RubyGems - datadog - Versions diffs - 2.16.0 → 2.18.0 - Mend

datadog 2.16.0 → 2.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (164) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +72 -1
data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +12 -46
data/ext/datadog_profiling_native_extension/collectors_stack.c +227 -49
data/ext/datadog_profiling_native_extension/collectors_stack.h +19 -3
data/ext/datadog_profiling_native_extension/collectors_thread_context.c +63 -12
data/ext/datadog_profiling_native_extension/collectors_thread_context.h +1 -0
data/ext/datadog_profiling_native_extension/encoded_profile.c +22 -12
data/ext/datadog_profiling_native_extension/encoded_profile.h +1 -0
data/ext/datadog_profiling_native_extension/extconf.rb +7 -0
data/ext/datadog_profiling_native_extension/heap_recorder.c +239 -363
data/ext/datadog_profiling_native_extension/heap_recorder.h +4 -6
data/ext/datadog_profiling_native_extension/http_transport.c +45 -72
data/ext/datadog_profiling_native_extension/libdatadog_helpers.c +22 -0
data/ext/datadog_profiling_native_extension/libdatadog_helpers.h +8 -5
data/ext/datadog_profiling_native_extension/private_vm_api_access.c +1 -0
data/ext/datadog_profiling_native_extension/private_vm_api_access.h +6 -3
data/ext/datadog_profiling_native_extension/ruby_helpers.c +1 -13
data/ext/datadog_profiling_native_extension/ruby_helpers.h +2 -10
data/ext/datadog_profiling_native_extension/stack_recorder.c +156 -60
data/ext/libdatadog_api/crashtracker.c +10 -3
data/ext/libdatadog_api/extconf.rb +2 -2
data/ext/libdatadog_api/library_config.c +54 -12
data/ext/libdatadog_api/library_config.h +6 -0
data/ext/libdatadog_api/macos_development.md +3 -3
data/ext/libdatadog_api/process_discovery.c +2 -7
data/ext/libdatadog_extconf_helpers.rb +2 -2
data/lib/datadog/appsec/api_security/lru_cache.rb +56 -0
data/lib/datadog/appsec/api_security/route_extractor.rb +65 -0
data/lib/datadog/appsec/api_security/sampler.rb +59 -0
data/lib/datadog/appsec/api_security.rb +23 -0
data/lib/datadog/appsec/assets/waf_rules/recommended.json +257 -85
data/lib/datadog/appsec/assets/waf_rules/strict.json +10 -78
data/lib/datadog/appsec/component.rb +30 -54
data/lib/datadog/appsec/configuration/settings.rb +60 -2
data/lib/datadog/appsec/context.rb +6 -6
data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb +1 -1
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +27 -16
data/lib/datadog/appsec/processor/rule_loader.rb +5 -6
data/lib/datadog/appsec/remote.rb +15 -55
data/lib/datadog/appsec/security_engine/engine.rb +194 -0
data/lib/datadog/appsec/security_engine/runner.rb +10 -11
data/lib/datadog/appsec.rb +4 -7
data/lib/datadog/core/buffer/random.rb +18 -2
data/lib/datadog/core/configuration/agent_settings.rb +52 -0
data/lib/datadog/core/configuration/agent_settings_resolver.rb +4 -46
data/lib/datadog/core/configuration/components.rb +31 -24
data/lib/datadog/core/configuration/components_state.rb +23 -0
data/lib/datadog/core/configuration/option.rb +27 -27
data/lib/datadog/core/configuration/option_definition.rb +4 -4
data/lib/datadog/core/configuration/options.rb +1 -1
data/lib/datadog/core/configuration/settings.rb +32 -20
data/lib/datadog/core/configuration/stable_config.rb +1 -2
data/lib/datadog/core/configuration.rb +16 -16
