tcell_agent 0.2.12 → 0.2.13

data/spec/lib/tcell_agent/utils/params_spec.rb

@@ -0,0 +1,119 @@
+require 'spec_helper'
+
+module TCellAgent
+  module Utils
+
+    class ParamsTest
+      include TCellAgent::Utils::Params
+    end
+
+    describe ParamsTest do
+      before(:each) do
+        @p_test = ParamsTest.new
+      end
+
+      context "#param_deep_loop" do
+        context "with a parameter hash" do
+          context "there is no match" do
+            it "should return nil" do
+              result = @p_test.param_deep_loop(
+                "hash_param",
+                {
+                  key_one: "no match",
+                  key_dos: "no match"
+                }
+              ) do |param_name, param_value|
+                nil
+              end
+
+              expect(result).to be_nil
+            end
+          end
+          context "there is a match" do
+            it "should return the match" do
+              result = @p_test.param_deep_loop(
+                "hash_param",
+                {
+                  key_one: "no match",
+                  key_dos: "i'm a match"
+                }
+              ) do |param_name, param_value|
+                if param_value =~ /i'm a match/
+                  "#{param_name} - #{param_value}"
+                else
+                  nil
+                end
+              end
+
+              expect(result).to eq("key_dos - i'm a match")
+            end
+          end
+        end
+
+        context "with a parameter array" do
+          context "there is no match" do
+            it "should return nil" do
+              result = @p_test.param_deep_loop(
+                "array_param",
+                [ "no match", "no match" ]
+              ) do |param_name, param_value|
+                nil
+              end
+
+              expect(result).to be_nil
+            end
+          end
+          context "there is a match" do
+            it "should return the match" do
+              result = @p_test.param_deep_loop(
+                "array_param",
+                [ "no match", "i'm a match" ]
+              ) do |param_name, param_value|
+                if param_value =~ /i'm a match/
+                  "#{param_name} - #{param_value}"
+                else
+                  nil
+                end
+              end
+
+              expect(result).to eq("array_param - i'm a match")
+            end
+          end
+        end
+
+        context "with a paramater string" do
+          context "there is no match" do
+            it "should return nil" do
+              result = @p_test.param_deep_loop(
+                "string_param",
+                "no match",
+              ) do |param_name, param_value|
+                nil
+              end
+
+              expect(result).to be_nil
+            end
+          end
+
+          context "there is a match" do
+            it "should return the match" do
+              result = @p_test.param_deep_loop(
+                "string_param",
+                "i'm a match"
+              ) do |param_name, param_value|
+                if param_value =~ /i'm a match/
+                  "#{param_name} - #{param_value}"
+                else
+                  nil
+                end
+              end
+
+              expect(result).to eq("string_param - i'm a match")
+            end
+          end
+        end
+      end
+    end
+
+  end
+end

