ddtrace 1.0.0 → 1.10.1

Files changed (767)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +529 -2
  3. data/LICENSE-3rdparty.csv +7 -2
  4. data/README.md +10 -5
  5. data/ext/ddtrace_profiling_loader/ddtrace_profiling_loader.c +134 -0
  6. data/ext/ddtrace_profiling_loader/extconf.rb +72 -0
  7. data/ext/ddtrace_profiling_native_extension/NativeExtensionDesign.md +79 -9
  8. data/ext/ddtrace_profiling_native_extension/clock_id.h +22 -1
  9. data/ext/ddtrace_profiling_native_extension/clock_id_from_pthread.c +33 -10
  10. data/ext/ddtrace_profiling_native_extension/clock_id_noop.c +11 -2
  11. data/ext/ddtrace_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +821 -0
  12. data/ext/ddtrace_profiling_native_extension/collectors_dynamic_sampling_rate.c +142 -0
  13. data/ext/ddtrace_profiling_native_extension/collectors_dynamic_sampling_rate.h +14 -0
  14. data/ext/ddtrace_profiling_native_extension/collectors_idle_sampling_helper.c +241 -0
  15. data/ext/ddtrace_profiling_native_extension/collectors_idle_sampling_helper.h +3 -0
  16. data/ext/ddtrace_profiling_native_extension/collectors_stack.c +379 -0
  17. data/ext/ddtrace_profiling_native_extension/collectors_stack.h +20 -0
  18. data/ext/ddtrace_profiling_native_extension/collectors_thread_context.c +978 -0
  19. data/ext/ddtrace_profiling_native_extension/collectors_thread_context.h +14 -0
  20. data/ext/ddtrace_profiling_native_extension/extconf.rb +147 -116
  21. data/ext/ddtrace_profiling_native_extension/helpers.h +17 -0
  22. data/ext/ddtrace_profiling_native_extension/http_transport.c +347 -0
  23. data/ext/ddtrace_profiling_native_extension/libdatadog_helpers.h +25 -0
  24. data/ext/ddtrace_profiling_native_extension/native_extension_helpers.rb +319 -0
  25. data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c +706 -9
  26. data/ext/ddtrace_profiling_native_extension/private_vm_api_access.h +42 -0
  27. data/ext/ddtrace_profiling_native_extension/profiling.c +230 -3
  28. data/ext/ddtrace_profiling_native_extension/ruby_helpers.c +110 -0
  29. data/ext/ddtrace_profiling_native_extension/ruby_helpers.h +89 -0
  30. data/ext/ddtrace_profiling_native_extension/setup_signal_handler.c +115 -0
  31. data/ext/ddtrace_profiling_native_extension/setup_signal_handler.h +11 -0
  32. data/ext/ddtrace_profiling_native_extension/stack_recorder.c +591 -0
  33. data/ext/ddtrace_profiling_native_extension/stack_recorder.h +14 -0
  34. data/ext/ddtrace_profiling_native_extension/time_helpers.c +17 -0
  35. data/ext/ddtrace_profiling_native_extension/time_helpers.h +10 -0
  36. data/lib/datadog/appsec/assets/blocked.html +98 -3
  37. data/lib/datadog/appsec/assets/blocked.json +1 -0
  38. data/lib/datadog/appsec/assets/blocked.text +5 -0
  39. data/lib/datadog/appsec/assets/waf_rules/recommended.json +1722 -636
  40. data/lib/datadog/appsec/assets/waf_rules/strict.json +366 -74
  41. data/lib/datadog/appsec/assets.rb +2 -4
  42. data/lib/datadog/appsec/autoload.rb +5 -10
  43. data/lib/datadog/appsec/component.rb +41 -0
  44. data/lib/datadog/appsec/configuration/settings.rb +61 -20
  45. data/lib/datadog/appsec/configuration.rb +20 -4
  46. data/lib/datadog/appsec/contrib/auto_instrument.rb +0 -4
  47. data/lib/datadog/appsec/contrib/configuration/settings.rb +1 -3
  48. data/lib/datadog/appsec/contrib/integration.rb +0 -2
  49. data/lib/datadog/appsec/contrib/patcher.rb +0 -2
  50. data/lib/datadog/appsec/contrib/rack/configuration/settings.rb +2 -4
  51. data/lib/datadog/appsec/contrib/rack/ext.rb +0 -2
  52. data/lib/datadog/appsec/contrib/rack/gateway/request.rb +97 -0
  53. data/lib/datadog/appsec/contrib/rack/gateway/response.rb +30 -0
  54. data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +137 -87
  55. data/lib/datadog/appsec/contrib/rack/integration.rb +5 -6
  56. data/lib/datadog/appsec/contrib/rack/patcher.rb +4 -5
  57. data/lib/datadog/appsec/contrib/rack/reactive/request.rb +31 -38
  58. data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +63 -0
  59. data/lib/datadog/appsec/contrib/rack/reactive/response.rb +21 -22
  60. data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +43 -0
  61. data/lib/datadog/appsec/contrib/rack/request_middleware.rb +117 -21
  62. data/lib/datadog/appsec/contrib/rails/configuration/settings.rb +2 -4
  63. data/lib/datadog/appsec/contrib/rails/ext.rb +0 -2
  64. data/lib/datadog/appsec/contrib/rails/framework.rb +0 -2
  65. data/lib/datadog/appsec/contrib/rails/gateway/request.rb +67 -0
  66. data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +86 -0
  67. data/lib/datadog/appsec/contrib/rails/integration.rb +5 -7
  68. data/lib/datadog/appsec/contrib/rails/patcher.rb +44 -10
  69. data/lib/datadog/appsec/contrib/rails/reactive/action.rb +69 -0
  70. data/lib/datadog/appsec/contrib/rails/request.rb +34 -0
  71. data/lib/datadog/appsec/contrib/rails/request_middleware.rb +0 -2
  72. data/lib/datadog/appsec/contrib/sinatra/configuration/settings.rb +2 -4
  73. data/lib/datadog/appsec/contrib/sinatra/ext.rb +1 -2
  74. data/lib/datadog/appsec/contrib/sinatra/framework.rb +0 -2
  75. data/lib/datadog/appsec/contrib/sinatra/gateway/request.rb +17 -0
  76. data/lib/datadog/appsec/contrib/sinatra/gateway/route_params.rb +23 -0
  77. data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +131 -0
  78. data/lib/datadog/appsec/contrib/sinatra/integration.rb +4 -6
  79. data/lib/datadog/appsec/contrib/sinatra/patcher.rb +94 -12
  80. data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +64 -0
  81. data/lib/datadog/appsec/contrib/sinatra/request_middleware.rb +0 -2
  82. data/lib/datadog/appsec/event.rb +33 -26
  83. data/lib/datadog/appsec/ext.rb +9 -0
  84. data/lib/datadog/appsec/extensions.rb +51 -26
  85. data/lib/datadog/appsec/instrumentation/gateway/argument.rb +24 -0
  86. data/lib/datadog/appsec/instrumentation/gateway.rb +26 -6
  87. data/lib/datadog/appsec/instrumentation.rb +9 -0
  88. data/lib/datadog/appsec/monitor/gateway/watcher.rb +86 -0
  89. data/lib/datadog/appsec/monitor/reactive/set_user.rb +61 -0
  90. data/lib/datadog/appsec/monitor.rb +11 -0
  91. data/lib/datadog/appsec/processor.rb +143 -21
  92. data/lib/datadog/appsec/rate_limiter.rb +5 -2
  93. data/lib/datadog/appsec/reactive/address_hash.rb +6 -2
  94. data/lib/datadog/appsec/reactive/engine.rb +12 -9
  95. data/lib/datadog/appsec/reactive/operation.rb +22 -6
  96. data/lib/datadog/appsec/reactive/subscriber.rb +2 -1
  97. data/lib/datadog/appsec/response.rb +61 -0
  98. data/lib/datadog/appsec/utils/http/media_range.rb +199 -0
  99. data/lib/datadog/appsec/utils/http/media_type.rb +85 -0
  100. data/lib/datadog/appsec/utils/http.rb +9 -0
  101. data/lib/datadog/appsec/utils.rb +7 -0
  102. data/lib/datadog/appsec.rb +25 -7
  103. data/lib/datadog/ci/configuration/components.rb +1 -3
  104. data/lib/datadog/ci/configuration/settings.rb +1 -3
  105. data/lib/datadog/ci/contrib/cucumber/configuration/settings.rb +2 -4
  106. data/lib/datadog/ci/contrib/cucumber/ext.rb +0 -2
  107. data/lib/datadog/ci/contrib/cucumber/formatter.rb +5 -7
  108. data/lib/datadog/ci/contrib/cucumber/instrumentation.rb +1 -3
  109. data/lib/datadog/ci/contrib/cucumber/integration.rb +4 -6
  110. data/lib/datadog/ci/contrib/cucumber/patcher.rb +2 -4
  111. data/lib/datadog/ci/contrib/rspec/configuration/settings.rb +2 -4
  112. data/lib/datadog/ci/contrib/rspec/example.rb +5 -7
  113. data/lib/datadog/ci/contrib/rspec/ext.rb +0 -2
  114. data/lib/datadog/ci/contrib/rspec/integration.rb +4 -6
  115. data/lib/datadog/ci/contrib/rspec/patcher.rb +2 -4
  116. data/lib/datadog/ci/ext/app_types.rb +0 -2
  117. data/lib/datadog/ci/ext/environment.rb +98 -48
  118. data/lib/datadog/ci/ext/settings.rb +0 -2
  119. data/lib/datadog/ci/ext/test.rb +0 -2
  120. data/lib/datadog/ci/extensions.rb +4 -6
  121. data/lib/datadog/ci/flush.rb +2 -4
  122. data/lib/datadog/ci/test.rb +3 -5
  123. data/lib/datadog/ci.rb +6 -8
  124. data/lib/datadog/core/buffer/cruby.rb +1 -3
  125. data/lib/datadog/core/buffer/random.rb +0 -2
  126. data/lib/datadog/core/buffer/thread_safe.rb +1 -3
  127. data/lib/datadog/core/chunker.rb +0 -2
  128. data/lib/datadog/core/configuration/agent_settings_resolver.rb +9 -29
  129. data/lib/datadog/core/configuration/base.rb +14 -4
  130. data/lib/datadog/core/configuration/components.rb +31 -266
  131. data/lib/datadog/core/configuration/dependency_resolver.rb +0 -2
  132. data/lib/datadog/core/configuration/ext.rb +24 -0
  133. data/lib/datadog/core/configuration/option.rb +0 -2
  134. data/lib/datadog/core/configuration/option_definition.rb +12 -5
  135. data/lib/datadog/core/configuration/option_definition_set.rb +1 -3
  136. data/lib/datadog/core/configuration/option_set.rb +0 -2
  137. data/lib/datadog/core/configuration/options.rb +3 -5
  138. data/lib/datadog/core/configuration/settings.rb +92 -255
  139. data/lib/datadog/core/configuration.rb +16 -15
  140. data/lib/datadog/core/diagnostics/environment_logger.rb +10 -7
  141. data/lib/datadog/core/diagnostics/health.rb +4 -24
  142. data/lib/datadog/core/encoding.rb +0 -4
  143. data/lib/datadog/core/environment/cgroup.rb +4 -6
  144. data/lib/datadog/core/environment/class_count.rb +0 -2
  145. data/lib/datadog/core/environment/container.rb +3 -6
  146. data/lib/datadog/core/environment/ext.rb +1 -3
  147. data/lib/datadog/core/environment/gc.rb +0 -2
  148. data/lib/datadog/core/environment/identity.rb +2 -4
  149. data/lib/datadog/core/environment/platform.rb +38 -0
  150. data/lib/datadog/core/environment/socket.rb +1 -3
  151. data/lib/datadog/core/environment/thread_count.rb +0 -2
  152. data/lib/datadog/core/environment/variable_helpers.rb +83 -13
  153. data/lib/datadog/core/environment/vm_cache.rb +17 -2
  154. data/lib/datadog/core/error.rb +1 -3
  155. data/lib/datadog/core/extensions.rb +1 -3
  156. data/lib/datadog/core/git/ext.rb +0 -2
  157. data/lib/datadog/core/header_collection.rb +41 -0
  158. data/lib/datadog/core/logger.rb +0 -2
  159. data/lib/datadog/core/logging/ext.rb +11 -0
  160. data/lib/datadog/core/metrics/client.rb +25 -16
  161. data/lib/datadog/core/metrics/ext.rb +0 -4
  162. data/lib/datadog/core/metrics/helpers.rb +0 -2
  163. data/lib/datadog/core/metrics/logging.rb +0 -2
  164. data/lib/datadog/core/metrics/metric.rb +0 -2
  165. data/lib/datadog/core/metrics/options.rb +3 -5
  166. data/lib/datadog/core/pin.rb +0 -2
  167. data/lib/datadog/core/runtime/ext.rb +3 -3
  168. data/lib/datadog/core/runtime/metrics.rb +28 -14
  169. data/lib/datadog/core/telemetry/client.rb +77 -0
  170. data/lib/datadog/core/telemetry/collector.rb +231 -0
  171. data/lib/datadog/core/telemetry/emitter.rb +46 -0
  172. data/lib/datadog/core/telemetry/event.rb +67 -0
  173. data/lib/datadog/core/telemetry/ext.rb +9 -0
  174. data/lib/datadog/core/telemetry/heartbeat.rb +35 -0
  175. data/lib/datadog/core/telemetry/http/adapters/net.rb +111 -0
  176. data/lib/datadog/core/telemetry/http/env.rb +18 -0
  177. data/lib/datadog/core/telemetry/http/ext.rb +20 -0
  178. data/lib/datadog/core/telemetry/http/response.rb +64 -0
  179. data/lib/datadog/core/telemetry/http/transport.rb +51 -0
  180. data/lib/datadog/core/telemetry/v1/app_event.rb +50 -0
  181. data/lib/datadog/core/telemetry/v1/application.rb +86 -0
  182. data/lib/datadog/core/telemetry/v1/configuration.rb +25 -0
  183. data/lib/datadog/core/telemetry/v1/dependency.rb +36 -0
  184. data/lib/datadog/core/telemetry/v1/host.rb +51 -0
  185. data/lib/datadog/core/telemetry/v1/integration.rb +58 -0
  186. data/lib/datadog/core/telemetry/v1/product.rb +28 -0
  187. data/lib/datadog/core/telemetry/v1/telemetry_request.rb +100 -0
  188. data/lib/datadog/core/utils/compression.rb +5 -3
  189. data/lib/datadog/core/utils/forking.rb +0 -2
  190. data/lib/datadog/core/utils/network.rb +140 -0
  191. data/lib/datadog/core/utils/object_set.rb +1 -3
  192. data/lib/datadog/core/utils/only_once.rb +0 -2
  193. data/lib/datadog/core/utils/safe_dup.rb +0 -2
  194. data/lib/datadog/core/utils/sequence.rb +5 -2
  195. data/lib/datadog/core/utils/string_table.rb +1 -3
  196. data/lib/datadog/core/utils/time.rb +3 -7
  197. data/lib/datadog/core/utils.rb +1 -24
  198. data/lib/datadog/core/vendor/ipaddr.rb +78 -0
  199. data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +0 -2
  200. data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +2 -4
  201. data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +0 -2
  202. data/lib/datadog/core/vendor/multipart-post/multipart/post/version.rb +0 -2
  203. data/lib/datadog/core/vendor/multipart-post/multipart/post.rb +0 -2
  204. data/lib/datadog/core/vendor/multipart-post/multipart.rb +0 -2
  205. data/lib/datadog/core/vendor/multipart-post/net/http/post/multipart.rb +3 -5
  206. data/lib/datadog/core/worker.rb +0 -2
  207. data/lib/datadog/core/workers/async.rb +4 -6
  208. data/lib/datadog/core/workers/interval_loop.rb +0 -2
  209. data/lib/datadog/core/workers/polling.rb +2 -4
  210. data/lib/datadog/core/workers/queue.rb +0 -2
  211. data/lib/datadog/core/workers/runtime_metrics.rb +4 -9
  212. data/lib/datadog/core.rb +27 -56
  213. data/lib/datadog/kit/appsec/events.rb +74 -0
  214. data/lib/datadog/kit/enable_core_dumps.rb +50 -0
  215. data/lib/datadog/kit/identity.rb +70 -0
  216. data/lib/datadog/kit.rb +9 -0
  217. data/lib/datadog/opentelemetry/api/context.rb +186 -0
  218. data/lib/datadog/opentelemetry/api/trace/span.rb +14 -0
  219. data/lib/datadog/opentelemetry/sdk/configurator.rb +37 -0
  220. data/lib/datadog/opentelemetry/sdk/id_generator.rb +26 -0
  221. data/lib/datadog/opentelemetry/sdk/propagator.rb +90 -0
  222. data/lib/datadog/opentelemetry/sdk/span_processor.rb +91 -0
  223. data/lib/datadog/opentelemetry.rb +47 -0
  224. data/lib/datadog/opentracer/binary_propagator.rb +0 -2
  225. data/lib/datadog/opentracer/carrier.rb +0 -2
  226. data/lib/datadog/opentracer/distributed_headers.rb +7 -11
  227. data/lib/datadog/opentracer/global_tracer.rb +0 -2
  228. data/lib/datadog/opentracer/propagator.rb +0 -2
  229. data/lib/datadog/opentracer/rack_propagator.rb +10 -11
  230. data/lib/datadog/opentracer/scope.rb +0 -2
  231. data/lib/datadog/opentracer/scope_manager.rb +0 -2
  232. data/lib/datadog/opentracer/span.rb +1 -3
  233. data/lib/datadog/opentracer/span_context.rb +0 -2
  234. data/lib/datadog/opentracer/span_context_factory.rb +0 -2
  235. data/lib/datadog/opentracer/text_map_propagator.rb +13 -14
  236. data/lib/datadog/opentracer/thread_local_scope.rb +0 -2
  237. data/lib/datadog/opentracer/thread_local_scope_manager.rb +24 -3
  238. data/lib/datadog/opentracer/tracer.rb +23 -25
  239. data/lib/datadog/opentracer.rb +16 -18
  240. data/lib/datadog/profiling/backtrace_location.rb +0 -2
  241. data/lib/datadog/profiling/buffer.rb +3 -5
  242. data/lib/datadog/profiling/collectors/code_provenance.rb +1 -2
  243. data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +96 -0
  244. data/lib/datadog/profiling/collectors/dynamic_sampling_rate.rb +12 -0
  245. data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +66 -0
  246. data/lib/datadog/profiling/collectors/old_stack.rb +301 -0
  247. data/lib/datadog/profiling/collectors/stack.rb +3 -289
  248. data/lib/datadog/profiling/collectors/thread_context.rb +46 -0
  249. data/lib/datadog/profiling/component.rb +161 -0
  250. data/lib/datadog/profiling/encoding/profile.rb +8 -15
  251. data/lib/datadog/profiling/event.rb +0 -2
  252. data/lib/datadog/profiling/events/stack.rb +1 -3
  253. data/lib/datadog/profiling/exporter.rb +69 -11
  254. data/lib/datadog/profiling/ext/forking.rb +41 -44
  255. data/lib/datadog/profiling/ext.rb +4 -18
  256. data/lib/datadog/profiling/flush.rb +25 -58
  257. data/lib/datadog/profiling/http_transport.rb +130 -0
  258. data/lib/datadog/profiling/load_native_extension.rb +20 -0
  259. data/lib/datadog/profiling/native_extension.rb +0 -2
  260. data/lib/datadog/profiling/old_recorder.rb +107 -0
  261. data/lib/datadog/profiling/pprof/builder.rb +4 -6
  262. data/lib/datadog/profiling/pprof/converter.rb +1 -3
  263. data/lib/datadog/profiling/pprof/message_set.rb +1 -3
  264. data/lib/datadog/profiling/pprof/payload.rb +0 -2
  265. data/lib/datadog/profiling/pprof/pprof_pb.rb +0 -2
  266. data/lib/datadog/profiling/pprof/stack_sample.rb +4 -6
  267. data/lib/datadog/profiling/pprof/string_table.rb +1 -3
  268. data/lib/datadog/profiling/pprof/template.rb +5 -7
  269. data/lib/datadog/profiling/preload.rb +1 -3
  270. data/lib/datadog/profiling/profiler.rb +7 -2
  271. data/lib/datadog/profiling/scheduler.rb +29 -52
  272. data/lib/datadog/profiling/stack_recorder.rb +74 -0
  273. data/lib/datadog/profiling/tag_builder.rb +51 -0
  274. data/lib/datadog/profiling/tasks/exec.rb +2 -4
  275. data/lib/datadog/profiling/tasks/help.rb +0 -2
  276. data/lib/datadog/profiling/tasks/setup.rb +8 -15
  277. data/lib/datadog/profiling/trace_identifiers/ddtrace.rb +2 -4
  278. data/lib/datadog/profiling/trace_identifiers/helper.rb +1 -3
  279. data/lib/datadog/profiling.rb +92 -50
  280. data/lib/datadog/tracing/analytics.rb +1 -3
  281. data/lib/datadog/tracing/buffer.rb +14 -12
  282. data/lib/datadog/tracing/client_ip.rb +61 -0
  283. data/lib/datadog/tracing/component.rb +176 -0
  284. data/lib/datadog/tracing/configuration/ext.rb +49 -6
  285. data/lib/datadog/tracing/configuration/settings.rb +451 -0
  286. data/lib/datadog/tracing/context.rb +1 -3
  287. data/lib/datadog/tracing/context_provider.rb +18 -4
  288. data/lib/datadog/tracing/contrib/action_cable/configuration/settings.rb +2 -4
  289. data/lib/datadog/tracing/contrib/action_cable/event.rb +4 -7
  290. data/lib/datadog/tracing/contrib/action_cable/events/broadcast.rb +4 -6
  291. data/lib/datadog/tracing/contrib/action_cable/events/perform_action.rb +3 -5
  292. data/lib/datadog/tracing/contrib/action_cable/events/transmit.rb +4 -6
  293. data/lib/datadog/tracing/contrib/action_cable/events.rb +4 -6
  294. data/lib/datadog/tracing/contrib/action_cable/ext.rb +0 -2
  295. data/lib/datadog/tracing/contrib/action_cable/instrumentation.rb +3 -6
