.rb +87 -0
- data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +63 -0
- data/lib/datadog/tracing/sampling/rate_limiter.rb +185 -0
- data/lib/datadog/tracing/sampling/rate_sampler.rb +58 -0
- data/lib/datadog/tracing/sampling/rule.rb +61 -0
- data/lib/datadog/tracing/sampling/rule_sampler.rb +148 -0
- data/lib/datadog/tracing/sampling/sampler.rb +32 -0
- data/lib/datadog/tracing/sampling/span/ext.rb +25 -0
- data/lib/datadog/tracing/sampling/span/matcher.rb +89 -0
- data/lib/datadog/tracing/sampling/span/rule.rb +78 -0
- data/lib/datadog/tracing/sampling/span/rule_parser.rb +104 -0
- data/lib/datadog/tracing/sampling/span/sampler.rb +77 -0
- data/lib/datadog/tracing/span.rb +207 -0
- data/lib/datadog/tracing/span_operation.rb +498 -0
- data/lib/datadog/tracing/sync_writer.rb +67 -0
- data/lib/datadog/tracing/trace_digest.rb +185 -0
- data/lib/datadog/tracing/trace_operation.rb +492 -0
- data/lib/datadog/tracing/trace_segment.rb +222 -0
- data/lib/datadog/tracing/tracer.rb +531 -0
- data/lib/datadog/tracing/transport/http/api/instance.rb +37 -0
- data/lib/datadog/tracing/transport/http/api/spec.rb +19 -0
- data/lib/datadog/tracing/transport/http/api.rb +43 -0
- data/lib/datadog/tracing/transport/http/builder.rb +162 -0
- data/lib/datadog/tracing/transport/http/client.rb +57 -0
- data/lib/datadog/tracing/transport/http/statistics.rb +47 -0
- data/lib/datadog/tracing/transport/http/traces.rb +152 -0
- data/lib/datadog/tracing/transport/http.rb +97 -0
- data/lib/datadog/tracing/transport/io/client.rb +89 -0
- data/lib/datadog/tracing/transport/io/response.rb +27 -0
- data/lib/datadog/tracing/transport/io/traces.rb +101 -0
- data/lib/datadog/tracing/transport/io.rb +30 -0
- data/lib/datadog/tracing/transport/serializable_trace.rb +126 -0
- data/lib/datadog/tracing/transport/statistics.rb +77 -0
- data/lib/datadog/tracing/transport/trace_formatter.rb +240 -0
- data/lib/datadog/tracing/transport/traces.rb +224 -0
- data/lib/datadog/tracing/utils.rb +83 -0
- data/lib/datadog/tracing/workers/trace_writer.rb +196 -0
- data/lib/datadog/tracing/workers.rb +125 -0
- data/lib/datadog/tracing/writer.rb +188 -0
- data/lib/datadog/tracing.rb +169 -0
- data/lib/datadog/version.rb +26 -0
- data/lib/datadog.rb +10 -0
- metadata +886 -0
@@ -0,0 +1,1635 @@
|
|
1
|
+
{
|
2
|
+
"version": "2.2",
|
3
|
+
"metadata": {
|
4
|
+
"rules_version": "1.8.0"
|
5
|
+
},
|
6
|
+
"rules": [
|
7
|
+
{
|
8
|
+
"id": "crs-913-100",
|
9
|
+
"name": "Found User-Agent associated with security scanner",
|
10
|
+
"tags": {
|
11
|
+
"type": "security_scanner",
|
12
|
+
"crs_id": "913100",
|
13
|
+
"category": "attack_attempt"
|
14
|
+
},
|
15
|
+
"conditions": [
|
16
|
+
{
|
17
|
+
"parameters": {
|
18
|
+
"inputs": [
|
19
|
+
{
|
20
|
+
"address": "server.request.headers.no_cookies",
|
21
|
+
"key_path": [
|
22
|
+
"user-agent"
|
23
|
+
]
|
24
|
+
}
|
25
|
+
],
|
26
|
+
"list": [
|
27
|
+
"(hydra)",
|
28
|
+
"absinthe",
|
29
|
+
"autogetcontent",
|
30
|
+
"bilbo",
|
31
|
+
"bfac",
|
32
|
+
"cisco-torch",
|
33
|
+
"core-project/1.0",
|
34
|
+
"crimscanner/",
|
35
|
+
"datacha0s",
|
36
|
+
"domino hunter",
|
37
|
+
"dotdotpwn",
|
38
|
+
"email extractor",
|
39
|
+
"fhscan core 1.",
|
40
|
+
"floodgate",
|
41
|
+
"f-secure radar",
|
42
|
+
"get-minimal",
|
43
|
+
"gootkit auto-rooter scanner",
|
44
|
+
"grabber",
|
45
|
+
"grendel-scan",
|
46
|
+
"inspath",
|
47
|
+
"internet ninja",
|
48
|
+
"masscan",
|
49
|
+
"morfeus fucking scanner",
|
50
|
+
"mysqloit",
|
51
|
+
"prog.customcrawler",
|
52
|
+
"qqgamehall",
|
53
|
+
"s.t.a.l.k.e.r.",
|
54
|
+
"springenwerk",
|
55
|
+
"sql power injector",
|
56
|
+
"struts-pwn",
|
57
|
+
"sysscan",
|
58
|
+
"tbi-webscanner",
|
59
|
+
"teh forest lobster",
|
60
|
+
"toata dragostea",
|
61
|
+
"uil2pn",
|
62
|
+
"user-agent:",
|
63
|
+
"vega/",
|
64
|
+
"voideye",
|
65
|
+
"webbandit",
|
66
|
+
"webshag",
|
67
|
+
"webvulnscan",
|
68
|
+
"whatweb",
|
69
|
+
"whcc/",
|
70
|
+
"wordpress hash grabber",
|
71
|
+
"xmlrpc exploit"
|
72
|
+
]
|
73
|
+
},
|
74
|
+
"operator": "phrase_match"
|
75
|
+
}
|
76
|
+
],
|
77
|
+
"transformers": [
|
78
|
+
"lowercase"
|
79
|
+
]
|
80
|
+
},
|
81
|
+
{
|
82
|
+
"id": "crs-921-120",
|
83
|
+
"name": "HTTP Response Splitting Attack",
|
84
|
+
"tags": {
|
85
|
+
"type": "http_protocol_violation",
|
86
|
+
"crs_id": "921120",
|
87
|
+
"category": "attack_attempt"
|
88
|
+
},
|
89
|
+
"conditions": [
|
90
|
+
{
|
91
|
+
"parameters": {
|
92
|
+
"inputs": [
|
93
|
+
{
|
94
|
+
"address": "server.request.query"
|
95
|
+
},
|
96
|
+
{
|
97
|
+
"address": "server.request.body"
|
98
|
+
},
|
99
|
+
{
|
100
|
+
"address": "server.request.path_params"
|
101
|
+
},
|
102
|
+
{
|
103
|
+
"address": "graphql.server.all_resolvers"
|
104
|
+
}
|
105
|
+
],
|
106
|
+
"regex": "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w",
|
107
|
+
"options": {
|
108
|
+
"case_sensitive": true,
|
109
|
+
"min_length": 11
|
110
|
+
}
|
111
|
+
},
|
112
|
+
"operator": "match_regex"
|
113
|
+
}
|
114
|
+
],
|
115
|
+
"transformers": [
|
116
|
+
"lowercase"
|
117
|
+
]
|
118
|
+
},
|
119
|
+
{
|
120
|
+
"id": "crs-921-140",
|
121
|
+
"name": "HTTP Header Injection Attack via headers",
|
122
|
+
"tags": {
|
123
|
+
"type": "http_protocol_violation",
|
124
|
+
"crs_id": "921140",
|
125
|
+
"category": "attack_attempt",
|
126
|
+
"capec": "1000/210/272/220/273",
|
127
|
+
"cwe": "113"
|
128
|
+
},
|
129
|
+
"conditions": [
|
130
|
+
{
|
131
|
+
"parameters": {
|
132
|
+
"inputs": [
|
133
|
+
{
|
134
|
+
"address": "server.request.headers.no_cookies"
|
135
|
+
}
|
136
|
+
],
|
137
|
+
"regex": "[\\n\\r]",
|
138
|
+
"options": {
|
139
|
+
"case_sensitive": true,
|
140
|
+
"min_length": 1
|
141
|
+
}
|
142
|
+
},
|
143
|
+
"operator": "match_regex"
|
144
|
+
}
|
145
|
+
],
|
146
|
+
"transformers": []
|
147
|
+
},
|
148
|
+
{
|
149
|
+
"id": "crs-932-100",
|
150
|
+
"name": "Remote Command Execution: Unix Command Injection",
|
151
|
+
"tags": {
|
152
|
+
"type": "command_injection",
|
153
|
+
"crs_id": "932100",
|
154
|
+
"category": "attack_attempt"
|
155
|
+
},
|
156
|
+
"conditions": [
|
157
|
+
{
|
158
|
+
"parameters": {
|
159
|
+
"inputs": [
|
160
|
+
{
|
161
|
+
"address": "server.request.query"
|
162
|
+
},
|
163
|
+
{
|
164
|
+
"address": "server.request.body"
|
165
|
+
},
|
166
|
+
{
|
167
|
+
"address": "server.request.path_params"
|
168
|
+
},
|
169
|
+
{
|
170
|
+
"address": "graphql.server.all_resolvers"
|
171
|
+
}
|
172
|
+
],
|
173
|
+
"regex": "(?:[;\\n\\r`]|\\$(?:\\(?\\(|{)|(?:\\|)?\\||\\(\\s*\\)|[<>]\\(|&?&|\\{)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:['\\\"])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:w[\\x5c'\\\"]*p[\\x5c'\\\"]*-[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*w[\\x5c'\\\"]*n[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*m[\\x5c'\\\"]*p)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*q[\\x5c'\\\"]*u[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|m[\\x5c'\\\"]*i[\\x5c'\\\"]*r[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*r)|s(?:[\\x5c'\\\"]*(?:b[\\x5c'\\\"]*_[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*e|c[\\x5c'\\\"]*p[\\x5c'\\\"]*u|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d|p[\\x5c'\\\"]*c[\\x5c'\\\"]*i|u[\\x5c'\\\"]*s[\\x5c'\\\"]*b|-[\\x5c'\\\"]*F|h[\\x5c'\\\"]*w|o[\\x5c'\\\"]*f))?|z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|m[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|a)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s)|o[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*(?:(?:n[\\x5c'\\\"]*a[\\x5c'\\\"]*m|s[\\x5c'\\\"]*a[\\x5c'\\\"]*v)[\\x5c'\\\"]*e|i[\\x5c'\\\"]*n[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l)|c[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*e|l)[\\x5c'\\\"]*(?:\\s|<|>).*)|e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:(?:f[\\x5c'\\\"]*i[\\x5c'\\\"]*l|p[\\x5c'\\\"]*i[\\x5c'\\\"]*p)[\\x5c'\\\"]*e|e[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|(?:\\s|<|>).*)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*g(?:[\\x5c'\\\"]*i[\\x5c'\\\"]*n)?|c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*m|(?:\\s|<|>).*)|d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g|d[\\x5c'\\\"]*(?:\\s|<|>).*)|(?:[np]|i[\\x5c'\\\"]*n[\\x5c'\\\"]*k[\\x5c'\\\"]*s|y[\\x5c'\\\"]*n[\\x5c'\\\"]*x)[\\x5c'\\
