ddtrace 1.11.1 → 1.12.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +73 -1
- data/ext/ddtrace_profiling_native_extension/NativeExtensionDesign.md +6 -4
- data/ext/ddtrace_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +34 -16
- data/ext/ddtrace_profiling_native_extension/extconf.rb +19 -3
- data/ext/ddtrace_profiling_native_extension/native_extension_helpers.rb +2 -2
- data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c +38 -4
- data/lib/datadog/appsec/assets/waf_rules/recommended.json +489 -133
- data/lib/datadog/appsec/assets/waf_rules/strict.json +2 -47
- data/lib/datadog/appsec/configuration/settings.rb +2 -10
- data/lib/datadog/appsec/configuration.rb +3 -9
- data/lib/datadog/appsec/contrib/rack/ext.rb +0 -1
- data/lib/datadog/appsec/contrib/rack/gateway/request.rb +17 -3
- data/lib/datadog/appsec/contrib/rack/gateway/response.rb +3 -3
- data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +27 -45
- data/lib/datadog/appsec/contrib/rack/integration.rb +0 -5
- data/lib/datadog/appsec/contrib/rack/reactive/request.rb +7 -1
- data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +1 -1
- data/lib/datadog/appsec/contrib/rack/request_middleware.rb +34 -26
- data/lib/datadog/appsec/contrib/rails/ext.rb +0 -1
- data/lib/datadog/appsec/contrib/rails/framework.rb +1 -13
- data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +9 -27
- data/lib/datadog/appsec/contrib/rails/integration.rb +0 -5
- data/lib/datadog/appsec/contrib/rails/patcher.rb +1 -1
- data/lib/datadog/appsec/contrib/sinatra/ext.rb +0 -1
- data/lib/datadog/appsec/contrib/sinatra/framework.rb +1 -13
- data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +18 -36
- data/lib/datadog/appsec/contrib/sinatra/integration.rb +0 -5
- data/lib/datadog/appsec/contrib/sinatra/patcher.rb +5 -4
- data/lib/datadog/appsec/event.rb +37 -37
- data/lib/datadog/appsec/ext.rb +1 -0
- data/lib/datadog/appsec/extensions.rb +2 -6
- data/lib/datadog/appsec/monitor/gateway/watcher.rb +9 -28
- data/lib/datadog/appsec/processor/rule_merger.rb +13 -7
- data/lib/datadog/appsec/processor.rb +0 -45
- data/lib/datadog/appsec/remote.rb +6 -0
- data/lib/datadog/appsec/response.rb +13 -9
- data/lib/datadog/appsec/scope.rb +61 -0
- data/lib/datadog/appsec.rb +6 -0
- data/lib/datadog/ci/ext/environment.rb +40 -4
- data/lib/datadog/core/configuration/settings.rb +74 -14
- data/lib/datadog/core/configuration.rb +5 -1
- data/lib/datadog/core/remote/client/capabilities.rb +1 -1
- data/lib/datadog/core/remote/client.rb +5 -1
- data/lib/datadog/core/telemetry/collector.rb +2 -1
- data/lib/datadog/core/telemetry/v1/dependency.rb +2 -1
- data/lib/datadog/kit/appsec/events.rb +58 -13
- data/lib/datadog/kit/identity.rb +29 -10
- data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +2 -0
- data/lib/datadog/profiling/component.rb +69 -29
- data/lib/datadog/profiling.rb +2 -1
- data/lib/datadog/tracing/buffer.rb +0 -1
- data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +9 -1
- data/lib/datadog/tracing/contrib/aws/ext.rb +11 -1
- data/lib/datadog/tracing/contrib/aws/instrumentation.rb +7 -0
- data/lib/datadog/tracing/contrib/aws/parsed_context.rb +4 -0
- data/lib/datadog/tracing/contrib/aws/service/base.rb +16 -0
- data/lib/datadog/tracing/contrib/aws/service/dynamodb.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/eventbridge.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/kinesis.rb +32 -0
- data/lib/datadog/tracing/contrib/aws/service/s3.rb +22 -0
- data/lib/datadog/tracing/contrib/aws/service/sns.rb +30 -0
- data/lib/datadog/tracing/contrib/aws/service/sqs.rb +27 -0
- data/lib/datadog/tracing/contrib/aws/service/states.rb +40 -0
- data/lib/datadog/tracing/contrib/aws/services.rb +18 -0
- data/lib/datadog/tracing/contrib/httpclient/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +5 -2
- data/lib/datadog/tracing/contrib/httprb/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +4 -2
- data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +5 -2
- data/lib/datadog/tracing/contrib/mysql2/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +5 -2
- data/lib/datadog/tracing/contrib/patcher.rb +0 -1
- data/lib/datadog/tracing/contrib/pg/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/pg/instrumentation.rb +5 -2
- data/lib/datadog/tracing/contrib/presto/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/presto/instrumentation.rb +4 -2
- data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +10 -2
- data/lib/datadog/tracing/contrib/racecar/configuration/settings.rb +9 -1
- data/lib/datadog/tracing/contrib/racecar/event.rb +3 -1
- data/lib/datadog/tracing/contrib/rack/middlewares.rb +3 -1
- data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/redis/tags.rb +4 -1
- data/lib/datadog/tracing/contrib/rest_client/configuration/settings.rb +6 -1
- data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +4 -1
- data/lib/datadog/tracing/contrib/roda/patcher.rb +1 -1
- data/lib/datadog/tracing/contrib/sequel/database.rb +4 -1
- data/lib/datadog/tracing/contrib/sequel/dataset.rb +4 -1
- data/lib/datadog/tracing/contrib/sequel/utils.rb +4 -1
- data/lib/datadog/tracing/contrib/status_code_matcher.rb +0 -1
- data/lib/datadog/tracing/correlation.rb +0 -1
- data/lib/datadog/tracing/distributed/headers/ext.rb +1 -1
- data/lib/datadog/tracing/event.rb +0 -2
- data/lib/datadog/tracing/pipeline.rb +0 -2
- data/lib/datadog/tracing/runtime/metrics.rb +0 -2
- data/lib/datadog/tracing/sampling/rate_by_service_sampler.rb +0 -1
- data/lib/datadog/tracing/sampling/rate_sampler.rb +0 -2
- data/lib/datadog/tracing/sampling/rule.rb +0 -2
- data/lib/datadog/tracing/sampling/rule_sampler.rb +0 -2
- data/lib/datadog/tracing/span_operation.rb +0 -1
- data/lib/datadog/tracing/sync_writer.rb +0 -2
- data/lib/datadog/tracing/trace_operation.rb +0 -1
- data/lib/datadog/tracing/tracer.rb +0 -1
- data/lib/datadog/tracing/workers/trace_writer.rb +0 -1
- data/lib/datadog/tracing/workers.rb +0 -2
- data/lib/datadog/tracing/writer.rb +0 -2
- data/lib/ddtrace/version.rb +1 -1
- metadata +18 -19
- data/lib/datadog/appsec/contrib/configuration/settings.rb +0 -20
- data/lib/datadog/appsec/contrib/rack/configuration/settings.rb +0 -22
- data/lib/datadog/appsec/contrib/rails/configuration/settings.rb +0 -22
- data/lib/datadog/appsec/contrib/sinatra/configuration/settings.rb +0 -22
@@ -1,7 +1,7 @@
|
|
1
1
|
{
|
2
2
|
"version": "2.2",
|
3
3
|
"metadata": {
|
4
|
-
"rules_version": "1.