  296. data/lib/datadog/tracing/contrib/action_cable/integration.rb +4 -6
  297. data/lib/datadog/tracing/contrib/action_cable/patcher.rb +4 -6
  298. data/lib/datadog/tracing/contrib/action_mailer/configuration/settings.rb +2 -4
  299. data/lib/datadog/tracing/contrib/action_mailer/event.rb +3 -5
  300. data/lib/datadog/tracing/contrib/action_mailer/events/deliver.rb +3 -5
  301. data/lib/datadog/tracing/contrib/action_mailer/events/process.rb +3 -5
  302. data/lib/datadog/tracing/contrib/action_mailer/events.rb +2 -4
  303. data/lib/datadog/tracing/contrib/action_mailer/ext.rb +0 -2
  304. data/lib/datadog/tracing/contrib/action_mailer/integration.rb +4 -6
  305. data/lib/datadog/tracing/contrib/action_mailer/patcher.rb +3 -5
  306. data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +10 -8
  307. data/lib/datadog/tracing/contrib/action_pack/action_controller/patcher.rb +2 -4
  308. data/lib/datadog/tracing/contrib/action_pack/configuration/settings.rb +2 -4
  309. data/lib/datadog/tracing/contrib/action_pack/ext.rb +0 -2
  310. data/lib/datadog/tracing/contrib/action_pack/integration.rb +4 -6
  311. data/lib/datadog/tracing/contrib/action_pack/patcher.rb +2 -4
  312. data/lib/datadog/tracing/contrib/action_pack/utils.rb +1 -3
  313. data/lib/datadog/tracing/contrib/action_view/configuration/settings.rb +2 -4
  314. data/lib/datadog/tracing/contrib/action_view/event.rb +1 -3
  315. data/lib/datadog/tracing/contrib/action_view/events/render_partial.rb +5 -7
  316. data/lib/datadog/tracing/contrib/action_view/events/render_template.rb +5 -7
  317. data/lib/datadog/tracing/contrib/action_view/events.rb +2 -4
  318. data/lib/datadog/tracing/contrib/action_view/ext.rb +0 -2
  319. data/lib/datadog/tracing/contrib/action_view/instrumentation/partial_renderer.rb +2 -4
  320. data/lib/datadog/tracing/contrib/action_view/instrumentation/template_renderer.rb +2 -4
  321. data/lib/datadog/tracing/contrib/action_view/integration.rb +4 -6
  322. data/lib/datadog/tracing/contrib/action_view/patcher.rb +7 -10
  323. data/lib/datadog/tracing/contrib/action_view/utils.rb +1 -3
  324. data/lib/datadog/tracing/contrib/active_job/configuration/settings.rb +3 -5
  325. data/lib/datadog/tracing/contrib/active_job/event.rb +3 -5
  326. data/lib/datadog/tracing/contrib/active_job/events/discard.rb +4 -6
  327. data/lib/datadog/tracing/contrib/active_job/events/enqueue.rb +4 -6
  328. data/lib/datadog/tracing/contrib/active_job/events/enqueue_at.rb +4 -6
  329. data/lib/datadog/tracing/contrib/active_job/events/enqueue_retry.rb +4 -6
  330. data/lib/datadog/tracing/contrib/active_job/events/perform.rb +4 -6
  331. data/lib/datadog/tracing/contrib/active_job/events/retry_stopped.rb +4 -6
  332. data/lib/datadog/tracing/contrib/active_job/events.rb +6 -8
  333. data/lib/datadog/tracing/contrib/active_job/ext.rb +0 -2
  334. data/lib/datadog/tracing/contrib/active_job/integration.rb +4 -6
  335. data/lib/datadog/tracing/contrib/active_job/log_injection.rb +0 -4
  336. data/lib/datadog/tracing/contrib/active_job/patcher.rb +4 -6
  337. data/lib/datadog/tracing/contrib/active_model_serializers/configuration/settings.rb +2 -4
  338. data/lib/datadog/tracing/contrib/active_model_serializers/event.rb +4 -7
  339. data/lib/datadog/tracing/contrib/active_model_serializers/events/render.rb +3 -5
  340. data/lib/datadog/tracing/contrib/active_model_serializers/events/serialize.rb +2 -4
  341. data/lib/datadog/tracing/contrib/active_model_serializers/events.rb +2 -4
  342. data/lib/datadog/tracing/contrib/active_model_serializers/ext.rb +0 -2
  343. data/lib/datadog/tracing/contrib/active_model_serializers/integration.rb +3 -5
  344. data/lib/datadog/tracing/contrib/active_model_serializers/patcher.rb +3 -6
  345. data/lib/datadog/tracing/contrib/active_record/configuration/makara_resolver.rb +0 -2
  346. data/lib/datadog/tracing/contrib/active_record/configuration/resolver.rb +4 -6
  347. data/lib/datadog/tracing/contrib/active_record/configuration/settings.rb +3 -5
  348. data/lib/datadog/tracing/contrib/active_record/event.rb +1 -3
  349. data/lib/datadog/tracing/contrib/active_record/events/instantiation.rb +4 -6
  350. data/lib/datadog/tracing/contrib/active_record/events/sql.rb +6 -8
  351. data/lib/datadog/tracing/contrib/active_record/events.rb +2 -4
  352. data/lib/datadog/tracing/contrib/active_record/ext.rb +0 -2
  353. data/lib/datadog/tracing/contrib/active_record/integration.rb +6 -8
  354. data/lib/datadog/tracing/contrib/active_record/patcher.rb +2 -4
  355. data/lib/datadog/tracing/contrib/active_record/utils.rb +3 -5
  356. data/lib/datadog/tracing/contrib/active_record/vendor/connection_specification.rb +1 -3
  357. data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +19 -11
  358. data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +2 -4
  359. data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +1 -3
  360. data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +2 -4
  361. data/lib/datadog/tracing/contrib/active_support/ext.rb +0 -2
  362. data/lib/datadog/tracing/contrib/active_support/integration.rb +5 -7
  363. data/lib/datadog/tracing/contrib/active_support/notifications/event.rb +1 -3
  364. data/lib/datadog/tracing/contrib/active_support/notifications/subscriber.rb +1 -3
  365. data/lib/datadog/tracing/contrib/active_support/notifications/subscription.rb +4 -4
  366. data/lib/datadog/tracing/contrib/active_support/patcher.rb +2 -4
  367. data/lib/datadog/tracing/contrib/analytics.rb +1 -3
  368. data/lib/datadog/tracing/contrib/auto_instrument.rb +4 -6
  369. data/lib/datadog/tracing/contrib/aws/configuration/settings.rb +6 -5
  370. data/lib/datadog/tracing/contrib/aws/ext.rb +1 -2
  371. data/lib/datadog/tracing/contrib/aws/instrumentation.rb +5 -6
  372. data/lib/datadog/tracing/contrib/aws/integration.rb +3 -5
  373. data/lib/datadog/tracing/contrib/aws/parsed_context.rb +0 -2
  374. data/lib/datadog/tracing/contrib/aws/patcher.rb +5 -7
  375. data/lib/datadog/tracing/contrib/aws/services.rb +0 -4
  376. data/lib/datadog/tracing/contrib/concurrent_ruby/configuration/settings.rb +2 -4
  377. data/lib/datadog/tracing/contrib/concurrent_ruby/context_composite_executor_service.rb +10 -5
  378. data/lib/datadog/tracing/contrib/concurrent_ruby/ext.rb +0 -2
  379. data/lib/datadog/tracing/contrib/concurrent_ruby/future_patch.rb +1 -3
  380. data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +3 -5
  381. data/lib/datadog/tracing/contrib/concurrent_ruby/patcher.rb +2 -5
  382. data/lib/datadog/tracing/contrib/configurable.rb +2 -4
  383. data/lib/datadog/tracing/contrib/configuration/resolver.rb +0 -2
  384. data/lib/datadog/tracing/contrib/configuration/resolvers/pattern_resolver.rb +1 -3
  385. data/lib/datadog/tracing/contrib/configuration/settings.rb +2 -6
  386. data/lib/datadog/tracing/contrib/dalli/configuration/settings.rb +6 -5
  387. data/lib/datadog/tracing/contrib/dalli/ext.rb +2 -2
  388. data/lib/datadog/tracing/contrib/dalli/instrumentation.rb +10 -7
  389. data/lib/datadog/tracing/contrib/dalli/integration.rb +3 -5
  390. data/lib/datadog/tracing/contrib/dalli/patcher.rb +3 -6
  391. data/lib/datadog/tracing/contrib/dalli/quantize.rb +1 -3
  392. data/lib/datadog/tracing/contrib/delayed_job/configuration/settings.rb +3 -5
  393. data/lib/datadog/tracing/contrib/delayed_job/ext.rb +2 -2
  394. data/lib/datadog/tracing/contrib/delayed_job/integration.rb +3 -5
  395. data/lib/datadog/tracing/contrib/delayed_job/patcher.rb +8 -5
  396. data/lib/datadog/tracing/contrib/delayed_job/plugin.rb +11 -6
  397. data/lib/datadog/tracing/contrib/delayed_job/server_internal_tracer/worker.rb +32 -0
  398. data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +7 -5
  399. data/lib/datadog/tracing/contrib/elasticsearch/ext.rb +3 -2
  400. data/lib/datadog/tracing/contrib/elasticsearch/integration.rb +12 -8
  401. data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +48 -11
  402. data/lib/datadog/tracing/contrib/elasticsearch/quantize.rb +1 -5
  403. data/lib/datadog/tracing/contrib/ethon/configuration/settings.rb +8 -5
  404. data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +6 -9
  405. data/lib/datadog/tracing/contrib/ethon/ext.rb +1 -2
  406. data/lib/datadog/tracing/contrib/ethon/integration.rb +4 -6
  407. data/lib/datadog/tracing/contrib/ethon/multi_patch.rb +5 -6
  408. data/lib/datadog/tracing/contrib/ethon/patcher.rb +3 -7
  409. data/lib/datadog/tracing/contrib/excon/configuration/settings.rb +7 -5
  410. data/lib/datadog/tracing/contrib/excon/ext.rb +1 -2
  411. data/lib/datadog/tracing/contrib/excon/integration.rb +4 -6
  412. data/lib/datadog/tracing/contrib/excon/middleware.rb +8 -9
  413. data/lib/datadog/tracing/contrib/excon/patcher.rb +2 -4
  414. data/lib/datadog/tracing/contrib/ext.rb +30 -0
  415. data/lib/datadog/tracing/contrib/extensions.rb +5 -7
  416. data/lib/datadog/tracing/contrib/faraday/configuration/settings.rb +7 -5
  417. data/lib/datadog/tracing/contrib/faraday/connection.rb +0 -2
  418. data/lib/datadog/tracing/contrib/faraday/ext.rb +1 -2
  419. data/lib/datadog/tracing/contrib/faraday/integration.rb +4 -6
  420. data/lib/datadog/tracing/contrib/faraday/middleware.rb +8 -10
  421. data/lib/datadog/tracing/contrib/faraday/patcher.rb +5 -8
  422. data/lib/datadog/tracing/contrib/faraday/rack_builder.rb +0 -2
  423. data/lib/datadog/tracing/contrib/grape/configuration/settings.rb +3 -5
  424. data/lib/datadog/tracing/contrib/grape/endpoint.rb +4 -9
  425. data/lib/datadog/tracing/contrib/grape/ext.rb +0 -2
  426. data/lib/datadog/tracing/contrib/grape/instrumentation.rb +0 -2
  427. data/lib/datadog/tracing/contrib/grape/integration.rb +3 -5
  428. data/lib/datadog/tracing/contrib/grape/patcher.rb +4 -7
  429. data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +3 -5
  430. data/lib/datadog/tracing/contrib/graphql/ext.rb +0 -2
  431. data/lib/datadog/tracing/contrib/graphql/integration.rb +3 -5
  432. data/lib/datadog/tracing/contrib/graphql/patcher.rb +2 -6
  433. data/lib/datadog/tracing/contrib/grpc/configuration/settings.rb +10 -6
  434. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +20 -7
  435. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +17 -19
  436. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor.rb +7 -6
  437. data/lib/datadog/tracing/contrib/grpc/distributed/fetcher.rb +26 -0
  438. data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +42 -0
  439. data/lib/datadog/tracing/contrib/grpc/ext.rb +4 -2
  440. data/lib/datadog/tracing/contrib/grpc/integration.rb +11 -6
  441. data/lib/datadog/tracing/contrib/grpc/intercept_with_datadog.rb +0 -2
  442. data/lib/datadog/tracing/contrib/grpc/patcher.rb +3 -9
  443. data/lib/datadog/tracing/contrib/hanami/action_tracer.rb +45 -0
  444. data/lib/datadog/tracing/contrib/hanami/configuration/settings.rb +20 -0
  445. data/lib/datadog/tracing/contrib/hanami/ext.rb +22 -0
  446. data/lib/datadog/tracing/contrib/hanami/integration.rb +42 -0
  447. data/lib/datadog/tracing/contrib/hanami/patcher.rb +31 -0
  448. data/lib/datadog/tracing/contrib/hanami/plugin.rb +21 -0
  449. data/lib/datadog/tracing/contrib/hanami/renderer_policy_tracing.rb +39 -0
  450. data/lib/datadog/tracing/contrib/hanami/router_tracing.rb +42 -0
  451. data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +1 -4
  452. data/lib/datadog/tracing/contrib/http/configuration/settings.rb +13 -5
  453. data/lib/datadog/tracing/contrib/http/distributed/fetcher.rb +38 -0
  454. data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +37 -0
  455. data/lib/datadog/tracing/contrib/http/ext.rb +2 -2
  456. data/lib/datadog/tracing/contrib/http/instrumentation.rb +8 -12
  457. data/lib/datadog/tracing/contrib/http/integration.rb +6 -8
  458. data/lib/datadog/tracing/contrib/http/patcher.rb +3 -5
  459. data/lib/datadog/tracing/contrib/http_annotation_helper.rb +0 -2
  460. data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +13 -5
  461. data/lib/datadog/tracing/contrib/httpclient/ext.rb +2 -2
  462. data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +9 -11
  463. data/lib/datadog/tracing/contrib/httpclient/integration.rb +4 -6
  464. data/lib/datadog/tracing/contrib/httpclient/patcher.rb +3 -5
  465. data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +13 -5
  466. data/lib/datadog/tracing/contrib/httprb/ext.rb +2 -2
  467. data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +9 -11
  468. data/lib/datadog/tracing/contrib/httprb/integration.rb +4 -6
  469. data/lib/datadog/tracing/contrib/httprb/patcher.rb +3 -5
  470. data/lib/datadog/tracing/contrib/integration.rb +3 -5
  471. data/lib/datadog/tracing/contrib/kafka/configuration/settings.rb +2 -4
  472. data/lib/datadog/tracing/contrib/kafka/consumer_event.rb +1 -2
  473. data/lib/datadog/tracing/contrib/kafka/consumer_group_event.rb +0 -2
  474. data/lib/datadog/tracing/contrib/kafka/event.rb +4 -5
  475. data/lib/datadog/tracing/contrib/kafka/events/connection/request.rb +2 -4
  476. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_batch.rb +3 -5
  477. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_message.rb +3 -5
  478. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/heartbeat.rb +4 -6
  479. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/join_group.rb +4 -6
  480. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/leave_group.rb +4 -6
  481. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/sync_group.rb +4 -6
  482. data/lib/datadog/tracing/contrib/kafka/events/produce_operation/send_messages.rb +3 -4
  483. data/lib/datadog/tracing/contrib/kafka/events/producer/deliver_messages.rb +3 -4
  484. data/lib/datadog/tracing/contrib/kafka/events.rb +9 -11
  485. data/lib/datadog/tracing/contrib/kafka/ext.rb +1 -2
  486. data/lib/datadog/tracing/contrib/kafka/integration.rb +3 -5
  487. data/lib/datadog/tracing/contrib/kafka/patcher.rb +3 -6
  488. data/lib/datadog/tracing/contrib/lograge/configuration/settings.rb +2 -4
  489. data/lib/datadog/tracing/contrib/lograge/ext.rb +0 -2
  490. data/lib/datadog/tracing/contrib/lograge/instrumentation.rb +2 -4
  491. data/lib/datadog/tracing/contrib/lograge/integration.rb +3 -5
  492. data/lib/datadog/tracing/contrib/lograge/patcher.rb +2 -4
  493. data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +7 -5
  494. data/lib/datadog/tracing/contrib/mongodb/ext.rb +8 -2
  495. data/lib/datadog/tracing/contrib/mongodb/instrumentation.rb +3 -5
  496. data/lib/datadog/tracing/contrib/mongodb/integration.rb +4 -6
  497. data/lib/datadog/tracing/contrib/mongodb/parsers.rb +1 -3
  498. data/lib/datadog/tracing/contrib/mongodb/patcher.rb +3 -5
  499. data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +10 -6
  500. data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +17 -4
  501. data/lib/datadog/tracing/contrib/mysql2/ext.rb +2 -2
  502. data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +20 -7
  503. data/lib/datadog/tracing/contrib/mysql2/integration.rb +3 -5
  504. data/lib/datadog/tracing/contrib/mysql2/patcher.rb +2 -4
  505. data/lib/datadog/tracing/contrib/patchable.rb +0 -2
  506. data/lib/datadog/tracing/contrib/patcher.rb +16 -6
  507. data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +48 -0
  508. data/lib/datadog/tracing/contrib/pg/ext.rb +31 -0
  509. data/lib/datadog/tracing/contrib/pg/instrumentation.rb +166 -0
  510. data/lib/datadog/tracing/contrib/pg/integration.rb +41 -0
  511. data/lib/datadog/tracing/contrib/pg/patcher.rb +29 -0
  512. data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +6 -5
  513. data/lib/datadog/tracing/contrib/presto/ext.rb +2 -2
  514. data/lib/datadog/tracing/contrib/presto/instrumentation.rb +5 -5
  515. data/lib/datadog/tracing/contrib/presto/integration.rb +3 -5
  516. data/lib/datadog/tracing/contrib/presto/patcher.rb +4 -6
  517. data/lib/datadog/tracing/contrib/propagation/sql_comment/comment.rb +41 -0
  518. data/lib/datadog/tracing/contrib/propagation/sql_comment/ext.rb +31 -0
  519. data/lib/datadog/tracing/contrib/propagation/sql_comment/mode.rb +26 -0
  520. data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +45 -0
  521. data/lib/datadog/tracing/contrib/qless/configuration/settings.rb +2 -4
  522. data/lib/datadog/tracing/contrib/qless/ext.rb +0 -2
  523. data/lib/datadog/tracing/contrib/qless/integration.rb +3 -5
  524. data/lib/datadog/tracing/contrib/qless/patcher.rb +1 -6
  525. data/lib/datadog/tracing/contrib/qless/qless_job.rb +5 -5
  526. data/lib/datadog/tracing/contrib/qless/tracer_cleaner.rb +0 -4
  527. data/lib/datadog/tracing/contrib/que/configuration/settings.rb +3 -5
  528. data/lib/datadog/tracing/contrib/que/ext.rb +0 -2
  529. data/lib/datadog/tracing/contrib/que/integration.rb +4 -6
  530. data/lib/datadog/tracing/contrib/que/patcher.rb +1 -4
  531. data/lib/datadog/tracing/contrib/que/tracer.rb +5 -3
  532. data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +2 -4
  533. data/lib/datadog/tracing/contrib/racecar/event.rb +5 -7
  534. data/lib/datadog/tracing/contrib/racecar/events/batch.rb +6 -5
  535. data/lib/datadog/tracing/contrib/racecar/events/consume.rb +2 -4
  536. data/lib/datadog/tracing/contrib/racecar/events/message.rb +6 -5
  537. data/lib/datadog/tracing/contrib/racecar/events.rb +3 -5
  538. data/lib/datadog/tracing/contrib/racecar/ext.rb +1 -2
  539. data/lib/datadog/tracing/contrib/racecar/integration.rb +3 -5
  540. data/lib/datadog/tracing/contrib/racecar/patcher.rb +3 -6
  541. data/lib/datadog/tracing/contrib/rack/configuration/settings.rb +2 -4
  542. data/lib/datadog/tracing/contrib/rack/ext.rb +5 -2
  543. data/lib/datadog/tracing/contrib/rack/header_collection.rb +35 -0
  544. data/lib/datadog/tracing/contrib/rack/integration.rb +4 -6
  545. data/lib/datadog/tracing/contrib/rack/middlewares.rb +170 -78
  546. data/lib/datadog/tracing/contrib/rack/patcher.rb +12 -4
  547. data/lib/datadog/tracing/contrib/rack/request_queue.rb +0 -2
  548. data/lib/datadog/tracing/contrib/rails/auto_instrument_railtie.rb +1 -3