\"]*(?:\\s|<|>).*|u[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:5[\\x5c'\\\"]*\\.[\\x5c'\\\"]*[1234]|(?:\\s|<|>).*)|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t)?|t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e)|c[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:r[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*|o[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*r)|m[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:\\s|<|>).*)|p[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*c)|h[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:\\s|<|>).*|f[\\x5c'\\\"]*l[\\x5c'\\\"]*a[\\x5c'\\\"]*g[\\x5c'\\\"]*s|a[\\x5c'\\\"]*t[\\x5c'\\\"]*t[\\x5c'\\\"]*r|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d)|p[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*t|(?:\\s|<|>).*|a[\\x5c'\\\"]*n|i[\\x5c'\\\"]*o)|(?:a[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*s[\\x5c'\\\"]*h|t)|c)[\\x5c'\\\"]*(?:\\s|<|>).*|e[\\x5c'\\\"]*r[\\x5c'\\\"]*t[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*t|r[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*b|u[\\x5c'\\\"]*r[\\x5c'\\\"]*l|[89][\\x5c'\\\"]*9|s[\\x5c'\\\"]*h)|b[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*p[\\x5c'\\\"]*2)|u[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*(?:y[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*x|c[\\x5c'\\\"]*t[\\x5c'\\\"]*l)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:\\s|<|>).*|i[\\x5c'\\\"]*l[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*n)|s[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|t[\\x5c'\\\"]*a[\\x5c'\\\"]*r)|a[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|s[\\x5c'\\\"]*h)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*k[\\x5c'\\\"]*s[\\x5c'\\\"]*w)|
e[\\x5c'\\\"]*(?:x[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:\\s|<|>).*|a[\\x5c'\\\"]*n[\\x5c'\\\"]*d|o[\\x5c'\\\"]*r[\\x5c'\\\"]*t|r)|(?:e[\\x5c'\\\"]*c[\\x5c'\\\"]*)?(?:\\s|<|>).*)|n[\\x5c'\\\"]*(?:v(?:[\\x5c'\\\"]*-[\\x5c'\\\"]*u[\\x5c'\\\"]*p[\\x5c'\\\"]*d[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e)?|d[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*f|s[\\x5c'\\\"]*w))|(?:a[\\x5c'\\\"]*s[\\x5c'\\\"]*y[\\x5c'\\\"]*_[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*l|v[\\x5c'\\\"]*a)[\\x5c'\\\"]*l|(?:c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|d)[\\x5c'\\\"]*(?:\\s|<|>).*|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|m[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*s|s[\\x5c'\\\"]*a[\\x5c'\\\"]*c)|f[\\x5c'\\\"]*(?:i(?:[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|(?:\\s|<|>).*)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:\\s|<|>).*|s[\\x5c'\\\"]*h))?|t[\\x5c'\\\"]*p[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*s|w[\\x5c'\\\"]*h[\\x5c'\\\"]*o|(?:\\s|<|>).*)|(?:e[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*h|l[\\x5c'\\\"]*o[\\x5c'\\\"]*c[\\x5c'\\\"]*k|c)[\\x5c'\\\"]*(?:\\s|<|>).*|u[\\x5c'\\\"]*n[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*o[\\x5c'\\\"]*n|o[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*h|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p)|i[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:(?:6[\\x5c'\\\"]*)?t[\\x5c'\\\"]*a[\\x5c'\\\"]*b[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*s|c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g)|r[\\x5c'\\\"]*b(?:[\\x5c'\\\"]*(?:2[\\x5c'\\\"]*[01234567]|1(?:[\\x5c'\\\"]*[89])?|3[\\x5c'\\\"]*0))?|f[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*i[\\x5c'\\\"]*g|o[\\x5c'\\\"]*n[\\x5c'\\\"]*i[\\x5c'\\\"]*c[\\x5c'\\\"]*e|d[\\x5c'\\\"]*(?:\\s|<|>).*)|h[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|p[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*
s[\\x5c'\\\"]*w[\\x5c'\\\"]*d)|o[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*e|i[\\x5c'\\\"]*d)|(?:e[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*p)[\\x5c'\\\"]*(?:\\s|<|>).*|i[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*y)|a[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*|p[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*e)|p[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:-[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t|(?:\\s|<|>).*)|d[\\x5c'\\\"]*d[\\x5c'\\\"]*u[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*r|r[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|p)|(?:w[\\x5c'\\\"]*[ks]|t)[\\x5c'\\\"]*(?:\\s|<|>).*)|g[\\x5c'\\\"]*(?:(?:e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*f[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*l|m)|r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|o)[\\x5c'\\\"]*(?:\\s|<|>).*|z[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*p)|u[\\x5c'\\\"]*n[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p|c[\\x5c'\\\"]*c(?:[\\x5c'\\\"]*(?:\\s|<|>).*)?|i[\\x5c'\\\"]*t(?:[\\x5c'\\\"]*(?:\\s|<|>).*)?|d[\\x5c'\\\"]*b)|d[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*c[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*t|(?:i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|u)[\\x5c'\\\"]*(?:\\s|<|>).*|(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*s|p[\\x5c'\\\"]*k)[\\x5c'\\\"]*g|o[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*s|n[\\x5c'\\\"]*e)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*h)|j[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*r[\\x5c'\\\"]*n[\\x5c'\\\"]*a[\\x5c'\\\"]*l[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|b[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:\\s|<|>).*)|a[\\x5c'\\\"]*v[\\x5c'\\\"]*a[\\x5c'\\\"]*(?:\\s|<|>).*|e[\\x5c'\\\"]*x[\\x5c'\\\"]*e[\\x5c'\\\"]*c)|k[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l[\\x5c'\\\"]*l[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*l[\\x5c'\\\"]*l|(?:\\s|<|>).*)|s[\\x5c'\\\"]*h)|G[\\x5c'\\\"]*E[\\x5c'\\\"]*T[\\x5c'\\\"]*(?:\\s|<|>).*|7[\\x5c'\\\"]*z(?:[\\x5c'\\\"]*[ar])?)\\b",
|
174
|
+
"options": {
|
175
|
+
"case_sensitive": true,
|
176
|
+
"min_length": 3
|
177
|
+
}
|
178
|
+
},
|
179
|
+
"operator": "match_regex"
|
180
|
+
}
|
181
|
+
],
|
182
|
+
"transformers": []
|
183
|
+
},
|
184
|
+
{
|
185
|
+
"id": "crs-932-115",
|
186
|
+
"name": "Remote Command Execution: Windows Command Injection",
|
187
|
+
"tags": {
|
188
|
+
"type": "command_injection",
|
189
|
+
"crs_id": "932115",
|
190
|
+
"category": "attack_attempt"
|
191
|
+
},
|
192
|
+
"conditions": [
|
193
|
+
{
|
194
|
+
"parameters": {
|
195
|
+
"inputs": [
|
196
|
+
{
|
197
|
+
"address": "server.request.query"
|
198
|
+
},
|
199
|
+
{
|
200
|
+
"address": "server.request.body"
|
201
|
+
},
|
202
|
+
{
|
203
|
+
"address": "server.request.path_params"
|
204
|
+
},
|
205
|
+
{
|
206
|
+
"address": "graphql.server.all_resolvers"
|
207
|
+
}
|
208
|
+
],
|
209
|
+
"regex": "(?:[;\\n\\r`]|(?:$\\(|<)\\(|(?:\\|)?\\||\\(\\s*\\)|\\$[(?:{]|&?&|>\\|\\{)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:['\\\"])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:s[\\\"\\^]*(?:y[\\\"\\^]*s[\\\"\\^]*(?:t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*(?:p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*(?:d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n|(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c|h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*d[\\\"\\^]*w[\\\"\\^]*a[\\\"\\^]*r)[\\\"\\^]*e|a[\\\"\\^]*d[\\\"\\^]*v[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*d)|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o)|k[\\\"\\^]*e[\\\"\\^]*y|d[\\\"\\^]*m)|h[\\\"\\^]*(?:o[\\\"\\^]*(?:w[\\\"\\^]*(?:g[\\\"\\^]*r[\\\"\\^]*p|m[\\\"\\^]*b[\\\"\\^]*r)[\\\"\\^]*s|r[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t)|e[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*s|u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|r[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*b[\\\"\\^]*w|a[\\\"\\^]*r[\\\"\\^]*e|i[\\\"\\^]*f[\\\"\\^]*t)|e[\\\"\\^]*(?:t[\\\"\\^]*(?:(?:x[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l)|c[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*l|l[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t)|c[\\\"\\^]*(?:h[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*s|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|u[\\\"\\^]*b[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l|s[\\\"\\^]*t)|(?:t[\\\"\\^]*a|o)[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*g[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f|l[\\\"\\^]*(?:e[\\\"\\^]*e[\\\"\\^]*p|m[\\\"\\^]*g[\\\"\\^]*r)|f[
\\\"\\^]*c|v[\\\"\\^]*n)|p[\\\"\\^]*(?:s[\\\"\\^]*(?:s[\\\"\\^]*(?:h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|e[\\\"\\^]*r[\\\"\\^]*v[\\\"\\^]*i[\\\"\\^]*c[\\\"\\^]*e|u[\\\"\\^]*s[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*d)|l[\\\"\\^]*(?:o[\\\"\\^]*g[\\\"\\^]*(?:g[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*n|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|i[\\\"\\^]*s[\\\"\\^]*t)|p[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*w[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|g[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*i[\\\"\\^]*d|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l)|o[\\\"\\^]*(?:w[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*(?:s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l(?:[\\\"\\^]*_[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e)?|c[\\\"\\^]*f[\\\"\\^]*g)|r[\\\"\\^]*t[\\\"\\^]*q[\\\"\\^]*r[\\\"\\^]*y|p[\\\"\\^]*d)|r[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*r[\\\"\\^]*m)|n[\\\"\\^]*(?:c[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*g|m[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*r)|o[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*t)|a[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*(?:p[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g|(?:[\\s,;]|\\.|/|<|>).*)|e[\\\"\\^]*r[\\\"\\^]*(?:l(?:[\\\"\\^]*(?:s[\\\"\\^]*h|5))?|f[\\\"\\^]*m[\\\"\\^]*o[\\\"\\^]*n)|y[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n(?:[\\\"\\^]*(?:3(?:[\\\"\\^]*m)?|2))?|k[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|h[\\\"\\^]*p(?:[\\\"\\^]*[57])?|u[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|r[\\\"\\^]*(?:e[\\\"\\^]*(?:(?:p[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e|n(?:[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e)?|s[\\\"\\^]*e[\\\"\\^]*t)[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|g[\\\"\\^]*(?:s[\\\"\\^]*v[\\\"\\^]*r[\\\"\\^]*3[\\\"\\^]*2|e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*t|(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*n[\\\"\\^]*i)|c[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c|o[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*y[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^
