ddtrace 1.11.1 → 1.12.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (113) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +73 -1
  3. data/ext/ddtrace_profiling_native_extension/NativeExtensionDesign.md +6 -4
  4. data/ext/ddtrace_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +34 -16
  5. data/ext/ddtrace_profiling_native_extension/extconf.rb +19 -3
  6. data/ext/ddtrace_profiling_native_extension/native_extension_helpers.rb +2 -2
  7. data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c +38 -4
  8. data/lib/datadog/appsec/assets/waf_rules/recommended.json +489 -133
  9. data/lib/datadog/appsec/assets/waf_rules/strict.json +2 -47
  10. data/lib/datadog/appsec/configuration/settings.rb +2 -10
  11. data/lib/datadog/appsec/configuration.rb +3 -9
  12. data/lib/datadog/appsec/contrib/rack/ext.rb +0 -1
  13. data/lib/datadog/appsec/contrib/rack/gateway/request.rb +17 -3
  14. data/lib/datadog/appsec/contrib/rack/gateway/response.rb +3 -3
  15. data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +27 -45
  16. data/lib/datadog/appsec/contrib/rack/integration.rb +0 -5
  17. data/lib/datadog/appsec/contrib/rack/reactive/request.rb +7 -1
  18. data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +1 -1
  19. data/lib/datadog/appsec/contrib/rack/request_middleware.rb +34 -26
  20. data/lib/datadog/appsec/contrib/rails/ext.rb +0 -1
  21. data/lib/datadog/appsec/contrib/rails/framework.rb +1 -13
  22. data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +9 -27
  23. data/lib/datadog/appsec/contrib/rails/integration.rb +0 -5
  24. data/lib/datadog/appsec/contrib/rails/patcher.rb +1 -1
  25. data/lib/datadog/appsec/contrib/sinatra/ext.rb +0 -1
  26. data/lib/datadog/appsec/contrib/sinatra/framework.rb +1 -13
  27. data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +18 -36
  28. data/lib/datadog/appsec/contrib/sinatra/integration.rb +0 -5
  29. data/lib/datadog/appsec/contrib/sinatra/patcher.rb +5 -4
  30. data/lib/datadog/appsec/event.rb +37 -37
  31. data/lib/datadog/appsec/ext.rb +1 -0
  32. data/lib/datadog/appsec/extensions.rb +2 -6
  33. data/lib/datadog/appsec/monitor/gateway/watcher.rb +9 -28
  34. data/lib/datadog/appsec/processor/rule_merger.rb +13 -7
  35. data/lib/datadog/appsec/processor.rb +0 -45
  36. data/lib/datadog/appsec/remote.rb +6 -0
  37. data/lib/datadog/appsec/response.rb +13 -9
  38. data/lib/datadog/appsec/scope.rb +61 -0
  39. data/lib/datadog/appsec.rb +6 -0
  40. data/lib/datadog/ci/ext/environment.rb +40 -4
  41. data/lib/datadog/core/configuration/settings.rb +74 -14
  42. data/lib/datadog/core/configuration.rb +5 -1
  43. data/lib/datadog/core/remote/client/capabilities.rb +1 -1
  44. data/lib/datadog/core/remote/client.rb +5 -1
  45. data/lib/datadog/core/telemetry/collector.rb +2 -1
  46. data/lib/datadog/core/telemetry/v1/dependency.rb +2 -1
  47. data/lib/datadog/kit/appsec/events.rb +58 -13
  48. data/lib/datadog/kit/identity.rb +29 -10
  49. data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +2 -0
  50. data/lib/datadog/profiling/component.rb +69 -29
  51. data/lib/datadog/profiling.rb +2 -1
  52. data/lib/datadog/tracing/buffer.rb +0 -1
  53. data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +9 -1
  54. data/lib/datadog/tracing/contrib/aws/ext.rb +11 -1
  55. data/lib/datadog/tracing/contrib/aws/instrumentation.rb +7 -0
  56. data/lib/datadog/tracing/contrib/aws/parsed_context.rb +4 -0
  57. data/lib/datadog/tracing/contrib/aws/service/base.rb +16 -0
  58. data/lib/datadog/tracing/contrib/aws/service/dynamodb.rb +22 -0
  59. data/lib/datadog/tracing/contrib/aws/service/eventbridge.rb +22 -0
  60. data/lib/datadog/tracing/contrib/aws/service/kinesis.rb +32 -0
  61. data/lib/datadog/tracing/contrib/aws/service/s3.rb +22 -0
  62. data/lib/datadog/tracing/contrib/aws/service/sns.rb +30 -0
  63. data/lib/datadog/tracing/contrib/aws/service/sqs.rb +27 -0
  64. data/lib/datadog/tracing/contrib/aws/service/states.rb +40 -0
  65. data/lib/datadog/tracing/contrib/aws/services.rb +18 -0
  66. data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +6 -1
  67. data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +5 -2
  68. data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +6 -1
  69. data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +4 -2
  70. data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +6 -1
  71. data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +5 -2
  72. data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +6 -1
  73. data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +5 -2
  74. data/lib/datadog/tracing/contrib/patcher.rb +0 -1