data/lib/datadog/core/crashtracking/component.rb +2 -1
data/lib/datadog/core/crashtracking/tag_builder.rb +4 -22
data/lib/datadog/core/encoding.rb +1 -1
data/lib/datadog/core/environment/cgroup.rb +10 -12
data/lib/datadog/core/environment/container.rb +38 -40
data/lib/datadog/core/environment/ext.rb +6 -6
data/lib/datadog/core/environment/identity.rb +3 -3
data/lib/datadog/core/environment/platform.rb +3 -3
data/lib/datadog/core/error.rb +11 -9
data/lib/datadog/core/logger.rb +2 -2
data/lib/datadog/core/metrics/client.rb +12 -14
data/lib/datadog/core/metrics/logging.rb +5 -5
data/lib/datadog/core/process_discovery/tracer_memfd.rb +15 -0
data/lib/datadog/core/process_discovery.rb +5 -1
data/lib/datadog/core/rate_limiter.rb +4 -2
data/lib/datadog/core/remote/client.rb +32 -31
data/lib/datadog/core/remote/component.rb +3 -3
data/lib/datadog/core/remote/configuration/digest.rb +7 -7
data/lib/datadog/core/remote/configuration/path.rb +1 -1
data/lib/datadog/core/remote/configuration/repository.rb +12 -0
data/lib/datadog/core/remote/transport/http/client.rb +1 -1
data/lib/datadog/core/remote/transport/http/config.rb +21 -5
data/lib/datadog/core/remote/transport/http/negotiation.rb +1 -1
data/lib/datadog/core/runtime/metrics.rb +3 -3
data/lib/datadog/core/tag_builder.rb +56 -0
data/lib/datadog/core/telemetry/component.rb +39 -24
data/lib/datadog/core/telemetry/emitter.rb +7 -1
data/lib/datadog/core/telemetry/event/app_client_configuration_change.rb +66 -0
data/lib/datadog/core/telemetry/event/app_closing.rb +18 -0
data/lib/datadog/core/telemetry/event/app_dependencies_loaded.rb +33 -0
data/lib/datadog/core/telemetry/event/app_heartbeat.rb +18 -0
data/lib/datadog/core/telemetry/event/app_integrations_change.rb +58 -0
data/lib/datadog/core/telemetry/event/app_started.rb +269 -0
data/lib/datadog/core/telemetry/event/base.rb +40 -0
data/lib/datadog/core/telemetry/event/distributions.rb +18 -0
data/lib/datadog/core/telemetry/event/generate_metrics.rb +43 -0
data/lib/datadog/core/telemetry/event/log.rb +76 -0
data/lib/datadog/core/telemetry/event/message_batch.rb +42 -0
data/lib/datadog/core/telemetry/event/synth_app_client_configuration_change.rb +43 -0
data/lib/datadog/core/telemetry/event.rb +17 -475
data/lib/datadog/core/telemetry/logger.rb +5 -4
data/lib/datadog/core/telemetry/logging.rb +11 -5
data/lib/datadog/core/telemetry/metric.rb +3 -3
data/lib/datadog/core/telemetry/transport/http/telemetry.rb +2 -2
data/lib/datadog/core/telemetry/transport/telemetry.rb +0 -1
data/lib/datadog/core/telemetry/worker.rb +48 -27
data/lib/datadog/core/transport/http/adapters/net.rb +17 -2
data/lib/datadog/core/transport/http/adapters/test.rb +2 -1
data/lib/datadog/core/transport/http/builder.rb +14 -14
data/lib/datadog/core/transport/http/env.rb +8 -0
data/lib/datadog/core/utils/at_fork_monkey_patch.rb +6 -6
data/lib/datadog/core/utils/duration.rb +32 -32
data/lib/datadog/core/utils/forking.rb +2 -2
data/lib/datadog/core/utils/network.rb +6 -6
data/lib/datadog/core/utils/only_once_successful.rb +16 -5
data/lib/datadog/core/utils/time.rb +10 -2
data/lib/datadog/core/utils/truncation.rb +21 -0
data/lib/datadog/core/utils.rb +7 -0
data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +1 -1
data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +8 -8