  549. data/lib/datadog/tracing/contrib/rails/configuration/settings.rb +4 -3
  550. data/lib/datadog/tracing/contrib/rails/ext.rb +0 -2
  551. data/lib/datadog/tracing/contrib/rails/framework.rb +18 -24
  552. data/lib/datadog/tracing/contrib/rails/integration.rb +4 -6
  553. data/lib/datadog/tracing/contrib/rails/log_injection.rb +3 -20
  554. data/lib/datadog/tracing/contrib/rails/middlewares.rb +1 -4
  555. data/lib/datadog/tracing/contrib/rails/patcher.rb +7 -10
  556. data/lib/datadog/tracing/contrib/rails/railtie.rb +3 -5
  557. data/lib/datadog/tracing/contrib/rails/utils.rb +1 -3
  558. data/lib/datadog/tracing/contrib/rake/configuration/settings.rb +16 -3
  559. data/lib/datadog/tracing/contrib/rake/ext.rb +0 -2
  560. data/lib/datadog/tracing/contrib/rake/instrumentation.rb +14 -11
  561. data/lib/datadog/tracing/contrib/rake/integration.rb +3 -5
  562. data/lib/datadog/tracing/contrib/rake/patcher.rb +3 -7
  563. data/lib/datadog/tracing/contrib/redis/configuration/resolver.rb +1 -3
  564. data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +6 -5
  565. data/lib/datadog/tracing/contrib/redis/ext.rb +3 -2
  566. data/lib/datadog/tracing/contrib/redis/instrumentation.rb +36 -28
  567. data/lib/datadog/tracing/contrib/redis/integration.rb +37 -6
  568. data/lib/datadog/tracing/contrib/redis/patcher.rb +56 -15
  569. data/lib/datadog/tracing/contrib/redis/quantize.rb +11 -10
  570. data/lib/datadog/tracing/contrib/redis/tags.rb +12 -12
  571. data/lib/datadog/tracing/contrib/redis/trace_middleware.rb +70 -0
  572. data/lib/datadog/tracing/contrib/redis/vendor/resolver.rb +0 -2
  573. data/lib/datadog/tracing/contrib/registerable.rb +0 -2
  574. data/lib/datadog/tracing/contrib/registry.rb +0 -2
  575. data/lib/datadog/tracing/contrib/resque/configuration/settings.rb +3 -5
  576. data/lib/datadog/tracing/contrib/resque/ext.rb +0 -2
  577. data/lib/datadog/tracing/contrib/resque/integration.rb +3 -5
  578. data/lib/datadog/tracing/contrib/resque/patcher.rb +2 -5
  579. data/lib/datadog/tracing/contrib/resque/resque_job.rb +7 -6
  580. data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +9 -5
  581. data/lib/datadog/tracing/contrib/rest_client/ext.rb +1 -2
  582. data/lib/datadog/tracing/contrib/rest_client/integration.rb +3 -5
  583. data/lib/datadog/tracing/contrib/rest_client/patcher.rb +2 -6
  584. data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +7 -8
  585. data/lib/datadog/tracing/contrib/semantic_logger/configuration/settings.rb +2 -4
  586. data/lib/datadog/tracing/contrib/semantic_logger/ext.rb +0 -2
  587. data/lib/datadog/tracing/contrib/semantic_logger/instrumentation.rb +2 -4
  588. data/lib/datadog/tracing/contrib/semantic_logger/integration.rb +3 -5
  589. data/lib/datadog/tracing/contrib/semantic_logger/patcher.rb +2 -4
  590. data/lib/datadog/tracing/contrib/sequel/configuration/settings.rb +2 -4
  591. data/lib/datadog/tracing/contrib/sequel/database.rb +4 -7
  592. data/lib/datadog/tracing/contrib/sequel/dataset.rb +4 -7
  593. data/lib/datadog/tracing/contrib/sequel/ext.rb +0 -2
  594. data/lib/datadog/tracing/contrib/sequel/integration.rb +3 -5
  595. data/lib/datadog/tracing/contrib/sequel/patcher.rb +3 -5
  596. data/lib/datadog/tracing/contrib/sequel/utils.rb +2 -4
  597. data/lib/datadog/tracing/contrib/shoryuken/configuration/settings.rb +3 -5
  598. data/lib/datadog/tracing/contrib/shoryuken/ext.rb +1 -2
  599. data/lib/datadog/tracing/contrib/shoryuken/integration.rb +4 -6
  600. data/lib/datadog/tracing/contrib/shoryuken/patcher.rb +1 -3
  601. data/lib/datadog/tracing/contrib/shoryuken/tracer.rb +5 -3
  602. data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +11 -7
  603. data/lib/datadog/tracing/contrib/sidekiq/configuration/settings.rb +4 -5
  604. data/lib/datadog/tracing/contrib/sidekiq/ext.rb +6 -2
  605. data/lib/datadog/tracing/contrib/sidekiq/integration.rb +3 -5
  606. data/lib/datadog/tracing/contrib/sidekiq/patcher.rb +14 -9
  607. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/heartbeat.rb +23 -3
  608. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/job_fetch.rb +2 -2
  609. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/{scheduled_push.rb → redis_info.rb} +7 -8
  610. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/scheduled_poller.rb +55 -0
  611. data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +31 -8
  612. data/lib/datadog/tracing/contrib/sidekiq/tracing.rb +2 -4
  613. data/lib/datadog/tracing/contrib/sinatra/configuration/settings.rb +2 -4
  614. data/lib/datadog/tracing/contrib/sinatra/env.rb +14 -27
  615. data/lib/datadog/tracing/contrib/sinatra/ext.rb +7 -5
  616. data/lib/datadog/tracing/contrib/sinatra/framework.rb +11 -4
  617. data/lib/datadog/tracing/contrib/sinatra/headers.rb +1 -3
  618. data/lib/datadog/tracing/contrib/sinatra/integration.rb +3 -5
  619. data/lib/datadog/tracing/contrib/sinatra/patcher.rb +6 -10
  620. data/lib/datadog/tracing/contrib/sinatra/tracer.rb +15 -90
  621. data/lib/datadog/tracing/contrib/sinatra/tracer_middleware.rb +20 -18
  622. data/lib/datadog/tracing/contrib/sneakers/configuration/settings.rb +2 -4
  623. data/lib/datadog/tracing/contrib/sneakers/ext.rb +1 -2
  624. data/lib/datadog/tracing/contrib/sneakers/integration.rb +4 -6
  625. data/lib/datadog/tracing/contrib/sneakers/patcher.rb +2 -5
  626. data/lib/datadog/tracing/contrib/sneakers/tracer.rb +7 -5
  627. data/lib/datadog/tracing/contrib/status_code_matcher.rb +2 -4
  628. data/lib/datadog/tracing/contrib/stripe/configuration/settings.rb +33 -0
  629. data/lib/datadog/tracing/contrib/stripe/ext.rb +26 -0
  630. data/lib/datadog/tracing/contrib/stripe/integration.rb +43 -0
  631. data/lib/datadog/tracing/contrib/stripe/patcher.rb +28 -0
  632. data/lib/datadog/tracing/contrib/stripe/request.rb +67 -0
  633. data/lib/datadog/tracing/contrib/sucker_punch/configuration/settings.rb +2 -4
  634. data/lib/datadog/tracing/contrib/sucker_punch/exception_handler.rb +0 -2
  635. data/lib/datadog/tracing/contrib/sucker_punch/ext.rb +0 -2
  636. data/lib/datadog/tracing/contrib/sucker_punch/instrumentation.rb +3 -6
  637. data/lib/datadog/tracing/contrib/sucker_punch/integration.rb +3 -5
  638. data/lib/datadog/tracing/contrib/sucker_punch/patcher.rb +4 -9
  639. data/lib/datadog/tracing/contrib/utils/database.rb +0 -2
  640. data/lib/datadog/tracing/contrib/utils/quantization/hash.rb +0 -2
  641. data/lib/datadog/tracing/contrib/utils/quantization/http.rb +92 -14
  642. data/lib/datadog/tracing/contrib.rb +50 -49
  643. data/lib/datadog/tracing/correlation.rb +16 -4
  644. data/lib/datadog/{core → tracing}/diagnostics/ext.rb +1 -8
  645. data/lib/datadog/tracing/diagnostics/health.rb +38 -0
  646. data/lib/datadog/tracing/distributed/b3_multi.rb +72 -0
  647. data/lib/datadog/tracing/distributed/b3_single.rb +68 -0
  648. data/lib/datadog/tracing/distributed/datadog.rb +200 -0
  649. data/lib/datadog/tracing/distributed/datadog_tags_codec.rb +84 -0
  650. data/lib/datadog/tracing/distributed/fetcher.rb +21 -0
  651. data/lib/datadog/tracing/distributed/headers/ext.rb +19 -16
  652. data/lib/datadog/tracing/distributed/helpers.rb +34 -13
  653. data/lib/datadog/tracing/distributed/none.rb +18 -0
  654. data/lib/datadog/tracing/distributed/propagation.rb +126 -0
  655. data/lib/datadog/tracing/distributed/trace_context.rb +373 -0
  656. data/lib/datadog/tracing/event.rb +3 -4
  657. data/lib/datadog/tracing/flush.rb +57 -37
  658. data/lib/datadog/tracing/metadata/analytics.rb +2 -4
  659. data/lib/datadog/tracing/metadata/errors.rb +2 -4
  660. data/lib/datadog/tracing/metadata/ext.rb +34 -3
  661. data/lib/datadog/tracing/metadata/tagging.rb +23 -4
  662. data/lib/datadog/tracing/metadata.rb +3 -5
  663. data/lib/datadog/tracing/pipeline/span_filter.rb +10 -8
  664. data/lib/datadog/tracing/pipeline/span_processor.rb +0 -2
  665. data/lib/datadog/tracing/pipeline.rb +3 -5
  666. data/lib/datadog/tracing/propagation/http.rb +3 -100
  667. data/lib/datadog/tracing/runtime/metrics.rb +1 -3
  668. data/lib/datadog/tracing/sampling/all_sampler.rb +1 -3
  669. data/lib/datadog/tracing/sampling/ext.rb +30 -1
  670. data/lib/datadog/tracing/sampling/matcher.rb +0 -2
  671. data/lib/datadog/tracing/sampling/priority_sampler.rb +64 -14
  672. data/lib/datadog/tracing/sampling/rate_by_key_sampler.rb +10 -13
  673. data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +32 -10
  674. data/lib/datadog/tracing/sampling/rate_limiter.rb +4 -3
  675. data/lib/datadog/tracing/sampling/rate_sampler.rb +27 -12
  676. data/lib/datadog/tracing/sampling/rule.rb +15 -11
  677. data/lib/datadog/tracing/sampling/rule_sampler.rb +11 -14
  678. data/lib/datadog/tracing/sampling/sampler.rb +0 -2
  679. data/lib/datadog/tracing/sampling/span/ext.rb +25 -0
  680. data/lib/datadog/tracing/sampling/span/matcher.rb +89 -0
  681. data/lib/datadog/tracing/sampling/span/rule.rb +82 -0
  682. data/lib/datadog/tracing/sampling/span/rule_parser.rb +104 -0
  683. data/lib/datadog/tracing/sampling/span/sampler.rb +75 -0
  684. data/lib/datadog/tracing/span.rb +24 -22
  685. data/lib/datadog/tracing/span_operation.rb +15 -18
  686. data/lib/datadog/tracing/sync_writer.rb +5 -7
  687. data/lib/datadog/tracing/trace_digest.rb +88 -4
  688. data/lib/datadog/tracing/trace_operation.rb +60 -18
  689. data/lib/datadog/tracing/trace_segment.rb +20 -10
  690. data/lib/datadog/tracing/tracer.rb +49 -23
  691. data/lib/datadog/tracing/utils.rb +81 -0
  692. data/lib/datadog/tracing/workers/trace_writer.rb +9 -11
  693. data/lib/datadog/tracing/workers.rb +3 -5
  694. data/lib/datadog/tracing/writer.rb +12 -7
  695. data/lib/datadog/tracing.rb +8 -10
  696. data/lib/ddtrace/auto_instrument.rb +9 -4
  697. data/lib/ddtrace/auto_instrument_base.rb +0 -2
  698. data/lib/ddtrace/profiling/preload.rb +0 -2
  699. data/lib/ddtrace/transport/ext.rb +7 -3
  700. data/lib/ddtrace/transport/http/adapters/net.rb +3 -4
  701. data/lib/ddtrace/transport/http/adapters/registry.rb +0 -2
  702. data/lib/ddtrace/transport/http/adapters/test.rb +1 -3
  703. data/lib/ddtrace/transport/http/adapters/unix_socket.rb +2 -4
  704. data/lib/ddtrace/transport/http/api/endpoint.rb +0 -2
  705. data/lib/ddtrace/transport/http/api/fallbacks.rb +0 -2
  706. data/lib/ddtrace/transport/http/api/instance.rb +0 -2
  707. data/lib/ddtrace/transport/http/api/map.rb +1 -3
  708. data/lib/ddtrace/transport/http/api/spec.rb +0 -2
  709. data/lib/ddtrace/transport/http/api.rb +4 -6
  710. data/lib/ddtrace/transport/http/builder.rb +5 -7
  711. data/lib/ddtrace/transport/http/client.rb +4 -5
  712. data/lib/ddtrace/transport/http/env.rb +0 -2
  713. data/lib/ddtrace/transport/http/response.rb +35 -7
  714. data/lib/ddtrace/transport/http/statistics.rb +1 -3
  715. data/lib/ddtrace/transport/http/traces.rb +6 -8
  716. data/lib/ddtrace/transport/http.rb +11 -12
  717. data/lib/ddtrace/transport/io/client.rb +5 -5
  718. data/lib/ddtrace/transport/io/response.rb +1 -3
  719. data/lib/ddtrace/transport/io/traces.rb +3 -7
  720. data/lib/ddtrace/transport/io.rb +3 -5
  721. data/lib/ddtrace/transport/parcel.rb +0 -4
  722. data/lib/ddtrace/transport/request.rb +0 -2
  723. data/lib/ddtrace/transport/response.rb +0 -2
  724. data/lib/ddtrace/transport/serializable_trace.rb +9 -5
  725. data/lib/ddtrace/transport/statistics.rb +2 -4
  726. data/lib/ddtrace/transport/trace_formatter.rb +21 -12
  727. data/lib/ddtrace/transport/traces.rb +9 -9
  728. data/lib/ddtrace/version.rb +2 -4
  729. data/lib/ddtrace.rb +6 -9
  730. metadata +176 -47
  731. data/.editorconfig +0 -22
  732. data/.gitignore +0 -70
  733. data/CONTRIBUTING.md +0 -81
  734. data/ddtrace.gemspec +0 -59
  735. data/docs/0.x-trace.png +0 -0
  736. data/docs/1.0-trace.png +0 -0
  737. data/docs/AutoInstrumentation.md +0 -36
  738. data/docs/Deprecation.md +0 -8
  739. data/docs/DevelopmentGuide.md +0 -259
  740. data/docs/GettingStarted.md +0 -2671
  741. data/docs/ProfilingDevelopment.md +0 -110
  742. data/docs/PublicApi.md +0 -14
  743. data/docs/UpgradeGuide.md +0 -736
  744. data/lib/datadog/appsec/assets/waf_rules/risky.json +0 -1499
  745. data/lib/datadog/appsec/contrib/rack/request.rb +0 -52
  746. data/lib/datadog/appsec/contrib/rack/response.rb +0 -24
  747. data/lib/datadog/profiling/recorder.rb +0 -117
  748. data/lib/datadog/profiling/transport/client.rb +0 -16
  749. data/lib/datadog/profiling/transport/http/api/endpoint.rb +0 -107
  750. data/lib/datadog/profiling/transport/http/api/instance.rb +0 -38
  751. data/lib/datadog/profiling/transport/http/api/spec.rb +0 -42
  752. data/lib/datadog/profiling/transport/http/api.rb +0 -45
  753. data/lib/datadog/profiling/transport/http/builder.rb +0 -30
  754. data/lib/datadog/profiling/transport/http/client.rb +0 -35
  755. data/lib/datadog/profiling/transport/http/response.rb +0 -23
  756. data/lib/datadog/profiling/transport/http.rb +0 -112
  757. data/lib/datadog/profiling/transport/io/client.rb +0 -29
  758. data/lib/datadog/profiling/transport/io/response.rb +0 -18
  759. data/lib/datadog/profiling/transport/io.rb +0 -32
  760. data/lib/datadog/profiling/transport/parcel.rb +0 -19
  761. data/lib/datadog/profiling/transport/request.rb +0 -17
  762. data/lib/datadog/profiling/transport/response.rb +0 -10
  763. data/lib/datadog/tracing/distributed/headers/b3.rb +0 -55
  764. data/lib/datadog/tracing/distributed/headers/b3_single.rb +0 -67
  765. data/lib/datadog/tracing/distributed/headers/datadog.rb +0 -52
  766. data/lib/datadog/tracing/distributed/parser.rb +0 -70
  767. data/lib/datadog/tracing/propagation/grpc.rb +0 -88
@@ -1,16 +1,67 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.3.1"
4
+ "rules_version": "1.5.2"
5
5
  },
6
6
  "rules": [
7
+ {
8
+ "id": "blk-001-001",
9
+ "name": "Block IP Addresses",
10
+ "tags": {
11
+ "type": "block_ip",
12
+ "category": "security_response"
13
+ },
14
+ "conditions": [
15
+ {
16
+ "parameters": {
17
+ "inputs": [
18
+ {
19
+ "address": "http.client_ip"
20
+ }
21
+ ],
22
+ "data": "blocked_ips"
23
+ },
24
+ "operator": "ip_match"
25
+ }
26
+ ],
27
+ "transformers": [],
28
+ "on_match": [
29
+ "block"
30
+ ]
31
+ },
32
+ {
33
+ "id": "blk-001-002",
34
+ "name": "Block User Addresses",
35
+ "tags": {
36
+ "type": "block_user",
37
+ "category": "security_response"
38
+ },
39
+ "conditions": [
40
+ {
41
+ "parameters": {
42
+ "inputs": [
43
+ {
44
+ "address": "usr.id"
45
+ }
46
+ ],
47
+ "data": "blocked_users"
48
+ },
49
+ "operator": "exact_match"
50
+ }
51
+ ],
52
+ "transformers": [],
53
+ "on_match": [
54
+ "block"
55
+ ]
56
+ },
7
57
  {
8
58
  "id": "crs-913-110",
9
59
  "name": "Acunetix",
10
60
  "tags": {
11
61
  "type": "security_scanner",
12
62
  "crs_id": "913110",
13
- "category": "attack_attempt"
63
+ "category": "attack_attempt",
64
+ "confidence": "1"
14
65
  },
15
66
  "conditions": [
16
67
  {
@@ -41,7 +92,8 @@
41
92
  "tags": {
42
93
  "type": "security_scanner",
43
94
  "crs_id": "913120",
44
- "category": "attack_attempt"
95
+ "category": "attack_attempt",
96
+ "confidence": "1"
45
97
  },
46
98
  "conditions": [
47
99
  {
@@ -90,7 +142,8 @@
90
142
  "tags": {
91
143
  "type": "http_protocol_violation",
92
144
  "crs_id": "920260",
93
- "category": "attack_attempt"
145
+ "category": "attack_attempt",
146
+ "confidence": "0"
94
147
  },
95
148
  "conditions": [
96
149
  {
@@ -146,33 +199,6 @@
146
199
  "lowercase"
147
200
  ]
148
201
  },
149
- {
150
- "id": "crs-921-140",
151
- "name": "HTTP Header Injection Attack via headers",
152
- "tags": {
153
- "type": "http_protocol_violation",
154
- "crs_id": "921140",
155
- "category": "attack_attempt"
156
- },
157
- "conditions": [
158
- {
159
- "parameters": {
160
- "inputs": [
161
- {
162
- "address": "server.request.headers.no_cookies"
163
- }
164
- ],
165
- "regex": "[\\n\\r]",
166
- "options": {
167
- "case_sensitive": true,
168
- "min_length": 1
169
- }
170
- },
171
- "operator": "match_regex"
172
- }
173
- ],
174
- "transformers": []
175
- },
176
202
  {
177
203
  "id": "crs-921-160",
178
204
  "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
@@ -192,7 +218,7 @@
192
218
  "address": "server.request.path_params"
193
219
  }
194
220
  ],
195
- "regex": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:",
221
+ "regex": "[\\n\\r]+(?:refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|via|remote-ip|remote-addr|originating-IP))\\s*:",
196
222
  "options": {
197
223
  "case_sensitive": true,
198
224
  "min_length": 3
@@ -211,7 +237,8 @@
211
237
  "tags": {
212
238
  "type": "lfi",
213
239
  "crs_id": "930100",
214
- "category": "attack_attempt"
240
+ "category": "attack_attempt",
241
+ "confidence": "1"
215
242
  },
216
243
  "conditions": [
217
244
  {
@@ -224,7 +251,7 @@
224
251
  "address": "server.request.headers.no_cookies"
225
252
  }
226
253
  ],
227
- "regex": "(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))",
254
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01])?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
228
255
  "options": {
229
256
  "min_length": 4
230
257
  }
@@ -242,7 +269,8 @@
242
269
  "tags": {
243
270
  "type": "lfi",
244
271
  "crs_id": "930110",
245
- "category": "attack_attempt"
272
+ "category": "attack_attempt",
273
+ "confidence": "1"
246
274
  },
247
275
  "conditions": [
248
276
  {
@@ -255,7 +283,7 @@
255
283
  "address": "server.request.headers.no_cookies"
256
284
  }
257
285
  ],
258
- "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))",
286
+ "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
259
287
  "options": {
260
288
  "case_sensitive": true,
261
289
  "min_length": 3
@@ -274,7 +302,8 @@
274
302
  "tags": {
275
303
  "type": "lfi",
276
304
  "crs_id": "930120",
277
- "category": "attack_attempt"
305
+ "category": "attack_attempt",
306
+ "confidence": "1"
278
307
  },
279
308
  "conditions": [
280
309
  {
@@ -299,6 +328,8 @@
299
328
  "/.htpasswd",
300
329
  "/.addressbook",
301
330
  "/.aptitude/config",
331
+ ".aws/config",
332
+ ".aws/credentials",
302
333
  "/.bash_config",