  75. data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +6 -1
  76. data/lib/datadog/tracing/contrib/pg/instrumentation.rb +5 -2
  77. data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +6 -1
  78. data/lib/datadog/tracing/contrib/presto/instrumentation.rb +4 -2
  79. data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +10 -2
  80. data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +9 -1
  81. data/lib/datadog/tracing/contrib/racecar/event.rb +3 -1
  82. data/lib/datadog/tracing/contrib/rack/middlewares.rb +3 -1
  83. data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +6 -1
  84. data/lib/datadog/tracing/contrib/redis/tags.rb +4 -1
  85. data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +6 -1
  86. data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +4 -1
  87. data/lib/datadog/tracing/contrib/roda/patcher.rb +1 -1
  88. data/lib/datadog/tracing/contrib/sequel/database.rb +4 -1
  89. data/lib/datadog/tracing/contrib/sequel/dataset.rb +4 -1
  90. data/lib/datadog/tracing/contrib/sequel/utils.rb +4 -1
  91. data/lib/datadog/tracing/contrib/status_code_matcher.rb +0 -1
  92. data/lib/datadog/tracing/correlation.rb +0 -1
  93. data/lib/datadog/tracing/distributed/headers/ext.rb +1 -1
  94. data/lib/datadog/tracing/event.rb +0 -2
  95. data/lib/datadog/tracing/pipeline.rb +0 -2
  96. data/lib/datadog/tracing/runtime/metrics.rb +0 -2
  97. data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +0 -1
  98. data/lib/datadog/tracing/sampling/rate_sampler.rb +0 -2
  99. data/lib/datadog/tracing/sampling/rule.rb +0 -2
  100. data/lib/datadog/tracing/sampling/rule_sampler.rb +0 -2
  101. data/lib/datadog/tracing/span_operation.rb +0 -1
  102. data/lib/datadog/tracing/sync_writer.rb +0 -2
  103. data/lib/datadog/tracing/trace_operation.rb +0 -1
  104. data/lib/datadog/tracing/tracer.rb +0 -1
  105. data/lib/datadog/tracing/workers/trace_writer.rb +0 -1
  106. data/lib/datadog/tracing/workers.rb +0 -2
  107. data/lib/datadog/tracing/writer.rb +0 -2
  108. data/lib/ddtrace/version.rb +1 -1
  109. metadata +18 -19
  110. data/lib/datadog/appsec/contrib/configuration/settings.rb +0 -20
  111. data/lib/datadog/appsec/contrib/rack/configuration/settings.rb +0 -22
  112. data/lib/datadog/appsec/contrib/rails/configuration/settings.rb +0 -22
  113. data/lib/datadog/appsec/contrib/sinatra/configuration/settings.rb +0 -22
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.5.2"
4
+ "rules_version": "1.7.0"
5
5
  },
6
6
  "rules": [
7
7
  {
@@ -58,10 +58,11 @@
58
58
  "id": "crs-913-110",
59
59
  "name": "Acunetix",
60
60
  "tags": {
61
- "type": "security_scanner",
61
+ "type": "commercial_scanner",
62
62
  "crs_id": "913110",
63
63
  "category": "attack_attempt",
64
- "confidence": "1"
64
+ "tool_name": "Acunetix",
65
+ "confidence": "0"
65
66
  },
66
67
  "conditions": [
67
68
  {
@@ -2698,7 +2699,7 @@
2698
2699
  "address": "grpc.server.request.message"
2699
2700
  }
2700
2701
  ],
2701
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
2702
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
2702
2703
  "options": {
2703
2704
  "case_sensitive": true,
2704
2705
  "min_length": 5
@@ -2907,7 +2908,8 @@
2907
2908
  }
2908
2909
  ],
2909
2910
  "transformers": [
2910
- "removeNulls"
2911
+ "removeNulls",
2912
+ "urlDecodeUni"
2911
2913
  ]
2912
2914
  },
2913
2915
  {
@@ -2957,7 +2959,8 @@
2957
2959
  }
2958
2960
  ],
2959
2961
  "transformers": [
2960
- "removeNulls"
2962
+ "removeNulls",
2963
+ "urlDecodeUni"
2961
2964
  ]
2962
2965
  },
2963
2966
  {
@@ -3007,7 +3010,8 @@
3007
3010
  }
3008
3011
  ],
3009
3012
  "transformers": [
3010
- "removeNulls"
3013
+ "removeNulls",
3014
+ "urlDecodeUni"
3011
3015
  ]
3012
3016
  },
3013
3017
  {
@@ -3054,7 +3058,8 @@
3054
3058
  }
3055
3059
  ],
3056
3060
  "transformers": [
3057
- "removeNulls"
3061
+ "removeNulls",
3062
+ "urlDecodeUni"
3058
3063
  ]
3059
3064
  },
3060
3065
  {
@@ -3088,8 +3093,7 @@
3088
3093
  ".parentnode",
3089
3094
  ".innerhtml",
3090
3095
  "window.location",
3091
- "-moz-binding",
3092
- "<![cdata["
3096
+ "-moz-binding"
3093
3097
  ]
3094
3098
  },
3095
3099
  "operator": "phrase_match"
@@ -3545,7 +3549,7 @@
3545
3549
  "address": "grpc.server.request.message"
3546
3550
  }
3547
3551
  ],
3548
- "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
3552
+ "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)[\\s+]*\\([^\\)]",
3549
3553
  "options": {
3550
3554
  "case_sensitive": true,
3551
3555
  "min_length": 5
@@ -4382,6 +4386,256 @@
4382
4386
  ],
4383
4387
  "transformers": []
4384
4388
  },
4389
+ {
4390
+ "id": "dog-913-001",