data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +7 -7
data/lib/datadog/core/worker.rb +1 -1
data/lib/datadog/core/workers/async.rb +9 -10
data/lib/datadog/di/instrumenter.rb +52 -2
data/lib/datadog/di/probe_notification_builder.rb +31 -41
data/lib/datadog/di/probe_notifier_worker.rb +9 -1
data/lib/datadog/di/serializer.rb +6 -2
data/lib/datadog/di/transport/http/input.rb +10 -0
data/lib/datadog/di/transport/input.rb +10 -2
data/lib/datadog/error_tracking/component.rb +2 -2
data/lib/datadog/profiling/collectors/code_provenance.rb +18 -9
data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +4 -0
data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +1 -0
data/lib/datadog/profiling/collectors/thread_context.rb +16 -1
data/lib/datadog/profiling/component.rb +7 -9
data/lib/datadog/profiling/ext.rb +0 -13
data/lib/datadog/profiling/flush.rb +1 -1
data/lib/datadog/profiling/http_transport.rb +3 -8
data/lib/datadog/profiling/profiler.rb +2 -0
data/lib/datadog/profiling/scheduler.rb +10 -2
data/lib/datadog/profiling/stack_recorder.rb +5 -5
data/lib/datadog/profiling/tag_builder.rb +5 -41
data/lib/datadog/profiling/tasks/setup.rb +2 -0
data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +15 -0
data/lib/datadog/tracing/contrib/action_pack/action_dispatch/instrumentation.rb +19 -12
data/lib/datadog/tracing/contrib/action_pack/ext.rb +2 -0
data/lib/datadog/tracing/contrib/active_support/cache/events/cache.rb +4 -1
data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +33 -0
data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +4 -0
data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +2 -4
data/lib/datadog/tracing/contrib/aws/instrumentation.rb +10 -0
data/lib/datadog/tracing/contrib/aws/parsed_context.rb +5 -1
data/lib/datadog/tracing/contrib/http/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/lograge/patcher.rb +4 -2
data/lib/datadog/tracing/contrib/patcher.rb +5 -2
data/lib/datadog/tracing/contrib/sidekiq/ext.rb +1 -0
data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +5 -2
data/lib/datadog/tracing/contrib/support.rb +28 -0
data/lib/datadog/tracing/metadata/errors.rb +4 -4
data/lib/datadog/tracing/sync_writer.rb +1 -1
data/lib/datadog/tracing/trace_operation.rb +12 -4
data/lib/datadog/tracing/tracer.rb +6 -2
data/lib/datadog/version.rb +1 -1
metadata +31 -12
data/lib/datadog/appsec/assets/waf_rules/processors.json +0 -321
data/lib/datadog/appsec/assets/waf_rules/scanners.json +0 -1023
data/lib/datadog/appsec/processor/rule_merger.rb +0 -171
data/lib/datadog/appsec/processor.rb +0 -107

data/lib/datadog/appsec/api_security/route_extractor.rb ADDED Viewed

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module APISecurity
+      # This is a helper module to extract the route pattern from the Rack::Request.
+      module RouteExtractor
+        SINATRA_ROUTE_KEY = 'sinatra.route'
+        SINATRA_ROUTE_SEPARATOR = ' '
+        GRAPE_ROUTE_KEY = 'grape.routing_args'
+        RAILS_ROUTE_KEY = 'action_dispatch.route_uri_pattern'
+        RAILS_ROUTES_KEY = 'action_dispatch.routes'
+        RAILS_FORMAT_SUFFIX = '(.:format)'
+        # HACK: We rely on the fact that each contrib will modify `request.env`
+        #       and store information sufficient to compute the canonical
+        #       route (ex: `/users/:id`).
