tcell_agent 0.2.29 → 0.4.0

data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb

@@ -1,172 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-  module Policies
-
-    describe UserAgentSensor do
-      context "#initialize" do
-        context "default sensor" do
-          it "should have properties set to defaults" do
-            sensor = UserAgentSensor.new
-            expect(sensor.enabled).to eq(false)
-            expect(sensor.empty_enabled).to eq(false)
-            expect(UserAgentSensor::DP_CODE).to eq("uaempty")
-          end
-        end
-
-        context "setting enabled on sensor" do
-          it "should have properties set to defaults" do
-            sensor = UserAgentSensor.new({"enabled" => true, "empty_enabled" => false})
-            expect(sensor.enabled).to eq(true)
-            expect(sensor.empty_enabled).to eq(false)
-          end
-        end
-
-        context "setting empty_enabled on sensor" do
-          it "should have properties set to defaults" do
-            sensor = UserAgentSensor.new({"enabled" => false, "empty_enabled" => true})
-            expect(sensor.enabled).to eq(false)
-            expect(sensor.empty_enabled).to eq(true)
-          end
-        end
-
-        context "setting exclude_routes on sensor" do
-          it "should exclude_routes set" do
-            sensor = UserAgentSensor.new({
-              "enabled" => false,
-              "empty_enabled" => true,
-              "exclude_routes" => ["route_id"]
-            })
-            expect(sensor.enabled).to eq(false)
-            expect(sensor.empty_enabled).to eq(true)
-            expect(sensor.excluded_route_ids).to eq({"route_id" => true})
-          end
-        end
-      end
-
-      context "#check" do
-        before(:each) do
-          @meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
-          @meta.remote_address = "remote_address"
-          @meta.method = "get"
-          @meta.location = "location"
-          @meta.route_id = "route_id"
-          @meta.session_id = "session_id"
-          @meta.user_id = "user_id"
-          @meta.transaction_id = "transaction_id"
-        end
-
-        context "with disabled sensor" do
-          context "with empty user agent" do
-            it "should not send event" do
-              sensor = UserAgentSensor.new({"enabled" => false, "empty_enabled" => false})
-              @meta.user_agent = nil
-
-              expect(TCellAgent).to_not receive(:send_event)
-              sensor.check(@meta)
-            end
-          end
-
-          context "with user agent present" do
-            it "should not send event" do
-              sensor = UserAgentSensor.new({"enabled" => false, "empty_enabled" => false})
-              @meta.user_agent = "Mozilla"
-
-              expect(TCellAgent).to_not receive(:send_event)
-              sensor.check(@meta)
-            end
-          end
-        end
-
-        context "with enabled sensor" do
-          before(:each) do
-            @sensor = UserAgentSensor.new({"enabled" => true, "empty_enabled" => true})
-          end
-
-          context "with empty user agent" do
-            it "should send event" do
-              @meta.user_agent = ""
-
-              expect(TCellAgent).to receive(:send_event).with({
-                "event_type"=>"as",
-                "dp"=>UserAgentSensor::DP_CODE,
-                "remote_addr"=>"remote_address",
-                "m"=>"get",
-                "rid"=>"route_id"
-              })
-              @sensor.check(@meta)
-            end
-
-            context "no excluded routes" do
-              it "should send an event" do
-                @meta.user_agent = ""
-                @sensor.excluded_route_ids = {}
-
-                expect(TCellAgent).to receive(:send_event).with({
-                  "event_type"=>"as",
-                  "dp"=>UserAgentSensor::DP_CODE,
-                  "remote_addr"=>"remote_address",
-                  "m"=>"get",
-                  "rid"=>"route_id"
-                })
-                @sensor.check(@meta)
-              end
-            end
-
-            context "has excluded routes" do
-              context "route id matches" do
-                it "should not send an event" do
-                  @meta.user_agent = ""
-                  @sensor.excluded_route_ids = {"route_id" => true}
-
-                  expect(TCellAgent).to_not receive(:send_event)
-                  @sensor.check(@meta)
-                end
-              end
-              context "route id does not match" do
-                it "should send an event" do
-                  @meta.user_agent = ""
-                  @sensor.excluded_route_ids = {"nonmatching" => true}
-
-                  expect(TCellAgent).to receive(:send_event).with({
-                    "event_type"=>"as",
-                    "dp"=>UserAgentSensor::DP_CODE,
-                    "remote_addr"=>"remote_address",
-                    "m"=>"get",
-                    "rid"=>"route_id"
-                  })
-                  @sensor.check(@meta)
-                end
-              end
-            end
-          end
-
-          context "with blank space user agent" do
-            it "should not send event" do
-              @meta.user_agent = "\n  \t  \s"
-
-              expect(TCellAgent).to receive(:send_event).with({
-                "event_type"=>"as",
-                "dp"=>UserAgentSensor::DP_CODE,
-                "remote_addr"=>"remote_address",
-                "m"=>"get",
-                "rid"=>"route_id"
-              })
-              @sensor.check(@meta)
-            end
-          end
-
-          context "with user agent present" do
-            it "should not send event" do
-              @meta.user_agent = "Mozilla"
-
-              expect(TCellAgent).to_not receive(:send_event)
-              @sensor.check(@meta)
-            end
-          end
-        end
-      end
-    end
-
-  end
-end