]*z)|u[\\\"\\^]*(?:n[\\\"\\^]*(?:d[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2|a[\\\"\\^]*s)|b[\\\"\\^]*y[\\\"\\^]*(?:1(?:[\\\"\\^]*[89])?|2[\\\"\\^]*[012]))|a[\\\"\\^]*(?:s[\\\"\\^]*(?:p[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*e|d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*l)|r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|m[\\\"\\^]*(?:(?:d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*e)|o[\\\"\\^]*(?:u[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y)|s[\\\"\\^]*(?:t[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*i|y[\\\"\\^]*n[\\\"\\^]*c)|d[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|t[\\\"\\^]*(?:a[\\\"\\^]*(?:s[\\\"\\^]*k[\\\"\\^]*(?:k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t|s[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*d|m[\\\"\\^]*g[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n)|(?:i[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*u|p[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*i|e[\\\"\\^]*l[\\\"\\^]*n[\\\"\\^]*e|l[\\\"\\^]*i[\\\"\\^]*s)[\\\"\\^]*t|s[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*o|s[\\\"\\^]*h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d)[\\\"\\^]*n|y[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f|(?:[\\s,;]|\\.|/|<|>).*)|r[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t|e[\\\"\\^]*e))|w[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*f|m[\\\"\\^]*s[\\\"\\^]*d[\\\"\\^]*p|v[\\\"\\^]*a[\\\"\\^]*r|r[\\\"\\^]*[ms])|u[\\\"\\^]*(?:a[\\\"\\^]*(?:u[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*t|p[\\\"\\^]*p)|s[\\\"\\^]*a)|s[\\\"\\^]*c[\\\"\\^]*(?:r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t|u[\\\"\\^]*i)|e[\\\"\\^]*v[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|m[\\\"\\^]*i[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|c)|a[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r|h[\\\"\\^]*o[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*i|g[\\\"\\^]*e[\\\"\\^]*t)|u[\\\"\\^]*(?:s[\\\"\\^]*(?:e[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\
\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*s|r[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|n[\\\"\\^]*(?:r[\\\"\\^]*a[\\\"\\^]*r|z[\\\"\\^]*i[\\\"\\^]*p))|q[\\\"\\^]*(?:u[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*y[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*s|w[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p)|o[\\\"\\^]*(?:d[\\\"\\^]*b[\\\"\\^]*c[\\\"\\^]*(?:a[\\\"\\^]*d[\\\"\\^]*3[\\\"\\^]*2|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f)|p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s)|v[\\\"\\^]*(?:o[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*y)|x[\\\"\\^]*c[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s|o[\\\"\\^]*p[\\\"\\^]*y)|z[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)",
|
210
|
+
"options": {
|
211
|
+
"min_length": 4
|
212
|
+
}
|
213
|
+
},
|
214
|
+
"operator": "match_regex"
|
215
|
+
}
|
216
|
+
],
|
217
|
+
"transformers": []
|
218
|
+
},
|
219
|
+
{
|
220
|
+
"id": "crs-932-120",
|
221
|
+
"name": "Remote Command Execution: Windows PowerShell Command Found",
|
222
|
+
"tags": {
|
223
|
+
"type": "command_injection",
|
224
|
+
"crs_id": "932120",
|
225
|
+
"category": "attack_attempt"
|
226
|
+
},
|
227
|
+
"conditions": [
|
228
|
+
{
|
229
|
+
"parameters": {
|
230
|
+
"inputs": [
|
231
|
+
{
|
232
|
+
"address": "server.request.query"
|
233
|
+
},
|
234
|
+
{
|
235
|
+
"address": "server.request.body"
|
236
|
+
},
|
237
|
+
{
|
238
|
+
"address": "server.request.path_params"
|
239
|
+
},
|
240
|
+
{
|
241
|
+
"address": "graphql.server.all_resolvers"
|
242
|
+
}
|
243
|
+
],
|
244
|
+
"list": [
|
245
|
+
"powershell",
|
246
|
+
"add-computer",
|
247
|
+
"add-content",
|
248
|
+
"add-history",
|
249
|
+
"add-jobtrigger",
|
250
|
+
"add-localgroupmember",
|
251
|
+
"add-member",
|
252
|
+
"add-pssnapin",
|
253
|
+
"add-type",
|
254
|
+
"checkpoint-computer",
|
255
|
+
"clear-content",
|
256
|
+
"clear-eventlog",
|
257
|
+
"clear-history",
|
258
|
+
"clear-host",
|
259
|
+
"clear-item",
|
260
|
+
"clear-itemproperty",
|
261
|
+
"clear-recyclebin",
|
262
|
+
"clear-variable",
|
263
|
+
"compare-object",
|
264
|
+
"complete-transaction",
|
265
|
+
"compress-archive",
|
266
|
+
"connect-pssession",
|
267
|
+
"connect-wsman",
|
268
|
+
"convert-path",
|
269
|
+
"convert-string",
|
270
|
+
"convertfrom-csv",
|
271
|
+
"convertfrom-json",
|
272
|
+
"convertfrom-markdown",
|
273
|
+
"convertfrom-sddlstring",
|
274
|
+
"convertfrom-securestring",
|
275
|
+
"convertfrom-string",
|
276
|
+
"convertfrom-stringdata",
|
277
|
+
"convertto-csv",
|
278
|
+
"convertto-html",
|
279
|
+
"convertto-json",
|
280
|
+
"convertto-securestring",
|
281
|
+
"convertto-xml",
|
282
|
+
"copy-item",
|
283
|
+
"copy-itemproperty",
|
284
|
+
"debug-job",
|
285
|
+
"debug-process",
|
286
|
+
"debug-runspace",
|
287
|
+
"disable-computerrestore",
|
288
|
+
"disable-experimentalfeature",
|
289
|
+
"disable-jobtrigger",
|
290
|
+
"disable-localuser",
|
291
|
+
"disable-psbreakpoint",
|
292
|
+
"disable-psremoting",
|
293
|
+
"disable-pssessionconfiguration",
|
294
|
+
"disable-pstrace",
|
295
|
+
"disable-pswsmancombinedtrace",
|
296
|
+
"disable-runspacedebug",
|
297
|
+
"disable-scheduledjob",
|
298
|
+
"disable-wsmancredssp",
|
299
|
+
"disable-wsmantrace",
|
300
|
+
"disconnect-pssession",
|
301
|
+
"disconnect-wsman",
|
302
|
+
"enable-computerrestore",
|
303
|
+
"enable-experimentalfeature",
|
304
|
+
"enable-jobtrigger",
|
305
|
+
"enable-localuser",
|
306
|
+
"enable-psbreakpoint",
|
307
|
+
"enable-psremoting",
|
308
|
+
"enable-pssessionconfiguration",
|
309
|
+
"enable-pstrace",
|
310
|
+
"enable-pswsmancombinedtrace",
|
311
|
+
"enable-runspacedebug",
|
312
|
+
"enable-scheduledjob",
|
313
|
+
"enable-wsmancredssp",
|
314
|
+
"enable-wsmantrace",
|
315
|
+
"enter-pshostprocess",
|
316
|
+
"enter-pssession",
|
317
|
+
"exit-pshostprocess",
|
318
|
+
"exit-pssession",
|
319
|
+
"expand-archive",
|
320
|
+
"export-alias",
|
321
|
+
"export-binarymilog",
|
322
|
+
"export-clixml",
|
323
|
+
"export-console",
|
324
|
+
"export-counter",
|
325
|
+
"export-csv",
|
326
|
+
"export-formatdata",
|
327
|
+
"export-modulemember",
|
328
|
+
"export-odataendpointproxy",
|
329
|
+
"export-pssession",
|
330
|
+
"find-command",
|
331
|
+
"find-dscresource",
|
332
|
+
"find-module",
|
333
|
+
"find-package",
|
334
|
+
"find-packageprovider",
|
335
|
+
"find-rolecapability",
|
336
|
+
"find-script",
|
337
|
+
"foreach-object",
|
338
|
+
"format-custom",
|
339
|
+
"format-hex",
|
340
|
+
"format-list",
|
341
|
+
"format-table",
|
342
|
+
"format-wide",
|
343
|
+
"get-acl",
|
344
|
+
"get-alias",
|
345
|
+
"get-authenticodesignature",
|
346
|
+
"get-childitem",
|
347
|
+
"get-cimassociatedinstance",
|
348
|
+
"get-cimclass",
|
349
|
+
"get-ciminstance",
|
350
|
+
"get-cimsession",
|
351
|
+
"get-clipboard",
|
352
|
+
"get-cmsmessage",
|
353
|
+
"get-command",
|
354
|
+
"get-computerinfo",
|
355
|
+
"get-computerrestorepoint",
|
356
|
+
"get-content",
|
357
|
+
"get-controlpanelitem",
|
358
|
+
"get-counter",
|
359
|
+
"get-credential",
|
360
|
+
"get-date",
|
361
|
+
"get-error",
|
362
|
+
"get-event",
|
363
|
+
"get-eventlog",
|
364
|
+
"get-eventsubscriber",
|
365
|
+
"get-executionpolicy",
|
366
|
+
"get-experimentalfeature",
|
367
|
+
"get-filehash",
|
368
|
+
"get-formatdata",
|
369
|
+
"get-help",
|
370
|
+
"get-history",
|
371
|
+
"get-host",
|
372
|
+
"get-hotfix",
|
373
|
+
"get-installedmodule",
|
374
|
+
"get-installedscript",
|
375
|
+
"get-isesnippet",
|
376
|
+
"get-item",
|
377
|
+
"get-itemproperty",
|
378
|
+
"get-itempropertyvalue",
|
379
|
+
"get-job",
|
380
|
+
"get-jobtrigger",
|
381
|
+
"get-localgroup",
|
382
|
+
"get-localgroupmember",
|
383
|
+
"get-localuser",
|
384
|
+
"get-location",
|
385
|
+
"get-logproperties",
|
386
|
+
"get-markdownoption",
|
387
|
+
"get-module",
|
388
|
+
"get-operationvalidation",
|
389
|
+
"get-psbreakpoint",
|
390
|
+
"get-pscallstack",
|
391
|
+
"get-psdrive",
|
392
|
+
"get-pshostprocessinfo",
|
393
|
+
"get-psprovider",
|
394
|
+
"get-psreadlinekeyhandler",