+        #
+        #       When contribs like Sinatra or Grape are used, they could be mounted
+        #       into the Rails app, hence you can see the use of the `script_name`
+        #       that will contain the path prefix of the mounted app.
+        #
+        #       Rack
+        #         does not support named arguments, so we have to use `path`
+        #       Sinatra
+        #         uses `sinatra.route` with a string like "GET /users/:id"
+        #       Grape
+        #         uses `grape.routing_args` with a hash with a `:route_info` key
+        #         that contains a `Grape::Router::Route` object that contains
+        #         `Grape::Router::Pattern` object with an `origin` method
+        #       Rails < 7.1 (slow path)
+        #         uses `action_dispatch.routes` to store `ActionDispatch::Routing::RouteSet`
+        #         which can recognize requests
+        #       Rails > 7.1 (fast path)
+        #         uses `action_dispatch.route_uri_pattern` with a string like
+        #         "/users/:id(.:format)"
+        #
+        # WARNING: This method works only *after* the request has been routed.
+        def self.route_pattern(request)
+          if request.env.key?(GRAPE_ROUTE_KEY)
+            pattern = request.env[GRAPE_ROUTE_KEY][:route_info]&.pattern&.origin
+            "#{request.script_name}#{pattern}"
+          elsif request.env.key?(SINATRA_ROUTE_KEY)
+            pattern = request.env[SINATRA_ROUTE_KEY].split(SINATRA_ROUTE_SEPARATOR, 2)[1]
+            "#{request.script_name}#{pattern}"
+          elsif request.env.key?(RAILS_ROUTE_KEY)
+            request.env[RAILS_ROUTE_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
+          elsif request.env.key?(RAILS_ROUTES_KEY)
+            pattern = request.env[RAILS_ROUTES_KEY].router
+              .recognize(request) { |route, _| break route.path.spec.to_s }
+            # NOTE: If rails is unable to recognize request it returns empty Array
+            pattern = nil if pattern&.empty?
+            # NOTE: If rails can't recognize the request, we are going to fallback
+            #       to generic request path
+            (pattern || request.path).delete_suffix(RAILS_FORMAT_SUFFIX)
+          else
+            request.path
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/api_security/sampler.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+require 'zlib'
+require_relative 'lru_cache'
+require_relative 'route_extractor'
+require_relative '../../core/utils/time'
+module Datadog
+  module AppSec
+    module APISecurity
+      # A thread-local sampler for API security based on defined delay between
+      # samples with caching capability.
+      class Sampler
+        THREAD_KEY = :datadog_appsec_api_security_sampler
+        MAX_CACHE_SIZE = 4096
+        class << self
+          def thread_local
+            sampler = Thread.current.thread_variable_get(THREAD_KEY)
+            return sampler unless sampler.nil?
+            Thread.current.thread_variable_set(THREAD_KEY, new(sample_delay))
+          end
+          # @api private
+          def reset!
+            Thread.current.thread_variable_set(THREAD_KEY, nil)
+          end
+          private
+          def sample_delay
+            Datadog.configuration.appsec.api_security.sample_delay
+          end
+        end
+        def initialize(sample_delay)
+          raise ArgumentError, 'sample_delay must be an Integer' unless sample_delay.is_a?(Integer)
+          @cache = LRUCache.new(MAX_CACHE_SIZE)
+          @sample_delay_seconds = sample_delay
+        end
+        def sample?(request, response)
+          return true if @sample_delay_seconds.zero?
+          key = Zlib.crc32("#{request.request_method}#{RouteExtractor.route_pattern(request)}#{response.status}")
+          current_timestamp = Core::Utils::Time.now.to_i
+          cached_timestamp = @cache[key] || 0
+          return false if current_timestamp - cached_timestamp <= @sample_delay_seconds
+          @cache.store(key, current_timestamp)
+          true
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/api_security.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+require_relative 'api_security/sampler'
+module Datadog
+  module AppSec
+    # A namespace for API Security features.
+    module APISecurity
+      def self.enabled?