303
334
  "/.bash_history",
304
335
  "/.bash_logout",
@@ -330,6 +361,7 @@
330
361
  "/.nano_history",
331
362
  "/.node_repl_history",
332
363
  "/.pearrc",
364
+ "/.pgpass",
333
365
  "/.php_history",
334
366
  "/.pinerc",
335
367
  ".pki/",
@@ -350,6 +382,8 @@
350
382
  ".ssh/id_rsa.pub",
351
383
  ".ssh/identity",
352
384
  ".ssh/identity.pub",
385
+ ".ssh/id_ecdsa",
386
+ ".ssh/id_ecdsa.pub",
353
387
  ".ssh/known_hosts",
354
388
  ".subversion/auth",
355
389
  ".subversion/config",
@@ -366,6 +400,225 @@
366
400
  "/.zshrc",
367
401
  "/.zsh_history",
368
402
  "/.nsconfig",
403
+ "data/elasticsearch",
404
+ "data/kafka",
405
+ "etc/ansible",
406
+ "etc/bind",
407
+ "etc/centos-release",
408
+ "etc/centos-release-upstream",
409
+ "etc/clam.d",
410
+ "etc/elasticsearch",
411
+ "etc/freshclam.conf",
412
+ "etc/gshadow",
413
+ "etc/gshadow-",
414
+ "etc/httpd",
415
+ "etc/kafka",
416
+ "etc/kibana",
417
+ "etc/logstash",
418
+ "etc/lvm",
419
+ "etc/mongod.conf",
420
+ "etc/my.cnf",
421
+ "etc/nuxeo.conf",
422
+ "etc/pki",
423
+ "etc/postfix",
424
+ "etc/scw-release",
425
+ "etc/subgid",
426
+ "etc/subgid-",
427
+ "etc/sudoers.d",
428
+ "etc/sysconfig",
429
+ "etc/system-release-cpe",
430
+ "opt/nuxeo",
431
+ "opt/tomcat",
432
+ "tmp/kafka-logs",
433
+ "usr/lib/rpm/rpm.log",
434
+ "var/data/elasticsearch",
435
+ "var/lib/elasticsearch",
436
+ "etc/.java",
437
+ "etc/acpi",
438
+ "etc/alsa",
439
+ "etc/alternatives",
440
+ "etc/apache2",
441
+ "etc/apm",
442
+ "etc/apparmor",
443
+ "etc/apparmor.d",
444
+ "etc/apport",
445
+ "etc/apt",
446
+ "etc/asciidoc",
447
+ "etc/avahi",
448
+ "etc/bash_completion.d",
449
+ "etc/binfmt.d",
450
+ "etc/bluetooth",
451
+ "etc/bonobo-activation",
452
+ "etc/brltty",
453
+ "etc/ca-certificates",
454
+ "etc/calendar",
455
+ "etc/chatscripts",
456
+ "etc/chromium-browser",
457
+ "etc/clamav",
458
+ "etc/cni",
459
+ "etc/console-setup",
460
+ "etc/coraza-waf",
461
+ "etc/cracklib",
462
+ "etc/cron.d",
463
+ "etc/cron.daily",
464
+ "etc/cron.hourly",
465
+ "etc/cron.monthly",
466
+ "etc/cron.weekly",
467
+ "etc/cups",
468
+ "etc/cups.save",
469
+ "etc/cupshelpers",
470
+ "etc/dbus-1",
471
+ "etc/dconf",
472
+ "etc/default",
473
+ "etc/depmod.d",
474
+ "etc/dhcp",
475
+ "etc/dictionaries-common",
476
+ "etc/dkms",
477
+ "etc/dnsmasq.d",
478
+ "etc/dockeretc/dpkg",
479
+ "etc/emacs",
480
+ "etc/environment.d",
481
+ "etc/fail2ban",
482
+ "etc/firebird",
483
+ "etc/firefox",
484
+ "etc/fonts",
485
+ "etc/fwupd",
486
+ "etc/gconf",
487
+ "etc/gdb",
488
+ "etc/gdm3",
489
+ "etc/geoclue",
490
+ "etc/ghostscript",
491
+ "etc/gimp",
492
+ "etc/glvnd",
493
+ "etc/gnome",
494
+ "etc/gnome-vfs-2.0",
495
+ "etc/gnucash",
496
+ "etc/gnustep",
497
+ "etc/groff",
498
+ "etc/grub.d",
499
+ "etc/gss",
500
+ "etc/gtk-2.0",
501
+ "etc/gtk-3.0",
502
+ "etc/hp",
503
+ "etc/ifplugd",
504
+ "etc/imagemagick-6",
505
+ "etc/init",
506
+ "etc/init.d",
507
+ "etc/initramfs-tools",
508
+ "etc/insserv.conf.d",
509
+ "etc/iproute2",
510
+ "etc/iptables",
511
+ "etc/java",
512
+ "etc/java-11-openjdk",
513
+ "etc/java-17-oracle",
514
+ "etc/java-8-openjdk",
515
+ "etc/kernel",
516
+ "etc/ld.so.conf.d",
517
+ "etc/ldap",
518
+ "etc/libblockdev",
519
+ "etc/libibverbs.d",
520
+ "etc/libnl-3",
521
+ "etc/libpaper.d",
522
+ "etc/libreoffice",
523
+ "etc/lighttpd",
524
+ "etc/logcheck",
525
+ "etc/logrotate.d",
526
+ "etc/lynx",
527
+ "etc/mail",
528
+ "etc/mc",
529
+ "etc/menu",
530
+ "etc/menu-methods",
531
+ "etc/modprobe.d",
532
+ "etc/modsecurity",
533
+ "etc/modules-load.d",
534
+ "etc/monit",
535
+ "etc/mono",
536
+ "etc/mplayer",
537
+ "etc/mpv",
538
+ "etc/muttrc.d",
539
+ "etc/mysql",
540
+ "etc/netplan",
541
+ "etc/network",
542
+ "etc/networkd-dispatcher",
543
+ "etc/networkmanager",
544
+ "etc/newt",
545
+ "etc/nghttpx",
546
+ "etc/nikto",
547
+ "etc/odbcdatasources",
548
+ "etc/openal",
549
+ "etc/openmpi",
550
+ "etc/opt",
551
+ "etc/osync",
552
+ "etc/packagekit",
553
+ "etc/pam.d",
554
+ "etc/pcmcia",
555
+ "etc/perl",
556
+ "etc/php",
557
+ "etc/pki",
558
+ "etc/pm",
559
+ "etc/polkit-1",
560
+ "etc/postfix",
561
+ "etc/ppp",
562
+ "etc/profile.d",
563
+ "etc/proftpd",
564
+ "etc/pulse",
565
+ "etc/python",
566
+ "etc/rc0.d",
567
+ "etc/rc1.d",
568
+ "etc/rc2.d",
569
+ "etc/rc3.d",
570
+ "etc/rc4.d",
571
+ "etc/rc5.d",
572
+ "etc/rc6.d",
573
+ "etc/rcs.d",
574
+ "etc/resolvconf",
575
+ "etc/rsyslog.d",
576
+ "etc/samba",
577
+ "etc/sane.d",
578
+ "etc/security",
579
+ "etc/selinux",
580
+ "etc/sensors.d",
581
+ "etc/sgml",
582
+ "etc/signon-ui",
583
+ "etc/skel",
584
+ "etc/snmp",
585
+ "etc/sound",
586
+ "etc/spamassassin",
587
+ "etc/speech-dispatcher",
588
+ "etc/ssh",
589
+ "etc/ssl",
590
+ "etc/sudoers.d",
591
+ "etc/sysctl.d",
592
+ "etc/sysstat",
593
+ "etc/systemd",
594
+ "etc/terminfo",
595
+ "etc/texmf",
596
+ "etc/thermald",
597
+ "etc/thnuclnt",
598
+ "etc/thunderbird",
599
+ "etc/timidity",
600
+ "etc/tmpfiles.d",
601
+ "etc/ubuntu-advantage",
602
+ "etc/udev",
603
+ "etc/udisks2",
604
+ "etc/ufw",
605
+ "etc/update-manager",
606
+ "etc/update-motd.d",
607
+ "etc/update-notifier",
608
+ "etc/upower",
609
+ "etc/urlview",
610
+ "etc/usb_modeswitch.d",
611
+ "etc/vim",
612
+ "etc/vmware",
613
+ "etc/vmware-installer",
614
+ "etc/vmware-vix",
615
+ "etc/vulkan",
616
+ "etc/w3m",
617
+ "etc/wireshark",
618
+ "etc/wpa_supplicant",
619
+ "etc/x11",
620
+ "etc/xdg",
621
+ "etc/xml",
369
622
  "etc/redis.conf",
370
623
  "etc/redis-sentinel.conf",
371
624
  "etc/php.ini",
@@ -417,10 +670,8 @@
417
670
  "usr/local/cpanel/logs/license_log",
418
671
  "usr/local/cpanel/logs/login_log",
419
672
  "var/cpanel/cpanel.config",
420
- "var/log/sw-cp-server/error_log",
421
673
  "usr/local/psa/admin/logs/httpsd_access_log",
422
674
  "usr/local/psa/admin/logs/panel.log",
423
- "var/log/sso/sso.log",
424
675
  "usr/local/psa/admin/conf/php.ini",
425
676
  "etc/sw-cp-server/applications.d/plesk.conf",
426
677
  "usr/local/psa/admin/conf/site_isolation_settings.ini",
@@ -428,16 +679,6 @@
428
679
  "etc/sw-cp-server/applications.d/00-sso-cpserver.conf",
429
680
  "etc/sso/sso_config.ini",
430
681
  "etc/mysql/conf.d/old_passwords.cnf",
431
- "var/log/mysql/mysql-bin.log",
432
- "var/log/mysql/mysql-bin.index",
433
- "var/log/mysql/data/mysql-bin.index",
434
- "var/log/mysql.log",
435
- "var/log/mysql.err",
436
- "var/log/mysqlderror.log",
437
- "var/log/mysql/mysql.log",
438
- "var/log/mysql/mysql-slow.log",
439
- "var/log/mysql-bin.index",
440
- "var/log/data/mysql-bin.index",
441
682
  "var/mysql.log",
442
683
  "var/mysql-bin.index",
443
684
  "var/data/mysql-bin.index",
@@ -474,21 +715,6 @@
474
715
  "mysql/my.cnf",
475
716
  "mysql/bin/my.ini",
476
717
  "var/postgresql/log/postgresql.log",
477
- "var/log/postgresql/postgresql.log",
478
- "var/log/postgres/pg_backup.log",
479
- "var/log/postgres/postgres.log",
480
- "var/log/postgresql.log",
481
- "var/log/pgsql/pgsql.log",
482
- "var/log/postgresql/postgresql-8.1-main.log",
483
- "var/log/postgresql/postgresql-8.3-main.log",
484
- "var/log/postgresql/postgresql-8.4-main.log",
485
- "var/log/postgresql/postgresql-9.0-main.log",
486
- "var/log/postgresql/postgresql-9.1-main.log",
487
- "var/log/pgsql8.log",
488
- "var/log/postgresql/postgres.log",
489
- "var/log/pgsql_log",
490
- "var/log/postgresql/main.log",
491
- "var/log/cron/var/log/postgres.log",
492
718
  "usr/internet/pgsql/data/postmaster.log",
493
719
  "usr/local/pgsql/data/postgresql.log",
494
720
  "usr/local/pgsql/data/pg_log",
@@ -572,29 +798,21 @@
572
798
  "windows/system32/logfiles/msftpsvc2",
573
799
  "etc/logrotate.d/proftpd",
574
800
  "www/logs/proftpd.system.log",
575
- "var/log/proftpd",
576
- "var/log/proftpd/xferlog.legacy",
577
- "var/log/proftpd.access_log",
578
- "var/log/proftpd.xferlog",
579
801
  "etc/pam.d/proftpd",
580
802
  "etc/proftp.conf",
581
803
  "etc/protpd/proftpd.conf",
582
804
  "etc/vhcs2/proftpd/proftpd.conf",
583
805
  "etc/proftpd/modules.conf",
584
- "var/log/vsftpd.log",
585
806
  "etc/vsftpd.chroot_list",
586
807
  "etc/logrotate.d/vsftpd.log",
587
808
  "etc/vsftpd/vsftpd.conf",
588
809
  "etc/vsftpd.conf",
589
810
  "etc/chrootusers",
590
- "var/log/xferlog",
591
811
  "var/adm/log/xferlog",
592
812
  "etc/wu-ftpd/ftpaccess",
593
813
  "etc/wu-ftpd/ftphosts",
594
814
  "etc/wu-ftpd/ftpusers",
595
- "var/log/pure-ftpd/pure-ftpd.log",
596
815
  "logs/pure-ftpd.log",
597
- "var/log/pureftpd.log",
598
816
  "usr/sbin/pure-config.pl",
599
817
  "usr/etc/pure-ftpd.conf",
600
818
  "etc/pure-ftpd/pure-ftpd.conf",
@@ -620,30 +838,18 @@
620
838
  "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
621
839
  "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
622
840
  "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
623
- "var/log/muddleftpd",
624
841
  "usr/sbin/mudlogd",
625
842
  "etc/muddleftpd/mudlog",
626
843
  "etc/muddleftpd.com",
627
844
  "etc/muddleftpd/mudlogd.conf",
628
845
  "etc/muddleftpd/muddleftpd.conf",
629
- "var/log/muddleftpd.conf",
630
846
  "usr/sbin/mudpasswd",
631
847
  "etc/muddleftpd/muddleftpd.passwd",
632
848
  "etc/muddleftpd/passwd",
633
- "var/log/ftp-proxy/ftp-proxy.log",
634
- "var/log/ftp-proxy",
635
- "var/log/ftplog",
636
849
  "etc/logrotate.d/ftp",
637
850
  "etc/ftpchroot",
638
851
  "etc/ftphosts",
639
852
  "etc/ftpusers",
640
- "var/log/exim_mainlog",
641
- "var/log/exim/mainlog",
642
- "var/log/maillog",
643
- "var/log/exim_paniclog",
644
- "var/log/exim/paniclog",
645
- "var/log/exim/rejectlog",
646
- "var/log/exim_rejectlog",
647
853
  "winnt/system32/logfiles/smtpsvc",
648
854
  "winnt/system32/logfiles/smtpsvc1",
649
855
  "winnt/system32/logfiles/smtpsvc2",
@@ -716,7 +922,6 @@
716
922
  "library/webserver/documents/default.htm",
717
923
  "library/webserver/documents/index.php",
718
924
  "library/webserver/documents/default.php",
719
- "var/log/webmin/miniserv.log",
720
925
  "usr/local/etc/webmin/miniserv.conf",
721
926
  "etc/webmin/miniserv.conf",
722
927
  "usr/local/etc/webmin/miniserv.users",
@@ -729,8 +934,6 @@
729
934
  "windows/system32/logfiles/w3svc1/inetsvn1.log",
730
935
  "windows/system32/logfiles/w3svc2/inetsvn1.log",
731
936
  "windows/system32/logfiles/w3svc3/inetsvn1.log",
732
- "var/log/httpd/access_log",
733
- "var/log/httpd/error_log",
734
937
  "apache/logs/error.log",
735
938
  "apache/logs/access.log",
736
939
  "apache2/logs/error.log",
@@ -753,20 +956,6 @@
753
956
  "var/www/logs/access.log",
754
957
  "var/www/logs/error_log",
755
958
  "var/www/logs/error.log",
756
- "var/log/httpd/access.log",
757
- "var/log/httpd/error.log",
758
- "var/log/apache/access_log",
759
- "var/log/apache/access.log",
760
- "var/log/apache/error_log",
761
- "var/log/apache/error.log",
762
- "var/log/apache2/access_log",
763
- "var/log/apache2/access.log",
764
- "var/log/apache2/error_log",
765
- "var/log/apache2/error.log",
766
- "var/log/access_log",
767
- "var/log/access.log",
768
- "var/log/error_log",
769
- "var/log/error.log",
770
959
  "opt/lampp/logs/access_log",
771
960
  "opt/lampp/logs/error_log",
772
961
  "opt/xampp/logs/access_log",
@@ -905,7 +1094,6 @@
905
1094
  "usr/share/tomcat6/conf/context.xml",
906
1095
  "usr/share/tomcat6/conf/workers.properties",
907
1096
  "usr/share/tomcat6/conf/logging.properties",
908
- "var/log/tomcat6/catalina.out",
909
1097
  "var/cpanel/tomcat.options",
910
1098
  "usr/local/jakarta/tomcat/logs/catalina.out",
911
1099
  "usr/local/jakarta/tomcat/logs/catalina.err",
@@ -986,23 +1174,14 @@
986
1174
  "program files/[jboss]/server/default/log/boot.log",
987
1175
  "[jboss]/server/default/log/server.log",
988
1176
  "[jboss]/server/default/log/boot.log",
989
- "var/log/lighttpd.error.log",
990
- "var/log/lighttpd.access.log",
991
1177
  "var/lighttpd.log",
992
1178
  "var/logs/access.log",
993
- "var/log/lighttpd/",
994
- "var/log/lighttpd/error.log",
995
- "var/log/lighttpd/access.www.log",
996
- "var/log/lighttpd/error.www.log",
997
- "var/log/lighttpd/access.log",
998
1179
  "usr/local/apache2/logs/lighttpd.error.log",
999
1180
  "usr/local/apache2/logs/lighttpd.log",
1000
1181
  "usr/local/apache/logs/lighttpd.error.log",
1001
1182
  "usr/local/apache/logs/lighttpd.log",
1002
1183
  "usr/local/lighttpd/log/lighttpd.error.log",
1003
1184
  "usr/local/lighttpd/log/access.log",
1004
- "var/log/lighttpd/{domain}/access.log",
1005
- "var/log/lighttpd/{domain}/error.log",
1006
1185
  "usr/home/user/var/log/lighttpd.error.log",
1007
1186
  "usr/home/user/var/log/apache.log",
1008
1187
  "home/user/lighttpd/lighttpd.conf",
@@ -1012,12 +1191,6 @@
1012
1191
  "usr/local/lighttpd/conf/lighttpd.conf",
1013
1192
  "usr/local/etc/lighttpd.conf.new",
1014
1193
  "var/www/.lighttpdpassword",
1015
- "var/log/nginx/access_log",
1016
- "var/log/nginx/error_log",
1017
- "var/log/nginx/access.log",
1018
- "var/log/nginx/error.log",
1019
- "var/log/nginx.access_log",
1020
- "var/log/nginx.error_log",
1021
1194
  "logs/access_log",
1022
1195
  "logs/error_log",
1023
1196
  "etc/nginx/nginx.conf",
@@ -1033,12 +1206,6 @@
1033
1206
  "usr/local/logs/access.log",
1034
1207
  "usr/local/samba/lib/log.user",
1035
1208
  "usr/local/logs/samba.log",
1036
- "var/log/samba/log.smbd",
1037
- "var/log/samba/log.nmbd",
1038
- "var/log/samba.log",
1039
- "var/log/samba.log1",
1040
- "var/log/samba.log2",
1041
- "var/log/log.smb",
1042
1209
  "etc/samba/netlogon",
1043
1210
  "etc/smbpasswd",
1044
1211
  "etc/smb.conf",
@@ -1067,10 +1234,6 @@
1067
1234
  "etc/wicd/manager-settings.conf",
1068
1235
  "etc/wicd/wired-settings.conf",
1069
1236
  "etc/wicd/wireless-settings.conf",
1070
- "var/log/ipfw.log",
1071
- "var/log/ipfw",
1072
- "var/log/ipfw/ipfw.log",
1073
- "var/log/ipfw.today",
1074
1237
  "etc/ipfw.rules",
1075
1238
  "etc/ipfw.conf",
1076
1239
  "etc/firewall.rules",
@@ -1089,33 +1252,6 @@
1089
1252
  "etc/bluetooth/main.conf",
1090
1253
  "etc/bluetooth/network.conf",
1091
1254
  "etc/bluetooth/rfcomm.conf",
1092
- "proc/self/environ",
1093
- "proc/self/mounts",
1094
- "proc/self/stat",
1095
- "proc/self/status",
1096
- "proc/self/cmdline",
1097
- "proc/self/fd/0",
1098
- "proc/self/fd/1",
1099
- "proc/self/fd/2",
1100
- "proc/self/fd/3",
1101
- "proc/self/fd/4",
1102
- "proc/self/fd/5",
1103
- "proc/self/fd/6",
1104
- "proc/self/fd/7",
1105
- "proc/self/fd/8",
1106
- "proc/self/fd/9",
1107
- "proc/self/fd/10",
1108
- "proc/self/fd/11",
1109
- "proc/self/fd/12",
1110
- "proc/self/fd/13",
1111
- "proc/self/fd/14",
1112
- "proc/self/fd/15",
1113
- "proc/version",
1114
- "proc/devices",
1115
- "proc/cpuinfo",
1116
- "proc/meminfo",
1117
- "proc/net/tcp",
1118
- "proc/net/udp",
1119
1255
  "etc/bash_completion.d/debconf",
1120
1256
  "root/.bash_logout",
1121
1257
  "root/.bash_history",
@@ -1153,39 +1289,12 @@
1153
1289
  "var/adm/aculog",
1154
1290
  "var/adm/vold.log",
1155
1291
  "var/adm/log/asppp.log",
1156
- "var/log/poplog",
1157
- "var/log/authlog",
1158
1292
  "var/lp/logs/lpsched",
1159
1293
  "var/lp/logs/lpnet",
1160
1294
  "var/lp/logs/requests",
1161
1295
  "var/cron/log",
1162
1296
  "var/saf/_log",
1163
1297
  "var/saf/port/log",
1164
- "var/log/news.all",
1165
- "var/log/news/news.all",
1166
- "var/log/news/news.crit",
1167
- "var/log/news/news.err",
1168
- "var/log/news/news.notice",
1169
- "var/log/news/suck.err",
1170
- "var/log/news/suck.notice",
1171
- "var/log/messages",
1172
- "var/log/messages.1",
1173
- "var/log/user.log",
1174
- "var/log/user.log.1",
1175
- "var/log/auth.log",
1176
- "var/log/pm-powersave.log",
1177
- "var/log/xorg.0.log",
1178
- "var/log/daemon.log",
1179
- "var/log/daemon.log.1",
1180
- "var/log/kern.log",
1181
- "var/log/kern.log.1",
1182
- "var/log/mail.err",
1183
- "var/log/mail.info",
1184
- "var/log/mail.warn",
1185
- "var/log/ufw.log",
1186
- "var/log/boot.log",
1187
- "var/log/syslog",
1188
- "var/log/syslog.1",
1189
1298
  "tmp/access.log",
1190
1299
  "etc/sensors.conf",
1191
1300
  "etc/sensors3.conf",
@@ -1242,16 +1351,11 @@
1242
1351
  "etc/timezone",
1243
1352
  "etc/modules",
1244
1353
  "etc/passwd",
1245
- "etc/passwd~",
1246
- "etc/passwd-",
1247
1354
  "etc/shadow",
1248
- "etc/shadow~",
1249
- "etc/shadow-",
1250
1355
  "etc/fstab",
1251
1356
  "etc/motd",
1252
1357
  "etc/hosts",
1253
1358
  "etc/group",
1254
- "etc/group-",
1255
1359
  "etc/alias",
1256
1360
  "etc/crontab",
1257
1361
  "etc/crypttab",
@@ -1271,6 +1375,8 @@
1271
1375
  "etc/sudoers",
1272
1376
  "etc/sysconfig/network-scripts/ifcfg-eth0",
1273
1377
  "etc/redhat-release",
1378
+ "etc/scw-release",
1379
+ "etc/system-release-cpe",
1274
1380
  "etc/debian_version",
1275
1381
  "etc/fedora-release",
1276
1382
  "etc/mandrake-release",
@@ -1287,11 +1393,7 @@
1287
1393
  "root/.ksh_history",
1288
1394
  "root/.xauthority",
1289
1395
  "usr/lib/security/mkuser.default",
1290
- "var/log/squirrelmail.log",
1291
- "var/log/apache2/squirrelmail.log",
1292
- "var/log/apache2/squirrelmail.err.log",
1293
1396
  "var/lib/squirrelmail/prefs/squirrelmail.log",
1294
- "var/log/mail.log",
1295
1397
  "etc/squirrelmail/apache.conf",
1296
1398
  "etc/squirrelmail/config_local.php",
1297
1399
  "etc/squirrelmail/default_pref",
@@ -1345,59 +1447,302 @@
1345
1447
  "etc/vmware-tools/config",
1346
1448
  "etc/vmware-tools/tpvmlp.conf",
1347
1449
  "etc/vmware-tools/vmware-tools-libraries.conf",
1348
- "var/log/vmware/hostd.log",
1349
- "var/log/vmware/hostd-1.log",
1350
- "/wp-config.php",
1351
- "/wp-config.bak",
1352
- "/wp-config.old",
1353
- "/wp-config.temp",
1354
- "/wp-config.tmp",
1355
- "/wp-config.txt",
1356
- "/config.yml",
1357
- "/config_dev.yml",
1358
- "/config_prod.yml",
1359
- "/config_test.yml",
1360
- "/parameters.yml",
1361
- "/routing.yml",
1362
- "/security.yml",
1363
- "/services.yml",
1364
- "sites/default/default.settings.php",
1365
- "sites/default/settings.php",
1366
- "sites/default/settings.local.php",
1367
- "app/etc/local.xml",
1368
- "/sftp-config.json",
1369
- "/web.config",
1370
- "includes/config.php",
1371
- "includes/configure.php",
1372
- "config.inc.php",
1373
- "localsettings.php",
1374
- "inc/config.php",
1375
- "typo3conf/localconf.php",
