ddtrace 1.5.0 → 1.5.1

@@ -1,9 +1,34 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.3.1"
4
+ "rules_version": "1.4.1"
5
5
  },
6
6
  "rules": [
7
+ {
8
+ "id": "blk-001-001",
9
+ "name": "Block IP Addresses",
10
+ "tags": {
11
+ "type": "block_ip",
12
+ "category": "security_response"
13
+ },
14
+ "conditions": [
15
+ {
16
+ "parameters": {
17
+ "inputs": [
18
+ {
19
+ "address": "http.client_ip"
20
+ }
21
+ ],
22
+ "data": "blocked_ips"
23
+ },
24
+ "operator": "ip_match"
25
+ }
26
+ ],
27
+ "transformers": [],
28
+ "on_match": [
29
+ "block"
30
+ ]
31
+ },
7
32
  {
8
33
  "id": "crs-913-110",
9
34
  "name": "Acunetix",
@@ -224,7 +249,7 @@
224
249
  "address": "server.request.headers.no_cookies"
225
250
  }
226
251
  ],
227
- "regex": "(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))",
252
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
228
253
  "options": {
229
254
  "min_length": 4
230
255
  }
@@ -255,7 +280,7 @@
255
280
  "address": "server.request.headers.no_cookies"
256
281
  }
257
282
  ],
258
- "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))",
283
+ "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
259
284
  "options": {
260
285
  "case_sensitive": true,
261
286
  "min_length": 3
@@ -299,6 +324,8 @@
299
324
  "/.htpasswd",
300
325
  "/.addressbook",
301
326
  "/.aptitude/config",
327
+ ".aws/config",
328
+ ".aws/credentials",
302
329
  "/.bash_config",
303
330
  "/.bash_history",
304
331
  "/.bash_logout",
@@ -330,6 +357,7 @@
330
357
  "/.nano_history",
331
358
  "/.node_repl_history",
332
359
  "/.pearrc",
360
+ "/.pgpass",
333
361
  "/.php_history",
334
362
  "/.pinerc",
335
363
  ".pki/",
@@ -350,6 +378,8 @@
350
378
  ".ssh/id_rsa.pub",
351
379
  ".ssh/identity",
352
380
  ".ssh/identity.pub",
381
+ ".ssh/id_ecdsa",
382
+ ".ssh/id_ecdsa.pub",
353
383
  ".ssh/known_hosts",
354
384
  ".subversion/auth",
355
385
  ".subversion/config",
@@ -366,6 +396,225 @@
366
396
  "/.zshrc",
367
397
  "/.zsh_history",
368
398
  "/.nsconfig",
399
+ "data/elasticsearch",
400
+ "data/kafka",
401
+ "etc/ansible",
402
+ "etc/bind",
403
+ "etc/centos-release",
404
+ "etc/centos-release-upstream",
405
+ "etc/clam.d",
406
+ "etc/elasticsearch",
407
+ "etc/freshclam.conf",
408
+ "etc/gshadow",
409
+ "etc/gshadow-",
410
+ "etc/httpd",
411
+ "etc/kafka",
412
+ "etc/kibana",
413
+ "etc/logstash",
414
+ "etc/lvm",
415
+ "etc/mongod.conf",
416
+ "etc/my.cnf",
417
+ "etc/nuxeo.conf",
418
+ "etc/pki",
419
+ "etc/postfix",
420
+ "etc/scw-release",
421
+ "etc/subgid",
422
+ "etc/subgid-",
423
+ "etc/sudoers.d",
424
+ "etc/sysconfig",
425
+ "etc/system-release-cpe",
426
+ "opt/nuxeo",
427
+ "opt/tomcat",
428
+ "tmp/kafka-logs",
429
+ "usr/lib/rpm/rpm.log",
430
+ "var/data/elasticsearch",
431
+ "var/lib/elasticsearch",
432
+ "etc/.java",
433
+ "etc/acpi",
434
+ "etc/alsa",
435
+ "etc/alternatives",
436
+ "etc/apache2",
437
+ "etc/apm",
438
+ "etc/apparmor",
439
+ "etc/apparmor.d",
440
+ "etc/apport",
441
+ "etc/apt",
442
+ "etc/asciidoc",
443
+ "etc/avahi",
444
+ "etc/bash_completion.d",
445
+ "etc/binfmt.d",
446
+ "etc/bluetooth",
447
+ "etc/bonobo-activation",
448
+ "etc/brltty",
449
+ "etc/ca-certificates",
450
+ "etc/calendar",
451
+ "etc/chatscripts",
452
+ "etc/chromium-browser",
453
+ "etc/clamav",
454
+ "etc/cni",
455
+ "etc/console-setup",
456
+ "etc/coraza-waf",
457
+ "etc/cracklib",
458
+ "etc/cron.d",
459
+ "etc/cron.daily",
460
+ "etc/cron.hourly",
461
+ "etc/cron.monthly",
462
+ "etc/cron.weekly",
463
+ "etc/cups",
464
+ "etc/cups.save",
465
+ "etc/cupshelpers",
466
+ "etc/dbus-1",
467
+ "etc/dconf",
468
+ "etc/default",
469
+ "etc/depmod.d",
470
+ "etc/dhcp",
471
+ "etc/dictionaries-common",
472
+ "etc/dkms",
473
+ "etc/dnsmasq.d",
474
+ "etc/dockeretc/dpkg",
475
+ "etc/emacs",
476
+ "etc/environment.d",
477
+ "etc/fail2ban",
478
+ "etc/firebird",
479
+ "etc/firefox",
480
+ "etc/fonts",
481
+ "etc/fwupd",
482
+ "etc/gconf",
483
+ "etc/gdb",
484
+ "etc/gdm3",
485
+ "etc/geoclue",
486
+ "etc/ghostscript",
487
+ "etc/gimp",
488
+ "etc/glvnd",
489
+ "etc/gnome",
490
+ "etc/gnome-vfs-2.0",
491
+ "etc/gnucash",
492
+ "etc/gnustep",
493
+ "etc/groff",
494
+ "etc/grub.d",
495
+ "etc/gss",
496
+ "etc/gtk-2.0",
497
+ "etc/gtk-3.0",
498
+ "etc/hp",
499
+ "etc/ifplugd",
500
+ "etc/imagemagick-6",
501
+ "etc/init",
502
+ "etc/init.d",
503
+ "etc/initramfs-tools",
504
+ "etc/insserv.conf.d",
505
+ "etc/iproute2",
506
+ "etc/iptables",
507
+ "etc/java",
508
+ "etc/java-11-openjdk",
509
+ "etc/java-17-oracle",
510
+ "etc/java-8-openjdk",
511
+ "etc/kernel",
512
+ "etc/ld.so.conf.d",
513
+ "etc/ldap",
514
+ "etc/libblockdev",
515
+ "etc/libibverbs.d",
516
+ "etc/libnl-3",
517
+ "etc/libpaper.d",
518
+ "etc/libreoffice",
519
+ "etc/lighttpd",
520
+ "etc/logcheck",
521
+ "etc/logrotate.d",
522
+ "etc/lynx",
523
+ "etc/mail",
524
+ "etc/mc",
525
+ "etc/menu",
526
+ "etc/menu-methods",
527
+ "etc/modprobe.d",
528
+ "etc/modsecurity",
529
+ "etc/modules-load.d",
530
+ "etc/monit",
531
+ "etc/mono",
532
+ "etc/mplayer",
533
+ "etc/mpv",
534
+ "etc/muttrc.d",
535
+ "etc/mysql",
536
+ "etc/netplan",
537
+ "etc/network",
538
+ "etc/networkd-dispatcher",
539
+ "etc/networkmanager",
540
+ "etc/newt",
541
+ "etc/nghttpx",
542
+ "etc/nikto",
543
+ "etc/odbcdatasources",
544
+ "etc/openal",
545
+ "etc/openmpi",
546
+ "etc/opt",
547
+ "etc/osync",
548
+ "etc/packagekit",
549
+ "etc/pam.d",
550
+ "etc/pcmcia",
551
+ "etc/perl",
552
+ "etc/php",
553
+ "etc/pki",
554
+ "etc/pm",
555
+ "etc/polkit-1",
556
+ "etc/postfix",
557
+ "etc/ppp",
558
+ "etc/profile.d",
559
+ "etc/proftpd",
560
+ "etc/pulse",
561
+ "etc/python",
562
+ "etc/rc0.d",
563
+ "etc/rc1.d",
564
+ "etc/rc2.d",
565
+ "etc/rc3.d",
566
+ "etc/rc4.d",
567
+ "etc/rc5.d",
568
+ "etc/rc6.d",
569
+ "etc/rcs.d",
570
+ "etc/resolvconf",
571
+ "etc/rsyslog.d",
572
+ "etc/samba",
573
+ "etc/sane.d",
574
+ "etc/security",
575
+ "etc/selinux",
576
+ "etc/sensors.d",
577
+ "etc/sgml",
578
+ "etc/signon-ui",
579
+ "etc/skel",
580
+ "etc/snmp",
581
+ "etc/sound",
582
+ "etc/spamassassin",
583
+ "etc/speech-dispatcher",
584
+ "etc/ssh",
585
+ "etc/ssl",
586
+ "etc/sudoers.d",
587
+ "etc/sysctl.d",
588
+ "etc/sysstat",
589
+ "etc/systemd",
590
+ "etc/terminfo",
591
+ "etc/texmf",
592
+ "etc/thermald",
593
+ "etc/thnuclnt",
594
+ "etc/thunderbird",
595
+ "etc/timidity",
596
+ "etc/tmpfiles.d",
597
+ "etc/ubuntu-advantage",
598
+ "etc/udev",
599
+ "etc/udisks2",
600
+ "etc/ufw",
601
+ "etc/update-manager",
602
+ "etc/update-motd.d",
603
+ "etc/update-notifier",
604
+ "etc/upower",
605
+ "etc/urlview",
606
+ "etc/usb_modeswitch.d",
607
+ "etc/vim",
608
+ "etc/vmware",
609
+ "etc/vmware-installer",
610
+ "etc/vmware-vix",
611
+ "etc/vulkan",
612
+ "etc/w3m",
613
+ "etc/wireshark",
614
+ "etc/wpa_supplicant",
615
+ "etc/x11",
616
+ "etc/xdg",
617
+ "etc/xml",
369
618
  "etc/redis.conf",
370
619
  "etc/redis-sentinel.conf",
371
620
  "etc/php.ini",
@@ -417,10 +666,8 @@
417
666
  "usr/local/cpanel/logs/license_log",
418
667
  "usr/local/cpanel/logs/login_log",
419
668
  "var/cpanel/cpanel.config",
420
- "var/log/sw-cp-server/error_log",
421
669
  "usr/local/psa/admin/logs/httpsd_access_log",
422
670
  "usr/local/psa/admin/logs/panel.log",
423
- "var/log/sso/sso.log",
424
671
  "usr/local/psa/admin/conf/php.ini",
425
672
  "etc/sw-cp-server/applications.d/plesk.conf",
426
673
  "usr/local/psa/admin/conf/site_isolation_settings.ini",
@@ -428,16 +675,6 @@
428
675
  "etc/sw-cp-server/applications.d/00-sso-cpserver.conf",
429
676
  "etc/sso/sso_config.ini",
430
677
  "etc/mysql/conf.d/old_passwords.cnf",
431
- "var/log/mysql/mysql-bin.log",
432
- "var/log/mysql/mysql-bin.index",
433
- "var/log/mysql/data/mysql-bin.index",
434
- "var/log/mysql.log",
435
- "var/log/mysql.err",
436
- "var/log/mysqlderror.log",
437
- "var/log/mysql/mysql.log",
438
- "var/log/mysql/mysql-slow.log",
439
- "var/log/mysql-bin.index",
440
- "var/log/data/mysql-bin.index",
441
678
  "var/mysql.log",
442
679
  "var/mysql-bin.index",
443
680
  "var/data/mysql-bin.index",
@@ -474,21 +711,6 @@
474
711
  "mysql/my.cnf",
475
712
  "mysql/bin/my.ini",
476
713
  "var/postgresql/log/postgresql.log",
477
- "var/log/postgresql/postgresql.log",
478
- "var/log/postgres/pg_backup.log",
479
- "var/log/postgres/postgres.log",
480
- "var/log/postgresql.log",
481
- "var/log/pgsql/pgsql.log",
482
- "var/log/postgresql/postgresql-8.1-main.log",
483
- "var/log/postgresql/postgresql-8.3-main.log",
484
- "var/log/postgresql/postgresql-8.4-main.log",
485
- "var/log/postgresql/postgresql-9.0-main.log",
486
- "var/log/postgresql/postgresql-9.1-main.log",
487
- "var/log/pgsql8.log",
488
- "var/log/postgresql/postgres.log",
489
- "var/log/pgsql_log",
490
- "var/log/postgresql/main.log",
491
- "var/log/cron/var/log/postgres.log",
492
714
  "usr/internet/pgsql/data/postmaster.log",
493
715
  "usr/local/pgsql/data/postgresql.log",
494
716
  "usr/local/pgsql/data/pg_log",
@@ -572,29 +794,21 @@
572
794
  "windows/system32/logfiles/msftpsvc2",
573
795
  "etc/logrotate.d/proftpd",
574
796
  "www/logs/proftpd.system.log",
575
- "var/log/proftpd",
576
- "var/log/proftpd/xferlog.legacy",
577
- "var/log/proftpd.access_log",
578
- "var/log/proftpd.xferlog",
579
797
  "etc/pam.d/proftpd",
580
798
  "etc/proftp.conf",
581
799
  "etc/protpd/proftpd.conf",
582
800
  "etc/vhcs2/proftpd/proftpd.conf",
583
801
  "etc/proftpd/modules.conf",
584
- "var/log/vsftpd.log",
585
802
  "etc/vsftpd.chroot_list",
586
803
  "etc/logrotate.d/vsftpd.log",
587
804
  "etc/vsftpd/vsftpd.conf",
588
805
  "etc/vsftpd.conf",
589
806
  "etc/chrootusers",
590
- "var/log/xferlog",
591
807
  "var/adm/log/xferlog",
592
808
  "etc/wu-ftpd/ftpaccess",
593
809
  "etc/wu-ftpd/ftphosts",
594
810
  "etc/wu-ftpd/ftpusers",
595
- "var/log/pure-ftpd/pure-ftpd.log",
596
811
  "logs/pure-ftpd.log",
597
- "var/log/pureftpd.log",
598
812
  "usr/sbin/pure-config.pl",
599
813
  "usr/etc/pure-ftpd.conf",
600
814
  "etc/pure-ftpd/pure-ftpd.conf",
@@ -620,30 +834,18 @@
620
834
  "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
621
835
  "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
622
836
  "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
623
- "var/log/muddleftpd",
624
837
  "usr/sbin/mudlogd",
625
838
  "etc/muddleftpd/mudlog",
626
839
  "etc/muddleftpd.com",
627
840
  "etc/muddleftpd/mudlogd.conf",
628
841
  "etc/muddleftpd/muddleftpd.conf",
629
- "var/log/muddleftpd.conf",
630
842
  "usr/sbin/mudpasswd",
631
843
  "etc/muddleftpd/muddleftpd.passwd",
632
844
  "etc/muddleftpd/passwd",
633
- "var/log/ftp-proxy/ftp-proxy.log",
634
- "var/log/ftp-proxy",
635
- "var/log/ftplog",
636
845
  "etc/logrotate.d/ftp",
637
846
  "etc/ftpchroot",
638
847
  "etc/ftphosts",
639
848
  "etc/ftpusers",
640
- "var/log/exim_mainlog",
641
- "var/log/exim/mainlog",
642
- "var/log/maillog",
643
- "var/log/exim_paniclog",
644
- "var/log/exim/paniclog",
645
- "var/log/exim/rejectlog",
646
- "var/log/exim_rejectlog",
647
849
  "winnt/system32/logfiles/smtpsvc",
648
850
  "winnt/system32/logfiles/smtpsvc1",
649
851
  "winnt/system32/logfiles/smtpsvc2",
@@ -716,7 +918,6 @@
716
918
  "library/webserver/documents/default.htm",
717
919
  "library/webserver/documents/index.php",
718
920
  "library/webserver/documents/default.php",
719
- "var/log/webmin/miniserv.log",
720
921
  "usr/local/etc/webmin/miniserv.conf",
721
922
  "etc/webmin/miniserv.conf",
722
923
  "usr/local/etc/webmin/miniserv.users",
@@ -729,8 +930,6 @@
729
930
  "windows/system32/logfiles/w3svc1/inetsvn1.log",
730
931
  "windows/system32/logfiles/w3svc2/inetsvn1.log",
731
932
  "windows/system32/logfiles/w3svc3/inetsvn1.log",
732
- "var/log/httpd/access_log",
733
- "var/log/httpd/error_log",
734
933
  "apache/logs/error.log",
735
934
  "apache/logs/access.log",
736
935
  "apache2/logs/error.log",
@@ -753,20 +952,6 @@
753
952
  "var/www/logs/access.log",
754
953
  "var/www/logs/error_log",
755
954
  "var/www/logs/error.log",
756
- "var/log/httpd/access.log",
757
- "var/log/httpd/error.log",
758
- "var/log/apache/access_log",
759
- "var/log/apache/access.log",
760
- "var/log/apache/error_log",
761
- "var/log/apache/error.log",
762
- "var/log/apache2/access_log",
763
- "var/log/apache2/access.log",
764
- "var/log/apache2/error_log",
765
- "var/log/apache2/error.log",
766
- "var/log/access_log",
767
- "var/log/access.log",
768
- "var/log/error_log",
769
- "var/log/error.log",
770
955
  "opt/lampp/logs/access_log",
771
956
  "opt/lampp/logs/error_log",
772
957
  "opt/xampp/logs/access_log",
@@ -905,7 +1090,6 @@
905
1090
  "usr/share/tomcat6/conf/context.xml",
906
1091
  "usr/share/tomcat6/conf/workers.properties",
907
1092
  "usr/share/tomcat6/conf/logging.properties",
908
- "var/log/tomcat6/catalina.out",
909
1093
  "var/cpanel/tomcat.options",
910
1094
  "usr/local/jakarta/tomcat/logs/catalina.out",
911
1095
  "usr/local/jakarta/tomcat/logs/catalina.err",
@@ -986,23 +1170,14 @@
986
1170
  "program files/[jboss]/server/default/log/boot.log",
987
1171
  "[jboss]/server/default/log/server.log",
988
1172
  "[jboss]/server/default/log/boot.log",
989
- "var/log/lighttpd.error.log",
990
- "var/log/lighttpd.access.log",
991
1173
  "var/lighttpd.log",
992
1174
  "var/logs/access.log",
993
- "var/log/lighttpd/",
994
- "var/log/lighttpd/error.log",
995
- "var/log/lighttpd/access.www.log",
996
- "var/log/lighttpd/error.www.log",
997
- "var/log/lighttpd/access.log",
998
1175
  "usr/local/apache2/logs/lighttpd.error.log",
999
1176
  "usr/local/apache2/logs/lighttpd.log",
1000
1177
  "usr/local/apache/logs/lighttpd.error.log",
1001
1178
  "usr/local/apache/logs/lighttpd.log",
1002
1179
  "usr/local/lighttpd/log/lighttpd.error.log",
1003
1180
  "usr/local/lighttpd/log/access.log",
1004
- "var/log/lighttpd/{domain}/access.log",
1005
- "var/log/lighttpd/{domain}/error.log",
1006
1181
  "usr/home/user/var/log/lighttpd.error.log",
1007
1182
  "usr/home/user/var/log/apache.log",
1008
1183
  "home/user/lighttpd/lighttpd.conf",
@@ -1012,12 +1187,6 @@
1012
1187
  "usr/local/lighttpd/conf/lighttpd.conf",
1013
1188
  "usr/local/etc/lighttpd.conf.new",
1014
1189
  "var/www/.lighttpdpassword",
1015
- "var/log/nginx/access_log",
1016
- "var/log/nginx/error_log",
1017
- "var/log/nginx/access.log",
1018
- "var/log/nginx/error.log",
1019
- "var/log/nginx.access_log",
1020
- "var/log/nginx.error_log",
1021
1190
  "logs/access_log",
1022
1191
  "logs/error_log",
1023
1192
  "etc/nginx/nginx.conf",
@@ -1033,12 +1202,6 @@
1033
1202
  "usr/local/logs/access.log",
1034
1203
  "usr/local/samba/lib/log.user",
1035
1204
  "usr/local/logs/samba.log",
1036
- "var/log/samba/log.smbd",
1037
- "var/log/samba/log.nmbd",
1038
- "var/log/samba.log",
1039
- "var/log/samba.log1",
1040
- "var/log/samba.log2",
1041
- "var/log/log.smb",
1042
1205
  "etc/samba/netlogon",
1043
1206
  "etc/smbpasswd",
1044
1207
  "etc/smb.conf",
@@ -1067,10 +1230,6 @@
1067
1230
  "etc/wicd/manager-settings.conf",
1068
1231
  "etc/wicd/wired-settings.conf",
1069
1232
  "etc/wicd/wireless-settings.conf",
1070
- "var/log/ipfw.log",
1071
- "var/log/ipfw",
1072
- "var/log/ipfw/ipfw.log",
1073
- "var/log/ipfw.today",
1074
1233
  "etc/ipfw.rules",
1075
1234
  "etc/ipfw.conf",
1076
1235
  "etc/firewall.rules",
@@ -1089,33 +1248,6 @@
1089
1248
  "etc/bluetooth/main.conf",
1090
1249
  "etc/bluetooth/network.conf",
1091
1250
  "etc/bluetooth/rfcomm.conf",
1092
- "proc/self/environ",
1093
- "proc/self/mounts",
1094
- "proc/self/stat",
1095
- "proc/self/status",
1096
- "proc/self/cmdline",
1097
- "proc/self/fd/0",
1098
- "proc/self/fd/1",
1099
- "proc/self/fd/2",
1100
- "proc/self/fd/3",
1101
- "proc/self/fd/4",
1102
- "proc/self/fd/5",
1103
- "proc/self/fd/6",
1104
- "proc/self/fd/7",
1105
- "proc/self/fd/8",
1106
- "proc/self/fd/9",
1107
- "proc/self/fd/10",
1108
- "proc/self/fd/11",
1109
- "proc/self/fd/12",
1110
- "proc/self/fd/13",
1111
- "proc/self/fd/14",
1112
- "proc/self/fd/15",
1113
- "proc/version",
1114
- "proc/devices",
1115
- "proc/cpuinfo",
1116
- "proc/meminfo",
1117
- "proc/net/tcp",
1118
- "proc/net/udp",
1119
1251
  "etc/bash_completion.d/debconf",
1120
1252
  "root/.bash_logout",
1121
1253
  "root/.bash_history",
@@ -1153,39 +1285,12 @@
1153
1285
  "var/adm/aculog",
1154
1286
  "var/adm/vold.log",
1155
1287
  "var/adm/log/asppp.log",
1156
- "var/log/poplog",
1157
- "var/log/authlog",
1158
1288
  "var/lp/logs/lpsched",
1159
1289
  "var/lp/logs/lpnet",
1160
1290
  "var/lp/logs/requests",
1161
1291
  "var/cron/log",
1162
1292
  "var/saf/_log",
1163
1293
  "var/saf/port/log",
1164
- "var/log/news.all",
1165
- "var/log/news/news.all",
1166
- "var/log/news/news.crit",
1167
- "var/log/news/news.err",
1168
- "var/log/news/news.notice",
1169
- "var/log/news/suck.err",
1170
- "var/log/news/suck.notice",
1171
- "var/log/messages",
1172
- "var/log/messages.1",
1173
- "var/log/user.log",
1174
- "var/log/user.log.1",
1175
- "var/log/auth.log",
1176
- "var/log/pm-powersave.log",
1177
- "var/log/xorg.0.log",
1178
- "var/log/daemon.log",
1179
- "var/log/daemon.log.1",
1180
- "var/log/kern.log",
1181
- "var/log/kern.log.1",
1182
- "var/log/mail.err",
1183
- "var/log/mail.info",
1184
- "var/log/mail.warn",
1185
- "var/log/ufw.log",
1186
- "var/log/boot.log",
1187
- "var/log/syslog",
1188
- "var/log/syslog.1",
1189
1294
  "tmp/access.log",
1190
1295
  "etc/sensors.conf",
1191
1296
  "etc/sensors3.conf",
@@ -1271,6 +1376,8 @@
1271
1376
  "etc/sudoers",
1272
1377
  "etc/sysconfig/network-scripts/ifcfg-eth0",
1273
1378
  "etc/redhat-release",
1379
+ "etc/scw-release",
1380
+ "etc/system-release-cpe",
1274
1381
  "etc/debian_version",
1275
1382
  "etc/fedora-release",
1276
1383
  "etc/mandrake-release",
@@ -1287,11 +1394,7 @@
1287
1394
  "root/.ksh_history",
1288
1395
  "root/.xauthority",
1289
1396
  "usr/lib/security/mkuser.default",
1290
- "var/log/squirrelmail.log",
1291
- "var/log/apache2/squirrelmail.log",
1292
- "var/log/apache2/squirrelmail.err.log",
1293
1397
  "var/lib/squirrelmail/prefs/squirrelmail.log",
1294
- "var/log/mail.log",
1295
1398
  "etc/squirrelmail/apache.conf",
1296
1399
  "etc/squirrelmail/config_local.php",
1297
1400
  "etc/squirrelmail/default_pref",
@@ -1345,6 +1448,134 @@
1345
1448
  "etc/vmware-tools/config",
1346
1449
  "etc/vmware-tools/tpvmlp.conf",
1347
1450
  "etc/vmware-tools/vmware-tools-libraries.conf",
1451
+ "var/log",
1452
+ "var/log/sw-cp-server/error_log",
1453
+ "var/log/sso/sso.log",
1454
+ "var/log/dpkg.log",
1455
+ "var/log/btmp",
1456
+ "var/log/utmp",
1457
+ "var/log/wtmp",
1458
+ "var/log/mysql/mysql-bin.log",
1459
+ "var/log/mysql/mysql-bin.index",
1460
+ "var/log/mysql/data/mysql-bin.index",
1461
+ "var/log/mysql.log",
1462
+ "var/log/mysql.err",
1463
+ "var/log/mysqlderror.log",
1464
+ "var/log/mysql/mysql.log",
1465
+ "var/log/mysql/mysql-slow.log",
1466
+ "var/log/mysql-bin.index",
1467
+ "var/log/data/mysql-bin.index",
1468
+ "var/log/postgresql/postgresql.log",
1469
+ "var/log/postgres/pg_backup.log",
1470
+ "var/log/postgres/postgres.log",
1471
+ "var/log/postgresql.log",
1472
+ "var/log/pgsql/pgsql.log",
1473
+ "var/log/postgresql/postgresql-8.1-main.log",
1474
+ "var/log/postgresql/postgresql-8.3-main.log",
1475
+ "var/log/postgresql/postgresql-8.4-main.log",
1476
+ "var/log/postgresql/postgresql-9.0-main.log",
1477
+ "var/log/postgresql/postgresql-9.1-main.log",
1478
+ "var/log/pgsql8.log",
1479
+ "var/log/postgresql/postgres.log",
1480
+ "var/log/pgsql_log",
1481
+ "var/log/postgresql/main.log",
1482
+ "var/log/cron",
1483
+ "var/log/postgres.log",
1484
+ "var/log/proftpd",
1485
+ "var/log/proftpd/xferlog.legacy",
1486
+ "var/log/proftpd.access_log",
1487
+ "var/log/proftpd.xferlog",
1488
+ "var/log/vsftpd.log",
1489
+ "var/log/xferlog",
1490
+ "var/log/pure-ftpd/pure-ftpd.log",
1491
+ "var/log/pureftpd.log",
1492
+ "var/log/muddleftpd",
1493
+ "var/log/muddleftpd.conf",
1494
+ "var/log/ftp-proxy/ftp-proxy.log",
1495
+ "var/log/ftp-proxy",
1496
+ "var/log/ftplog",
1497
+ "var/log/exim_mainlog",
1498
+ "var/log/exim/mainlog",
1499
+ "var/log/maillog",
1500
+ "var/log/exim_paniclog",
1501
+ "var/log/exim/paniclog",
1502
+ "var/log/exim/rejectlog",
1503
+ "var/log/exim_rejectlog",
1504
+ "var/log/webmin/miniserv.log",
1505
+ "var/log/httpd/access_log",
1506
+ "var/log/httpd/error_log",
1507
+ "var/log/httpd/access.log",
1508
+ "var/log/httpd/error.log",
1509
+ "var/log/apache/access_log",
1510
+ "var/log/apache/access.log",
1511
+ "var/log/apache/error_log",
1512
+ "var/log/apache/error.log",
1513
+ "var/log/apache2/access_log",
1514
+ "var/log/apache2/access.log",
1515
+ "var/log/apache2/error_log",
1516
+ "var/log/apache2/error.log",
1517
+ "var/log/access_log",
1518
+ "var/log/access.log",
1519
+ "var/log/error_log",
1520
+ "var/log/error.log",
1521
+ "var/log/tomcat6/catalina.out",
1522
+ "var/log/lighttpd.error.log",
1523
+ "var/log/lighttpd.access.log",
1524
+ "var/logs/access.log",
1525
+ "var/log/lighttpd/",
1526
+ "var/log/lighttpd/error.log",
1527
+ "var/log/lighttpd/access.www.log",
1528
+ "var/log/lighttpd/error.www.log",
1529
+ "var/log/lighttpd/access.log",
1530
+ "var/log/lighttpd/{domain}/access.log",
1531
+ "var/log/lighttpd/{domain}/error.log",
1532
+ "var/log/nginx/access_log",
1533
+ "var/log/nginx/error_log",
1534
+ "var/log/nginx/access.log",
1535
+ "var/log/nginx/error.log",
1536
+ "var/log/nginx.access_log",
1537
+ "var/log/nginx.error_log",
1538
+ "var/log/samba/log.smbd",
1539
+ "var/log/samba/log.nmbd",
1540
+ "var/log/samba.log",
1541
+ "var/log/samba.log1",
1542
+ "var/log/samba.log2",
1543
+ "var/log/log.smb",
1544
+ "var/log/ipfw.log",
1545
+ "var/log/ipfw",
1546
+ "var/log/ipfw/ipfw.log",
1547
+ "var/log/ipfw.today",
1548
+ "var/log/poplog",
1549
+ "var/log/authlog",
1550
+ "var/log/news.all",
1551
+ "var/log/news/news.all",
1552
+ "var/log/news/news.crit",
1553
+ "var/log/news/news.err",
1554
+ "var/log/news/news.notice",
1555
+ "var/log/news/suck.err",
1556
+ "var/log/news/suck.notice",
1557
+ "var/log/messages",
1558
+ "var/log/messages.1",
1559
+ "var/log/user.log",
1560
+ "var/log/user.log.1",
1561
+ "var/log/auth.log",
1562
+ "var/log/pm-powersave.log",
1563
+ "var/log/xorg.0.log",
1564
+ "var/log/daemon.log",
1565
+ "var/log/daemon.log.1",
1566
+ "var/log/kern.log",
1567
+ "var/log/kern.log.1",
1568
+ "var/log/mail.err",
1569
+ "var/log/mail.info",
1570
+ "var/log/mail.warn",
1571
+ "var/log/ufw.log",
1572
+ "var/log/boot.log",
1573
+ "var/log/syslog",
1574
+ "var/log/syslog.1",
1575
+ "var/log/squirrelmail.log",
1576
+ "var/log/apache2/squirrelmail.log",
1577
+ "var/log/apache2/squirrelmail.err.log",
1578
+ "var/log/mail.log",
1348
1579
  "var/log/vmware/hostd.log",
1349
1580
  "var/log/vmware/hostd-1.log",
1350
1581
  "/wp-config.php",
@@ -1369,8 +1600,8 @@
1369
1600
  "/web.config",
1370
1601
  "includes/config.php",
1371
1602
  "includes/configure.php",
1372
- "config.inc.php",
1373
- "localsettings.php",
1603
+ "/config.inc.php",
1604
+ "/localsettings.php",
1374
1605
  "inc/config.php",
1375
1606
  "typo3conf/localconf.php",
1376
1607
  "config/app.php",
@@ -1397,7 +1628,122 @@
1397
1628
  "/ormconfig.json",
1398
1629
  "/tsconfig.json",
1399
1630
  "/webpack.config.js",
1400
- "/yarn.lock"
1631
+ "/yarn.lock",
1632
+ "proc/0",
1633
+ "proc/1",
1634
+ "proc/2",
1635
+ "proc/3",
1636
+ "proc/4",
1637
+ "proc/5",
1638
+ "proc/6",
1639
+ "proc/7",
1640
+ "proc/8",
1641
+ "proc/9",
1642
+ "proc/acpi",
1643
+ "proc/asound",
1644
+ "proc/bootconfig",
1645
+ "proc/buddyinfo",
1646
+ "proc/bus",
1647
+ "proc/cgroups",
1648
+ "proc/cmdline",
1649
+ "proc/config.gz",
1650
+ "proc/consoles",
1651
+ "proc/cpuinfo",
1652
+ "proc/crypto",
1653
+ "proc/devices",
1654
+ "proc/diskstats",
1655
+ "proc/dma",
1656
+ "proc/docker",
1657
+ "proc/driver",
1658
+ "proc/dynamic_debug",
1659
+ "proc/execdomains",
1660
+ "proc/fb",
1661
+ "proc/filesystems",
1662
+ "proc/fs",
1663
+ "proc/interrupts",
1664
+ "proc/iomem",
1665
+ "proc/ioports",
1666
+ "proc/ipmi",
1667
+ "proc/irq",
1668
+ "proc/kallsyms",
1669
+ "proc/kcore",
1670
+ "proc/keys",
1671
+ "proc/keys",
1672
+ "proc/key-users",
1673
+ "proc/kmsg",
1674
+ "proc/kpagecgroup",
1675
+ "proc/kpagecount",
1676
+ "proc/kpageflags",
1677
+ "proc/latency_stats",
1678
+ "proc/loadavg",
1679
+ "proc/locks",
1680
+ "proc/mdstat",
1681
+ "proc/meminfo",
1682
+ "proc/misc",
1683
+ "proc/modules",
1684
+ "proc/mounts",
1685
+ "proc/mpt",
1686
+ "proc/mtd",
1687
+ "proc/mtrr",
1688
+ "proc/net",
1689
+ "proc/net/tcp",
1690
+ "proc/net/udp",
1691
+ "proc/pagetypeinfo",
1692
+ "proc/partitions",
1693
+ "proc/pressure",
1694
+ "proc/sched_debug",
1695
+ "proc/schedstat",
1696
+ "proc/scsi",
1697
+ "proc/self",
1698
+ "proc/self/cmdline",
1699
+ "proc/self/environ",
1700
+ "proc/self/fd/0",
1701
+ "proc/self/fd/1",
1702
+ "proc/self/fd/10",
1703
+ "proc/self/fd/11",
1704
+ "proc/self/fd/12",
1705
+ "proc/self/fd/13",
1706
+ "proc/self/fd/14",
1707
+ "proc/self/fd/15",
1708
+ "proc/self/fd/2",
1709
+ "proc/self/fd/3",
1710
+ "proc/self/fd/4",
1711
+ "proc/self/fd/5",
1712
+ "proc/self/fd/6",
1713
+ "proc/self/fd/7",
1714
+ "proc/self/fd/8",
1715
+ "proc/self/fd/9",
1716
+ "proc/self/mounts",
1717
+ "proc/self/stat",
1718
+ "proc/self/status",
1719
+ "proc/slabinfo",
1720
+ "proc/softirqs",
1721
+ "proc/stat",
1722
+ "proc/swaps",
1723
+ "proc/sys",
1724
+ "proc/sysrq-trigger",
1725
+ "proc/sysvipc",
1726
+ "proc/thread-self",
1727
+ "proc/timer_list",
1728
+ "proc/timer_stats",
1729
+ "proc/tty",
1730
+ "proc/uptime",
1731
+ "proc/version",
1732
+ "proc/version_signature",
1733
+ "proc/vmallocinfo",
1734
+ "proc/vmstat",
1735
+ "proc/zoneinfo",
1736
+ "sys/block",
1737
+ "sys/bus",
1738
+ "sys/class",
1739
+ "sys/dev",
1740
+ "sys/devices",
1741
+ "sys/firmware",
1742
+ "sys/fs",
1743
+ "sys/hypervisor",
1744
+ "sys/kernel",
1745
+ "sys/module",
1746
+ "sys/power"
1401
1747
  ]
1402
1748
  },
1403
1749
  "operator": "phrase_match"
@@ -1511,103 +1857,456 @@
1511
1857
  "$ostype",
1512
1858
  "$path",
1513
1859
  "$pwd",
1860
+ "dev/fd/",
1861
+ "dev/null",
1862
+ "dev/stderr",
1863
+ "dev/stdin",
1864
+ "dev/stdout",
1865
+ "dev/tcp/",
1866
+ "dev/udp/",
1867
+ "dev/zero",
1868
+ "etc/group",
1869
+ "etc/master.passwd",
1870
+ "etc/passwd",
1871
+ "etc/pwd.db",
1872
+ "etc/shadow",
1873
+ "etc/shells",
1874
+ "etc/spwd.db",
1875
+ "proc/self/",
1876
+ "bin/7z",
1877
+ "bin/7za",
1878
+ "bin/7zr",
1879
+ "bin/ab",
1880
+ "bin/agetty",
1881
+ "bin/ansible-playbook",
1882
+ "bin/apt",
1883
+ "bin/apt-get",
1884
+ "bin/ar",
1885
+ "bin/aria2c",
1886
+ "bin/arj",
1887
+ "bin/arp",
1888
+ "bin/as",
1889
+ "bin/ascii-xfr",
1890
+ "bin/ascii85",
1891
+ "bin/ash",
1892
+ "bin/aspell",
1893
+ "bin/at",
1894
+ "bin/atobm",
1895
+ "bin/awk",
1896
+ "bin/base32",
1897
+ "bin/base64",
1898
+ "bin/basenc",
1514
1899
  "bin/bash",
1900
+ "bin/bpftrace",
1901
+ "bin/bridge",
1902
+ "bin/bundler",
1903
+ "bin/bunzip2",
1904
+ "bin/busctl",
1905
+ "bin/busybox",
1906
+ "bin/byebug",
1907
+ "bin/bzcat",
1908
+ "bin/bzcmp",
1909
+ "bin/bzdiff",
1910
+ "bin/bzegrep",
1911
+ "bin/bzexe",
1912
+ "bin/bzfgrep",
1913
+ "bin/bzgrep",
1914
+ "bin/bzip2",
1915
+ "bin/bzip2recover",
1916
+ "bin/bzless",
1917
+ "bin/bzmore",
1918
+ "bin/bzz",
1919
+ "bin/c89",
1920
+ "bin/c99",
1921
+ "bin/cancel",
1922
+ "bin/capsh",
1515
1923
  "bin/cat",
1924
+ "bin/cc",
1925
+ "bin/certbot",
1926
+ "bin/check_by_ssh",
1927
+ "bin/check_cups",
1928
+ "bin/check_log",
1929
+ "bin/check_memory",
1930
+ "bin/check_raid",
1931
+ "bin/check_ssl_cert",
1932
+ "bin/check_statusfile",
1933
+ "bin/chmod",
1934
+ "bin/choom",
1935
+ "bin/chown",
1936
+ "bin/chroot",
1937
+ "bin/clang",
1938
+ "bin/clang++",
1939
+ "bin/cmp",
1940
+ "bin/cobc",
1941
+ "bin/column",
1942
+ "bin/comm",
1943
+ "bin/composer",
1944
+ "bin/core_perl/zipdetails",
1945
+ "bin/cowsay",
1946
+ "bin/cowthink",
1947
+ "bin/cp",
1948
+ "bin/cpan",
1949
+ "bin/cpio",
1950
+ "bin/cpulimit",
1951
+ "bin/crash",
1952
+ "bin/crontab",
1516
1953
  "bin/csh",
1954
+ "bin/csplit",
1955
+ "bin/csvtool",
1956
+ "bin/cupsfilter",
1957
+ "bin/curl",
1958
+ "bin/cut",
1517
1959
  "bin/dash",
1960
+ "bin/date",
1961
+ "bin/dd",
1962
+ "bin/dev/fd/",
1963
+ "bin/dev/null",
1964
+ "bin/dev/stderr",
1965
+ "bin/dev/stdin",
1966
+ "bin/dev/stdout",
1967
+ "bin/dev/tcp/",
1968
+ "bin/dev/udp/",
1969
+ "bin/dev/zero",
1970
+ "bin/dialog",
1971
+ "bin/diff",
1972
+ "bin/dig",
1973
+ "bin/dmesg",
1974
+ "bin/dmidecode",
1975
+ "bin/dmsetup",
1976
+ "bin/dnf",
1977
+ "bin/docker",
1978
+ "bin/dosbox",
1979
+ "bin/dpkg",
1518
1980
  "bin/du",
1981
+ "bin/dvips",
1982
+ "bin/easy_install",
1983
+ "bin/eb",
1519
1984
  "bin/echo",
1985
+ "bin/ed",
1986
+ "bin/efax",
1987
+ "bin/emacs",
1988
+ "bin/env",
1989
+ "bin/eqn",
1990
+ "bin/es",
1991
+ "bin/esh",
1992
+ "bin/etc/group",
1993
+ "bin/etc/master.passwd",
1994
+ "bin/etc/passwd",
1995
+ "bin/etc/pwd.db",
1996
+ "bin/etc/shadow",
1997
+ "bin/etc/shells",
1998
+ "bin/etc/spwd.db",
1999
+ "bin/ex",
2000
+ "bin/exiftool",
2001
+ "bin/expand",
2002
+ "bin/expect",
2003
+ "bin/expr",
2004
+ "bin/facter",
2005
+ "bin/fetch",
2006
+ "bin/file",
2007
+ "bin/find",
2008
+ "bin/finger",
2009
+ "bin/fish",
2010
+ "bin/flock",
2011
+ "bin/fmt",
2012
+ "bin/fold",
2013
+ "bin/fping",
2014
+ "bin/ftp",
2015
+ "bin/gawk",
2016
+ "bin/gcc",
2017
+ "bin/gcore",
2018
+ "bin/gdb",
2019
+ "bin/gem",
2020
+ "bin/genie",
2021
+ "bin/genisoimage",
2022
+ "bin/ghc",
2023
+ "bin/ghci",
2024
+ "bin/gimp",
2025
+ "bin/ginsh",
2026
+ "bin/git",
2027
+ "bin/grc",
1520
2028
  "bin/grep",
2029
+ "bin/gtester",
2030
+ "bin/gunzip",
2031
+ "bin/gzexe",
2032
+ "bin/gzip",
2033
+ "bin/hd",
2034
+ "bin/head",
2035
+ "bin/hexdump",
2036
+ "bin/highlight",
2037
+ "bin/hping3",
2038
+ "bin/iconv",
2039
+ "bin/id",
2040
+ "bin/iftop",
2041
+ "bin/install",
2042
+ "bin/ionice",
2043
+ "bin/ip",
2044
+ "bin/irb",
2045
+ "bin/ispell",
2046
+ "bin/jjs",
2047
+ "bin/join",
2048
+ "bin/journalctl",
2049
+ "bin/jq",
2050
+ "bin/jrunscript",
2051
+ "bin/knife",
2052
+ "bin/ksh",
2053
+ "bin/ksshell",
2054
+ "bin/latex",
2055
+ "bin/ld",
2056
+ "bin/ldconfig",
1521
2057
  "bin/less",
2058
+ "bin/lftp",
2059
+ "bin/ln",
2060
+ "bin/loginctl",
2061
+ "bin/logsave",
2062
+ "bin/look",
2063
+ "bin/lp",
1522
2064
  "bin/ls",
2065
+ "bin/ltrace",
2066
+ "bin/lua",
2067
+ "bin/lualatex",
2068
+ "bin/luatex",
2069
+ "bin/lwp-download",
2070
+ "bin/lwp-request",
2071
+ "bin/lz",
2072
+ "bin/lz4",
2073
+ "bin/lz4c",
2074
+ "bin/lz4cat",
2075
+ "bin/lzcat",
2076
+ "bin/lzcmp",
2077
+ "bin/lzdiff",
2078
+ "bin/lzegrep",
2079
+ "bin/lzfgrep",
2080
+ "bin/lzgrep",
2081
+ "bin/lzless",
2082
+ "bin/lzma",
2083
+ "bin/lzmadec",
2084
+ "bin/lzmainfo",
2085
+ "bin/lzmore",
2086
+ "bin/mail",
2087
+ "bin/make",
2088
+ "bin/man",
2089
+ "bin/mawk",
2090
+ "bin/mkfifo",
1523
2091
  "bin/mknod",
1524
2092
  "bin/more",
2093
+ "bin/mosquitto",
2094
+ "bin/mount",
2095
+ "bin/msgattrib",
2096
+ "bin/msgcat",
2097
+ "bin/msgconv",
2098
+ "bin/msgfilter",
2099
+ "bin/msgmerge",
2100
+ "bin/msguniq",
2101
+ "bin/mtr",
2102
+ "bin/mv",
2103
+ "bin/mysql",
2104
+ "bin/nano",
2105
+ "bin/nasm",
2106
+ "bin/nawk",
1525
2107
  "bin/nc",
2108
+ "bin/ncat",
2109
+ "bin/neofetch",
2110
+ "bin/nice",
2111
+ "bin/nl",
2112
+ "bin/nm",
2113
+ "bin/nmap",
2114
+ "bin/node",
2115
+ "bin/nohup",
2116
+ "bin/npm",
2117
+ "bin/nroff",
2118
+ "bin/nsenter",
2119
+ "bin/octave",
2120
+ "bin/od",
2121
+ "bin/openssl",
2122
+ "bin/openvpn",
2123
+ "bin/openvt",
2124
+ "bin/opkg",
2125
+ "bin/paste",
2126
+ "bin/pax",
2127
+ "bin/pdb",
2128
+ "bin/pdflatex",
2129
+ "bin/pdftex",
2130
+ "bin/pdksh",
2131
+ "bin/perf",
2132
+ "bin/perl",
2133
+ "bin/pg",
2134
+ "bin/php",
2135
+ "bin/php-cgi",
2136
+ "bin/php5",
2137
+ "bin/php7",
2138
+ "bin/pic",
2139
+ "bin/pico",
2140
+ "bin/pidstat",
2141
+ "bin/pigz",
2142
+ "bin/pip",
2143
+ "bin/pkexec",
2144
+ "bin/pkg",
2145
+ "bin/pr",
2146
+ "bin/printf",
2147
+ "bin/proc/self/",
2148
+ "bin/pry",
1526
2149
  "bin/ps",
2150
+ "bin/psed",
2151
+ "bin/psftp",
2152
+ "bin/psql",
2153
+ "bin/ptx",
2154
+ "bin/puppet",
2155
+ "bin/pxz",
2156
+ "bin/python",
2157
+ "bin/python2",
2158
+ "bin/python3",
2159
+ "bin/rake",
1527
2160
  "bin/rbash",
2161
+ "bin/rc",
2162
+ "bin/readelf",
2163
+ "bin/red",
2164
+ "bin/redcarpet",
2165
+ "bin/restic",
2166
+ "bin/rev",
2167
+ "bin/rlogin",
2168
+ "bin/rlwrap",
2169
+ "bin/rpm",
2170
+ "bin/rpmquery",
2171
+ "bin/rsync",
2172
+ "bin/ruby",
2173
+ "bin/run-mailcap",
2174
+ "bin/run-parts",
2175
+ "bin/rview",
2176
+ "bin/rvim",
2177
+ "bin/sash",
2178
+ "bin/sbin/capsh",
2179
+ "bin/sbin/logsave",
2180
+ "bin/sbin/service",
2181
+ "bin/sbin/start-stop-daemon",
2182
+ "bin/scp",
2183
+ "bin/screen",
2184
+ "bin/script",
2185
+ "bin/sed",
2186
+ "bin/service",
2187
+ "bin/setarch",
2188
+ "bin/sftp",
2189
+ "bin/sg",
1528
2190
  "bin/sh",
2191
+ "bin/shuf",
1529
2192
  "bin/sleep",
2193
+ "bin/slsh",
2194
+ "bin/smbclient",
2195
+ "bin/snap",
2196
+ "bin/socat",
2197
+ "bin/soelim",
2198
+ "bin/sort",
2199
+ "bin/split",
2200
+ "bin/sqlite3",
2201
+ "bin/ss",
2202
+ "bin/ssh",
2203
+ "bin/ssh-keygen",
2204
+ "bin/ssh-keyscan",
2205
+ "bin/sshpass",
2206
+ "bin/start-stop-daemon",
2207
+ "bin/stdbuf",
2208
+ "bin/strace",
2209
+ "bin/strings",
1530
2210
  "bin/su",
2211
+ "bin/sysctl",
2212
+ "bin/systemctl",
2213
+ "bin/systemd-resolve",
2214
+ "bin/tac",
2215
+ "bin/tail",
2216
+ "bin/tar",
2217
+ "bin/task",
2218
+ "bin/taskset",
2219
+ "bin/tbl",
2220
+ "bin/tclsh",
2221
+ "bin/tcpdump",
1531
2222
  "bin/tcsh",
2223
+ "bin/tee",
2224
+ "bin/telnet",
2225
+ "bin/tex",
2226
+ "bin/tftp",
2227
+ "bin/tic",
2228
+ "bin/time",
2229
+ "bin/timedatectl",
2230
+ "bin/timeout",
2231
+ "bin/tmux",
2232
+ "bin/top",
2233
+ "bin/troff",
2234
+ "bin/tshark",
2235
+ "bin/ul",
1532
2236
  "bin/uname",
1533
- "dev/fd/",
1534
- "dev/null",
1535
- "dev/stderr",
1536
- "dev/stdin",
1537
- "dev/stdout",
1538
- "dev/tcp/",
1539
- "dev/udp/",
1540
- "dev/zero",
1541
- "etc/group",
1542
- "etc/master.passwd",
1543
- "etc/passwd",
1544
- "etc/pwd.db",
1545
- "etc/shadow",
1546
- "etc/shells",
1547
- "etc/spwd.db",
1548
- "proc/self/",
1549
- "usr/bin/awk",
1550
- "usr/bin/base64",
1551
- "usr/bin/cat",
1552
- "usr/bin/cc",
1553
- "usr/bin/clang",
1554
- "usr/bin/clang++",
1555
- "usr/bin/curl",
1556
- "usr/bin/diff",
1557
- "usr/bin/env",
1558
- "usr/bin/fetch",
1559
- "usr/bin/file",
1560
- "usr/bin/find",
1561
- "usr/bin/ftp",
1562
- "usr/bin/gawk",
1563
- "usr/bin/gcc",
1564
- "usr/bin/head",
1565
- "usr/bin/hexdump",
1566
- "usr/bin/id",
1567
- "usr/bin/less",
1568
- "usr/bin/ln",
1569
- "usr/bin/mkfifo",
1570
- "usr/bin/more",
1571
- "usr/bin/nc",
1572
- "usr/bin/ncat",
1573
- "usr/bin/nice",
1574
- "usr/bin/nmap",
1575
- "usr/bin/perl",
1576
- "usr/bin/php",
1577
- "usr/bin/php5",
1578
- "usr/bin/php7",
1579
- "usr/bin/php-cgi",
1580
- "usr/bin/printf",
1581
- "usr/bin/psed",
1582
- "usr/bin/python",
1583
- "usr/bin/python2",
1584
- "usr/bin/python3",
1585
- "usr/bin/ruby",
1586
- "usr/bin/sed",
1587
- "usr/bin/socat",
1588
- "usr/bin/tail",
1589
- "usr/bin/tee",
1590
- "usr/bin/telnet",
1591
- "usr/bin/top",
1592
- "usr/bin/uname",
1593
- "usr/bin/wget",
1594
- "usr/bin/who",
1595
- "usr/bin/whoami",
1596
- "usr/bin/xargs",
1597
- "usr/bin/xxd",
1598
- "usr/bin/yes",
1599
- "usr/local/bin/bash",
1600
- "usr/local/bin/curl",
1601
- "usr/local/bin/ncat",
1602
- "usr/local/bin/nmap",
1603
- "usr/local/bin/perl",
1604
- "usr/local/bin/php",
1605
- "usr/local/bin/python",
1606
- "usr/local/bin/python2",
1607
- "usr/local/bin/python3",
1608
- "usr/local/bin/rbash",
1609
- "usr/local/bin/ruby",
1610
- "usr/local/bin/wget"
2237
+ "bin/uncompress",
2238
+ "bin/unexpand",
2239
+ "bin/uniq",
2240
+ "bin/unlz4",
2241
+ "bin/unlzma",
2242
+ "bin/unpigz",
2243
+ "bin/unrar",
2244
+ "bin/unshare",
2245
+ "bin/unxz",
2246
+ "bin/unzip",
2247
+ "bin/unzstd",
2248
+ "bin/update-alternatives",
2249
+ "bin/uudecode",
2250
+ "bin/uuencode",
2251
+ "bin/valgrind",
2252
+ "bin/vi",
2253
+ "bin/view",
2254
+ "bin/vigr",
2255
+ "bin/vim",
2256
+ "bin/vimdiff",
2257
+ "bin/vipw",
2258
+ "bin/virsh",
2259
+ "bin/volatility",
2260
+ "bin/wall",
2261
+ "bin/watch",
2262
+ "bin/wc",
2263
+ "bin/wget",
2264
+ "bin/whiptail",
2265
+ "bin/who",
2266
+ "bin/whoami",
2267
+ "bin/whois",
2268
+ "bin/wireshark",
2269
+ "bin/wish",
2270
+ "bin/xargs",
2271
+ "bin/xelatex",
2272
+ "bin/xetex",
2273
+ "bin/xmodmap",
2274
+ "bin/xmore",
2275
+ "bin/xpad",
2276
+ "bin/xxd",
2277
+ "bin/xz",
2278
+ "bin/xzcat",
2279
+ "bin/xzcmp",
2280
+ "bin/xzdec",
2281
+ "bin/xzdiff",
2282
+ "bin/xzegrep",
2283
+ "bin/xzfgrep",
2284
+ "bin/xzgrep",
2285
+ "bin/xzless",
2286
+ "bin/xzmore",
2287
+ "bin/yarn",
2288
+ "bin/yelp",
2289
+ "bin/yes",
2290
+ "bin/yum",
2291
+ "bin/zathura",
2292
+ "bin/zip",
2293
+ "bin/zipcloak",
2294
+ "bin/zipcmp",
2295
+ "bin/zipdetails",
2296
+ "bin/zipgrep",
2297
+ "bin/zipinfo",
2298
+ "bin/zipmerge",
2299
+ "bin/zipnote",
2300
+ "bin/zipsplit",
2301
+ "bin/ziptool",
2302
+ "bin/zsh",
2303
+ "bin/zsoelim",
2304
+ "bin/zstd",
2305
+ "bin/zstdcat",
2306
+ "bin/zstdgrep",
2307
+ "bin/zstdless",
2308
+ "bin/zstdmt",
2309
+ "bin/zypper"
1611
2310
  ]
1612
2311
  },
1613
2312
  "operator": "phrase_match"
@@ -1791,14 +2490,6 @@
1791
2490
  ],
1792
2491
  "list": [
1793
2492
  "$globals",
1794
- "$http_cookie_vars",
1795
- "$http_env_vars",
1796
- "$http_get_vars",
1797
- "$http_post_files",
1798
- "$http_post_vars",
1799
- "$http_raw_post_data",
1800
- "$http_request_vars",
1801
- "$http_server_vars",
1802
2493
  "$_cookie",
1803
2494
  "$_env",
1804
2495
  "$_files",
@@ -1808,7 +2499,17 @@
1808
2499
  "$_server",
1809
2500
  "$_session",
1810
2501
  "$argc",
1811
- "$argv"
2502
+ "$argv",
2503
+ "$http_\\u200bresponse_\\u200bheader",
2504
+ "$php_\\u200berrormsg",
2505
+ "$http_cookie_vars",
2506
+ "$http_env_vars",
2507
+ "$http_get_vars",
2508
+ "$http_post_files",
2509
+ "$http_post_vars",
2510
+ "$http_raw_post_data",
2511
+ "$http_request_vars",
2512
+ "$http_server_vars"
1812
2513
  ]
1813
2514
  },
1814
2515
  "operator": "phrase_match"
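Review bot: The two new phrase_match entries `"$http_\\u200bresponse_\\u200bheader"` and `"$php_\\u200berrormsg"` cannot match the PHP variables they are presumably meant to catch: after JSON decoding each list item contains a literal backslash-u sequence (`\u200b`), and even as a real zero-width space it would not equal `$http_response_header` or `$php_errormsg`, which is what a request would actually carry. The `\u200b` looks like a copy-paste artifact from a rendered documentation page. Replace them with `"$http_response_header",` and `"$php_errormsg",`. The `$http_*_vars` entries removed in the previous hunk are only moved here, so that part of the change is a no-op.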
@@ -1993,7 +2694,7 @@
1993
2694
  "address": "grpc.server.request.message"
1994
2695
  }
1995
2696
  ],
1996
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|
read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
2697
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|i
magetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\")*\\(.*\\)",
1997
2698
  "options": {
1998
2699
  "min_length": 5
1999
2700
  }
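Review bot: The function names `alert`, `atob` and `btoa` added inside the `a(?:...)` and `b(?:...)` branches of the new regex are JavaScript globals, not PHP functions, so this PHP-function-call rule now also fires on `alert(`, `atob(` and `btoa(`; the rule's id, name and tags are outside the hunk, so I cannot tell whether they were updated to reflect the wider scope. If JavaScript calls are the target, the crs-941-390 rule inserted later in this diff is the natural home, and these three tokens should be removed from the PHP alternation to keep the rule's `type` tag honest. The new `\\\"` alternative in the trailing separator group additionally accepts a double quote between the name and `(`; that is presumably intentional but is not obvious from the pattern and is worth a short note in the rule name or release notes.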
@@ -2067,7 +2768,7 @@
2067
2768
  "address": "grpc.server.request.message"
2068
2769
  }
2069
2770
  ],
2070
- "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://",
2771
+ "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",
2071
2772
  "options": {
2072
2773
  "case_sensitive": true,
2073
2774
  "min_length": 6
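Review bot: The rewritten regex drops the leading `(?i:` while the rule keeps `"case_sensitive": true`, so scheme spellings such as `PHAR://` or `Zip://` that the 1.5.0 pattern matched no longer do; PHP resolves stream-wrapper names case-insensitively, so this is a detection regression unless a `lowercase` transformer (not visible in this hunk) is applied to these inputs. Restore the flag around the new alternation: `"regex": "(?i:(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://)",`. The `bzip2` addition itself is fine and keeps the 6-character `min_length` valid.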
@@ -2082,7 +2783,7 @@
2082
2783
  },
2083
2784
  {
2084
2785
  "id": "crs-934-100",
2085
- "name": "Node.js Injection Attack",
2786
+ "name": "Node.js Injection Attack 1/2",
2086
2787
  "tags": {
2087
2788
  "type": "js_code_injection",
2088
2789
  "crs_id": "934100",
@@ -2105,7 +2806,43 @@
2105
2806
  "address": "grpc.server.request.message"
2106
2807
  }
2107
2808
  ],
2108
- "regex": "(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)",
2809
+ "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
2810
+ "options": {
2811
+ "case_sensitive": true,
2812
+ "min_length": 3
2813
+ }
2814
+ },
2815
+ "operator": "match_regex"
2816
+ }
2817
+ ],
2818
+ "transformers": []
2819
+ },
2820
+ {
2821
+ "id": "crs-934-101",
2822
+ "name": "Node.js Injection Attack 2/2",
2823
+ "tags": {
2824
+ "type": "js_code_injection",
2825
+ "crs_id": "934101",
2826
+ "category": "attack_attempt"
2827
+ },
2828
+ "conditions": [
2829
+ {
2830
+ "parameters": {
2831
+ "inputs": [
2832
+ {
2833
+ "address": "server.request.query"
2834
+ },
2835
+ {
2836
+ "address": "server.request.body"
2837
+ },
2838
+ {
2839
+ "address": "server.request.path_params"
2840
+ },
2841
+ {
2842
+ "address": "grpc.server.request.message"
2843
+ }
2844
+ ],
2845
+ "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(",
2109
2846
  "options": {
2110
2847
  "case_sensitive": true,
2111
2848
  "min_length": 5
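Review bot: The new crs-934-100 regex contains the tokens `(?:Caveat|Inode)s` and `Availability`, which are not Node.js API names and look like section headings picked up from the fs module documentation; they add `Caveats(`, `Inodes(` and `Availability(` as triggers with no detection value and should be dropped from the alternation. `\\beval` inside the outer `\\b(?:...)` group carries a redundant boundary. The split-off crs-934-101 rule matches bare `read(`, `open(`, `close(` and `write(` in any query, body or path parameter with no Node-specific context, so it will be markedly noisier than its 1/2 sibling, yet nothing in its tags distinguishes it as a lower-confidence signal for consumers that filter on rule metadata.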
@@ -2247,7 +2984,7 @@
2247
2984
  "address": "grpc.server.request.message"
2248
2985
  }
2249
2986
  ],
2250
- "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2987
+ "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2251
2988
  "options": {
2252
2989
  "min_length": 8
2253
2990
  }
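Review bot: Replacing `on[a-zA-Z]{3,25}` with a closed handler list narrows coverage: the list omits whole handler families such as the pointer events (`onpointerdown` and its siblings) and the transition events (`ontransitionend`), which the 1.5.0 pattern matched, so an attribute injection using one of those no longer triggers this rule. If the goal was to cut false positives on ordinary words after `on`, keeping the generic form as a last alternative guarded by the existing `[\\s\\x0B...]*?=[^=]` suffix would preserve coverage; otherwise the list needs to be regenerated from the complete HTML event-handler attribute set and kept in sync as it grows. The options block still has no `case_sensitive` entry, so the new list presumably relies on the engine's default case handling, which is not visible here.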
@@ -2308,6 +3045,52 @@
2308
3045
  "removeNulls"
2309
3046
  ]
2310
3047
  },
3048
+ {
3049
+ "id": "crs-941-170",
3050
+ "name": "NoScript XSS InjectionChecker: Attribute Injection",
3051
+ "tags": {
3052
+ "type": "xss",
3053
+ "crs_id": "941170",
3054
+ "category": "attack_attempt"
3055
+ },
3056
+ "conditions": [
3057
+ {
3058
+ "parameters": {
3059
+ "inputs": [
3060
+ {
3061
+ "address": "server.request.headers.no_cookies",
3062
+ "key_path": [
3063
+ "user-agent"
3064
+ ]
3065
+ },
3066
+ {
3067
+ "address": "server.request.headers.no_cookies",
3068
+ "key_path": [
3069
+ "referer"
3070
+ ]
3071
+ },
3072
+ {
3073
+ "address": "server.request.query"
3074
+ },
3075
+ {
3076
+ "address": "server.request.body"
3077
+ },
3078
+ {
3079
+ "address": "server.request.path_params"
3080
+ }
3081
+ ],
3082
+ "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
3083
+ "options": {
3084
+ "min_length": 6
3085
+ }
3086
+ },
3087
+ "operator": "match_regex"
3088
+ }
3089
+ ],
3090
+ "transformers": [
3091
+ "removeNulls"
3092
+ ]
3093
+ },
2311
3094
  {
2312
3095
  "id": "crs-941-180",
2313
3096
  "name": "Node-Validator Deny List Keywords",
@@ -2414,7 +3197,7 @@
2414
3197
  "address": "grpc.server.request.message"
2415
3198
  }
2416
3199
  ],
2417
- "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
3200
+ "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
2418
3201
  "options": {
2419
3202
  "case_sensitive": true,
2420
3203
  "min_length": 12
@@ -2762,11 +3545,11 @@
2762
3545
  "transformers": []
2763
3546
  },
2764
3547
  {
2765
- "id": "crs-942-100",
2766
- "name": "SQL Injection Attack Detected via libinjection",
3548
+ "id": "crs-941-390",
3549
+ "name": "Javascript method detected",
2767
3550
  "tags": {
2768
- "type": "sql_injection",
2769
- "crs_id": "942100",
3551
+ "type": "xss",
3552
+ "crs_id": "941390",
2770
3553
  "category": "attack_attempt"
2771
3554
  },
2772
3555
  "conditions": [
@@ -2785,21 +3568,24 @@
2785
3568
  {
2786
3569
  "address": "grpc.server.request.message"
2787
3570
  }
2788
- ]
3571
+ ],
3572
+ "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function)\\s*\\(",
3573
+ "options": {
3574
+ "case_sensitive": true,
3575
+ "min_length": 5
3576
+ }
2789
3577
  },
2790
- "operator": "is_sqli"
3578
+ "operator": "match_regex"
2791
3579
  }
2792
3580
  ],
2793
- "transformers": [
2794
- "removeNulls"
2795
- ]
3581
+ "transformers": []
2796
3582
  },
2797
3583
  {
2798
- "id": "crs-942-160",
2799
- "name": "Detects blind sqli tests using sleep() or benchmark()",
3584
+ "id": "crs-942-100",
3585
+ "name": "SQL Injection Attack Detected via libinjection",
2800
3586
  "tags": {
2801
3587
  "type": "sql_injection",
2802
- "crs_id": "942160",
3588
+ "crs_id": "942100",
2803
3589
  "category": "attack_attempt"
2804
3590
  },
2805
3591
  "conditions": [
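Review bot: The new crs-941-390 regex `\\b(?i:eval|settimeout|setinterval|new\\s+Function)\\s*\\(` overlaps with crs-934-100 in this same file, whose rewritten regex earlier in the diff already matches `eval\\s*\\(` and `new\\s+Function\\s*\\(` on the same request addresses, so one payload will raise two events with different `type` tags (`xss` here, `js_code_injection` there). If both are intended that is worth stating in the rule name; otherwise drop `eval` and `new\\s+Function` here and keep the timer functions, which no other visible rule covers. With the whole alternation inside `(?i:...)`, the `"case_sensitive": true` option has no effect and can be removed for clarity.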
@@ -2818,24 +3604,21 @@
2818
3604
  {
2819
3605
  "address": "grpc.server.request.message"
2820
3606
  }
2821
- ],
2822
- "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2823
- "options": {
2824
- "case_sensitive": true,
2825
- "min_length": 7
2826
- }
3607
+ ]
2827
3608
  },
2828
- "operator": "match_regex"
3609
+ "operator": "is_sqli"
2829
3610
  }
2830
3611
  ],
2831
- "transformers": []
3612
+ "transformers": [
3613
+ "removeNulls"
3614
+ ]
2832
3615
  },
2833
3616
  {
2834
- "id": "crs-942-190",
2835
- "name": "Detects MSSQL code execution and information gathering attempts",
3617
+ "id": "crs-942-160",
3618
+ "name": "Detects blind sqli tests using sleep() or benchmark()",
2836
3619
  "tags": {
2837
3620
  "type": "sql_injection",
2838
- "crs_id": "942190",
3621
+ "crs_id": "942160",
2839
3622
  "category": "attack_attempt"
2840
3623
  },
2841
3624
  "conditions": [
@@ -2855,9 +3638,10 @@
2855
3638
  "address": "grpc.server.request.message"
2856
3639
  }
2857
3640
  ],
2858
- "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
3641
+ "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2859
3642
  "options": {
2860
- "min_length": 3
3643
+ "case_sensitive": true,
3644
+ "min_length": 7
2861
3645
  }
2862
3646
  },
2863
3647
  "operator": "match_regex"
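Review bot: Within this view the crs-942-190 rule (`Detects MSSQL code execution and information gathering attempts`, the regex covering `xp_cmdshell`, `information_schema`, `into outfile` and the `exec master.` forms) is removed: its id, name and regex are overwritten by crs-942-160's in this and the two preceding hunks, and no hunk in this chunk re-adds it, while crs-941-390 is inserted above. If dropping the MSSQL rule was not intended it should be restored after crs-942-160 with its original `"min_length": 3`; if it was intended, the reduction in SQL-injection coverage should be called out explicitly, because the surrounding hunks read like a pure reorder.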
@@ -3031,10 +3815,10 @@
3031
3815
  "address": "grpc.server.request.message"
3032
3816
  }
3033
3817
  ],
3034
- "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
3818
+ "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?))",
3035
3819
  "options": {
3036
3820
  "case_sensitive": true,
3037
- "min_length": 5
3821
+ "min_length": 3
3038
3822
  }
3039
3823
  },
3040
3824
  "operator": "match_regex"
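Review bot: Making the brackets optional (`\\[?\\$(...)\\]?`) while lowering `min_length` to 3 leaves the operator name with no right-hand boundary, so under `(?i:` any `$`-prefixed word that begins with an operator name now matches — `$inventory` via `$in`, `$nearest` via `$ne`, `$types` via `$type` — in any query or body value, unless a transformer outside this hunk narrows the inputs. Add a word boundary after the alternation so a bare operator still matches but a longer identifier does not: `...|x?or|div|mod)\\b\\]?))`.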
@@ -3338,6 +4122,45 @@
3338
4122
  "lowercase"
3339
4123
  ]
3340
4124
  },
4125
+ {
4126
+ "id": "crs-944-260",
4127
+ "name": "Remote Command Execution: Malicious class-loading payload",
4128
+ "tags": {
4129
+ "type": "java_code_injection",
4130
+ "crs_id": "944260",
4131
+ "category": "attack_attempt"
4132
+ },
4133
+ "conditions": [
4134
+ {
4135
+ "parameters": {
4136
+ "inputs": [
4137
+ {
4138
+ "address": "server.request.query"
4139
+ },
4140
+ {
4141
+ "address": "server.request.body"
4142
+ },
4143
+ {
4144
+ "address": "server.request.path_params"
4145
+ },
4146
+ {
4147
+ "address": "server.request.headers.no_cookies"
4148
+ },
4149
+ {
4150
+ "address": "grpc.server.request.message"
4151
+ }
4152
+ ],
4153
+ "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)",
4154
+ "options": {
4155
+ "case_sensitive": true,
4156
+ "min_length": 58
4157
+ }
4158
+ },
4159
+ "operator": "match_regex"
4160
+ }
4161
+ ],
4162
+ "transformers": []
4163
+ },
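Review bot: `"min_length": 58` is exactly the length of the first alternative (`class.module.classLoader.resources.context.parent.pipeline`), so the option is silently coupled to the regex: any shorter alternative added later would never fire, and nothing in the rule records why 58 was chosen. The regex also requires the full Tomcat pipeline path, while the property that makes the payload dangerous is the `class.module.classLoader` traversal itself; matching that 24-character prefix (with `min_length` lowered to match) would cover variants that target other class-loader properties, at the cost of a few more matches on benign parameters, which are rare for that name.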
3341
4164
  {
3342
4165
  "id": "dog-000-001",
3343
4166
  "name": "Look for Cassandra injections",
@@ -3383,6 +4206,9 @@
3383
4206
  "operator": "match_regex",
3384
4207
  "parameters": {
3385
4208
  "inputs": [
4209
+ {
4210
+ "address": "server.request.uri.raw"
4211
+ },
3386
4212
  {
3387
4213
  "address": "server.request.query"
3388
4214
  },
@@ -3469,6 +4295,74 @@
3469
4295
  "keys_only"
3470
4296
  ]
3471
4297
  },
4298
+ {
4299
+ "id": "dog-000-005",
4300
+ "name": "Node.js: Prototype pollution through __proto__",
4301
+ "tags": {
4302
+ "type": "js_code_injection",
4303
+ "category": "attack_attempt"
4304
+ },
4305
+ "conditions": [
4306
+ {
4307
+ "parameters": {
4308
+ "inputs": [
4309
+ {
4310
+ "address": "server.request.query"
4311
+ },
4312
+ {
4313
+ "address": "server.request.body"
4314
+ }
4315
+ ],
4316
+ "regex": "^__proto__$"
4317
+ },
4318
+ "operator": "match_regex"
4319
+ }
4320
+ ],
4321
+ "transformers": [
4322
+ "keys_only"
4323
+ ]
4324
+ },
4325
+ {
4326
+ "id": "dog-000-006",
4327
+ "name": "Node.js: Prototype pollution through constructor.prototype",
4328
+ "tags": {
4329
+ "type": "js_code_injection",
4330
+ "category": "attack_attempt"
4331
+ },
4332
+ "conditions": [
4333
+ {
4334
+ "parameters": {
4335
+ "inputs": [
4336
+ {
4337
+ "address": "server.request.query"
4338
+ },
4339
+ {
4340
+ "address": "server.request.body"
4341
+ }
4342
+ ],
4343
+ "regex": "^constructor$"
4344
+ },
4345
+ "operator": "match_regex"
4346
+ },
4347
+ {
4348
+ "parameters": {
4349
+ "inputs": [
4350
+ {
4351
+ "address": "server.request.query"
4352
+ },
4353
+ {
4354
+ "address": "server.request.body"
4355
+ }
4356
+ ],
4357
+ "regex": "^prototype$"
4358
+ },
4359
+ "operator": "match_regex"
4360
+ }
4361
+ ],
4362
+ "transformers": [
4363
+ "keys_only"
4364
+ ]
4365
+ },
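Review bot: dog-000-006 is two independent `keys_only` conditions (`^constructor$` and `^prototype$`), each evaluated over the whole query and body, so — assuming conditions are AND-ed as in the other multi-condition rules — it fires on any request whose parsed parameters contain both key names anywhere, not specifically a `constructor.prototype` path; a form with a top-level `prototype` field and an unrelated `constructor` field elsewhere will match. Nothing in the hunk expresses the nesting (`key_path` is used elsewhere in this file only for fixed header names), so if the engine cannot express it the rule name should say it detects the two keys co-occurring rather than a `constructor.prototype` chain. dog-000-005 (`^__proto__$`) has no such ambiguity.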
3472
4366
  {
3473
4367
  "id": "nfd-000-001",
3474
4368
  "name": "Detect common directory discovery scans",
@@ -4346,7 +5240,7 @@
4346
5240
  "address": "grpc.server.request.message"
4347
5241
  }
4348
5242
  ],
4349
- "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"
5243
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
4350
5244
  },
4351
5245
  "operator": "match_regex"
4352
5246
  }
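Review bot: None of the domain alternatives has a right-hand boundary, so the rewritten regex also matches hostnames that merely start with a listed one — `interact\\.sh` matches `https://interact.shop/`, `oast\\.me` matches `oast.media`, `webhook\\.site` matches `webhook.sitemap.example` — and because `(?:.*\\.)?` follows the unanchored `://`, a listed domain anywhere later in the URL (a path segment or redirect parameter) counts as well. Terminate the host with a delimiter-or-end by appending `(?:[^\\w.-]|$)` after the closing `)` of the alternation. The surviving capturing group `(http|https)` can become `(?:https?)` to match the non-capturing style used in the rest of the pattern.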