agent-threat-rules 0.1.0

package/rules/tool-poisoning/ATR-2026-013-tool-ssrf.yaml

@@ -0,0 +1,208 @@
+title: "SSRF via Agent Tool Calls"
+id: ATR-2026-013
+status: experimental
+description: >
+  Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls.
+  Attackers manipulate agents into making requests to internal network endpoints,
+  cloud metadata services, localhost, or private IP ranges through tool parameters.
+  Detection covers: AWS/GCP/Azure/DigitalOcean metadata endpoints, localhost and
+  loopback variants (including decimal, hex, octal IP encoding), private RFC1918
+  ranges, internal hostnames, exotic URI schemes (file, gopher, dict, tftp, ldap),
+  DNS rebinding indicators, redirect-based SSRF patterns, cloud-specific IMDS
+  token headers, IPv6 loopback and mapped addresses, and hostname-based internal
+  service discovery. IP encoding evasion techniques (decimal, octal, hex) are
+  specifically addressed.
+author: "Panguard AI"
+date: "2026/03/08"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: critical
+
+references:
+  owasp_llm:
+    - "LLM06:2025 - Excessive Agency"
+    - "LLM05:2025 - Improper Output Handling"
+  owasp_agentic:
+    - "ASI02:2026 - Tool Misuse and Exploitation"
+  mitre_atlas:
+    - "AML.T0049 - Exploit Public-Facing Application"
+  mitre_attack:
+    - "T1090 - Proxy"
+    - "T1071 - Application Layer Protocol"
+  cve:
+    - "CVE-2019-5418"
+    - "CVE-2021-21311"
+
+tags:
+  category: tool-poisoning
+  subcategory: ssrf
+  confidence: high
+
+agent_source:
+  type: tool_call
+  framework:
+    - any
+  provider:
+    - any
+
+detection:
+  conditions:
+    # -- Layer 1: AWS IMDS (both v1 and v2) --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?169\\.254\\.169\\.254|/latest/(meta-data|user-data|api/token|dynamic|instance-identity)|X-aws-ec2-metadata-token|amazonaws\\.com.{0,50}(credentials|security-credentials|role)|iam[\\/\\\\]security-credentials"
+      description: "AWS Instance Metadata Service (IMDSv1/v2) and credential endpoints"
+
+    # -- Layer 2: GCP metadata --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?metadata\\.google\\.internal|/computeMetadata/v1|Metadata-Flavor:\\s*Google"
+      description: "GCP metadata service endpoints and required headers"
+
+    # -- Layer 3: Azure IMDS --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?169\\.254\\.169\\.254/metadata|Metadata:\\s*true|api-version=\\d{4}-\\d{2}-\\d{2}.*metadata|management\\.azure\\.com.{0,50}(subscriptions|resourceGroups)"
+      description: "Azure Instance Metadata Service and management endpoints"
+
+    # -- Layer 4: DigitalOcean / Oracle / Alibaba cloud metadata --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?169\\.254\\.169\\.254/metadata/v1|/opc/v[12]/|100\\.100\\.100\\.200"
+      description: "DigitalOcean, Oracle Cloud, and Alibaba Cloud metadata endpoints"
+
+    # -- Layer 5: Localhost and loopback (standard) --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)\\b(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[?::1\\]?|0177\\.0\\.0\\.1|0x7f\\.0\\.0\\.1|2130706433)\\b(:\\d+)?|\\b(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[?::1\\]?|0177\\.0\\.0\\.1|0x7f\\.0\\.0\\.1|2130706433)(:\\d+)/|\\b(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0)(:\\d+)(?=\\s|$|[\"'\\]}>])"
+      description: "Localhost/loopback in URL context (with scheme, port+path, or port at boundary)"
+
+    # -- Layer 6: Loopback IP encoding evasion --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?(0x7f000001|0x7f\\.0x0\\.0x0\\.0x1|017700000001|0177\\.0000\\.0000\\.0001|127\\.0?0?1|127\\.1|0\\.0\\.0\\.0|0x0\\.0x0\\.0x0\\.0x0|0000\\.0000\\.0000\\.0000)"
+      description: "Encoded loopback addresses (hex, octal, short forms)"
+
+    # -- Layer 7: Private RFC1918 ranges --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?\\b(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(1[6-9]|2[0-9]|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})\\b(:\\d+)?"