|
395
|
+
"get-psreadlineoption",
|
396
|
+
"get-psrepository",
|
397
|
+
"get-pssession",
|
398
|
+
"get-pssessioncapability",
|
399
|
+
"get-pssessionconfiguration",
|
400
|
+
"get-pssnapin",
|
401
|
+
"get-pssubsystem",
|
402
|
+
"get-package",
|
403
|
+
"get-packageprovider",
|
404
|
+
"get-packagesource",
|
405
|
+
"get-pfxcertificate",
|
406
|
+
"get-process",
|
407
|
+
"get-random",
|
408
|
+
"get-runspace",
|
409
|
+
"get-runspacedebug",
|
410
|
+
"get-scheduledjob",
|
411
|
+
"get-scheduledjoboption",
|
412
|
+
"get-service",
|
413
|
+
"get-timezone",
|
414
|
+
"get-tracesource",
|
415
|
+
"get-transaction",
|
416
|
+
"get-typedata",
|
417
|
+
"get-uiculture",
|
418
|
+
"get-unique",
|
419
|
+
"get-uptime",
|
420
|
+
"get-variable",
|
421
|
+
"get-verb",
|
422
|
+
"get-wsmancredssp",
|
423
|
+
"get-wsmaninstance",
|
424
|
+
"get-winevent",
|
425
|
+
"get-wmiobject",
|
426
|
+
"group-object",
|
427
|
+
"import-alias",
|
428
|
+
"import-binarymilog",
|
429
|
+
"import-clixml",
|
430
|
+
"import-counter",
|
431
|
+
"import-csv",
|
432
|
+
"import-isesnippet",
|
433
|
+
"import-localizeddata",
|
434
|
+
"import-module",
|
435
|
+
"import-pssession",
|
436
|
+
"import-packageprovider",
|
437
|
+
"import-powershelldatafile",
|
438
|
+
"install-module",
|
439
|
+
"install-package",
|
440
|
+
"install-packageprovider",
|
441
|
+
"install-script",
|
442
|
+
"invoke-asworkflow",
|
443
|
+
"invoke-cimmethod",
|
444
|
+
"invoke-command",
|
445
|
+
"invoke-expression",
|
446
|
+
"invoke-history",
|
447
|
+
"invoke-item",
|
448
|
+
"invoke-operationvalidation",
|
449
|
+
"invoke-restmethod",
|
450
|
+
"invoke-wsmanaction",
|
451
|
+
"invoke-webrequest",
|
452
|
+
"invoke-wmimethod",
|
453
|
+
"join-path",
|
454
|
+
"join-string",
|
455
|
+
"limit-eventlog",
|
456
|
+
"measure-command",
|
457
|
+
"measure-object",
|
458
|
+
"move-item",
|
459
|
+
"move-itemproperty",
|
460
|
+
"new-alias",
|
461
|
+
"new-ciminstance",
|
462
|
+
"new-cimsession",
|
463
|
+
"new-cimsessionoption",
|
464
|
+
"new-event",
|
465
|
+
"new-eventlog",
|
466
|
+
"new-filecatalog",
|
467
|
+
"new-guid",
|
468
|
+
"new-isesnippet",
|
469
|
+
"new-item",
|
470
|
+
"new-itemproperty",
|
471
|
+
"new-jobtrigger",
|
472
|
+
"new-localgroup",
|
473
|
+
"new-localuser",
|
474
|
+
"new-module",
|
475
|
+
"new-modulemanifest",
|
476
|
+
"new-object",
|
477
|
+
"new-psdrive",
|
478
|
+
"new-psrolecapabilityfile",
|
479
|
+
"new-pssession",
|
480
|
+
"new-pssessionconfigurationfile",
|
481
|
+
"new-pssessionoption",
|
482
|
+
"new-pstransportoption",
|
483
|
+
"new-psworkflowexecutionoption",
|
484
|
+
"new-psworkflowsession",
|
485
|
+
"new-scheduledjoboption",
|
486
|
+
"new-scriptfileinfo",
|
487
|
+
"new-service",
|
488
|
+
"new-temporaryfile",
|
489
|
+
"new-timespan",
|
490
|
+
"new-variable",
|
491
|
+
"new-wsmaninstance",
|
492
|
+
"new-wsmansessionoption",
|
493
|
+
"new-webserviceproxy",
|
494
|
+
"new-winevent",
|
495
|
+
"out-default",
|
496
|
+
"out-file",
|
497
|
+
"out-gridview",
|
498
|
+
"out-host",
|
499
|
+
"out-null",
|
500
|
+
"out-printer",
|
501
|
+
"out-string",
|
502
|
+
"pop-location",
|
503
|
+
"protect-cmsmessage",
|
504
|
+
"publish-module",
|
505
|
+
"publish-script",
|
506
|
+
"push-location",
|
507
|
+
"read-host",
|
508
|
+
"receive-job",
|
509
|
+
"receive-pssession",
|
510
|
+
"register-argumentcompleter",
|
511
|
+
"register-cimindicationevent",
|
512
|
+
"register-engineevent",
|
513
|
+
"register-objectevent",
|
514
|
+
"register-psrepository",
|
515
|
+
"register-pssessionconfiguration",
|
516
|
+
"register-packagesource",
|
517
|
+
"register-scheduledjob",
|
518
|
+
"register-wmievent",
|
519
|
+
"remove-alias",
|
520
|
+
"remove-ciminstance",
|
521
|
+
"remove-cimsession",
|
522
|
+
"remove-computer",
|
523
|
+
"remove-event",
|
524
|
+
"remove-eventlog",
|
525
|
+
"remove-item",
|
526
|
+
"remove-itemproperty",
|
527
|
+
"remove-job",
|
528
|
+
"remove-jobtrigger",
|
529
|
+
"remove-localgroup",
|
530
|
+
"remove-localgroupmember",
|
531
|
+
"remove-localuser",
|
532
|
+
"remove-module",
|
533
|
+
"remove-psbreakpoint",
|
534
|
+
"remove-psdrive",
|
535
|
+
"remove-psreadlinekeyhandler",
|
536
|
+
"remove-pssession",
|
537
|
+
"remove-pssnapin",
|
538
|
+
"remove-service",
|
539
|
+
"remove-typedata",
|
540
|
+
"remove-variable",
|
541
|
+
"remove-wsmaninstance",
|
542
|
+
"remove-wmiobject",
|
543
|
+
"rename-computer",
|
544
|
+
"rename-item",
|
545
|
+
"rename-itemproperty",
|
546
|
+
"rename-localgroup",
|
547
|
+
"rename-localuser",
|
548
|
+
"reset-computermachinepassword",
|
549
|
+
"resolve-path",
|
550
|
+
"restart-computer",
|
551
|
+
"restart-service",
|
552
|
+
"restore-computer",
|
553
|
+
"resume-job",
|
554
|
+
"resume-service",
|
555
|
+
"save-help",
|
556
|
+
"save-module",
|
557
|
+
"save-package",
|
558
|
+
"save-script",
|
559
|
+
"select-object",
|
560
|
+
"select-string",
|
561
|
+
"select-xml",
|
562
|
+
"send-mailmessage",
|
563
|
+
"set-acl",
|
564
|
+
"set-alias",
|
565
|
+
"set-authenticodesignature",
|
566
|
+
"set-ciminstance",
|
567
|
+
"set-clipboard",
|
568
|
+
"set-content",
|
569
|
+
"set-date",
|
570
|
+
"set-executionpolicy",
|
571
|
+
"set-item",
|
572
|
+
"set-itemproperty",
|
573
|
+
"set-jobtrigger",
|
574
|
+
"set-localgroup",
|
575
|
+
"set-localuser",
|
576
|
+
"set-location",
|
577
|
+
"set-logproperties",
|
578
|
+
"set-markdownoption",
|
579
|
+
"set-psbreakpoint",
|
580
|
+
"set-psdebug",
|
581
|
+
"set-psreadlinekeyhandler",
|
582
|
+
"set-psreadlineoption",
|
583
|
+
"set-psrepository",
|
584
|
+
"set-pssessionconfiguration",
|
585
|
+
"set-packagesource",
|
586
|
+
"set-scheduledjob",
|
587
|
+
"set-scheduledjoboption",
|
588
|
+
"set-service",
|
589
|
+
"set-strictmode",
|
590
|
+
"set-timezone",
|
591
|
+
"set-tracesource",
|
592
|
+
"set-variable",
|
593
|
+
"set-wsmaninstance",
|
594
|
+
"set-wsmanquickconfig",
|
595
|
+
"set-wmiinstance",
|
596
|
+
"show-command",
|
597
|
+
"show-controlpanelitem",
|
598
|
+
"show-eventlog",
|
599
|
+
"show-markdown",
|
600
|
+
"sort-object",
|
601
|
+
"split-path",
|
602
|
+
"start-job",
|
603
|
+
"start-process",
|
604
|
+
"start-service",
|
605
|
+
"start-sleep",
|
606
|
+
"start-threadjob",
|
607
|
+
"start-trace",
|
608
|
+
"start-transaction",
|
609
|
+
"stop-computer",
|
610
|
+
"stop-job",
|
611
|
+
"stop-process",
|
612
|
+
"stop-service",
|
613
|
+
"stop-trace",
|
614
|
+
"stop-transcript",
|
615
|
+
"suspend-job",
|
616
|
+
"suspend-service",
|
617
|
+
"switch-process",
|
618
|
+
"tee-object",
|
619
|
+
"test-computersecurechannel",
|
620
|
+
"test-connection",
|
621
|
+
"test-filecatalog",
|
622
|
+
"test-json",
|
623
|
+
"test-modulemanifest",
|
624
|
+
"test-pssessionconfigurationfile",
|
625
|
+
"test-path",
|
626
|
+
"test-scriptfileinfo",
|
627
|
+
"test-wsman",
|
628
|
+
"trace-command",
|
629
|
+
"unblock-file",
|
630
|
+
"undo-transaction",
|
631
|
+
"uninstall-module",
|
632
|
+
"uninstall-package",
|
633
|
+
"uninstall-script",
|
634
|
+
"unprotect-cmsmessage",
|
635
|
+
"unregister-event",
|
636
|
+
"unregister-psrepository",
|
637
|
+
"unregister-pssessionconfiguration",
|
638
|
+
"unregister-packagesource",
|
639
|
+
"unregister-scheduledjob",
|
640
|
+
"update-formatdata",
|
641
|
+
"update-help",
|
642
|
+
"update-list",
|
643
|
+
"update-module",
|
644
|
+
"update-modulemanifest",
|
645
|
+
"update-script",
|
646
|
+
"update-scriptfileinfo",
|
647
|
+
"update-typedata",
|
648
|
+
"use-transaction",
|
649
|
+
"wait-debugger",
|
650
|
+
"wait-event",
|
651
|
+
"wait-job",
|
652
|
+
"wait-process",
|
653
|
+
"where-object",
|
654
|
+
"write-debug",
|
655
|
+
"write-error",
|
656
|
+
"write-eventlog",
|
657
|
+
"write-host",
|
658
|
+
"write-information",
|
659
|
+
"write-output",
|
660
|
+
"write-progress",
|
661
|
+
"write-verbose",
|
662
|
+
"write-warning"
|
663
|
+
]
|
664
|
+
},
|
665
|
+
"operator": "phrase_match"
|
666
|
+
}
|
667
|
+
],
|
668
|
+
"transformers": [
|
669
|
+
"lowercase"
|
670
|
+
]
|
671
|
+
},
|
672
|
+
{
|
673
|
+
"id": "crs-932-130",
|
674
|
+
"name": "Remote Command Execution: Unix Shell Expression Found",
|
675
|
+
"tags": {
|
676
|
+
"type": "command_injection",
|
677
|
+
"crs_id": "932130",
|
678
|
+
"category": "attack_attempt"
|
679
|
+
},
|
680
|
+
"conditions": [
|
681
|
+
{
|
682
|
+
"parameters": {
|
683
|
+
"inputs": [
|
684
|
+
{
|
685
|
+
"address": "server.request.query"
|
686
|
+
},
|
687
|
+
{
|
688
|
+
"address": "server.request.body"
|
689
|
+
},
|
690
|
+
{
|
691
|
+
"address": "server.request.path_params"
|
692
|
+
},
|
693
|
+
{
|
694
|
+
"address": "graphql.server.all_resolvers"
|
695
|
+
}
|
696
|
+
],
|
697
|
+
"regex": "(?:\\$(?:\\((?:\\(.*\\)|.*)\\)|\\{.*})|\\/\\w*\\[!?.+\\]|[<>]\\(.*\\))",
|
698
|
+
"options": {
|
699
|
+
"case_sensitive": true,
|
700
|
+
"min_length": 3
|
701
|
+
}
|
702
|
+
},
|
703
|
+
"operator": "match_regex"
|
704
|
+
}
|
705
|
+
],
|
706
|
+
"transformers": []
|
707
|
+
},
|
708
|
+
{
|
709
|
+
"id": "crs-932-150",
|
710
|
+
"name": "Remote Command Execution: Direct Unix Command Execution",
|
711
|
+
"tags": {
|
712
|
+
"type": "command_injection",