4391
+ "name": "BurpCollaborator OOB domain",
4392
+ "tags": {
4393
+ "type": "security_scanner",
4394
+ "category": "attack_attempt",
4395
+ "tool_name": "BurpCollaborator",
4396
+ "confidence": "1"
4397
+ },
4398
+ "conditions": [
4399
+ {
4400
+ "parameters": {
4401
+ "inputs": [
4402
+ {
4403
+ "address": "server.request.query"
4404
+ },
4405
+ {
4406
+ "address": "server.request.body"
4407
+ },
4408
+ {
4409
+ "address": "server.request.path_params"
4410
+ },
4411
+ {
4412
+ "address": "server.request.headers.no_cookies"
4413
+ },
4414
+ {
4415
+ "address": "grpc.server.request.message"
4416
+ }
4417
+ ],
4418
+ "regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b"
4419
+ },
4420
+ "operator": "match_regex"
4421
+ }
4422
+ ],
4423
+ "transformers": []
4424
+ },
4425
+ {
4426
+ "id": "dog-913-002",
4427
+ "name": "Qualys OOB domain",
4428
+ "tags": {
4429
+ "type": "commercial_scanner",
4430
+ "category": "attack_attempt",
4431
+ "tool_name": "Qualys",
4432
+ "confidence": "0"
4433
+ },
4434
+ "conditions": [
4435
+ {
4436
+ "parameters": {
4437
+ "inputs": [
4438
+ {
4439
+ "address": "server.request.query"
4440
+ },
4441
+ {
4442
+ "address": "server.request.body"
4443
+ },
4444
+ {
4445
+ "address": "server.request.path_params"
4446
+ },
4447
+ {
4448
+ "address": "server.request.headers.no_cookies"
4449
+ },
4450
+ {
4451
+ "address": "grpc.server.request.message"
4452
+ }
4453
+ ],
4454
+ "regex": "\\bqualysperiscope\\.com\\b"
4455
+ },
4456
+ "operator": "match_regex"
4457
+ }
4458
+ ],
4459
+ "transformers": []
4460
+ },
4461
+ {
4462
+ "id": "dog-913-003",
4463
+ "name": "Probely OOB domain",
4464
+ "tags": {
4465
+ "type": "commercial_scanner",
4466
+ "category": "attack_attempt",
4467
+ "tool_name": "Probely",
4468
+ "confidence": "0"
4469
+ },
4470
+ "conditions": [
4471
+ {
4472
+ "parameters": {
4473
+ "inputs": [
4474
+ {
4475
+ "address": "server.request.query"
4476
+ },
4477
+ {
4478
+ "address": "server.request.body"
4479
+ },
4480
+ {
4481
+ "address": "server.request.path_params"
4482
+ },
4483
+ {
4484
+ "address": "server.request.headers.no_cookies"
4485
+ },
4486
+ {
4487
+ "address": "grpc.server.request.message"
4488
+ }
4489
+ ],
4490
+ "regex": "\\bprbly\\.win\\b"
4491
+ },
4492
+ "operator": "match_regex"
4493
+ }
4494
+ ],
4495
+ "transformers": []
4496
+ },
4497
+ {
4498
+ "id": "dog-913-004",
4499
+ "name": "Known malicious out-of-band interaction domain",
4500
+ "tags": {
4501
+ "type": "security_scanner",
4502
+ "category": "attack_attempt",
4503
+ "confidence": "1"
4504
+ },
4505
+ "conditions": [
4506
+ {
4507
+ "parameters": {
4508
+ "inputs": [
4509
+ {
4510
+ "address": "server.request.query"
4511
+ },
4512
+ {
4513
+ "address": "server.request.body"
4514
+ },
4515
+ {
4516
+ "address": "server.request.path_params"
4517
+ },
4518
+ {
4519
+ "address": "server.request.headers.no_cookies"
4520
+ },
4521
+ {
4522
+ "address": "grpc.server.request.message"
4523
+ }
4524
+ ],
4525
+ "regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b"
4526
+ },
4527
+ "operator": "match_regex"
4528
+ }
4529
+ ],
4530
+ "transformers": []
4531
+ },
4532
+ {
4533
+ "id": "dog-913-005",
4534
+ "name": "Known suspicious out-of-band interaction domain",
4535
+ "tags": {
4536
+ "type": "security_scanner",
4537
+ "category": "attack_attempt",
4538
+ "confidence": "0"
4539
+ },
4540
+ "conditions": [
4541
+ {
4542
+ "parameters": {
4543
+ "inputs": [
4544
+ {
4545
+ "address": "server.request.query"
4546
+ },
4547
+ {
4548
+ "address": "server.request.body"
4549
+ },
4550
+ {
4551
+ "address": "server.request.path_params"
4552
+ },
4553
+ {
4554
+ "address": "server.request.headers.no_cookies"
4555
+ },
4556
+ {
4557
+ "address": "grpc.server.request.message"
4558
+ }
4559
+ ],
4560
+ "regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b"
4561
+ },
4562
+ "operator": "match_regex"
4563
+ }
4564
+ ],
4565
+ "transformers": []
4566
+ },
4567
+ {
4568
+ "id": "dog-913-006",
4569
+ "name": "Rapid7 OOB domain",
4570
+ "tags": {
4571
+ "type": "commercial_scanner",
4572
+ "category": "attack_attempt",
4573
+ "tool_name": "Rapid7",
4574
+ "confidence": "0"
4575
+ },
4576
+ "conditions": [
4577
+ {
4578
+ "parameters": {
4579
+ "inputs": [
4580
+ {
4581
+ "address": "server.request.query"
4582
+ },
4583
+ {
4584
+ "address": "server.request.body"
4585
+ },
4586
+ {
4587
+ "address": "server.request.path_params"
4588
+ },
4589
+ {
4590
+ "address": "server.request.headers.no_cookies"
4591
+ },
4592
+ {
4593
+ "address": "grpc.server.request.message"
4594
+ }
4595
+ ],
4596
+ "regex": "\\bappspidered\\.rapid7\\."