data/spec/lib/tcell_agent/rails/auth/hooks_spec.rb

@@ -1,246 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-
-  module Hooks
-    module V1
-      module Frameworks
-        module Rails
-          module Login
-            def self.register_login_event(status, rails_request, user_id, user_valid=nil)
-            end
-          end
-        end
-      end
-    end
-  end
-
-  module Hooks
-    module V1
-      module Login
-        LOGIN_SUCCESS = "success"
-        LOGIN_FAILURE = "failure"
-        def self.register_login_event(status, session_id, user_agent, referrer, remote_addr, header_keys, user_id, document_uri, user_valid=nil)
-        end
-      end
-    end
-  end
-
-  describe "manually requiring auth hooks" do
-    before(:all) do
-      require 'tcell_agent/rails/auth/hooks'
-    end
-
-    describe "Using generic interface" do
-      context "with a login failure" do
-        it "should report the login failure" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(TCellAgent).to receive(:send_event).with(
-            {
-              "event_type" => "login",
-              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
-              "user_agent" => "user_agent",
-              "referrer" => "referrer",
-              "remote_addr" => "1.1.1.1",
-              "user_id" => "user_id",
-              "document_uri" => "http://tcell.tcell.io/login?param_name=",
-              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
-              "event_name" => "login-failure"
-            }
-          )
-
-          status = Hooks::V1::Login::LOGIN_FAILURE
-          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
-          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
-
-          Hooks::V1::Login.register_login_event(
-            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
-          )
-        end
-      end
-
-      context "with a login success" do
-        it "should report the login success" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(TCellAgent).to receive(:send_event).with(
-            {
-              "event_type" => "login",
-              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
-              "user_agent" => "user_agent",
-              "referrer" => "referrer",
-              "remote_addr" => "1.1.1.1",
-              "user_id" => "user_id",
-              "document_uri" => "http://tcell.tcell.io/login?param_name=",
-              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
-              "event_name" => "login-success"
-            }
-          )
-
-          status = Hooks::V1::Login::LOGIN_SUCCESS
-          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
-          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
-
-          Hooks::V1::Login.register_login_event(
-            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
-          )
-        end
-      end
-
-      context "with an unknown status" do
-        it "should log the error" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-          logger = double("logger")
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(TCellAgent).to_not receive(:send_event)
-          expect(TCellAgent).to receive(:logger).and_return(logger)
-          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
-
-          status = "mumbo-jumbo"
-          header_keys = ["HTTP_USER_AGENT", "HTTP_X_FORWARDED_FOR"]
-          document_uri = "http://tcell.tcell.io/login?param_name=param_value"
-
-          Hooks::V1::Login.register_login_event(
-            status, "session_id", "user_agent", "referrer", "1.1.1.1", header_keys, "user_id", document_uri
-          )
-        end
-      end
-    end
-
-    describe "Using rails interface" do
-      context "with a login failure" do
-        it "should report the login failure" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-          rails_request = double("rails_request")
-          tcell_data = TCellAgent::Instrumentation::TCellData.new
-          tcell_data.user_agent = "user_agent"
-          tcell_data.referrer = "referrer"
-          tcell_data.ip_address = "1.1.1.1"
-          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
-          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