data/spec/support/resources/baserules.json

@@ -0,0 +1,155 @@
+{
+  "version":"20160322",
+  "sensors":{
+    "xss":{
+      "patterns":[
+        {
+          "title":"Basic Injection",
+          "sophistication":1,
+          "common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
+          "id": "1"
+        },
+        {
+          "title":"Alert or Event XSS",
+          "sophistication":2,
+          "common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
+          "id": "2"
+        },
+        {
+          "title":"Tag Breaks",
+          "sophistication":2,
+          "common": "(?:\\\"[^\\\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\/>)|(?:>\\\")",
+          "id": "3"
+        },
+        {
+          "title":"Attribute Breaks",
+          "sophistication":3,
+         "common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
+          "id": "4"
+        },
+        {
+          "title":"Basic Obfuscation",
+          "sophistication":3,
+          "common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
+          "id": "5"
+        },
+        {
+          "title":"Common Concatenation",
+          "sophistication":3,
+          "common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
+          "id": "6"
+        },
+        {
+          "title":"IFrame Tag Injection",
+          "sophistication":1,
+          "common": "<iframe.*",
+          "id": "7"
+        }
+      ]
+    },
+    "cmdi":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Common Remote Attempts",
+          "sophistication":2,
+          "id":"1",
+          "common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
+          "ruby":"(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$))"
+        },
+        {
+          "title":"Common Command Attempts",
+          "sophistication":1,
+          "id":"2",
+          "common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\\\\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))"
+        }
+      ]
+    },
+    "sqli":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Common Encoding Obfuscations",
+          "sophistication":3,
+          "common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "1"
+        },
+        {
+          "title":"Common Probes/Executions",
+          "sophistication":1,
+          "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
+          "id": "2"
+        },
+        {
+          "title":"Comment Injection",
+          "sophistication":1,
+          "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
+          "id": "3"
+        },
+        {
+          "title":"Extraction Attempts 1",
+          "sophistication":1,
+          "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
+          "id": "4"
+        },
+        {
+          "title":"Extraction Attempts 2",
+          "sophistication":2,
+          "pattern": "(?:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\u00b4\u2019\u2018]|[=\\d]+x))|([\\\"'`\u00b4\u2019\u2018]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\u00b4\u2019\u2018][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\u00b4\u2019\u2018]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?\\d.+[\\\"'`\u00b4\u2019\u2018]?\\w)|(?:[\\\"'`\u00b4\u2019\u2018]\\|?[\\w-]{3,}[^\\w\\s.,]+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "5"
+        },
+        {
+          "title":"Extraction Attempts 3",
+          "sophistication":3,
+          "pattern": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "6"
+        }
+      ]
+    },
+    "fpt":{
+      "patterns":[
+        {
+          "title":"Windows Probing",
+          "sophistication":1,
+          "common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+          "ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+          "id": "1"
+        },
+        {
+          "title":"Unix Probing",
+          "sophistication":1,
+          "common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
+          "id": "2"
+        },
+        {
+          "title":"Attempt for /etc/passwd",
+          "sophistication":1,
+          "common": "(?:etc\\/\\W*passwd)",
+          "id": "3"
+        }
+      ]
+    },
+    "nullbyte":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Any Null Byte",
+          "sophistication":1,
+          "id":"1",
+          "common":"\\0"
+        }
+      ]
+    },
+    "retr":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Any Line-Break Character",
+          "sophistication":1,
+          "id":"1",
+          "common":"(\\n|\\r)"
+        }
+      ]
+    }
+  }
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tcell_agent
 version: !ruby/object:Gem::Version
-  version: 0.2.12
+  version: 0.2.13
 platform: ruby
 authors:
 - Garrett
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-28 00:00:00.000000000 Z
+date: 2016-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -126,16 +126,27 @@ files:
 - lib/tcell_agent/agent/static_agent.rb
 - lib/tcell_agent/agent.rb
 - lib/tcell_agent/api.rb
-- lib/tcell_agent/appsensor/cmdi.rb
-- lib/tcell_agent/appsensor/path_traversal.rb
-- lib/tcell_agent/appsensor/sqli.rb
-- lib/tcell_agent/appsensor/xss.rb
-- lib/tcell_agent/appsensor.rb
+- lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb
+- lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb
+- lib/tcell_agent/appsensor/rules/baserules.json
 - lib/tcell_agent/authlogic.rb
 - lib/tcell_agent/configuration.rb
 - lib/tcell_agent/devise.rb
 - lib/tcell_agent/instrumentation.rb
 - lib/tcell_agent/logger.rb
+- lib/tcell_agent/policies/appsensor/cmdi_sensor.rb
+- lib/tcell_agent/policies/appsensor/fpt_sensor.rb
+- lib/tcell_agent/policies/appsensor/injection_sensor.rb
+- lib/tcell_agent/policies/appsensor/login_sensor.rb
+- lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb
+- lib/tcell_agent/policies/appsensor/request_size_sensor.rb
+- lib/tcell_agent/policies/appsensor/response_codes_sensor.rb
+- lib/tcell_agent/policies/appsensor/response_size_sensor.rb
+- lib/tcell_agent/policies/appsensor/retr_sensor.rb
+- lib/tcell_agent/policies/appsensor/sensor.rb
+- lib/tcell_agent/policies/appsensor/size_sensor.rb
+- lib/tcell_agent/policies/appsensor/sqli_sensor.rb
+- lib/tcell_agent/policies/appsensor/xss_sensor.rb
 - lib/tcell_agent/policies/appsensor_policy.rb
 - lib/tcell_agent/policies/clickjacking_policy.rb
 - lib/tcell_agent/policies/content_security_policy.rb
@@ -158,7 +169,8 @@ files:
 - lib/tcell_agent/rails.rb
 - lib/tcell_agent/routes/table.rb
 - lib/tcell_agent/sensor_events/app_config.rb
-- lib/tcell_agent/sensor_events/app_sensor.rb
+- lib/tcell_agent/sensor_events/appsensor_event.rb
+- lib/tcell_agent/sensor_events/appsensor_meta_event.rb
 - lib/tcell_agent/sensor_events/discovery.rb
 - lib/tcell_agent/sensor_events/dlp.rb
 - lib/tcell_agent/sensor_events/honeytokens.rb
@@ -178,6 +190,7 @@ files:
 - lib/tcell_agent/start_background_thread.rb
 - lib/tcell_agent/system_info.rb
 - lib/tcell_agent/userinfo.rb
+- lib/tcell_agent/utils/params.rb
 - lib/tcell_agent/utils/queue_with_timeout.rb
 - lib/tcell_agent/version.rb
 - lib/tcell_agent.rb
@@ -230,9 +243,20 @@ files:
 - spec/lib/tcell_agent/agent/policy_manager_spec.rb
 - spec/lib/tcell_agent/agent/static_agent_spec.rb
 - spec/lib/tcell_agent/api/api_spec.rb
-- spec/lib/tcell_agent/appsensor_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
 - spec/lib/tcell_agent/configuration_spec.rb
 - spec/lib/tcell_agent/instrumentation_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb
 - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
 - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
 - spec/lib/tcell_agent/policies/content_security_policy_spec.rb
@@ -248,15 +272,17 @@ files:
 - spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb
 - spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb
 - spec/lib/tcell_agent/rails_spec.rb
+- spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb
 - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
 - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
-- spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
 - spec/lib/tcell_agent/utils/bounded_queue_spec.rb
+- spec/lib/tcell_agent/utils/params_spec.rb
 - spec/lib/tcell_agent_spec.rb
 - spec/spec_helper.rb
 - spec/support/middleware_helper.rb
+- spec/support/resources/baserules.json
 - spec/support/resources/normal_config.json
 - spec/support/static_agent_overrides.rb
 - README.md
@@ -339,9 +365,20 @@ test_files:
 - spec/lib/tcell_agent/agent/policy_manager_spec.rb
 - spec/lib/tcell_agent/agent/static_agent_spec.rb
 - spec/lib/tcell_agent/api/api_spec.rb
-- spec/lib/tcell_agent/appsensor_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
+- spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
 - spec/lib/tcell_agent/configuration_spec.rb
 - spec/lib/tcell_agent/instrumentation_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb
+- spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb
 - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
 - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
 - spec/lib/tcell_agent/policies/content_security_policy_spec.rb
@@ -357,14 +394,16 @@ test_files:
 - spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb
 - spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb
 - spec/lib/tcell_agent/rails_spec.rb
+- spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb
 - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
 - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
-- spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
 - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
 - spec/lib/tcell_agent/utils/bounded_queue_spec.rb
+- spec/lib/tcell_agent/utils/params_spec.rb
 - spec/lib/tcell_agent_spec.rb
 - spec/spec_helper.rb
 - spec/support/middleware_helper.rb
+- spec/support/resources/baserules.json
 - spec/support/resources/normal_config.json
 - spec/support/static_agent_overrides.rb