|
713
|
+
"crs_id": "932150",
|
714
|
+
"category": "attack_attempt"
|
715
|
+
},
|
716
|
+
"conditions": [
|
717
|
+
{
|
718
|
+
"parameters": {
|
719
|
+
"inputs": [
|
720
|
+
{
|
721
|
+
"address": "server.request.query"
|
722
|
+
},
|
723
|
+
{
|
724
|
+
"address": "server.request.body"
|
725
|
+
},
|
726
|
+
{
|
727
|
+
"address": "server.request.path_params"
|
728
|
+
},
|
729
|
+
{
|
730
|
+
"address": "graphql.server.all_resolvers"
|
731
|
+
}
|
732
|
+
],
|
733
|
+
"regex": "(?:(?:^|=)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:[\\\"'])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:z(?:[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*(?:a(?:[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*o|d[\\x5c'\\\"]*e[\\x5c'\\\"]*c))?|o[\\x5c'\\\"]*r[\\x5c'\\\"]*e)|(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|4(?:[\\x5c'\\\"]*c(?:[\\x5c'\\\"]*a[\\x5c'\\\"]*t)?)?|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s))?|s(?:[\\x5c'\\\"]*(?:b[\\x5c'\\\"]*_[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*a[\\x5c'\\\"]*s[\\x5c'\\\"]*e|c[\\x5c'\\\"]*p[\\x5c'\\\"]*u|m[\\x5c'\\\"]*o[\\x5c'\\\"]*d|p[\\x5c'\\\"]*c[\\x5c'\\\"]*i|u[\\x5c'\\\"]*s[\\x5c'\\\"]*b|-[\\x5c'\\\"]*F|o[\\x5c'\\\"]*f))?|e[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:(?:f[\\x5c'\\\"]*i[\\x5c'\\\"]*l|p[\\x5c'\\\"]*i[\\x5c'\\\"]*p)[\\x5c'\\\"]*e|e[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*o)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*g(?:[\\x5c'\\\"]*i[\\x5c'\\\"]*n)?|c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*m)|w[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*-[\\x5c'\\\"]*d[\\x5c'\\\"]*o[\\x5c'\\\"]*w[\\x5c'\\\"]*n[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*d)?|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*g[\\x5c'\\\"]*e[\\x5c'\\\"]*t)?|y[\\x5c'\\\"]*n[\\x5c'\\\"]*x)|z[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*(?:(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*g|n[\\x5c'\\\"]*o[\\x5c'\\\"]*t)[\\x5c'\\\"]*e|d[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*s|c[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*k|m[\\x5c'\\\"]*p)|s[\\x5c'\\\"]*p[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*t|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|i[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*o|t[\\x5c'\\\"]*o[\\x5c'\\\"]*o[\\x5c'\
\\"]*l))?|s[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*d(?:[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|(?:c[\\x5c'\\\"]*a|m)[\\x5c'\\\"]*t))?|h)|(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|r[\\x5c'\\\"]*u[\\x5c'\\\"]*n)|b[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*p[\\x5c'\\\"]*2(?:[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*v[\\x5c'\\\"]*e[\\x5c'\\\"]*r)?|e[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|x[\\x5c'\\\"]*e)|(?:f[\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|z)|u[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*n|n[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p[\\x5c'\\\"]*2|s[\\x5c'\\\"]*y[\\x5c'\\\"]*b[\\x5c'\\\"]*o[\\x5c'\\\"]*x)|s[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|t[\\x5c'\\\"]*a[\\x5c'\\\"]*r)|a[\\x5c'\\\"]*s[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:3[\\x5c'\\\"]*2|6[\\x5c'\\\"]*4|n[\\x5c'\\\"]*c)|h))|s[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|s[\\x5c'\\\"]*i[\\x5c'\\\"]*d)|n[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l|d)|h(?:[\\x5c'\\\"]*\\.[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*r[\\x5c'\\\"]*i[\\x5c'\\\"]*b)?|o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*r[\\x5c'\\\"]*c[\\x5c'\\\"]*e|c[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|t[\\x5c'\\\"]*r[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*g[\\x5c'\\\"]*s|y[\\x5c'\\\"]*s[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|c[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*e[\\x5c'\\\"]*d|p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*
f|f[\\x5c'\\\"]*t[\\x5c'\\\"]*p|u[\\x5c'\\\"]*d[\\x5c'\\\"]*o|s[\\x5c'\\\"]*h|v[\\x5c'\\\"]*n)|p[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*a[\\x5c'\\\"]*r(?:[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p))?|y[\\x5c'\\\"]*t[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*[23]?[\\x5c'\\\"]*(?:\\.[0-9.\\x5c'\\\"]+)?(?:[dmu]+)?|k[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*x[\\x5c'\\\"]*e[\\x5c'\\\"]*c|i[\\x5c'\\\"]*l[\\x5c'\\\"]*l)|r[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|f)|(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e|f[\\x5c'\\\"]*t)[\\x5c'\\\"]*p|e[\\x5c'\\\"]*r[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*5)?|h[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*[57])?|(?:i[\\x5c'\\\"]*g|x)[\\x5c'\\\"]*z|o[\\x5c'\\\"]*p[\\x5c'\\\"]*d)|n[\\x5c'\\\"]*(?:c(?:[\\x5c'\\\"]*(?:\\.[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*a[\\x5c'\\\"]*l|o[\\x5c'\\\"]*p[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*b[\\x5c'\\\"]*s[\\x5c'\\\"]*d)|a[\\x5c'\\\"]*t))?|e[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:k[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*-[\\x5c'\\\"]*f[\\x5c'\\\"]*t[\\x5c'\\\"]*p|(?:s[\\x5c'\\\"]*t|c)[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|o[\\x5c'\\\"]*h[\\x5c'\\\"]*u[\\x5c'\\\"]*p|p[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*g|s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|t[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e|i[\\x5c'\\\"]*n[\\x5c'\\\"]*g)|s[\\x5c'\\\"]*h)|r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e(?:[\\x5c'\\\"]*6)?|(?:i[\\x5c'\\\"]*m[\\x5c'\\\"]*e[\\x5c'\\\"]*o[\\x5c'\\\"]*u|e[\\x5c'\\\"]*l[\\x5c'\\\"]*n[\\x5c'\\\"]*e)[\\x5c'\\\"]*t|a[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*f)?|r))|r[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*a[\\x5c'\\\"]*c[
\\x5c'\\\"]*e|e[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|a[\\x5c'\\\"]*l[\\x5c'\\\"]*p[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*h|n[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*e)|u[\\x5c'\\\"]*b[\\x5c'\\\"]*y(?:[\\x5c'\\\"]*(?:1(?:[\\x5c'\\\"]*[89])?|2[\\x5c'\\\"]*[012]))?|m[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*s[\\x5c'\\\"]*e|d[\\x5c'\\\"]*i)[\\x5c'\\\"]*r|n[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*o|s[\\x5c'\\\"]*y[\\x5c'\\\"]*n[\\x5c'\\\"]*c|c[\\x5c'\\\"]*p)|u[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*p[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|z[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*d|i[\\x5c'\\\"]*p)|(?:p[\\x5c'\\\"]*i[\\x5c'\\\"]*g|x)[\\x5c'\\\"]*z|l[\\x5c'\\\"]*z[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*a|4)|a[\\x5c'\\\"]*m[\\x5c'\\\"]*e|r[\\x5c'\\\"]*a[\\x5c'\\\"]*r|s[\\x5c'\\\"]*e[\\x5c'\\\"]*t)|s[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:(?:a[\\x5c'\\\"]*d|m[\\x5c'\\\"]*o)[\\x5c'\\\"]*d|d[\\x5c'\\\"]*e[\\x5c'\\\"]*l))|m[\\x5c'\\\"]*(?:y[\\x5c'\\\"]*s[\\x5c'\\\"]*q[\\x5c'\\\"]*l[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*u[\\x5c'\\\"]*m[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*s[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*w)?|h[\\x5c'\\\"]*o[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*p[\\x5c'\\\"]*y|a[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*n|s[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*w)|l[\\x5c'\\\"]*o[\\x5c'\\\"]*c[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e|a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*q)|c[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*(?:r[\\x5c'\\\"]*e[\\x5c'\\\"]*_[\\x5c'\\\"]*p[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*l[\\x5c'\\\"]*\\/[\\x5c'\\\"]*z[\\x5c'\\\"]*i[\\x5c'\\\"]*p[\\x5c'\\\"]*d[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*s|m[\\x5c'\\\"]*m[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*d|p[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*c)|u[\\x5c'\\\"]*r[\\x5c'\\\"]*l|9[\\x5c'\\\"]*9|s[\\x5c'\\\"]*h|c)|x[\\x5c'\\\"]*(?:z(?:[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|d[\\x5c'\\