4597
+ },
4598
+ "operator": "match_regex"
4599
+ }
4600
+ ],
4601
+ "transformers": []
4602
+ },
4603
+ {
4604
+ "id": "dog-913-007",
4605
+ "name": "Interact.sh OOB domain",
4606
+ "tags": {
4607
+ "type": "security_scanner",
4608
+ "category": "attack_attempt",
4609
+ "tool_name": "interact.sh",
4610
+ "confidence": "1"
4611
+ },
4612
+ "conditions": [
4613
+ {
4614
+ "parameters": {
4615
+ "inputs": [
4616
+ {
4617
+ "address": "server.request.query"
4618
+ },
4619
+ {
4620
+ "address": "server.request.body"
4621
+ },
4622
+ {
4623
+ "address": "server.request.path_params"
4624
+ },
4625
+ {
4626
+ "address": "server.request.headers.no_cookies"
4627
+ },
4628
+ {
4629
+ "address": "grpc.server.request.message"
4630
+ }
4631
+ ],
4632
+ "regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b"
4633
+ },
4634
+ "operator": "match_regex"
4635
+ }
4636
+ ],
4637
+ "transformers": []
4638
+ },
4385
4639
  {
4386
4640
  "id": "dog-931-001",
4387
4641
  "name": "RFI: URL Payload to well known RFI target",
@@ -5347,14 +5601,12 @@
5347
5601
  "address": "grpc.server.request.message"
5348
5602
  }
5349
5603
  ],
5350
- "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
5604
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii.one|act1on3.ru)"
5351
5605
  },
5352
5606
  "operator": "match_regex"
5353
5607
  }
5354
5608
  ],
5355
- "transformers": [
5356
- "lowercase"
5357
- ]
5609
+ "transformers": []
5358
5610
  },
5359
5611
  {
5360
5612
  "id": "sqr-000-015",
@@ -5429,7 +5681,9 @@
5429
5681
  "operator": "match_regex"
5430
5682
  }
5431
5683
  ],
5432
- "transformers": []
5684
+ "transformers": [
5685
+ "unicode_normalize"
5686
+ ]
5433
5687
  },
5434
5688
  {
5435
5689
  "id": "ua0-600-0xx",
@@ -5437,6 +5691,7 @@
5437
5691
  "tags": {
5438
5692
  "type": "security_scanner",
5439
5693
  "category": "attack_attempt",
5694
+ "tool_name": "Joomla exploitation tool",
5440
5695
  "confidence": "1"
5441
5696
  },
5442
5697
  "conditions": [
@@ -5463,6 +5718,7 @@
5463
5718
  "tags": {
5464
5719
  "type": "security_scanner",
5465
5720
  "category": "attack_attempt",
5721
+ "tool_name": "Nessus",
5466
5722
  "confidence": "1"
5467
5723
  },
5468
5724
  "conditions": [
@@ -5489,6 +5745,7 @@
5489
5745
  "tags": {
5490
5746
  "type": "security_scanner",
5491
5747
  "category": "attack_attempt",
5748
+ "tool_name": "Arachni",
5492
5749
  "confidence": "1"
5493
5750
  },
5494
5751
  "conditions": [
@@ -5515,6 +5772,7 @@
5515
5772
  "tags": {
5516
5773
  "type": "security_scanner",
5517
5774
  "category": "attack_attempt",
5775
+ "tool_name": "Jorgee",
5518
5776
  "confidence": "1"
5519
5777
  },
5520
5778
  "conditions": [
@@ -5539,9 +5797,10 @@
5539
5797
  "id": "ua0-600-14x",
5540
5798
  "name": "Probely",
5541
5799
  "tags": {
5542
- "type": "security_scanner",
5800
+ "type": "commercial_scanner",
5543
5801
  "category": "attack_attempt",
5544
- "confidence": "1"
5802
+ "tool_name": "Probely",
5803
+ "confidence": "0"
5545
5804
  },
5546
5805
  "conditions": [
5547
5806
  {
@@ -5567,6 +5826,7 @@
5567
5826
  "tags": {
5568
5827
  "type": "security_scanner",
5569
5828
  "category": "attack_attempt",
5829
+ "tool_name": "Metis",
5570
5830
  "confidence": "1"
5571
5831
  },
5572
5832
  "conditions": [
@@ -5593,6 +5853,7 @@
5593
5853
  "tags": {
5594
5854
  "type": "security_scanner",
5595
5855
  "category": "attack_attempt",
5856
+ "tool_name": "SQLPowerInjector",
5596
5857
  "confidence": "1"
5597
5858
  },
5598
5859
  "conditions": [
@@ -5619,6 +5880,7 @@
5619
5880
  "tags": {
5620
5881
  "type": "security_scanner",
5621
5882
  "category": "attack_attempt",
5883
+ "tool_name": "N-Stealth",
5622
5884
  "confidence": "1"
5623
5885
  },
5624
5886
  "conditions": [
@@ -5645,6 +5907,7 @@
5645
5907
  "tags": {
5646
5908
  "type": "security_scanner",
5647
5909
  "category": "attack_attempt",
5910
+ "tool_name": "Brutus",
5648
5911
  "confidence": "1"
5649
5912
  },
5650
5913