|
4
|
+
"rules_version": "1.7.0"
|
5
5
|
},
|
6
6
|
"rules": [
|
7
7
|
{
|
@@ -58,10 +58,11 @@
|
|
58
58
|
"id": "crs-913-110",
|
59
59
|
"name": "Acunetix",
|
60
60
|
"tags": {
|
61
|
-
"type": "
|
61
|
+
"type": "commercial_scanner",
|
62
62
|
"crs_id": "913110",
|
63
63
|
"category": "attack_attempt",
|
64
|
-
"
|
64
|
+
"tool_name": "Acunetix",
|
65
|
+
"confidence": "0"
|
65
66
|
},
|
66
67
|
"conditions": [
|
67
68
|
{
|
@@ -2698,7 +2699,7 @@
|
|
2698
2699
|
"address": "grpc.server.request.message"
|
2699
2700
|
}
|
2700
2701
|
],
|
2701
|
-
"regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|
|
2702
|
+
"regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetyp
e|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
|
2702
2703
|
"options": {
|
2703
2704
|
"case_sensitive": true,
|
2704
2705
|
"min_length": 5
|
@@ -2907,7 +2908,8 @@
|
|
2907
2908
|
}
|
2908
2909
|
],
|
2909
2910
|
"transformers": [
|
2910
|
-
"removeNulls"
|
2911
|
+
"removeNulls",
|
2912
|
+
"urlDecodeUni"
|
2911
2913
|
]
|
2912
2914
|
},
|
2913
2915
|
{
|
@@ -2957,7 +2959,8 @@
|
|
2957
2959
|
}
|
2958
2960
|
],
|
2959
2961
|
"transformers": [
|
2960
|
-
"removeNulls"
|
2962
|
+
"removeNulls",
|
2963
|
+
"urlDecodeUni"
|
2961
2964
|
]
|
2962
2965
|
},
|
2963
2966
|
{
|
@@ -3007,7 +3010,8 @@
|
|
3007
3010
|
}
|
3008
3011
|
],
|
3009
3012
|
"transformers": [
|
3010
|
-
"removeNulls"
|
3013
|
+
"removeNulls",
|
3014
|
+
"urlDecodeUni"
|
3011
3015
|
]
|
3012
3016
|
},
|
3013
3017
|
{
|
@@ -3054,7 +3058,8 @@
|
|
3054
3058
|
}
|
3055
3059
|
],
|
3056
3060
|
"transformers": [
|
3057
|
-
"removeNulls"
|
3061
|
+
"removeNulls",
|
3062
|
+
"urlDecodeUni"
|
3058
3063
|
]
|
3059
3064
|
},
|
3060
3065
|
{
|
@@ -3088,8 +3093,7 @@
|
|
3088
3093
|
".parentnode",
|
3089
3094
|
".innerhtml",
|
3090
3095
|
"window.location",
|
3091
|
-
"-moz-binding"
|
3092
|
-
"<![cdata["
|
3096
|
+
"-moz-binding"
|
3093
3097
|
]
|
3094
3098
|
},
|
3095
3099
|
"operator": "phrase_match"
|
@@ -3545,7 +3549,7 @@
|
|
3545
3549
|
"address": "grpc.server.request.message"
|
3546
3550
|
}
|
3547
3551
|
],
|
3548
|
-
"regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
|
3552
|
+
"regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)[\\s+]*\\([^\\)]",
|
3549
3553
|
"options": {
|
3550
3554
|
"case_sensitive": true,
|
3551
3555
|
"min_length": 5
|
@@ -4382,6 +4386,256 @@
|
|
4382
4386
|
],
|
4383
4387
|
"transformers": []
|
4384
4388
|
},
|
4389
|
+
{
|
4390
|
+
"id": "dog-913-001",
|
4391
|
+
"name": "BurpCollaborator OOB domain",
|
4392
|
+
"tags": {
|
4393
|
+
"type": "security_scanner",
|
4394
|
+
"category": "attack_attempt",
|
4395
|
+
"tool_name": "BurpCollaborator",
|
4396
|
+
"confidence": "1"
|
4397
|
+
},
|
4398
|
+
"conditions": [
|
4399
|
+
{
|
4400
|
+
"parameters": {
|
4401
|
+
"inputs": [
|
4402
|
+
{
|
4403
|
+
"address": "server.request.query"
|
4404
|
+
},
|
4405
|
+
{
|
4406
|
+
"address": "server.request.body"
|
4407
|
+
},
|
4408
|
+
{
|
4409
|
+
"address": "server.request.path_params"
|
4410
|
+
},
|
4411
|
+
{
|
4412
|
+
"address": "server.request.headers.no_cookies"
|
4413
|
+
},
|
4414
|
+
{
|
4415
|
+
"address": "grpc.server.request.message"
|
4416
|
+
}
|
4417
|
+
],
|
4418
|
+
"regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b"
|
4419
|
+
},
|
4420
|
+
"operator": "match_regex"
|
4421
|
+
}
|
4422
|
+
],
|
4423
|
+
"transformers": []
|
4424
|
+
},
|
4425
|
+
{
|
4426
|
+
"id": "dog-913-002",
|
4427
|
+
"name": "Qualys OOB domain",
|
4428
|
+
"tags": {
|
4429
|
+
"type": "commercial_scanner",
|
4430
|
+
"category": "attack_attempt",
|
4431
|
+
"tool_name": "Qualys",
|
4432
|
+
"confidence": "0"
|
4433
|
+
},
|
4434
|
+
"conditions": [
|
4435
|
+
{
|
4436
|
+
"parameters": {
|
4437
|
+
"inputs": [
|
4438
|
+
{
|
4439
|
+
"address": "server.request.query"
|
4440
|
+
},
|
4441
|
+
{
|
4442
|
+
"address": "server.request.body"
|
4443
|
+
},
|
4444
|
+
{
|
4445
|
+
"address": "server.request.path_params"
|
