ddtrace 1.1.0 → 1.12.1

Files changed (812) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +707 -1
  3. data/LICENSE-3rdparty.csv +4 -0
  4. data/README.md +15 -12
  5. data/ext/ddtrace_profiling_loader/ddtrace_profiling_loader.c +21 -5
  6. data/ext/ddtrace_profiling_loader/extconf.rb +21 -2
  7. data/ext/ddtrace_profiling_native_extension/NativeExtensionDesign.md +57 -11
  8. data/ext/ddtrace_profiling_native_extension/clock_id.h +22 -1
  9. data/ext/ddtrace_profiling_native_extension/clock_id_from_pthread.c +34 -3
  10. data/ext/ddtrace_profiling_native_extension/clock_id_noop.c +11 -2
  11. data/ext/ddtrace_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +931 -0
  12. data/ext/ddtrace_profiling_native_extension/collectors_dynamic_sampling_rate.c +142 -0
  13. data/ext/ddtrace_profiling_native_extension/collectors_dynamic_sampling_rate.h +14 -0
  14. data/ext/ddtrace_profiling_native_extension/collectors_idle_sampling_helper.c +241 -0
  15. data/ext/ddtrace_profiling_native_extension/collectors_idle_sampling_helper.h +3 -0
  16. data/ext/ddtrace_profiling_native_extension/collectors_stack.c +196 -95
  17. data/ext/ddtrace_profiling_native_extension/collectors_stack.h +20 -0
  18. data/ext/ddtrace_profiling_native_extension/collectors_thread_context.c +1001 -0
  19. data/ext/ddtrace_profiling_native_extension/collectors_thread_context.h +14 -0
  20. data/ext/ddtrace_profiling_native_extension/extconf.rb +104 -27
  21. data/ext/ddtrace_profiling_native_extension/helpers.h +17 -0
  22. data/ext/ddtrace_profiling_native_extension/http_transport.c +347 -0
  23. data/ext/ddtrace_profiling_native_extension/libdatadog_helpers.h +25 -0
  24. data/ext/ddtrace_profiling_native_extension/native_extension_helpers.rb +160 -27
  25. data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c +269 -107
  26. data/ext/ddtrace_profiling_native_extension/private_vm_api_access.h +17 -5
  27. data/ext/ddtrace_profiling_native_extension/profiling.c +223 -3
  28. data/ext/ddtrace_profiling_native_extension/ruby_helpers.c +110 -0
  29. data/ext/ddtrace_profiling_native_extension/ruby_helpers.h +89 -0
  30. data/ext/ddtrace_profiling_native_extension/setup_signal_handler.c +115 -0
  31. data/ext/ddtrace_profiling_native_extension/setup_signal_handler.h +11 -0
  32. data/ext/ddtrace_profiling_native_extension/stack_recorder.c +506 -54
  33. data/ext/ddtrace_profiling_native_extension/stack_recorder.h +12 -26
  34. data/ext/ddtrace_profiling_native_extension/time_helpers.c +17 -0
  35. data/ext/ddtrace_profiling_native_extension/time_helpers.h +10 -0
  36. data/lib/datadog/appsec/assets/blocked.html +98 -3
  37. data/lib/datadog/appsec/assets/blocked.json +1 -0
  38. data/lib/datadog/appsec/assets/blocked.text +5 -0
  39. data/lib/datadog/appsec/assets/waf_rules/recommended.json +2192 -750
  40. data/lib/datadog/appsec/assets/waf_rules/strict.json +367 -120
  41. data/lib/datadog/appsec/assets.rb +2 -4
  42. data/lib/datadog/appsec/autoload.rb +5 -10
  43. data/lib/datadog/appsec/component.rb +75 -0
  44. data/lib/datadog/appsec/configuration/settings.rb +65 -35
  45. data/lib/datadog/appsec/configuration.rb +21 -11
  46. data/lib/datadog/appsec/contrib/auto_instrument.rb +1 -3
  47. data/lib/datadog/appsec/contrib/integration.rb +1 -1
  48. data/lib/datadog/appsec/contrib/patcher.rb +1 -1
  49. data/lib/datadog/appsec/contrib/rack/ext.rb +0 -3
  50. data/lib/datadog/appsec/contrib/rack/gateway/request.rb +100 -0
  51. data/lib/datadog/appsec/contrib/rack/gateway/response.rb +30 -0
  52. data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +116 -127
  53. data/lib/datadog/appsec/contrib/rack/integration.rb +4 -11
  54. data/lib/datadog/appsec/contrib/rack/patcher.rb +5 -3
  55. data/lib/datadog/appsec/contrib/rack/reactive/request.rb +36 -37
  56. data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +21 -22
  57. data/lib/datadog/appsec/contrib/rack/reactive/response.rb +27 -22
  58. data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +10 -8
  59. data/lib/datadog/appsec/contrib/rack/request_middleware.rb +103 -41
  60. data/lib/datadog/appsec/contrib/rails/ext.rb +0 -3
  61. data/lib/datadog/appsec/contrib/rails/framework.rb +2 -14
  62. data/lib/datadog/appsec/contrib/rails/gateway/request.rb +67 -0
  63. data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +43 -56
  64. data/lib/datadog/appsec/contrib/rails/integration.rb +4 -11
  65. data/lib/datadog/appsec/contrib/rails/patcher.rb +18 -17
  66. data/lib/datadog/appsec/contrib/rails/reactive/action.rb +24 -23
  67. data/lib/datadog/appsec/contrib/rails/request.rb +4 -1
  68. data/lib/datadog/appsec/contrib/rails/request_middleware.rb +1 -1
  69. data/lib/datadog/appsec/contrib/sinatra/ext.rb +1 -3
  70. data/lib/datadog/appsec/contrib/sinatra/framework.rb +2 -14
  71. data/lib/datadog/appsec/contrib/sinatra/gateway/request.rb +17 -0
  72. data/lib/datadog/appsec/contrib/sinatra/gateway/route_params.rb +23 -0
  73. data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +81 -92
  74. data/lib/datadog/appsec/contrib/sinatra/integration.rb +3 -10
  75. data/lib/datadog/appsec/contrib/sinatra/patcher.rb +37 -21
  76. data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +21 -20
  77. data/lib/datadog/appsec/contrib/sinatra/request_middleware.rb +1 -1
  78. data/lib/datadog/appsec/event.rb +41 -49
  79. data/lib/datadog/appsec/ext.rb +10 -0
  80. data/lib/datadog/appsec/extensions.rb +48 -22
  81. data/lib/datadog/appsec/instrumentation/gateway/argument.rb +22 -0
  82. data/lib/datadog/appsec/instrumentation/gateway.rb +26 -6
  83. data/lib/datadog/appsec/instrumentation.rb +9 -0
  84. data/lib/datadog/appsec/monitor/gateway/watcher.rb +67 -0
  85. data/lib/datadog/appsec/monitor/reactive/set_user.rb +61 -0
  86. data/lib/datadog/appsec/monitor.rb +11 -0
  87. data/lib/datadog/appsec/processor/rule_loader.rb +63 -0
  88. data/lib/datadog/appsec/processor/rule_merger.rb +132 -0
  89. data/lib/datadog/appsec/processor.rb +37 -58
  90. data/lib/datadog/appsec/rate_limiter.rb +0 -2
  91. data/lib/datadog/appsec/reactive/address_hash.rb +6 -2
  92. data/lib/datadog/appsec/reactive/engine.rb +12 -9
  93. data/lib/datadog/appsec/reactive/operation.rb +22 -5
  94. data/lib/datadog/appsec/reactive/subscriber.rb +2 -1
  95. data/lib/datadog/appsec/remote.rb +123 -0
  96. data/lib/datadog/appsec/response.rb +73 -0
  97. data/lib/datadog/appsec/scope.rb +61 -0
  98. data/lib/datadog/appsec/utils/http/media_range.rb +199 -0
  99. data/lib/datadog/appsec/utils/http/media_type.rb +85 -0
  100. data/lib/datadog/appsec/utils/http.rb +11 -0
  101. data/lib/datadog/appsec/utils.rb +9 -0
  102. data/lib/datadog/appsec.rb +46 -8
  103. data/lib/datadog/ci/configuration/components.rb +2 -2
  104. data/lib/datadog/ci/configuration/settings.rb +2 -2
  105. data/lib/datadog/ci/contrib/cucumber/configuration/settings.rb +3 -3
  106. data/lib/datadog/ci/contrib/cucumber/ext.rb +0 -2
  107. data/lib/datadog/ci/contrib/cucumber/formatter.rb +6 -6
  108. data/lib/datadog/ci/contrib/cucumber/instrumentation.rb +2 -2
  109. data/lib/datadog/ci/contrib/cucumber/integration.rb +4 -6
  110. data/lib/datadog/ci/contrib/cucumber/patcher.rb +3 -3
  111. data/lib/datadog/ci/contrib/rspec/configuration/settings.rb +3 -3
  112. data/lib/datadog/ci/contrib/rspec/example.rb +5 -7
  113. data/lib/datadog/ci/contrib/rspec/ext.rb +0 -2
  114. data/lib/datadog/ci/contrib/rspec/integration.rb +4 -6
  115. data/lib/datadog/ci/contrib/rspec/patcher.rb +3 -3
  116. data/lib/datadog/ci/ext/app_types.rb +0 -2
  117. data/lib/datadog/ci/ext/environment.rb +117 -45
  118. data/lib/datadog/ci/ext/settings.rb +0 -2
  119. data/lib/datadog/ci/ext/test.rb +0 -2
  120. data/lib/datadog/ci/extensions.rb +5 -5
  121. data/lib/datadog/ci/flush.rb +3 -3
  122. data/lib/datadog/ci/test.rb +3 -5
  123. data/lib/datadog/ci.rb +7 -7
  124. data/lib/datadog/core/buffer/cruby.rb +2 -2
  125. data/lib/datadog/core/buffer/random.rb +1 -1
  126. data/lib/datadog/core/buffer/thread_safe.rb +2 -2
  127. data/lib/datadog/core/chunker.rb +1 -1
  128. data/lib/datadog/core/configuration/agent_settings_resolver.rb +75 -44
  129. data/lib/datadog/core/configuration/base.rb +14 -4
  130. data/lib/datadog/core/configuration/components.rb +41 -291
  131. data/lib/datadog/core/configuration/dependency_resolver.rb +1 -1
  132. data/lib/datadog/core/configuration/ext.rb +24 -0
  133. data/lib/datadog/core/configuration/option.rb +1 -1
  134. data/lib/datadog/core/configuration/option_definition.rb +13 -4
  135. data/lib/datadog/core/configuration/option_definition_set.rb +2 -2
  136. data/lib/datadog/core/configuration/option_set.rb +1 -1
  137. data/lib/datadog/core/configuration/options.rb +3 -5
  138. data/lib/datadog/core/configuration/settings.rb +197 -246
  139. data/lib/datadog/core/configuration.rb +14 -11
  140. data/lib/datadog/core/diagnostics/environment_logger.rb +10 -7
  141. data/lib/datadog/core/diagnostics/health.rb +5 -23
  142. data/lib/datadog/core/encoding.rb +0 -4
  143. data/lib/datadog/core/environment/cgroup.rb +1 -5
  144. data/lib/datadog/core/environment/class_count.rb +1 -1
  145. data/lib/datadog/core/environment/container.rb +1 -5
  146. data/lib/datadog/core/environment/ext.rb +1 -3
  147. data/lib/datadog/core/environment/gc.rb +1 -1
  148. data/lib/datadog/core/environment/identity.rb +59 -3
  149. data/lib/datadog/core/environment/platform.rb +38 -0
  150. data/lib/datadog/core/environment/socket.rb +2 -2
  151. data/lib/datadog/core/environment/thread_count.rb +1 -1
  152. data/lib/datadog/core/environment/variable_helpers.rb +66 -12
  153. data/lib/datadog/core/environment/vm_cache.rb +18 -1
  154. data/lib/datadog/core/error.rb +1 -3
  155. data/lib/datadog/core/extensions.rb +2 -2
  156. data/lib/datadog/core/git/ext.rb +0 -2
  157. data/lib/datadog/core/header_collection.rb +43 -0
  158. data/lib/datadog/core/logger.rb +0 -2
  159. data/lib/datadog/core/metrics/client.rb +10 -11
  160. data/lib/datadog/core/metrics/ext.rb +0 -4
  161. data/lib/datadog/core/metrics/helpers.rb +1 -1
  162. data/lib/datadog/core/metrics/logging.rb +0 -2
  163. data/lib/datadog/core/metrics/metric.rb +1 -1
  164. data/lib/datadog/core/metrics/options.rb +3 -5
  165. data/lib/datadog/core/pin.rb +0 -2
  166. data/lib/datadog/core/remote/client/capabilities.rb +57 -0
  167. data/lib/datadog/core/remote/client.rb +229 -0
  168. data/lib/datadog/core/remote/component.rb +158 -0
  169. data/lib/datadog/core/remote/configuration/content.rb +84 -0
  170. data/lib/datadog/core/remote/configuration/digest.rb +62 -0
  171. data/lib/datadog/core/remote/configuration/path.rb +90 -0
  172. data/lib/datadog/core/remote/configuration/repository.rb +292 -0
  173. data/lib/datadog/core/remote/configuration/target.rb +74 -0
  174. data/lib/datadog/core/remote/configuration.rb +18 -0
  175. data/lib/datadog/core/remote/dispatcher.rb +59 -0
  176. data/lib/datadog/core/remote/ext.rb +12 -0
  177. data/lib/datadog/core/remote/negotiation.rb +57 -0
  178. data/lib/datadog/core/remote/worker.rb +96 -0
  179. data/lib/datadog/core/remote.rb +24 -0
  180. data/lib/datadog/core/runtime/ext.rb +3 -3
  181. data/lib/datadog/core/runtime/metrics.rb +27 -13
  182. data/lib/datadog/core/telemetry/client.rb +77 -0
  183. data/lib/datadog/core/telemetry/collector.rb +231 -0
  184. data/lib/datadog/core/telemetry/emitter.rb +46 -0
  185. data/lib/datadog/core/telemetry/event.rb +67 -0
  186. data/lib/datadog/core/telemetry/ext.rb +9 -0
  187. data/lib/datadog/core/telemetry/heartbeat.rb +37 -0
  188. data/lib/datadog/core/telemetry/http/adapters/net.rb +111 -0
  189. data/lib/datadog/core/telemetry/http/env.rb +20 -0
  190. data/lib/datadog/core/telemetry/http/ext.rb +20 -0
  191. data/lib/datadog/core/telemetry/http/response.rb +64 -0
  192. data/lib/datadog/core/telemetry/http/transport.rb +54 -0
  193. data/lib/datadog/core/telemetry/v1/app_event.rb +52 -0
  194. data/lib/datadog/core/telemetry/v1/application.rb +92 -0
  195. data/lib/datadog/core/telemetry/v1/configuration.rb +25 -0
  196. data/lib/datadog/core/telemetry/v1/dependency.rb +43 -0
  197. data/lib/datadog/core/telemetry/v1/host.rb +59 -0
  198. data/lib/datadog/core/telemetry/v1/integration.rb +64 -0
  199. data/lib/datadog/core/telemetry/v1/product.rb +36 -0
  200. data/lib/datadog/core/telemetry/v1/telemetry_request.rb +106 -0
  201. data/lib/datadog/core/transport/config.rb +58 -0
  202. data/lib/datadog/core/transport/http/api/instance.rb +37 -0
  203. data/lib/datadog/core/transport/http/api/spec.rb +19 -0
  204. data/lib/datadog/core/transport/http/api.rb +57 -0
  205. data/lib/datadog/core/transport/http/builder.rb +217 -0
  206. data/lib/datadog/core/transport/http/client.rb +45 -0
  207. data/lib/datadog/core/transport/http/config.rb +268 -0
  208. data/lib/datadog/core/transport/http/negotiation.rb +144 -0
  209. data/lib/datadog/core/transport/http.rb +169 -0
  210. data/lib/datadog/core/transport/negotiation.rb +60 -0
  211. data/lib/datadog/core/utils/compression.rb +6 -2
  212. data/lib/datadog/core/utils/forking.rb +0 -2
  213. data/lib/datadog/core/utils/hash.rb +32 -0
  214. data/lib/datadog/core/utils/network.rb +140 -0
  215. data/lib/datadog/core/utils/object_set.rb +2 -2
  216. data/lib/datadog/core/utils/only_once.rb +0 -2
  217. data/lib/datadog/core/utils/safe_dup.rb +20 -4
  218. data/lib/datadog/core/utils/sequence.rb +6 -1
  219. data/lib/datadog/core/utils/string_table.rb +1 -3
  220. data/lib/datadog/core/utils/time.rb +4 -6
  221. data/lib/datadog/core/utils.rb +1 -24
  222. data/lib/datadog/core/vendor/ipaddr.rb +78 -0
  223. data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +0 -2
  224. data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +2 -4
  225. data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +0 -2
  226. data/lib/datadog/core/vendor/multipart-post/multipart/post/version.rb +0 -2
  227. data/lib/datadog/core/vendor/multipart-post/multipart/post.rb +0 -2
  228. data/lib/datadog/core/vendor/multipart-post/multipart.rb +0 -2
  229. data/lib/datadog/core/vendor/multipart-post/net/http/post/multipart.rb +3 -5
  230. data/lib/datadog/core/worker.rb +1 -1
  231. data/lib/datadog/core/workers/async.rb +7 -7
  232. data/lib/datadog/core/workers/interval_loop.rb +6 -2
  233. data/lib/datadog/core/workers/polling.rb +2 -4
  234. data/lib/datadog/core/workers/queue.rb +1 -1
  235. data/lib/datadog/core/workers/runtime_metrics.rb +5 -5
  236. data/lib/datadog/core.rb +21 -56
  237. data/lib/datadog/kit/appsec/events.rb +119 -0
  238. data/lib/datadog/kit/enable_core_dumps.rb +6 -6
  239. data/lib/datadog/kit/identity.rb +43 -17
  240. data/lib/datadog/kit.rb +2 -2
  241. data/lib/datadog/opentelemetry/api/context.rb +186 -0
  242. data/lib/datadog/opentelemetry/api/trace/span.rb +14 -0
  243. data/lib/datadog/opentelemetry/sdk/configurator.rb +37 -0
  244. data/lib/datadog/opentelemetry/sdk/id_generator.rb +26 -0
  245. data/lib/datadog/opentelemetry/sdk/propagator.rb +90 -0
  246. data/lib/datadog/opentelemetry/sdk/span_processor.rb +91 -0
  247. data/lib/datadog/opentelemetry.rb +47 -0
  248. data/lib/datadog/opentracer/binary_propagator.rb +1 -1
  249. data/lib/datadog/opentracer/carrier.rb +1 -1
  250. data/lib/datadog/opentracer/distributed_headers.rb +7 -11
  251. data/lib/datadog/opentracer/global_tracer.rb +1 -1
  252. data/lib/datadog/opentracer/propagator.rb +1 -1
  253. data/lib/datadog/opentracer/rack_propagator.rb +10 -11
  254. data/lib/datadog/opentracer/scope.rb +1 -1
  255. data/lib/datadog/opentracer/scope_manager.rb +1 -1
  256. data/lib/datadog/opentracer/span.rb +1 -3
  257. data/lib/datadog/opentracer/span_context.rb +1 -1
  258. data/lib/datadog/opentracer/span_context_factory.rb +1 -1
  259. data/lib/datadog/opentracer/text_map_propagator.rb +13 -14
  260. data/lib/datadog/opentracer/thread_local_scope.rb +1 -1
  261. data/lib/datadog/opentracer/thread_local_scope_manager.rb +24 -3
  262. data/lib/datadog/opentracer/tracer.rb +23 -23
  263. data/lib/datadog/opentracer.rb +17 -17
  264. data/lib/datadog/profiling/backtrace_location.rb +1 -1
  265. data/lib/datadog/profiling/buffer.rb +4 -4
  266. data/lib/datadog/profiling/collectors/code_provenance.rb +1 -2
  267. data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +114 -0
  268. data/lib/datadog/profiling/collectors/dynamic_sampling_rate.rb +14 -0
  269. data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +66 -0
  270. data/lib/datadog/profiling/collectors/old_stack.rb +16 -13
  271. data/lib/datadog/profiling/collectors/stack.rb +4 -7
  272. data/lib/datadog/profiling/collectors/thread_context.rb +46 -0
  273. data/lib/datadog/profiling/component.rb +275 -0
  274. data/lib/datadog/profiling/encoding/profile.rb +8 -14
  275. data/lib/datadog/profiling/event.rb +1 -1
  276. data/lib/datadog/profiling/events/stack.rb +2 -2
  277. data/lib/datadog/profiling/exporter.rb +69 -11
  278. data/lib/datadog/profiling/ext/forking.rb +41 -44
  279. data/lib/datadog/profiling/ext.rb +28 -40
  280. data/lib/datadog/profiling/flush.rb +26 -57
  281. data/lib/datadog/profiling/http_transport.rb +130 -0
  282. data/lib/datadog/profiling/load_native_extension.rb +0 -2
  283. data/lib/datadog/profiling/native_extension.rb +1 -1
  284. data/lib/datadog/profiling/old_recorder.rb +107 -0
  285. data/lib/datadog/profiling/pprof/builder.rb +4 -6
  286. data/lib/datadog/profiling/pprof/converter.rb +1 -3
  287. data/lib/datadog/profiling/pprof/message_set.rb +2 -2
  288. data/lib/datadog/profiling/pprof/payload.rb +1 -1
  289. data/lib/datadog/profiling/pprof/pprof_pb.rb +0 -2
  290. data/lib/datadog/profiling/pprof/stack_sample.rb +4 -6
  291. data/lib/datadog/profiling/pprof/string_table.rb +2 -2
  292. data/lib/datadog/profiling/pprof/template.rb +5 -7
  293. data/lib/datadog/profiling/preload.rb +2 -2
  294. data/lib/datadog/profiling/profiler.rb +7 -2
  295. data/lib/datadog/profiling/scheduler.rb +30 -51
  296. data/lib/datadog/profiling/stack_recorder.rb +31 -8
  297. data/lib/datadog/profiling/tag_builder.rb +7 -2
  298. data/lib/datadog/profiling/tasks/exec.rb +0 -2
  299. data/lib/datadog/profiling/tasks/help.rb +0 -2
  300. data/lib/datadog/profiling/tasks/setup.rb +2 -37
  301. data/lib/datadog/profiling/trace_identifiers/ddtrace.rb +2 -4
  302. data/lib/datadog/profiling/trace_identifiers/helper.rb +1 -3
  303. data/lib/datadog/profiling.rb +70 -28
  304. data/lib/datadog/tracing/analytics.rb +2 -2
  305. data/lib/datadog/tracing/buffer.rb +4 -9
  306. data/lib/datadog/tracing/client_ip.rb +61 -0
  307. data/lib/datadog/tracing/component.rb +176 -0
  308. data/lib/datadog/tracing/configuration/ext.rb +56 -6
  309. data/lib/datadog/tracing/configuration/settings.rb +465 -0
  310. data/lib/datadog/tracing/context.rb +2 -2
  311. data/lib/datadog/tracing/context_provider.rb +18 -4
  312. data/lib/datadog/tracing/contrib/action_cable/configuration/settings.rb +3 -3
  313. data/lib/datadog/tracing/contrib/action_cable/event.rb +5 -6
  314. data/lib/datadog/tracing/contrib/action_cable/events/broadcast.rb +4 -6
  315. data/lib/datadog/tracing/contrib/action_cable/events/perform_action.rb +3 -5
  316. data/lib/datadog/tracing/contrib/action_cable/events/transmit.rb +4 -6
  317. data/lib/datadog/tracing/contrib/action_cable/events.rb +5 -5
  318. data/lib/datadog/tracing/contrib/action_cable/ext.rb +0 -2
  319. data/lib/datadog/tracing/contrib/action_cable/instrumentation.rb +3 -6
  320. data/lib/datadog/tracing/contrib/action_cable/integration.rb +4 -6
  321. data/lib/datadog/tracing/contrib/action_cable/patcher.rb +5 -5
  322. data/lib/datadog/tracing/contrib/action_mailer/configuration/settings.rb +3 -3
  323. data/lib/datadog/tracing/contrib/action_mailer/event.rb +4 -4
  324. data/lib/datadog/tracing/contrib/action_mailer/events/deliver.rb +3 -5
  325. data/lib/datadog/tracing/contrib/action_mailer/events/process.rb +3 -5
  326. data/lib/datadog/tracing/contrib/action_mailer/events.rb +3 -3
  327. data/lib/datadog/tracing/contrib/action_mailer/ext.rb +0 -2
  328. data/lib/datadog/tracing/contrib/action_mailer/integration.rb +4 -6
  329. data/lib/datadog/tracing/contrib/action_mailer/patcher.rb +4 -4
  330. data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +12 -32
  331. data/lib/datadog/tracing/contrib/action_pack/action_controller/patcher.rb +3 -3
  332. data/lib/datadog/tracing/contrib/action_pack/configuration/settings.rb +15 -4
  333. data/lib/datadog/tracing/contrib/action_pack/ext.rb +0 -2
  334. data/lib/datadog/tracing/contrib/action_pack/integration.rb +4 -6
  335. data/lib/datadog/tracing/contrib/action_pack/patcher.rb +3 -3
  336. data/lib/datadog/tracing/contrib/action_pack/utils.rb +1 -3
  337. data/lib/datadog/tracing/contrib/action_view/configuration/settings.rb +2 -4
  338. data/lib/datadog/tracing/contrib/action_view/event.rb +2 -2
  339. data/lib/datadog/tracing/contrib/action_view/events/render_partial.rb +5 -7
  340. data/lib/datadog/tracing/contrib/action_view/events/render_template.rb +5 -7
  341. data/lib/datadog/tracing/contrib/action_view/events.rb +3 -3
  342. data/lib/datadog/tracing/contrib/action_view/ext.rb +0 -2
  343. data/lib/datadog/tracing/contrib/action_view/instrumentation/partial_renderer.rb +2 -4
  344. data/lib/datadog/tracing/contrib/action_view/instrumentation/template_renderer.rb +2 -4
  345. data/lib/datadog/tracing/contrib/action_view/integration.rb +4 -6
  346. data/lib/datadog/tracing/contrib/action_view/patcher.rb +7 -9
  347. data/lib/datadog/tracing/contrib/action_view/utils.rb +1 -3
  348. data/lib/datadog/tracing/contrib/active_job/configuration/settings.rb +4 -4
  349. data/lib/datadog/tracing/contrib/active_job/event.rb +4 -4
  350. data/lib/datadog/tracing/contrib/active_job/events/discard.rb +4 -6
  351. data/lib/datadog/tracing/contrib/active_job/events/enqueue.rb +4 -6
  352. data/lib/datadog/tracing/contrib/active_job/events/enqueue_at.rb +4 -6
  353. data/lib/datadog/tracing/contrib/active_job/events/enqueue_retry.rb +4 -6
  354. data/lib/datadog/tracing/contrib/active_job/events/perform.rb +4 -6
  355. data/lib/datadog/tracing/contrib/active_job/events/retry_stopped.rb +4 -6
  356. data/lib/datadog/tracing/contrib/active_job/events.rb +7 -7
  357. data/lib/datadog/tracing/contrib/active_job/ext.rb +0 -2
  358. data/lib/datadog/tracing/contrib/active_job/integration.rb +4 -6
  359. data/lib/datadog/tracing/contrib/active_job/log_injection.rb +1 -3
  360. data/lib/datadog/tracing/contrib/active_job/patcher.rb +5 -5
  361. data/lib/datadog/tracing/contrib/active_model_serializers/configuration/settings.rb +3 -3
  362. data/lib/datadog/tracing/contrib/active_model_serializers/event.rb +5 -6
  363. data/lib/datadog/tracing/contrib/active_model_serializers/events/render.rb +3 -5
  364. data/lib/datadog/tracing/contrib/active_model_serializers/events/serialize.rb +2 -4
  365. data/lib/datadog/tracing/contrib/active_model_serializers/events.rb +3 -3
  366. data/lib/datadog/tracing/contrib/active_model_serializers/ext.rb +0 -2
  367. data/lib/datadog/tracing/contrib/active_model_serializers/integration.rb +3 -5
  368. data/lib/datadog/tracing/contrib/active_model_serializers/patcher.rb +4 -5
  369. data/lib/datadog/tracing/contrib/active_record/configuration/makara_resolver.rb +0 -2
  370. data/lib/datadog/tracing/contrib/active_record/configuration/resolver.rb +2 -4
  371. data/lib/datadog/tracing/contrib/active_record/configuration/settings.rb +10 -5
  372. data/lib/datadog/tracing/contrib/active_record/event.rb +2 -2
  373. data/lib/datadog/tracing/contrib/active_record/events/instantiation.rb +4 -6
  374. data/lib/datadog/tracing/contrib/active_record/events/sql.rb +10 -9
  375. data/lib/datadog/tracing/contrib/active_record/events.rb +3 -3
  376. data/lib/datadog/tracing/contrib/active_record/ext.rb +0 -2
  377. data/lib/datadog/tracing/contrib/active_record/integration.rb +6 -8
  378. data/lib/datadog/tracing/contrib/active_record/patcher.rb +3 -3
  379. data/lib/datadog/tracing/contrib/active_record/utils.rb +2 -4
  380. data/lib/datadog/tracing/contrib/active_record/vendor/connection_specification.rb +0 -2
  381. data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +24 -12
  382. data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +3 -3
  383. data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +2 -2
  384. data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +12 -4
  385. data/lib/datadog/tracing/contrib/active_support/ext.rb +0 -2
  386. data/lib/datadog/tracing/contrib/active_support/integration.rb +5 -7
  387. data/lib/datadog/tracing/contrib/active_support/notifications/event.rb +2 -2
  388. data/lib/datadog/tracing/contrib/active_support/notifications/subscriber.rb +2 -2
  389. data/lib/datadog/tracing/contrib/active_support/notifications/subscription.rb +0 -2
  390. data/lib/datadog/tracing/contrib/active_support/patcher.rb +3 -3
  391. data/lib/datadog/tracing/contrib/analytics.rb +2 -2
  392. data/lib/datadog/tracing/contrib/auto_instrument.rb +5 -5
  393. data/lib/datadog/tracing/contrib/aws/configuration/settings.rb +13 -4
  394. data/lib/datadog/tracing/contrib/aws/ext.rb +12 -3
  395. data/lib/datadog/tracing/contrib/aws/instrumentation.rb +19 -6
  396. data/lib/datadog/tracing/contrib/aws/integration.rb +3 -5
  397. data/lib/datadog/tracing/contrib/aws/parsed_context.rb +4 -2
  398. data/lib/datadog/tracing/contrib/aws/patcher.rb +6 -6
  399. data/lib/datadog/tracing/contrib/aws/service/base.rb +16 -0
  400. data/lib/datadog/tracing/contrib/aws/service/dynamodb.rb +22 -0
  401. data/lib/datadog/tracing/contrib/aws/service/eventbridge.rb +22 -0
  402. data/lib/datadog/tracing/contrib/aws/service/kinesis.rb +32 -0
  403. data/lib/datadog/tracing/contrib/aws/service/s3.rb +22 -0
  404. data/lib/datadog/tracing/contrib/aws/service/sns.rb +30 -0
  405. data/lib/datadog/tracing/contrib/aws/service/sqs.rb +27 -0
  406. data/lib/datadog/tracing/contrib/aws/service/states.rb +40 -0
  407. data/lib/datadog/tracing/contrib/aws/services.rb +17 -3
  408. data/lib/datadog/tracing/contrib/concurrent_ruby/configuration/settings.rb +3 -3
  409. data/lib/datadog/tracing/contrib/concurrent_ruby/context_composite_executor_service.rb +1 -1
  410. data/lib/datadog/tracing/contrib/concurrent_ruby/ext.rb +0 -2
  411. data/lib/datadog/tracing/contrib/concurrent_ruby/future_patch.rb +2 -2
  412. data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +3 -5
  413. data/lib/datadog/tracing/contrib/concurrent_ruby/patcher.rb +3 -4
  414. data/lib/datadog/tracing/contrib/configurable.rb +3 -3
  415. data/lib/datadog/tracing/contrib/configuration/resolver.rb +1 -1
  416. data/lib/datadog/tracing/contrib/configuration/resolvers/pattern_resolver.rb +2 -2
  417. data/lib/datadog/tracing/contrib/configuration/settings.rb +2 -6
  418. data/lib/datadog/tracing/contrib/dalli/configuration/settings.rb +12 -4
  419. data/lib/datadog/tracing/contrib/dalli/ext.rb +2 -2
  420. data/lib/datadog/tracing/contrib/dalli/instrumentation.rb +14 -8
  421. data/lib/datadog/tracing/contrib/dalli/integration.rb +3 -5
  422. data/lib/datadog/tracing/contrib/dalli/patcher.rb +4 -4
  423. data/lib/datadog/tracing/contrib/dalli/quantize.rb +1 -3
  424. data/lib/datadog/tracing/contrib/delayed_job/configuration/settings.rb +4 -4
  425. data/lib/datadog/tracing/contrib/delayed_job/ext.rb +2 -2
  426. data/lib/datadog/tracing/contrib/delayed_job/integration.rb +3 -5
  427. data/lib/datadog/tracing/contrib/delayed_job/patcher.rb +9 -3
  428. data/lib/datadog/tracing/contrib/delayed_job/plugin.rb +12 -5
  429. data/lib/datadog/tracing/contrib/delayed_job/server_internal_tracer/worker.rb +34 -0
  430. data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +13 -4
  431. data/lib/datadog/tracing/contrib/elasticsearch/ext.rb +3 -2
  432. data/lib/datadog/tracing/contrib/elasticsearch/integration.rb +3 -5
  433. data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +14 -10
  434. data/lib/datadog/tracing/contrib/elasticsearch/quantize.rb +1 -5
  435. data/lib/datadog/tracing/contrib/ethon/configuration/settings.rb +14 -4
  436. data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +11 -12
  437. data/lib/datadog/tracing/contrib/ethon/ext.rb +1 -2
  438. data/lib/datadog/tracing/contrib/ethon/integration.rb +4 -6
  439. data/lib/datadog/tracing/contrib/ethon/multi_patch.rb +10 -7
  440. data/lib/datadog/tracing/contrib/ethon/patcher.rb +4 -5
  441. data/lib/datadog/tracing/contrib/excon/configuration/settings.rb +13 -4
  442. data/lib/datadog/tracing/contrib/excon/ext.rb +1 -2
  443. data/lib/datadog/tracing/contrib/excon/integration.rb +4 -6
  444. data/lib/datadog/tracing/contrib/excon/middleware.rb +13 -11
  445. data/lib/datadog/tracing/contrib/excon/patcher.rb +3 -3
  446. data/lib/datadog/tracing/contrib/ext.rb +30 -0
  447. data/lib/datadog/tracing/contrib/extensions.rb +5 -5
  448. data/lib/datadog/tracing/contrib/faraday/configuration/settings.rb +13 -4
  449. data/lib/datadog/tracing/contrib/faraday/connection.rb +1 -1
  450. data/lib/datadog/tracing/contrib/faraday/ext.rb +1 -2
  451. data/lib/datadog/tracing/contrib/faraday/integration.rb +4 -6
  452. data/lib/datadog/tracing/contrib/faraday/middleware.rb +13 -12
  453. data/lib/datadog/tracing/contrib/faraday/patcher.rb +5 -7
  454. data/lib/datadog/tracing/contrib/faraday/rack_builder.rb +1 -1
  455. data/lib/datadog/tracing/contrib/grape/configuration/settings.rb +4 -4
  456. data/lib/datadog/tracing/contrib/grape/endpoint.rb +4 -9
  457. data/lib/datadog/tracing/contrib/grape/ext.rb +0 -2
  458. data/lib/datadog/tracing/contrib/grape/instrumentation.rb +0 -2
  459. data/lib/datadog/tracing/contrib/grape/integration.rb +3 -5
  460. data/lib/datadog/tracing/contrib/grape/patcher.rb +5 -5
  461. data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +4 -4
  462. data/lib/datadog/tracing/contrib/graphql/ext.rb +0 -2
  463. data/lib/datadog/tracing/contrib/graphql/integration.rb +3 -5
  464. data/lib/datadog/tracing/contrib/graphql/patcher.rb +2 -5
  465. data/lib/datadog/tracing/contrib/grpc/configuration/settings.rb +16 -5
  466. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +25 -9
  467. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +17 -19
  468. data/lib/datadog/tracing/contrib/grpc/datadog_interceptor.rb +7 -6
  469. data/lib/datadog/tracing/contrib/grpc/distributed/fetcher.rb +26 -0
  470. data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +42 -0
  471. data/lib/datadog/tracing/contrib/grpc/ext.rb +4 -2
  472. data/lib/datadog/tracing/contrib/grpc/integration.rb +11 -6
  473. data/lib/datadog/tracing/contrib/grpc/intercept_with_datadog.rb +1 -1
  474. data/lib/datadog/tracing/contrib/grpc/patcher.rb +4 -7
  475. data/lib/datadog/tracing/contrib/hanami/action_tracer.rb +47 -0
  476. data/lib/datadog/tracing/contrib/hanami/configuration/settings.rb +22 -0
  477. data/lib/datadog/tracing/contrib/hanami/ext.rb +22 -0
  478. data/lib/datadog/tracing/contrib/hanami/integration.rb +42 -0
  479. data/lib/datadog/tracing/contrib/hanami/patcher.rb +33 -0
  480. data/lib/datadog/tracing/contrib/hanami/plugin.rb +23 -0
  481. data/lib/datadog/tracing/contrib/hanami/renderer_policy_tracing.rb +41 -0
  482. data/lib/datadog/tracing/contrib/hanami/router_tracing.rb +44 -0
  483. data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +2 -3
  484. data/lib/datadog/tracing/contrib/http/configuration/settings.rb +19 -4
  485. data/lib/datadog/tracing/contrib/http/distributed/fetcher.rb +38 -0
  486. data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +37 -0
  487. data/lib/datadog/tracing/contrib/http/ext.rb +2 -2
  488. data/lib/datadog/tracing/contrib/http/instrumentation.rb +13 -14
  489. data/lib/datadog/tracing/contrib/http/integration.rb +8 -8
  490. data/lib/datadog/tracing/contrib/http/patcher.rb +4 -4
  491. data/lib/datadog/tracing/contrib/http_annotation_helper.rb +1 -1
  492. data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +19 -4
  493. data/lib/datadog/tracing/contrib/httpclient/ext.rb +2 -2
  494. data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +14 -13
  495. data/lib/datadog/tracing/contrib/httpclient/integration.rb +4 -6
  496. data/lib/datadog/tracing/contrib/httpclient/patcher.rb +3 -5
  497. data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +19 -4
  498. data/lib/datadog/tracing/contrib/httprb/ext.rb +2 -2
  499. data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +13 -13
  500. data/lib/datadog/tracing/contrib/httprb/integration.rb +4 -6
  501. data/lib/datadog/tracing/contrib/httprb/patcher.rb +3 -5
  502. data/lib/datadog/tracing/contrib/integration.rb +4 -4
  503. data/lib/datadog/tracing/contrib/kafka/configuration/settings.rb +3 -3
  504. data/lib/datadog/tracing/contrib/kafka/consumer_event.rb +2 -1
  505. data/lib/datadog/tracing/contrib/kafka/consumer_group_event.rb +1 -1
  506. data/lib/datadog/tracing/contrib/kafka/event.rb +5 -4
  507. data/lib/datadog/tracing/contrib/kafka/events/connection/request.rb +2 -4
  508. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_batch.rb +3 -5
  509. data/lib/datadog/tracing/contrib/kafka/events/consumer/process_message.rb +3 -5
  510. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/heartbeat.rb +4 -6
  511. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/join_group.rb +4 -6
  512. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/leave_group.rb +4 -6
  513. data/lib/datadog/tracing/contrib/kafka/events/consumer_group/sync_group.rb +4 -6
  514. data/lib/datadog/tracing/contrib/kafka/events/produce_operation/send_messages.rb +3 -4
  515. data/lib/datadog/tracing/contrib/kafka/events/producer/deliver_messages.rb +3 -4
  516. data/lib/datadog/tracing/contrib/kafka/events.rb +10 -10
  517. data/lib/datadog/tracing/contrib/kafka/ext.rb +1 -2
  518. data/lib/datadog/tracing/contrib/kafka/integration.rb +3 -5
  519. data/lib/datadog/tracing/contrib/kafka/patcher.rb +4 -4
  520. data/lib/datadog/tracing/contrib/lograge/configuration/settings.rb +3 -3
  521. data/lib/datadog/tracing/contrib/lograge/ext.rb +0 -2
  522. data/lib/datadog/tracing/contrib/lograge/instrumentation.rb +2 -3
  523. data/lib/datadog/tracing/contrib/lograge/integration.rb +3 -5
  524. data/lib/datadog/tracing/contrib/lograge/patcher.rb +3 -3
  525. data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +13 -4
  526. data/lib/datadog/tracing/contrib/mongodb/ext.rb +8 -2
  527. data/lib/datadog/tracing/contrib/mongodb/instrumentation.rb +4 -4
  528. data/lib/datadog/tracing/contrib/mongodb/integration.rb +4 -6
  529. data/lib/datadog/tracing/contrib/mongodb/parsers.rb +1 -3
  530. data/lib/datadog/tracing/contrib/mongodb/patcher.rb +4 -4
  531. data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +15 -8
  532. data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +24 -4
  533. data/lib/datadog/tracing/contrib/mysql2/ext.rb +2 -2
  534. data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +26 -8
  535. data/lib/datadog/tracing/contrib/mysql2/integration.rb +3 -5
  536. data/lib/datadog/tracing/contrib/mysql2/patcher.rb +3 -3
  537. data/lib/datadog/tracing/contrib/patchable.rb +1 -1
  538. data/lib/datadog/tracing/contrib/patcher.rb +15 -6
  539. data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +55 -0
  540. data/lib/datadog/tracing/contrib/pg/ext.rb +31 -0
  541. data/lib/datadog/tracing/contrib/pg/instrumentation.rb +171 -0
  542. data/lib/datadog/tracing/contrib/pg/integration.rb +41 -0
  543. data/lib/datadog/tracing/contrib/pg/patcher.rb +31 -0
  544. data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +12 -4
  545. data/lib/datadog/tracing/contrib/presto/ext.rb +2 -2
  546. data/lib/datadog/tracing/contrib/presto/instrumentation.rb +9 -7
  547. data/lib/datadog/tracing/contrib/presto/integration.rb +3 -5
  548. data/lib/datadog/tracing/contrib/presto/patcher.rb +4 -6
  549. data/lib/datadog/tracing/contrib/propagation/sql_comment/comment.rb +41 -0
  550. data/lib/datadog/tracing/contrib/propagation/sql_comment/ext.rb +31 -0
  551. data/lib/datadog/tracing/contrib/propagation/sql_comment/mode.rb +28 -0
  552. data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +53 -0
  553. data/lib/datadog/tracing/contrib/qless/configuration/settings.rb +3 -3
  554. data/lib/datadog/tracing/contrib/qless/ext.rb +0 -2
  555. data/lib/datadog/tracing/contrib/qless/integration.rb +3 -5
  556. data/lib/datadog/tracing/contrib/qless/patcher.rb +2 -4
  557. data/lib/datadog/tracing/contrib/qless/qless_job.rb +5 -5
  558. data/lib/datadog/tracing/contrib/qless/tracer_cleaner.rb +1 -3
  559. data/lib/datadog/tracing/contrib/que/configuration/settings.rb +3 -5
  560. data/lib/datadog/tracing/contrib/que/ext.rb +0 -2
  561. data/lib/datadog/tracing/contrib/que/integration.rb +4 -6
  562. data/lib/datadog/tracing/contrib/que/patcher.rb +1 -3
  563. data/lib/datadog/tracing/contrib/que/tracer.rb +5 -3
  564. data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +12 -4
  565. data/lib/datadog/tracing/contrib/racecar/event.rb +9 -7
  566. data/lib/datadog/tracing/contrib/racecar/events/batch.rb +6 -5
  567. data/lib/datadog/tracing/contrib/racecar/events/consume.rb +2 -4
  568. data/lib/datadog/tracing/contrib/racecar/events/message.rb +6 -5
  569. data/lib/datadog/tracing/contrib/racecar/events.rb +4 -4
  570. data/lib/datadog/tracing/contrib/racecar/ext.rb +1 -2
  571. data/lib/datadog/tracing/contrib/racecar/integration.rb +3 -5
  572. data/lib/datadog/tracing/contrib/racecar/patcher.rb +4 -4
  573. data/lib/datadog/tracing/contrib/rack/configuration/settings.rb +2 -4
  574. data/lib/datadog/tracing/contrib/rack/ext.rb +5 -2
  575. data/lib/datadog/tracing/contrib/rack/header_collection.rb +35 -0
  576. data/lib/datadog/tracing/contrib/rack/integration.rb +4 -6
  577. data/lib/datadog/tracing/contrib/rack/middlewares.rb +172 -78
  578. data/lib/datadog/tracing/contrib/rack/patcher.rb +12 -4
  579. data/lib/datadog/tracing/contrib/rack/request_queue.rb +0 -2
  580. data/lib/datadog/tracing/contrib/rails/auto_instrument_railtie.rb +1 -3
  581. data/lib/datadog/tracing/contrib/rails/configuration/settings.rb +12 -4
  582. data/lib/datadog/tracing/contrib/rails/ext.rb +0 -2
  583. data/lib/datadog/tracing/contrib/rails/framework.rb +20 -24
  584. data/lib/datadog/tracing/contrib/rails/integration.rb +4 -6
  585. data/lib/datadog/tracing/contrib/rails/log_injection.rb +0 -4
  586. data/lib/datadog/tracing/contrib/rails/middlewares.rb +2 -3
  587. data/lib/datadog/tracing/contrib/rails/patcher.rb +7 -10
  588. data/lib/datadog/tracing/contrib/rails/railtie.rb +3 -5
  589. data/lib/datadog/tracing/contrib/rails/utils.rb +3 -3
  590. data/lib/datadog/tracing/contrib/rake/configuration/settings.rb +18 -3
  591. data/lib/datadog/tracing/contrib/rake/ext.rb +0 -2
  592. data/lib/datadog/tracing/contrib/rake/instrumentation.rb +12 -9
  593. data/lib/datadog/tracing/contrib/rake/integration.rb +3 -5
  594. data/lib/datadog/tracing/contrib/rake/patcher.rb +4 -5
  595. data/lib/datadog/tracing/contrib/redis/configuration/resolver.rb +1 -3
  596. data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +12 -4
  597. data/lib/datadog/tracing/contrib/redis/ext.rb +3 -2
  598. data/lib/datadog/tracing/contrib/redis/instrumentation.rb +36 -28
  599. data/lib/datadog/tracing/contrib/redis/integration.rb +37 -6
  600. data/lib/datadog/tracing/contrib/redis/patcher.rb +56 -14
  601. data/lib/datadog/tracing/contrib/redis/quantize.rb +11 -10
  602. data/lib/datadog/tracing/contrib/redis/tags.rb +17 -12
  603. data/lib/datadog/tracing/contrib/redis/trace_middleware.rb +70 -0
  604. data/lib/datadog/tracing/contrib/redis/vendor/resolver.rb +0 -2
  605. data/lib/datadog/tracing/contrib/registerable.rb +1 -1
  606. data/lib/datadog/tracing/contrib/registry.rb +1 -1
  607. data/lib/datadog/tracing/contrib/resque/configuration/settings.rb +4 -4
  608. data/lib/datadog/tracing/contrib/resque/ext.rb +0 -2
  609. data/lib/datadog/tracing/contrib/resque/integration.rb +3 -5
  610. data/lib/datadog/tracing/contrib/resque/patcher.rb +3 -3
  611. data/lib/datadog/tracing/contrib/resque/resque_job.rb +8 -5
  612. data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +15 -4
  613. data/lib/datadog/tracing/contrib/rest_client/ext.rb +1 -2
  614. data/lib/datadog/tracing/contrib/rest_client/integration.rb +3 -5
  615. data/lib/datadog/tracing/contrib/rest_client/patcher.rb +3 -4
  616. data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +12 -8
  617. data/lib/datadog/tracing/contrib/roda/configuration/settings.rb +34 -0
  618. data/lib/datadog/tracing/contrib/roda/ext.rb +18 -0
  619. data/lib/datadog/tracing/contrib/roda/instrumentation.rb +76 -0
  620. data/lib/datadog/tracing/contrib/roda/integration.rb +45 -0
  621. data/lib/datadog/tracing/contrib/roda/patcher.rb +30 -0
  622. data/lib/datadog/tracing/contrib/semantic_logger/configuration/settings.rb +3 -3
  623. data/lib/datadog/tracing/contrib/semantic_logger/ext.rb +0 -2
  624. data/lib/datadog/tracing/contrib/semantic_logger/instrumentation.rb +3 -3
  625. data/lib/datadog/tracing/contrib/semantic_logger/integration.rb +3 -5
  626. data/lib/datadog/tracing/contrib/semantic_logger/patcher.rb +3 -3
  627. data/lib/datadog/tracing/contrib/sequel/configuration/settings.rb +3 -3
  628. data/lib/datadog/tracing/contrib/sequel/database.rb +8 -8
  629. data/lib/datadog/tracing/contrib/sequel/dataset.rb +9 -7
  630. data/lib/datadog/tracing/contrib/sequel/ext.rb +0 -2
  631. data/lib/datadog/tracing/contrib/sequel/integration.rb +3 -5
  632. data/lib/datadog/tracing/contrib/sequel/patcher.rb +4 -4
  633. data/lib/datadog/tracing/contrib/sequel/utils.rb +6 -5
  634. data/lib/datadog/tracing/contrib/shoryuken/configuration/settings.rb +4 -4
  635. data/lib/datadog/tracing/contrib/shoryuken/ext.rb +1 -2
  636. data/lib/datadog/tracing/contrib/shoryuken/integration.rb +4 -6
  637. data/lib/datadog/tracing/contrib/shoryuken/patcher.rb +2 -2
  638. data/lib/datadog/tracing/contrib/shoryuken/tracer.rb +6 -2
  639. data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +21 -8
  640. data/lib/datadog/tracing/contrib/sidekiq/configuration/settings.rb +5 -4
  641. data/lib/datadog/tracing/contrib/sidekiq/distributed/propagation.rb +38 -0
  642. data/lib/datadog/tracing/contrib/sidekiq/ext.rb +6 -2
  643. data/lib/datadog/tracing/contrib/sidekiq/integration.rb +11 -5
  644. data/lib/datadog/tracing/contrib/sidekiq/patcher.rb +28 -9
  645. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/heartbeat.rb +29 -2
  646. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/job_fetch.rb +3 -1
  647. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/{scheduled_push.rb → redis_info.rb} +8 -7
  648. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/scheduled_poller.rb +57 -0
  649. data/lib/datadog/tracing/contrib/sidekiq/server_internal_tracer/stop.rb +34 -0
  650. data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +28 -8
  651. data/lib/datadog/tracing/contrib/sidekiq/{tracing.rb → utils.rb} +4 -4
  652. data/lib/datadog/tracing/contrib/sinatra/configuration/settings.rb +2 -4
  653. data/lib/datadog/tracing/contrib/sinatra/env.rb +14 -27
  654. data/lib/datadog/tracing/contrib/sinatra/ext.rb +7 -5
  655. data/lib/datadog/tracing/contrib/sinatra/framework.rb +0 -4
  656. data/lib/datadog/tracing/contrib/sinatra/headers.rb +2 -2
  657. data/lib/datadog/tracing/contrib/sinatra/integration.rb +3 -5
  658. data/lib/datadog/tracing/contrib/sinatra/patcher.rb +7 -8
  659. data/lib/datadog/tracing/contrib/sinatra/tracer.rb +15 -90
  660. data/lib/datadog/tracing/contrib/sinatra/tracer_middleware.rb +21 -17
  661. data/lib/datadog/tracing/contrib/sneakers/configuration/settings.rb +2 -4
  662. data/lib/datadog/tracing/contrib/sneakers/ext.rb +1 -2
  663. data/lib/datadog/tracing/contrib/sneakers/integration.rb +4 -6
  664. data/lib/datadog/tracing/contrib/sneakers/patcher.rb +2 -4
  665. data/lib/datadog/tracing/contrib/sneakers/tracer.rb +7 -5
  666. data/lib/datadog/tracing/contrib/span_attribute_schema.rb +28 -0
  667. data/lib/datadog/tracing/contrib/status_code_matcher.rb +1 -4
  668. data/lib/datadog/tracing/contrib/stripe/configuration/settings.rb +33 -0
  669. data/lib/datadog/tracing/contrib/stripe/ext.rb +26 -0
  670. data/lib/datadog/tracing/contrib/stripe/integration.rb +43 -0
  671. data/lib/datadog/tracing/contrib/stripe/patcher.rb +28 -0
  672. data/lib/datadog/tracing/contrib/stripe/request.rb +67 -0
  673. data/lib/datadog/tracing/contrib/sucker_punch/configuration/settings.rb +3 -3
  674. data/lib/datadog/tracing/contrib/sucker_punch/exception_handler.rb +1 -1
  675. data/lib/datadog/tracing/contrib/sucker_punch/ext.rb +0 -2
  676. data/lib/datadog/tracing/contrib/sucker_punch/instrumentation.rb +3 -6
  677. data/lib/datadog/tracing/contrib/sucker_punch/integration.rb +3 -5
  678. data/lib/datadog/tracing/contrib/sucker_punch/patcher.rb +5 -7
  679. data/lib/datadog/tracing/contrib/utils/database.rb +0 -2
  680. data/lib/datadog/tracing/contrib/utils/quantization/hash.rb +0 -2
  681. data/lib/datadog/tracing/contrib/utils/quantization/http.rb +92 -14
  682. data/lib/datadog/tracing/contrib.rb +52 -48
  683. data/lib/datadog/tracing/correlation.rb +25 -14
  684. data/lib/datadog/{core → tracing}/diagnostics/ext.rb +1 -8
  685. data/lib/datadog/tracing/diagnostics/health.rb +40 -0
  686. data/lib/datadog/tracing/distributed/b3_multi.rb +72 -0
  687. data/lib/datadog/tracing/distributed/b3_single.rb +68 -0
  688. data/lib/datadog/tracing/distributed/datadog.rb +200 -0
  689. data/lib/datadog/tracing/distributed/datadog_tags_codec.rb +84 -0
  690. data/lib/datadog/tracing/distributed/fetcher.rb +21 -0
  691. data/lib/datadog/tracing/distributed/headers/ext.rb +19 -16
  692. data/lib/datadog/tracing/distributed/helpers.rb +34 -13
  693. data/lib/datadog/tracing/distributed/none.rb +18 -0
  694. data/lib/datadog/tracing/distributed/propagation.rb +126 -0
  695. data/lib/datadog/tracing/distributed/trace_context.rb +380 -0
  696. data/lib/datadog/tracing/event.rb +0 -4
  697. data/lib/datadog/tracing/flush.rb +58 -36
  698. data/lib/datadog/tracing/metadata/analytics.rb +3 -3
  699. data/lib/datadog/tracing/metadata/errors.rb +3 -3
  700. data/lib/datadog/tracing/metadata/ext.rb +40 -3
  701. data/lib/datadog/tracing/metadata/tagging.rb +23 -4
  702. data/lib/datadog/tracing/metadata.rb +4 -4
  703. data/lib/datadog/tracing/pipeline/span_filter.rb +11 -7
  704. data/lib/datadog/tracing/pipeline/span_processor.rb +1 -1
  705. data/lib/datadog/tracing/pipeline.rb +2 -6
  706. data/lib/datadog/tracing/propagation/http.rb +4 -99
  707. data/lib/datadog/tracing/runtime/metrics.rb +1 -3
  708. data/lib/datadog/tracing/sampling/all_sampler.rb +2 -2
  709. data/lib/datadog/tracing/sampling/ext.rb +30 -1
  710. data/lib/datadog/tracing/sampling/matcher.rb +1 -1
  711. data/lib/datadog/tracing/sampling/priority_sampler.rb +63 -10
  712. data/lib/datadog/tracing/sampling/rate_by_key_sampler.rb +10 -13
  713. data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +31 -10
  714. data/lib/datadog/tracing/sampling/rate_limiter.rb +4 -3
  715. data/lib/datadog/tracing/sampling/rate_sampler.rb +26 -13
  716. data/lib/datadog/tracing/sampling/rule.rb +2 -6
  717. data/lib/datadog/tracing/sampling/rule_sampler.rb +7 -10
  718. data/lib/datadog/tracing/sampling/sampler.rb +0 -2
  719. data/lib/datadog/tracing/sampling/span/ext.rb +25 -0
  720. data/lib/datadog/tracing/sampling/span/matcher.rb +89 -0
  721. data/lib/datadog/tracing/sampling/span/rule.rb +82 -0
  722. data/lib/datadog/tracing/sampling/span/rule_parser.rb +104 -0
  723. data/lib/datadog/tracing/sampling/span/sampler.rb +77 -0
  724. data/lib/datadog/tracing/span.rb +24 -22
  725. data/lib/datadog/tracing/span_operation.rb +12 -15
  726. data/lib/datadog/tracing/sync_writer.rb +5 -7
  727. data/lib/datadog/tracing/trace_digest.rb +89 -3
  728. data/lib/datadog/tracing/trace_operation.rb +58 -16
  729. data/lib/datadog/tracing/trace_segment.rb +20 -10
  730. data/lib/datadog/tracing/tracer.rb +48 -23
  731. data/lib/datadog/tracing/utils.rb +83 -0
  732. data/lib/datadog/tracing/workers/trace_writer.rb +8 -11
  733. data/lib/datadog/tracing/workers.rb +2 -6
  734. data/lib/datadog/tracing/writer.rb +11 -8
  735. data/lib/datadog/tracing.rb +9 -9
  736. data/lib/ddtrace/auto_instrument.rb +10 -3
  737. data/lib/ddtrace/auto_instrument_base.rb +1 -1
  738. data/lib/ddtrace/profiling/preload.rb +0 -2
  739. data/lib/ddtrace/transport/ext.rb +7 -3
  740. data/lib/ddtrace/transport/http/adapters/net.rb +15 -4
  741. data/lib/ddtrace/transport/http/adapters/registry.rb +1 -1
  742. data/lib/ddtrace/transport/http/adapters/test.rb +1 -3
  743. data/lib/ddtrace/transport/http/adapters/unix_socket.rb +2 -4
  744. data/lib/ddtrace/transport/http/api/endpoint.rb +1 -1
  745. data/lib/ddtrace/transport/http/api/fallbacks.rb +1 -1
  746. data/lib/ddtrace/transport/http/api/instance.rb +1 -1
  747. data/lib/ddtrace/transport/http/api/map.rb +2 -2
  748. data/lib/ddtrace/transport/http/api/spec.rb +1 -1
  749. data/lib/ddtrace/transport/http/api.rb +4 -6
  750. data/lib/ddtrace/transport/http/builder.rb +5 -7
  751. data/lib/ddtrace/transport/http/client.rb +2 -4
  752. data/lib/ddtrace/transport/http/env.rb +1 -1
  753. data/lib/ddtrace/transport/http/response.rb +2 -2
  754. data/lib/ddtrace/transport/http/statistics.rb +1 -3
  755. data/lib/ddtrace/transport/http/traces.rb +6 -8
  756. data/lib/ddtrace/transport/http.rb +11 -12
  757. data/lib/ddtrace/transport/io/client.rb +2 -4
  758. data/lib/ddtrace/transport/io/response.rb +2 -2
  759. data/lib/ddtrace/transport/io/traces.rb +4 -6
  760. data/lib/ddtrace/transport/io.rb +4 -4
  761. data/lib/ddtrace/transport/parcel.rb +1 -3
  762. data/lib/ddtrace/transport/request.rb +2 -2
  763. data/lib/ddtrace/transport/response.rb +0 -2
  764. data/lib/ddtrace/transport/serializable_trace.rb +9 -5
  765. data/lib/ddtrace/transport/statistics.rb +3 -3
  766. data/lib/ddtrace/transport/trace_formatter.rb +22 -11
  767. data/lib/ddtrace/transport/traces.rb +9 -9
  768. data/lib/ddtrace/version.rb +8 -6
  769. data/lib/ddtrace.rb +7 -9
  770. metadata +186 -58
  771. data/.editorconfig +0 -22
  772. data/.gitignore +0 -58
  773. data/CONTRIBUTING.md +0 -81
  774. data/ddtrace.gemspec +0 -68
  775. data/docs/0.x-trace.png +0 -0
  776. data/docs/1.0-trace.png +0 -0
  777. data/docs/AutoInstrumentation.md +0 -36
  778. data/docs/Deprecation.md +0 -8
  779. data/docs/DevelopmentGuide.md +0 -259
  780. data/docs/GettingStarted.md +0 -2688
  781. data/docs/ProfilingDevelopment.md +0 -110
  782. data/docs/PublicApi.md +0 -14
  783. data/docs/UpgradeGuide.md +0 -736
  784. data/ext/ddtrace_profiling_native_extension/libddprof_helpers.h +0 -13
  785. data/lib/datadog/appsec/assets/waf_rules/risky.json +0 -1499
  786. data/lib/datadog/appsec/contrib/configuration/settings.rb +0 -20
  787. data/lib/datadog/appsec/contrib/rack/configuration/settings.rb +0 -22
  788. data/lib/datadog/appsec/contrib/rack/request.rb +0 -58
  789. data/lib/datadog/appsec/contrib/rack/response.rb +0 -24
  790. data/lib/datadog/appsec/contrib/rails/configuration/settings.rb +0 -22
  791. data/lib/datadog/appsec/contrib/sinatra/configuration/settings.rb +0 -22
  792. data/lib/datadog/profiling/recorder.rb +0 -117
  793. data/lib/datadog/profiling/transport/client.rb +0 -16
  794. data/lib/datadog/profiling/transport/http/api/endpoint.rb +0 -107
  795. data/lib/datadog/profiling/transport/http/api/instance.rb +0 -38
  796. data/lib/datadog/profiling/transport/http/api/spec.rb +0 -42
  797. data/lib/datadog/profiling/transport/http/api.rb +0 -45
  798. data/lib/datadog/profiling/transport/http/builder.rb +0 -30
  799. data/lib/datadog/profiling/transport/http/client.rb +0 -35
  800. data/lib/datadog/profiling/transport/http/response.rb +0 -23
  801. data/lib/datadog/profiling/transport/http.rb +0 -112
  802. data/lib/datadog/profiling/transport/io/client.rb +0 -29
  803. data/lib/datadog/profiling/transport/io/response.rb +0 -18
  804. data/lib/datadog/profiling/transport/io.rb +0 -32
  805. data/lib/datadog/profiling/transport/parcel.rb +0 -19
  806. data/lib/datadog/profiling/transport/request.rb +0 -17
  807. data/lib/datadog/profiling/transport/response.rb +0 -10
  808. data/lib/datadog/tracing/distributed/headers/b3.rb +0 -55
  809. data/lib/datadog/tracing/distributed/headers/b3_single.rb +0 -67
  810. data/lib/datadog/tracing/distributed/headers/datadog.rb +0 -52
  811. data/lib/datadog/tracing/distributed/parser.rb +0 -70
  812. data/lib/datadog/tracing/propagation/grpc.rb +0 -88
@@ -1,16 +1,68 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.3.1"
4
+ "rules_version": "1.7.0"
5
5
  },
6
6
  "rules": [
7
+ {
8
+ "id": "blk-001-001",
9
+ "name": "Block IP Addresses",
10
+ "tags": {
11
+ "type": "block_ip",
12
+ "category": "security_response"
13
+ },
14
+ "conditions": [
15
+ {
16
+ "parameters": {
17
+ "inputs": [
18
+ {
19
+ "address": "http.client_ip"
20
+ }
21
+ ],
22
+ "data": "blocked_ips"
23
+ },
24
+ "operator": "ip_match"
25
+ }
26
+ ],
27
+ "transformers": [],
28
+ "on_match": [
29
+ "block"
30
+ ]
31
+ },
32
+ {
33
+ "id": "blk-001-002",
34
+ "name": "Block User Addresses",
35
+ "tags": {
36
+ "type": "block_user",
37
+ "category": "security_response"
38
+ },
39
+ "conditions": [
40
+ {
41
+ "parameters": {
42
+ "inputs": [
43
+ {
44
+ "address": "usr.id"
45
+ }
46
+ ],
47
+ "data": "blocked_users"
48
+ },
49
+ "operator": "exact_match"
50
+ }
51
+ ],
52
+ "transformers": [],
53
+ "on_match": [
54
+ "block"
55
+ ]
56
+ },
7
57
  {
8
58
  "id": "crs-913-110",
9
59
  "name": "Acunetix",
10
60
  "tags": {
11
- "type": "security_scanner",
61
+ "type": "commercial_scanner",
12
62
  "crs_id": "913110",
13
- "category": "attack_attempt"
63
+ "category": "attack_attempt",
64
+ "tool_name": "Acunetix",
65
+ "confidence": "0"
14
66
  },
15
67
  "conditions": [
16
68
  {
@@ -41,7 +93,8 @@
41
93
  "tags": {
42
94
  "type": "security_scanner",
43
95
  "crs_id": "913120",
44
- "category": "attack_attempt"
96
+ "category": "attack_attempt",
97
+ "confidence": "1"
45
98
  },
46
99
  "conditions": [
47
100
  {
@@ -90,7 +143,8 @@
90
143
  "tags": {
91
144
  "type": "http_protocol_violation",
92
145
  "crs_id": "920260",
93
- "category": "attack_attempt"
146
+ "category": "attack_attempt",
147
+ "confidence": "0"
94
148
  },
95
149
  "conditions": [
96
150
  {
@@ -146,33 +200,6 @@
146
200
  "lowercase"
147
201
  ]
148
202
  },
149
- {
150
- "id": "crs-921-140",
151
- "name": "HTTP Header Injection Attack via headers",
152
- "tags": {
153
- "type": "http_protocol_violation",
154
- "crs_id": "921140",
155
- "category": "attack_attempt"
156
- },
157
- "conditions": [
158
- {
159
- "parameters": {
160
- "inputs": [
161
- {
162
- "address": "server.request.headers.no_cookies"
163
- }
164
- ],
165
- "regex": "[\\n\\r]",
166
- "options": {
167
- "case_sensitive": true,
168
- "min_length": 1
169
- }
170
- },
171
- "operator": "match_regex"
172
- }
173
- ],
174
- "transformers": []
175
- },
176
203
  {
177
204
  "id": "crs-921-160",
178
205
  "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
@@ -192,7 +219,7 @@
192
219
  "address": "server.request.path_params"
193
220
  }
194
221
  ],
195
- "regex": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:",
222
+ "regex": "[\\n\\r]+(?:refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|via|remote-ip|remote-addr|originating-IP))\\s*:",
196
223
  "options": {
197
224
  "case_sensitive": true,
198
225
  "min_length": 3
@@ -211,7 +238,8 @@
211
238
  "tags": {
212
239
  "type": "lfi",
213
240
  "crs_id": "930100",
214
- "category": "attack_attempt"
241
+ "category": "attack_attempt",
242
+ "confidence": "1"
215
243
  },
216
244
  "conditions": [
217
245
  {
@@ -224,7 +252,7 @@
224
252
  "address": "server.request.headers.no_cookies"
225
253
  }
226
254
  ],
227
- "regex": "(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))",
255
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01])?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
228
256
  "options": {
229
257
  "min_length": 4
230
258
  }
@@ -242,7 +270,8 @@
242
270
  "tags": {
243
271
  "type": "lfi",
244
272
  "crs_id": "930110",
245
- "category": "attack_attempt"
273
+ "category": "attack_attempt",
274
+ "confidence": "1"
246
275
  },
247
276
  "conditions": [
248
277
  {
@@ -255,7 +284,7 @@
255
284
  "address": "server.request.headers.no_cookies"
256
285
  }
257
286
  ],
258
- "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))",
287
+ "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
259
288
  "options": {
260
289
  "case_sensitive": true,
261
290
  "min_length": 3
@@ -274,7 +303,8 @@
274
303
  "tags": {
275
304
  "type": "lfi",
276
305
  "crs_id": "930120",
277
- "category": "attack_attempt"
306
+ "category": "attack_attempt",
307
+ "confidence": "1"
278
308
  },
279
309
  "conditions": [
280
310
  {
@@ -299,6 +329,8 @@
299
329
  "/.htpasswd",
300
330
  "/.addressbook",
301
331
  "/.aptitude/config",
332
+ ".aws/config",
333
+ ".aws/credentials",
302
334
  "/.bash_config",
303
335
  "/.bash_history",
304
336
  "/.bash_logout",
@@ -330,6 +362,7 @@
330
362
  "/.nano_history",
331
363
  "/.node_repl_history",
332
364
  "/.pearrc",
365
+ "/.pgpass",
333
366
  "/.php_history",
334
367
  "/.pinerc",
335
368
  ".pki/",
@@ -350,6 +383,8 @@
350
383
  ".ssh/id_rsa.pub",
351
384
  ".ssh/identity",
352
385
  ".ssh/identity.pub",
386
+ ".ssh/id_ecdsa",
387
+ ".ssh/id_ecdsa.pub",
353
388
  ".ssh/known_hosts",
354
389
  ".subversion/auth",
355
390
  ".subversion/config",
@@ -366,6 +401,225 @@
366
401
  "/.zshrc",
367
402
  "/.zsh_history",
368
403
  "/.nsconfig",
404
+ "data/elasticsearch",
405
+ "data/kafka",
406
+ "etc/ansible",
407
+ "etc/bind",
408
+ "etc/centos-release",
409
+ "etc/centos-release-upstream",
410
+ "etc/clam.d",
411
+ "etc/elasticsearch",
412
+ "etc/freshclam.conf",
413
+ "etc/gshadow",
414
+ "etc/gshadow-",
415
+ "etc/httpd",
416
+ "etc/kafka",
417
+ "etc/kibana",
418
+ "etc/logstash",
419
+ "etc/lvm",
420
+ "etc/mongod.conf",
421
+ "etc/my.cnf",
422
+ "etc/nuxeo.conf",
423
+ "etc/pki",
424
+ "etc/postfix",
425
+ "etc/scw-release",
426
+ "etc/subgid",
427
+ "etc/subgid-",
428
+ "etc/sudoers.d",
429
+ "etc/sysconfig",
430
+ "etc/system-release-cpe",
431
+ "opt/nuxeo",
432
+ "opt/tomcat",
433
+ "tmp/kafka-logs",
434
+ "usr/lib/rpm/rpm.log",
435
+ "var/data/elasticsearch",
436
+ "var/lib/elasticsearch",
437
+ "etc/.java",
438
+ "etc/acpi",
439
+ "etc/alsa",
440
+ "etc/alternatives",
441
+ "etc/apache2",
442
+ "etc/apm",
443
+ "etc/apparmor",
444
+ "etc/apparmor.d",
445
+ "etc/apport",
446
+ "etc/apt",
447
+ "etc/asciidoc",
448
+ "etc/avahi",
449
+ "etc/bash_completion.d",
450
+ "etc/binfmt.d",
451
+ "etc/bluetooth",
452
+ "etc/bonobo-activation",
453
+ "etc/brltty",
454
+ "etc/ca-certificates",
455
+ "etc/calendar",
456
+ "etc/chatscripts",
457
+ "etc/chromium-browser",
458
+ "etc/clamav",
459
+ "etc/cni",
460
+ "etc/console-setup",
461
+ "etc/coraza-waf",
462
+ "etc/cracklib",
463
+ "etc/cron.d",
464
+ "etc/cron.daily",
465
+ "etc/cron.hourly",
466
+ "etc/cron.monthly",
467
+ "etc/cron.weekly",
468
+ "etc/cups",
469
+ "etc/cups.save",
470
+ "etc/cupshelpers",
471
+ "etc/dbus-1",
472
+ "etc/dconf",
473
+ "etc/default",
474
+ "etc/depmod.d",
475
+ "etc/dhcp",
476
+ "etc/dictionaries-common",
477
+ "etc/dkms",
478
+ "etc/dnsmasq.d",
479
+ "etc/dockeretc/dpkg",
480
+ "etc/emacs",
481
+ "etc/environment.d",
482
+ "etc/fail2ban",
483
+ "etc/firebird",
484
+ "etc/firefox",
485
+ "etc/fonts",
486
+ "etc/fwupd",
487
+ "etc/gconf",
488
+ "etc/gdb",
489
+ "etc/gdm3",
490
+ "etc/geoclue",
491
+ "etc/ghostscript",
492
+ "etc/gimp",
493
+ "etc/glvnd",
494
+ "etc/gnome",
495
+ "etc/gnome-vfs-2.0",
496
+ "etc/gnucash",
497
+ "etc/gnustep",
498
+ "etc/groff",
499
+ "etc/grub.d",
500
+ "etc/gss",
501
+ "etc/gtk-2.0",
502
+ "etc/gtk-3.0",
503
+ "etc/hp",
504
+ "etc/ifplugd",
505
+ "etc/imagemagick-6",
506
+ "etc/init",
507
+ "etc/init.d",
508
+ "etc/initramfs-tools",
509
+ "etc/insserv.conf.d",
510
+ "etc/iproute2",
511
+ "etc/iptables",
512
+ "etc/java",
513
+ "etc/java-11-openjdk",
514
+ "etc/java-17-oracle",
515
+ "etc/java-8-openjdk",
516
+ "etc/kernel",
517
+ "etc/ld.so.conf.d",
518
+ "etc/ldap",
519
+ "etc/libblockdev",
520
+ "etc/libibverbs.d",
521
+ "etc/libnl-3",
522
+ "etc/libpaper.d",
523
+ "etc/libreoffice",
524
+ "etc/lighttpd",
525
+ "etc/logcheck",
526
+ "etc/logrotate.d",
527
+ "etc/lynx",
528
+ "etc/mail",
529
+ "etc/mc",
530
+ "etc/menu",
531
+ "etc/menu-methods",
532
+ "etc/modprobe.d",
533
+ "etc/modsecurity",
534
+ "etc/modules-load.d",
535
+ "etc/monit",
536
+ "etc/mono",
537
+ "etc/mplayer",
538
+ "etc/mpv",
539
+ "etc/muttrc.d",
540
+ "etc/mysql",
541
+ "etc/netplan",
542
+ "etc/network",
543
+ "etc/networkd-dispatcher",
544
+ "etc/networkmanager",
545
+ "etc/newt",
546
+ "etc/nghttpx",
547
+ "etc/nikto",
548
+ "etc/odbcdatasources",
549
+ "etc/openal",
550
+ "etc/openmpi",
551
+ "etc/opt",
552
+ "etc/osync",
553
+ "etc/packagekit",
554
+ "etc/pam.d",
555
+ "etc/pcmcia",
556
+ "etc/perl",
557
+ "etc/php",
558
+ "etc/pki",
559
+ "etc/pm",
560
+ "etc/polkit-1",
561
+ "etc/postfix",
562
+ "etc/ppp",
563
+ "etc/profile.d",
564
+ "etc/proftpd",
565
+ "etc/pulse",
566
+ "etc/python",
567
+ "etc/rc0.d",
568
+ "etc/rc1.d",
569
+ "etc/rc2.d",
570
+ "etc/rc3.d",
571
+ "etc/rc4.d",
572
+ "etc/rc5.d",
573
+ "etc/rc6.d",
574
+ "etc/rcs.d",
575
+ "etc/resolvconf",
576
+ "etc/rsyslog.d",
577
+ "etc/samba",
578
+ "etc/sane.d",
579
+ "etc/security",
580
+ "etc/selinux",
581
+ "etc/sensors.d",
582
+ "etc/sgml",
583
+ "etc/signon-ui",
584
+ "etc/skel",
585
+ "etc/snmp",
586
+ "etc/sound",
587
+ "etc/spamassassin",
588
+ "etc/speech-dispatcher",
589
+ "etc/ssh",
590
+ "etc/ssl",
591
+ "etc/sudoers.d",
592
+ "etc/sysctl.d",
593
+ "etc/sysstat",
594
+ "etc/systemd",
595
+ "etc/terminfo",
596
+ "etc/texmf",
597
+ "etc/thermald",
598
+ "etc/thnuclnt",
599
+ "etc/thunderbird",
600
+ "etc/timidity",
601
+ "etc/tmpfiles.d",
602
+ "etc/ubuntu-advantage",
603
+ "etc/udev",
604
+ "etc/udisks2",
605
+ "etc/ufw",
606
+ "etc/update-manager",
607
+ "etc/update-motd.d",
608
+ "etc/update-notifier",
609
+ "etc/upower",
610
+ "etc/urlview",
611
+ "etc/usb_modeswitch.d",
612
+ "etc/vim",
613
+ "etc/vmware",
614
+ "etc/vmware-installer",
615
+ "etc/vmware-vix",
616
+ "etc/vulkan",
617
+ "etc/w3m",
618
+ "etc/wireshark",
619
+ "etc/wpa_supplicant",
620
+ "etc/x11",
621
+ "etc/xdg",
622
+ "etc/xml",
369
623
  "etc/redis.conf",
370
624
  "etc/redis-sentinel.conf",
371
625
  "etc/php.ini",
@@ -417,10 +671,8 @@
417
671
  "usr/local/cpanel/logs/license_log",
418
672
  "usr/local/cpanel/logs/login_log",
419
673
  "var/cpanel/cpanel.config",
420
- "var/log/sw-cp-server/error_log",
421
674
  "usr/local/psa/admin/logs/httpsd_access_log",
422
675
  "usr/local/psa/admin/logs/panel.log",
423
- "var/log/sso/sso.log",
424
676
  "usr/local/psa/admin/conf/php.ini",
425
677
  "etc/sw-cp-server/applications.d/plesk.conf",
426
678
  "usr/local/psa/admin/conf/site_isolation_settings.ini",
@@ -428,16 +680,6 @@
428
680
  "etc/sw-cp-server/applications.d/00-sso-cpserver.conf",
429
681
  "etc/sso/sso_config.ini",
430
682
  "etc/mysql/conf.d/old_passwords.cnf",
431
- "var/log/mysql/mysql-bin.log",
432
- "var/log/mysql/mysql-bin.index",
433
- "var/log/mysql/data/mysql-bin.index",
434
- "var/log/mysql.log",
435
- "var/log/mysql.err",
436
- "var/log/mysqlderror.log",
437
- "var/log/mysql/mysql.log",
438
- "var/log/mysql/mysql-slow.log",
439
- "var/log/mysql-bin.index",
440
- "var/log/data/mysql-bin.index",
441
683
  "var/mysql.log",
442
684
  "var/mysql-bin.index",
443
685
  "var/data/mysql-bin.index",
@@ -474,21 +716,6 @@
474
716
  "mysql/my.cnf",
475
717
  "mysql/bin/my.ini",
476
718
  "var/postgresql/log/postgresql.log",
477
- "var/log/postgresql/postgresql.log",
478
- "var/log/postgres/pg_backup.log",
479
- "var/log/postgres/postgres.log",
480
- "var/log/postgresql.log",
481
- "var/log/pgsql/pgsql.log",
482
- "var/log/postgresql/postgresql-8.1-main.log",
483
- "var/log/postgresql/postgresql-8.3-main.log",
484
- "var/log/postgresql/postgresql-8.4-main.log",
485
- "var/log/postgresql/postgresql-9.0-main.log",
486
- "var/log/postgresql/postgresql-9.1-main.log",
487
- "var/log/pgsql8.log",
488
- "var/log/postgresql/postgres.log",
489
- "var/log/pgsql_log",
490
- "var/log/postgresql/main.log",
491
- "var/log/cron/var/log/postgres.log",
492
719
  "usr/internet/pgsql/data/postmaster.log",
493
720
  "usr/local/pgsql/data/postgresql.log",
494
721
  "usr/local/pgsql/data/pg_log",
@@ -572,29 +799,21 @@
572
799
  "windows/system32/logfiles/msftpsvc2",
573
800
  "etc/logrotate.d/proftpd",
574
801
  "www/logs/proftpd.system.log",
575
- "var/log/proftpd",
576
- "var/log/proftpd/xferlog.legacy",
577
- "var/log/proftpd.access_log",
578
- "var/log/proftpd.xferlog",
579
802
  "etc/pam.d/proftpd",
580
803
  "etc/proftp.conf",
581
804
  "etc/protpd/proftpd.conf",
582
805
  "etc/vhcs2/proftpd/proftpd.conf",
583
806
  "etc/proftpd/modules.conf",
584
- "var/log/vsftpd.log",
585
807
  "etc/vsftpd.chroot_list",
586
808
  "etc/logrotate.d/vsftpd.log",
587
809
  "etc/vsftpd/vsftpd.conf",
588
810
  "etc/vsftpd.conf",
589
811
  "etc/chrootusers",
590
- "var/log/xferlog",
591
812
  "var/adm/log/xferlog",
592
813
  "etc/wu-ftpd/ftpaccess",
593
814
  "etc/wu-ftpd/ftphosts",
594
815
  "etc/wu-ftpd/ftpusers",
595
- "var/log/pure-ftpd/pure-ftpd.log",
596
816
  "logs/pure-ftpd.log",
597
- "var/log/pureftpd.log",
598
817
  "usr/sbin/pure-config.pl",
599
818
  "usr/etc/pure-ftpd.conf",
600
819
  "etc/pure-ftpd/pure-ftpd.conf",
@@ -620,30 +839,18 @@
620
839
  "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
621
840
  "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
622
841
  "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
623
- "var/log/muddleftpd",
624
842
  "usr/sbin/mudlogd",
625
843
  "etc/muddleftpd/mudlog",
626
844
  "etc/muddleftpd.com",
627
845
  "etc/muddleftpd/mudlogd.conf",
628
846
  "etc/muddleftpd/muddleftpd.conf",
629
- "var/log/muddleftpd.conf",
630
847
  "usr/sbin/mudpasswd",
631
848
  "etc/muddleftpd/muddleftpd.passwd",
632
849
  "etc/muddleftpd/passwd",
633
- "var/log/ftp-proxy/ftp-proxy.log",
634
- "var/log/ftp-proxy",
635
- "var/log/ftplog",
636
850
  "etc/logrotate.d/ftp",
637
851
  "etc/ftpchroot",
638
852
  "etc/ftphosts",
639
853
  "etc/ftpusers",
640
- "var/log/exim_mainlog",
641
- "var/log/exim/mainlog",
642
- "var/log/maillog",
643
- "var/log/exim_paniclog",
644
- "var/log/exim/paniclog",
645
- "var/log/exim/rejectlog",
646
- "var/log/exim_rejectlog",
647
854
  "winnt/system32/logfiles/smtpsvc",
648
855
  "winnt/system32/logfiles/smtpsvc1",
649
856
  "winnt/system32/logfiles/smtpsvc2",
@@ -716,7 +923,6 @@
716
923
  "library/webserver/documents/default.htm",
717
924
  "library/webserver/documents/index.php",
718
925
  "library/webserver/documents/default.php",
719
- "var/log/webmin/miniserv.log",
720
926
  "usr/local/etc/webmin/miniserv.conf",
721
927
  "etc/webmin/miniserv.conf",
722
928
  "usr/local/etc/webmin/miniserv.users",
@@ -729,8 +935,6 @@
729
935
  "windows/system32/logfiles/w3svc1/inetsvn1.log",
730
936
  "windows/system32/logfiles/w3svc2/inetsvn1.log",
731
937
  "windows/system32/logfiles/w3svc3/inetsvn1.log",
732
- "var/log/httpd/access_log",
733
- "var/log/httpd/error_log",
734
938
  "apache/logs/error.log",
735
939
  "apache/logs/access.log",
736
940
  "apache2/logs/error.log",
@@ -753,20 +957,6 @@
753
957
  "var/www/logs/access.log",
754
958
  "var/www/logs/error_log",
755
959
  "var/www/logs/error.log",
756
- "var/log/httpd/access.log",
757
- "var/log/httpd/error.log",
758
- "var/log/apache/access_log",
759
- "var/log/apache/access.log",
760
- "var/log/apache/error_log",
761
- "var/log/apache/error.log",
762
- "var/log/apache2/access_log",
763
- "var/log/apache2/access.log",
764
- "var/log/apache2/error_log",
765
- "var/log/apache2/error.log",
766
- "var/log/access_log",
767
- "var/log/access.log",
768
- "var/log/error_log",
769
- "var/log/error.log",
770
960
  "opt/lampp/logs/access_log",
771
961
  "opt/lampp/logs/error_log",
772
962
  "opt/xampp/logs/access_log",
@@ -905,7 +1095,6 @@
905
1095
  "usr/share/tomcat6/conf/context.xml",
906
1096
  "usr/share/tomcat6/conf/workers.properties",
907
1097
  "usr/share/tomcat6/conf/logging.properties",
908
- "var/log/tomcat6/catalina.out",
909
1098
  "var/cpanel/tomcat.options",
910
1099
  "usr/local/jakarta/tomcat/logs/catalina.out",
911
1100
  "usr/local/jakarta/tomcat/logs/catalina.err",
@@ -986,23 +1175,14 @@
986
1175
  "program files/[jboss]/server/default/log/boot.log",
987
1176
  "[jboss]/server/default/log/server.log",
988
1177
  "[jboss]/server/default/log/boot.log",
989
- "var/log/lighttpd.error.log",
990
- "var/log/lighttpd.access.log",
991
1178
  "var/lighttpd.log",
992
1179
  "var/logs/access.log",
993
- "var/log/lighttpd/",
994
- "var/log/lighttpd/error.log",
995
- "var/log/lighttpd/access.www.log",
996
- "var/log/lighttpd/error.www.log",
997
- "var/log/lighttpd/access.log",
998
1180
  "usr/local/apache2/logs/lighttpd.error.log",
999
1181
  "usr/local/apache2/logs/lighttpd.log",
1000
1182
  "usr/local/apache/logs/lighttpd.error.log",
1001
1183
  "usr/local/apache/logs/lighttpd.log",
1002
1184
  "usr/local/lighttpd/log/lighttpd.error.log",
1003
1185
  "usr/local/lighttpd/log/access.log",
1004
- "var/log/lighttpd/{domain}/access.log",
1005
- "var/log/lighttpd/{domain}/error.log",
1006
1186
  "usr/home/user/var/log/lighttpd.error.log",
1007
1187
  "usr/home/user/var/log/apache.log",
1008
1188
  "home/user/lighttpd/lighttpd.conf",
@@ -1012,12 +1192,6 @@
1012
1192
  "usr/local/lighttpd/conf/lighttpd.conf",
1013
1193
  "usr/local/etc/lighttpd.conf.new",
1014
1194
  "var/www/.lighttpdpassword",
1015
- "var/log/nginx/access_log",
1016
- "var/log/nginx/error_log",
1017
- "var/log/nginx/access.log",
1018
- "var/log/nginx/error.log",
1019
- "var/log/nginx.access_log",
1020
- "var/log/nginx.error_log",
1021
1195
  "logs/access_log",
1022
1196
  "logs/error_log",
1023
1197
  "etc/nginx/nginx.conf",
@@ -1033,12 +1207,6 @@
1033
1207
  "usr/local/logs/access.log",
1034
1208
  "usr/local/samba/lib/log.user",
1035
1209
  "usr/local/logs/samba.log",
1036
- "var/log/samba/log.smbd",
1037
- "var/log/samba/log.nmbd",
1038
- "var/log/samba.log",
1039
- "var/log/samba.log1",
1040
- "var/log/samba.log2",
1041
- "var/log/log.smb",
1042
1210
  "etc/samba/netlogon",
1043
1211
  "etc/smbpasswd",
1044
1212
  "etc/smb.conf",
@@ -1067,10 +1235,6 @@
1067
1235
  "etc/wicd/manager-settings.conf",
1068
1236
  "etc/wicd/wired-settings.conf",
1069
1237
  "etc/wicd/wireless-settings.conf",
1070
- "var/log/ipfw.log",
1071
- "var/log/ipfw",
1072
- "var/log/ipfw/ipfw.log",
1073
- "var/log/ipfw.today",
1074
1238
  "etc/ipfw.rules",
1075
1239
  "etc/ipfw.conf",
1076
1240
  "etc/firewall.rules",
@@ -1089,33 +1253,6 @@
1089
1253
  "etc/bluetooth/main.conf",
1090
1254
  "etc/bluetooth/network.conf",
1091
1255
  "etc/bluetooth/rfcomm.conf",
1092
- "proc/self/environ",
1093
- "proc/self/mounts",
1094
- "proc/self/stat",
1095
- "proc/self/status",
1096
- "proc/self/cmdline",
1097
- "proc/self/fd/0",
1098
- "proc/self/fd/1",
1099
- "proc/self/fd/2",
1100
- "proc/self/fd/3",
1101
- "proc/self/fd/4",
1102
- "proc/self/fd/5",
1103
- "proc/self/fd/6",
1104
- "proc/self/fd/7",
1105
- "proc/self/fd/8",
1106
- "proc/self/fd/9",
1107
- "proc/self/fd/10",
1108
- "proc/self/fd/11",
1109
- "proc/self/fd/12",
1110
- "proc/self/fd/13",
1111
- "proc/self/fd/14",
1112
- "proc/self/fd/15",
1113
- "proc/version",
1114
- "proc/devices",
1115
- "proc/cpuinfo",
1116
- "proc/meminfo",
1117
- "proc/net/tcp",
1118
- "proc/net/udp",
1119
1256
  "etc/bash_completion.d/debconf",
1120
1257
  "root/.bash_logout",
1121
1258
  "root/.bash_history",
@@ -1153,39 +1290,12 @@
1153
1290
  "var/adm/aculog",
1154
1291
  "var/adm/vold.log",
1155
1292
  "var/adm/log/asppp.log",
1156
- "var/log/poplog",
1157
- "var/log/authlog",
1158
1293
  "var/lp/logs/lpsched",
1159
1294
  "var/lp/logs/lpnet",
1160
1295
  "var/lp/logs/requests",
1161
1296
  "var/cron/log",
1162
1297
  "var/saf/_log",
1163
1298
  "var/saf/port/log",
1164
- "var/log/news.all",
1165
- "var/log/news/news.all",
1166
- "var/log/news/news.crit",
1167
- "var/log/news/news.err",
1168
- "var/log/news/news.notice",
1169
- "var/log/news/suck.err",
1170
- "var/log/news/suck.notice",
1171
- "var/log/messages",
1172
- "var/log/messages.1",
1173
- "var/log/user.log",
1174
- "var/log/user.log.1",
1175
- "var/log/auth.log",
1176
- "var/log/pm-powersave.log",
1177
- "var/log/xorg.0.log",
1178
- "var/log/daemon.log",
1179
- "var/log/daemon.log.1",
1180
- "var/log/kern.log",
1181
- "var/log/kern.log.1",
1182
- "var/log/mail.err",
1183
- "var/log/mail.info",
1184
- "var/log/mail.warn",
1185
- "var/log/ufw.log",
1186
- "var/log/boot.log",
1187
- "var/log/syslog",
1188
- "var/log/syslog.1",
1189
1299
  "tmp/access.log",
1190
1300
  "etc/sensors.conf",
1191
1301
  "etc/sensors3.conf",
@@ -1242,16 +1352,11 @@
1242
1352
  "etc/timezone",
1243
1353
  "etc/modules",
1244
1354
  "etc/passwd",
1245
- "etc/passwd~",
1246
- "etc/passwd-",
1247
1355
  "etc/shadow",
1248
- "etc/shadow~",
1249
- "etc/shadow-",
1250
1356
  "etc/fstab",
1251
1357
  "etc/motd",
1252
1358
  "etc/hosts",
1253
1359
  "etc/group",
1254
- "etc/group-",
1255
1360
  "etc/alias",
1256
1361
  "etc/crontab",
1257
1362
  "etc/crypttab",
@@ -1271,6 +1376,8 @@
1271
1376
  "etc/sudoers",
1272
1377
  "etc/sysconfig/network-scripts/ifcfg-eth0",
1273
1378
  "etc/redhat-release",
1379
+ "etc/scw-release",
1380
+ "etc/system-release-cpe",
1274
1381
  "etc/debian_version",
1275
1382
  "etc/fedora-release",
1276
1383
  "etc/mandrake-release",
@@ -1287,11 +1394,7 @@
1287
1394
  "root/.ksh_history",
1288
1395
  "root/.xauthority",
1289
1396
  "usr/lib/security/mkuser.default",
1290
- "var/log/squirrelmail.log",
1291
- "var/log/apache2/squirrelmail.log",
1292
- "var/log/apache2/squirrelmail.err.log",
1293
1397
  "var/lib/squirrelmail/prefs/squirrelmail.log",
1294
- "var/log/mail.log",
1295
1398
  "etc/squirrelmail/apache.conf",
1296
1399
  "etc/squirrelmail/config_local.php",
1297
1400
  "etc/squirrelmail/default_pref",
@@ -1345,59 +1448,302 @@
1345
1448
  "etc/vmware-tools/config",
1346
1449
  "etc/vmware-tools/tpvmlp.conf",
1347
1450
  "etc/vmware-tools/vmware-tools-libraries.conf",
1348
- "var/log/vmware/hostd.log",
1349
- "var/log/vmware/hostd-1.log",
1350
- "/wp-config.php",
1351
- "/wp-config.bak",
1352
- "/wp-config.old",
1353
- "/wp-config.temp",
1354
- "/wp-config.tmp",
1355
- "/wp-config.txt",
1356
- "/config.yml",
1357
- "/config_dev.yml",
1358
- "/config_prod.yml",
1359
- "/config_test.yml",
1360
- "/parameters.yml",
1361
- "/routing.yml",
1362
- "/security.yml",
1363
- "/services.yml",
1364
- "sites/default/default.settings.php",
1365
- "sites/default/settings.php",
1366
- "sites/default/settings.local.php",
1367
- "app/etc/local.xml",
1368
- "/sftp-config.json",
1369
- "/web.config",
1370
- "includes/config.php",
1371
- "includes/configure.php",
1372
- "config.inc.php",
1373
- "localsettings.php",
1374
- "inc/config.php",
1375
- "typo3conf/localconf.php",
1376
- "config/app.php",
1377
- "config/custom.php",
1378
- "config/database.php",
1379
- "/configuration.php",
1380
- "/config.php",
1381
- "var/mail/www-data",
1382
- "etc/network/",
1383
- "etc/init/",
1384
- "inetpub/wwwroot/global.asa",
1385
- "system32/inetsrv/config/applicationhost.config",
1386
- "system32/inetsrv/config/administration.config",
1387
- "system32/inetsrv/config/redirection.config",
1388
- "system32/config/default",
1389
- "system32/config/sam",
1390
- "system32/config/system",
1391
- "system32/config/software",
1392
- "winnt/repair/sam._",
1393
- "/package.json",
1394
- "/package-lock.json",
1395
- "/gruntfile.js",
1396
- "/npm-debug.log",
1397
- "/ormconfig.json",
1451
+ "var/log",
1452
+ "var/log/sw-cp-server/error_log",
1453
+ "var/log/sso/sso.log",
1454
+ "var/log/dpkg.log",
1455
+ "var/log/btmp",
1456
+ "var/log/utmp",
1457
+ "var/log/wtmp",
1458
+ "var/log/mysql/mysql-bin.log",
1459
+ "var/log/mysql/mysql-bin.index",
1460
+ "var/log/mysql/data/mysql-bin.index",
1461
+ "var/log/mysql.log",
1462
+ "var/log/mysql.err",
1463
+ "var/log/mysqlderror.log",
1464
+ "var/log/mysql/mysql.log",
1465
+ "var/log/mysql/mysql-slow.log",
1466
+ "var/log/mysql-bin.index",
1467
+ "var/log/data/mysql-bin.index",
1468
+ "var/log/postgresql/postgresql.log",
1469
+ "var/log/postgres/pg_backup.log",
1470
+ "var/log/postgres/postgres.log",
1471
+ "var/log/postgresql.log",
1472
+ "var/log/pgsql/pgsql.log",
1473
+ "var/log/postgresql/postgresql-8.1-main.log",
1474
+ "var/log/postgresql/postgresql-8.3-main.log",
1475
+ "var/log/postgresql/postgresql-8.4-main.log",
1476
+ "var/log/postgresql/postgresql-9.0-main.log",
1477
+ "var/log/postgresql/postgresql-9.1-main.log",
1478
+ "var/log/pgsql8.log",
1479
+ "var/log/postgresql/postgres.log",
1480
+ "var/log/pgsql_log",
1481
+ "var/log/postgresql/main.log",
1482
+ "var/log/cron",
1483
+ "var/log/postgres.log",
1484
+ "var/log/proftpd",
1485
+ "var/log/proftpd/xferlog.legacy",
1486
+ "var/log/proftpd.access_log",
1487
+ "var/log/proftpd.xferlog",
1488
+ "var/log/vsftpd.log",
1489
+ "var/log/xferlog",
1490
+ "var/log/pure-ftpd/pure-ftpd.log",
1491
+ "var/log/pureftpd.log",
1492
+ "var/log/muddleftpd",
1493
+ "var/log/muddleftpd.conf",
1494
+ "var/log/ftp-proxy/ftp-proxy.log",
1495
+ "var/log/ftp-proxy",
1496
+ "var/log/ftplog",
1497
+ "var/log/exim_mainlog",
1498
+ "var/log/exim/mainlog",
1499
+ "var/log/maillog",
1500
+ "var/log/exim_paniclog",
1501
+ "var/log/exim/paniclog",
1502
+ "var/log/exim/rejectlog",
1503
+ "var/log/exim_rejectlog",
1504
+ "var/log/webmin/miniserv.log",
1505
+ "var/log/httpd/access_log",
1506
+ "var/log/httpd/error_log",
1507
+ "var/log/httpd/access.log",
1508
+ "var/log/httpd/error.log",
1509
+ "var/log/apache/access_log",
1510
+ "var/log/apache/access.log",
1511
+ "var/log/apache/error_log",
1512
+ "var/log/apache/error.log",
1513
+ "var/log/apache2/access_log",
1514
+ "var/log/apache2/access.log",
1515
+ "var/log/apache2/error_log",
1516
+ "var/log/apache2/error.log",
1517
+ "var/log/access_log",
1518
+ "var/log/access.log",
1519
+ "var/log/error_log",
1520
+ "var/log/error.log",
1521
+ "var/log/tomcat6/catalina.out",
1522
+ "var/log/lighttpd.error.log",
1523
+ "var/log/lighttpd.access.log",
1524
+ "var/logs/access.log",
1525
+ "var/log/lighttpd/",
1526
+ "var/log/lighttpd/error.log",
1527
+ "var/log/lighttpd/access.www.log",
1528
+ "var/log/lighttpd/error.www.log",
1529
+ "var/log/lighttpd/access.log",
1530
+ "var/log/lighttpd/{domain}/access.log",
1531
+ "var/log/lighttpd/{domain}/error.log",
1532
+ "var/log/nginx/access_log",
1533
+ "var/log/nginx/error_log",
1534
+ "var/log/nginx/access.log",
1535
+ "var/log/nginx/error.log",
1536
+ "var/log/nginx.access_log",
1537
+ "var/log/nginx.error_log",
1538
+ "var/log/samba/log.smbd",
1539
+ "var/log/samba/log.nmbd",
1540
+ "var/log/samba.log",
1541
+ "var/log/samba.log1",
1542
+ "var/log/samba.log2",
1543
+ "var/log/log.smb",
1544
+ "var/log/ipfw.log",
1545
+ "var/log/ipfw",
1546
+ "var/log/ipfw/ipfw.log",
1547
+ "var/log/ipfw.today",
1548
+ "var/log/poplog",
1549
+ "var/log/authlog",
1550
+ "var/log/news.all",
1551
+ "var/log/news/news.all",
1552
+ "var/log/news/news.crit",
1553
+ "var/log/news/news.err",
1554
+ "var/log/news/news.notice",
1555
+ "var/log/news/suck.err",
1556
+ "var/log/news/suck.notice",
1557
+ "var/log/messages",
1558
+ "var/log/messages.1",
1559
+ "var/log/user.log",
1560
+ "var/log/user.log.1",
1561
+ "var/log/auth.log",
1562
+ "var/log/pm-powersave.log",
1563
+ "var/log/xorg.0.log",
1564
+ "var/log/daemon.log",
1565
+ "var/log/daemon.log.1",
1566
+ "var/log/kern.log",
1567
+ "var/log/kern.log.1",
1568
+ "var/log/mail.err",
1569
+ "var/log/mail.info",
1570
+ "var/log/mail.warn",
1571
+ "var/log/ufw.log",
1572
+ "var/log/boot.log",
1573
+ "var/log/syslog",
1574
+ "var/log/syslog.1",
1575
+ "var/log/squirrelmail.log",
1576
+ "var/log/apache2/squirrelmail.log",
1577
+ "var/log/apache2/squirrelmail.err.log",
1578
+ "var/log/mail.log",
1579
+ "var/log/vmware/hostd.log",
1580
+ "var/log/vmware/hostd-1.log",
1581
+ "/wp-config.php",
1582
+ "/wp-config.bak",
1583
+ "/wp-config.old",
1584
+ "/wp-config.temp",
1585
+ "/wp-config.tmp",
1586
+ "/wp-config.txt",
1587
+ "/config.yml",
1588
+ "/config_dev.yml",
1589
+ "/config_prod.yml",
1590
+ "/config_test.yml",
1591
+ "/parameters.yml",
1592
+ "/routing.yml",
1593
+ "/security.yml",
1594
+ "/services.yml",
1595
+ "sites/default/default.settings.php",
1596
+ "sites/default/settings.php",
1597
+ "sites/default/settings.local.php",
1598
+ "app/etc/local.xml",
1599
+ "/sftp-config.json",
1600
+ "/web.config",
1601
+ "includes/config.php",
1602
+ "includes/configure.php",
1603
+ "/config.inc.php",
1604
+ "/localsettings.php",
1605
+ "inc/config.php",
1606
+ "typo3conf/localconf.php",
1607
+ "config/app.php",
1608
+ "config/custom.php",
1609
+ "config/database.php",
1610
+ "/configuration.php",
1611
+ "/config.php",
1612
+ "var/mail/www-data",
1613
+ "etc/network/",
1614
+ "etc/init/",
1615
+ "inetpub/wwwroot/global.asa",
1616
+ "system32/inetsrv/config/applicationhost.config",
1617
+ "system32/inetsrv/config/administration.config",
1618
+ "system32/inetsrv/config/redirection.config",
1619
+ "system32/config/default",
1620
+ "system32/config/sam",
1621
+ "system32/config/system",
1622
+ "system32/config/software",
1623
+ "winnt/repair/sam._",
1624
+ "/package.json",
1625
+ "/package-lock.json",
1626
+ "/gruntfile.js",
1627
+ "/npm-debug.log",
1628
+ "/ormconfig.json",
1398
1629
  "/tsconfig.json",
1399
1630
  "/webpack.config.js",
1400
- "/yarn.lock"
1631
+ "/yarn.lock",
1632
+ "proc/0",
1633
+ "proc/1",
1634
+ "proc/2",
1635
+ "proc/3",
1636
+ "proc/4",
1637
+ "proc/5",
1638
+ "proc/6",
1639
+ "proc/7",
1640
+ "proc/8",
1641
+ "proc/9",
1642
+ "proc/acpi",
1643
+ "proc/asound",
1644
+ "proc/bootconfig",
1645
+ "proc/buddyinfo",
1646
+ "proc/bus",
1647
+ "proc/cgroups",
1648
+ "proc/cmdline",
1649
+ "proc/config.gz",
1650
+ "proc/consoles",
1651
+ "proc/cpuinfo",
1652
+ "proc/crypto",
1653
+ "proc/devices",
1654
+ "proc/diskstats",
1655
+ "proc/dma",
1656
+ "proc/docker",
1657
+ "proc/driver",
1658
+ "proc/dynamic_debug",
1659
+ "proc/execdomains",
1660
+ "proc/fb",
1661
+ "proc/filesystems",
1662
+ "proc/fs",
1663
+ "proc/interrupts",
1664
+ "proc/iomem",
1665
+ "proc/ioports",
1666
+ "proc/ipmi",
1667
+ "proc/irq",
1668
+ "proc/kallsyms",
1669
+ "proc/kcore",
1670
+ "proc/keys",
1671
+ "proc/keys",
1672
+ "proc/key-users",
1673
+ "proc/kmsg",
1674
+ "proc/kpagecgroup",
1675
+ "proc/kpagecount",
1676
+ "proc/kpageflags",
1677
+ "proc/latency_stats",
1678
+ "proc/loadavg",
1679
+ "proc/locks",
1680
+ "proc/mdstat",
1681
+ "proc/meminfo",
1682
+ "proc/misc",
1683
+ "proc/modules",
1684
+ "proc/mounts",
1685
+ "proc/mpt",
1686
+ "proc/mtd",
1687
+ "proc/mtrr",
1688
+ "proc/net",
1689
+ "proc/net/tcp",
1690
+ "proc/net/udp",
1691
+ "proc/pagetypeinfo",
1692
+ "proc/partitions",
1693
+ "proc/pressure",
1694
+ "proc/sched_debug",
1695
+ "proc/schedstat",
1696
+ "proc/scsi",
1697
+ "proc/self",
1698
+ "proc/self/cmdline",
1699
+ "proc/self/environ",
1700
+ "proc/self/fd/0",
1701
+ "proc/self/fd/1",
1702
+ "proc/self/fd/10",
1703
+ "proc/self/fd/11",
1704
+ "proc/self/fd/12",
1705
+ "proc/self/fd/13",
1706
+ "proc/self/fd/14",
1707
+ "proc/self/fd/15",
1708
+ "proc/self/fd/2",
1709
+ "proc/self/fd/3",
1710
+ "proc/self/fd/4",
1711
+ "proc/self/fd/5",
1712
+ "proc/self/fd/6",
1713
+ "proc/self/fd/7",
1714
+ "proc/self/fd/8",
1715
+ "proc/self/fd/9",
1716
+ "proc/self/mounts",
1717
+ "proc/self/stat",
1718
+ "proc/self/status",
1719
+ "proc/slabinfo",
1720
+ "proc/softirqs",
1721
+ "proc/stat",
1722
+ "proc/swaps",
1723
+ "proc/sys",
1724
+ "proc/sysrq-trigger",
1725
+ "proc/sysvipc",
1726
+ "proc/thread-self",
1727
+ "proc/timer_list",
1728
+ "proc/timer_stats",
1729
+ "proc/tty",
1730
+ "proc/uptime",
1731
+ "proc/version",
1732
+ "proc/version_signature",
1733
+ "proc/vmallocinfo",
1734
+ "proc/vmstat",
1735
+ "proc/zoneinfo",
1736
+ "sys/block",
1737
+ "sys/bus",
1738
+ "sys/class",
1739
+ "sys/dev",
1740
+ "sys/devices",
1741
+ "sys/firmware",
1742
+ "sys/fs",
1743
+ "sys/hypervisor",
1744
+ "sys/kernel",
1745
+ "sys/module",
1746
+ "sys/power"
1401
1747
  ]
1402
1748
  },
1403
1749
  "operator": "phrase_match"
@@ -1414,7 +1760,8 @@
1414
1760
  "tags": {
1415
1761
  "type": "rfi",
1416
1762
  "crs_id": "931110",
1417
- "category": "attack_attempt"
1763
+ "category": "attack_attempt",
1764
+ "confidence": "1"
1418
1765
  },
1419
1766
  "conditions": [
1420
1767
  {
@@ -1456,7 +1803,7 @@
1456
1803
  "address": "server.request.path_params"
1457
1804
  }
1458
1805
  ],
1459
- "regex": "^(?i:file|ftps?|https?).*?\\?+$",
1806
+ "regex": "^(?i:file|ftps?)://.*?\\?+$",
1460
1807
  "options": {
1461
1808
  "case_sensitive": true,
1462
1809
  "min_length": 4
@@ -1473,7 +1820,8 @@
1473
1820
  "tags": {
1474
1821
  "type": "command_injection",
1475
1822
  "crs_id": "932160",
1476
- "category": "attack_attempt"
1823
+ "category": "attack_attempt",
1824
+ "confidence": "1"
1477
1825
  },
1478
1826
  "conditions": [
1479
1827
  {
@@ -1511,103 +1859,453 @@
1511
1859
  "$ostype",
1512
1860
  "$path",
1513
1861
  "$pwd",
1862
+ "dev/fd/",
1863
+ "dev/null",
1864
+ "dev/stderr",
1865
+ "dev/stdin",
1866
+ "dev/stdout",
1867
+ "dev/tcp/",
1868
+ "dev/udp/",
1869
+ "dev/zero",
1870
+ "etc/master.passwd",
1871
+ "etc/pwd.db",
1872
+ "etc/shells",
1873
+ "etc/spwd.db",
1874
+ "proc/self/",
1875
+ "bin/7z",
1876
+ "bin/7za",
1877
+ "bin/7zr",
1878
+ "bin/ab",
1879
+ "bin/agetty",
1880
+ "bin/ansible-playbook",
1881
+ "bin/apt",
1882
+ "bin/apt-get",
1883
+ "bin/ar",
1884
+ "bin/aria2c",
1885
+ "bin/arj",
1886
+ "bin/arp",
1887
+ "bin/as",
1888
+ "bin/ascii-xfr",
1889
+ "bin/ascii85",
1890
+ "bin/ash",
1891
+ "bin/aspell",
1892
+ "bin/at",
1893
+ "bin/atobm",
1894
+ "bin/awk",
1895
+ "bin/base32",
1896
+ "bin/base64",
1897
+ "bin/basenc",
1514
1898
  "bin/bash",
1899
+ "bin/bpftrace",
1900
+ "bin/bridge",
1901
+ "bin/bundler",
1902
+ "bin/bunzip2",
1903
+ "bin/busctl",
1904
+ "bin/busybox",
1905
+ "bin/byebug",
1906
+ "bin/bzcat",
1907
+ "bin/bzcmp",
1908
+ "bin/bzdiff",
1909
+ "bin/bzegrep",
1910
+ "bin/bzexe",
1911
+ "bin/bzfgrep",
1912
+ "bin/bzgrep",
1913
+ "bin/bzip2",
1914
+ "bin/bzip2recover",
1915
+ "bin/bzless",
1916
+ "bin/bzmore",
1917
+ "bin/bzz",
1918
+ "bin/c89",
1919
+ "bin/c99",
1920
+ "bin/cancel",
1921
+ "bin/capsh",
1515
1922
  "bin/cat",
1923
+ "bin/cc",
1924
+ "bin/certbot",
1925
+ "bin/check_by_ssh",
1926
+ "bin/check_cups",
1927
+ "bin/check_log",
1928
+ "bin/check_memory",
1929
+ "bin/check_raid",
1930
+ "bin/check_ssl_cert",
1931
+ "bin/check_statusfile",
1932
+ "bin/chmod",
1933
+ "bin/choom",
1934
+ "bin/chown",
1935
+ "bin/chroot",
1936
+ "bin/clang",
1937
+ "bin/clang++",
1938
+ "bin/cmp",
1939
+ "bin/cobc",
1940
+ "bin/column",
1941
+ "bin/comm",
1942
+ "bin/composer",
1943
+ "bin/core_perl/zipdetails",
1944
+ "bin/cowsay",
1945
+ "bin/cowthink",
1946
+ "bin/cp",
1947
+ "bin/cpan",
1948
+ "bin/cpio",
1949
+ "bin/cpulimit",
1950
+ "bin/crash",
1951
+ "bin/crontab",
1516
1952
  "bin/csh",
1953
+ "bin/csplit",
1954
+ "bin/csvtool",
1955
+ "bin/cupsfilter",
1956
+ "bin/curl",
1957
+ "bin/cut",
1517
1958
  "bin/dash",
1959
+ "bin/date",
1960
+ "bin/dd",
1961
+ "bin/dev/fd/",
1962
+ "bin/dev/null",
1963
+ "bin/dev/stderr",
1964
+ "bin/dev/stdin",
1965
+ "bin/dev/stdout",
1966
+ "bin/dev/tcp/",
1967
+ "bin/dev/udp/",
1968
+ "bin/dev/zero",
1969
+ "bin/dialog",
1970
+ "bin/diff",
1971
+ "bin/dig",
1972
+ "bin/dmesg",
1973
+ "bin/dmidecode",
1974
+ "bin/dmsetup",
1975
+ "bin/dnf",
1976
+ "bin/docker",
1977
+ "bin/dosbox",
1978
+ "bin/dpkg",
1518
1979
  "bin/du",
1980
+ "bin/dvips",
1981
+ "bin/easy_install",
1982
+ "bin/eb",
1519
1983
  "bin/echo",
1984
+ "bin/ed",
1985
+ "bin/efax",
1986
+ "bin/emacs",
1987
+ "bin/env",
1988
+ "bin/eqn",
1989
+ "bin/es",
1990
+ "bin/esh",
1991
+ "bin/etc/group",
1992
+ "bin/etc/master.passwd",
1993
+ "bin/etc/passwd",
1994
+ "bin/etc/pwd.db",
1995
+ "bin/etc/shadow",
1996
+ "bin/etc/shells",
1997
+ "bin/etc/spwd.db",
1998
+ "bin/ex",
1999
+ "bin/exiftool",
2000
+ "bin/expand",
2001
+ "bin/expect",
2002
+ "bin/expr",
2003
+ "bin/facter",
2004
+ "bin/fetch",
2005
+ "bin/file",
2006
+ "bin/find",
2007
+ "bin/finger",
2008
+ "bin/fish",
2009
+ "bin/flock",
2010
+ "bin/fmt",
2011
+ "bin/fold",
2012
+ "bin/fping",
2013
+ "bin/ftp",
2014
+ "bin/gawk",
2015
+ "bin/gcc",
2016
+ "bin/gcore",
2017
+ "bin/gdb",
2018
+ "bin/gem",
2019
+ "bin/genie",
2020
+ "bin/genisoimage",
2021
+ "bin/ghc",
2022
+ "bin/ghci",
2023
+ "bin/gimp",
2024
+ "bin/ginsh",
2025
+ "bin/git",
2026
+ "bin/grc",
1520
2027
  "bin/grep",
2028
+ "bin/gtester",
2029
+ "bin/gunzip",
2030
+ "bin/gzexe",
2031
+ "bin/gzip",
2032
+ "bin/hd",
2033
+ "bin/head",
2034
+ "bin/hexdump",
2035
+ "bin/highlight",
2036
+ "bin/hping3",
2037
+ "bin/iconv",
2038
+ "bin/id",
2039
+ "bin/iftop",
2040
+ "bin/install",
2041
+ "bin/ionice",
2042
+ "bin/ip",
2043
+ "bin/irb",
2044
+ "bin/ispell",
2045
+ "bin/jjs",
2046
+ "bin/join",
2047
+ "bin/journalctl",
2048
+ "bin/jq",
2049
+ "bin/jrunscript",
2050
+ "bin/knife",
2051
+ "bin/ksh",
2052
+ "bin/ksshell",
2053
+ "bin/latex",
2054
+ "bin/ld",
2055
+ "bin/ldconfig",
1521
2056
  "bin/less",
2057
+ "bin/lftp",
2058
+ "bin/ln",
2059
+ "bin/loginctl",
2060
+ "bin/logsave",
2061
+ "bin/look",
2062
+ "bin/lp",
1522
2063
  "bin/ls",
2064
+ "bin/ltrace",
2065
+ "bin/lua",
2066
+ "bin/lualatex",
2067
+ "bin/luatex",
2068
+ "bin/lwp-download",
2069
+ "bin/lwp-request",
2070
+ "bin/lz",
2071
+ "bin/lz4",
2072
+ "bin/lz4c",
2073
+ "bin/lz4cat",
2074
+ "bin/lzcat",
2075
+ "bin/lzcmp",
2076
+ "bin/lzdiff",
2077
+ "bin/lzegrep",
2078
+ "bin/lzfgrep",
2079
+ "bin/lzgrep",
2080
+ "bin/lzless",
2081
+ "bin/lzma",
2082
+ "bin/lzmadec",
2083
+ "bin/lzmainfo",
2084
+ "bin/lzmore",
2085
+ "bin/mail",
2086
+ "bin/make",
2087
+ "bin/man",
2088
+ "bin/mawk",
2089
+ "bin/mkfifo",
1523
2090
  "bin/mknod",
1524
2091
  "bin/more",
2092
+ "bin/mosquitto",
2093
+ "bin/mount",
2094
+ "bin/msgattrib",
2095
+ "bin/msgcat",
2096
+ "bin/msgconv",
2097
+ "bin/msgfilter",
2098
+ "bin/msgmerge",
2099
+ "bin/msguniq",
2100
+ "bin/mtr",
2101
+ "bin/mv",
2102
+ "bin/mysql",
2103
+ "bin/nano",
2104
+ "bin/nasm",
2105
+ "bin/nawk",
1525
2106
  "bin/nc",
2107
+ "bin/ncat",
2108
+ "bin/neofetch",
2109
+ "bin/nice",
2110
+ "bin/nl",
2111
+ "bin/nm",
2112
+ "bin/nmap",
2113
+ "bin/node",
2114
+ "bin/nohup",
2115
+ "bin/npm",
2116
+ "bin/nroff",
2117
+ "bin/nsenter",
2118
+ "bin/octave",
2119
+ "bin/od",
2120
+ "bin/openssl",
2121
+ "bin/openvpn",
2122
+ "bin/openvt",
2123
+ "bin/opkg",
2124
+ "bin/paste",
2125
+ "bin/pax",
2126
+ "bin/pdb",
2127
+ "bin/pdflatex",
2128
+ "bin/pdftex",
2129
+ "bin/pdksh",
2130
+ "bin/perf",
2131
+ "bin/perl",
2132
+ "bin/pg",
2133
+ "bin/php",
2134
+ "bin/php-cgi",
2135
+ "bin/php5",
2136
+ "bin/php7",
2137
+ "bin/pic",
2138
+ "bin/pico",
2139
+ "bin/pidstat",
2140
+ "bin/pigz",
2141
+ "bin/pip",
2142
+ "bin/pkexec",
2143
+ "bin/pkg",
2144
+ "bin/pr",
2145
+ "bin/printf",
2146
+ "bin/proc/self/",
2147
+ "bin/pry",
1526
2148
  "bin/ps",
2149
+ "bin/psed",
2150
+ "bin/psftp",
2151
+ "bin/psql",
2152
+ "bin/ptx",
2153
+ "bin/puppet",
2154
+ "bin/pxz",
2155
+ "bin/python",
2156
+ "bin/python2",
2157
+ "bin/python3",
2158
+ "bin/rake",
1527
2159
  "bin/rbash",
2160
+ "bin/rc",
2161
+ "bin/readelf",
2162
+ "bin/red",
2163
+ "bin/redcarpet",
2164
+ "bin/restic",
2165
+ "bin/rev",
2166
+ "bin/rlogin",
2167
+ "bin/rlwrap",
2168
+ "bin/rpm",
2169
+ "bin/rpmquery",
2170
+ "bin/rsync",
2171
+ "bin/ruby",
2172
+ "bin/run-mailcap",
2173
+ "bin/run-parts",
2174
+ "bin/rview",
2175
+ "bin/rvim",
2176
+ "bin/sash",
2177
+ "bin/sbin/capsh",
2178
+ "bin/sbin/logsave",
2179
+ "bin/sbin/service",
2180
+ "bin/sbin/start-stop-daemon",
2181
+ "bin/scp",
2182
+ "bin/screen",
2183
+ "bin/script",
2184
+ "bin/sed",
2185
+ "bin/service",
2186
+ "bin/setarch",
2187
+ "bin/sftp",
2188
+ "bin/sg",
1528
2189
  "bin/sh",
2190
+ "bin/shuf",
1529
2191
  "bin/sleep",
2192
+ "bin/slsh",
2193
+ "bin/smbclient",
2194
+ "bin/snap",
2195
+ "bin/socat",
2196
+ "bin/soelim",
2197
+ "bin/sort",
2198
+ "bin/split",
2199
+ "bin/sqlite3",
2200
+ "bin/ss",
2201
+ "bin/ssh",
2202
+ "bin/ssh-keygen",
2203
+ "bin/ssh-keyscan",
2204
+ "bin/sshpass",
2205
+ "bin/start-stop-daemon",
2206
+ "bin/stdbuf",
2207
+ "bin/strace",
2208
+ "bin/strings",
1530
2209
  "bin/su",
2210
+ "bin/sysctl",
2211
+ "bin/systemctl",
2212
+ "bin/systemd-resolve",
2213
+ "bin/tac",
2214
+ "bin/tail",
2215
+ "bin/tar",
2216
+ "bin/task",
2217
+ "bin/taskset",
2218
+ "bin/tbl",
2219
+ "bin/tclsh",
2220
+ "bin/tcpdump",
1531
2221
  "bin/tcsh",
2222
+ "bin/tee",
2223
+ "bin/telnet",
2224
+ "bin/tex",
2225
+ "bin/tftp",
2226
+ "bin/tic",
2227
+ "bin/time",
2228
+ "bin/timedatectl",
2229
+ "bin/timeout",
2230
+ "bin/tmux",
2231
+ "bin/top",
2232
+ "bin/troff",
2233
+ "bin/tshark",
2234
+ "bin/ul",
1532
2235
  "bin/uname",
1533
- "dev/fd/",
1534
- "dev/null",
1535
- "dev/stderr",
1536
- "dev/stdin",
1537
- "dev/stdout",
1538
- "dev/tcp/",
1539
- "dev/udp/",
1540
- "dev/zero",
1541
- "etc/group",
1542
- "etc/master.passwd",
1543
- "etc/passwd",
1544
- "etc/pwd.db",
1545
- "etc/shadow",
1546
- "etc/shells",
1547
- "etc/spwd.db",
1548
- "proc/self/",
1549
- "usr/bin/awk",
1550
- "usr/bin/base64",
1551
- "usr/bin/cat",
1552
- "usr/bin/cc",
1553
- "usr/bin/clang",
1554
- "usr/bin/clang++",
1555
- "usr/bin/curl",
1556
- "usr/bin/diff",
1557
- "usr/bin/env",
1558
- "usr/bin/fetch",
1559
- "usr/bin/file",
1560
- "usr/bin/find",
1561
- "usr/bin/ftp",
1562
- "usr/bin/gawk",
1563
- "usr/bin/gcc",
1564
- "usr/bin/head",
1565
- "usr/bin/hexdump",
1566
- "usr/bin/id",
1567
- "usr/bin/less",
1568
- "usr/bin/ln",
1569
- "usr/bin/mkfifo",
1570
- "usr/bin/more",
1571
- "usr/bin/nc",
1572
- "usr/bin/ncat",
1573
- "usr/bin/nice",
1574
- "usr/bin/nmap",
1575
- "usr/bin/perl",
1576
- "usr/bin/php",
1577
- "usr/bin/php5",
1578
- "usr/bin/php7",
1579
- "usr/bin/php-cgi",
1580
- "usr/bin/printf",
1581
- "usr/bin/psed",
1582
- "usr/bin/python",
1583
- "usr/bin/python2",
1584
- "usr/bin/python3",
1585
- "usr/bin/ruby",
1586
- "usr/bin/sed",
1587
- "usr/bin/socat",
1588
- "usr/bin/tail",
1589
- "usr/bin/tee",
1590
- "usr/bin/telnet",
1591
- "usr/bin/top",
1592
- "usr/bin/uname",
1593
- "usr/bin/wget",
1594
- "usr/bin/who",
1595
- "usr/bin/whoami",
1596
- "usr/bin/xargs",
1597
- "usr/bin/xxd",
1598
- "usr/bin/yes",
1599
- "usr/local/bin/bash",
1600
- "usr/local/bin/curl",
1601
- "usr/local/bin/ncat",
1602
- "usr/local/bin/nmap",
1603
- "usr/local/bin/perl",
1604
- "usr/local/bin/php",
1605
- "usr/local/bin/python",
1606
- "usr/local/bin/python2",
1607
- "usr/local/bin/python3",
1608
- "usr/local/bin/rbash",
1609
- "usr/local/bin/ruby",
1610
- "usr/local/bin/wget"
2236
+ "bin/uncompress",
2237
+ "bin/unexpand",
2238
+ "bin/uniq",
2239
+ "bin/unlz4",
2240
+ "bin/unlzma",
2241
+ "bin/unpigz",
2242
+ "bin/unrar",
2243
+ "bin/unshare",
2244
+ "bin/unxz",
2245
+ "bin/unzip",
2246
+ "bin/unzstd",
2247
+ "bin/update-alternatives",
2248
+ "bin/uudecode",
2249
+ "bin/uuencode",
2250
+ "bin/valgrind",
2251
+ "bin/vi",
2252
+ "bin/view",
2253
+ "bin/vigr",
2254
+ "bin/vim",
2255
+ "bin/vimdiff",
2256
+ "bin/vipw",
2257
+ "bin/virsh",
2258
+ "bin/volatility",
2259
+ "bin/wall",
2260
+ "bin/watch",
2261
+ "bin/wc",
2262
+ "bin/wget",
2263
+ "bin/whiptail",
2264
+ "bin/who",
2265
+ "bin/whoami",
2266
+ "bin/whois",
2267
+ "bin/wireshark",
2268
+ "bin/wish",
2269
+ "bin/xargs",
2270
+ "bin/xelatex",
2271
+ "bin/xetex",
2272
+ "bin/xmodmap",
2273
+ "bin/xmore",
2274
+ "bin/xpad",
2275
+ "bin/xxd",
2276
+ "bin/xz",
2277
+ "bin/xzcat",
2278
+ "bin/xzcmp",
2279
+ "bin/xzdec",
2280
+ "bin/xzdiff",
2281
+ "bin/xzegrep",
2282
+ "bin/xzfgrep",
2283
+ "bin/xzgrep",
2284
+ "bin/xzless",
2285
+ "bin/xzmore",
2286
+ "bin/yarn",
2287
+ "bin/yelp",
2288
+ "bin/yes",
2289
+ "bin/yum",
2290
+ "bin/zathura",
2291
+ "bin/zip",
2292
+ "bin/zipcloak",
2293
+ "bin/zipcmp",
2294
+ "bin/zipdetails",
2295
+ "bin/zipgrep",
2296
+ "bin/zipinfo",
2297
+ "bin/zipmerge",
2298
+ "bin/zipnote",
2299
+ "bin/zipsplit",
2300
+ "bin/ziptool",
2301
+ "bin/zsh",
2302
+ "bin/zsoelim",
2303
+ "bin/zstd",
2304
+ "bin/zstdcat",
2305
+ "bin/zstdgrep",
2306
+ "bin/zstdless",
2307
+ "bin/zstdmt",
2308
+ "bin/zypper"
1611
2309
  ]
1612
2310
  },
1613
2311
  "operator": "phrase_match"
@@ -1623,7 +2321,8 @@
1623
2321
  "tags": {
1624
2322
  "type": "command_injection",
1625
2323
  "crs_id": "932171",
1626
- "category": "attack_attempt"
2324
+ "category": "attack_attempt",
2325
+ "confidence": "1"
1627
2326
  },
1628
2327
  "conditions": [
1629
2328
  {
@@ -1662,7 +2361,8 @@
1662
2361
  "tags": {
1663
2362
  "type": "command_injection",
1664
2363
  "crs_id": "932180",
1665
- "category": "attack_attempt"
2364
+ "category": "attack_attempt",
2365
+ "confidence": "1"
1666
2366
  },
1667
2367
  "conditions": [
1668
2368
  {
@@ -1720,7 +2420,8 @@
1720
2420
  "tags": {
1721
2421
  "type": "unrestricted_file_upload",
1722
2422
  "crs_id": "933111",
1723
- "category": "attack_attempt"
2423
+ "category": "attack_attempt",
2424
+ "confidence": "1"
1724
2425
  },
1725
2426
  "conditions": [
1726
2427
  {
@@ -1770,7 +2471,8 @@
1770
2471
  "tags": {
1771
2472
  "type": "php_code_injection",
1772
2473
  "crs_id": "933130",
1773
- "category": "attack_attempt"
2474
+ "category": "attack_attempt",
2475
+ "confidence": "1"
1774
2476
  },
1775
2477
  "conditions": [
1776
2478
  {
@@ -1791,14 +2493,6 @@
1791
2493
  ],
1792
2494
  "list": [
1793
2495
  "$globals",
1794
- "$http_cookie_vars",
1795
- "$http_env_vars",
1796
- "$http_get_vars",
1797
- "$http_post_files",
1798
- "$http_post_vars",
1799
- "$http_raw_post_data",
1800
- "$http_request_vars",
1801
- "$http_server_vars",
1802
2496
  "$_cookie",
1803
2497
  "$_env",
1804
2498
  "$_files",
@@ -1808,7 +2502,17 @@
1808
2502
  "$_server",
1809
2503
  "$_session",
1810
2504
  "$argc",
1811
- "$argv"
2505
+ "$argv",
2506
+ "$http_\\u200bresponse_\\u200bheader",
2507
+ "$php_\\u200berrormsg",
2508
+ "$http_cookie_vars",
2509
+ "$http_env_vars",
2510
+ "$http_get_vars",
2511
+ "$http_post_files",
2512
+ "$http_post_vars",
2513
+ "$http_raw_post_data",
2514
+ "$http_request_vars",
2515
+ "$http_server_vars"
1812
2516
  ]
1813
2517
  },
1814
2518
  "operator": "phrase_match"
@@ -1860,7 +2564,8 @@
1860
2564
  "tags": {
1861
2565
  "type": "php_code_injection",
1862
2566
  "crs_id": "933140",
1863
- "category": "attack_attempt"
2567
+ "category": "attack_attempt",
2568
+ "confidence": "1"
1864
2569
  },
1865
2570
  "conditions": [
1866
2571
  {
@@ -1895,7 +2600,8 @@
1895
2600
  "tags": {
1896
2601
  "type": "php_code_injection",
1897
2602
  "crs_id": "933150",
1898
- "category": "attack_attempt"
2603
+ "category": "attack_attempt",
2604
+ "confidence": "1"
1899
2605
  },
1900
2606
  "conditions": [
1901
2607
  {
@@ -1993,8 +2699,9 @@
1993
2699
  "address": "grpc.server.request.message"
1994
2700
  }
1995
2701
  ],
1996
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|
read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
2702
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imaget
ype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
1997
2703
  "options": {
2704
+ "case_sensitive": true,
1998
2705
  "min_length": 5
1999
2706
  }
2000
2707
  },
@@ -2009,7 +2716,8 @@
2009
2716
  "tags": {
2010
2717
  "type": "php_code_injection",
2011
2718
  "crs_id": "933170",
2012
- "category": "attack_attempt"
2719
+ "category": "attack_attempt",
2720
+ "confidence": "1"
2013
2721
  },
2014
2722
  "conditions": [
2015
2723
  {
@@ -2067,7 +2775,7 @@
2067
2775
  "address": "grpc.server.request.message"
2068
2776
  }
2069
2777
  ],
2070
- "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://",
2778
+ "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",
2071
2779
  "options": {
2072
2780
  "case_sensitive": true,
2073
2781
  "min_length": 6
@@ -2082,7 +2790,7 @@
2082
2790
  },
2083
2791
  {
2084
2792
  "id": "crs-934-100",
2085
- "name": "Node.js Injection Attack",
2793
+ "name": "Node.js Injection Attack 1/2",
2086
2794
  "tags": {
2087
2795
  "type": "js_code_injection",
2088
2796
  "crs_id": "934100",
@@ -2105,10 +2813,10 @@
2105
2813
  "address": "grpc.server.request.message"
2106
2814
  }
2107
2815
  ],
2108
- "regex": "(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)",
2816
+ "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
2109
2817
  "options": {
2110
2818
  "case_sensitive": true,
2111
- "min_length": 5
2819
+ "min_length": 3
2112
2820
  }
2113
2821
  },
2114
2822
  "operator": "match_regex"
@@ -2117,29 +2825,18 @@
2117
2825
  "transformers": []
2118
2826
  },
2119
2827
  {
2120
- "id": "crs-941-100",
2121
- "name": "XSS Attack Detected via libinjection",
2828
+ "id": "crs-934-101",
2829
+ "name": "Node.js Injection Attack 2/2",
2122
2830
  "tags": {
2123
- "type": "xss",
2124
- "crs_id": "941100",
2125
- "category": "attack_attempt"
2831
+ "type": "js_code_injection",
2832
+ "crs_id": "934101",
2833
+ "category": "attack_attempt",
2834
+ "confidence": "1"
2126
2835
  },
2127
2836
  "conditions": [
2128
2837
  {
2129
2838
  "parameters": {
2130
2839
  "inputs": [
2131
- {
2132
- "address": "server.request.headers.no_cookies",
2133
- "key_path": [
2134
- "user-agent"
2135
- ]
2136
- },
2137
- {
2138
- "address": "server.request.headers.no_cookies",
2139
- "key_path": [
2140
- "referer"
2141
- ]
2142
- },
2143
2840
  {
2144
2841
  "address": "server.request.query"
2145
2842
  },
@@ -2152,14 +2849,17 @@
2152
2849
  {
2153
2850
  "address": "grpc.server.request.message"
2154
2851
  }
2155
- ]
2852
+ ],
2853
+ "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(",
2854
+ "options": {
2855
+ "case_sensitive": true,
2856
+ "min_length": 5
2857
+ }
2156
2858
  },
2157
- "operator": "is_xss"
2859
+ "operator": "match_regex"
2158
2860
  }
2159
2861
  ],
2160
- "transformers": [
2161
- "removeNulls"
2162
- ]
2862
+ "transformers": []
2163
2863
  },
2164
2864
  {
2165
2865
  "id": "crs-941-110",
@@ -2167,7 +2867,8 @@
2167
2867
  "tags": {
2168
2868
  "type": "xss",
2169
2869
  "crs_id": "941110",
2170
- "category": "attack_attempt"
2870
+ "category": "attack_attempt",
2871
+ "confidence": "1"
2171
2872
  },
2172
2873
  "conditions": [
2173
2874
  {
@@ -2207,7 +2908,8 @@
2207
2908
  }
2208
2909
  ],
2209
2910
  "transformers": [
2210
- "removeNulls"
2911
+ "removeNulls",
2912
+ "urlDecodeUni"
2211
2913
  ]
2212
2914
  },
2213
2915
  {
@@ -2216,7 +2918,8 @@
2216
2918
  "tags": {
2217
2919
  "type": "xss",
2218
2920
  "crs_id": "941120",
2219
- "category": "attack_attempt"
2921
+ "category": "attack_attempt",
2922
+ "confidence": "1"
2220
2923
  },
2221
2924
  "conditions": [
2222
2925
  {
@@ -2247,7 +2950,7 @@
2247
2950
  "address": "grpc.server.request.message"
2248
2951
  }
2249
2952
  ],
2250
- "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2953
+ "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2251
2954
  "options": {
2252
2955
  "min_length": 8
2253
2956
  }
@@ -2256,7 +2959,8 @@
2256
2959
  }
2257
2960
  ],
2258
2961
  "transformers": [
2259
- "removeNulls"
2962
+ "removeNulls",
2963
+ "urlDecodeUni"
2260
2964
  ]
2261
2965
  },
2262
2966
  {
@@ -2265,7 +2969,8 @@
2265
2969
  "tags": {
2266
2970
  "type": "xss",
2267
2971
  "crs_id": "941140",
2268
- "category": "attack_attempt"
2972
+ "category": "attack_attempt",
2973
+ "confidence": "1"
2269
2974
  },
2270
2975
  "conditions": [
2271
2976
  {
@@ -2305,7 +3010,56 @@
2305
3010
  }
2306
3011
  ],
2307
3012
  "transformers": [
2308
- "removeNulls"
3013
+ "removeNulls",
3014
+ "urlDecodeUni"
3015
+ ]
3016
+ },
3017
+ {
3018
+ "id": "crs-941-170",
3019
+ "name": "NoScript XSS InjectionChecker: Attribute Injection",
3020
+ "tags": {
3021
+ "type": "xss",
3022
+ "crs_id": "941170",
3023
+ "category": "attack_attempt",
3024
+ "confidence": "1"
3025
+ },
3026
+ "conditions": [
3027
+ {
3028
+ "parameters": {
3029
+ "inputs": [
3030
+ {
3031
+ "address": "server.request.headers.no_cookies",
3032
+ "key_path": [
3033
+ "user-agent"
3034
+ ]
3035
+ },
3036
+ {
3037
+ "address": "server.request.headers.no_cookies",
3038
+ "key_path": [
3039
+ "referer"
3040
+ ]
3041
+ },
3042
+ {
3043
+ "address": "server.request.query"
3044
+ },
3045
+ {
3046
+ "address": "server.request.body"
3047
+ },
3048
+ {
3049
+ "address": "server.request.path_params"
3050
+ }
3051
+ ],
3052
+ "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
3053
+ "options": {
3054
+ "min_length": 6
3055
+ }
3056
+ },
3057
+ "operator": "match_regex"
3058
+ }
3059
+ ],
3060
+ "transformers": [
3061
+ "removeNulls",
3062
+ "urlDecodeUni"
2309
3063
  ]
2310
3064
  },
2311
3065
  {
@@ -2339,8 +3093,7 @@
2339
3093
  ".parentnode",
2340
3094
  ".innerhtml",
2341
3095
  "window.location",
2342
- "-moz-binding",
2343
- "<![cdata["
3096
+ "-moz-binding"
2344
3097
  ]
2345
3098
  },
2346
3099
  "operator": "phrase_match"
@@ -2357,7 +3110,8 @@
2357
3110
  "tags": {
2358
3111
  "type": "xss",
2359
3112
  "crs_id": "941200",
2360
- "category": "attack_attempt"
3113
+ "category": "attack_attempt",
3114
+ "confidence": "1"
2361
3115
  },
2362
3116
  "conditions": [
2363
3117
  {
@@ -2395,7 +3149,8 @@
2395
3149
  "tags": {
2396
3150
  "type": "xss",
2397
3151
  "crs_id": "941210",
2398
- "category": "attack_attempt"
3152
+ "category": "attack_attempt",
3153
+ "confidence": "1"
2399
3154
  },
2400
3155
  "conditions": [
2401
3156
  {
@@ -2414,7 +3169,7 @@
2414
3169
  "address": "grpc.server.request.message"
2415
3170
  }
2416
3171
  ],
2417
- "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
3172
+ "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
2418
3173
  "options": {
2419
3174
  "case_sensitive": true,
2420
3175
  "min_length": 12
@@ -2433,7 +3188,8 @@
2433
3188
  "tags": {
2434
3189
  "type": "xss",
2435
3190
  "crs_id": "941220",
2436
- "category": "attack_attempt"
3191
+ "category": "attack_attempt",
3192
+ "confidence": "1"
2437
3193
  },
2438
3194
  "conditions": [
2439
3195
  {
@@ -2471,7 +3227,8 @@
2471
3227
  "tags": {
2472
3228
  "type": "xss",
2473
3229
  "crs_id": "941230",
2474
- "category": "attack_attempt"
3230
+ "category": "attack_attempt",
3231
+ "confidence": "1"
2475
3232
  },
2476
3233
  "conditions": [
2477
3234
  {
@@ -2508,7 +3265,8 @@
2508
3265
  "tags": {
2509
3266
  "type": "xss",
2510
3267
  "crs_id": "941240",
2511
- "category": "attack_attempt"
3268
+ "category": "attack_attempt",
3269
+ "confidence": "1"
2512
3270
  },
2513
3271
  "conditions": [
2514
3272
  {
@@ -2584,7 +3342,8 @@
2584
3342
  "tags": {
2585
3343
  "type": "xss",
2586
3344
  "crs_id": "941280",
2587
- "category": "attack_attempt"
3345
+ "category": "attack_attempt",
3346
+ "confidence": "1"
2588
3347
  },
2589
3348
  "conditions": [
2590
3349
  {
@@ -2621,7 +3380,8 @@
2621
3380
  "tags": {
2622
3381
  "type": "xss",
2623
3382
  "crs_id": "941290",
2624
- "category": "attack_attempt"
3383
+ "category": "attack_attempt",
3384
+ "confidence": "1"
2625
3385
  },
2626
3386
  "conditions": [
2627
3387
  {
@@ -2658,7 +3418,8 @@
2658
3418
  "tags": {
2659
3419
  "type": "xss",
2660
3420
  "crs_id": "941300",
2661
- "category": "attack_attempt"
3421
+ "category": "attack_attempt",
3422
+ "confidence": "1"
2662
3423
  },
2663
3424
  "conditions": [
2664
3425
  {
@@ -2695,7 +3456,8 @@
2695
3456
  "tags": {
2696
3457
  "type": "xss",
2697
3458
  "crs_id": "941350",
2698
- "category": "attack_attempt"
3459
+ "category": "attack_attempt",
3460
+ "confidence": "1"
2699
3461
  },
2700
3462
  "conditions": [
2701
3463
  {
@@ -2762,12 +3524,13 @@
2762
3524
  "transformers": []
2763
3525
  },
2764
3526
  {
2765
- "id": "crs-942-100",
2766
- "name": "SQL Injection Attack Detected via libinjection",
3527
+ "id": "crs-941-390",
3528
+ "name": "Javascript method detected",
2767
3529
  "tags": {
2768
- "type": "sql_injection",
2769
- "crs_id": "942100",
2770
- "category": "attack_attempt"
3530
+ "type": "xss",
3531
+ "crs_id": "941390",
3532
+ "category": "attack_attempt",
3533
+ "confidence": "1"
2771
3534
  },
2772
3535
  "conditions": [
2773
3536
  {
@@ -2785,21 +3548,24 @@
2785
3548
  {
2786
3549
  "address": "grpc.server.request.message"
2787
3550
  }
2788
- ]
3551
+ ],
3552
+ "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)[\\s+]*\\([^\\)]",
3553
+ "options": {
3554
+ "case_sensitive": true,
3555
+ "min_length": 5
3556
+ }
2789
3557
  },
2790
- "operator": "is_sqli"
3558
+ "operator": "match_regex"
2791
3559
  }
2792
3560
  ],
2793
- "transformers": [
2794
- "removeNulls"
2795
- ]
3561
+ "transformers": []
2796
3562
  },
2797
3563
  {
2798
- "id": "crs-942-160",
2799
- "name": "Detects blind sqli tests using sleep() or benchmark()",
3564
+ "id": "crs-942-100",
3565
+ "name": "SQL Injection Attack Detected via libinjection",
2800
3566
  "tags": {
2801
3567
  "type": "sql_injection",
2802
- "crs_id": "942160",
3568
+ "crs_id": "942100",
2803
3569
  "category": "attack_attempt"
2804
3570
  },
2805
3571
  "conditions": [
@@ -2818,25 +3584,23 @@
2818
3584
  {
2819
3585
  "address": "grpc.server.request.message"
2820
3586
  }
2821
- ],
2822
- "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2823
- "options": {
2824
- "case_sensitive": true,
2825
- "min_length": 7
2826
- }
3587
+ ]
2827
3588
  },
2828
- "operator": "match_regex"
3589
+ "operator": "is_sqli"
2829
3590
  }
2830
3591
  ],
2831
- "transformers": []
3592
+ "transformers": [
3593
+ "removeNulls"
3594
+ ]
2832
3595
  },
2833
3596
  {
2834
- "id": "crs-942-190",
2835
- "name": "Detects MSSQL code execution and information gathering attempts",
3597
+ "id": "crs-942-160",
3598
+ "name": "Detects blind sqli tests using sleep() or benchmark()",
2836
3599
  "tags": {
2837
3600
  "type": "sql_injection",
2838
- "crs_id": "942190",
2839
- "category": "attack_attempt"
3601
+ "crs_id": "942160",
3602
+ "category": "attack_attempt",
3603
+ "confidence": "1"
2840
3604
  },
2841
3605
  "conditions": [
2842
3606
  {
@@ -2855,9 +3619,10 @@
2855
3619
  "address": "grpc.server.request.message"
2856
3620
  }
2857
3621
  ],
2858
- "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
3622
+ "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2859
3623
  "options": {
2860
- "min_length": 3
3624
+ "case_sensitive": true,
3625
+ "min_length": 7
2861
3626
  }
2862
3627
  },
2863
3628
  "operator": "match_regex"
@@ -2871,7 +3636,8 @@
2871
3636
  "tags": {
2872
3637
  "type": "sql_injection",
2873
3638
  "crs_id": "942240",
2874
- "category": "attack_attempt"
3639
+ "category": "attack_attempt",
3640
+ "confidence": "1"
2875
3641
  },
2876
3642
  "conditions": [
2877
3643
  {
@@ -2977,7 +3743,8 @@
2977
3743
  "tags": {
2978
3744
  "type": "sql_injection",
2979
3745
  "crs_id": "942280",
2980
- "category": "attack_attempt"
3746
+ "category": "attack_attempt",
3747
+ "confidence": "1"
2981
3748
  },
2982
3749
  "conditions": [
2983
3750
  {
@@ -3031,10 +3798,10 @@
3031
3798
  "address": "grpc.server.request.message"
3032
3799
  }
3033
3800
  ],
3034
- "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
3801
+ "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)",
3035
3802
  "options": {
3036
3803
  "case_sensitive": true,
3037
- "min_length": 5
3804
+ "min_length": 3
3038
3805
  }
3039
3806
  },
3040
3807
  "operator": "match_regex"
@@ -3069,7 +3836,7 @@
3069
3836
  "address": "grpc.server.request.message"
3070
3837
  }
3071
3838
  ],
3072
- "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
3839
+ "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
3073
3840
  "options": {
3074
3841
  "min_length": 5
3075
3842
  }
@@ -3121,7 +3888,8 @@
3121
3888
  "tags": {
3122
3889
  "type": "http_protocol_violation",
3123
3890
  "crs_id": "943100",
3124
- "category": "attack_attempt"
3891
+ "category": "attack_attempt",
3892
+ "confidence": "1"
3125
3893
  },
3126
3894
  "conditions": [
3127
3895
  {
@@ -3154,7 +3922,8 @@
3154
3922
  "tags": {
3155
3923
  "type": "java_code_injection",
3156
3924
  "crs_id": "944100",
3157
- "category": "attack_attempt"
3925
+ "category": "attack_attempt",
3926
+ "confidence": "1"
3158
3927
  },
3159
3928
  "conditions": [
3160
3929
  {
@@ -3244,26 +4013,565 @@
3244
4013
  "address": "grpc.server.request.message"
3245
4014
  }
3246
4015
  ],
3247
- "regex": "(?:unmarshaller|base64data|java\\.)",
3248
- "options": {
3249
- "case_sensitive": true,
3250
- "min_length": 5
3251
- }
4016
+ "regex": "(?:unmarshaller|base64data|java\\.)",
4017
+ "options": {
4018
+ "case_sensitive": true,
4019
+ "min_length": 5
4020
+ }
4021
+ },
4022
+ "operator": "match_regex"
4023
+ }
4024
+ ],
4025
+ "transformers": [
4026
+ "lowercase"
4027
+ ]
4028
+ },
4029
+ {
4030
+ "id": "crs-944-130",
4031
+ "name": "Suspicious Java class detected",
4032
+ "tags": {
4033
+ "type": "java_code_injection",
4034
+ "crs_id": "944130",
4035
+ "category": "attack_attempt"
4036
+ },
4037
+ "conditions": [
4038
+ {
4039
+ "parameters": {
4040
+ "inputs": [
4041
+ {
4042
+ "address": "server.request.query"
4043
+ },
4044
+ {
4045
+ "address": "server.request.body"
4046
+ },
4047
+ {
4048
+ "address": "server.request.path_params"
4049
+ },
4050
+ {
4051
+ "address": "server.request.headers.no_cookies"
4052
+ },
4053
+ {
4054
+ "address": "grpc.server.request.message"
4055
+ }
4056
+ ],
4057
+ "list": [
4058
+ "com.opensymphony.xwork2",
4059
+ "com.sun.org.apache",
4060
+ "java.io.bufferedinputstream",
4061
+ "java.io.bufferedreader",
4062
+ "java.io.bytearrayinputstream",
4063
+ "java.io.bytearrayoutputstream",
4064
+ "java.io.chararrayreader",
4065
+ "java.io.datainputstream",
4066
+ "java.io.file",
4067
+ "java.io.fileoutputstream",
4068
+ "java.io.filepermission",
4069
+ "java.io.filewriter",
4070
+ "java.io.filterinputstream",
4071
+ "java.io.filteroutputstream",
4072
+ "java.io.filterreader",
4073
+ "java.io.inputstream",
4074
+ "java.io.inputstreamreader",
4075
+ "java.io.linenumberreader",
4076
+ "java.io.objectoutputstream",
4077
+ "java.io.outputstream",
4078
+ "java.io.pipedoutputstream",
4079
+ "java.io.pipedreader",
4080
+ "java.io.printstream",
4081
+ "java.io.pushbackinputstream",
4082
+ "java.io.reader",
4083
+ "java.io.stringreader",
4084
+ "java.lang.class",
4085
+ "java.lang.integer",
4086
+ "java.lang.number",
4087
+ "java.lang.object",
4088
+ "java.lang.process",
4089
+ "java.lang.reflect",
4090
+ "java.lang.string",
4091
+ "java.lang.stringbuilder",
4092
+ "java.lang.system",
4093
+ "javax.script.scriptenginemanager",
4094
+ "org.apache.commons",
4095
+ "org.apache.struts",
4096
+ "org.apache.struts2",
4097
+ "org.omg.corba",
4098
+ "java.beans.xmldecode"
4099
+ ]
4100
+ },
4101
+ "operator": "phrase_match"
4102
+ }
4103
+ ],
4104
+ "transformers": [
4105
+ "lowercase"
4106
+ ]
4107
+ },
4108
+ {
4109
+ "id": "crs-944-260",
4110
+ "name": "Remote Command Execution: Malicious class-loading payload",
4111
+ "tags": {
4112
+ "type": "java_code_injection",
4113
+ "crs_id": "944260",
4114
+ "category": "attack_attempt",
4115
+ "confidence": "1"
4116
+ },
4117
+ "conditions": [
4118
+ {
4119
+ "parameters": {
4120
+ "inputs": [
4121
+ {
4122
+ "address": "server.request.query"
4123
+ },
4124
+ {
4125
+ "address": "server.request.body"
4126
+ },
4127
+ {
4128
+ "address": "server.request.path_params"
4129
+ },
4130
+ {
4131
+ "address": "server.request.headers.no_cookies"
4132
+ },
4133
+ {
4134
+ "address": "grpc.server.request.message"
4135
+ }
4136
+ ],
4137
+ "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)",
4138
+ "options": {
4139
+ "case_sensitive": true,
4140
+ "min_length": 58
4141
+ }
4142
+ },
4143
+ "operator": "match_regex"
4144
+ }
4145
+ ],
4146
+ "transformers": []
4147
+ },
4148
+ {
4149
+ "id": "dog-000-001",
4150
+ "name": "Look for Cassandra injections",
4151
+ "tags": {
4152
+ "type": "nosql_injection",
4153
+ "category": "attack_attempt"
4154
+ },
4155
+ "conditions": [
4156
+ {
4157
+ "parameters": {
4158
+ "inputs": [
4159
+ {
4160
+ "address": "server.request.query"
4161
+ },
4162
+ {
4163
+ "address": "server.request.body"
4164
+ },
4165
+ {
4166
+ "address": "server.request.path_params"
4167
+ },
4168
+ {
4169
+ "address": "server.request.headers.no_cookies"
4170
+ }
4171
+ ],
4172
+ "regex": "\\ballow\\s+filtering\\b"
4173
+ },
4174
+ "operator": "match_regex"
4175
+ }
4176
+ ],
4177
+ "transformers": [
4178
+ "removeComments"
4179
+ ]
4180
+ },
4181
+ {
4182
+ "id": "dog-000-002",
4183
+ "name": "OGNL - Look for formatting injection patterns",
4184
+ "tags": {
4185
+ "type": "java_code_injection",
4186
+ "category": "attack_attempt"
4187
+ },
4188
+ "conditions": [
4189
+ {
4190
+ "operator": "match_regex",
4191
+ "parameters": {
4192
+ "inputs": [
4193
+ {
4194
+ "address": "server.request.uri.raw"
4195
+ },
4196
+ {
4197
+ "address": "server.request.query"
4198
+ },
4199
+ {
4200
+ "address": "server.request.body"
4201
+ },
4202
+ {
4203
+ "address": "server.request.path_params"
4204
+ },
4205
+ {
4206
+ "address": "grpc.server.request.message"
4207
+ }
4208
+ ],
4209
+ "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}",
4210
+ "options": {
4211
+ "case_sensitive": true
4212
+ }
4213
+ }
4214
+ }
4215
+ ],
4216
+ "transformers": []
4217
+ },
4218
+ {
4219
+ "id": "dog-000-003",
4220
+ "name": "OGNL - Detect OGNL exploitation primitives",
4221
+ "tags": {
4222
+ "type": "java_code_injection",
4223
+ "category": "attack_attempt",
4224
+ "confidence": "1"
4225
+ },
4226
+ "conditions": [
4227
+ {
4228
+ "operator": "match_regex",
4229
+ "parameters": {
4230
+ "inputs": [
4231
+ {
4232
+ "address": "server.request.query"
4233
+ },
4234
+ {
4235
+ "address": "server.request.body"
4236
+ },
4237
+ {
4238
+ "address": "server.request.path_params"
4239
+ },
4240
+ {
4241
+ "address": "server.request.headers.no_cookies"
4242
+ },
4243
+ {
4244
+ "address": "grpc.server.request.message"
4245
+ }
4246
+ ],
4247
+ "regex": "[@#]ognl",
4248
+ "options": {
4249
+ "case_sensitive": true
4250
+ }
4251
+ }
4252
+ }
4253
+ ],
4254
+ "transformers": []
4255
+ },
4256
+ {
4257
+ "id": "dog-000-004",
4258
+ "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability",
4259
+ "tags": {
4260
+ "type": "exploit_detection",
4261
+ "category": "attack_attempt",
4262
+ "confidence": "1"
4263
+ },
4264
+ "conditions": [
4265
+ {
4266
+ "operator": "match_regex",
4267
+ "parameters": {
4268
+ "inputs": [
4269
+ {
4270
+ "address": "server.request.body"
4271
+ }
4272
+ ],
4273
+ "regex": "^class\\.module\\.classLoader\\.",
4274
+ "options": {
4275
+ "case_sensitive": false
4276
+ }
4277
+ }
4278
+ }
4279
+ ],
4280
+ "transformers": [
4281
+ "keys_only"
4282
+ ]
4283
+ },
4284
+ {
4285
+ "id": "dog-000-005",
4286
+ "name": "Node.js: Prototype pollution through __proto__",
4287
+ "tags": {
4288
+ "type": "js_code_injection",
4289
+ "category": "attack_attempt",
4290
+ "confidence": "1"
4291
+ },
4292
+ "conditions": [
4293
+ {
4294
+ "parameters": {
4295
+ "inputs": [
4296
+ {
4297
+ "address": "server.request.query"
4298
+ },
4299
+ {
4300
+ "address": "server.request.body"
4301
+ }
4302
+ ],
4303
+ "regex": "^__proto__$"
4304
+ },
4305
+ "operator": "match_regex"
4306
+ }
4307
+ ],
4308
+ "transformers": [
4309
+ "keys_only"
4310
+ ]
4311
+ },
4312
+ {
4313
+ "id": "dog-000-006",
4314
+ "name": "Node.js: Prototype pollution through constructor.prototype",
4315
+ "tags": {
4316
+ "type": "js_code_injection",
4317
+ "category": "attack_attempt",
4318
+ "confidence": "1"
4319
+ },
4320
+ "conditions": [
4321
+ {
4322
+ "parameters": {
4323
+ "inputs": [
4324
+ {
4325
+ "address": "server.request.query"
4326
+ },
4327
+ {
4328
+ "address": "server.request.body"
4329
+ }
4330
+ ],
4331
+ "regex": "^constructor$"
4332
+ },
4333
+ "operator": "match_regex"
4334
+ },
4335
+ {
4336
+ "parameters": {
4337
+ "inputs": [
4338
+ {
4339
+ "address": "server.request.query"
4340
+ },
4341
+ {
4342
+ "address": "server.request.body"
4343
+ }
4344
+ ],
4345
+ "regex": "^prototype$"
4346
+ },
4347
+ "operator": "match_regex"
4348
+ }
4349
+ ],
4350
+ "transformers": [
4351
+ "keys_only"
4352
+ ]
4353
+ },
4354
+ {
4355
+ "id": "dog-000-007",
4356
+ "name": "Server side template injection: Velocity & Freemarker",
4357
+ "tags": {
4358
+ "type": "java_code_injection",
4359
+ "category": "attack_attempt",
4360
+ "confidence": "1"
4361
+ },
4362
+ "conditions": [
4363
+ {
4364
+ "parameters": {
4365
+ "inputs": [
4366
+ {
4367
+ "address": "server.request.query"
4368
+ },
4369
+ {
4370
+ "address": "server.request.body"
4371
+ },
4372
+ {
4373
+ "address": "server.request.path_params"
4374
+ },
4375
+ {
4376
+ "address": "server.request.headers.no_cookies"
4377
+ },
4378
+ {
4379
+ "address": "grpc.server.request.message"
4380
+ }
4381
+ ],
4382
+ "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>"
4383
+ },
4384
+ "operator": "match_regex"
4385
+ }
4386
+ ],
4387
+ "transformers": []
4388
+ },
4389
+ {
4390
+ "id": "dog-913-001",
4391
+ "name": "BurpCollaborator OOB domain",
4392
+ "tags": {
4393
+ "type": "security_scanner",
4394
+ "category": "attack_attempt",
4395
+ "tool_name": "BurpCollaborator",
4396
+ "confidence": "1"
4397
+ },
4398
+ "conditions": [
4399
+ {
4400
+ "parameters": {
4401
+ "inputs": [
4402
+ {
4403
+ "address": "server.request.query"
4404
+ },
4405
+ {
4406
+ "address": "server.request.body"
4407
+ },
4408
+ {
4409
+ "address": "server.request.path_params"
4410
+ },
4411
+ {
4412
+ "address": "server.request.headers.no_cookies"
4413
+ },
4414
+ {
4415
+ "address": "grpc.server.request.message"
4416
+ }
4417
+ ],
4418
+ "regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b"
4419
+ },
4420
+ "operator": "match_regex"
4421
+ }
4422
+ ],
4423
+ "transformers": []
4424
+ },
4425
+ {
4426
+ "id": "dog-913-002",
4427
+ "name": "Qualys OOB domain",
4428
+ "tags": {
4429
+ "type": "commercial_scanner",
4430
+ "category": "attack_attempt",
4431
+ "tool_name": "Qualys",
4432
+ "confidence": "0"
4433
+ },
4434
+ "conditions": [
4435
+ {
4436
+ "parameters": {
4437
+ "inputs": [
4438
+ {
4439
+ "address": "server.request.query"
4440
+ },
4441
+ {
4442
+ "address": "server.request.body"
4443
+ },
4444
+ {
4445
+ "address": "server.request.path_params"
4446
+ },
4447
+ {
4448
+ "address": "server.request.headers.no_cookies"
4449
+ },
4450
+ {
4451
+ "address": "grpc.server.request.message"
4452
+ }
4453
+ ],
4454
+ "regex": "\\bqualysperiscope\\.com\\b"
4455
+ },
4456
+ "operator": "match_regex"
4457
+ }
4458
+ ],
4459
+ "transformers": []
4460
+ },
4461
+ {
4462
+ "id": "dog-913-003",
4463
+ "name": "Probely OOB domain",
4464
+ "tags": {
4465
+ "type": "commercial_scanner",
4466
+ "category": "attack_attempt",
4467
+ "tool_name": "Probely",
4468
+ "confidence": "0"
4469
+ },
4470
+ "conditions": [
4471
+ {
4472
+ "parameters": {
4473
+ "inputs": [
4474
+ {
4475
+ "address": "server.request.query"
4476
+ },
4477
+ {
4478
+ "address": "server.request.body"
4479
+ },
4480
+ {
4481
+ "address": "server.request.path_params"
4482
+ },
4483
+ {
4484
+ "address": "server.request.headers.no_cookies"
4485
+ },
4486
+ {
4487
+ "address": "grpc.server.request.message"
4488
+ }
4489
+ ],
4490
+ "regex": "\\bprbly\\.win\\b"
4491
+ },
4492
+ "operator": "match_regex"
4493
+ }
4494
+ ],
4495
+ "transformers": []
4496
+ },
4497
+ {
4498
+ "id": "dog-913-004",
4499
+ "name": "Known malicious out-of-band interaction domain",
4500
+ "tags": {
4501
+ "type": "security_scanner",
4502
+ "category": "attack_attempt",
4503
+ "confidence": "1"
4504
+ },
4505
+ "conditions": [
4506
+ {
4507
+ "parameters": {
4508
+ "inputs": [
4509
+ {
4510
+ "address": "server.request.query"
4511
+ },
4512
+ {
4513
+ "address": "server.request.body"
4514
+ },
4515
+ {
4516
+ "address": "server.request.path_params"
4517
+ },
4518
+ {
4519
+ "address": "server.request.headers.no_cookies"
4520
+ },
4521
+ {
4522
+ "address": "grpc.server.request.message"
4523
+ }
4524
+ ],
4525
+ "regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b"
4526
+ },
4527
+ "operator": "match_regex"
4528
+ }
4529
+ ],
4530
+ "transformers": []
4531
+ },
4532
+ {
4533
+ "id": "dog-913-005",
4534
+ "name": "Known suspicious out-of-band interaction domain",
4535
+ "tags": {
4536
+ "type": "security_scanner",
4537
+ "category": "attack_attempt",
4538
+ "confidence": "0"
4539
+ },
4540
+ "conditions": [
4541
+ {
4542
+ "parameters": {
4543
+ "inputs": [
4544
+ {
4545
+ "address": "server.request.query"
4546
+ },
4547
+ {
4548
+ "address": "server.request.body"
4549
+ },
4550
+ {
4551
+ "address": "server.request.path_params"
4552
+ },
4553
+ {
4554
+ "address": "server.request.headers.no_cookies"
4555
+ },
4556
+ {
4557
+ "address": "grpc.server.request.message"
4558
+ }
4559
+ ],
4560
+ "regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b"
3252
4561
  },
3253
4562
  "operator": "match_regex"
3254
4563
  }
3255
4564
  ],
3256
- "transformers": [
3257
- "lowercase"
3258
- ]
4565
+ "transformers": []
3259
4566
  },
3260
4567
  {
3261
- "id": "crs-944-130",
3262
- "name": "Suspicious Java class detected",
4568
+ "id": "dog-913-006",
4569
+ "name": "Rapid7 OOB domain",
3263
4570
  "tags": {
3264
- "type": "java_code_injection",
3265
- "crs_id": "944130",
3266
- "category": "attack_attempt"
4571
+ "type": "commercial_scanner",
4572
+ "category": "attack_attempt",
4573
+ "tool_name": "Rapid7",
4574
+ "confidence": "0"
3267
4575
  },
3268
4576
  "conditions": [
3269
4577
  {
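Review bot: The `list` for crs-944-130 added in this hunk no longer contains `java.lang.runtime` or `java.lang.processbuilder`, both of which appear in the list this commit removes in the `@@ -3285,65 +4593,21 @@` hunk. If phrase_match is a substring test, `java.lang.process` already covers `java.lang.processbuilder`, but nothing in the new list covers `java.lang.runtime`, so detection of that class name is silently dropped. If the omission is deliberate (false-positive reduction), it is worth recording in data/CHANGELOG.md, since the rule file itself cannot carry comments; otherwise re-add `"java.lang.runtime",` after `"java.lang.reflect",`. The hunk ends inside the `conditions` array of the following rule, dog-913-006, which continues in the next hunk.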
@@ -3285,65 +4593,21 @@
3285
4593
  "address": "grpc.server.request.message"
3286
4594
  }
3287
4595
  ],
3288
- "list": [
3289
- "com.opensymphony.xwork2",
3290
- "com.sun.org.apache",
3291
- "java.io.bufferedinputstream",
3292
- "java.io.bufferedreader",
3293
- "java.io.bytearrayinputstream",
3294
- "java.io.bytearrayoutputstream",
3295
- "java.io.chararrayreader",
3296
- "java.io.datainputstream",
3297
- "java.io.file",
3298
- "java.io.fileoutputstream",
3299
- "java.io.filepermission",
3300
- "java.io.filewriter",
3301
- "java.io.filterinputstream",
3302
- "java.io.filteroutputstream",
3303
- "java.io.filterreader",
3304
- "java.io.inputstream",
3305
- "java.io.inputstreamreader",
3306
- "java.io.linenumberreader",
3307
- "java.io.objectoutputstream",
3308
- "java.io.outputstream",
3309
- "java.io.pipedoutputstream",
3310
- "java.io.pipedreader",
3311
- "java.io.printstream",
3312
- "java.io.pushbackinputstream",
3313
- "java.io.reader",
3314
- "java.io.stringreader",
3315
- "java.lang.class",
3316
- "java.lang.integer",
3317
- "java.lang.number",
3318
- "java.lang.object",
3319
- "java.lang.process",
3320
- "java.lang.processbuilder",
3321
- "java.lang.reflect",
3322
- "java.lang.runtime",
3323
- "java.lang.string",
3324
- "java.lang.stringbuilder",
3325
- "java.lang.system",
3326
- "javax.script.scriptenginemanager",
3327
- "org.apache.commons",
3328
- "org.apache.struts",
3329
- "org.apache.struts2",
3330
- "org.omg.corba",
3331
- "java.beans.xmldecode"
3332
- ]
4596
+ "regex": "\\bappspidered\\.rapid7\\."
3333
4597
  },
3334
- "operator": "phrase_match"
4598
+ "operator": "match_regex"
3335
4599
  }
3336
4600
  ],
3337
- "transformers": [
3338
- "lowercase"
3339
- ]
4601
+ "transformers": []
3340
4602
  },
3341
4603
  {
3342
- "id": "dog-000-001",
3343
- "name": "Look for Cassandra injections",
4604
+ "id": "dog-913-007",
4605
+ "name": "Interact.sh OOB domain",
3344
4606
  "tags": {
3345
- "type": "nosql_injection",
3346
- "category": "attack_attempt"
4607
+ "type": "security_scanner",
4608
+ "category": "attack_attempt",
4609
+ "tool_name": "interact.sh",
4610
+ "confidence": "1"
3347
4611
  },
3348
4612
  "conditions": [
3349
4613
  {
@@ -3360,27 +4624,28 @@
3360
4624
  },
3361
4625
  {
3362
4626
  "address": "server.request.headers.no_cookies"
4627
+ },
4628
+ {
4629
+ "address": "grpc.server.request.message"
3363
4630
  }
3364
4631
  ],
3365
- "regex": "\\ballow\\s+filtering\\b"
4632
+ "regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b"
3366
4633
  },
3367
4634
  "operator": "match_regex"
3368
4635
  }
3369
4636
  ],
3370
- "transformers": [
3371
- "removeComments"
3372
- ]
4637
+ "transformers": []
3373
4638
  },
3374
4639
  {
3375
- "id": "dog-000-002",
3376
- "name": "OGNL - Look for formatting injection patterns",
4640
+ "id": "dog-931-001",
4641
+ "name": "RFI: URL Payload to well known RFI target",
3377
4642
  "tags": {
3378
- "type": "java_code_injection",
3379
- "category": "attack_attempt"
4643
+ "type": "rfi",
4644
+ "category": "attack_attempt",
4645
+ "confidence": "1"
3380
4646
  },
3381
4647
  "conditions": [
3382
4648
  {
3383
- "operator": "match_regex",
3384
4649
  "parameters": {
3385
4650
  "inputs": [
3386
4651
  {
@@ -3391,90 +4656,94 @@
3391
4656
  },
3392
4657
  {
3393
4658
  "address": "server.request.path_params"
3394
- },
3395
- {
3396
- "address": "grpc.server.request.message"
3397
4659
  }
3398
4660
  ],
3399
- "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
4661
+ "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$",
3400
4662
  "options": {
3401
- "case_sensitive": true
4663
+ "case_sensitive": true,
4664
+ "min_length": 17
3402
4665
  }
3403
- }
4666
+ },
4667
+ "operator": "match_regex"
3404
4668
  }
3405
4669
  ],
3406
4670
  "transformers": []
3407
4671
  },
3408
4672
  {
3409
- "id": "dog-000-003",
3410
- "name": "OGNL - Detect OGNL exploitation primitives",
4673
+ "id": "dog-934-001",
4674
+ "name": "XXE - XML file loads external entity",
3411
4675
  "tags": {
3412
- "type": "java_code_injection",
3413
- "category": "attack_attempt"
4676
+ "type": "xxe",
4677
+ "category": "attack_attempt",
4678
+ "confidence": "0"
3414
4679
  },
3415
4680
  "conditions": [
3416
4681
  {
3417
- "operator": "match_regex",
3418
4682
  "parameters": {
3419
4683
  "inputs": [
3420
- {
3421
- "address": "server.request.query"
3422
- },
3423
4684
  {
3424
4685
  "address": "server.request.body"
3425
4686
  },
3426
- {
3427
- "address": "server.request.path_params"
3428
- },
3429
- {
3430
- "address": "server.request.headers.no_cookies"
3431
- },
3432
4687
  {
3433
4688
  "address": "grpc.server.request.message"
3434
4689
  }
3435
4690
  ],
3436
- "regex": "[@#]ognl",
4691
+ "regex": "(?:<\\?xml[^>]*>.*)<!ENTITY[^>]+SYSTEM\\s+[^>]+>",
3437
4692
  "options": {
3438
- "case_sensitive": true
4693
+ "case_sensitive": false,
4694
+ "min_length": 24
3439
4695
  }
3440
- }
4696
+ },
4697
+ "operator": "match_regex"
3441
4698
  }
3442
4699
  ],
3443
4700
  "transformers": []
3444
4701
  },
3445
4702
  {
3446
- "id": "dog-000-004",
3447
- "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability",
4703
+ "id": "dog-942-001",
4704
+ "name": "Blind XSS callback domains",
3448
4705
  "tags": {
3449
- "type": "exploit_detection",
3450
- "category": "attack_attempt"
4706
+ "type": "xss",
4707
+ "category": "attack_attempt",
4708
+ "confidence": "1"
3451
4709
  },
3452
4710
  "conditions": [
3453
4711
  {
3454
- "operator": "match_regex",
3455
4712
  "parameters": {
3456
4713
  "inputs": [
4714
+ {
4715
+ "address": "server.request.query"
4716
+ },
3457
4717
  {
3458
4718
  "address": "server.request.body"
4719
+ },
4720
+ {
4721
+ "address": "server.request.path_params"
4722
+ },
4723
+ {
4724
+ "address": "server.request.headers.no_cookies"
4725
+ },
4726
+ {
4727
+ "address": "grpc.server.request.message"
3459
4728
  }
3460
4729
  ],
3461
- "regex": "^class\\.module\\.classLoader\\.",
4730
+ "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)",
3462
4731
  "options": {
3463
4732
  "case_sensitive": false
3464
4733
  }
3465
- }
4734
+ },
4735
+ "operator": "match_regex"
3466
4736
  }
3467
4737
  ],
3468
- "transformers": [
3469
- "keys_only"
3470
- ]
4738
+ "transformers": []
3471
4739
  },
3472
4740
  {
3473
4741
  "id": "nfd-000-001",
3474
4742
  "name": "Detect common directory discovery scans",
3475
4743
  "tags": {
3476
4744
  "type": "security_scanner",
3477
- "category": "attack_attempt"
4745
+ "category": "attack_attempt",
4746
+ "confidence": "1"
3478
4747
  },
3479
4748
  "conditions": [
3480
4749
  {
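Review bot: In the new dog-934-001 regex the leading group `(?:<\\?xml[^>]*>.*)` is mandatory, so an `<!ENTITY … SYSTEM …>` declaration that is not preceded by an XML prolog on the same line is not matched (assuming the engine's `.` does not span newlines), which looks narrower than the rule name "XML file loads external entity" implies. If the prolog is meant as a qualifier rather than a requirement, `(?:<\\?xml[^>]*>[\\s\\S]*)?<!ENTITY[^>]+SYSTEM\\s+[^>]+>` keeps the same intent while covering both forms — confirm against the WAF's regex engine, and re-check `min_length: 24` if the prolog becomes optional since the remaining mandatory part is shorter than that. Separately, the dog-942-001 regex has no trailing `\\b` after its domain alternation, unlike the `\\b`-bounded dog-913-* patterns, so hostnames that merely start with one of the listed domains also match; presumably acceptable for this rule, but worth making deliberate. The hunk ends inside the `conditions` array of nfd-000-001.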
@@ -3708,7 +4977,8 @@
3708
4977
  "name": "Detect failed attempt to fetch readme files",
3709
4978
  "tags": {
3710
4979
  "type": "security_scanner",
3711
- "category": "attack_attempt"
4980
+ "category": "attack_attempt",
4981
+ "confidence": "1"
3712
4982
  },
3713
4983
  "conditions": [
3714
4984
  {
@@ -3747,7 +5017,8 @@
3747
5017
  "name": "Detect failed attempt to fetch Java EE resource files",
3748
5018
  "tags": {
3749
5019
  "type": "security_scanner",
3750
- "category": "attack_attempt"
5020
+ "category": "attack_attempt",
5021
+ "confidence": "1"
3751
5022
  },
3752
5023
  "conditions": [
3753
5024
  {
@@ -3786,7 +5057,8 @@
3786
5057
  "name": "Detect failed attempt to fetch code files",
3787
5058
  "tags": {
3788
5059
  "type": "security_scanner",
3789
- "category": "attack_attempt"
5060
+ "category": "attack_attempt",
5061
+ "confidence": "1"
3790
5062
  },
3791
5063
  "conditions": [
3792
5064
  {
@@ -3825,7 +5097,8 @@
3825
5097
  "name": "Detect failed attempt to fetch source code archives",
3826
5098
  "tags": {
3827
5099
  "type": "security_scanner",
3828
- "category": "attack_attempt"
5100
+ "category": "attack_attempt",
5101
+ "confidence": "1"
3829
5102
  },
3830
5103
  "conditions": [
3831
5104
  {
@@ -3864,7 +5137,8 @@
3864
5137
  "name": "Detect failed attempt to fetch sensitive files",
3865
5138
  "tags": {
3866
5139
  "type": "security_scanner",
3867
- "category": "attack_attempt"
5140
+ "category": "attack_attempt",
5141
+ "confidence": "1"
3868
5142
  },
3869
5143
  "conditions": [
3870
5144
  {
@@ -3903,7 +5177,8 @@
3903
5177
  "name": "Detect failed attempt to fetch archives",
3904
5178
  "tags": {
3905
5179
  "type": "security_scanner",
3906
- "category": "attack_attempt"
5180
+ "category": "attack_attempt",
5181
+ "confidence": "1"
3907
5182
  },
3908
5183
  "conditions": [
3909
5184
  {
@@ -3942,7 +5217,8 @@
3942
5217
  "name": "Detect failed attempt to trigger incorrect application behavior",
3943
5218
  "tags": {
3944
5219
  "type": "security_scanner",
3945
- "category": "attack_attempt"
5220
+ "category": "attack_attempt",
5221
+ "confidence": "1"
3946
5222
  },
3947
5223
  "conditions": [
3948
5224
  {
@@ -3981,7 +5257,8 @@
3981
5257
  "name": "Detect failed attempt to leak the structure of the application",
3982
5258
  "tags": {
3983
5259
  "type": "security_scanner",
3984
- "category": "attack_attempt"
5260
+ "category": "attack_attempt",
5261
+ "confidence": "1"
3985
5262
  },
3986
5263
  "conditions": [
3987
5264
  {
@@ -4020,7 +5297,8 @@
4020
5297
  "name": "SSRF: Try to access the credential manager of the main cloud services",
4021
5298
  "tags": {
4022
5299
  "type": "ssrf",
4023
- "category": "attack_attempt"
5300
+ "category": "attack_attempt",
5301
+ "confidence": "1"
4024
5302
  },
4025
5303
  "conditions": [
4026
5304
  {
@@ -4087,42 +5365,13 @@
4087
5365
  "removeNulls"
4088
5366
  ]
4089
5367
  },
4090
- {
4091
- "id": "sqr-000-007",
4092
- "name": "NoSQL: Detect common exploitation strategy",
4093
- "tags": {
4094
- "type": "nosql_injection",
4095
- "category": "attack_attempt"
4096
- },
4097
- "conditions": [
4098
- {
4099
- "parameters": {
4100
- "inputs": [
4101
- {
4102
- "address": "server.request.query"
4103
- },
4104
- {
4105
- "address": "server.request.body"
4106
- },
4107
- {
4108
- "address": "server.request.path_params"
4109
- }
4110
- ],
4111
- "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
4112
- },
4113
- "operator": "match_regex"
4114
- }
4115
- ],
4116
- "transformers": [
4117
- "keys_only"
4118
- ]
4119
- },
4120
5368
  {
4121
5369
  "id": "sqr-000-008",
4122
5370
  "name": "Windows: Detect attempts to exfiltrate .ini files",
4123
5371
  "tags": {
4124
5372
  "type": "command_injection",
4125
- "category": "attack_attempt"
5373
+ "category": "attack_attempt",
5374
+ "confidence": "1"
4126
5375
  },
4127
5376
  "conditions": [
4128
5377
  {
@@ -4156,7 +5405,8 @@
4156
5405
  "name": "Linux: Detect attempts to exfiltrate passwd files",
4157
5406
  "tags": {
4158
5407
  "type": "command_injection",
4159
- "category": "attack_attempt"
5408
+ "category": "attack_attempt",
5409
+ "confidence": "1"
4160
5410
  },
4161
5411
  "conditions": [
4162
5412
  {
@@ -4190,7 +5440,8 @@
4190
5440
  "name": "Windows: Detect attempts to timeout a shell",
4191
5441
  "tags": {
4192
5442
  "type": "command_injection",
4193
- "category": "attack_attempt"
5443
+ "category": "attack_attempt",
5444
+ "confidence": "1"
4194
5445
  },
4195
5446
  "conditions": [
4196
5447
  {
@@ -4224,7 +5475,8 @@
4224
5475
  "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)",
4225
5476
  "tags": {
4226
5477
  "type": "ssrf",
4227
- "category": "attack_attempt"
5478
+ "category": "attack_attempt",
5479
+ "confidence": "1"
4228
5480
  },
4229
5481
  "conditions": [
4230
5482
  {
@@ -4258,7 +5510,8 @@
4258
5510
  "name": "SSRF: Detect SSRF attempt on internal service",
4259
5511
  "tags": {
4260
5512
  "type": "ssrf",
4261
- "category": "attack_attempt"
5513
+ "category": "attack_attempt",
5514
+ "confidence": "0"
4262
5515
  },
4263
5516
  "conditions": [
4264
5517
  {
@@ -4277,7 +5530,7 @@
4277
5530
  "address": "grpc.server.request.message"
4278
5531
  }
4279
5532
  ],
4280
- "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"
5533
+ "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/[^:@]*)?$"
4281
5534
  },
4282
5535
  "operator": "match_regex"
4283
5536
  }
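Review bot: The replacement regex for "SSRF: Detect SSRF attempt on internal service" drops `localhost` from the host alternation and changes the tail from `(\\/.*|)$` to `(\\/[^:@]*)?$`, but neither the hunk nor the rule's name or tags explain the narrower scope, and the rule's confidence is lowered to `"0"` in the preceding hunk. If `localhost` coverage was intentionally moved or removed (for example to reduce false positives on local development traffic), a line in data/CHANGELOG.md would let operators who rely on this rule know; if not, re-adding `|localhost` to the alternation restores it. The `[^:@]` path restriction presumably targets URLs carrying userinfo-like text after the host — that rationale also belongs in the changelog, since the JSON rule file cannot hold comments. The enclosing rule object starts in the previous hunk.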
@@ -4291,7 +5544,8 @@
4291
5544
  "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation",
4292
5545
  "tags": {
4293
5546
  "type": "ssrf",
4294
- "category": "attack_attempt"
5547
+ "category": "attack_attempt",
5548
+ "confidence": "0"
4295
5549
  },
4296
5550
  "conditions": [
4297
5551
  {
@@ -4310,7 +5564,7 @@
4310
5564
  "address": "grpc.server.request.message"
4311
5565
  }
4312
5566
  ],
4313
- "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"
5567
+ "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$"
4314
5568
  },
4315
5569
  "operator": "match_regex"
4316
5570
  }
@@ -4324,7 +5578,8 @@
4324
5578
  "name": "SSRF: Detect SSRF domain redirection bypass",
4325
5579
  "tags": {
4326
5580
  "type": "ssrf",
4327
- "category": "attack_attempt"
5581
+ "category": "attack_attempt",
5582
+ "confidence": "1"
4328
5583
  },
4329
5584
  "conditions": [
4330
5585
  {
@@ -4346,21 +5601,20 @@
4346
5601
  "address": "grpc.server.request.message"
4347
5602
  }
4348
5603
  ],
4349
- "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"
5604
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii.one|act1on3.ru)"
4350
5605
  },
4351
5606
  "operator": "match_regex"
4352
5607
  }
4353
5608
  ],
4354
- "transformers": [
4355
- "lowercase"
4356
- ]
5609
+ "transformers": []
4357
5610
  },
4358
5611
  {
4359
5612
  "id": "sqr-000-015",
4360
5613
  "name": "SSRF: Detect SSRF attempt using non HTTP protocol",
4361
5614
  "tags": {
4362
5615
  "type": "ssrf",
4363
- "category": "attack_attempt"
5616
+ "category": "attack_attempt",
5617
+ "confidence": "0"
4364
5618
  },
4365
5619
  "conditions": [
4366
5620
  {
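Review bot: In the new regex for "SSRF: Detect SSRF domain redirection bypass" the last two alternatives, `vii.one|act1on3.ru`, leave their dots unescaped while every other entry in the alternation — and the same two domains in dog-913-004, `vii\\.one|act1on3\\.ru` — escapes them, so `.` matches any character there and the rule also fires on unrelated hosts. Change them to `vii\\.one|act1on3\\.ru` for consistency. The hunk also replaces the `lowercase` transformer with `[]` without adding a `case_sensitive` option; if match_regex defaults to case-insensitive in this engine that is fine, otherwise mixed-case hostnames are no longer matched — confirm. The `.*\\.[nx]ip\\.io` alternative keeps its own leading `.*` even though the new `(?:.*\\.)?` prefix already admits subdomains, so that `.*` is redundant.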
@@ -4396,7 +5650,8 @@
4396
5650
  "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228",
4397
5651
  "tags": {
4398
5652
  "type": "exploit_detection",
4399
- "category": "attack_attempt"
5653
+ "category": "attack_attempt",
5654
+ "confidence": "1"
4400
5655
  },
4401
5656
  "conditions": [
4402
5657
  {
@@ -4426,14 +5681,18 @@
4426
5681
  "operator": "match_regex"
4427
5682
  }
4428
5683
  ],
4429
- "transformers": []
5684
+ "transformers": [
5685
+ "unicode_normalize"
5686
+ ]
4430
5687
  },
4431
5688
  {
4432
5689
  "id": "ua0-600-0xx",
4433
5690
  "name": "Joomla exploitation tool",
4434
5691
  "tags": {
4435
5692
  "type": "security_scanner",
4436
- "category": "attack_attempt"
5693
+ "category": "attack_attempt",
5694
+ "tool_name": "Joomla exploitation tool",
5695
+ "confidence": "1"
4437
5696
  },
4438
5697
  "conditions": [
4439
5698
  {
@@ -4458,7 +5717,9 @@
4458
5717
  "name": "Nessus",
4459
5718
  "tags": {
4460
5719
  "type": "security_scanner",
4461
- "category": "attack_attempt"
5720
+ "category": "attack_attempt",
5721
+ "tool_name": "Nessus",
5722
+ "confidence": "1"
4462
5723
  },
4463
5724
  "conditions": [
4464
5725
  {
@@ -4483,7 +5744,9 @@
4483
5744
  "name": "Arachni",
4484
5745
  "tags": {
4485
5746
  "type": "security_scanner",
4486
- "category": "attack_attempt"
5747
+ "category": "attack_attempt",
5748
+ "tool_name": "Arachni",
5749
+ "confidence": "1"
4487
5750
  },
4488
5751
  "conditions": [
4489
5752
  {
@@ -4508,7 +5771,9 @@
4508
5771
  "name": "Jorgee",
4509
5772
  "tags": {
4510
5773
  "type": "security_scanner",
4511
- "category": "attack_attempt"
5774
+ "category": "attack_attempt",
5775
+ "tool_name": "Jorgee",
5776
+ "confidence": "1"
4512
5777
  },
4513
5778
  "conditions": [
4514
5779
  {
@@ -4532,8 +5797,10 @@
4532
5797
  "id": "ua0-600-14x",
4533
5798
  "name": "Probely",
4534
5799
  "tags": {
4535
- "type": "security_scanner",
4536
- "category": "attack_attempt"
5800
+ "type": "commercial_scanner",
5801
+ "category": "attack_attempt",
5802
+ "tool_name": "Probely",
5803
+ "confidence": "0"
4537
5804
  },
4538
5805
  "conditions": [
4539
5806
  {
@@ -4558,7 +5825,9 @@
4558
5825
  "name": "Metis",
4559
5826
  "tags": {
4560
5827
  "type": "security_scanner",
4561
- "category": "attack_attempt"
5828
+ "category": "attack_attempt",
5829
+ "tool_name": "Metis",
5830
+ "confidence": "1"
4562
5831
  },
4563
5832
  "conditions": [
4564
5833
  {
@@ -4583,7 +5852,9 @@
4583
5852
  "name": "SQL power injector",
4584
5853
  "tags": {
4585
5854
  "type": "security_scanner",
4586
- "category": "attack_attempt"
5855
+ "category": "attack_attempt",
5856
+ "tool_name": "SQLPowerInjector",
5857
+ "confidence": "1"
4587
5858
  },
4588
5859
  "conditions": [
4589
5860
  {
@@ -4604,61 +5875,13 @@
4604
5875
  "transformers": []
4605
5876
  },
4606
5877
  {
4607
- "id": "ua0-600-18x",
4608
- "name": "N-Stealth",
4609
- "tags": {
4610
- "type": "security_scanner",
4611
- "category": "attack_attempt"
4612
- },
4613
- "conditions": [
4614
- {
4615
- "parameters": {
4616
- "inputs": [
4617
- {
4618
- "address": "server.request.headers.no_cookies",
4619
- "key_path": [
4620
- "user-agent"
4621
- ]
4622
- }
4623
- ],
4624
- "regex": "(?i)\\bn-stealth\\b"
4625
- },
4626
- "operator": "match_regex"
4627
- }
4628
- ],
4629
- "transformers": []
4630
- },
4631
- {
4632
- "id": "ua0-600-19x",
4633
- "name": "Brutus",
4634
- "tags": {
4635
- "type": "security_scanner",
4636
- "category": "attack_attempt"
4637
- },
4638
- "conditions": [
4639
- {
4640
- "parameters": {
4641
- "inputs": [
4642
- {
4643
- "address": "server.request.headers.no_cookies",
4644
- "key_path": [
4645
- "user-agent"
4646
- ]
4647
- }
4648
- ],
4649
- "regex": "(?i)\\bbrutus\\b"
4650
- },
4651
- "operator": "match_regex"
4652
- }
4653
- ],
4654
- "transformers": []
4655
- },
4656
- {
4657
- "id": "ua0-600-1xx",
4658
- "name": "Shellshock exploitation tool",
5878
+ "id": "ua0-600-18x",
5879
+ "name": "N-Stealth",
4659
5880
  "tags": {
4660
5881
  "type": "security_scanner",
4661
- "category": "attack_attempt"
5882
+ "category": "attack_attempt",
5883
+ "tool_name": "N-Stealth",
5884
+ "confidence": "1"
4662
5885
  },
4663
5886
  "conditions": [
4664
5887
  {
@@ -4671,7 +5894,7 @@
4671
5894
  ]
4672
5895
  }
4673
5896
  ],
4674
- "regex": "\\(\\) \\{ :; *\\}"
5897
+ "regex": "(?i)\\bn-stealth\\b"
4675
5898
  },
4676
5899
  "operator": "match_regex"
4677
5900
  }
@@ -4679,11 +5902,13 @@
4679
5902
  "transformers": []
4680
5903
  },
4681
5904
  {
4682
- "id": "ua0-600-20x",
4683
- "name": "Netsparker",
5905
+ "id": "ua0-600-19x",
5906
+ "name": "Brutus",
4684
5907
  "tags": {
4685
5908
  "type": "security_scanner",
4686
- "category": "attack_attempt"
5909
+ "category": "attack_attempt",
5910
+ "tool_name": "Brutus",
5911
+ "confidence": "1"
4687
5912
  },
4688
5913
  "conditions": [
4689
5914
  {
@@ -4696,7 +5921,7 @@
4696
5921
  ]
4697
5922
  }
4698
5923
  ],
4699
- "regex": "(?i)(<script>netsparker\\(0x0|ns:netsparker.*=vuln)"
5924
+ "regex": "(?i)\\bbrutus\\b"
4700
5925
  },
4701
5926
  "operator": "match_regex"
4702
5927
  }
@@ -4704,11 +5929,13 @@
4704
5929
  "transformers": []
4705
5930
  },
4706
5931
  {
4707
- "id": "ua0-600-22x",
4708
- "name": "JAASCois",
5932
+ "id": "ua0-600-1xx",
5933
+ "name": "Shellshock exploitation tool",
4709
5934
  "tags": {
4710
5935
  "type": "security_scanner",
4711
- "category": "attack_attempt"
5936
+ "category": "attack_attempt",
5937
+ "tool_name": "Shellshock",
5938
+ "confidence": "1"
4712
5939
  },
4713
5940
  "conditions": [
4714
5941
  {
@@ -4721,7 +5948,7 @@
4721
5948
  ]
4722
5949
  }
4723
5950
  ],
4724
- "regex": "(?i)\\bjaascois\\b"
5951
+ "regex": "\\(\\) \\{ :; *\\}"
4725
5952
  },
4726
5953
  "operator": "match_regex"
4727
5954
  }
@@ -4729,11 +5956,13 @@
4729
5956
  "transformers": []
4730
5957
  },
4731
5958
  {
4732
- "id": "ua0-600-23x",
4733
- "name": "PMAFind",
5959
+ "id": "ua0-600-20x",
5960
+ "name": "Netsparker",
4734
5961
  "tags": {
4735
- "type": "security_scanner",
4736
- "category": "attack_attempt"
5962
+ "type": "commercial_scanner",
5963
+ "category": "attack_attempt",
5964
+ "tool_name": "Netsparker",
5965
+ "confidence": "0"
4737
5966
  },
4738
5967
  "conditions": [
4739
5968
  {
@@ -4746,7 +5975,7 @@
4746
5975
  ]
4747
5976
  }
4748
5977
  ],
4749
- "regex": "(?i)\\bpmafind\\b"
5978
+ "regex": "\\bnetsparker\\b"
4750
5979
  },
4751
5980
  "operator": "match_regex"
4752
5981
  }
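Review bot: The replacement pattern `"regex": "\\bnetsparker\\b"` on the new side of this hunk drops the `(?i)` flag that both the old pattern and the neighbouring rules (`(?i)\\bjaascois\\b`, `(?i)\\bbrutus\\b`) carry. Whether that changes behaviour depends on the engine's default for `match_regex`, which this file does not show: if matching is case-sensitive by default, the capitalised form `Netsparker` that the product itself presumably sends would no longer match, and the same question applies to the later additions `\\bwfuzz\\b`, `\\bdetectify\\b` and `^wpscan\\b`. I would either restore the flag, `"regex": "(?i)\\bnetsparker\\b"`, or confirm the engine's case-insensitive default so the two regex styles in this file are known to be equivalent. The Netsparker rule's `id` and `inputs` are in context lines above this hunk.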
@@ -4754,11 +5983,13 @@
4754
5983
  "transformers": []
4755
5984
  },
4756
5985
  {
4757
- "id": "ua0-600-25x",
4758
- "name": "Webtrends",
5986
+ "id": "ua0-600-22x",
5987
+ "name": "JAASCois",
4759
5988
  "tags": {
4760
5989
  "type": "security_scanner",
4761
- "category": "attack_attempt"
5990
+ "category": "attack_attempt",
5991
+ "tool_name": "JAASCois",
5992
+ "confidence": "1"
4762
5993
  },
4763
5994
  "conditions": [
4764
5995
  {
@@ -4771,7 +6002,7 @@
4771
6002
  ]
4772
6003
  }
4773
6004
  ],
4774
- "regex": "webtrends security analyzer"
6005
+ "regex": "(?i)\\bjaascois\\b"
4775
6006
  },
4776
6007
  "operator": "match_regex"
4777
6008
  }
@@ -4783,7 +6014,9 @@
4783
6014
  "name": "Nsauditor",
4784
6015
  "tags": {
4785
6016
  "type": "security_scanner",
4786
- "category": "attack_attempt"
6017
+ "category": "attack_attempt",
6018
+ "tool_name": "Nsauditor",
6019
+ "confidence": "1"
4787
6020
  },
4788
6021
  "conditions": [
4789
6022
  {
@@ -4808,7 +6041,9 @@
4808
6041
  "name": "Paros",
4809
6042
  "tags": {
4810
6043
  "type": "security_scanner",
4811
- "category": "attack_attempt"
6044
+ "category": "attack_attempt",
6045
+ "tool_name": "Paros",
6046
+ "confidence": "1"
4812
6047
  },
4813
6048
  "conditions": [
4814
6049
  {
@@ -4833,7 +6068,9 @@
4833
6068
  "name": "DirBuster",
4834
6069
  "tags": {
4835
6070
  "type": "security_scanner",
4836
- "category": "attack_attempt"
6071
+ "category": "attack_attempt",
6072
+ "tool_name": "DirBuster",
6073
+ "confidence": "1"
4837
6074
  },
4838
6075
  "conditions": [
4839
6076
  {
@@ -4858,7 +6095,9 @@
4858
6095
  "name": "Pangolin",
4859
6096
  "tags": {
4860
6097
  "type": "security_scanner",
4861
- "category": "attack_attempt"
6098
+ "category": "attack_attempt",
6099
+ "tool_name": "Pangolin",
6100
+ "confidence": "1"
4862
6101
  },
4863
6102
  "conditions": [
4864
6103
  {
@@ -4882,8 +6121,10 @@
4882
6121
  "id": "ua0-600-2xx",
4883
6122
  "name": "Qualys",
4884
6123
  "tags": {
4885
- "type": "security_scanner",
4886
- "category": "attack_attempt"
6124
+ "type": "commercial_scanner",
6125
+ "category": "attack_attempt",
6126
+ "tool_name": "Qualys",
6127
+ "confidence": "0"
4887
6128
  },
4888
6129
  "conditions": [
4889
6130
  {
@@ -4908,7 +6149,9 @@
4908
6149
  "name": "SQLNinja",
4909
6150
  "tags": {
4910
6151
  "type": "security_scanner",
4911
- "category": "attack_attempt"
6152
+ "category": "attack_attempt",
6153
+ "tool_name": "SQLNinja",
6154
+ "confidence": "1"
4912
6155
  },
4913
6156
  "conditions": [
4914
6157
  {
@@ -4933,7 +6176,9 @@
4933
6176
  "name": "Nikto",
4934
6177
  "tags": {
4935
6178
  "type": "security_scanner",
4936
- "category": "attack_attempt"
6179
+ "category": "attack_attempt",
6180
+ "tool_name": "Nikto",
6181
+ "confidence": "1"
4937
6182
  },
4938
6183
  "conditions": [
4939
6184
  {
@@ -4953,37 +6198,14 @@
4953
6198
  ],
4954
6199
  "transformers": []
4955
6200
  },
4956
- {
4957
- "id": "ua0-600-32x",
4958
- "name": "WebInspect",
4959
- "tags": {
4960
- "type": "security_scanner",
4961
- "category": "attack_attempt"
4962
- },
4963
- "conditions": [
4964
- {
4965
- "parameters": {
4966
- "inputs": [
4967
- {
4968
- "address": "server.request.headers.no_cookies",
4969
- "key_path": [
4970
- "user-agent"
4971
- ]
4972
- }
4973
- ],
4974
- "regex": "(?i)\\bwebinspect\\b"
4975
- },
4976
- "operator": "match_regex"
4977
- }
4978
- ],
4979
- "transformers": []
4980
- },
4981
6201
  {
4982
6202
  "id": "ua0-600-33x",
4983
6203
  "name": "BlackWidow",
4984
6204
  "tags": {
4985
6205
  "type": "security_scanner",
4986
- "category": "attack_attempt"
6206
+ "category": "attack_attempt",
6207
+ "tool_name": "BlackWidow",
6208
+ "confidence": "1"
4987
6209
  },
4988
6210
  "conditions": [
4989
6211
  {
@@ -5008,7 +6230,9 @@
5008
6230
  "name": "Grendel-Scan",
5009
6231
  "tags": {
5010
6232
  "type": "security_scanner",
5011
- "category": "attack_attempt"
6233
+ "category": "attack_attempt",
6234
+ "tool_name": "Grendel-Scan",
6235
+ "confidence": "1"
5012
6236
  },
5013
6237
  "conditions": [
5014
6238
  {
@@ -5033,7 +6257,9 @@
5033
6257
  "name": "Havij",
5034
6258
  "tags": {
5035
6259
  "type": "security_scanner",
5036
- "category": "attack_attempt"
6260
+ "category": "attack_attempt",
6261
+ "tool_name": "Havij",
6262
+ "confidence": "1"
5037
6263
  },
5038
6264
  "conditions": [
5039
6265
  {
@@ -5058,7 +6284,9 @@
5058
6284
  "name": "w3af",
5059
6285
  "tags": {
5060
6286
  "type": "security_scanner",
5061
- "category": "attack_attempt"
6287
+ "category": "attack_attempt",
6288
+ "tool_name": "w3af",
6289
+ "confidence": "1"
5062
6290
  },
5063
6291
  "conditions": [
5064
6292
  {
@@ -5083,7 +6311,9 @@
5083
6311
  "name": "Nmap",
5084
6312
  "tags": {
5085
6313
  "type": "security_scanner",
5086
- "category": "attack_attempt"
6314
+ "category": "attack_attempt",
6315
+ "tool_name": "Nmap",
6316
+ "confidence": "1"
5087
6317
  },
5088
6318
  "conditions": [
5089
6319
  {
@@ -5108,7 +6338,9 @@
5108
6338
  "name": "Nessus Scripted",
5109
6339
  "tags": {
5110
6340
  "type": "security_scanner",
5111
- "category": "attack_attempt"
6341
+ "category": "attack_attempt",
6342
+ "tool_name": "Nessus",
6343
+ "confidence": "1"
5112
6344
  },
5113
6345
  "conditions": [
5114
6346
  {
@@ -5121,7 +6353,7 @@
5121
6353
  ]
5122
6354
  }
5123
6355
  ],
5124
- "regex": "(?i)^'?[a-z0-9]+\\.nasl'?$"
6356
+ "regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$"
5125
6357
  },
5126
6358
  "operator": "match_regex"
5127
6359
  }
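Review bot: The widened class in `"regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$"` now accepts underscores but still rejects a hyphen in the stem, so a plugin name containing `-` before `.nasl` would not match; if I recall correctly some Nessus plugin files are named that way (the Microsoft bulletin checks such as `smb_nt_ms08-067.nasl`), which is worth confirming against a plugin list before relying on this rule. If so, `"regex": "(?i)^'?[a-z0-9_-]+\\.nasl'?$"` covers them while keeping the pattern fully anchored. The Nessus rule's `id` and `inputs` are in context lines outside this hunk.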
@@ -5133,7 +6365,9 @@
5133
6365
  "name": "Evil Scanner",
5134
6366
  "tags": {
5135
6367
  "type": "security_scanner",
5136
- "category": "attack_attempt"
6368
+ "category": "attack_attempt",
6369
+ "tool_name": "EvilScanner",
6370
+ "confidence": "1"
5137
6371
  },
5138
6372
  "conditions": [
5139
6373
  {
@@ -5158,7 +6392,9 @@
5158
6392
  "name": "WebFuck",
5159
6393
  "tags": {
5160
6394
  "type": "security_scanner",
5161
- "category": "attack_attempt"
6395
+ "category": "attack_attempt",
6396
+ "tool_name": "WebFuck",
6397
+ "confidence": "1"
5162
6398
  },
5163
6399
  "conditions": [
5164
6400
  {
@@ -5183,7 +6419,9 @@
5183
6419
  "name": "OpenVAS",
5184
6420
  "tags": {
5185
6421
  "type": "security_scanner",
5186
- "category": "attack_attempt"
6422
+ "category": "attack_attempt",
6423
+ "tool_name": "OpenVAS",
6424
+ "confidence": "1"
5187
6425
  },
5188
6426
  "conditions": [
5189
6427
  {
@@ -5208,7 +6446,9 @@
5208
6446
  "name": "Spider-Pig",
5209
6447
  "tags": {
5210
6448
  "type": "security_scanner",
5211
- "category": "attack_attempt"
6449
+ "category": "attack_attempt",
6450
+ "tool_name": "Spider-Pig",
6451
+ "confidence": "1"
5212
6452
  },
5213
6453
  "conditions": [
5214
6454
  {
@@ -5233,7 +6473,9 @@
5233
6473
  "name": "Zgrab",
5234
6474
  "tags": {
5235
6475
  "type": "security_scanner",
5236
- "category": "attack_attempt"
6476
+ "category": "attack_attempt",
6477
+ "tool_name": "Zgrab",
6478
+ "confidence": "1"
5237
6479
  },
5238
6480
  "conditions": [
5239
6481
  {
@@ -5258,7 +6500,9 @@
5258
6500
  "name": "Zmeu",
5259
6501
  "tags": {
5260
6502
  "type": "security_scanner",
5261
- "category": "attack_attempt"
6503
+ "category": "attack_attempt",
6504
+ "tool_name": "Zmeu",
6505
+ "confidence": "1"
5262
6506
  },
5263
6507
  "conditions": [
5264
6508
  {
@@ -5278,37 +6522,14 @@
5278
6522
  ],
5279
6523
  "transformers": []
5280
6524
  },
5281
- {
5282
- "id": "ua0-600-46x",
5283
- "name": "Crowdstrike",
5284
- "tags": {
5285
- "type": "security_scanner",
5286
- "category": "attack_attempt"
5287
- },
5288
- "conditions": [
5289
- {
5290
- "parameters": {
5291
- "inputs": [
5292
- {
5293
- "address": "server.request.headers.no_cookies",
5294
- "key_path": [
5295
- "user-agent"
5296
- ]
5297
- }
5298
- ],
5299
- "regex": "(?i)\\bcrowdstrike\\b"
5300
- },
5301
- "operator": "match_regex"
5302
- }
5303
- ],
5304
- "transformers": []
5305
- },
5306
6525
  {
5307
6526
  "id": "ua0-600-47x",
5308
6527
  "name": "GoogleSecurityScanner",
5309
6528
  "tags": {
5310
- "type": "security_scanner",
5311
- "category": "attack_attempt"
6529
+ "type": "commercial_scanner",
6530
+ "category": "attack_attempt",
6531
+ "tool_name": "GoogleSecurityScanner",
6532
+ "confidence": "0"
5312
6533
  },
5313
6534
  "conditions": [
5314
6535
  {
@@ -5333,7 +6554,9 @@
5333
6554
  "name": "Commix",
5334
6555
  "tags": {
5335
6556
  "type": "security_scanner",
5336
- "category": "attack_attempt"
6557
+ "category": "attack_attempt",
6558
+ "tool_name": "Commix",
6559
+ "confidence": "1"
5337
6560
  },
5338
6561
  "conditions": [
5339
6562
  {
@@ -5358,7 +6581,9 @@
5358
6581
  "name": "Gobuster",
5359
6582
  "tags": {
5360
6583
  "type": "security_scanner",
5361
- "category": "attack_attempt"
6584
+ "category": "attack_attempt",
6585
+ "tool_name": "Gobuster",
6586
+ "confidence": "1"
5362
6587
  },
5363
6588
  "conditions": [
5364
6589
  {
@@ -5383,7 +6608,9 @@
5383
6608
  "name": "CGIchk",
5384
6609
  "tags": {
5385
6610
  "type": "security_scanner",
5386
- "category": "attack_attempt"
6611
+ "category": "attack_attempt",
6612
+ "tool_name": "CGIchk",
6613
+ "confidence": "1"
5387
6614
  },
5388
6615
  "conditions": [
5389
6616
  {
@@ -5408,7 +6635,9 @@
5408
6635
  "name": "FFUF",
5409
6636
  "tags": {
5410
6637
  "type": "security_scanner",
5411
- "category": "attack_attempt"
6638
+ "category": "attack_attempt",
6639
+ "tool_name": "FFUF",
6640
+ "confidence": "1"
5412
6641
  },
5413
6642
  "conditions": [
5414
6643
  {
@@ -5433,7 +6662,9 @@
5433
6662
  "name": "Nuclei",
5434
6663
  "tags": {
5435
6664
  "type": "security_scanner",
5436
- "category": "attack_attempt"
6665
+ "category": "attack_attempt",
6666
+ "tool_name": "Nuclei",
6667
+ "confidence": "1"
5437
6668
  },
5438
6669
  "conditions": [
5439
6670
  {
@@ -5458,7 +6689,9 @@
5458
6689
  "name": "Tsunami",
5459
6690
  "tags": {
5460
6691
  "type": "security_scanner",
5461
- "category": "attack_attempt"
6692
+ "category": "attack_attempt",
6693
+ "tool_name": "Tsunami",
6694
+ "confidence": "1"
5462
6695
  },
5463
6696
  "conditions": [
5464
6697
  {
@@ -5483,7 +6716,9 @@
5483
6716
  "name": "Nimbostratus",
5484
6717
  "tags": {
5485
6718
  "type": "security_scanner",
5486
- "category": "attack_attempt"
6719
+ "category": "attack_attempt",
6720
+ "tool_name": "Nimbostratus",
6721
+ "confidence": "1"
5487
6722
  },
5488
6723
  "conditions": [
5489
6724
  {
@@ -5508,7 +6743,42 @@
5508
6743
  "name": "Datadog test scanner: user-agent",
5509
6744
  "tags": {
5510
6745
  "type": "security_scanner",
5511
- "category": "attack_attempt"
6746
+ "category": "attack_attempt",
6747
+ "tool_name": "Datadog Canary Test",
6748
+ "confidence": "1"
6749
+ },
6750
+ "conditions": [
6751
+ {
6752
+ "parameters": {
6753
+ "inputs": [
6754
+ {
6755
+ "address": "server.request.headers.no_cookies",
6756
+ "key_path": [
6757
+ "user-agent"
6758
+ ]
6759
+ },
6760
+ {
6761
+ "address": "grpc.server.request.metadata",
6762
+ "key_path": [
6763
+ "dd-canary"
6764
+ ]
6765
+ }
6766
+ ],
6767
+ "regex": "^dd-test-scanner-log(?:$|/|\\s)"
6768
+ },
6769
+ "operator": "match_regex"
6770
+ }
6771
+ ],
6772
+ "transformers": []
6773
+ },
6774
+ {
6775
+ "id": "ua0-600-56x",
6776
+ "name": "Datadog test scanner - blocking version: user-agent",
6777
+ "tags": {
6778
+ "type": "security_scanner",
6779
+ "category": "attack_attempt",
6780
+ "tool_name": "Datadog Canary Test",
6781
+ "confidence": "1"
5512
6782
  },
5513
6783
  "conditions": [
5514
6784
  {
@@ -5527,7 +6797,91 @@
5527
6797
  ]
5528
6798
  }
5529
6799
  ],
5530
- "regex": "^dd-test-scanner-log$"
6800
+ "regex": "^dd-test-scanner-log-block(?:$|/|\\s)"
6801
+ },
6802
+ "operator": "match_regex"
6803
+ }
6804
+ ],
6805
+ "transformers": [],
6806
+ "on_match": [
6807
+ "block"
6808
+ ]
6809
+ },
6810
+ {
6811
+ "id": "ua0-600-57x",
6812
+ "name": "AlertLogic",
6813
+ "tags": {
6814
+ "type": "commercial_scanner",
6815
+ "category": "attack_attempt",
6816
+ "tool_name": "AlertLogic",
6817
+ "confidence": "0"
6818
+ },
6819
+ "conditions": [
6820
+ {
6821
+ "parameters": {
6822
+ "inputs": [
6823
+ {
6824
+ "address": "server.request.headers.no_cookies",
6825
+ "key_path": [
6826
+ "user-agent"
6827
+ ]
6828
+ }
6829
+ ],
6830
+ "regex": "\\bAlertLogic-MDR-"
6831
+ },
6832
+ "operator": "match_regex"
6833
+ }
6834
+ ],
6835
+ "transformers": []
6836
+ },
6837
+ {
6838
+ "id": "ua0-600-58x",
6839
+ "name": "wfuzz",
6840
+ "tags": {
6841
+ "type": "security_scanner",
6842
+ "category": "attack_attempt",
6843
+ "tool_name": "wfuzz",
6844
+ "confidence": "1"
6845
+ },
6846
+ "conditions": [
6847
+ {
6848
+ "parameters": {
6849
+ "inputs": [
6850
+ {
6851
+ "address": "server.request.headers.no_cookies",
6852
+ "key_path": [
6853
+ "user-agent"
6854
+ ]
6855
+ }
6856
+ ],
6857
+ "regex": "\\bwfuzz\\b"
6858
+ },
6859
+ "operator": "match_regex"
6860
+ }
6861
+ ],
6862
+ "transformers": []
6863
+ },
6864
+ {
6865
+ "id": "ua0-600-59x",
6866
+ "name": "Detectify",
6867
+ "tags": {
6868
+ "type": "commercial_scanner",
6869
+ "category": "attack_attempt",
6870
+ "tool_name": "Detectify",
6871
+ "confidence": "0"
6872
+ },
6873
+ "conditions": [
6874
+ {
6875
+ "parameters": {
6876
+ "inputs": [
6877
+ {
6878
+ "address": "server.request.headers.no_cookies",
6879
+ "key_path": [
6880
+ "user-agent"
6881
+ ]
6882
+ }
6883
+ ],
6884
+ "regex": "\\bdetectify\\b"
5531
6885
  },
5532
6886
  "operator": "match_regex"
5533
6887
  }
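Review bot: `ua0-600-56x` is the only rule in this section with `"on_match": ["block"]`, and it fires on a value every client controls, so any request whose User-Agent starts with `dd-test-scanner-log-block` is blocked wherever this ruleset is deployed; that is presumably the intent of a blocking canary, but nothing except the rule's name says so, and I would make it explicit, e.g. `"name": "Datadog test scanner - blocking version: user-agent (canary for the block path, not a scanner signature)"`. The two canary regexes do not overlap, since `(?:$|/|\\s)` after `log` excludes the `-block` suffix, which is good. The non-blocking `Datadog test scanner: user-agent` rule in the previous hunk gained a `grpc.server.request.metadata` / `dd-canary` input, while this rule's `inputs` sit in context lines outside the hunk, so I cannot tell whether the blocking variant received the same input; if it did not, the block path cannot be exercised over gRPC. The `ua0-600-56x` rule begins in the previous hunk.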
@@ -5539,7 +6893,9 @@
5539
6893
  "name": "Blind SQL Injection Brute Forcer",
5540
6894
  "tags": {
5541
6895
  "type": "security_scanner",
5542
- "category": "attack_attempt"
6896
+ "category": "attack_attempt",
6897
+ "tool_name": "BSQLBF",
6898
+ "confidence": "1"
5543
6899
  },
5544
6900
  "conditions": [
5545
6901
  {
@@ -5559,12 +6915,94 @@
5559
6915
  ],
5560
6916
  "transformers": []
5561
6917
  },
6918
+ {
6919
+ "id": "ua0-600-60x",
6920
+ "name": "masscan",
6921
+ "tags": {
6922
+ "type": "security_scanner",
6923
+ "category": "attack_attempt",
6924
+ "tool_name": "masscan",
6925
+ "confidence": "1"
6926
+ },
6927
+ "conditions": [
6928
+ {
6929
+ "parameters": {
6930
+ "inputs": [
6931
+ {
6932
+ "address": "server.request.headers.no_cookies",
6933
+ "key_path": [
6934
+ "user-agent"
6935
+ ]
6936
+ }
6937
+ ],
6938
+ "regex": "^masscan/"
6939
+ },
6940
+ "operator": "match_regex"
6941
+ }
6942
+ ],
6943
+ "transformers": []
6944
+ },
6945
+ {
6946
+ "id": "ua0-600-61x",
6947
+ "name": "WPScan",
6948
+ "tags": {
6949
+ "type": "security_scanner",
6950
+ "category": "attack_attempt",
6951
+ "tool_name": "WPScan",
6952
+ "confidence": "1"
6953
+ },
6954
+ "conditions": [
6955
+ {
6956
+ "parameters": {
6957
+ "inputs": [
6958
+ {
6959
+ "address": "server.request.headers.no_cookies",
6960
+ "key_path": [
6961
+ "user-agent"
6962
+ ]
6963
+ }
6964
+ ],
6965
+ "regex": "^wpscan\\b"
6966
+ },
6967
+ "operator": "match_regex"
6968
+ }
6969
+ ],
6970
+ "transformers": []
6971
+ },
6972
+ {
6973
+ "id": "ua0-600-62x",
6974
+ "name": "Aon pentesting services",
6975
+ "tags": {
6976
+ "type": "commercial_scanner",
6977
+ "category": "attack_attempt",
6978
+ "tool_name": "Aon",
6979
+ "confidence": "0"
6980
+ },
6981
+ "conditions": [
6982
+ {
6983
+ "parameters": {
6984
+ "inputs": [
6985
+ {
6986
+ "address": "server.request.headers.no_cookies",
6987
+ "key_path": [
6988
+ "user-agent"
6989
+ ]
6990
+ }
6991
+ ],
6992
+ "regex": "^Aon/"
6993
+ },
6994
+ "operator": "match_regex"
6995
+ }
6996
+ ],
6997
+ "transformers": []
6998
+ },
5562
6999
  {
5563
7000
  "id": "ua0-600-6xx",
5564
- "name": "Suspicious user agent",
7001
+ "name": "Stealthy scanner",
5565
7002
  "tags": {
5566
7003
  "type": "security_scanner",
5567
- "category": "attack_attempt"
7004
+ "category": "attack_attempt",
7005
+ "confidence": "1"
5568
7006
  },
5569
7007
  "conditions": [
5570
7008
  {
@@ -5589,7 +7027,9 @@
5589
7027
  "name": "SQLmap",
5590
7028
  "tags": {
5591
7029
  "type": "security_scanner",
5592
- "category": "attack_attempt"
7030
+ "category": "attack_attempt",
7031
+ "tool_name": "SQLmap",
7032
+ "confidence": "1"
5593
7033
  },
5594
7034
  "conditions": [
5595
7035
  {
@@ -5614,7 +7054,9 @@
5614
7054
  "name": "Skipfish",
5615
7055
  "tags": {
5616
7056
  "type": "security_scanner",
5617
- "category": "attack_attempt"
7057
+ "category": "attack_attempt",
7058
+ "tool_name": "Skipfish",
7059
+ "confidence": "1"
5618
7060
  },
5619
7061
  "conditions": [
5620
7062
  {
@@ -5635,4 +7077,4 @@
5635
7077
  "transformers": []
5636
7078
  }
5637
7079
  ]
5638
- }
7080
+ }