\"]*(?:i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|e[\\x5c'\\\"]*c)|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e))?|a[\\x5c'\\\"]*r[\\x5c'\\\"]*g[\\x5c'\\\"]*s)|f[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*p[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*s|w[\\x5c'\\\"]*h[\\x5c'\\\"]*o)|i[\\x5c'\\\"]*l[\\x5c'\\\"]*e[\\x5c'\\\"]*t[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*t|e[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*h|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p)|g[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*a[\\x5c'\\\"]*t|e[\\x5c'\\\"]*x[\\x5c'\\\"]*e|i[\\x5c'\\\"]*p)|(?:u[\\x5c'\\\"]*n[\\x5c'\\\"]*z[\\x5c'\\\"]*i|r[\\x5c'\\\"]*e)[\\x5c'\\\"]*p|c[\\x5c'\\\"]*c)|e[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*h[\\x5c'\\\"]*o|v[\\x5c'\\\"]*a[\\x5c'\\\"]*l|x[\\x5c'\\\"]*e[\\x5c'\\\"]*c|n[\\x5c'\\\"]*v)|d[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*g|a[\\x5c'\\\"]*s[\\x5c'\\\"]*h|i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|o[\\x5c'\\\"]*a[\\x5c'\\\"]*s)|j[\\x5c'\\\"]*(?:o[\\x5c'\\\"]*b[\\x5c'\\\"]*s[\\x5c'\\\"]*\\s+[\\x5c'\\\"]*-[\\x5c'\\\"]*x|a[\\x5c'\\\"]*v[\\x5c'\\\"]*a)|w[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*o[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*i|g[\\x5c'\\\"]*e[\\x5c'\\\"]*t|3[\\x5c'\\\"]*m)|i[\\x5c'\\\"]*r[\\x5c'\\\"]*b(?:[\\x5c'\\\"]*(?:1(?:[\\x5c'\\\"]*[89])?|2[\\x5c'\\\"]*[012]))?|o[\\x5c'\\\"]*n[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*r|h[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*a[\\x5c'\\\"]*d|u[\\x5c'\\\"]*p)|v[\\x5c'\\\"]*i[\\x5c'\\\"]*(?:g[\\x5c'\\\"]*r|p[\\x5c'\\\"]*w)|7[\\x5c'\\\"]*z(?:[\\x5c'\\\"]*[ar])?|G[\\x5c'\\\"]*E[\\x5c'\\\"]*T|k[\\x5c'\\\"]*s[\\x5c'\\\"]*h)|\\$[\\x5c'\\\"]*(?:\\{[\\x5c'\\\"]*S[\\x5c'\\\"]*H[\\x5c'\\\"]*E[\\x5c'\\\"]*L[\\x5c'\\\"]*L[\\x5c'\\\"]*}|S[\\x5c'\\\"]*H[\\x5c'\\\"]*E[\\x5c'\\\"]*L[\\x5c'\\\"]*L))[\\x5c'\\\"]*(?:\\s|;|\\||&|<|>)",
|
734
|
+
"options": {
|
735
|
+
"case_sensitive": true,
|
736
|
+
"min_length": 3
|
737
|
+
}
|
738
|
+
},
|
739
|
+
"operator": "match_regex"
|
740
|
+
}
|
741
|
+
],
|
742
|
+
"transformers": []
|
743
|
+
},
|
744
|
+
{
|
745
|
+
"id": "crs-933-110",
|
746
|
+
"name": "PHP Injection Attack: PHP Script File Upload Found",
|
747
|
+
"tags": {
|
748
|
+
"type": "php_code_injection",
|
749
|
+
"crs_id": "933110",
|
750
|
+
"category": "attack_attempt"
|
751
|
+
},
|
752
|
+
"conditions": [
|
753
|
+
{
|
754
|
+
"parameters": {
|
755
|
+
"inputs": [
|
756
|
+
{
|
757
|
+
"address": "server.request.headers.no_cookies",
|
758
|
+
"key_path": [
|
759
|
+
"x-filename"
|
760
|
+
]
|
761
|
+
},
|
762
|
+
{
|
763
|
+
"address": "server.request.headers.no_cookies",
|
764
|
+
"key_path": [
|
765
|
+
"x_filename"
|
766
|
+
]
|
767
|
+
},
|
768
|
+
{
|
769
|
+
"address": "server.request.headers.no_cookies",
|
770
|
+
"key_path": [
|
771
|
+
"x.filename"
|
772
|
+
]
|
773
|
+
},
|
774
|
+
{
|
775
|
+
"address": "server.request.headers.no_cookies",
|
776
|
+
"key_path": [
|
777
|
+
"x-file-name"
|
778
|
+
]
|
779
|
+
}
|
780
|
+
],
|
781
|
+
"regex": ".*\\.ph(?:p\\d*|tml|ar|ps|t|pt)\\.*$",
|
782
|
+
"options": {
|
783
|
+
"case_sensitive": true,
|
784
|
+
"min_length": 4
|
785
|
+
}
|
786
|
+
},
|
787
|
+
"operator": "match_regex"
|
788
|
+
}
|
789
|
+
],
|
790
|
+
"transformers": [
|
791
|
+
"lowercase"
|
792
|
+
]
|
793
|
+
},
|
794
|
+
{
|
795
|
+
"id": "crs-933-180",
|
796
|
+
"name": "PHP Injection Attack: Variable Function Call Found",
|
797
|
+
"tags": {
|
798
|
+
"type": "php_code_injection",
|
799
|
+
"crs_id": "933180",
|
800
|
+
"category": "attack_attempt"
|
801
|
+
},
|
802
|
+
"conditions": [
|
803
|
+
{
|
804
|
+
"parameters": {
|
805
|
+
"inputs": [
|
806
|
+
{
|
807
|
+
"address": "server.request.query"
|
808
|
+
},
|
809
|
+
{
|
810
|
+
"address": "server.request.body"
|
811
|
+
},
|
812
|
+
{
|
813
|
+
"address": "server.request.path_params"
|
814
|
+
},
|
815
|
+
{
|
816
|
+
"address": "graphql.server.all_resolvers"
|
817
|
+
}
|
818
|
+
],
|
819
|
+
"regex": "\\$+(?:[a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*|\\s*{.+})(?:\\s|\\[.+\\]|{.+}|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
|
820
|
+
"options": {
|
821
|
+
"case_sensitive": true,
|
822
|
+
"min_length": 4
|
823
|
+
}
|
824
|
+
},
|
825
|
+
"operator": "match_regex"
|
826
|
+
}
|
827
|
+
],
|
828
|
+
"transformers": []
|
829
|
+
},
|
830
|
+
{
|
831
|
+
"id": "crs-933-210",
|
832
|
+
"name": "PHP Injection Attack: Variable Function Call Found",
|
833
|
+
"tags": {
|
834
|
+
"type": "php_code_injection",
|
835
|
+
"crs_id": "933210",
|
836
|
+
"category": "attack_attempt"
|
837
|
+
},
|
838
|
+
"conditions": [
|
839
|
+
{
|
840
|
+
"parameters": {
|
841
|
+
"inputs": [
|
842
|
+
{
|
843
|
+
"address": "server.request.query"
|
844
|
+
},
|
845
|
+
{
|
846
|
+
"address": "server.request.body"
|
847
|
+
},
|
848
|
+
{
|
849
|
+
"address": "server.request.path_params"
|
850
|
+
},
|
851
|
+
{
|
852
|
+
"address": "graphql.server.all_resolvers"
|
853
|
+
}
|
854
|
+
],
|
855
|
+
"regex": "(?:\\(.+\\)\\(.+\\)|\\(.+\\)['\\\"][a-zA-Z-_0-9]+['\\\"]\\(.+\\)|\\[\\d+\\]\\(.+\\)|\\{\\d+\\}\\(.+\\)|\\$[^(?:\\),.;\\x5c/]+\\(.+\\)|[\\\"'][a-zA-Z0-9-_\\x5c]+[\\\"']\\(.+\\)|\\([^\\)]*string[^\\)]*\\)[a-zA-Z-_0-9\\\"'.{}\\[\\]\\s]+\\([^\\)]*\\));",
|
856
|
+
"options": {
|
857
|
+
"case_sensitive": true,
|
858
|
+
"min_length": 6
|
859
|
+
}
|
860
|
+
},
|
861
|
+
"operator": "match_regex"
|
862
|
+
}
|
863
|
+
],
|
864
|
+
"transformers": []
|
865
|
+
},
|
866
|
+
{
|
867
|
+
"id": "crs-941-100",
|
868
|
+
"name": "XSS Attack Detected via libinjection",
|
869
|
+
"tags": {
|
870
|
+
"type": "xss",
|
871
|
+
"crs_id": "941100",
|
872
|
+
"category": "attack_attempt",
|
873
|
+
"cwe": "79"
|
874
|
+
},
|
875
|
+
"conditions": [
|
876
|
+
{
|
877
|
+
"parameters": {
|
878
|
+
"inputs": [
|
879
|
+
{
|
880
|
+
"address": "server.request.headers.no_cookies",
|
881
|
+
"key_path": [
|
882
|
+
"user-agent"
|
883
|
+
]
|
884
|
+
},
|
885
|
+
{
|
886
|
+
"address": "server.request.headers.no_cookies",
|
887
|
+
"key_path": [
|
888
|
+
"referer"
|
889
|
+
]
|
890
|
+
},
|
891
|
+
{
|
892
|
+
"address": "server.request.query"
|
893
|
+
},
|
894
|
+
{
|
895
|
+
"address": "server.request.body"
|
896
|
+
},
|
897
|
+
{
|
898
|
+
"address": "server.request.path_params"
|
899
|
+
},
|
900
|
+
{
|
901
|
+
"address": "grpc.server.request.message"
|
902
|
+
},
|
903
|
+
{
|
904
|
+
"address": "graphql.server.all_resolvers"
|
905
|
+
}
|
906
|
+
]
|
907
|
+
},
|
908
|
+
"operator": "is_xss"
|
909
|
+
}
|
910
|
+
],
|
911
|
+
"transformers": [
|
912
|
+
"removeNulls"
|
913
|
+
]
|
914
|
+
},
|
915
|
+
{
|
916
|
+
"id": "crs-941-130",
|
917
|
+
"name": "XSS Filter - Category 3: Attribute Vector",
|
918
|
+
"tags": {
|
919
|
+
"type": "xss",
|
920
|
+
"crs_id": "941130",
|
921
|
+
"category": "attack_attempt"
|
922
|
+
},
|
923
|
+
"conditions": [
|
924
|
+
{
|
925
|
+
"parameters": {
|
926
|
+
"inputs": [
|
927
|
+
{
|
928
|
+
"address": "server.request.headers.no_cookies",
|
929
|
+
"key_path": [
|
930
|
+
"user-agent"
|
931
|
+
]
|
932
|
+
},
|
933
|
+
{
|
934
|
+
"address": "server.request.query"
|
935
|
+
},
|
936
|
+
{
|
937
|
+
"address": "server.request.body"
|
938
|
+
},
|
939
|
+
{
|
940
|
+
"address": "server.request.path_params"
|
941
|
+
},
|
942
|
+
{
|
943
|
+
"address": "graphql.server.all_resolvers"
|
944
|
+
}
|
945
|
+
],
|
946
|
+
"regex": "[\\s\\S](?:\\b(?:x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction)|!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|;base64|@import)\\b",
|
947
|
+
"options": {
|
948
|
+
"min_length": 6
|
949
|
+
}
|
950
|
+
},
|
951
|
+
"operator": "match_regex"
|
952
|
+
}
|
953
|
+
],
|
954
|
+
"transformers": [
|
955
|
+
"removeNulls"
|
956
|
+
]
|
957
|
+
},
|
958
|
+
{
|
959
|
+
"id": "crs-941-150",
|
960
|
+
"name": "XSS Filter - Category 5: Disallowed HTML Attributes",
|
961
|
+
"tags": {
|
962
|
+
"type": "xss",
|
963
|
+
"crs_id": "941150",
|
964
|
+
"category": "attack_attempt"
|
965
|
+
},
|
966
|
+
"conditions": [
|
967
|
+
{
|
968
|
+
"parameters": {
|
969
|
+
"inputs": [
|
970
|
+
{
|
971
|
+
"address": "server.request.headers.no_cookies",
|
972
|
+
"key_path": [
|
973
|
+
"user-agent"
|
974
|
+
]
|
975
|
+
},
|
976
|
+
{
|
977
|
+
"address": "server.request.query"
|
978
|
+
},
|
979
|
+
{
|
980
|
+
"address": "server.request.body"
|
981
|
+
},
|
982
|
+
{
|
983
|
+
"address": "server.request.path_params"
|
984
|
+
},
|
985
|
+
{
|
986
|
+
"address": "graphql.server.all_resolvers"
|
987
|
+
}
|
988
|
+
],
|
989
|
+
"regex": "\\b(?:s(?:tyle|rc)|href)\\b\\s*?=",
|
990
|
+
"options": {
|
991
|
+
"case_sensitive": true,
|
992
|
+
"min_length": 4
|
993
|
+
}
|
994
|
+
},
|
995
|
+
"operator": "match_regex"
|
996
|
+
}
|
997
|
+
],
|
998
|
+
"transformers": [
|
999
|
+
"removeNulls"
|
1000
|
+
]
|
1001
|
+
},
|
1002
|
+
{
|
1003
|
+
"id": "crs-941-160",
|
1004
|
+
"name": "NoScript XSS InjectionChecker: HTML Injection",
|
1005
|
+
"tags": {
|
1006
|
+
"type": "xss",
|
1007
|
+
"crs_id": "941160",
|
1008
|
+
"category": "attack_attempt"
|
1009
|
+
},
|
1010
|
+
"conditions": [
|
1011
|
+
{
|
1012
|
+
"parameters": {
|
1013
|
+
"inputs": [
|
1014
|
+
{
|
1015
|
+
"address": "server.request.headers.no_cookies",
|
1016
|
+
"key_path": [
|
1017
|
+
"user-agent"
|
1018
|
+
]
|
1019
|
+
},
|
1020
|
+
{
|
1021
|
+
"address": "server.request.headers.no_cookies",
|
1022
|
+
"key_path": [
|
1023
|
+
"referer"
|
1024
|
+
]
|
1025
|
+
},
|
1026
|
+
{
|
1027
|
+
"address": "server.request.query"
|
1028
|
+
},
|
1029
|
+
{
|
1030
|
+
"address": "server.request.body"
|
1031
|
+
},
|
1032
|
+
{
|
1033
|
+
"address": "server.request.path_params"
|
1034
|
+
},
|
1035
|
+
{
|
1036
|
+
"address": "graphql.server.all_resolvers"
|
1037
|
+
}
|
1038
|
+
],
|
1039
|
+
"regex": "(?:(?:<\\w[\\s\\S]*[\\s/]|['\\\"](?:[\\s\\S]*[\\s/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:per
tychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\\s\\x08]*?=|<[^\\w<>]*(?:[^<>\\\"'\\s]*:)?[^\\w<>]*\\W*?(?:(?:a\\W*?(?:n\\W*?i\\W*?m\\W*?a\\W*?t\\W*?e|p\\W*?p\\W*?l\\W*?e\\W*?t|u\\W*?d\\W*?i\\W*?o)|b\\W*?(?:i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g\\W*?s|a\\W*?s\\W*?e|o\\W*?d\\W*?y)|i?\\W*?f\\W*?r\\W*?a\\W*?m\\W*?e|o\\W*?b\\W*?j\\W*?e\\W*?c\\W*?t|i\\W*?m\\W*?a?\\W*?g\\W*?e?|e\\W*?m\\W*?b\\W*?e\\W*?d|p\\W*?a\\W*?r\\W*?a\\W*?m|v\\W*?i\\W*?d\\W*?e\\W*?o|l\\W*?i\\W*?n\\W*?k)[^>\\w]|s\\W*?(?:c\\W*?r\\W*?i\\W*?p\\W*?t|t\\W*?y\\W*?l\\W*?e|e\\W*?t[^>\\w]|v\\W*?g)|m\\W*?(?:a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|e\\W*?t\\W*?a[^>\\w])|f\\W*?o\\W*?r\\W*?m))",
|
1040
|
+
"options": {
|
1041
|
+
"min_length": 4
|
1042
|
+
}
|
1043
|
+
},
|
1044
|
+
"operator": "match_regex"
|
1045
|
+
}
|
1046
|
+
],
|
1047
|
+
"transformers": [
|
1048
|
+
"removeNulls"
|
1049
|
+
]
|
1050
|
+
},
|
1051
|
+
{
|
1052
|
+
"id": "crs-941-190",
|
1053
|
+
"name": "IE XSS Filters - Attack Detected",
|
1054
|
+
"tags": {
|
1055
|
+
"type": "xss",
|
1056
|
+
"crs_id": "941190",
|
1057
|
+
"category": "attack_attempt"
|
1058
|
+
},
|
1059
|
+
"conditions": [
|
1060
|
+
{
|
1061
|
+
"parameters": {
|
1062
|
+
"inputs": [
|
1063
|
+
{
|
1064
|
+
"address": "server.request.query"
|
1065
|
+
},
|
1066
|
+
{
|
1067
|
+
"address": "server.request.body"
|
1068
|
+
},
|
1069
|
+
{
|
1070
|
+
"address": "server.request.path_params"
|
1071
|
+
},
|
1072
|
+
{
|
1073
|
+
"address": "graphql.server.all_resolvers"
|
1074
|
+
}
|
1075
|
+
],
|
1076
|
+
"regex": "(?i:<style.*?>.*?(?:@[i\\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(?:\\x5c]|&#x?0*(?:40|28|92|5C);?)))",
|
1077
|
+
"options": {
|
1078
|
+
"case_sensitive": true,
|
1079
|
+
"min_length": 9
|
1080
|
+
}
|
1081
|
+
},
|
1082
|
+
"operator": "match_regex"
|
1083
|
+
}
|
1084
|
+
],
|
1085
|
+
"transformers": [
|
1086
|
+
"removeNulls"
|
1087
|
+
]
|
1088
|
+
},
|
1089
|
+
{
|
1090
|
+
"id": "crs-941-250",
|
1091
|
+
"name": "IE XSS Filters - Attack Detected",
|
1092
|
+
"tags": {
|
1093
|
+
"type": "xss",
|
1094
|
+
"crs_id": "941250",
|
1095
|
+
"category": "attack_attempt"
|
1096
|
+
},
|
1097
|
+
"conditions": [
|
1098
|
+
{
|
1099
|
+
"parameters": {
|
1100
|
+
"inputs": [
|
1101
|
+
{
|
1102
|
+
"address": "server.request.query"
|
1103
|
+
},
|
1104
|
+
{
|
1105
|
+
"address": "server.request.body"
|
1106
|
+
},
|
1107
|
+
{
|
1108
|
+
"address": "server.request.path_params"
|
1109
|
+
},
|
1110
|
+
{
|
1111
|
+
"address": "graphql.server.all_resolvers"
|
1112
|
+
}
|
1113
|
+
],
|
1114
|
+
"regex": "(?i:<META[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\\\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))",
|
1115
|
+
"options": {
|
1116
|
+
"case_sensitive": true,
|
1117
|
+
"min_length": 18
|
1118
|
+
}
|
1119
|
+
},
|
1120
|
+
"operator": "match_regex"
|
1121
|
+
}
|
1122
|
+
],
|
1123
|
+
"transformers": [
|
1124
|
+
"removeNulls"
|
1125
|
+
]
|
1126
|
+
},
|
1127
|
+
{
|
1128
|
+
"id": "crs-941-260",
|
1129
|
+
"name": "IE XSS Filters - Attack Detected",
|
1130
|
+
"tags": {
|
1131
|
+
"type": "xss",
|
1132
|
+
"crs_id": "941260",
|
1133
|
+
"category": "attack_attempt"
|
1134
|
+
},
|
1135
|
+
"conditions": [
|
1136
|
+
{
|
1137
|
+
"parameters": {
|
1138
|
+
"inputs": [
|
1139
|
+
{
|
1140
|
+
"address": "server.request.query"
|
1141
|
+
},
|
1142
|
+
{
|
1143
|
+
"address": "server.request.body"
|
1144
|
+
},
|
1145
|
+
{
|
1146
|
+
"address": "server.request.path_params"
|
1147
|
+
},
|
1148
|
+
{
|
1149
|
+
"address": "graphql.server.all_resolvers"
|
1150
|
+
}
|
1151
|
+
],
|
1152
|
+
"regex": "(?i:<META[\\s/+].*?charset[\\s/+]*=)",
|
1153
|
+
"options": {
|
1154
|
+
"case_sensitive": true,
|
1155
|
+
"min_length": 14
|
1156
|
+
}
|
1157
|
+
},
|
1158
|
+
"operator": "match_regex"
|
1159
|
+
}
|
1160
|
+
],
|
1161
|
+
"transformers": [
|
1162
|
+
"removeNulls"
|
1163
|
+
]
|
1164
|
+
},
|
1165
|
+
{
|
1166
|
+
"id": "crs-941-370",
|
1167
|
+
"name": "JavaScript global variable found",
|
1168
|
+
"tags": {
|
1169
|
+
"type": "xss",
|
1170
|
+
"crs_id": "941370",
|
1171
|
+
"category": "attack_attempt"
|
1172
|
+
},
|
1173
|
+
"conditions": [
|
1174
|
+
{
|
1175
|
+
"parameters": {
|
1176
|
+
"inputs": [
|
1177
|
+
{
|
1178
|
+
"address": "server.request.query"
|
1179
|
+
},
|
1180
|
+
{
|
1181
|
+
"address": "server.request.body"
|
1182
|
+
},
|
1183
|
+
{
|
1184
|
+
"address": "server.request.path_params"
|
1185
|
+
},
|
1186
|
+
{
|
1187
|
+
"address": "graphql.server.all_resolvers"
|
1188
|
+
}
|
1189
|
+
],
|
1190
|
+
"regex": "(?:self|document|this|top|window)\\s*(?:/\\*|[\\[)]).+?(?:\\]|\\*/)",
|
1191
|
+
"options": {
|
1192
|
+
"case_sensitive": true,
|
1193
|
+
"min_length": 6
|
1194
|
+
}
|
1195
|
+
},
|
1196
|
+
"operator": "match_regex"
|
1197
|
+
}
|
1198
|
+
],
|
1199
|
+
"transformers": []
|
1200
|
+
},
|
1201
|
+
{
|
1202
|
+
"id": "crs-941-380",
|
1203
|
+
"name": "AngularJS client side template injection detected",
|
1204
|
+
"tags": {
|
1205
|
+
"type": "js_code_injection",
|
1206
|
+
"crs_id": "941380",
|
1207
|
+
"category": "attack_attempt"
|
1208
|
+
},
|
1209
|
+
"conditions": [
|
1210
|
+
{
|
1211
|
+
"parameters": {
|
1212
|
+
"inputs": [
|
1213
|
+
{
|
1214
|
+
"address": "server.request.query"
|
1215
|
+
},
|
1216
|
+
{
|
1217
|
+
"address": "server.request.body"
|
1218
|
+
},
|
1219
|
+
{
|
1220
|
+
"address": "server.request.path_params"
|
1221
|
+
},
|
1222
|
+
{
|
1223
|
+
"address": "graphql.server.all_resolvers"
|
1224
|
+
}
|
1225
|
+
],
|
1226
|
+
"regex": "^{{[\\w\\s\\.]*[^\\w\\.\\s}][^}]*}}$",
|
1227
|
+
"options": {
|
1228
|
+
"case_sensitive": true,
|
1229
|
+
"min_length": 5
|
1230
|
+
}
|
1231
|
+
},
|
1232
|
+
"operator": "match_regex"
|
1233
|
+
}
|
1234
|
+
],
|
1235
|
+
"transformers": []
|
1236
|
+
},
|
1237
|
+
{
|
1238
|
+
"id": "crs-942-151",
|
1239
|
+
"name": "SQL function injection Attack",
|
1240
|
+
"tags": {
|
1241
|
+
"type": "sql_injection",
|
1242
|
+
"crs_id": "942151",
|
1243
|
+
"category": "attack_attempt"
|
1244
|
+
},
|
1245
|
+
"conditions": [
|
1246
|
+
{
|
1247
|
+
"parameters": {
|
1248
|
+
"inputs": [
|
1249
|
+
{
|
1250
|
+
"address": "server.request.query"
|
1251
|
+
},
|
1252
|
+
{
|
1253
|
+
"address": "server.request.body"
|
1254
|
+
},
|
1255
|
+
{
|
1256
|
+
"address": "server.request.path_params"
|
1257
|
+
},
|
1258
|
+
{
|
1259
|
+
"address": "graphql.server.all_resolvers"
|
1260
|
+
}
|
1261
|
+
],
|
1262
|
+
"regex": "\\b(?:s(?:q(?:lite_(?:compileoption_(?:used|get)|source_id)|rt)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|ub(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|e(?:ssion_user|c_to_time)|ys(?:tem_user|date)|ha[12]?|oundex|chema|pace|in)|c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|llation|alesce|t)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|ha(?:racte)?r_length|iel(?:ing)?|r32)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)|fnull)|l(?:o(?:ca(?:ltimestamp|te)|g(?:10|2)|ad_file|wer)|i(?:kel(?:ihood|y)|nestring)|ast_(?:inser_id|day)|e(?:as|f)t|case|trim|pad)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)|abase)|y(?:of(?:month|week|year)|name))|e(?:s_(?:de|en)crypt|grees|code)|count|ump)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|likely|hex)|tc_(?:time(?:stamp)?|date)|uid(?:_short)?|pdatexml|case)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im))|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|ulti(?:po(?:lygon|int)|linestring)|i(?:crosecon)?d|onthname|d5)|g(?:e(?:t_(?:format|lock)|ometrycollection)|(?:r(?:oup_conca|eates)|tid_subse)t)|p(?:o(?:(?:siti|lyg)on|w)|eriod_(?:diff|add)|rocedure_analyse|g_sleep)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|tan2?)|f(?:rom_(?:unixtime|base64|days)|i(?:el|n)d_in_set|ound_rows)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|b(?:i(?:t_(?:length|count|x?or|and)|n_to_num)|enchmark)|r(?:a(?:wtohex|dians|nd)|elease_lock|ow_count|trim|pad)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)|ight_string)|json(?:_(?:object|array))?|n(?:ame_const|ot_in|ullif)|var(?:_(?:sam|po)p|iance)|qu(?:arter|ote)|hex(?:toraw)?|yearweek|xmltype)\\W*\\(",
|
1263
|
+
"options": {
|
1264
|
+
"case_sensitive": false,
|
1265
|
+
"min_length": 4
|
1266
|
+
}
|
1267
|
+
},
|
1268
|
+
"operator": "match_regex"
|
1269
|
+
}
|
1270
|
+
],
|
1271
|
+
"transformers": []
|
1272
|
+
},
|
1273
|
+
{
|
1274
|
+
"id": "crs-942-170",
|
1275
|
+
"name": "Detects SQL benchmark and sleep injection attempts including conditional queries",
|
1276
|
+
"tags": {
|
1277
|
+
"type": "sql_injection",
|
1278
|
+
"crs_id": "942170",
|
1279
|
+
"category": "attack_attempt"
|
1280
|
+
},
|
1281
|
+
"conditions": [
|
1282
|
+
{
|
1283
|
+
"parameters": {
|
1284
|
+
"inputs": [
|
1285
|
+
{
|
1286
|
+
"address": "server.request.query"
|
1287
|
+
},
|
1288
|
+
{
|
1289
|
+
"address": "server.request.body"
|
1290
|
+
},
|
1291
|
+
{
|
1292
|
+
"address": "server.request.path_params"
|
1293
|
+
},
|
1294
|
+
{
|
1295
|
+
"address": "graphql.server.all_resolvers"
|
1296
|
+
}
|
1297
|
+
],
|
1298
|
+
"regex": "(?:select|;)\\s+(?:benchmark|sleep|if)\\s*?\\(\\s*?\\(?\\s*?\\w+",
|
1299
|
+
"options": {
|