  "conditions": [
@@ -5671,6 +5934,7 @@
5671
5934
  "tags": {
5672
5935
  "type": "security_scanner",
5673
5936
  "category": "attack_attempt",
5937
+ "tool_name": "Shellshock",
5674
5938
  "confidence": "1"
5675
5939
  },
5676
5940
  "conditions": [
@@ -5695,9 +5959,10 @@
5695
5959
  "id": "ua0-600-20x",
5696
5960
  "name": "Netsparker",
5697
5961
  "tags": {
5698
- "type": "security_scanner",
5962
+ "type": "commercial_scanner",
5699
5963
  "category": "attack_attempt",
5700
- "confidence": "1"
5964
+ "tool_name": "Netsparker",
5965
+ "confidence": "0"
5701
5966
  },
5702
5967
  "conditions": [
5703
5968
  {
@@ -5710,7 +5975,7 @@
5710
5975
  ]
5711
5976
  }
5712
5977
  ],
5713
- "regex": "(?i)(<script>netsparker\\(0x0|ns:netsparker.*=vuln)"
5978
+ "regex": "\\bnetsparker\\b"
5714
5979
  },
5715
5980
  "operator": "match_regex"
5716
5981
  }
@@ -5723,6 +5988,7 @@
5723
5988
  "tags": {
5724
5989
  "type": "security_scanner",
5725
5990
  "category": "attack_attempt",
5991
+ "tool_name": "JAASCois",
5726
5992
  "confidence": "1"
5727
5993
  },
5728
5994
  "conditions": [
@@ -5743,64 +6009,13 @@
5743
6009
  ],
5744
6010
  "transformers": []
5745
6011
  },
5746
- {
5747
- "id": "ua0-600-23x",
5748
- "name": "PMAFind",
5749
- "tags": {
5750
- "type": "security_scanner",
5751
- "category": "attack_attempt",
5752
- "confidence": "1"
5753
- },
5754
- "conditions": [
5755
- {
5756
- "parameters": {
5757
- "inputs": [
5758
- {
5759
- "address": "server.request.headers.no_cookies",
5760
- "key_path": [
5761
- "user-agent"
5762
- ]
5763
- }
5764
- ],
5765
- "regex": "(?i)\\bpmafind\\b"
5766
- },
5767
- "operator": "match_regex"
5768
- }
5769
- ],
5770
- "transformers": []
5771
- },
5772
- {
5773
- "id": "ua0-600-25x",
5774
- "name": "Webtrends",
5775
- "tags": {
5776
- "type": "security_scanner",
5777
- "category": "attack_attempt",
5778
- "confidence": "1"
5779
- },
5780
- "conditions": [
5781
- {
5782
- "parameters": {
5783
- "inputs": [
5784
- {
5785
- "address": "server.request.headers.no_cookies",
5786
- "key_path": [
5787
- "user-agent"
5788
- ]
5789
- }
5790
- ],
5791
- "regex": "webtrends security analyzer"
5792
- },
5793
- "operator": "match_regex"
5794
- }
5795
- ],
5796
- "transformers": []
5797
- },
5798
6012
  {
5799
6013
  "id": "ua0-600-26x",
5800
6014
  "name": "Nsauditor",
5801
6015
  "tags": {
5802
6016
  "type": "security_scanner",
5803
6017
  "category": "attack_attempt",
6018
+ "tool_name": "Nsauditor",
5804
6019
  "confidence": "1"
5805
6020
  },
5806
6021
  "conditions": [
@@ -5827,6 +6042,7 @@
5827
6042
  "tags": {
5828
6043
  "type": "security_scanner",
5829
6044
  "category": "attack_attempt",
6045
+ "tool_name": "Paros",
5830
6046
  "confidence": "1"
5831
6047
  },
5832
6048
  "conditions": [
@@ -5853,6 +6069,7 @@
5853
6069
  "tags": {
5854
6070
  "type": "security_scanner",
5855
6071
  "category": "attack_attempt",
6072
+ "tool_name": "DirBuster",
5856
6073
  "confidence": "1"
5857
6074
  },
5858
6075
  "conditions": [
@@ -5879,6 +6096,7 @@
5879
6096
  "tags": {
5880
6097
  "type": "security_scanner",
5881
6098
  "category": "attack_attempt",
6099
+ "tool_name": "Pangolin",
5882
6100
  "confidence": "1"
5883
6101
  },
5884
6102
  "conditions": [
@@ -5903,9 +6121,10 @@
5903
6121
  "id": "ua0-600-2xx",
5904
6122
  "name": "Qualys",
5905
6123
  "tags": {
5906
- "type": "security_scanner",
6124
+ "type": "commercial_scanner",
5907
6125
  "category": "attack_attempt",
5908
- "confidence": "1"
6126
+ "tool_name": "Qualys",
6127
+ "confidence": "0"
5909
6128
  },
5910
6129
  "conditions": [
5911
6130
  {
@@ -5931,6 +6150,7 @@
5931
6150
  "tags": {
5932
6151
  "type": "security_scanner",
5933
6152
  "category": "attack_attempt",
6153
+ "tool_name": "SQLNinja",
5934
6154
  "confidence": "1"
5935
6155
  },
5936
6156
  "conditions": [
@@ -5957,6 +6177,7 @@
5957
6177
  "tags": {
5958
6178
  "type": "security_scanner",
5959
6179
  "category": "attack_attempt",
6180