1376
- "config/app.php",
1377
- "config/custom.php",
1378
- "config/database.php",
1379
- "/configuration.php",
1380
- "/config.php",
1381
- "var/mail/www-data",
1382
- "etc/network/",
1383
- "etc/init/",
1384
- "inetpub/wwwroot/global.asa",
1385
- "system32/inetsrv/config/applicationhost.config",
1386
- "system32/inetsrv/config/administration.config",
1387
- "system32/inetsrv/config/redirection.config",
1388
- "system32/config/default",
1389
- "system32/config/sam",
1390
- "system32/config/system",
1391
- "system32/config/software",
1392
- "winnt/repair/sam._",
1393
- "/package.json",
1394
- "/package-lock.json",
1395
- "/gruntfile.js",
1396
- "/npm-debug.log",
1397
- "/ormconfig.json",
1398
- "/tsconfig.json",
1450
+ "var/log",
1451
+ "var/log/sw-cp-server/error_log",
1452
+ "var/log/sso/sso.log",
1453
+ "var/log/dpkg.log",
1454
+ "var/log/btmp",
1455
+ "var/log/utmp",
1456
+ "var/log/wtmp",
1457
+ "var/log/mysql/mysql-bin.log",
1458
+ "var/log/mysql/mysql-bin.index",
1459
+ "var/log/mysql/data/mysql-bin.index",
1460
+ "var/log/mysql.log",
1461
+ "var/log/mysql.err",
1462
+ "var/log/mysqlderror.log",
1463
+ "var/log/mysql/mysql.log",
1464
+ "var/log/mysql/mysql-slow.log",
1465
+ "var/log/mysql-bin.index",
1466
+ "var/log/data/mysql-bin.index",
1467
+ "var/log/postgresql/postgresql.log",
1468
+ "var/log/postgres/pg_backup.log",
1469
+ "var/log/postgres/postgres.log",
1470
+ "var/log/postgresql.log",
1471
+ "var/log/pgsql/pgsql.log",
1472
+ "var/log/postgresql/postgresql-8.1-main.log",
1473
+ "var/log/postgresql/postgresql-8.3-main.log",
1474
+ "var/log/postgresql/postgresql-8.4-main.log",
1475
+ "var/log/postgresql/postgresql-9.0-main.log",
1476
+ "var/log/postgresql/postgresql-9.1-main.log",
1477
+ "var/log/pgsql8.log",
1478
+ "var/log/postgresql/postgres.log",
1479
+ "var/log/pgsql_log",
1480
+ "var/log/postgresql/main.log",
1481
+ "var/log/cron",
1482
+ "var/log/postgres.log",
1483
+ "var/log/proftpd",
1484
+ "var/log/proftpd/xferlog.legacy",
1485
+ "var/log/proftpd.access_log",
1486
+ "var/log/proftpd.xferlog",
1487
+ "var/log/vsftpd.log",
1488
+ "var/log/xferlog",
1489
+ "var/log/pure-ftpd/pure-ftpd.log",
1490
+ "var/log/pureftpd.log",
1491
+ "var/log/muddleftpd",
1492
+ "var/log/muddleftpd.conf",
1493
+ "var/log/ftp-proxy/ftp-proxy.log",
1494
+ "var/log/ftp-proxy",
1495
+ "var/log/ftplog",
1496
+ "var/log/exim_mainlog",
1497
+ "var/log/exim/mainlog",
1498
+ "var/log/maillog",
1499
+ "var/log/exim_paniclog",
1500
+ "var/log/exim/paniclog",
1501
+ "var/log/exim/rejectlog",
1502
+ "var/log/exim_rejectlog",
1503
+ "var/log/webmin/miniserv.log",
1504
+ "var/log/httpd/access_log",
1505
+ "var/log/httpd/error_log",
1506
+ "var/log/httpd/access.log",
1507
+ "var/log/httpd/error.log",
1508
+ "var/log/apache/access_log",
1509
+ "var/log/apache/access.log",
1510
+ "var/log/apache/error_log",
1511
+ "var/log/apache/error.log",
1512
+ "var/log/apache2/access_log",
1513
+ "var/log/apache2/access.log",
1514
+ "var/log/apache2/error_log",
1515
+ "var/log/apache2/error.log",
1516
+ "var/log/access_log",
1517
+ "var/log/access.log",
1518
+ "var/log/error_log",
1519
+ "var/log/error.log",
1520
+ "var/log/tomcat6/catalina.out",
1521
+ "var/log/lighttpd.error.log",
1522
+ "var/log/lighttpd.access.log",
1523
+ "var/logs/access.log",
1524
+ "var/log/lighttpd/",
1525
+ "var/log/lighttpd/error.log",
1526
+ "var/log/lighttpd/access.www.log",
1527
+ "var/log/lighttpd/error.www.log",
1528
+ "var/log/lighttpd/access.log",
1529
+ "var/log/lighttpd/{domain}/access.log",
1530
+ "var/log/lighttpd/{domain}/error.log",
1531
+ "var/log/nginx/access_log",
1532
+ "var/log/nginx/error_log",
1533
+ "var/log/nginx/access.log",
1534
+ "var/log/nginx/error.log",
1535
+ "var/log/nginx.access_log",
1536
+ "var/log/nginx.error_log",
1537
+ "var/log/samba/log.smbd",
1538
+ "var/log/samba/log.nmbd",
1539
+ "var/log/samba.log",
1540
+ "var/log/samba.log1",
1541
+ "var/log/samba.log2",
1542
+ "var/log/log.smb",
1543
+ "var/log/ipfw.log",
1544
+ "var/log/ipfw",
1545
+ "var/log/ipfw/ipfw.log",
1546
+ "var/log/ipfw.today",
1547
+ "var/log/poplog",
1548
+ "var/log/authlog",
1549
+ "var/log/news.all",
1550
+ "var/log/news/news.all",
1551
+ "var/log/news/news.crit",
1552
+ "var/log/news/news.err",
1553
+ "var/log/news/news.notice",
1554
+ "var/log/news/suck.err",
1555
+ "var/log/news/suck.notice",
1556
+ "var/log/messages",
1557
+ "var/log/messages.1",
1558
+ "var/log/user.log",
1559
+ "var/log/user.log.1",
1560
+ "var/log/auth.log",
1561
+ "var/log/pm-powersave.log",
1562
+ "var/log/xorg.0.log",
1563
+ "var/log/daemon.log",
1564
+ "var/log/daemon.log.1",
1565
+ "var/log/kern.log",
1566
+ "var/log/kern.log.1",
1567
+ "var/log/mail.err",
1568
+ "var/log/mail.info",
1569
+ "var/log/mail.warn",
1570
+ "var/log/ufw.log",
1571
+ "var/log/boot.log",
1572
+ "var/log/syslog",
1573
+ "var/log/syslog.1",
1574
+ "var/log/squirrelmail.log",
1575
+ "var/log/apache2/squirrelmail.log",
1576
+ "var/log/apache2/squirrelmail.err.log",
1577
+ "var/log/mail.log",
1578
+ "var/log/vmware/hostd.log",
1579
+ "var/log/vmware/hostd-1.log",
1580
+ "/wp-config.php",
1581
+ "/wp-config.bak",
1582
+ "/wp-config.old",
1583
+ "/wp-config.temp",
1584
+ "/wp-config.tmp",
1585
+ "/wp-config.txt",
1586
+ "/config.yml",
1587
+ "/config_dev.yml",
1588
+ "/config_prod.yml",
1589
+ "/config_test.yml",
1590
+ "/parameters.yml",
1591
+ "/routing.yml",
1592
+ "/security.yml",
1593
+ "/services.yml",
1594
+ "sites/default/default.settings.php",
1595
+ "sites/default/settings.php",
1596
+ "sites/default/settings.local.php",
1597
+ "app/etc/local.xml",
1598
+ "/sftp-config.json",
1599
+ "/web.config",
1600
+ "includes/config.php",
1601
+ "includes/configure.php",
1602
+ "/config.inc.php",
1603
+ "/localsettings.php",
1604
+ "inc/config.php",
1605
+ "typo3conf/localconf.php",
1606
+ "config/app.php",
1607
+ "config/custom.php",
1608
+ "config/database.php",
1609
+ "/configuration.php",
1610
+ "/config.php",
1611
+ "var/mail/www-data",
1612
+ "etc/network/",
1613
+ "etc/init/",
1614
+ "inetpub/wwwroot/global.asa",
1615
+ "system32/inetsrv/config/applicationhost.config",
1616
+ "system32/inetsrv/config/administration.config",
1617
+ "system32/inetsrv/config/redirection.config",
1618
+ "system32/config/default",
1619
+ "system32/config/sam",
1620
+ "system32/config/system",
1621
+ "system32/config/software",
1622
+ "winnt/repair/sam._",
1623
+ "/package.json",
1624
+ "/package-lock.json",
1625
+ "/gruntfile.js",
1626
+ "/npm-debug.log",
1627
+ "/ormconfig.json",
1628
+ "/tsconfig.json",
1399
1629
  "/webpack.config.js",
1400
- "/yarn.lock"
1630
+ "/yarn.lock",
1631
+ "proc/0",
1632
+ "proc/1",
1633
+ "proc/2",
1634
+ "proc/3",
1635
+ "proc/4",
1636
+ "proc/5",
1637
+ "proc/6",
1638
+ "proc/7",
1639
+ "proc/8",
1640
+ "proc/9",
1641
+ "proc/acpi",
1642
+ "proc/asound",
1643
+ "proc/bootconfig",
1644
+ "proc/buddyinfo",
1645
+ "proc/bus",
1646
+ "proc/cgroups",
1647
+ "proc/cmdline",
1648
+ "proc/config.gz",
1649
+ "proc/consoles",
1650
+ "proc/cpuinfo",
1651
+ "proc/crypto",
1652
+ "proc/devices",
1653
+ "proc/diskstats",
1654
+ "proc/dma",
1655
+ "proc/docker",
1656
+ "proc/driver",
1657
+ "proc/dynamic_debug",
1658
+ "proc/execdomains",
1659
+ "proc/fb",
1660
+ "proc/filesystems",
1661
+ "proc/fs",
1662
+ "proc/interrupts",
1663
+ "proc/iomem",
1664
+ "proc/ioports",
1665
+ "proc/ipmi",
1666
+ "proc/irq",
1667
+ "proc/kallsyms",
1668
+ "proc/kcore",
1669
+ "proc/keys",
1670
+ "proc/keys",
1671
+ "proc/key-users",
1672
+ "proc/kmsg",
1673
+ "proc/kpagecgroup",
1674
+ "proc/kpagecount",
1675
+ "proc/kpageflags",
1676
+ "proc/latency_stats",
1677
+ "proc/loadavg",
1678
+ "proc/locks",
1679
+ "proc/mdstat",
1680
+ "proc/meminfo",
1681
+ "proc/misc",
1682
+ "proc/modules",
1683
+ "proc/mounts",
1684
+ "proc/mpt",
1685
+ "proc/mtd",
1686
+ "proc/mtrr",
1687
+ "proc/net",
1688
+ "proc/net/tcp",
1689
+ "proc/net/udp",
1690
+ "proc/pagetypeinfo",
1691
+ "proc/partitions",
1692
+ "proc/pressure",
1693
+ "proc/sched_debug",
1694
+ "proc/schedstat",
1695
+ "proc/scsi",
1696
+ "proc/self",
1697
+ "proc/self/cmdline",
1698
+ "proc/self/environ",
1699
+ "proc/self/fd/0",
1700
+ "proc/self/fd/1",
1701
+ "proc/self/fd/10",
1702
+ "proc/self/fd/11",
1703
+ "proc/self/fd/12",
1704
+ "proc/self/fd/13",
1705
+ "proc/self/fd/14",
1706
+ "proc/self/fd/15",
1707
+ "proc/self/fd/2",
1708
+ "proc/self/fd/3",
1709
+ "proc/self/fd/4",
1710
+ "proc/self/fd/5",
1711
+ "proc/self/fd/6",
1712
+ "proc/self/fd/7",
1713
+ "proc/self/fd/8",
1714
+ "proc/self/fd/9",
1715
+ "proc/self/mounts",
1716
+ "proc/self/stat",
1717
+ "proc/self/status",
1718
+ "proc/slabinfo",
1719
+ "proc/softirqs",
1720
+ "proc/stat",
1721
+ "proc/swaps",
1722
+ "proc/sys",
1723
+ "proc/sysrq-trigger",
1724
+ "proc/sysvipc",
1725
+ "proc/thread-self",
1726
+ "proc/timer_list",
1727
+ "proc/timer_stats",
1728
+ "proc/tty",
1729
+ "proc/uptime",
1730
+ "proc/version",
1731
+ "proc/version_signature",
1732
+ "proc/vmallocinfo",
1733
+ "proc/vmstat",
1734
+ "proc/zoneinfo",
1735
+ "sys/block",
1736
+ "sys/bus",
1737
+ "sys/class",
1738
+ "sys/dev",
1739
+ "sys/devices",
1740
+ "sys/firmware",
1741
+ "sys/fs",
1742
+ "sys/hypervisor",
1743
+ "sys/kernel",
1744
+ "sys/module",
1745
+ "sys/power"
1401
1746
  ]
1402
1747
  },
1403
1748
  "operator": "phrase_match"
@@ -1414,7 +1759,8 @@
1414
1759
  "tags": {
1415
1760
  "type": "rfi",
1416
1761
  "crs_id": "931110",
1417
- "category": "attack_attempt"
1762
+ "category": "attack_attempt",
1763
+ "confidence": "1"
1418
1764
  },
1419
1765
  "conditions": [
1420
1766
  {
@@ -1456,7 +1802,7 @@
1456
1802
  "address": "server.request.path_params"
1457
1803
  }
1458
1804
  ],
1459
- "regex": "^(?i:file|ftps?|https?).*?\\?+$",
1805
+ "regex": "^(?i:file|ftps?)://.*?\\?+$",
1460
1806
  "options": {
1461
1807
  "case_sensitive": true,
1462
1808
  "min_length": 4
@@ -1473,7 +1819,8 @@
1473
1819
  "tags": {
1474
1820
  "type": "command_injection",
1475
1821
  "crs_id": "932160",
1476
- "category": "attack_attempt"
1822
+ "category": "attack_attempt",
1823
+ "confidence": "1"
1477
1824
  },
1478
1825
  "conditions": [
1479
1826
  {
@@ -1511,103 +1858,453 @@
1511
1858
  "$ostype",
1512
1859
  "$path",
1513
1860
  "$pwd",
1861
+ "dev/fd/",
1862
+ "dev/null",
1863
+ "dev/stderr",
1864
+ "dev/stdin",
1865
+ "dev/stdout",
1866
+ "dev/tcp/",
1867
+ "dev/udp/",
1868
+ "dev/zero",
1869
+ "etc/master.passwd",
1870
+ "etc/pwd.db",
1871
+ "etc/shells",
1872
+ "etc/spwd.db",
1873
+ "proc/self/",
1874
+ "bin/7z",
1875
+ "bin/7za",
1876
+ "bin/7zr",
1877
+ "bin/ab",
1878
+ "bin/agetty",
1879
+ "bin/ansible-playbook",
1880
+ "bin/apt",
1881
+ "bin/apt-get",
1882
+ "bin/ar",
1883
+ "bin/aria2c",
1884
+ "bin/arj",
1885
+ "bin/arp",
1886
+ "bin/as",
1887
+ "bin/ascii-xfr",
1888
+ "bin/ascii85",
1889
+ "bin/ash",
1890
+ "bin/aspell",
1891
+ "bin/at",
1892
+ "bin/atobm",
1893
+ "bin/awk",
1894
+ "bin/base32",
1895
+ "bin/base64",
1896
+ "bin/basenc",
1514
1897
  "bin/bash",
1898
+ "bin/bpftrace",
1899
+ "bin/bridge",
1900
+ "bin/bundler",
1901
+ "bin/bunzip2",
1902
+ "bin/busctl",
1903
+ "bin/busybox",
1904
+ "bin/byebug",
1905
+ "bin/bzcat",
1906
+ "bin/bzcmp",
1907
+ "bin/bzdiff",
1908
+ "bin/bzegrep",
1909
+ "bin/bzexe",
1910
+ "bin/bzfgrep",
1911
+ "bin/bzgrep",
1912
+ "bin/bzip2",
1913
+ "bin/bzip2recover",
1914
+ "bin/bzless",
1915
+ "bin/bzmore",
1916
+ "bin/bzz",
1917
+ "bin/c89",
1918
+ "bin/c99",
1919
+ "bin/cancel",
1920
+ "bin/capsh",
1515
1921
  "bin/cat",
1922
+ "bin/cc",
1923
+ "bin/certbot",
1924
+ "bin/check_by_ssh",
1925
+ "bin/check_cups",
1926
+ "bin/check_log",
1927
+ "bin/check_memory",
1928
+ "bin/check_raid",
1929
+ "bin/check_ssl_cert",
1930
+ "bin/check_statusfile",
1931
+ "bin/chmod",
1932
+ "bin/choom",
1933
+ "bin/chown",
1934
+ "bin/chroot",
1935
+ "bin/clang",
1936
+ "bin/clang++",
1937
+ "bin/cmp",
1938
+ "bin/cobc",
1939
+ "bin/column",
1940
+ "bin/comm",
1941
+ "bin/composer",
1942
+ "bin/core_perl/zipdetails",
1943
+ "bin/cowsay",
1944
+ "bin/cowthink",
1945
+ "bin/cp",
1946
+ "bin/cpan",
1947
+ "bin/cpio",
1948
+ "bin/cpulimit",
1949
+ "bin/crash",
1950
+ "bin/crontab",
1516
1951
  "bin/csh",
1952
+ "bin/csplit",
1953
+ "bin/csvtool",
1954
+ "bin/cupsfilter",
1955
+ "bin/curl",
1956
+ "bin/cut",
1517
1957
  "bin/dash",
1958
+ "bin/date",
1959
+ "bin/dd",
1960
+ "bin/dev/fd/",
1961
+ "bin/dev/null",
1962
+ "bin/dev/stderr",
1963
+ "bin/dev/stdin",
1964
+ "bin/dev/stdout",
1965
+ "bin/dev/tcp/",
1966
+ "bin/dev/udp/",
1967
+ "bin/dev/zero",
1968
+ "bin/dialog",
1969
+ "bin/diff",
1970
+ "bin/dig",
1971
+ "bin/dmesg",
1972
+ "bin/dmidecode",
1973
+ "bin/dmsetup",
1974
+ "bin/dnf",
1975
+ "bin/docker",
1976
+ "bin/dosbox",
1977
+ "bin/dpkg",
1518
1978
  "bin/du",
1979
+ "bin/dvips",
1980
+ "bin/easy_install",
1981
+ "bin/eb",
1519
1982
  "bin/echo",
1983
+ "bin/ed",
1984
+ "bin/efax",
1985
+ "bin/emacs",
1986
+ "bin/env",
1987
+ "bin/eqn",
1988
+ "bin/es",
1989
+ "bin/esh",
1990
+ "bin/etc/group",
1991
+ "bin/etc/master.passwd",
1992
+ "bin/etc/passwd",
1993
+ "bin/etc/pwd.db",
1994
+ "bin/etc/shadow",
1995
+ "bin/etc/shells",
1996
+ "bin/etc/spwd.db",
1997
+ "bin/ex",
1998
+ "bin/exiftool",
1999
+ "bin/expand",
2000
+ "bin/expect",
2001
+ "bin/expr",
2002
+ "bin/facter",
2003
+ "bin/fetch",
2004
+ "bin/file",
2005
+ "bin/find",
2006
+ "bin/finger",
2007
+ "bin/fish",
2008
+ "bin/flock",
2009
+ "bin/fmt",
2010
+ "bin/fold",
2011
+ "bin/fping",
2012
+ "bin/ftp",
2013
+ "bin/gawk",
2014
+ "bin/gcc",
2015
+ "bin/gcore",
2016
+ "bin/gdb",
2017
+ "bin/gem",
2018
+ "bin/genie",
2019
+ "bin/genisoimage",
2020
+ "bin/ghc",
2021
+ "bin/ghci",
2022
+ "bin/gimp",
2023
+ "bin/ginsh",
2024
+ "bin/git",
2025
+ "bin/grc",
1520
2026
  "bin/grep",
2027
+ "bin/gtester",
2028
+ "bin/gunzip",
2029
+ "bin/gzexe",
2030
+ "bin/gzip",
2031
+ "bin/hd",
2032
+ "bin/head",
2033
+ "bin/hexdump",
2034
+ "bin/highlight",
2035
+ "bin/hping3",
2036
+ "bin/iconv",
2037
+ "bin/id",
2038
+ "bin/iftop",
2039
+ "bin/install",
2040
+ "bin/ionice",
2041
+ "bin/ip",
2042
+ "bin/irb",
2043
+ "bin/ispell",
2044
+ "bin/jjs",
2045
+ "bin/join",
2046
+ "bin/journalctl",
2047
+ "bin/jq",
2048
+ "bin/jrunscript",
2049
+ "bin/knife",
2050
+ "bin/ksh",
2051
+ "bin/ksshell",
2052
+ "bin/latex",
2053
+ "bin/ld",
2054
+ "bin/ldconfig",
1521
2055
  "bin/less",
2056
+ "bin/lftp",
2057
+ "bin/ln",
2058
+ "bin/loginctl",
2059
+ "bin/logsave",
2060
+ "bin/look",
2061
+ "bin/lp",
1522
2062
  "bin/ls",
2063
+ "bin/ltrace",
2064
+ "bin/lua",
2065
+ "bin/lualatex",
2066
+ "bin/luatex",
2067
+ "bin/lwp-download",
2068
+ "bin/lwp-request",
2069
+ "bin/lz",
2070
+ "bin/lz4",
2071
+ "bin/lz4c",
2072
+ "bin/lz4cat",
2073
+ "bin/lzcat",
2074
+ "bin/lzcmp",
2075
+ "bin/lzdiff",
2076
+ "bin/lzegrep",
2077
+ "bin/lzfgrep",
2078
+ "bin/lzgrep",
2079
+ "bin/lzless",
2080
+ "bin/lzma",
2081
+ "bin/lzmadec",
2082
+ "bin/lzmainfo",
2083
+ "bin/lzmore",
2084
+ "bin/mail",
2085
+ "bin/make",
2086
+ "bin/man",
2087
+ "bin/mawk",
2088
+ "bin/mkfifo",
1523
2089
  "bin/mknod",
1524
2090
  "bin/more",
2091
+ "bin/mosquitto",
2092
+ "bin/mount",
2093
+ "bin/msgattrib",
2094
+ "bin/msgcat",
2095
+ "bin/msgconv",
2096
+ "bin/msgfilter",
2097
+ "bin/msgmerge",
2098
+ "bin/msguniq",
2099
+ "bin/mtr",
2100
+ "bin/mv",
2101
+ "bin/mysql",
2102
+ "bin/nano",
2103
+ "bin/nasm",
2104
+ "bin/nawk",
1525
2105
  "bin/nc",
2106
+ "bin/ncat",
2107
+ "bin/neofetch",
2108
+ "bin/nice",
2109
+ "bin/nl",
2110
+ "bin/nm",
2111
+ "bin/nmap",
2112
+ "bin/node",
2113
+ "bin/nohup",
2114
+ "bin/npm",
2115
+ "bin/nroff",
2116
+ "bin/nsenter",
2117
+ "bin/octave",
2118
+ "bin/od",
2119
+ "bin/openssl",
2120
+ "bin/openvpn",
2121
+ "bin/openvt",
2122
+ "bin/opkg",
2123
+ "bin/paste",
2124
+ "bin/pax",
2125
+ "bin/pdb",
2126
+ "bin/pdflatex",
2127
+ "bin/pdftex",
2128
+ "bin/pdksh",
2129
+ "bin/perf",
2130
+ "bin/perl",
2131
+ "bin/pg",
2132
+ "bin/php",
2133
+ "bin/php-cgi",
2134
+ "bin/php5",
2135
+ "bin/php7",
2136
+ "bin/pic",
2137
+ "bin/pico",
2138
+ "bin/pidstat",
2139
+ "bin/pigz",
2140
+ "bin/pip",
2141
+ "bin/pkexec",
2142
+ "bin/pkg",
2143
+ "bin/pr",
2144
+ "bin/printf",
2145
+ "bin/proc/self/",
2146
+ "bin/pry",
1526
2147
  "bin/ps",
2148
+ "bin/psed",
2149
+ "bin/psftp",
2150
+ "bin/psql",
2151
+ "bin/ptx",
2152
+ "bin/puppet",
2153
+ "bin/pxz",
2154
+ "bin/python",
2155
+ "bin/python2",
2156
+ "bin/python3",
2157
+ "bin/rake",
1527
2158
  "bin/rbash",
2159
+ "bin/rc",
2160
+ "bin/readelf",
2161
+ "bin/red",
2162
+ "bin/redcarpet",
2163
+ "bin/restic",
2164
+ "bin/rev",
2165
+ "bin/rlogin",
2166
+ "bin/rlwrap",
2167
+ "bin/rpm",
2168
+ "bin/rpmquery",
2169
+ "bin/rsync",
2170
+ "bin/ruby",
2171
+ "bin/run-mailcap",
2172
+ "bin/run-parts",
2173
+ "bin/rview",
2174
+ "bin/rvim",
2175
+ "bin/sash",
2176
+ "bin/sbin/capsh",
2177
+ "bin/sbin/logsave",
2178
+ "bin/sbin/service",
2179
+ "bin/sbin/start-stop-daemon",
2180
+ "bin/scp",
2181
+ "bin/screen",
2182
+ "bin/script",
2183
+ "bin/sed",
2184
+ "bin/service",
2185
+ "bin/setarch",
2186
+ "bin/sftp",
2187
+ "bin/sg",
1528
2188
  "bin/sh",
2189
+ "bin/shuf",
1529
2190
  "bin/sleep",
2191
+ "bin/slsh",
2192
+ "bin/smbclient",
2193
+ "bin/snap",
2194
+ "bin/socat",
2195
+ "bin/soelim",
2196
+ "bin/sort",
2197
+ "bin/split",
2198
+ "bin/sqlite3",
2199
+ "bin/ss",
2200
+ "bin/ssh",
2201
+ "bin/ssh-keygen",
2202
+ "bin/ssh-keyscan",
2203
+ "bin/sshpass",
2204
+ "bin/start-stop-daemon",
2205
+ "bin/stdbuf",
2206
+ "bin/strace",
2207
+ "bin/strings",
1530
2208
  "bin/su",
2209
+ "bin/sysctl",
2210
+ "bin/systemctl",
2211
+ "bin/systemd-resolve",
2212
+ "bin/tac",
2213
+ "bin/tail",
2214
+ "bin/tar",
2215
+ "bin/task",
2216
+ "bin/taskset",
2217
+ "bin/tbl",
2218
+ "bin/tclsh",
2219
+ "bin/tcpdump",
1531
2220
  "bin/tcsh",
2221
+ "bin/tee",
2222
+ "bin/telnet",
2223
+ "bin/tex",
2224
+ "bin/tftp",
2225
+ "bin/tic",
2226
+ "bin/time",
2227
+ "bin/timedatectl",
2228
+ "bin/timeout",
2229
+ "bin/tmux",
2230
+ "bin/top",
2231
+ "bin/troff",
2232
+ "bin/tshark",
2233
+ "bin/ul",
1532
2234
  "bin/uname",
1533
- "dev/fd/",
1534
- "dev/null",
1535
- "dev/stderr",
1536
- "dev/stdin",