+        Datadog.configuration.appsec.api_security.enabled?
+      end
+      def self.sample?(request, response)
+        Sampler.thread_local.sample?(request, response)
+      end
+      def self.sample_trace?(trace)
+        # NOTE: Reads as "if trace is priority sampled or if in standalone mode"
+        trace&.priority_sampled? || !Datadog.configuration.apm.tracing.enabled
+      end
+    end
+  end
+end

data/lib/datadog/appsec/assets/waf_rules/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.13.3"
+    "rules_version": "1.14.2"
   },
   "rules": [
     {
@@ -4864,6 +4864,36 @@
       ],
       "transformers": []
     },
+    {
+      "id": "ua0-600-68x",
+      "name": "xorbot",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "xorbot",
+        "confidence": "0",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "\\bmasjesu\\b"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "dog-913-001",
       "name": "BurpCollaborator OOB domain",
@@ -5422,6 +5452,82 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-913-013",
+      "name": "Public PoC for CVE-2025-24813",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "confidence": "1",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.uri.raw"
+              }
+            ],
+            "regex": "/iSee857/session",
+            "options": {
+              "case_sensitive": false,
+              "min_length": 16
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "dog-913-014",
+      "name": "Exploit attempt for Next.js Middleware Exploit (CVE-2025-29927)",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "confidence": "0",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "x-middleware-subrequest"
+                ]
+              }
+            ],
+            "regex": ".*",
+            "options": {
+              "min_length": 1
+            }
+          },
+          "operator": "match_regex"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "x-middleware-subrequest"
+                ]
+              }
+            ],
+            "regex": "[0-9a-fA-F]{40}|\\[\\w+\\]"
+          },
+          "operator": "!match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "dog-920-001",
       "name": "JWT authentication bypass",
@@ -6314,7 +6420,7 @@
                 "address": "server.request.uri.raw"
               }
             ],
-            "regex": "(?:/swagger\\b|/api[-/]docs?\\b)",
+            "regex": "(?:^|/)(?:swagger|api[-/]?docs?|openapi)\\b",
             "options": {
               "case_sensitive": false
             }
@@ -6331,7 +6437,7 @@
         "category": "vulnerability_trigger",
         "cwe": "22",
         "capec": "1000/255/153/126",
-        "confidence": "0",
+        "confidence": "1",
         "module": "rasp"
       },
       "conditions": [
@@ -6379,7 +6485,7 @@
         "category": "vulnerability_trigger",
         "cwe": "77",
         "capec": "1000/152/248/88",
-        "confidence": "0",
+        "confidence": "1",
         "module": "rasp"
       },
       "conditions": [
@@ -6427,7 +6533,7 @@
         "category": "vulnerability_trigger",
         "cwe": "77",
         "capec": "1000/152/248/88",
-        "confidence": "0",
+        "confidence": "1",
         "module": "rasp"
       },
       "conditions": [
@@ -6479,6 +6585,20 @@
         "module": "rasp"
       },
       "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "regex": "^(jar:)?https?:\\/\\/\\W*([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|(\\[)?[:0-9a-f\\.x]{2,}(\\])?|metadata\\.google\\.internal|(?:[a-z0-9:@\\.\\-]*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru|ifconfig\\.pro|dnslog\\.\\w+))(:[0-9]{1,5})?(\\/[^:@]*)?$",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        },
         {
           "parameters": {
             "resource": [
@@ -6523,7 +6643,7 @@
         "category": "vulnerability_trigger",
         "cwe": "89",
         "capec": "1000/152/248/66",
-        "confidence": "0",
+        "confidence": "1",
         "module": "rasp"
       },
       "conditions": [
@@ -6957,7 +7077,7 @@
                 "address": "graphql.server.resolver"
               }
             ],
-            "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru)"
+            "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru|dnslog\\.\\w+)"
           },
           "operator": "match_regex"
         }
@@ -7765,7 +7885,7 @@
                 ]
               }
             ],
-            "regex": "nmap (nse|scripting engine)"