+ "tool_name": "Nikto",
5960
6181
  "confidence": "1"
5961
6182
  },
5962
6183
  "conditions": [
@@ -5977,38 +6198,13 @@
5977
6198
  ],
5978
6199
  "transformers": []
5979
6200
  },
5980
- {
5981
- "id": "ua0-600-32x",
5982
- "name": "WebInspect",
5983
- "tags": {
5984
- "type": "security_scanner",
5985
- "category": "attack_attempt",
5986
- "confidence": "1"
5987
- },
5988
- "conditions": [
5989
- {
5990
- "parameters": {
5991
- "inputs": [
5992
- {
5993
- "address": "server.request.headers.no_cookies",
5994
- "key_path": [
5995
- "user-agent"
5996
- ]
5997
- }
5998
- ],
5999
- "regex": "(?i)\\bwebinspect\\b"
6000
- },
6001
- "operator": "match_regex"
6002
- }
6003
- ],
6004
- "transformers": []
6005
- },
6006
6201
  {
6007
6202
  "id": "ua0-600-33x",
6008
6203
  "name": "BlackWidow",
6009
6204
  "tags": {
6010
6205
  "type": "security_scanner",
6011
6206
  "category": "attack_attempt",
6207
+ "tool_name": "BlackWidow",
6012
6208
  "confidence": "1"
6013
6209
  },
6014
6210
  "conditions": [
@@ -6035,6 +6231,7 @@
6035
6231
  "tags": {
6036
6232
  "type": "security_scanner",
6037
6233
  "category": "attack_attempt",
6234
+ "tool_name": "Grendel-Scan",
6038
6235
  "confidence": "1"
6039
6236
  },
6040
6237
  "conditions": [
@@ -6061,6 +6258,7 @@
6061
6258
  "tags": {
6062
6259
  "type": "security_scanner",
6063
6260
  "category": "attack_attempt",
6261
+ "tool_name": "Havij",
6064
6262
  "confidence": "1"
6065
6263
  },
6066
6264
  "conditions": [
@@ -6087,6 +6285,7 @@
6087
6285
  "tags": {
6088
6286
  "type": "security_scanner",
6089
6287
  "category": "attack_attempt",
6288
+ "tool_name": "w3af",
6090
6289
  "confidence": "1"
6091
6290
  },
6092
6291
  "conditions": [
@@ -6113,6 +6312,7 @@
6113
6312
  "tags": {
6114
6313
  "type": "security_scanner",
6115
6314
  "category": "attack_attempt",
6315
+ "tool_name": "Nmap",
6116
6316
  "confidence": "1"
6117
6317
  },
6118
6318
  "conditions": [
@@ -6139,6 +6339,7 @@
6139
6339
  "tags": {
6140
6340
  "type": "security_scanner",
6141
6341
  "category": "attack_attempt",
6342
+ "tool_name": "Nessus",
6142
6343
  "confidence": "1"
6143
6344
  },
6144
6345
  "conditions": [
@@ -6152,7 +6353,7 @@
6152
6353
  ]
6153
6354
  }
6154
6355
  ],
6155
- "regex": "(?i)^'?[a-z0-9]+\\.nasl'?$"
6356
+ "regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$"
6156
6357
  },
6157
6358
  "operator": "match_regex"
6158
6359
  }
@@ -6165,6 +6366,7 @@
6165
6366
  "tags": {
6166
6367
  "type": "security_scanner",
6167
6368
  "category": "attack_attempt",
6369
+ "tool_name": "EvilScanner",
6168
6370
  "confidence": "1"
6169
6371
  },
6170
6372
  "conditions": [
@@ -6191,6 +6393,7 @@
6191
6393
  "tags": {
6192
6394
  "type": "security_scanner",
6193
6395
  "category": "attack_attempt",
6396
+ "tool_name": "WebFuck",
6194
6397
  "confidence": "1"
6195
6398
  },
6196
6399
  "conditions": [
@@ -6217,6 +6420,7 @@
6217
6420
  "tags": {
6218
6421
  "type": "security_scanner",
6219
6422
  "category": "attack_attempt",
6423
+ "tool_name": "OpenVAS",
6220
6424
  "confidence": "1"
6221
6425
  },
6222
6426
  "conditions": [
@@ -6243,6 +6447,7 @@
6243
6447
  "tags": {
6244
6448
  "type": "security_scanner",
6245
6449
  "category": "attack_attempt",
6450
+ "tool_name": "Spider-Pig",
6246
6451
  "confidence": "1"
6247
6452
  },
6248
6453
  "conditions": [
@@ -6269,6 +6474,7 @@
6269
6474
  "tags": {
6270
6475
  "type": "security_scanner",
6271
6476
  "category": "attack_attempt",
6477
+ "tool_name": "Zgrab",
6272
6478
  "confidence": "1"
6273
6479
  },
6274
6480
  "conditions": [
@@ -6295,6 +6501,7 @@
6295
6501
  "tags": {
6296
6502
  "type": "security_scanner",
6297
6503
  "category": "attack_attempt",
6504
+ "tool_name": "Zmeu",
6298
6505
  "confidence": "1"
6299
6506
  },
6300
6507
  "conditions": [
@@ -6315,39 +6522,14 @@
6315
6522
  ],
6316
6523
  "transformers": []
6317
6524
  },
6318
- {
6319
- "id": "ua0-600-46x",
6320
- "name": "Crowdstrike",
6321
- "tags": {