1300
|
+
"min_length": 6
|
1301
|
+
}
|
1302
|
+
},
|
1303
|
+
"operator": "match_regex"
|
1304
|
+
}
|
1305
|
+
],
|
1306
|
+
"transformers": []
|
1307
|
+
},
|
1308
|
+
{
|
1309
|
+
"id": "crs-942-190",
|
1310
|
+
"name": "Detects MSSQL code execution and information gathering attempts",
|
1311
|
+
"tags": {
|
1312
|
+
"type": "sql_injection",
|
1313
|
+
"crs_id": "942190",
|
1314
|
+
"category": "attack_attempt",
|
1315
|
+
"cwe": "89"
|
1316
|
+
},
|
1317
|
+
"conditions": [
|
1318
|
+
{
|
1319
|
+
"parameters": {
|
1320
|
+
"inputs": [
|
1321
|
+
{
|
1322
|
+
"address": "server.request.query"
|
1323
|
+
},
|
1324
|
+
{
|
1325
|
+
"address": "server.request.body"
|
1326
|
+
},
|
1327
|
+
{
|
1328
|
+
"address": "server.request.path_params"
|
1329
|
+
},
|
1330
|
+
{
|
1331
|
+
"address": "grpc.server.request.message"
|
1332
|
+
},
|
1333
|
+
{
|
1334
|
+
"address": "graphql.server.all_resolvers"
|
1335
|
+
}
|
1336
|
+
],
|
1337
|
+
"regex": "(?:\\b(?:u(?:nion(?:[\\w(?:\\s]*?select|\\sselect\\s@)|ser\\s*?\\([^\\)]*?)|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
|
1338
|
+
"options": {
|
1339
|
+
"min_length": 3
|
1340
|
+
}
|
1341
|
+
},
|
1342
|
+
"operator": "match_regex"
|
1343
|
+
}
|
1344
|
+
],
|
1345
|
+
"transformers": []
|
1346
|
+
},
|
1347
|
+
{
|
1348
|
+
"id": "crs-942-230",
|
1349
|
+
"name": "Detects conditional SQL injection attempts",
|
1350
|
+
"tags": {
|
1351
|
+
"type": "sql_injection",
|
1352
|
+
"crs_id": "942230",
|
1353
|
+
"category": "attack_attempt"
|
1354
|
+
},
|
1355
|
+
"conditions": [
|
1356
|
+
{
|
1357
|
+
"parameters": {
|
1358
|
+
"inputs": [
|
1359
|
+
{
|
1360
|
+
"address": "server.request.query"
|
1361
|
+
},
|
1362
|
+
{
|
1363
|
+
"address": "server.request.body"
|
1364
|
+
},
|
1365
|
+
{
|
1366
|
+
"address": "server.request.path_params"
|
1367
|
+
},
|
1368
|
+
{
|
1369
|
+
"address": "graphql.server.all_resolvers"
|
1370
|
+
}
|
1371
|
+
],
|
1372
|
+
"regex": "(?:select.*?having\\s*?[^\\s]+\\s*?[^\\w\\s]|[\\s(?:)]case\\s+when.*?then|\\)\\s*?like\\s*?\\()",
|
1373
|
+
"options": {
|
1374
|
+
"case_sensitive": false,
|
1375
|
+
"min_length": 5
|
1376
|
+
}
|
1377
|
+
},
|
1378
|
+
"operator": "match_regex"
|
1379
|
+
}
|
1380
|
+
],
|
1381
|
+
"transformers": []
|
1382
|
+
},
|
1383
|
+
{
|
1384
|
+
"id": "crs-942-320",
|
1385
|
+
"name": "Detects MySQL and PostgreSQL stored procedure/function injections",
|
1386
|
+
"tags": {
|
1387
|
+
"type": "sql_injection",
|
1388
|
+
"crs_id": "942320",
|
1389
|
+
"category": "attack_attempt"
|
1390
|
+
},
|
1391
|
+
"conditions": [
|
1392
|
+
{
|
1393
|
+
"parameters": {
|
1394
|
+
"inputs": [
|
1395
|
+
{
|
1396
|
+
"address": "server.request.query"
|
1397
|
+
},
|
1398
|
+
{
|
1399
|
+
"address": "server.request.body"
|
1400
|
+
},
|
1401
|
+
{
|
1402
|
+
"address": "server.request.path_params"
|
1403
|
+
},
|
1404
|
+
{
|
1405
|
+
"address": "graphql.server.all_resolvers"
|
1406
|
+
}
|
1407
|
+
],
|
1408
|
+
"regex": "(?:create\\s+(?:procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-|;\\s*?(?:declare|open)\\s+[\\w-]+|procedure\\s+analyse\\s*?\\(|declare[^\\w]+[@#]\\s*?\\w+|exec\\s*?\\(\\s*?@)",
|
1409
|
+
"options": {
|
1410
|
+
"min_length": 6
|
1411
|
+
}
|
1412
|
+
},
|
1413
|
+
"operator": "match_regex"
|
1414
|
+
}
|
1415
|
+
],
|
1416
|
+
"transformers": []
|
1417
|
+
},
|
1418
|
+
{
|
1419
|
+
"id": "crs-942-350",
|
1420
|
+
"name": "Detects MySQL UDF injection and other data/structure manipulation attempts",
|
1421
|
+
"tags": {
|
1422
|
+
"type": "sql_injection",
|
1423
|
+
"crs_id": "942350",
|
1424
|
+
"category": "attack_attempt"
|
1425
|
+
},
|
1426
|
+
"conditions": [
|
1427
|
+
{
|
1428
|
+
"parameters": {
|
1429
|
+
"inputs": [
|
1430
|
+
{
|
1431
|
+
"address": "server.request.query"
|
1432
|
+
},
|
1433
|
+
{
|
1434
|
+
"address": "server.request.body"
|
1435
|
+
},
|
1436
|
+
{
|
1437
|
+
"address": "server.request.path_params"
|
1438
|
+
},
|
1439
|
+
{
|
1440
|
+
"address": "graphql.server.all_resolvers"
|
1441
|
+
}
|
1442
|
+
],
|
1443
|
+
"regex": "(?:;\\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\\b\\s*?[\\[(?:]?\\w{2,}|create\\s+function\\s.+\\sreturns)",
|
1444
|
+
"options": {
|
1445
|
+
"min_length": 7
|
1446
|
+
}
|
1447
|
+
},
|
1448
|
+
"operator": "match_regex"
|
1449
|
+
}
|
1450
|
+
],
|
1451
|
+
"transformers": []
|
1452
|
+
},
|
1453
|
+
{
|
1454
|
+
"id": "crs-944-240",
|
1455
|
+
"name": "Remote Command Execution: Java serialization (CVE-2015-4852)",
|
1456
|
+
"tags": {
|
1457
|
+
"type": "java_code_injection",
|
1458
|
+
"crs_id": "944240",
|
1459
|
+
"category": "attack_attempt"
|
1460
|
+
},
|
1461
|
+
"conditions": [
|
1462
|
+
{
|
1463
|
+
"parameters": {
|
1464
|
+
"inputs": [
|
1465
|
+
{
|
1466
|
+
"address": "server.request.query"
|
1467
|
+
},
|
1468
|
+
{
|
1469
|
+
"address": "server.request.body"
|
1470
|
+
},
|
1471
|
+
{
|
1472
|
+
"address": "server.request.path_params"
|
1473
|
+
},
|
1474
|
+
{
|
1475
|
+
"address": "graphql.server.all_resolvers"
|
1476
|
+
},
|
1477
|
+
{
|
1478
|
+
"address": "server.request.headers.no_cookies"
|
1479
|
+
}
|
1480
|
+
],
|
1481
|
+
"regex": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)",
|
1482
|
+
"options": {
|
1483
|
+
"case_sensitive": true,
|
1484
|
+
"min_length": 10
|
1485
|
+
}
|
1486
|
+
},
|
1487
|
+
"operator": "match_regex"
|
1488
|
+
}
|
1489
|
+
],
|
1490
|
+
"transformers": [
|
1491
|
+
"lowercase"
|
1492
|
+
]
|
1493
|
+
},
|
1494
|
+
{
|
1495
|
+
"id": "sqr-000-003",
|
1496
|
+
"name": "Obfuscated Path Traversal Attack (/../) on any parameter",
|
1497
|
+
"tags": {
|
1498
|
+
"type": "lfi",
|
1499
|
+
"category": "attack_attempt",
|
1500
|
+
"cwe": "22",
|
1501
|
+
"capec": "1000/255/153/126"
|
1502
|
+
},
|
1503
|
+
"conditions": [
|
1504
|
+
{
|
1505
|
+
"parameters": {
|
1506
|
+
"inputs": [
|
1507
|
+
{
|
1508
|
+
"address": "server.request.query"
|
1509
|
+
},
|
1510
|
+
{
|
1511
|
+
"address": "server.request.body"
|
1512
|
+
},
|
1513
|
+
{
|
1514
|
+
"address": "server.request.path_params"
|
1515
|
+
},
|
1516
|
+
{
|
1517
|
+
"address": "graphql.server.all_resolvers"
|
1518
|
+
}
|
1519
|
+
],
|
1520
|
+
"regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
|
1521
|
+
"options": {
|
1522
|
+
"min_length": 4
|
1523
|
+
}
|
1524
|
+
},
|
1525
|
+
"operator": "match_regex"
|
1526
|
+
}
|
1527
|
+
],
|
1528
|
+
"transformers": []
|
1529
|
+
},
|
1530
|
+
{
|
1531
|
+
"id": "sqr-000-004",
|
1532
|
+
"name": "Obfuscated Path Traversal Attack (/../) on any parameter",
|
1533
|
+
"tags": {
|
1534
|
+
"type": "lfi",
|
1535
|
+
"category": "attack_attempt",
|
1536
|
+
"cwe": "22",
|
1537
|
+
"capec": "1000/255/153/126"
|
1538
|
+
},
|
1539
|
+
"conditions": [
|
1540
|
+
{
|
1541
|
+
"parameters": {
|
1542
|
+
"inputs": [
|
1543
|
+
{
|
1544
|
+
"address": "server.request.query"
|
1545
|
+
},
|
1546
|
+
{
|
1547
|
+
"address": "server.request.body"
|
1548
|
+
},
|
1549
|
+
{
|
1550
|
+
"address": "server.request.path_params"
|
1551
|
+
},
|
1552
|
+
{
|
1553
|
+
"address": "graphql.server.all_resolvers"
|
1554
|
+
}
|
1555
|
+
],
|
1556
|
+
"regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
|
1557
|
+
"options": {
|
1558
|
+
"case_sensitive": true,
|
1559
|
+
"min_length": 3
|
1560
|
+
}
|
1561
|
+
},
|
1562
|
+
"operator": "match_regex"
|
1563
|
+
}
|
1564
|
+
],
|
1565
|
+
"transformers": [
|
1566
|
+
"removeNulls"
|
1567
|
+
]
|
1568
|
+
},
|
1569
|
+
{
|
1570
|
+
"id": "sqr-000-007",
|
1571
|
+
"name": "NoSQL: Detect common exploitation strategy",
|
1572
|
+
"tags": {
|
1573
|
+
"type": "nosql_injection",
|
1574
|
+
"category": "attack_attempt",
|
1575
|
+
"cwe": "943"
|
1576
|
+
},
|
1577
|
+
"conditions": [
|
1578
|
+
{
|
1579
|
+
"parameters": {
|
1580
|
+
"inputs": [
|
1581
|
+
{
|
1582
|
+
"address": "server.request.query"
|
1583
|
+
},
|
1584
|
+
{
|
1585
|
+
"address": "server.request.body"
|
1586
|
+
},
|
1587
|
+
{
|
1588
|
+
"address": "server.request.path_params"
|
1589
|
+
},
|
1590
|
+
{
|
1591
|
+
"address": "graphql.server.all_resolvers"
|
1592
|
+
}
|
1593
|
+
],
|
1594
|
+
"regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
|
1595
|
+
},
|
1596
|
+
"operator": "match_regex"
|
1597
|
+
}
|
1598
|
+
],
|
1599
|
+
"transformers": [
|
1600
|
+
"keys_only"
|
1601
|
+
]
|
1602
|
+
},
|
1603
|
+
{
|
1604
|
+
"id": "sqr-000-011",
|
1605
|
+
"name": "Node.js: Prototype pollution",
|
1606
|
+
"tags": {
|
1607
|
+
"type": "js_code_injection",
|
1608
|
+
"category": "attack_attempt"
|
1609
|
+
},
|
1610
|
+
"conditions": [
|
1611
|
+
{
|
1612
|
+
"parameters": {
|
1613
|
+
"inputs": [
|
1614
|
+
{
|
1615
|
+
"address": "server.request.query"
|
1616
|
+
},
|
1617
|
+
{
|
1618
|
+
"address": "server.request.body"
|
1619
|
+
},
|
1620
|
+
{
|
1621
|
+
"address": "server.request.path_params"
|
1622
|
+
},
|
1623
|
+
{
|
1624
|
+
"address": "server.request.headers.no_cookies"
|
1625
|
+
}
|
1626
|
+
],
|
1627
|
+
"regex": "__proto__[\\.\\[]"
|
1628
|
+
},
|
1629
|
+
"operator": "match_regex"
|
1630
|
+
}
|
1631
|
+
],
|
1632
|
+
"transformers": []
|
1633
|
+
}
|
1634
|
+
]
|
1635
|
+
}
|