4446
|
+
},
|
4447
|
+
{
|
4448
|
+
"address": "server.request.headers.no_cookies"
|
4449
|
+
},
|
4450
|
+
{
|
4451
|
+
"address": "grpc.server.request.message"
|
4452
|
+
}
|
4453
|
+
],
|
4454
|
+
"regex": "\\bqualysperiscope\\.com\\b"
|
4455
|
+
},
|
4456
|
+
"operator": "match_regex"
|
4457
|
+
}
|
4458
|
+
],
|
4459
|
+
"transformers": []
|
4460
|
+
},
|
4461
|
+
{
|
4462
|
+
"id": "dog-913-003",
|
4463
|
+
"name": "Probely OOB domain",
|
4464
|
+
"tags": {
|
4465
|
+
"type": "commercial_scanner",
|
4466
|
+
"category": "attack_attempt",
|
4467
|
+
"tool_name": "Probely",
|
4468
|
+
"confidence": "0"
|
4469
|
+
},
|
4470
|
+
"conditions": [
|
4471
|
+
{
|
4472
|
+
"parameters": {
|
4473
|
+
"inputs": [
|
4474
|
+
{
|
4475
|
+
"address": "server.request.query"
|
4476
|
+
},
|
4477
|
+
{
|
4478
|
+
"address": "server.request.body"
|
4479
|
+
},
|
4480
|
+
{
|
4481
|
+
"address": "server.request.path_params"
|
4482
|
+
},
|
4483
|
+
{
|
4484
|
+
"address": "server.request.headers.no_cookies"
|
4485
|
+
},
|
4486
|
+
{
|
4487
|
+
"address": "grpc.server.request.message"
|
4488
|
+
}
|
4489
|
+
],
|
4490
|
+
"regex": "\\bprbly\\.win\\b"
|
4491
|
+
},
|
4492
|
+
"operator": "match_regex"
|
4493
|
+
}
|
4494
|
+
],
|
4495
|
+
"transformers": []
|
4496
|
+
},
|
4497
|
+
{
|
4498
|
+
"id": "dog-913-004",
|
4499
|
+
"name": "Known malicious out-of-band interaction domain",
|
4500
|
+
"tags": {
|
4501
|
+
"type": "security_scanner",
|
4502
|
+
"category": "attack_attempt",
|
4503
|
+
"confidence": "1"
|
4504
|
+
},
|
4505
|
+
"conditions": [
|
4506
|
+
{
|
4507
|
+
"parameters": {
|
4508
|
+
"inputs": [
|
4509
|
+
{
|
4510
|
+
"address": "server.request.query"
|
4511
|
+
},
|
4512
|
+
{
|
4513
|
+
"address": "server.request.body"
|
4514
|
+
},
|
4515
|
+
{
|
4516
|
+
"address": "server.request.path_params"
|
4517
|
+
},
|
4518
|
+
{
|
4519
|
+
"address": "server.request.headers.no_cookies"
|
4520
|
+
},
|
4521
|
+
{
|
4522
|
+
"address": "grpc.server.request.message"
|
4523
|
+
}
|
4524
|
+
],
|
4525
|
+
"regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b"
|
4526
|
+
},
|
4527
|
+
"operator": "match_regex"
|
4528
|
+
}
|
4529
|
+
],
|
4530
|
+
"transformers": []
|
4531
|
+
},
|
4532
|
+
{
|
4533
|
+
"id": "dog-913-005",
|
4534
|
+
"name": "Known suspicious out-of-band interaction domain",
|
4535
|
+
"tags": {
|
4536
|
+
"type": "security_scanner",
|
4537
|
+
"category": "attack_attempt",
|
4538
|
+
"confidence": "0"
|
4539
|
+
},
|
4540
|
+
"conditions": [
|
4541
|
+
{
|
4542
|
+
"parameters": {
|
4543
|
+
"inputs": [
|
4544
|
+
{
|
4545
|
+
"address": "server.request.query"
|
4546
|
+
},
|
4547
|
+
{
|
4548
|
+
"address": "server.request.body"
|
4549
|
+
},
|
4550
|
+
{
|
4551
|
+
"address": "server.request.path_params"
|
4552
|
+
},
|
4553
|
+
{
|
4554
|
+
"address": "server.request.headers.no_cookies"
|
4555
|
+
},
|
4556
|
+
{
|
4557
|
+
"address": "grpc.server.request.message"
|
4558
|
+
}
|
4559
|
+
],
|
4560
|
+
"regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b"
|
4561
|
+
},
|
4562
|
+
"operator": "match_regex"
|
4563
|
+
}
|
4564
|
+
],
|
4565
|
+
"transformers": []
|
4566
|
+
},
|
4567
|
+
{
|
4568
|
+
"id": "dog-913-006",
|
4569
|
+
"name": "Rapid7 OOB domain",
|
4570
|
+
"tags": {
|
4571
|
+
"type": "commercial_scanner",
|
4572
|
+
"category": "attack_attempt",
|
4573
|
+
"tool_name": "Rapid7",
|
4574
|
+
"confidence": "0"
|
4575
|
+
},
|
4576
|
+
"conditions": [
|
4577
|
+
{
|
4578
|
+
"parameters": {
|
4579
|
+
"inputs": [
|
4580
|
+
{
|
4581
|
+
"address": "server.request.query"
|
4582
|
+
},
|
4583
|
+
{
|
4584
|
+
"address": "server.request.body"
|
4585
|
+
},
|
4586
|
+
{
|
4587
|
+
"address": "server.request.path_params"
|
4588
|
+
},
|
4589
|
+
{
|
4590
|
+
"address": "server.request.headers.no_cookies"
|
4591
|
+
},
|
4592
|
+
{
|
4593
|
+
"address": "grpc.server.request.message"
|
4594
|
+
}
|
4595
|
+
],
|
4596
|
+
"regex": "\\bappspidered\\.rapid7\\."