6322
- "type": "security_scanner",
6323
- "category": "attack_attempt",
6324
- "confidence": "1"
6325
- },
6326
- "conditions": [
6327
- {
6328
- "parameters": {
6329
- "inputs": [
6330
- {
6331
- "address": "server.request.headers.no_cookies",
6332
- "key_path": [
6333
- "user-agent"
6334
- ]
6335
- }
6336
- ],
6337
- "regex": "(?i)\\bcrowdstrike\\b"
6338
- },
6339
- "operator": "match_regex"
6340
- }
6341
- ],
6342
- "transformers": []
6343
- },
6344
6525
  {
6345
6526
  "id": "ua0-600-47x",
6346
6527
  "name": "GoogleSecurityScanner",
6347
6528
  "tags": {
6348
- "type": "security_scanner",
6529
+ "type": "commercial_scanner",
6349
6530
  "category": "attack_attempt",
6350
- "confidence": "1"
6531
+ "tool_name": "GoogleSecurityScanner",
6532
+ "confidence": "0"
6351
6533
  },
6352
6534
  "conditions": [
6353
6535
  {
@@ -6373,6 +6555,7 @@
6373
6555
  "tags": {
6374
6556
  "type": "security_scanner",
6375
6557
  "category": "attack_attempt",
6558
+ "tool_name": "Commix",
6376
6559
  "confidence": "1"
6377
6560
  },
6378
6561
  "conditions": [
@@ -6399,6 +6582,7 @@
6399
6582
  "tags": {
6400
6583
  "type": "security_scanner",
6401
6584
  "category": "attack_attempt",
6585
+ "tool_name": "Gobuster",
6402
6586
  "confidence": "1"
6403
6587
  },
6404
6588
  "conditions": [
@@ -6425,6 +6609,7 @@
6425
6609
  "tags": {
6426
6610
  "type": "security_scanner",
6427
6611
  "category": "attack_attempt",
6612
+ "tool_name": "CGIchk",
6428
6613
  "confidence": "1"
6429
6614
  },
6430
6615
  "conditions": [
@@ -6451,6 +6636,7 @@
6451
6636
  "tags": {
6452
6637
  "type": "security_scanner",
6453
6638
  "category": "attack_attempt",
6639
+ "tool_name": "FFUF",
6454
6640
  "confidence": "1"
6455
6641
  },
6456
6642
  "conditions": [
@@ -6477,6 +6663,7 @@
6477
6663
  "tags": {
6478
6664
  "type": "security_scanner",
6479
6665
  "category": "attack_attempt",
6666
+ "tool_name": "Nuclei",
6480
6667
  "confidence": "1"
6481
6668
  },
6482
6669
  "conditions": [
@@ -6503,6 +6690,7 @@
6503
6690
  "tags": {
6504
6691
  "type": "security_scanner",
6505
6692
  "category": "attack_attempt",
6693
+ "tool_name": "Tsunami",
6506
6694
  "confidence": "1"
6507
6695
  },
6508
6696
  "conditions": [
@@ -6529,6 +6717,7 @@
6529
6717
  "tags": {
6530
6718
  "type": "security_scanner",
6531
6719
  "category": "attack_attempt",
6720
+ "tool_name": "Nimbostratus",
6532
6721
  "confidence": "1"
6533
6722
  },
6534
6723
  "conditions": [
@@ -6555,6 +6744,7 @@
6555
6744
  "tags": {
6556
6745
  "type": "security_scanner",
6557
6746
  "category": "attack_attempt",
6747
+ "tool_name": "Datadog Canary Test",
6558
6748
  "confidence": "1"
6559
6749
  },
6560
6750
  "conditions": [
@@ -6574,7 +6764,7 @@
6574
6764
  ]
6575
6765
  }
6576
6766
  ],
6577
- "regex": "^dd-test-scanner-log$"
6767
+ "regex": "^dd-test-scanner-log(?:$|/|\\s)"
6578
6768
  },
6579
6769
  "operator": "match_regex"
6580
6770
  }
@@ -6587,6 +6777,7 @@
6587
6777
  "tags": {
6588
6778
  "type": "security_scanner",
6589
6779
  "category": "attack_attempt",
6780
+ "tool_name": "Datadog Canary Test",
6590
6781
  "confidence": "1"
6591
6782
  },
6592
6783
  "conditions": [
@@ -6606,7 +6797,7 @@
6606
6797
  ]
6607
6798
  }
6608
6799
  ],
6609
- "regex": "^dd-test-scanner-log-block$"
6800
+ "regex": "^dd-test-scanner-log-block(?:$|/|\\s)"
6610
6801
  },
6611
6802
  "operator": "match_regex"
6612
6803
  }
@@ -6616,12 +6807,94 @@
6616
6807
  "block"
6617
6808
  ]
6618
6809
  },
6810
+ {
6811
+ "id": "ua0-600-57x",
6812
+ "name": "AlertLogic",
6813
+ "tags": {
6814
+ "type": "commercial_scanner",
6815
+ "category": "attack_attempt",
6816
+ "tool_name": "AlertLogic",
6817
+ "confidence": "0"
6818
+ },
6819
+ "conditions": [
6820
+ {
6821
+ "parameters": {
6822
+ "inputs": [
6823
+ {
6824
+ "address": "server.request.headers.no_cookies",
6825
+ "key_path": [
6826
+ "user-agent"
6827
+ ]
6828
+ }
6829
+ ],
6830
+ "regex": "\\bAlertLogic-MDR-"
6831
+ },