-          request_env = {
-            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
-            "HTTP_USER_AGENT" => true,
-            "HTTP_X_FORWARDED_FOR" => true
-          }
-
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(rails_request).to receive(:env).and_return(request_env)
-          expect(rails_request).to receive(:env).and_return(request_env)
-          expect(TCellAgent).to receive(:send_event).with(
-            {
-              "event_type" => "login",
-              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
-              "user_agent" => "user_agent",
-              "referrer" => "referrer",
-              "remote_addr" => "1.1.1.1",
-              "user_id" => "user_id",
-              "document_uri" => "http://tcell.tcell.io/login?param_name=",
-              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
-              "event_name" => "login-failure"
-            }
-          )
-
-          status = Hooks::V1::Login::LOGIN_FAILURE
-
-          Hooks::V1::Frameworks::Rails::Login.register_login_event(
-            status, rails_request, "user_id"
-          )
-        end
-      end
-
-      context "with a login success" do
-        it "should report the login success" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-          rails_request = double("rails_request")
-          tcell_data = TCellAgent::Instrumentation::TCellData.new
-          tcell_data.user_agent = "user_agent"
-          tcell_data.referrer = "referrer"
-          tcell_data.ip_address = "1.1.1.1"
-          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
-          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
-          request_env = {
-            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
-            "HTTP_USER_AGENT" => true,
-            "HTTP_X_FORWARDED_FOR" => true
-          }
-
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(rails_request).to receive(:env).and_return(request_env)
-          expect(rails_request).to receive(:env).and_return(request_env)
-          expect(TCellAgent).to receive(:send_event).with(
-            {
-              "event_type" => "login",
-              "header_keys" => ["USER_AGENT", "X_FORWARDED_FOR"],
-              "user_agent" => "user_agent",
-              "referrer" => "referrer",
-              "remote_addr" => "1.1.1.1",
-              "user_id" => "user_id",
-              "document_uri" => "http://tcell.tcell.io/login?param_name=",
-              "session" => "48c0ce7961d8d5d4bd57bd77976b3d38",
-              "event_name" => "login-success"
-            }
-          )
-
-          status = Hooks::V1::Login::LOGIN_SUCCESS
-
-          Hooks::V1::Frameworks::Rails::Login.register_login_event(
-            status, rails_request, "user_id"
-          )
-        end
-      end
-
-      context "with an unknown status" do
-        it "should log the error" do
-          login_fraud = double("login_fraud", enabled: true, login_failed_enabled: true)
-          logger = double("logger")
-          rails_request = double("rails_request")
-          tcell_data = TCellAgent::Instrumentation::TCellData.new
-          tcell_data.user_agent = "user_agent"
-          tcell_data.referrer = "referrer"
-          tcell_data.ip_address = "1.1.1.1"
-          tcell_data.path = "http://tcell.tcell.io/login?param_name=param_value"
-          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac("session_id")
-          request_env = {
-            TCellAgent::Instrumentation::TCELL_ID => tcell_data,
-            "HTTP_USER_AGENT" => true,
-            "HTTP_X_FORWARDED_FOR" => true
-          }
-
-
-          expect(TCellAgent).to receive(:policy).with(TCellAgent::PolicyTypes::LoginFraud).and_return(
-            login_fraud
-          )
-          expect(rails_request).to receive(:env).and_return(request_env)
-          expect(TCellAgent).to_not receive(:send_event)
-          expect(TCellAgent).to receive(:logger).and_return(logger)
-          expect(logger).to receive(:error).with("Unkown login status: mumbo-jumbo")
-
-          status = "mumbo-jumbo"
-
-          Hooks::V1::Frameworks::Rails::Login.register_login_event(
-            status, rails_request, "user_id"
-          )
-        end
-      end
-    end
-
-  end
-
-end