|
4597
|
+
},
|
4598
|
+
"operator": "match_regex"
|
4599
|
+
}
|
4600
|
+
],
|
4601
|
+
"transformers": []
|
4602
|
+
},
|
4603
|
+
{
|
4604
|
+
"id": "dog-913-007",
|
4605
|
+
"name": "Interact.sh OOB domain",
|
4606
|
+
"tags": {
|
4607
|
+
"type": "security_scanner",
|
4608
|
+
"category": "attack_attempt",
|
4609
|
+
"tool_name": "interact.sh",
|
4610
|
+
"confidence": "1"
|
4611
|
+
},
|
4612
|
+
"conditions": [
|
4613
|
+
{
|
4614
|
+
"parameters": {
|
4615
|
+
"inputs": [
|
4616
|
+
{
|
4617
|
+
"address": "server.request.query"
|
4618
|
+
},
|
4619
|
+
{
|
4620
|
+
"address": "server.request.body"
|
4621
|
+
},
|
4622
|
+
{
|
4623
|
+
"address": "server.request.path_params"
|
4624
|
+
},
|
4625
|
+
{
|
4626
|
+
"address": "server.request.headers.no_cookies"
|
4627
|
+
},
|
4628
|
+
{
|
4629
|
+
"address": "grpc.server.request.message"
|
4630
|
+
}
|
4631
|
+
],
|
4632
|
+
"regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b"
|
4633
|
+
},
|
4634
|
+
"operator": "match_regex"
|
4635
|
+
}
|
4636
|
+
],
|
4637
|
+
"transformers": []
|
4638
|
+
},
|
4385
4639
|
{
|
4386
4640
|
"id": "dog-931-001",
|
4387
4641
|
"name": "RFI: URL Payload to well known RFI target",
|
@@ -5347,14 +5601,12 @@
|
|
5347
5601
|
"address": "grpc.server.request.message"
|
5348
5602
|
}
|
5349
5603
|
],
|
5350
|
-
"regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
|
5604
|
+
"regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii.one|act1on3.ru)"
|
5351
5605
|
},
|
5352
5606
|
"operator": "match_regex"
|
5353
5607
|
}
|
5354
5608
|
],
|
5355
|
-
"transformers": [
|
5356
|
-
"lowercase"
|
5357
|
-
]
|
5609
|
+
"transformers": []
|
5358
5610
|
},
|
5359
5611
|
{
|
5360
5612
|
"id": "sqr-000-015",
|
@@ -5429,7 +5681,9 @@
|
|
5429
5681
|
"operator": "match_regex"
|
5430
5682
|
}
|
5431
5683
|
],
|
5432
|
-
"transformers": [
|
5684
|
+
"transformers": [
|
5685
|
+
"unicode_normalize"
|
5686
|
+
]
|
5433
5687
|
},
|
5434
5688
|
{
|
5435
5689
|
"id": "ua0-600-0xx",
|
@@ -5437,6 +5691,7 @@
|
|
5437
5691
|
"tags": {
|
5438
5692
|
"type": "security_scanner",
|
5439
5693
|
"category": "attack_attempt",
|
5694
|
+
"tool_name": "Joomla exploitation tool",
|
5440
5695
|
"confidence": "1"
|
5441
5696
|
},
|
5442
5697
|
"conditions": [
|
@@ -5463,6 +5718,7 @@
|
|
5463
5718
|
"tags": {
|
5464
5719
|
"type": "security_scanner",
|
5465
5720
|
"category": "attack_attempt",
|
5721
|
+
"tool_name": "Nessus",
|
5466
5722
|
"confidence": "1"
|
5467
5723
|
},
|
5468
5724
|
"conditions": [
|
@@ -5489,6 +5745,7 @@
|
|
5489
5745
|
"tags": {
|
5490
5746
|
"type": "security_scanner",
|
5491
5747
|
"category": "attack_attempt",
|
5748
|
+
"tool_name": "Arachni",
|
5492
5749
|
"confidence": "1"
|
5493
5750
|
},
|
5494
5751
|
"conditions": [
|
@@ -5515,6 +5772,7 @@
|
|
5515
5772
|
"tags": {
|
5516
5773
|
"type": "security_scanner",
|
5517
5774
|
"category": "attack_attempt",
|
5775
|
+
"tool_name": "Jorgee",
|
5518
5776
|
"confidence": "1"
|
5519
5777
|
},
|
5520
5778
|
"conditions": [
|
@@ -5539,9 +5797,10 @@
|
|
5539
5797
|
"id": "ua0-600-14x",
|
5540
5798
|
"name": "Probely",
|
5541
5799
|
"tags": {
|
5542
|
-
"type": "
|
5800
|
+
"type": "commercial_scanner",
|
5543
5801
|
"category": "attack_attempt",
|
5544
|
-
"
|
5802
|
+
"tool_name": "Probely",
|
5803
|
+
"confidence": "0"
|
5545
5804
|
},
|
5546
5805
|
"conditions": [
|
5547
5806
|
{
|
@@ -5567,6 +5826,7 @@
|
|
5567
5826
|
"tags": {
|
5568
5827
|
"type": "security_scanner",
|
5569
5828
|
"category": "attack_attempt",
|
5829
|
+
"tool_name": "Metis",
|
5570
5830
|
"confidence": "1"
|
5571
5831
|
},
|
5572
5832
|
"conditions": [
|
@@ -5593,6 +5853,7 @@
|
|
5593
5853
|
"tags": {
|
5594
5854
|
"type": "security_scanner",
|
5595
5855
|
"category": "attack_attempt",
|
5856
|
+
"tool_name": "SQLPowerInjector",
|
5596
5857
|
"confidence": "1"
|
5597
5858
|
},
|
5598
5859
|
"conditions": [
|
@@ -5619,6 +5880,7 @@
|
|
5619
5880
|
"tags": {
|
5620
5881
|
"type": "security_scanner",
|
5621
5882
|
"category": "attack_attempt",
|
5883
|
+
"tool_name": "N-Stealth",
|
5622
5884
|
"confidence": "1"
|
5623
5885
|
},
|
5624
5886
|
"conditions": [
|
@@ -5645,6 +5907,7 @@
|
|
5645
5907
|
"tags": {
|
5646
5908
|
"type": "security_scanner",
|
5647
5909
|
"category": "attack_attempt",
|
5910
|
+
"tool_name": "Brutus",
|
5648
5911
|
"confidence": "1"
|
5649
5912
|
},
|
5650
5913
|
"conditions": [
|