6832
+ "operator": "match_regex"
6833
+ }
6834
+ ],
6835
+ "transformers": []
6836
+ },
6837
+ {
6838
+ "id": "ua0-600-58x",
6839
+ "name": "wfuzz",
6840
+ "tags": {
6841
+ "type": "security_scanner",
6842
+ "category": "attack_attempt",
6843
+ "tool_name": "wfuzz",
6844
+ "confidence": "1"
6845
+ },
6846
+ "conditions": [
6847
+ {
6848
+ "parameters": {
6849
+ "inputs": [
6850
+ {
6851
+ "address": "server.request.headers.no_cookies",
6852
+ "key_path": [
6853
+ "user-agent"
6854
+ ]
6855
+ }
6856
+ ],
6857
+ "regex": "\\bwfuzz\\b"
6858
+ },
6859
+ "operator": "match_regex"
6860
+ }
6861
+ ],
6862
+ "transformers": []
6863
+ },
6864
+ {
6865
+ "id": "ua0-600-59x",
6866
+ "name": "Detectify",
6867
+ "tags": {
6868
+ "type": "commercial_scanner",
6869
+ "category": "attack_attempt",
6870
+ "tool_name": "Detectify",
6871
+ "confidence": "0"
6872
+ },
6873
+ "conditions": [
6874
+ {
6875
+ "parameters": {
6876
+ "inputs": [
6877
+ {
6878
+ "address": "server.request.headers.no_cookies",
6879
+ "key_path": [
6880
+ "user-agent"
6881
+ ]
6882
+ }
6883
+ ],
6884
+ "regex": "\\bdetectify\\b"
6885
+ },
6886
+ "operator": "match_regex"
6887
+ }
6888
+ ],
6889
+ "transformers": []
6890
+ },
6619
6891
  {
6620
6892
  "id": "ua0-600-5xx",
6621
6893
  "name": "Blind SQL Injection Brute Forcer",
6622
6894
  "tags": {
6623
6895
  "type": "security_scanner",
6624
6896
  "category": "attack_attempt",
6897
+ "tool_name": "BSQLBF",
6625
6898
  "confidence": "1"
6626
6899
  },
6627
6900
  "conditions": [
@@ -6642,9 +6915,90 @@
6642
6915
  ],
6643
6916
  "transformers": []
6644
6917
  },
6918
+ {
6919
+ "id": "ua0-600-60x",
6920
+ "name": "masscan",
6921
+ "tags": {
6922
+ "type": "security_scanner",
6923
+ "category": "attack_attempt",
6924
+ "tool_name": "masscan",
6925
+ "confidence": "1"
6926
+ },
6927
+ "conditions": [
6928
+ {
6929
+ "parameters": {
6930
+ "inputs": [
6931
+ {
6932
+ "address": "server.request.headers.no_cookies",
6933
+ "key_path": [
6934
+ "user-agent"
6935
+ ]
6936
+ }
6937
+ ],
6938
+ "regex": "^masscan/"
6939
+ },
6940
+ "operator": "match_regex"
6941
+ }
6942
+ ],
6943
+ "transformers": []
6944
+ },
6945
+ {
6946
+ "id": "ua0-600-61x",
6947
+ "name": "WPScan",
6948
+ "tags": {
6949
+ "type": "security_scanner",
6950
+ "category": "attack_attempt",
6951
+ "tool_name": "WPScan",
6952
+ "confidence": "1"
6953
+ },
6954
+ "conditions": [
6955
+ {
6956
+ "parameters": {
6957
+ "inputs": [
6958
+ {
6959
+ "address": "server.request.headers.no_cookies",
6960
+ "key_path": [
6961
+ "user-agent"
6962
+ ]
6963
+ }
6964
+ ],
6965
+ "regex": "^wpscan\\b"
6966
+ },
6967
+ "operator": "match_regex"
6968
+ }
6969
+ ],
6970
+ "transformers": []
6971
+ },
6972
+ {
6973
+ "id": "ua0-600-62x",
6974
+ "name": "Aon pentesting services",
6975
+ "tags": {
6976
+ "type": "commercial_scanner",
6977
+ "category": "attack_attempt",
6978
+ "tool_name": "Aon",
6979
+ "confidence": "0"
6980
+ },
6981
+ "conditions": [
6982
+ {
6983
+ "parameters": {
6984
+ "inputs": [
6985
+ {
6986
+ "address": "server.request.headers.no_cookies",
6987
+ "key_path": [
6988
+ "user-agent"
6989
+ ]
6990
+ }
6991
+ ],
6992
+ "regex": "^Aon/"
6993
+ },
6994
+ "operator": "match_regex"
6995
+ }
6996
+ ],
6997
+ "transformers": []
6998
+ },
6645
6999
  {
6646
7000
  "id": "ua0-600-6xx",
6647
- "name": "Suspicious user agent",
7001
+ "name": "Stealthy scanner",
6648
7002
  "tags": {
6649
7003
  "type": "security_scanner",
6650
7004
  "category": "attack_attempt",
@@ -6674,6 +7028,7 @@
6674
7028
  "tags": {
6675
7029
  "type": "security_scanner",
6676
7030
  "category": "attack_attempt",
7031
+ "tool_name": "SQLmap",
6677
7032
  "confidence": "1"
6678
7033
  },
6679
7034
  "conditions": [
@@ -6700,6 +7055,7 @@
6700
7055
  "tags": {
6701
7056
  "type": "security_scanner",
6702
7057
  "category": "attack_attempt",
7058
+ "tool_name": "Skipfish",
6703
7059
  "confidence": "1"
6704
7060
  },
6705
7061
  "conditions": [