+            "regex": "nmap (nse|scripting engine|icap-client/)"
           },
           "operator": "match_regex"
         }
@@ -8537,6 +8657,126 @@
       ],
       "transformers": []
     },
+    {
+      "id": "ua0-600-64x",
+      "name": "ddg_win",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "ddg_win",
+        "confidence": "1",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "\\bddg_win\\b"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "ua0-600-65x",
+      "name": "ISS",
+      "tags": {
+        "type": "commercial_scanner",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "iss",
+        "confidence": "0",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "\\bisscyberriskcrawler/\\d\\.\\d"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "ua0-600-66x",
+      "name": "BountyBot",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "bountybot",
+        "confidence": "1",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "\\bbountybot\\b"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "ua0-600-67x",
+      "name": "ZumBot",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "zumbot",
+        "confidence": "1",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "\\bzumbot\\b"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "ua0-600-6xx",
       "name": "Stealthy scanner",
@@ -8634,24 +8874,7 @@
     {
       "id": "http-endpoint-fingerprint",
       "generator": "http_endpoint_fingerprint",
-      "conditions": [
-        {
-          "operator": "exists",
-          "parameters": {
-            "inputs": [
-              {
-                "address": "waf.context.event"
-              },
-              {
-                "address": "server.business_logic.users.login.failure"
-              },
-              {
-                "address": "server.business_logic.users.login.success"
-              }
-            ]
-          }
-        }
-      ],
+      "conditions": [],
       "parameters": {
         "mappings": [
           {
@@ -8679,7 +8902,7 @@
           }
         ]
       },
-      "evaluate": false,
+      "evaluate": true,
       "output": true
     },
     {
@@ -8835,24 +9058,7 @@
     {
       "id": "http-header-fingerprint",
       "generator": "http_header_fingerprint",
-      "conditions": [
-        {
-          "operator": "exists",
-          "parameters": {
-            "inputs": [
-              {
-                "address": "waf.context.event"
-              },
-              {
-                "address": "server.business_logic.users.login.failure"
-              },
-              {
-                "address": "server.business_logic.users.login.success"
-              }
-            ]
-          }
-        }
-      ],
+      "conditions": [],
       "parameters": {
         "mappings": [
           {
@@ -8865,30 +9071,13 @@
           }
         ]
       },
-      "evaluate": false,
+      "evaluate": true,
       "output": true
     },
     {
       "id": "http-network-fingerprint",
       "generator": "http_network_fingerprint",
-      "conditions": [
-        {
-          "operator": "exists",
-          "parameters": {
-            "inputs": [
-              {
-                "address": "waf.context.event"
-              },
-              {
-                "address": "server.business_logic.users.login.failure"
-              },
-              {
-                "address": "server.business_logic.users.login.success"
-              }
-            ]
-          }
-        }
-      ],
+      "conditions": [],
       "parameters": {
         "mappings": [
           {
@@ -8901,30 +9090,13 @@
           }
         ]
       },
-      "evaluate": false,
+      "evaluate": true,
       "output": true
     },
     {
       "id": "session-fingerprint",
       "generator": "session_fingerprint",
-      "conditions": [
-        {
-          "operator": "exists",
-          "parameters": {
-            "inputs": [
-              {
-                "address": "waf.context.event"
-              },
-              {
-                "address": "server.business_logic.users.login.failure"
-              },
-              {
-                "address": "server.business_logic.users.login.success"
-              }
-            ]
-          }
-        }
-      ],
+      "conditions": [],
       "parameters": {
         "mappings": [
           {
@@ -8947,7 +9119,7 @@
           }
         ]
       },
-      "evaluate": false,
+      "evaluate": true,
       "output": true
     }
   ],
@@ -9974,4 +10146,4 @@
       }
     }
   ]
-}
+}