data/spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb

@@ -1,25 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-  module SensorEvents
-    module Util
-      describe Util do
-        context "Domain from Url" do
-          it "Test Simple Domain" do
-            expect(Util.domainFromUrl("https://www.google.com")).to eq("www.google.com")
-          end
-          it "Test More Complex Domain" do
-            expect(Util.domainFromUrl("https://www.test.com:8000/abc/def")).to eq("www.test.com")
-          end
-        end
-        context "abc" do
-          it "abc" do
-            expect(Util.wildcardMatch("test","test")).to eq(true)
-            expect(Util.wildcardMatch("www.google.com","*.google.com")).to eq(true)
-            expect(Util.wildcardMatch("google.com","*.google.com")).to eq(false)
-          end
-        end
-      end
-    end
-  end
-end

data/spec/support/resources/baserules.json

@@ -1,155 +0,0 @@
-{
-  "version":"20160322",
-  "sensors":{
-    "xss":{
-      "patterns":[
-        {
-          "title":"Basic Injection",
-          "sophistication":1,
-          "common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
-          "id": "1"
-        },
-        {
-          "title":"Alert or Event XSS",
-          "sophistication":2,
-          "common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
-          "id": "2"
-        },
-        {
-          "title":"Tag Breaks",
-          "sophistication":2,
-          "common": "(?:\\\"[^\\\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\/>)|(?:>\\\")",
-          "id": "3"
-        },
-        {
-          "title":"Attribute Breaks",
-          "sophistication":3,
-         "common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
-          "id": "4"
-        },
-        {
-          "title":"Basic Obfuscation",
-          "sophistication":3,
-          "common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
-          "id": "5"
-        },
-        {
-          "title":"Common Concatenation",
-          "sophistication":3,
-          "common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
-          "id": "6"
-        },
-        {
-          "title":"IFrame Tag Injection",
-          "sophistication":1,
-          "common": "<iframe.*",
-          "id": "7"
-        }
-      ]
-    },
-    "cmdi":{
-      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns":[
-        {
-          "title":"Common Remote Attempts",
-          "sophistication":2,
-          "id":"1",
-          "common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
-          "ruby":"(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$))"
-        },
-        {
-          "title":"Common Command Attempts",
-          "sophistication":1,
-          "id":"2",
-          "common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\\\\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))"
-        }
-      ]
-    },
-    "sqli":{
-      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns":[
-        {
-          "title":"Common Encoding Obfuscations",
-          "sophistication":3,
-          "common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
-          "id": "1"
-        },
-        {
-          "title":"Common Probes/Executions",
-          "sophistication":1,
-          "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
-          "id": "2"
-        },
-        {
-          "title":"Comment Injection",
-          "sophistication":1,
-          "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
-          "id": "3"
-        },
-        {
-          "title":"Extraction Attempts 1",
-          "sophistication":1,
-          "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
-          "id": "4"
-        },
-        {
-          "title":"Extraction Attempts 2",
-          "sophistication":2,
-          "pattern": "(?:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\u00b4\u2019\u2018]|[=\\d]+x))|([\\\"'`\u00b4\u2019\u2018]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\u00b4\u2019\u2018][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\u00b4\u2019\u2018]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?\\d.+[\\\"'`\u00b4\u2019\u2018]?\\w)|(?:[\\\"'`\u00b4\u2019\u2018]\\|?[\\w-]{3,}[^\\w\\s.,]+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\\\"'`\u00b4\u2019\u2018]))",
-          "id": "5"
-        },
-        {
-          "title":"Extraction Attempts 3",
-          "sophistication":3,
-          "pattern": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
-          "id": "6"
-        }
-      ]
-    },
-    "fpt":{
-      "patterns":[
-        {
-          "title":"Windows Probing",
-          "sophistication":1,
-          "common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
-          "ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
-          "id": "1"
-        },
-        {
-          "title":"Unix Probing",
-          "sophistication":1,
-          "common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
-          "id": "2"
-        },
-        {
-          "title":"Attempt for /etc/passwd",
-          "sophistication":1,
-          "common": "(?:etc\\/\\W*passwd)",
-          "id": "3"
-        }
-      ]
-    },
-    "nullbyte":{
-      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns":[
-        {
-          "title":"Any Null Byte",
-          "sophistication":1,
-          "id":"1",
-          "common":"\\0"
-        }
-      ]
-    },
-    "retr":{
-      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns":[
-        {
-          "title":"Any Line-Break Character",
-          "sophistication":1,
-          "id":"1",
-          "common":"(\\n|\\r)"
-        }
-      ]
-    }
-  }
-}