data/lib/tcell_agent/appsensor.rb

@@ -1,42 +0,0 @@
-# encoding: utf-8
-# See the file "LICENSE" for the full license governing this code.
-
-require 'tcell_agent/appsensor/xss'
-require 'tcell_agent/appsensor/sqli'
-require 'tcell_agent/appsensor/cmdi'
-require 'tcell_agent/appsensor/path_traversal'
-
-module TCellAgent
-    class AppSensor
- 
-        GENERALLY_SAFE_REGEX = /^[a-zA-Z0-9_\s\r\n\t]*$/
-        NULL_CHARS_REGEX=/\0/
-        RETURN_CHARS_REGEX=/(\n|\r)/
- 
-        def self.generallySafe(value)
-            if !value.instance_of? String
-                return false
-            end
-            return (value.match(AppSensor::GENERALLY_SAFE_REGEX)!=nil)
-        end
-        def self.containsNull(value)
-            if !value.instance_of? String
-                return false
-            end
-            if value.match(AppSensor::NULL_CHARS_REGEX)
-                return true
-            end
-            return false
-        end
-        def self.containsReturnChars(value)
-            if !value.instance_of? String
-                return false
-            end
-            if value.match(AppSensor::RETURN_CHARS_REGEX)
-                return true
-            end
-            return false
-        end
-    end
-end
-