@@ -5671,6 +5934,7 @@
|
|
5671
5934
|
"tags": {
|
5672
5935
|
"type": "security_scanner",
|
5673
5936
|
"category": "attack_attempt",
|
5937
|
+
"tool_name": "Shellshock",
|
5674
5938
|
"confidence": "1"
|
5675
5939
|
},
|
5676
5940
|
"conditions": [
|
@@ -5695,9 +5959,10 @@
|
|
5695
5959
|
"id": "ua0-600-20x",
|
5696
5960
|
"name": "Netsparker",
|
5697
5961
|
"tags": {
|
5698
|
-
"type": "
|
5962
|
+
"type": "commercial_scanner",
|
5699
5963
|
"category": "attack_attempt",
|
5700
|
-
"
|
5964
|
+
"tool_name": "Netsparker",
|
5965
|
+
"confidence": "0"
|
5701
5966
|
},
|
5702
5967
|
"conditions": [
|
5703
5968
|
{
|
@@ -5710,7 +5975,7 @@
|
|
5710
5975
|
]
|
5711
5976
|
}
|
5712
5977
|
],
|
5713
|
-
"regex": "
|
5978
|
+
"regex": "\\bnetsparker\\b"
|
5714
5979
|
},
|
5715
5980
|
"operator": "match_regex"
|
5716
5981
|
}
|
@@ -5723,6 +5988,7 @@
|
|
5723
5988
|
"tags": {
|
5724
5989
|
"type": "security_scanner",
|
5725
5990
|
"category": "attack_attempt",
|
5991
|
+
"tool_name": "JAASCois",
|
5726
5992
|
"confidence": "1"
|
5727
5993
|
},
|
5728
5994
|
"conditions": [
|
@@ -5743,64 +6009,13 @@
|
|
5743
6009
|
],
|
5744
6010
|
"transformers": []
|
5745
6011
|
},
|
5746
|
-
{
|
5747
|
-
"id": "ua0-600-23x",
|
5748
|
-
"name": "PMAFind",
|
5749
|
-
"tags": {
|
5750
|
-
"type": "security_scanner",
|
5751
|
-
"category": "attack_attempt",
|
5752
|
-
"confidence": "1"
|
5753
|
-
},
|
5754
|
-
"conditions": [
|
5755
|
-
{
|
5756
|
-
"parameters": {
|
5757
|
-
"inputs": [
|
5758
|
-
{
|
5759
|
-
"address": "server.request.headers.no_cookies",
|
5760
|
-
"key_path": [
|
5761
|
-
"user-agent"
|
5762
|
-
]
|
5763
|
-
}
|
5764
|
-
],
|
5765
|
-
"regex": "(?i)\\bpmafind\\b"
|
5766
|
-
},
|
5767
|
-
"operator": "match_regex"
|
5768
|
-
}
|
5769
|
-
],
|
5770
|
-
"transformers": []
|
5771
|
-
},
|
5772
|
-
{
|
5773
|
-
"id": "ua0-600-25x",
|
5774
|
-
"name": "Webtrends",
|
5775
|
-
"tags": {
|
5776
|
-
"type": "security_scanner",
|
5777
|
-
"category": "attack_attempt",
|
5778
|
-
"confidence": "1"
|
5779
|
-
},
|
5780
|
-
"conditions": [
|
5781
|
-
{
|
5782
|
-
"parameters": {
|
5783
|
-
"inputs": [
|
5784
|
-
{
|
5785
|
-
"address": "server.request.headers.no_cookies",
|
5786
|
-
"key_path": [
|
5787
|
-
"user-agent"
|
5788
|
-
]
|
5789
|
-
}
|
5790
|
-
],
|
5791
|
-
"regex": "webtrends security analyzer"
|
5792
|
-
},
|
5793
|
-
"operator": "match_regex"
|
5794
|
-
}
|
5795
|
-
],
|
5796
|
-
"transformers": []
|
5797
|
-
},
|
5798
6012
|
{
|
5799
6013
|
"id": "ua0-600-26x",
|
5800
6014
|
"name": "Nsauditor",
|
5801
6015
|
"tags": {
|
5802
6016
|
"type": "security_scanner",
|
5803
6017
|
"category": "attack_attempt",
|
6018
|
+
"tool_name": "Nsauditor",
|
5804
6019
|
"confidence": "1"
|
5805
6020
|
},
|
5806
6021
|
"conditions": [
|
@@ -5827,6 +6042,7 @@
|
|
5827
6042
|
"tags": {
|
5828
6043
|
"type": "security_scanner",
|
5829
6044
|
"category": "attack_attempt",
|
6045
|
+
"tool_name": "Paros",
|
5830
6046
|
"confidence": "1"
|
5831
6047
|
},
|
5832
6048
|
"conditions": [
|
@@ -5853,6 +6069,7 @@
|
|
5853
6069
|
"tags": {
|
5854
6070
|
"type": "security_scanner",
|
5855
6071
|
"category": "attack_attempt",
|
6072
|
+
"tool_name": "DirBuster",
|
5856
6073
|
"confidence": "1"
|
5857
6074
|
},
|
5858
6075
|
"conditions": [
|
@@ -5879,6 +6096,7 @@
|
|
5879
6096
|
"tags": {
|
5880
6097
|
"type": "security_scanner",
|
5881
6098
|
"category": "attack_attempt",
|
6099
|
+
"tool_name": "Pangolin",
|
5882
6100
|
"confidence": "1"
|
5883
6101
|
},
|
5884
6102
|
"conditions": [
|
@@ -5903,9 +6121,10 @@
|
|
5903
6121
|
"id": "ua0-600-2xx",
|
5904
6122
|
"name": "Qualys",
|
5905
6123
|
"tags": {
|
5906
|
-
"type": "
|
6124
|
+
"type": "commercial_scanner",
|
5907
6125
|
"category": "attack_attempt",
|
5908
|
-
"
|
6126
|
+
"tool_name": "Qualys",
|
6127
|
+
"confidence": "0"
|
5909
6128
|
},
|
5910
6129
|
"conditions": [
|
5911
6130
|
{
|
@@ -5931,6 +6150,7 @@
|
|
5931
6150
|
"tags": {
|
5932
6151
|
"type": "security_scanner",
|
5933
6152
|
"category": "attack_attempt",
|
6153
|
+
"tool_name": "SQLNinja",
|
5934
6154
|
"confidence": "1"
|
5935
6155
|
},
|
5936
6156
|
"conditions": [
|
@@ -5957,6 +6177,7 @@
|
|
5957
6177
|
"tags": {
|
5958
6178
|
"type": "security_scanner",
|
5959
6179
|
"category": "attack_attempt",
|
6180
|
+
"tool_name": "Nikto",
|
5960
6181
|
"confidence": "1"
|
5961
6182
|
},
|
5962
6183
|
"conditions": [
|