1537
- "dev/stdout",
1538
- "dev/tcp/",
1539
- "dev/udp/",
1540
- "dev/zero",
1541
- "etc/group",
1542
- "etc/master.passwd",
1543
- "etc/passwd",
1544
- "etc/pwd.db",
1545
- "etc/shadow",
1546
- "etc/shells",
1547
- "etc/spwd.db",
1548
- "proc/self/",
1549
- "usr/bin/awk",
1550
- "usr/bin/base64",
1551
- "usr/bin/cat",
1552
- "usr/bin/cc",
1553
- "usr/bin/clang",
1554
- "usr/bin/clang++",
1555
- "usr/bin/curl",
1556
- "usr/bin/diff",
1557
- "usr/bin/env",
1558
- "usr/bin/fetch",
1559
- "usr/bin/file",
1560
- "usr/bin/find",
1561
- "usr/bin/ftp",
1562
- "usr/bin/gawk",
1563
- "usr/bin/gcc",
1564
- "usr/bin/head",
1565
- "usr/bin/hexdump",
1566
- "usr/bin/id",
1567
- "usr/bin/less",
1568
- "usr/bin/ln",
1569
- "usr/bin/mkfifo",
1570
- "usr/bin/more",
1571
- "usr/bin/nc",
1572
- "usr/bin/ncat",
1573
- "usr/bin/nice",
1574
- "usr/bin/nmap",
1575
- "usr/bin/perl",
1576
- "usr/bin/php",
1577
- "usr/bin/php5",
1578
- "usr/bin/php7",
1579
- "usr/bin/php-cgi",
1580
- "usr/bin/printf",
1581
- "usr/bin/psed",
1582
- "usr/bin/python",
1583
- "usr/bin/python2",
1584
- "usr/bin/python3",
1585
- "usr/bin/ruby",
1586
- "usr/bin/sed",
1587
- "usr/bin/socat",
1588
- "usr/bin/tail",
1589
- "usr/bin/tee",
1590
- "usr/bin/telnet",
1591
- "usr/bin/top",
1592
- "usr/bin/uname",
1593
- "usr/bin/wget",
1594
- "usr/bin/who",
1595
- "usr/bin/whoami",
1596
- "usr/bin/xargs",
1597
- "usr/bin/xxd",
1598
- "usr/bin/yes",
1599
- "usr/local/bin/bash",
1600
- "usr/local/bin/curl",
1601
- "usr/local/bin/ncat",
1602
- "usr/local/bin/nmap",
1603
- "usr/local/bin/perl",
1604
- "usr/local/bin/php",
1605
- "usr/local/bin/python",
1606
- "usr/local/bin/python2",
1607
- "usr/local/bin/python3",
1608
- "usr/local/bin/rbash",
1609
- "usr/local/bin/ruby",
1610
- "usr/local/bin/wget"
2235
+ "bin/uncompress",
2236
+ "bin/unexpand",
2237
+ "bin/uniq",
2238
+ "bin/unlz4",
2239
+ "bin/unlzma",
2240
+ "bin/unpigz",
2241
+ "bin/unrar",
2242
+ "bin/unshare",
2243
+ "bin/unxz",
2244
+ "bin/unzip",
2245
+ "bin/unzstd",
2246
+ "bin/update-alternatives",
2247
+ "bin/uudecode",
2248
+ "bin/uuencode",
2249
+ "bin/valgrind",
2250
+ "bin/vi",
2251
+ "bin/view",
2252
+ "bin/vigr",
2253
+ "bin/vim",
2254
+ "bin/vimdiff",
2255
+ "bin/vipw",
2256
+ "bin/virsh",
2257
+ "bin/volatility",
2258
+ "bin/wall",
2259
+ "bin/watch",
2260
+ "bin/wc",
2261
+ "bin/wget",
2262
+ "bin/whiptail",
2263
+ "bin/who",
2264
+ "bin/whoami",
2265
+ "bin/whois",
2266
+ "bin/wireshark",
2267
+ "bin/wish",
2268
+ "bin/xargs",
2269
+ "bin/xelatex",
2270
+ "bin/xetex",
2271
+ "bin/xmodmap",
2272
+ "bin/xmore",
2273
+ "bin/xpad",
2274
+ "bin/xxd",
2275
+ "bin/xz",
2276
+ "bin/xzcat",
2277
+ "bin/xzcmp",
2278
+ "bin/xzdec",
2279
+ "bin/xzdiff",
2280
+ "bin/xzegrep",
2281
+ "bin/xzfgrep",
2282
+ "bin/xzgrep",
2283
+ "bin/xzless",
2284
+ "bin/xzmore",
2285
+ "bin/yarn",
2286
+ "bin/yelp",
2287
+ "bin/yes",
2288
+ "bin/yum",
2289
+ "bin/zathura",
2290
+ "bin/zip",
2291
+ "bin/zipcloak",
2292
+ "bin/zipcmp",
2293
+ "bin/zipdetails",
2294
+ "bin/zipgrep",
2295
+ "bin/zipinfo",
2296
+ "bin/zipmerge",
2297
+ "bin/zipnote",
2298
+ "bin/zipsplit",
2299
+ "bin/ziptool",
2300
+ "bin/zsh",
2301
+ "bin/zsoelim",
2302
+ "bin/zstd",
2303
+ "bin/zstdcat",
2304
+ "bin/zstdgrep",
2305
+ "bin/zstdless",
2306
+ "bin/zstdmt",
2307
+ "bin/zypper"
1611
2308
  ]
1612
2309
  },
1613
2310
  "operator": "phrase_match"
@@ -1623,7 +2320,8 @@
1623
2320
  "tags": {
1624
2321
  "type": "command_injection",
1625
2322
  "crs_id": "932171",
1626
- "category": "attack_attempt"
2323
+ "category": "attack_attempt",
2324
+ "confidence": "1"
1627
2325
  },
1628
2326
  "conditions": [
1629
2327
  {
@@ -1662,7 +2360,8 @@
1662
2360
  "tags": {
1663
2361
  "type": "command_injection",
1664
2362
  "crs_id": "932180",
1665
- "category": "attack_attempt"
2363
+ "category": "attack_attempt",
2364
+ "confidence": "1"
1666
2365
  },
1667
2366
  "conditions": [
1668
2367
  {
@@ -1720,7 +2419,8 @@
1720
2419
  "tags": {
1721
2420
  "type": "unrestricted_file_upload",
1722
2421
  "crs_id": "933111",
1723
- "category": "attack_attempt"
2422
+ "category": "attack_attempt",
2423
+ "confidence": "1"
1724
2424
  },
1725
2425
  "conditions": [
1726
2426
  {
@@ -1770,7 +2470,8 @@
1770
2470
  "tags": {
1771
2471
  "type": "php_code_injection",
1772
2472
  "crs_id": "933130",
1773
- "category": "attack_attempt"
2473
+ "category": "attack_attempt",
2474
+ "confidence": "1"
1774
2475
  },
1775
2476
  "conditions": [
1776
2477
  {
@@ -1791,14 +2492,6 @@
1791
2492
  ],
1792
2493
  "list": [
1793
2494
  "$globals",
1794
- "$http_cookie_vars",
1795
- "$http_env_vars",
1796
- "$http_get_vars",
1797
- "$http_post_files",
1798
- "$http_post_vars",
1799
- "$http_raw_post_data",
1800
- "$http_request_vars",
1801
- "$http_server_vars",
1802
2495
  "$_cookie",
1803
2496
  "$_env",
1804
2497
  "$_files",
@@ -1808,7 +2501,17 @@
1808
2501
  "$_server",
1809
2502
  "$_session",
1810
2503
  "$argc",
1811
- "$argv"
2504
+ "$argv",
2505
+ "$http_\\u200bresponse_\\u200bheader",
2506
+ "$php_\\u200berrormsg",
2507
+ "$http_cookie_vars",
2508
+ "$http_env_vars",
2509
+ "$http_get_vars",
2510
+ "$http_post_files",
2511
+ "$http_post_vars",
2512
+ "$http_raw_post_data",
2513
+ "$http_request_vars",
2514
+ "$http_server_vars"
1812
2515
  ]
1813
2516
  },
1814
2517
  "operator": "phrase_match"
@@ -1860,7 +2563,8 @@
1860
2563
  "tags": {
1861
2564
  "type": "php_code_injection",
1862
2565
  "crs_id": "933140",
1863
- "category": "attack_attempt"
2566
+ "category": "attack_attempt",
2567
+ "confidence": "1"
1864
2568
  },
1865
2569
  "conditions": [
1866
2570
  {
@@ -1895,7 +2599,8 @@
1895
2599
  "tags": {
1896
2600
  "type": "php_code_injection",
1897
2601
  "crs_id": "933150",
1898
- "category": "attack_attempt"
2602
+ "category": "attack_attempt",
2603
+ "confidence": "1"
1899
2604
  },
1900
2605
  "conditions": [
1901
2606
  {
@@ -1993,8 +2698,9 @@
1993
2698
  "address": "grpc.server.request.message"
1994
2699
  }
1995
2700
  ],
1996
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|
read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
2701
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|i
magetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
1997
2702
  "options": {
2703
+ "case_sensitive": true,
1998
2704
  "min_length": 5
1999
2705
  }
2000
2706
  },
@@ -2009,7 +2715,8 @@
2009
2715
  "tags": {
2010
2716
  "type": "php_code_injection",
2011
2717
  "crs_id": "933170",
2012
- "category": "attack_attempt"
2718
+ "category": "attack_attempt",
2719
+ "confidence": "1"
2013
2720
  },
2014
2721
  "conditions": [
2015
2722
  {
@@ -2067,7 +2774,7 @@
2067
2774
  "address": "grpc.server.request.message"
2068
2775
  }
2069
2776
  ],
2070
- "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://",
2777
+ "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",
2071
2778
  "options": {
2072
2779
  "case_sensitive": true,
2073
2780
  "min_length": 6
@@ -2082,7 +2789,7 @@
2082
2789
  },
2083
2790
  {
2084
2791
  "id": "crs-934-100",
2085
- "name": "Node.js Injection Attack",
2792
+ "name": "Node.js Injection Attack 1/2",
2086
2793
  "tags": {
2087
2794
  "type": "js_code_injection",
2088
2795
  "crs_id": "934100",
@@ -2105,10 +2812,10 @@
2105
2812
  "address": "grpc.server.request.message"
2106
2813
  }
2107
2814
  ],
2108
- "regex": "(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)",
2815
+ "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
2109
2816
  "options": {
2110
2817
  "case_sensitive": true,
2111
- "min_length": 5
2818
+ "min_length": 3
2112
2819
  }
2113
2820
  },
2114
2821
  "operator": "match_regex"
@@ -2117,29 +2824,18 @@
2117
2824
  "transformers": []
2118
2825
  },
2119
2826
  {
2120
- "id": "crs-941-100",
2121
- "name": "XSS Attack Detected via libinjection",
2827
+ "id": "crs-934-101",
2828
+ "name": "Node.js Injection Attack 2/2",
2122
2829
  "tags": {
2123
- "type": "xss",
2124
- "crs_id": "941100",
2125
- "category": "attack_attempt"
2830
+ "type": "js_code_injection",
2831
+ "crs_id": "934101",
2832
+ "category": "attack_attempt",
2833
+ "confidence": "1"
2126
2834
  },
2127
2835
  "conditions": [
2128
2836
  {
2129
2837
  "parameters": {
2130
2838
  "inputs": [
2131
- {
2132
- "address": "server.request.headers.no_cookies",
2133
- "key_path": [
2134
- "user-agent"
2135
- ]
2136
- },
2137
- {
2138
- "address": "server.request.headers.no_cookies",
2139
- "key_path": [
2140
- "referer"
2141
- ]
2142
- },
2143
2839
  {
2144
2840
  "address": "server.request.query"
2145
2841
  },
@@ -2152,14 +2848,17 @@
2152
2848
  {
2153
2849
  "address": "grpc.server.request.message"
2154
2850
  }
2155
- ]
2851
+ ],
2852
+ "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(",
2853
+ "options": {
2854
+ "case_sensitive": true,
2855
+ "min_length": 5
2856
+ }
2156
2857
  },
2157
- "operator": "is_xss"
2858
+ "operator": "match_regex"
2158
2859
  }
2159
2860
  ],
2160
- "transformers": [
2161
- "removeNulls"
2162
- ]
2861
+ "transformers": []
2163
2862
  },
2164
2863
  {
2165
2864
  "id": "crs-941-110",
@@ -2167,7 +2866,8 @@
2167
2866
  "tags": {
2168
2867
  "type": "xss",
2169
2868
  "crs_id": "941110",
2170
- "category": "attack_attempt"
2869
+ "category": "attack_attempt",
2870
+ "confidence": "1"
2171
2871
  },
2172
2872
  "conditions": [
2173
2873
  {
@@ -2216,7 +2916,8 @@
2216
2916
  "tags": {
2217
2917
  "type": "xss",
2218
2918
  "crs_id": "941120",
2219
- "category": "attack_attempt"
2919
+ "category": "attack_attempt",
2920
+ "confidence": "1"
2220
2921
  },
2221
2922
  "conditions": [
2222
2923
  {
@@ -2247,7 +2948,7 @@
2247
2948
  "address": "grpc.server.request.message"
2248
2949
  }
2249
2950
  ],
2250
- "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2951
+ "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2251
2952
  "options": {
2252
2953
  "min_length": 8
2253
2954
  }
@@ -2265,7 +2966,8 @@
2265
2966
  "tags": {
2266
2967
  "type": "xss",
2267
2968
  "crs_id": "941140",
2268
- "category": "attack_attempt"
2969
+ "category": "attack_attempt",
2970
+ "confidence": "1"
2269
2971
  },
2270
2972
  "conditions": [
2271
2973
  {
@@ -2308,6 +3010,53 @@
2308
3010
  "removeNulls"
2309
3011
  ]
2310
3012
  },
3013
+ {
3014
+ "id": "crs-941-170",
3015
+ "name": "NoScript XSS InjectionChecker: Attribute Injection",
3016
+ "tags": {
3017
+ "type": "xss",
3018
+ "crs_id": "941170",
3019
+ "category": "attack_attempt",
3020
+ "confidence": "1"
3021
+ },
3022
+ "conditions": [
3023
+ {
3024
+ "parameters": {
3025
+ "inputs": [
3026
+ {
3027
+ "address": "server.request.headers.no_cookies",
3028
+ "key_path": [
3029
+ "user-agent"
3030
+ ]
3031
+ },
3032
+ {
3033
+ "address": "server.request.headers.no_cookies",
3034
+ "key_path": [
3035
+ "referer"
3036
+ ]
3037
+ },
3038
+ {
3039
+ "address": "server.request.query"
3040
+ },
3041
+ {
3042
+ "address": "server.request.body"
3043
+ },
3044
+ {
3045
+ "address": "server.request.path_params"
3046
+ }
3047
+ ],
3048
+ "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
3049
+ "options": {
3050
+ "min_length": 6
3051
+ }
3052
+ },
3053
+ "operator": "match_regex"
3054
+ }
3055
+ ],
3056
+ "transformers": [
3057
+ "removeNulls"
3058
+ ]
3059
+ },
2311
3060
  {
2312
3061
  "id": "crs-941-180",
2313
3062
  "name": "Node-Validator Deny List Keywords",
@@ -2357,7 +3106,8 @@
2357
3106
  "tags": {
2358
3107
  "type": "xss",
2359
3108
  "crs_id": "941200",
2360
- "category": "attack_attempt"
3109
+ "category": "attack_attempt",
3110
+ "confidence": "1"
2361
3111
  },
2362
3112
  "conditions": [
2363
3113
  {
@@ -2395,7 +3145,8 @@
2395
3145
  "tags": {
2396
3146
  "type": "xss",
2397
3147
  "crs_id": "941210",
2398
- "category": "attack_attempt"
3148
+ "category": "attack_attempt",
3149
+ "confidence": "1"
2399
3150
  },
2400
3151
  "conditions": [
2401
3152
  {
@@ -2414,7 +3165,7 @@
2414
3165
  "address": "grpc.server.request.message"
2415
3166
  }
2416
3167
  ],
2417
- "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
3168
+ "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
2418
3169
  "options": {
2419
3170
  "case_sensitive": true,
2420
3171
  "min_length": 12
@@ -2433,7 +3184,8 @@
2433
3184
  "tags": {
2434
3185
  "type": "xss",
2435
3186
  "crs_id": "941220",
2436
- "category": "attack_attempt"
3187
+ "category": "attack_attempt",
3188
+ "confidence": "1"
2437
3189
  },
2438
3190
  "conditions": [
2439
3191
  {
@@ -2471,7 +3223,8 @@
2471
3223
  "tags": {
2472
3224
  "type": "xss",
2473
3225
  "crs_id": "941230",
2474
- "category": "attack_attempt"
3226
+ "category": "attack_attempt",
3227
+ "confidence": "1"
2475
3228
  },
2476
3229
  "conditions": [
2477
3230
  {
@@ -2508,7 +3261,8 @@
2508
3261
  "tags": {
2509
3262
  "type": "xss",
2510
3263
  "crs_id": "941240",
2511
- "category": "attack_attempt"
3264
+ "category": "attack_attempt",
3265
+ "confidence": "1"
2512
3266
  },
2513
3267
  "conditions": [
2514
3268
  {
@@ -2584,7 +3338,8 @@
2584
3338
  "tags": {
2585
3339
  "type": "xss",
2586
3340
  "crs_id": "941280",
2587
- "category": "attack_attempt"
3341
+ "category": "attack_attempt",
3342
+ "confidence": "1"
2588
3343
  },
2589
3344
  "conditions": [
2590
3345
  {
@@ -2621,7 +3376,8 @@
2621
3376
  "tags": {
2622
3377
  "type": "xss",
2623
3378
  "crs_id": "941290",
2624
- "category": "attack_attempt"
3379
+ "category": "attack_attempt",
3380
+ "confidence": "1"
2625
3381
  },
2626
3382
  "conditions": [
2627
3383
  {
@@ -2658,7 +3414,8 @@
2658
3414
  "tags": {
2659
3415
  "type": "xss",
2660
3416
  "crs_id": "941300",
2661
- "category": "attack_attempt"
3417
+ "category": "attack_attempt",
3418
+ "confidence": "1"
2662
3419
  },
2663
3420
  "conditions": [
2664
3421
  {
@@ -2695,7 +3452,8 @@
2695
3452
  "tags": {
2696
3453
  "type": "xss",
2697
3454
  "crs_id": "941350",
2698
- "category": "attack_attempt"
3455
+ "category": "attack_attempt",
3456
+ "confidence": "1"
2699
3457
  },
2700
3458
  "conditions": [
2701
3459
  {
@@ -2762,12 +3520,13 @@
2762
3520
  "transformers": []
2763
3521
  },
2764
3522
  {
2765
- "id": "crs-942-100",
2766
- "name": "SQL Injection Attack Detected via libinjection",
3523
+ "id": "crs-941-390",
3524
+ "name": "Javascript method detected",
2767
3525
  "tags": {
2768
- "type": "sql_injection",
2769
- "crs_id": "942100",
2770
- "category": "attack_attempt"
3526
+ "type": "xss",
3527
+ "crs_id": "941390",
3528
+ "category": "attack_attempt",
3529
+ "confidence": "1"
2771
3530
  },
2772
3531
  "conditions": [
2773
3532
  {
@@ -2785,21 +3544,24 @@
2785
3544
  {
2786
3545
  "address": "grpc.server.request.message"
2787
3546
  }
2788
- ]
3547
+ ],
3548
+ "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
3549
+ "options": {
3550
+ "case_sensitive": true,
3551
+ "min_length": 5
3552
+ }
2789
3553
  },
2790
- "operator": "is_sqli"
3554
+ "operator": "match_regex"
2791
3555
  }
2792
3556
  ],
2793
- "transformers": [
2794
- "removeNulls"
2795
- ]
3557
+ "transformers": []
2796
3558
  },
2797
3559
  {
2798
- "id": "crs-942-160",
2799
- "name": "Detects blind sqli tests using sleep() or benchmark()",
3560
+ "id": "crs-942-100",
3561
+ "name": "SQL Injection Attack Detected via libinjection",
2800
3562
  "tags": {
2801
3563
  "type": "sql_injection",
2802
- "crs_id": "942160",
3564
+ "crs_id": "942100",
2803
3565
  "category": "attack_attempt"
2804
3566
  },
2805
3567
  "conditions": [
@@ -2818,25 +3580,23 @@
2818
3580
  {
2819
3581
  "address": "grpc.server.request.message"
2820
3582
  }
2821
- ],
2822
- "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2823
- "options": {
2824
- "case_sensitive": true,
2825
- "min_length": 7
2826
- }
3583
+ ]
2827
3584
  },
2828
- "operator": "match_regex"
3585
+ "operator": "is_sqli"
2829
3586
  }
2830
3587
  ],
2831
- "transformers": []
3588
+ "transformers": [
3589
+ "removeNulls"
3590
+ ]
2832
3591
  },
2833
3592
  {
2834
- "id": "crs-942-190",
2835
- "name": "Detects MSSQL code execution and information gathering attempts",
3593
+ "id": "crs-942-160",
3594
+ "name": "Detects blind sqli tests using sleep() or benchmark()",
2836
3595
  "tags": {
2837
3596
  "type": "sql_injection",
2838
- "crs_id": "942190",
2839
- "category": "attack_attempt"
3597
+ "crs_id": "942160",
3598
+ "category": "attack_attempt",
3599
+ "confidence": "1"
2840
3600
  },
2841
3601
  "conditions": [
2842
3602
  {
@@ -2855,9 +3615,10 @@
2855
3615
  "address": "grpc.server.request.message"
2856
3616
  }
2857
3617
  ],
2858
- "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
3618
+ "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2859
3619
  "options": {
2860
- "min_length": 3
3620
+ "case_sensitive": true,
3621
+ "min_length": 7
2861
3622
  }
2862
3623
  },
2863
3624
  "operator": "match_regex"
@@ -2871,7 +3632,8 @@
2871
3632
  "tags": {
2872
3633
  "type": "sql_injection",
2873
3634
  "crs_id": "942240",
2874
- "category": "attack_attempt"
3635
+ "category": "attack_attempt",
3636
+ "confidence": "1"
2875
3637
  },
2876
3638
  "conditions": [
2877
3639
  {
@@ -2977,7 +3739,8 @@
2977
3739
  "tags": {
2978
3740
  "type": "sql_injection",
2979
3741
  "crs_id": "942280",
2980
- "category": "attack_attempt"
3742
+ "category": "attack_attempt",
3743
+ "confidence": "1"
2981
3744
  },
2982
3745
  "conditions": [
2983
3746
  {
@@ -3031,10 +3794,10 @@
3031
3794
  "address": "grpc.server.request.message"
3032
3795
  }
3033
3796
  ],
3034
- "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
3797
+ "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)",
3035
3798
  "options": {
3036
3799
  "case_sensitive": true,
3037
- "min_length": 5
3800
+ "min_length": 3
3038
3801
  }
3039
3802
  },
3040
3803
  "operator": "match_regex"
@@ -3069,7 +3832,7 @@
3069
3832
  "address": "grpc.server.request.message"
3070
3833
  }
3071
3834
  ],
3072
- "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
3835
+ "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
3073
3836
  "options": {
3074
3837
  "min_length": 5
3075
3838
  }
@@ -3121,7 +3884,8 @@
3121
3884
  "tags": {
3122
3885
  "type": "http_protocol_violation",
3123
3886
  "crs_id": "943100",
3124