+      description: "Private IP addresses in RFC1918 ranges"
+
+    # -- Layer 8: Link-local and APIPA --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?169\\.254\\.\\d{1,3}\\.\\d{1,3}(:\\d+)?|fe80::"
+      description: "Link-local addresses (169.254.x.x, fe80::)"
+
+    # -- Layer 9: Internal hostnames --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\\.\\b(internal|local|localhost|localdomain|home|corp|intranet|private|lan|cluster\\.local|svc\\.cluster|consul|vault|etcd|k8s)\\b(:\\d+)?(/|$)"
+      description: "Internal DNS names and Kubernetes/service mesh hostnames"
+
+    # -- Layer 10: Exotic URI schemes --
+    - field: tool_args
+      operator: regex
+      value: "(?i)\\b(file|gopher|dict|ftp|tftp|ldap|ldaps|sftp|ssh|telnet|jar|netdoc|mailto|view-source|ws|wss)\\s*://\\s*(localhost|127\\.|10\\.|172\\.(1[6-9]|2[0-9]|3[01])|192\\.168\\.|0\\.0\\.0\\.0|\\[?::1\\]?|0x|0177)"
+      description: "Exotic URI schemes targeting internal addresses"
+
+    # -- Layer 11: DNS rebinding indicators --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?[a-zA-Z0-9-]+\\.(xip\\.io|nip\\.io|sslip\\.io|localtest\\.me|vcap\\.me|lvh\\.me|lacolhost\\.com|127\\.0\\.0\\.1\\.[a-z]+\\.\\w+)(:\\d+)?"
+      description: "DNS rebinding services that resolve to internal IPs"
+
+    # -- Layer 12: Redirect-based SSRF --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(redirect|redir|url|next|return|returnUrl|returnTo|continue|dest|destination|go|goto|target|link|out|view|ref|callback|forward)\\s*=\\s*(https?%3A%2F%2F|https?://)(localhost|127\\.0\\.0\\.1|10\\.|172\\.(1[6-9]|2[0-9])|192\\.168|169\\.254|0\\.0\\.0|\\[?::1\\]?)"
+      description: "URL redirect parameters targeting internal addresses"
+
+    # -- Layer 13: IPv6 internal addresses --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?\\[?(::1|::ffff:127\\.0\\.0\\.1|::ffff:10\\.|::ffff:172\\.(1[6-9]|2[0-9]|3[01])|::ffff:192\\.168|fc[0-9a-f]{2}:|fd[0-9a-f]{2}:)\\]?(:\\d+)?"
+      description: "IPv6 loopback, IPv4-mapped, and unique local addresses (fc/fd)"
+
+    # -- Layer 14: Cloud-specific service endpoints --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?(\\w+\\.)?\\b(vault\\.service\\.consul|consul\\.service\\.consul|etcd\\.service|kubernetes\\.default\\.svc|kube-apiserver|kubelet|elasticsearch|redis|memcached|mysql|postgres|mongodb|rabbitmq|kafka|zookeeper)\\b(:\\d+|/)"
+      description: "Common internal service names (databases, caches, orchestrators)"
+
+    # -- Layer 15: URL shortener or redirect service to internal --
+    - field: tool_args
+      operator: regex
+      value: "(?i)(https?://)?(bit\\.ly|tinyurl\\.com|t\\.co|goo\\.gl|is\\.gd|v\\.gd|rb\\.gy|cutt\\.ly|short\\.io|tiny\\.cc)/[a-zA-Z0-9]+"
+      description: "URL shorteners that may redirect to internal services"
+
+  condition: any
+  false_positives:
+    - "Agents with legitimate access to internal services explicitly allowlisted"
+    - "Development environments where localhost access is expected"
+    - "Private network tools designed for internal infrastructure management"
+    - "Cloud management tools that legitimately query metadata endpoints"
+    - "Service mesh tools that use .internal or .consul DNS names by design"
+
+response:
+  actions:
+    - block_tool
+    - alert
+    - snapshot
+    - kill_agent
+  auto_response_threshold: critical
+  message_template: >
+    [ATR-2026-013] CRITICAL: SSRF attempt detected via agent tool call.