@@ -5977,38 +6198,13 @@
|
|
5977
6198
|
],
|
5978
6199
|
"transformers": []
|
5979
6200
|
},
|
5980
|
-
{
|
5981
|
-
"id": "ua0-600-32x",
|
5982
|
-
"name": "WebInspect",
|
5983
|
-
"tags": {
|
5984
|
-
"type": "security_scanner",
|
5985
|
-
"category": "attack_attempt",
|
5986
|
-
"confidence": "1"
|
5987
|
-
},
|
5988
|
-
"conditions": [
|
5989
|
-
{
|
5990
|
-
"parameters": {
|
5991
|
-
"inputs": [
|
5992
|
-
{
|
5993
|
-
"address": "server.request.headers.no_cookies",
|
5994
|
-
"key_path": [
|
5995
|
-
"user-agent"
|
5996
|
-
]
|
5997
|
-
}
|
5998
|
-
],
|
5999
|
-
"regex": "(?i)\\bwebinspect\\b"
|
6000
|
-
},
|
6001
|
-
"operator": "match_regex"
|
6002
|
-
}
|
6003
|
-
],
|
6004
|
-
"transformers": []
|
6005
|
-
},
|
6006
6201
|
{
|
6007
6202
|
"id": "ua0-600-33x",
|
6008
6203
|
"name": "BlackWidow",
|
6009
6204
|
"tags": {
|
6010
6205
|
"type": "security_scanner",
|
6011
6206
|
"category": "attack_attempt",
|
6207
|
+
"tool_name": "BlackWidow",
|
6012
6208
|
"confidence": "1"
|
6013
6209
|
},
|
6014
6210
|
"conditions": [
|
@@ -6035,6 +6231,7 @@
|
|
6035
6231
|
"tags": {
|
6036
6232
|
"type": "security_scanner",
|
6037
6233
|
"category": "attack_attempt",
|
6234
|
+
"tool_name": "Grendel-Scan",
|
6038
6235
|
"confidence": "1"
|
6039
6236
|
},
|
6040
6237
|
"conditions": [
|
@@ -6061,6 +6258,7 @@
|
|
6061
6258
|
"tags": {
|
6062
6259
|
"type": "security_scanner",
|
6063
6260
|
"category": "attack_attempt",
|
6261
|
+
"tool_name": "Havij",
|
6064
6262
|
"confidence": "1"
|
6065
6263
|
},
|
6066
6264
|
"conditions": [
|
@@ -6087,6 +6285,7 @@
|
|
6087
6285
|
"tags": {
|
6088
6286
|
"type": "security_scanner",
|
6089
6287
|
"category": "attack_attempt",
|
6288
|
+
"tool_name": "w3af",
|
6090
6289
|
"confidence": "1"
|
6091
6290
|
},
|
6092
6291
|
"conditions": [
|
@@ -6113,6 +6312,7 @@
|
|
6113
6312
|
"tags": {
|
6114
6313
|
"type": "security_scanner",
|
6115
6314
|
"category": "attack_attempt",
|
6315
|
+
"tool_name": "Nmap",
|
6116
6316
|
"confidence": "1"
|
6117
6317
|
},
|
6118
6318
|
"conditions": [
|
@@ -6139,6 +6339,7 @@
|
|
6139
6339
|
"tags": {
|
6140
6340
|
"type": "security_scanner",
|
6141
6341
|
"category": "attack_attempt",
|
6342
|
+
"tool_name": "Nessus",
|
6142
6343
|
"confidence": "1"
|
6143
6344
|
},
|
6144
6345
|
"conditions": [
|
@@ -6152,7 +6353,7 @@
|
|
6152
6353
|
]
|
6153
6354
|
}
|
6154
6355
|
],
|
6155
|
-
"regex": "(?i)^'?[a-z0-
|
6356
|
+
"regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$"
|
6156
6357
|
},
|
6157
6358
|
"operator": "match_regex"
|
6158
6359
|
}
|
@@ -6165,6 +6366,7 @@
|
|
6165
6366
|
"tags": {
|
6166
6367
|
"type": "security_scanner",
|
6167
6368
|
"category": "attack_attempt",
|
6369
|
+
"tool_name": "EvilScanner",
|
6168
6370
|
"confidence": "1"
|
6169
6371
|
},
|
6170
6372
|
"conditions": [
|
@@ -6191,6 +6393,7 @@
|
|
6191
6393
|
"tags": {
|
6192
6394
|
"type": "security_scanner",
|
6193
6395
|
"category": "attack_attempt",
|
6396
|
+
"tool_name": "WebFuck",
|
6194
6397
|
"confidence": "1"
|
6195
6398
|
},
|
6196
6399
|
"conditions": [
|
@@ -6217,6 +6420,7 @@
|
|
6217
6420
|
"tags": {
|
6218
6421
|
"type": "security_scanner",
|
6219
6422
|
"category": "attack_attempt",
|
6423
|
+
"tool_name": "OpenVAS",
|
6220
6424
|
"confidence": "1"
|
6221
6425
|
},
|
6222
6426
|
"conditions": [
|
@@ -6243,6 +6447,7 @@
|
|
6243
6447
|
"tags": {
|
6244
6448
|
"type": "security_scanner",
|
6245
6449
|
"category": "attack_attempt",
|
6450
|
+
"tool_name": "Spider-Pig",
|
6246
6451
|
"confidence": "1"
|
6247
6452
|
},
|
6248
6453
|
"conditions": [
|
@@ -6269,6 +6474,7 @@
|
|
6269
6474
|
"tags": {
|
6270
6475
|
"type": "security_scanner",
|
6271
6476
|
"category": "attack_attempt",
|
6477
|
+
"tool_name": "Zgrab",
|
6272
6478
|
"confidence": "1"
|
6273
6479
|
},
|
6274
6480
|
"conditions": [
|
@@ -6295,6 +6501,7 @@
|
|
6295
6501
|
"tags": {
|
6296
6502
|
"type": "security_scanner",
|
6297
6503
|
"category": "attack_attempt",
|
6504
|
+
"tool_name": "Zmeu",
|
6298
6505
|
"confidence": "1"
|
6299
6506
|
},
|
6300
6507
|
"conditions": [
|
@@ -6315,39 +6522,14 @@
|
|
6315
6522
|
],
|
6316
6523
|
"transformers": []
|
6317
6524
|
},
|
6318
|
-
{
|
6319
|
-
"id": "ua0-600-46x",
|
6320
|
-
"name": "Crowdstrike",
|
6321
|
-
"tags": {
|
6322
|
-
"type": "security_scanner",
|
6323
|
-
"category": "attack_attempt",
|
6324
|
-
"confidence": "1"
|
6325
|
-
},
|
6326
|
-
"conditions": [