- "category": "attack_attempt"
3887
+ "category": "attack_attempt",
3888
+ "confidence": "1"
3125
3889
  },
3126
3890
  "conditions": [
3127
3891
  {
@@ -3154,7 +3918,8 @@
3154
3918
  "tags": {
3155
3919
  "type": "java_code_injection",
3156
3920
  "crs_id": "944100",
3157
- "category": "attack_attempt"
3921
+ "category": "attack_attempt",
3922
+ "confidence": "1"
3158
3923
  },
3159
3924
  "conditions": [
3160
3925
  {
@@ -3238,32 +4003,357 @@
3238
4003
  "address": "server.request.path_params"
3239
4004
  },
3240
4005
  {
3241
- "address": "server.request.headers.no_cookies"
4006
+ "address": "server.request.headers.no_cookies"
4007
+ },
4008
+ {
4009
+ "address": "grpc.server.request.message"
4010
+ }
4011
+ ],
4012
+ "regex": "(?:unmarshaller|base64data|java\\.)",
4013
+ "options": {
4014
+ "case_sensitive": true,
4015
+ "min_length": 5
4016
+ }
4017
+ },
4018
+ "operator": "match_regex"
4019
+ }
4020
+ ],
4021
+ "transformers": [
4022
+ "lowercase"
4023
+ ]
4024
+ },
4025
+ {
4026
+ "id": "crs-944-130",
4027
+ "name": "Suspicious Java class detected",
4028
+ "tags": {
4029
+ "type": "java_code_injection",
4030
+ "crs_id": "944130",
4031
+ "category": "attack_attempt"
4032
+ },
4033
+ "conditions": [
4034
+ {
4035
+ "parameters": {
4036
+ "inputs": [
4037
+ {
4038
+ "address": "server.request.query"
4039
+ },
4040
+ {
4041
+ "address": "server.request.body"
4042
+ },
4043
+ {
4044
+ "address": "server.request.path_params"
4045
+ },
4046
+ {
4047
+ "address": "server.request.headers.no_cookies"
4048
+ },
4049
+ {
4050
+ "address": "grpc.server.request.message"
4051
+ }
4052
+ ],
4053
+ "list": [
4054
+ "com.opensymphony.xwork2",
4055
+ "com.sun.org.apache",
4056
+ "java.io.bufferedinputstream",
4057
+ "java.io.bufferedreader",
4058
+ "java.io.bytearrayinputstream",
4059
+ "java.io.bytearrayoutputstream",
4060
+ "java.io.chararrayreader",
4061
+ "java.io.datainputstream",
4062
+ "java.io.file",
4063
+ "java.io.fileoutputstream",
4064
+ "java.io.filepermission",
4065
+ "java.io.filewriter",
4066
+ "java.io.filterinputstream",
4067
+ "java.io.filteroutputstream",
4068
+ "java.io.filterreader",
4069
+ "java.io.inputstream",
4070
+ "java.io.inputstreamreader",
4071
+ "java.io.linenumberreader",
4072
+ "java.io.objectoutputstream",
4073
+ "java.io.outputstream",
4074
+ "java.io.pipedoutputstream",
4075
+ "java.io.pipedreader",
4076
+ "java.io.printstream",
4077
+ "java.io.pushbackinputstream",
4078
+ "java.io.reader",
4079
+ "java.io.stringreader",
4080
+ "java.lang.class",
4081
+ "java.lang.integer",
4082
+ "java.lang.number",
4083
+ "java.lang.object",
4084
+ "java.lang.process",
4085
+ "java.lang.reflect",
4086
+ "java.lang.string",
4087
+ "java.lang.stringbuilder",
4088
+ "java.lang.system",
4089
+ "javax.script.scriptenginemanager",
4090
+ "org.apache.commons",
4091
+ "org.apache.struts",
4092
+ "org.apache.struts2",
4093
+ "org.omg.corba",
4094
+ "java.beans.xmldecode"
4095
+ ]
4096
+ },
4097
+ "operator": "phrase_match"
4098
+ }
4099
+ ],
4100
+ "transformers": [
4101
+ "lowercase"
4102
+ ]
4103
+ },
4104
+ {
4105
+ "id": "crs-944-260",
4106
+ "name": "Remote Command Execution: Malicious class-loading payload",
4107
+ "tags": {
4108
+ "type": "java_code_injection",
4109
+ "crs_id": "944260",
4110
+ "category": "attack_attempt",
4111
+ "confidence": "1"
4112
+ },
4113
+ "conditions": [
4114
+ {
4115
+ "parameters": {
4116
+ "inputs": [
4117
+ {
4118
+ "address": "server.request.query"
4119
+ },
4120
+ {
4121
+ "address": "server.request.body"
4122
+ },
4123
+ {
4124
+ "address": "server.request.path_params"
4125
+ },
4126
+ {
4127
+ "address": "server.request.headers.no_cookies"
4128
+ },
4129
+ {
4130
+ "address": "grpc.server.request.message"
4131
+ }
4132
+ ],
4133
+ "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)",
4134
+ "options": {
4135
+ "case_sensitive": true,
4136
+ "min_length": 58
4137
+ }
4138
+ },
4139
+ "operator": "match_regex"
4140
+ }
4141
+ ],
4142
+ "transformers": []
4143
+ },
4144
+ {
4145
+ "id": "dog-000-001",
4146
+ "name": "Look for Cassandra injections",
4147
+ "tags": {
4148
+ "type": "nosql_injection",
4149
+ "category": "attack_attempt"
4150
+ },
4151
+ "conditions": [
4152
+ {
4153
+ "parameters": {
4154
+ "inputs": [
4155
+ {
4156
+ "address": "server.request.query"
4157
+ },
4158
+ {
4159
+ "address": "server.request.body"
4160
+ },
4161
+ {
4162
+ "address": "server.request.path_params"
4163
+ },
4164
+ {
4165
+ "address": "server.request.headers.no_cookies"
4166
+ }
4167
+ ],
4168
+ "regex": "\\ballow\\s+filtering\\b"
4169
+ },
4170
+ "operator": "match_regex"
4171
+ }
4172
+ ],
4173
+ "transformers": [
4174
+ "removeComments"
4175
+ ]
4176
+ },
4177
+ {
4178
+ "id": "dog-000-002",
4179
+ "name": "OGNL - Look for formatting injection patterns",
4180
+ "tags": {
4181
+ "type": "java_code_injection",
4182
+ "category": "attack_attempt"
4183
+ },
4184
+ "conditions": [
4185
+ {
4186
+ "operator": "match_regex",
4187
+ "parameters": {
4188
+ "inputs": [
4189
+ {
4190
+ "address": "server.request.uri.raw"
4191
+ },
4192
+ {
4193
+ "address": "server.request.query"
4194
+ },
4195
+ {
4196
+ "address": "server.request.body"
4197
+ },
4198
+ {
4199
+ "address": "server.request.path_params"
4200
+ },
4201
+ {
4202
+ "address": "grpc.server.request.message"
4203
+ }
4204
+ ],
4205
+ "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}",
4206
+ "options": {
4207
+ "case_sensitive": true
4208
+ }
4209
+ }
4210
+ }
4211
+ ],
4212
+ "transformers": []
4213
+ },
4214
+ {
4215
+ "id": "dog-000-003",
4216
+ "name": "OGNL - Detect OGNL exploitation primitives",
4217
+ "tags": {
4218
+ "type": "java_code_injection",
4219
+ "category": "attack_attempt",
4220
+ "confidence": "1"
4221
+ },
4222
+ "conditions": [
4223
+ {
4224
+ "operator": "match_regex",
4225
+ "parameters": {
4226
+ "inputs": [
4227
+ {
4228
+ "address": "server.request.query"
4229
+ },
4230
+ {
4231
+ "address": "server.request.body"
4232
+ },
4233
+ {
4234
+ "address": "server.request.path_params"
4235
+ },
4236
+ {
4237
+ "address": "server.request.headers.no_cookies"
4238
+ },
4239
+ {
4240
+ "address": "grpc.server.request.message"
4241
+ }
4242
+ ],
4243
+ "regex": "[@#]ognl",
4244
+ "options": {
4245
+ "case_sensitive": true
4246
+ }
4247
+ }
4248
+ }
4249
+ ],
4250
+ "transformers": []
4251
+ },
4252
+ {
4253
+ "id": "dog-000-004",
4254
+ "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability",
4255
+ "tags": {
4256
+ "type": "exploit_detection",
4257
+ "category": "attack_attempt",
4258
+ "confidence": "1"
4259
+ },
4260
+ "conditions": [
4261
+ {
4262
+ "operator": "match_regex",
4263
+ "parameters": {
4264
+ "inputs": [
4265
+ {
4266
+ "address": "server.request.body"
4267
+ }
4268
+ ],
4269
+ "regex": "^class\\.module\\.classLoader\\.",
4270
+ "options": {
4271
+ "case_sensitive": false
4272
+ }
4273
+ }
4274
+ }
4275
+ ],
4276
+ "transformers": [
4277
+ "keys_only"
4278
+ ]
4279
+ },
4280
+ {
4281
+ "id": "dog-000-005",
4282
+ "name": "Node.js: Prototype pollution through __proto__",
4283
+ "tags": {
4284
+ "type": "js_code_injection",
4285
+ "category": "attack_attempt",
4286
+ "confidence": "1"
4287
+ },
4288
+ "conditions": [
4289
+ {
4290
+ "parameters": {
4291
+ "inputs": [
4292
+ {
4293
+ "address": "server.request.query"
4294
+ },
4295
+ {
4296
+ "address": "server.request.body"
4297
+ }
4298
+ ],
4299
+ "regex": "^__proto__$"
4300
+ },
4301
+ "operator": "match_regex"
4302
+ }
4303
+ ],
4304
+ "transformers": [
4305
+ "keys_only"
4306
+ ]
4307
+ },
4308
+ {
4309
+ "id": "dog-000-006",
4310
+ "name": "Node.js: Prototype pollution through constructor.prototype",
4311
+ "tags": {
4312
+ "type": "js_code_injection",
4313
+ "category": "attack_attempt",
4314
+ "confidence": "1"
4315
+ },
4316
+ "conditions": [
4317
+ {
4318
+ "parameters": {
4319
+ "inputs": [
4320
+ {
4321
+ "address": "server.request.query"
4322
+ },
4323
+ {
4324
+ "address": "server.request.body"
4325
+ }
4326
+ ],
4327
+ "regex": "^constructor$"
4328
+ },
4329
+ "operator": "match_regex"
4330
+ },
4331
+ {
4332
+ "parameters": {
4333
+ "inputs": [
4334
+ {
4335
+ "address": "server.request.query"
3242
4336
  },
3243
4337
  {
3244
- "address": "grpc.server.request.message"
4338
+ "address": "server.request.body"
3245
4339
  }
3246
4340
  ],
3247
- "regex": "(?:unmarshaller|base64data|java\\.)",
3248
- "options": {
3249
- "case_sensitive": true,
3250
- "min_length": 5
3251
- }
4341
+ "regex": "^prototype$"
3252
4342
  },
3253
4343
  "operator": "match_regex"
3254
4344
  }
3255
4345
  ],
3256
4346
  "transformers": [
3257
- "lowercase"
4347
+ "keys_only"
3258
4348
  ]
3259
4349
  },
3260
4350
  {
3261
- "id": "crs-944-130",
3262
- "name": "Suspicious Java class detected",
4351
+ "id": "dog-000-007",
4352
+ "name": "Server side template injection: Velocity & Freemarker",
3263
4353
  "tags": {
3264
4354
  "type": "java_code_injection",
3265
- "crs_id": "944130",
3266
- "category": "attack_attempt"
4355
+ "category": "attack_attempt",
4356
+ "confidence": "1"
3267
4357
  },
3268
4358
  "conditions": [
3269
4359
  {
@@ -3285,65 +4375,20 @@
3285
4375
  "address": "grpc.server.request.message"
3286
4376
  }
3287
4377
  ],
3288
- "list": [
3289
- "com.opensymphony.xwork2",
3290
- "com.sun.org.apache",
3291
- "java.io.bufferedinputstream",
3292
- "java.io.bufferedreader",
3293
- "java.io.bytearrayinputstream",
3294
- "java.io.bytearrayoutputstream",
3295
- "java.io.chararrayreader",
3296
- "java.io.datainputstream",
3297
- "java.io.file",
3298
- "java.io.fileoutputstream",
3299
- "java.io.filepermission",
3300
- "java.io.filewriter",
3301
- "java.io.filterinputstream",
3302
- "java.io.filteroutputstream",
3303
- "java.io.filterreader",
3304
- "java.io.inputstream",
3305
- "java.io.inputstreamreader",
3306
- "java.io.linenumberreader",
3307
- "java.io.objectoutputstream",
3308
- "java.io.outputstream",
3309
- "java.io.pipedoutputstream",
3310
- "java.io.pipedreader",
3311
- "java.io.printstream",
3312
- "java.io.pushbackinputstream",
3313
- "java.io.reader",
3314
- "java.io.stringreader",
3315
- "java.lang.class",
3316
- "java.lang.integer",
3317
- "java.lang.number",
3318
- "java.lang.object",
3319
- "java.lang.process",
3320
- "java.lang.processbuilder",
3321
- "java.lang.reflect",
3322
- "java.lang.runtime",
3323
- "java.lang.string",
3324
- "java.lang.stringbuilder",
3325
- "java.lang.system",
3326
- "javax.script.scriptenginemanager",
3327
- "org.apache.commons",
3328
- "org.apache.struts",
3329
- "org.apache.struts2",
3330
- "org.omg.corba",
3331
- "java.beans.xmldecode"
3332
- ]
4378
+ "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>"
3333
4379
  },
3334
- "operator": "phrase_match"
4380
+ "operator": "match_regex"
3335
4381
  }
3336
4382
  ],
3337
- "transformers": [
3338
- "lowercase"
3339
- ]
4383
+ "transformers": []
3340
4384
  },
3341
4385
  {
3342
- "id": "dog-000-001",
3343
- "name": "Look for Cassandra injections",
4386
+ "id": "dog-931-001",
4387
+ "name": "RFI: URL Payload to well known RFI target",
3344
4388
  "tags": {
3345
- "type": "nosql_injection",
3346
- "category": "attack_attempt"
4389
+ "type": "rfi",
4390
+ "category": "attack_attempt",
4391
+ "confidence": "1"
3347
4392
  },
3348
4393
  "conditions": [
3349
4394
  {
@@ -3357,64 +4402,59 @@
3357
4402
  },
3358
4403
  {
3359
4404
  "address": "server.request.path_params"
3360
- },
3361
- {
3362
- "address": "server.request.headers.no_cookies"
3363
4405
  }
3364
4406
  ],
3365
- "regex": "\\ballow\\s+filtering\\b"
4407
+ "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$",
4408
+ "options": {
4409
+ "case_sensitive": true,
4410
+ "min_length": 17
4411
+ }
3366
4412
  },
3367
4413
  "operator": "match_regex"
3368
4414
  }
3369
4415
  ],
3370
- "transformers": [
3371
- "removeComments"
3372
- ]
4416
+ "transformers": []
3373
4417
  },
3374
4418
  {
3375
- "id": "dog-000-002",
3376
- "name": "OGNL - Look for formatting injection patterns",
4419
+ "id": "dog-934-001",
4420
+ "name": "XXE - XML file loads external entity",
3377
4421
  "tags": {
3378
- "type": "java_code_injection",
3379
- "category": "attack_attempt"
4422
+ "type": "xxe",
4423
+ "category": "attack_attempt",
4424
+ "confidence": "0"
3380
4425
  },
3381
4426
  "conditions": [
3382
4427
  {
3383
- "operator": "match_regex",
3384
4428
  "parameters": {
3385
4429
  "inputs": [
3386
- {
3387
- "address": "server.request.query"
3388
- },
3389
4430
  {
3390
4431
  "address": "server.request.body"
3391
4432
  },
3392
- {
3393
- "address": "server.request.path_params"
3394
- },
3395
4433
  {
3396
4434
  "address": "grpc.server.request.message"
3397
4435
  }
3398
4436
  ],
3399
- "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
4437
+ "regex": "(?:<\\?xml[^>]*>.*)<!ENTITY[^>]+SYSTEM\\s+[^>]+>",
3400
4438
  "options": {
3401
- "case_sensitive": true
4439
+ "case_sensitive": false,
4440
+ "min_length": 24
3402
4441
  }
3403
- }
4442
+ },
4443
+ "operator": "match_regex"
3404
4444
  }
3405
4445
  ],
3406
4446
  "transformers": []
3407
4447
  },
3408
4448
  {
3409
- "id": "dog-000-003",
3410
- "name": "OGNL - Detect OGNL exploitation primitives",
4449
+ "id": "dog-942-001",
4450
+ "name": "Blind XSS callback domains",
3411
4451
  "tags": {
3412
- "type": "java_code_injection",
3413
- "category": "attack_attempt"
4452
+ "type": "xss",
4453
+ "category": "attack_attempt",
4454
+ "confidence": "1"
3414
4455
  },
3415
4456
  "conditions": [
3416
4457
  {
3417
- "operator": "match_regex",
3418
4458
  "parameters": {
3419
4459
  "inputs": [
3420
4460
  {
@@ -3433,48 +4473,23 @@
3433
4473
  "address": "grpc.server.request.message"
3434
4474
  }
3435
4475
  ],
3436
- "regex": "[@#]ognl",
3437
- "options": {
3438
- "case_sensitive": true
3439
- }
3440
- }
3441
- }
3442
- ],
3443
- "transformers": []
3444
- },
3445
- {
3446
- "id": "dog-000-004",
3447
- "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability",
3448
- "tags": {
3449
- "type": "exploit_detection",
3450
- "category": "attack_attempt"
3451
- },
3452
- "conditions": [
3453
- {
3454
- "operator": "match_regex",
3455
- "parameters": {
3456
- "inputs": [
3457
- {
3458
- "address": "server.request.body"
3459
- }
3460
- ],
3461
- "regex": "^class\\.module\\.classLoader\\.",
4476
+ "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)",
3462
4477
  "options": {
3463
4478
  "case_sensitive": false
3464
4479
  }
3465
- }
4480
+ },
4481
+ "operator": "match_regex"
3466
4482
  }
3467
4483
  ],
3468
- "transformers": [
3469
- "keys_only"
3470
- ]
4484
+ "transformers": []
3471
4485
  },
3472
4486
  {
3473
4487
  "id": "nfd-000-001",
3474
4488
  "name": "Detect common directory discovery scans",
3475
4489
  "tags": {
3476
4490
  "type": "security_scanner",
3477
- "category": "attack_attempt"
4491
+ "category": "attack_attempt",
4492
+ "confidence": "1"
3478
4493
  },
3479
4494
  "conditions": [
3480
4495
  {
@@ -3708,7 +4723,8 @@
3708
4723
  "name": "Detect failed attempt to fetch readme files",
3709
4724
  "tags": {
3710
4725
  "type": "security_scanner",
3711
- "category": "attack_attempt"
4726
+ "category": "attack_attempt",
4727
+ "confidence": "1"
3712
4728
  },
3713
4729
  "conditions": [
3714
4730
  {
@@ -3747,7 +4763,8 @@
3747
4763
  "name": "Detect failed attempt to fetch Java EE resource files",
3748
4764
  "tags": {
3749
4765
  "type": "security_scanner",
3750
- "category": "attack_attempt"
4766
+ "category": "attack_attempt",
4767
+ "confidence": "1"
3751
4768
  },
3752
4769
  "conditions": [
3753
4770
  {
@@ -3786,7 +4803,8 @@
3786
4803
  "name": "Detect failed attempt to fetch code files",
3787
4804
  "tags": {
3788
4805
  "type": "security_scanner",
3789
- "category": "attack_attempt"
4806
+ "category": "attack_attempt",
4807
+ "confidence": "1"
3790
4808
  },
3791
4809
  "conditions": [
3792
4810
  {
@@ -3825,7 +4843,8 @@
3825
4843
  "name": "Detect failed attempt to fetch source code archives",
3826
4844
  "tags": {
3827
4845
  "type": "security_scanner",
3828
- "category": "attack_attempt"
4846
+ "category": "attack_attempt",
4847
+ "confidence": "1"
3829
4848
  },
3830
4849
  "conditions": [
3831
4850
  {
@@ -3864,7 +4883,8 @@
3864
4883
  "name": "Detect failed attempt to fetch sensitive files",
3865
4884
  "tags": {
3866
4885
  "type": "security_scanner",
3867
- "category": "attack_attempt"
4886
+ "category": "attack_attempt",
4887
+ "confidence": "1"
3868
4888
  },
3869
4889
  "conditions": [
3870
4890
  {
@@ -3903,7 +4923,8 @@
3903
4923
  "name": "Detect failed attempt to fetch archives",
3904
4924
  "tags": {
3905
4925
  "type": "security_scanner",
3906
- "category": "attack_attempt"
4926
+ "category": "attack_attempt",
4927
+ "confidence": "1"
3907
4928
  },
3908
4929
  "conditions": [
3909
4930
  {
@@ -3942,7 +4963,8 @@
3942
4963
  "name": "Detect failed attempt to trigger incorrect application behavior",
3943
4964
  "tags": {
3944
4965
  "type": "security_scanner",
3945
- "category": "attack_attempt"
4966
+ "category": "attack_attempt",
4967
+ "confidence": "1"
3946
4968
  },
3947
4969
  "conditions": [
3948
4970
  {
@@ -3981,7 +5003,8 @@
3981
5003
  "name": "Detect failed attempt to leak the structure of the application",
3982
5004
  "tags": {
3983
5005
  "type": "security_scanner",
3984
- "category": "attack_attempt"
5006
+ "category": "attack_attempt",
5007
+ "confidence": "1"
3985
5008
  },
3986
5009
  "conditions": [
3987
5010
  {
@@ -4020,7 +5043,8 @@
4020
5043
  "name": "SSRF: Try to access the credential manager of the main cloud services",
4021
5044
  "tags": {
4022
5045
  "type": "ssrf",
4023
- "category": "attack_attempt"
5046
+ "category": "attack_attempt",
5047
+ "confidence": "1"
4024
5048
  },
4025
5049
  "conditions": [
4026
5050
  {
@@ -4087,42 +5111,13 @@
4087
5111
  "removeNulls"
4088
5112
  ]
4089
5113
  },
4090
- {
4091
- "id": "sqr-000-007",
4092
- "name": "NoSQL: Detect common exploitation strategy",
4093
- "tags": {
4094
- "type": "nosql_injection",
4095
- "category": "attack_attempt"
4096
- },
4097
- "conditions": [
4098
- {
4099
- "parameters": {
4100
- "inputs": [
4101
- {
4102
- "address": "server.request.query"