|
6327
|
-
{
|
6328
|
-
"parameters": {
|
6329
|
-
"inputs": [
|
6330
|
-
{
|
6331
|
-
"address": "server.request.headers.no_cookies",
|
6332
|
-
"key_path": [
|
6333
|
-
"user-agent"
|
6334
|
-
]
|
6335
|
-
}
|
6336
|
-
],
|
6337
|
-
"regex": "(?i)\\bcrowdstrike\\b"
|
6338
|
-
},
|
6339
|
-
"operator": "match_regex"
|
6340
|
-
}
|
6341
|
-
],
|
6342
|
-
"transformers": []
|
6343
|
-
},
|
6344
6525
|
{
|
6345
6526
|
"id": "ua0-600-47x",
|
6346
6527
|
"name": "GoogleSecurityScanner",
|
6347
6528
|
"tags": {
|
6348
|
-
"type": "
|
6529
|
+
"type": "commercial_scanner",
|
6349
6530
|
"category": "attack_attempt",
|
6350
|
-
"
|
6531
|
+
"tool_name": "GoogleSecurityScanner",
|
6532
|
+
"confidence": "0"
|
6351
6533
|
},
|
6352
6534
|
"conditions": [
|
6353
6535
|
{
|
@@ -6373,6 +6555,7 @@
|
|
6373
6555
|
"tags": {
|
6374
6556
|
"type": "security_scanner",
|
6375
6557
|
"category": "attack_attempt",
|
6558
|
+
"tool_name": "Commix",
|
6376
6559
|
"confidence": "1"
|
6377
6560
|
},
|
6378
6561
|
"conditions": [
|
@@ -6399,6 +6582,7 @@
|
|
6399
6582
|
"tags": {
|
6400
6583
|
"type": "security_scanner",
|
6401
6584
|
"category": "attack_attempt",
|
6585
|
+
"tool_name": "Gobuster",
|
6402
6586
|
"confidence": "1"
|
6403
6587
|
},
|
6404
6588
|
"conditions": [
|
@@ -6425,6 +6609,7 @@
|
|
6425
6609
|
"tags": {
|
6426
6610
|
"type": "security_scanner",
|
6427
6611
|
"category": "attack_attempt",
|
6612
|
+
"tool_name": "CGIchk",
|
6428
6613
|
"confidence": "1"
|
6429
6614
|
},
|
6430
6615
|
"conditions": [
|
@@ -6451,6 +6636,7 @@
|
|
6451
6636
|
"tags": {
|
6452
6637
|
"type": "security_scanner",
|
6453
6638
|
"category": "attack_attempt",
|
6639
|
+
"tool_name": "FFUF",
|
6454
6640
|
"confidence": "1"
|
6455
6641
|
},
|
6456
6642
|
"conditions": [
|
@@ -6477,6 +6663,7 @@
|
|
6477
6663
|
"tags": {
|
6478
6664
|
"type": "security_scanner",
|
6479
6665
|
"category": "attack_attempt",
|
6666
|
+
"tool_name": "Nuclei",
|
6480
6667
|
"confidence": "1"
|
6481
6668
|
},
|
6482
6669
|
"conditions": [
|
@@ -6503,6 +6690,7 @@
|
|
6503
6690
|
"tags": {
|
6504
6691
|
"type": "security_scanner",
|
6505
6692
|
"category": "attack_attempt",
|
6693
|
+
"tool_name": "Tsunami",
|
6506
6694
|
"confidence": "1"
|
6507
6695
|
},
|
6508
6696
|
"conditions": [
|
@@ -6529,6 +6717,7 @@
|
|
6529
6717
|
"tags": {
|
6530
6718
|
"type": "security_scanner",
|
6531
6719
|
"category": "attack_attempt",
|
6720
|
+
"tool_name": "Nimbostratus",
|
6532
6721
|
"confidence": "1"
|
6533
6722
|
},
|
6534
6723
|
"conditions": [
|
@@ -6555,6 +6744,7 @@
|
|
6555
6744
|
"tags": {
|
6556
6745
|
"type": "security_scanner",
|
6557
6746
|
"category": "attack_attempt",
|
6747
|
+
"tool_name": "Datadog Canary Test",
|
6558
6748
|
"confidence": "1"
|
6559
6749
|
},
|
6560
6750
|
"conditions": [
|
@@ -6574,7 +6764,7 @@
|
|
6574
6764
|
]
|
6575
6765
|
}
|
6576
6766
|
],
|
6577
|
-
"regex": "^dd-test-scanner-log
|
6767
|
+
"regex": "^dd-test-scanner-log(?:$|/|\\s)"
|
6578
6768
|
},
|
6579
6769
|
"operator": "match_regex"
|
6580
6770
|
}
|
@@ -6587,6 +6777,7 @@
|
|
6587
6777
|
"tags": {
|
6588
6778
|
"type": "security_scanner",
|
6589
6779
|
"category": "attack_attempt",
|
6780
|
+
"tool_name": "Datadog Canary Test",
|
6590
6781
|
"confidence": "1"
|
6591
6782
|
},
|
6592
6783
|
"conditions": [
|
@@ -6606,7 +6797,7 @@
|
|
6606
6797
|
]
|
6607
6798
|
}
|
6608
6799
|
],
|
6609
|
-
"regex": "^dd-test-scanner-log-block
|
6800
|
+
"regex": "^dd-test-scanner-log-block(?:$|/|\\s)"
|
6610
6801
|
},
|
6611
6802
|
"operator": "match_regex"
|
6612
6803
|
}
|
@@ -6616,12 +6807,94 @@
|
|
6616
6807
|
"block"
|
6617
6808
|
]
|
6618
6809
|
},
|
6810
|
+
{
|
6811
|
+
"id": "ua0-600-57x",
|
6812
|
+
"name": "AlertLogic",
|
6813
|
+
"tags": {
|
6814
|
+
"type": "commercial_scanner",
|
6815
|
+
"category": "attack_attempt",
|
6816
|
+
"tool_name": "AlertLogic",
|
6817
|
+
"confidence": "0"
|
6818
|
+
},
|
6819
|
+
"conditions": [
|
6820
|
+
{
|
6821
|
+
"parameters": {
|
6822
|
+
"inputs": [
|
6823
|
+
{
|
6824
|
+
"address": "server.request.headers.no_cookies",
|
6825
|
+
"key_path": [
|
6826
|
+
"user-agent"
|
6827
|
+
]
|
6828
|
+
}
|
6829
|
+
],
|
6830
|
+
"regex": "\\bAlertLogic-MDR-"
|
6831
|
+
},
|
6832
|
+
"operator": "match_regex"
|
6833
|
+
}
|
6834
|
+
],
|
6835
|
+
"transformers": []
|
6836
|
+
},
|
6837
|
+
{
|
6838
|
+
"id": "ua0-600-58x",
|
6839
|
+
"name": "wfuzz",
|
6840