4103
- },
4104
- {
4105
- "address": "server.request.body"
4106
- },
4107
- {
4108
- "address": "server.request.path_params"
4109
- }
4110
- ],
4111
- "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
4112
- },
4113
- "operator": "match_regex"
4114
- }
4115
- ],
4116
- "transformers": [
4117
- "keys_only"
4118
- ]
4119
- },
4120
5114
  {
4121
5115
  "id": "sqr-000-008",
4122
5116
  "name": "Windows: Detect attempts to exfiltrate .ini files",
4123
5117
  "tags": {
4124
5118
  "type": "command_injection",
4125
- "category": "attack_attempt"
5119
+ "category": "attack_attempt",
5120
+ "confidence": "1"
4126
5121
  },
4127
5122
  "conditions": [
4128
5123
  {
@@ -4156,7 +5151,8 @@
4156
5151
  "name": "Linux: Detect attempts to exfiltrate passwd files",
4157
5152
  "tags": {
4158
5153
  "type": "command_injection",
4159
- "category": "attack_attempt"
5154
+ "category": "attack_attempt",
5155
+ "confidence": "1"
4160
5156
  },
4161
5157
  "conditions": [
4162
5158
  {
@@ -4190,7 +5186,8 @@
4190
5186
  "name": "Windows: Detect attempts to timeout a shell",
4191
5187
  "tags": {
4192
5188
  "type": "command_injection",
4193
- "category": "attack_attempt"
5189
+ "category": "attack_attempt",
5190
+ "confidence": "1"
4194
5191
  },
4195
5192
  "conditions": [
4196
5193
  {
@@ -4224,7 +5221,8 @@
4224
5221
  "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)",
4225
5222
  "tags": {
4226
5223
  "type": "ssrf",
4227
- "category": "attack_attempt"
5224
+ "category": "attack_attempt",
5225
+ "confidence": "1"
4228
5226
  },
4229
5227
  "conditions": [
4230
5228
  {
@@ -4258,7 +5256,8 @@
4258
5256
  "name": "SSRF: Detect SSRF attempt on internal service",
4259
5257
  "tags": {
4260
5258
  "type": "ssrf",
4261
- "category": "attack_attempt"
5259
+ "category": "attack_attempt",
5260
+ "confidence": "0"
4262
5261
  },
4263
5262
  "conditions": [
4264
5263
  {
@@ -4277,7 +5276,7 @@
4277
5276
  "address": "grpc.server.request.message"
4278
5277
  }
4279
5278
  ],
4280
- "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"
5279
+ "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/[^:@]*)?$"
4281
5280
  },
4282
5281
  "operator": "match_regex"
4283
5282
  }
@@ -4291,7 +5290,8 @@
4291
5290
  "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation",
4292
5291
  "tags": {
4293
5292
  "type": "ssrf",
4294
- "category": "attack_attempt"
5293
+ "category": "attack_attempt",
5294
+ "confidence": "0"
4295
5295
  },
4296
5296
  "conditions": [
4297
5297
  {
@@ -4310,7 +5310,7 @@
4310
5310
  "address": "grpc.server.request.message"
4311
5311
  }
4312
5312
  ],
4313
- "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"
5313
+ "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$"
4314
5314
  },
4315
5315
  "operator": "match_regex"
4316
5316
  }
@@ -4324,7 +5324,8 @@
4324
5324
  "name": "SSRF: Detect SSRF domain redirection bypass",
4325
5325
  "tags": {
4326
5326
  "type": "ssrf",
4327
- "category": "attack_attempt"
5327
+ "category": "attack_attempt",
5328
+ "confidence": "1"
4328
5329
  },
4329
5330
  "conditions": [
4330
5331
  {
@@ -4346,7 +5347,7 @@
4346
5347
  "address": "grpc.server.request.message"
4347
5348
  }
4348
5349
  ],
4349
- "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"
5350
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
4350
5351
  },
4351
5352
  "operator": "match_regex"
4352
5353
  }
@@ -4360,7 +5361,8 @@
4360
5361
  "name": "SSRF: Detect SSRF attempt using non HTTP protocol",
4361
5362
  "tags": {
4362
5363
  "type": "ssrf",
4363
- "category": "attack_attempt"
5364
+ "category": "attack_attempt",
5365
+ "confidence": "0"
4364
5366
  },
4365
5367
  "conditions": [
4366
5368
  {
@@ -4396,7 +5398,8 @@
4396
5398
  "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228",
4397
5399
  "tags": {
4398
5400
  "type": "exploit_detection",
4399
- "category": "attack_attempt"
5401
+ "category": "attack_attempt",
5402
+ "confidence": "1"
4400
5403
  },
4401
5404
  "conditions": [
4402
5405
  {
@@ -4433,7 +5436,8 @@
4433
5436
  "name": "Joomla exploitation tool",
4434
5437
  "tags": {
4435
5438
  "type": "security_scanner",
4436
- "category": "attack_attempt"
5439
+ "category": "attack_attempt",
5440
+ "confidence": "1"
4437
5441
  },
4438
5442
  "conditions": [
4439
5443
  {
@@ -4458,7 +5462,8 @@
4458
5462
  "name": "Nessus",
4459
5463
  "tags": {
4460
5464
  "type": "security_scanner",
4461
- "category": "attack_attempt"
5465
+ "category": "attack_attempt",
5466
+ "confidence": "1"
4462
5467
  },
4463
5468
  "conditions": [
4464
5469
  {
@@ -4483,7 +5488,8 @@
4483
5488
  "name": "Arachni",
4484
5489
  "tags": {
4485
5490
  "type": "security_scanner",
4486
- "category": "attack_attempt"
5491
+ "category": "attack_attempt",
5492
+ "confidence": "1"
4487
5493
  },
4488
5494
  "conditions": [
4489
5495
  {
@@ -4508,7 +5514,8 @@
4508
5514
  "name": "Jorgee",
4509
5515
  "tags": {
4510
5516
  "type": "security_scanner",
4511
- "category": "attack_attempt"
5517
+ "category": "attack_attempt",
5518
+ "confidence": "1"
4512
5519
  },
4513
5520
  "conditions": [
4514
5521
  {
@@ -4533,7 +5540,8 @@
4533
5540
  "name": "Probely",
4534
5541
  "tags": {
4535
5542
  "type": "security_scanner",
4536
- "category": "attack_attempt"
5543
+ "category": "attack_attempt",
5544
+ "confidence": "1"
4537
5545
  },
4538
5546
  "conditions": [
4539
5547
  {
@@ -4558,7 +5566,8 @@
4558
5566
  "name": "Metis",
4559
5567
  "tags": {
4560
5568
  "type": "security_scanner",
4561
- "category": "attack_attempt"
5569
+ "category": "attack_attempt",
5570
+ "confidence": "1"
4562
5571
  },
4563
5572
  "conditions": [
4564
5573
  {
@@ -4583,7 +5592,8 @@
4583
5592
  "name": "SQL power injector",
4584
5593
  "tags": {
4585
5594
  "type": "security_scanner",
4586
- "category": "attack_attempt"
5595
+ "category": "attack_attempt",
5596
+ "confidence": "1"
4587
5597
  },
4588
5598
  "conditions": [
4589
5599
  {
@@ -4608,7 +5618,8 @@
4608
5618
  "name": "N-Stealth",
4609
5619
  "tags": {
4610
5620
  "type": "security_scanner",
4611
- "category": "attack_attempt"
5621
+ "category": "attack_attempt",
5622
+ "confidence": "1"
4612
5623
  },
4613
5624
  "conditions": [
4614
5625
  {
@@ -4633,7 +5644,8 @@
4633
5644
  "name": "Brutus",
4634
5645
  "tags": {
4635
5646
  "type": "security_scanner",
4636
- "category": "attack_attempt"
5647
+ "category": "attack_attempt",
5648
+ "confidence": "1"
4637
5649
  },
4638
5650
  "conditions": [
4639
5651
  {
@@ -4658,7 +5670,8 @@
4658
5670
  "name": "Shellshock exploitation tool",
4659
5671
  "tags": {
4660
5672
  "type": "security_scanner",
4661
- "category": "attack_attempt"
5673
+ "category": "attack_attempt",
5674
+ "confidence": "1"
4662
5675
  },
4663
5676
  "conditions": [
4664
5677
  {
@@ -4683,7 +5696,8 @@
4683
5696
  "name": "Netsparker",
4684
5697
  "tags": {
4685
5698
  "type": "security_scanner",
4686
- "category": "attack_attempt"
5699
+ "category": "attack_attempt",
5700
+ "confidence": "1"
4687
5701
  },
4688
5702
  "conditions": [
4689
5703
  {
@@ -4708,7 +5722,8 @@
4708
5722
  "name": "JAASCois",
4709
5723
  "tags": {
4710
5724
  "type": "security_scanner",
4711
- "category": "attack_attempt"
5725
+ "category": "attack_attempt",
5726
+ "confidence": "1"
4712
5727
  },
4713
5728
  "conditions": [
4714
5729
  {
@@ -4733,7 +5748,8 @@
4733
5748
  "name": "PMAFind",
4734
5749
  "tags": {
4735
5750
  "type": "security_scanner",
4736
- "category": "attack_attempt"
5751
+ "category": "attack_attempt",
5752
+ "confidence": "1"
4737
5753
  },
4738
5754
  "conditions": [
4739
5755
  {
@@ -4758,7 +5774,8 @@
4758
5774
  "name": "Webtrends",
4759
5775
  "tags": {
4760
5776
  "type": "security_scanner",
4761
- "category": "attack_attempt"
5777
+ "category": "attack_attempt",
5778
+ "confidence": "1"
4762
5779
  },
4763
5780
  "conditions": [
4764
5781
  {
@@ -4783,7 +5800,8 @@
4783
5800
  "name": "Nsauditor",
4784
5801
  "tags": {
4785
5802
  "type": "security_scanner",
4786
- "category": "attack_attempt"
5803
+ "category": "attack_attempt",
5804
+ "confidence": "1"
4787
5805
  },
4788
5806
  "conditions": [
4789
5807
  {
@@ -4808,7 +5826,8 @@
4808
5826
  "name": "Paros",
4809
5827
  "tags": {
4810
5828
  "type": "security_scanner",
4811
- "category": "attack_attempt"
5829
+ "category": "attack_attempt",
5830
+ "confidence": "1"
4812
5831
  },
4813
5832
  "conditions": [
4814
5833
  {
@@ -4833,7 +5852,8 @@
4833
5852
  "name": "DirBuster",
4834
5853
  "tags": {
4835
5854
  "type": "security_scanner",
4836
- "category": "attack_attempt"
5855
+ "category": "attack_attempt",
5856
+ "confidence": "1"
4837
5857
  },
4838
5858
  "conditions": [
4839
5859
  {
@@ -4858,7 +5878,8 @@
4858
5878
  "name": "Pangolin",
4859
5879
  "tags": {
4860
5880
  "type": "security_scanner",
4861
- "category": "attack_attempt"
5881
+ "category": "attack_attempt",
5882
+ "confidence": "1"
4862
5883
  },
4863
5884
  "conditions": [
4864
5885
  {
@@ -4883,7 +5904,8 @@
4883
5904
  "name": "Qualys",
4884
5905
  "tags": {
4885
5906
  "type": "security_scanner",
4886
- "category": "attack_attempt"
5907
+ "category": "attack_attempt",
5908
+ "confidence": "1"
4887
5909
  },
4888
5910
  "conditions": [
4889
5911
  {
@@ -4908,7 +5930,8 @@
4908
5930
  "name": "SQLNinja",
4909
5931
  "tags": {
4910
5932
  "type": "security_scanner",
4911
- "category": "attack_attempt"
5933
+ "category": "attack_attempt",
5934
+ "confidence": "1"
4912
5935
  },
4913
5936
  "conditions": [
4914
5937
  {
@@ -4933,7 +5956,8 @@
4933
5956
  "name": "Nikto",
4934
5957
  "tags": {
4935
5958
  "type": "security_scanner",
4936
- "category": "attack_attempt"
5959
+ "category": "attack_attempt",
5960
+ "confidence": "1"
4937
5961
  },
4938
5962
  "conditions": [
4939
5963
  {
@@ -4958,7 +5982,8 @@
4958
5982
  "name": "WebInspect",
4959
5983
  "tags": {
4960
5984
  "type": "security_scanner",
4961
- "category": "attack_attempt"
5985
+ "category": "attack_attempt",
5986
+ "confidence": "1"
4962
5987
  },
4963
5988
  "conditions": [
4964
5989
  {
@@ -4983,7 +6008,8 @@
4983
6008
  "name": "BlackWidow",
4984
6009
  "tags": {
4985
6010
  "type": "security_scanner",
4986
- "category": "attack_attempt"
6011
+ "category": "attack_attempt",
6012
+ "confidence": "1"
4987
6013
  },
4988
6014
  "conditions": [
4989
6015
  {
@@ -5008,7 +6034,8 @@
5008
6034
  "name": "Grendel-Scan",
5009
6035
  "tags": {
5010
6036
  "type": "security_scanner",
5011
- "category": "attack_attempt"
6037
+ "category": "attack_attempt",
6038
+ "confidence": "1"
5012
6039
  },
5013
6040
  "conditions": [
5014
6041
  {
@@ -5033,7 +6060,8 @@
5033
6060
  "name": "Havij",
5034
6061
  "tags": {
5035
6062
  "type": "security_scanner",
5036
- "category": "attack_attempt"
6063
+ "category": "attack_attempt",
6064
+ "confidence": "1"
5037
6065
  },
5038
6066
  "conditions": [
5039
6067
  {
@@ -5058,7 +6086,8 @@
5058
6086
  "name": "w3af",
5059
6087
  "tags": {
5060
6088
  "type": "security_scanner",
5061
- "category": "attack_attempt"
6089
+ "category": "attack_attempt",
6090
+ "confidence": "1"
5062
6091
  },
5063
6092
  "conditions": [
5064
6093
  {
@@ -5083,7 +6112,8 @@
5083
6112
  "name": "Nmap",
5084
6113
  "tags": {
5085
6114
  "type": "security_scanner",
5086
- "category": "attack_attempt"
6115
+ "category": "attack_attempt",
6116
+ "confidence": "1"
5087
6117
  },
5088
6118
  "conditions": [
5089
6119
  {
@@ -5108,7 +6138,8 @@
5108
6138
  "name": "Nessus Scripted",
5109
6139
  "tags": {
5110
6140
  "type": "security_scanner",
5111
- "category": "attack_attempt"
6141
+ "category": "attack_attempt",
6142
+ "confidence": "1"
5112
6143
  },
5113
6144
  "conditions": [
5114
6145
  {
@@ -5133,7 +6164,8 @@
5133
6164
  "name": "Evil Scanner",
5134
6165
  "tags": {
5135
6166
  "type": "security_scanner",
5136
- "category": "attack_attempt"
6167
+ "category": "attack_attempt",
6168
+ "confidence": "1"
5137
6169
  },
5138
6170
  "conditions": [
5139
6171
  {
@@ -5158,7 +6190,8 @@
5158
6190
  "name": "WebFuck",
5159
6191
  "tags": {
5160
6192
  "type": "security_scanner",
5161
- "category": "attack_attempt"
6193
+ "category": "attack_attempt",
6194
+ "confidence": "1"
5162
6195
  },
5163
6196
  "conditions": [
5164
6197
  {
@@ -5183,7 +6216,8 @@
5183
6216
  "name": "OpenVAS",
5184
6217
  "tags": {
5185
6218
  "type": "security_scanner",
5186
- "category": "attack_attempt"
6219
+ "category": "attack_attempt",
6220
+ "confidence": "1"
5187
6221
  },
5188
6222
  "conditions": [
5189
6223
  {
@@ -5208,7 +6242,8 @@
5208
6242
  "name": "Spider-Pig",
5209
6243
  "tags": {
5210
6244
  "type": "security_scanner",
5211
- "category": "attack_attempt"
6245
+ "category": "attack_attempt",
6246
+ "confidence": "1"
5212
6247
  },
5213
6248
  "conditions": [
5214
6249
  {
@@ -5233,7 +6268,8 @@
5233
6268
  "name": "Zgrab",
5234
6269
  "tags": {
5235
6270
  "type": "security_scanner",
5236
- "category": "attack_attempt"
6271
+ "category": "attack_attempt",
6272
+ "confidence": "1"
5237
6273
  },
5238
6274
  "conditions": [
5239
6275
  {
@@ -5258,7 +6294,8 @@
5258
6294
  "name": "Zmeu",
5259
6295
  "tags": {
5260
6296
  "type": "security_scanner",
5261
- "category": "attack_attempt"
6297
+ "category": "attack_attempt",
6298
+ "confidence": "1"
5262
6299
  },
5263
6300
  "conditions": [
5264
6301
  {
@@ -5283,7 +6320,8 @@
5283
6320
  "name": "Crowdstrike",
5284
6321
  "tags": {
5285
6322
  "type": "security_scanner",
5286
- "category": "attack_attempt"
6323
+ "category": "attack_attempt",
6324
+ "confidence": "1"
5287
6325
  },
5288
6326
  "conditions": [
5289
6327
  {
@@ -5308,7 +6346,8 @@
5308
6346
  "name": "GoogleSecurityScanner",
5309
6347
  "tags": {
5310
6348
  "type": "security_scanner",
5311
- "category": "attack_attempt"
6349
+ "category": "attack_attempt",
6350
+ "confidence": "1"
5312
6351
  },
5313
6352
  "conditions": [
5314
6353
  {
@@ -5333,7 +6372,8 @@
5333
6372
  "name": "Commix",
5334
6373
  "tags": {
5335
6374
  "type": "security_scanner",
5336
- "category": "attack_attempt"
6375
+ "category": "attack_attempt",
6376
+ "confidence": "1"
5337
6377
  },
5338
6378
  "conditions": [
5339
6379
  {
@@ -5358,7 +6398,8 @@
5358
6398
  "name": "Gobuster",
5359
6399
  "tags": {
5360
6400
  "type": "security_scanner",
5361
- "category": "attack_attempt"
6401
+ "category": "attack_attempt",
6402
+ "confidence": "1"
5362
6403
  },
5363
6404
  "conditions": [
5364
6405
  {
@@ -5383,7 +6424,8 @@
5383
6424
  "name": "CGIchk",
5384
6425
  "tags": {
5385
6426
  "type": "security_scanner",
5386
- "category": "attack_attempt"
6427
+ "category": "attack_attempt",
6428
+ "confidence": "1"
5387
6429
  },
5388
6430
  "conditions": [
5389
6431
  {
@@ -5408,7 +6450,8 @@
5408
6450
  "name": "FFUF",
5409
6451
  "tags": {
5410
6452
  "type": "security_scanner",
5411
- "category": "attack_attempt"
6453
+ "category": "attack_attempt",
6454
+ "confidence": "1"
5412
6455
  },
5413
6456
  "conditions": [
5414
6457
  {
@@ -5433,7 +6476,8 @@
5433
6476
  "name": "Nuclei",
5434
6477
  "tags": {
5435
6478
  "type": "security_scanner",
5436
- "category": "attack_attempt"
6479
+ "category": "attack_attempt",
6480
+ "confidence": "1"
5437
6481
  },
5438
6482
  "conditions": [
5439
6483
  {
@@ -5458,7 +6502,8 @@
5458
6502
  "name": "Tsunami",
5459
6503
  "tags": {
5460
6504
  "type": "security_scanner",
5461
- "category": "attack_attempt"
6505
+ "category": "attack_attempt",
6506
+ "confidence": "1"
5462
6507
  },
5463
6508
  "conditions": [
5464
6509
  {
@@ -5483,7 +6528,8 @@
5483
6528
  "name": "Nimbostratus",
5484
6529
  "tags": {
5485
6530
  "type": "security_scanner",
5486
- "category": "attack_attempt"
6531
+ "category": "attack_attempt",
6532
+ "confidence": "1"
5487
6533
  },
5488
6534
  "conditions": [
5489
6535
  {
@@ -5508,7 +6554,8 @@
5508
6554
  "name": "Datadog test scanner: user-agent",
5509
6555
  "tags": {
5510
6556
  "type": "security_scanner",
5511
- "category": "attack_attempt"
6557
+ "category": "attack_attempt",
6558
+ "confidence": "1"
5512
6559
  },
5513
6560
  "conditions": [
5514
6561
  {
@@ -5534,12 +6581,48 @@
5534
6581
  ],
5535
6582
  "transformers": []
5536
6583
  },
6584
+ {
6585
+ "id": "ua0-600-56x",
6586
+ "name": "Datadog test scanner - blocking version: user-agent",
6587
+ "tags": {
6588
+ "type": "security_scanner",
6589
+ "category": "attack_attempt",
6590
+ "confidence": "1"
6591
+ },
6592
+ "conditions": [
6593
+ {
6594
+ "parameters": {
6595
+ "inputs": [
6596
+ {
6597
+ "address": "server.request.headers.no_cookies",
6598
+ "key_path": [
6599
+ "user-agent"
6600
+ ]
6601
+ },
6602
+ {
6603
+ "address": "grpc.server.request.metadata",
6604
+ "key_path": [
6605
+ "dd-canary"
6606
+ ]
6607
+ }
6608
+ ],
6609
+ "regex": "^dd-test-scanner-log-block$"
6610
+ },
6611
+ "operator": "match_regex"
6612
+ }
6613
+ ],
6614
+ "transformers": [],
6615
+ "on_match": [
6616
+ "block"
6617
+ ]
6618
+ },
5537
6619
  {
5538
6620
  "id": "ua0-600-5xx",
5539
6621
  "name": "Blind SQL Injection Brute Forcer",
5540
6622
  "tags": {
5541
6623
  "type": "security_scanner",
5542
- "category": "attack_attempt"
6624
+ "category": "attack_attempt",
6625
+ "confidence": "1"
5543
6626
  },
5544
6627
  "conditions": [
5545
6628
  {
@@ -5564,7 +6647,8 @@
5564
6647
  "name": "Suspicious user agent",
5565
6648
  "tags": {
5566
6649
  "type": "security_scanner",
5567
- "category": "attack_attempt"
6650
+ "category": "attack_attempt",
6651
+ "confidence": "1"
5568
6652
  },
5569
6653
  "conditions": [
5570
6654
  {
@@ -5589,7 +6673,8 @@
5589
6673
  "name": "SQLmap",
5590
6674
  "tags": {
5591
6675
  "type": "security_scanner",
5592
- "category": "attack_attempt"
6676
+ "category": "attack_attempt",
6677
+ "confidence": "1"
5593
6678
  },
5594
6679
  "conditions": [
5595
6680
  {
@@ -5614,7 +6699,8 @@
5614
6699
  "name": "Skipfish",
5615
6700
  "tags": {
5616
6701
  "type": "security_scanner",
5617
- "category": "attack_attempt"
6702
+ "category": "attack_attempt",
6703
+ "confidence": "1"
5618
6704
  },
5619
6705
  "conditions": [
5620
6706
  {
@@ -5635,4 +6721,4 @@
5635
6721
  "transformers": []
5636
6722
  }
5637
6723
  ]
5638
- }
6724
+ }