|
+
"tags": {
|
6841
|
+
"type": "security_scanner",
|
6842
|
+
"category": "attack_attempt",
|
6843
|
+
"tool_name": "wfuzz",
|
6844
|
+
"confidence": "1"
|
6845
|
+
},
|
6846
|
+
"conditions": [
|
6847
|
+
{
|
6848
|
+
"parameters": {
|
6849
|
+
"inputs": [
|
6850
|
+
{
|
6851
|
+
"address": "server.request.headers.no_cookies",
|
6852
|
+
"key_path": [
|
6853
|
+
"user-agent"
|
6854
|
+
]
|
6855
|
+
}
|
6856
|
+
],
|
6857
|
+
"regex": "\\bwfuzz\\b"
|
6858
|
+
},
|
6859
|
+
"operator": "match_regex"
|
6860
|
+
}
|
6861
|
+
],
|
6862
|
+
"transformers": []
|
6863
|
+
},
|
6864
|
+
{
|
6865
|
+
"id": "ua0-600-59x",
|
6866
|
+
"name": "Detectify",
|
6867
|
+
"tags": {
|
6868
|
+
"type": "commercial_scanner",
|
6869
|
+
"category": "attack_attempt",
|
6870
|
+
"tool_name": "Detectify",
|
6871
|
+
"confidence": "0"
|
6872
|
+
},
|
6873
|
+
"conditions": [
|
6874
|
+
{
|
6875
|
+
"parameters": {
|
6876
|
+
"inputs": [
|
6877
|
+
{
|
6878
|
+
"address": "server.request.headers.no_cookies",
|
6879
|
+
"key_path": [
|
6880
|
+
"user-agent"
|
6881
|
+
]
|
6882
|
+
}
|
6883
|
+
],
|
6884
|
+
"regex": "\\bdetectify\\b"
|
6885
|
+
},
|
6886
|
+
"operator": "match_regex"
|
6887
|
+
}
|
6888
|
+
],
|
6889
|
+
"transformers": []
|
6890
|
+
},
|
6619
6891
|
{
|
6620
6892
|
"id": "ua0-600-5xx",
|
6621
6893
|
"name": "Blind SQL Injection Brute Forcer",
|
6622
6894
|
"tags": {
|
6623
6895
|
"type": "security_scanner",
|
6624
6896
|
"category": "attack_attempt",
|
6897
|
+
"tool_name": "BSQLBF",
|
6625
6898
|
"confidence": "1"
|
6626
6899
|
},
|
6627
6900
|
"conditions": [
|
@@ -6642,9 +6915,90 @@
|
|
6642
6915
|
],
|
6643
6916
|
"transformers": []
|
6644
6917
|
},
|
6918
|
+
{
|
6919
|
+
"id": "ua0-600-60x",
|
6920
|
+
"name": "masscan",
|
6921
|
+
"tags": {
|
6922
|
+
"type": "security_scanner",
|
6923
|
+
"category": "attack_attempt",
|
6924
|
+
"tool_name": "masscan",
|
6925
|
+
"confidence": "1"
|
6926
|
+
},
|
6927
|
+
"conditions": [
|
6928
|
+
{
|
6929
|
+
"parameters": {
|
6930
|
+
"inputs": [
|
6931
|
+
{
|
6932
|
+
"address": "server.request.headers.no_cookies",
|
6933
|
+
"key_path": [
|
6934
|
+
"user-agent"
|
6935
|
+
]
|
6936
|
+
}
|
6937
|
+
],
|
6938
|
+
"regex": "^masscan/"
|
6939
|
+
},
|
6940
|
+
"operator": "match_regex"
|
6941
|
+
}
|
6942
|
+
],
|
6943
|
+
"transformers": []
|
6944
|
+
},
|
6945
|
+
{
|
6946
|
+
"id": "ua0-600-61x",
|
6947
|
+
"name": "WPScan",
|
6948
|
+
"tags": {
|
6949
|
+
"type": "security_scanner",
|
6950
|
+
"category": "attack_attempt",
|
6951
|
+
"tool_name": "WPScan",
|
6952
|
+
"confidence": "1"
|
6953
|
+
},
|
6954
|
+
"conditions": [
|
6955
|
+
{
|
6956
|
+
"parameters": {
|
6957
|
+
"inputs": [
|
6958
|
+
{
|
6959
|
+
"address": "server.request.headers.no_cookies",
|
6960
|
+
"key_path": [
|
6961
|
+
"user-agent"
|
6962
|
+
]
|
6963
|
+
}
|
6964
|
+
],
|
6965
|
+
"regex": "^wpscan\\b"
|
6966
|
+
},
|
6967
|
+
"operator": "match_regex"
|
6968
|
+
}
|
6969
|
+
],
|
6970
|
+
"transformers": []
|
6971
|
+
},
|
6972
|
+
{
|
6973
|
+
"id": "ua0-600-62x",
|
6974
|
+
"name": "Aon pentesting services",
|
6975
|
+
"tags": {
|
6976
|
+
"type": "commercial_scanner",
|
6977
|
+
"category": "attack_attempt",
|
6978
|
+
"tool_name": "Aon",
|
6979
|
+
"confidence": "0"
|
6980
|
+
},
|
6981
|
+
"conditions": [
|
6982
|
+
{
|
6983
|
+
"parameters": {
|
6984
|
+
"inputs": [
|
6985
|
+
{
|
6986
|
+
"address": "server.request.headers.no_cookies",
|
6987
|
+
"key_path": [
|
6988
|
+
"user-agent"
|
6989
|
+
]
|
6990
|
+
}
|
6991
|
+
],
|
6992
|
+
"regex": "^Aon/"
|
6993
|
+
},
|
6994
|
+
"operator": "match_regex"
|
6995
|
+
}
|
6996
|
+
],
|
6997
|
+
"transformers": []
|
6998
|
+
},
|
6645
6999
|
{
|
6646
7000
|
"id": "ua0-600-6xx",
|
6647
|
-
"name": "
|
7001
|
+
"name": "Stealthy scanner",
|
6648
7002
|
"tags": {
|
6649
7003
|
"type": "security_scanner",
|
6650
7004
|
"category": "attack_attempt",
|
@@ -6674,6 +7028,7 @@
|
|
6674
7028
|
"tags": {
|
6675
7029
|
"type": "security_scanner",
|
6676
7030
|
"category": "attack_attempt",
|
7031
|
+
"tool_name": "SQLmap",
|
6677
7032
|
"confidence": "1"
|
6678
7033
|
},
|
6679
7034
|
"conditions": [
|
@@ -6700,6 +7055,7 @@
|
|
6700
7055
|
"tags": {
|
6701
7056
|
"type": "security_scanner",
|
6702
7057
|
"category": "attack_attempt",
|
7058
|
+
"tool_name": "Skipfish",
|
6703
7059
|
"confidence": "1"
|
6704
7060
|
},
|
6705
7061
|
"conditions": [
|