+    Rule: ATR-2026-013. Tool: {tool_name}. Pattern: {matched_pattern}.
+    The tool call has been blocked and the agent terminated.
+
+test_cases:
+  true_positives:
+    - tool_args: "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+      expected: triggered
+      description: "AWS IMDS credential endpoint"
+    - tool_args: "http://localhost:8080/admin/config"
+      expected: triggered
+      description: "Localhost admin endpoint"
+    - tool_args: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
+      expected: triggered
+      description: "GCP metadata service"
+    - tool_args: "http://0x7f000001:8080/secret"
+      expected: triggered
+      description: "Hex-encoded loopback IP"
+    - tool_args: "gopher://127.0.0.1:6379/_SET%20exploit"
+      expected: triggered
+      description: "Gopher protocol targeting internal Redis"
+    - tool_args: "http://app.internal:3000/api/admin"
+      expected: triggered
+      description: "Internal hostname"
+    - tool_args: "http://evil.127.0.0.1.nip.io/api"
+      expected: triggered
+      description: "DNS rebinding via nip.io"
+    - tool_args: "redirect=http://169.254.169.254/latest/meta-data/"
+      expected: triggered
+      description: "Redirect-based SSRF to AWS IMDS"
+    - tool_args: "http://[::ffff:127.0.0.1]:8080/admin"
+      expected: triggered
+      description: "IPv6-mapped IPv4 loopback"
+    - tool_args: "http://kubernetes.default.svc:443/api/v1/secrets"
+      expected: triggered
+      description: "Kubernetes API server internal endpoint"
+  true_negatives:
+    - tool_args: "https://api.github.com/repos/user/repo"
+      expected: not_triggered
+      description: "Public GitHub API endpoint"
+    - tool_args: "https://www.example.com/public/data.json"
+      expected: not_triggered
+      description: "Public website"
+    - tool_args: "https://cdn.jsdelivr.net/npm/package@latest"
+      expected: not_triggered
+      description: "Public CDN"
+    - tool_args: "https://docs.google.com/spreadsheets/d/abc123"
+      expected: not_triggered
+      description: "Public Google Docs URL"
+    - tool_args: "search_query=localhost development guide"
+      expected: not_triggered
+      description: "Text containing localhost as a search term, not a URL"

package/spec/atr-schema.yaml

@@ -0,0 +1,375 @@
+# ATR Rule Schema -- Agent Threat Rules
+# Version: 0.1.0-draft
+#
+# Inspired by Sigma rule format, extended for AI Agent attack surfaces.
+# This schema defines the structure for all ATR detection rules.
+#
+# Status: RFC (Request for Comments)
+# License: MIT
+
+$schema: "https://json-schema.org/draft/2020-12/schema"
+title: ATR Rule Schema
+description: Schema for Agent Threat Rules (ATR) detection rules
+version: "0.1.0-draft"
+
+type: object
+required:
+  - schema_version
+  - title
+  - id
+  - status
+  - description
+  - author
+  - date
+  - severity
+  - detection_tier
+  - maturity
+  - tags
+  - agent_source
+  - detection
+  - response
+
+properties:
+
+  # === Metadata ===
+
+  schema_version:
+    type: string
+    description: "ATR schema version this rule conforms to (e.g., \"0.1\")"
+
+  title:
+    type: string
+    description: Human-readable rule name
+
+  id:
+    type: string
+    pattern: "^ATR-\\d{4}-\\d{3}$"
+    description: "Unique rule identifier. Format: ATR-YYYY-NNN (e.g., ATR-2026-001)"
+
+  status:
+    type: string
+    enum: [draft, experimental, stable, deprecated]
+    description: Rule maturity status
+
+  description:
+    type: string
+    description: Detailed description of the attack this rule detects
+
+  author:
+    type: string
+    description: Rule author or organization
+
+  date:
+    type: string
+    pattern: "^\\d{4}/\\d{2}/\\d{2}$"
+    description: "Creation date in YYYY/MM/DD format"
+
+  modified:
+    type: string
+    pattern: "^\\d{4}/\\d{2}/\\d{2}$"
+    description: "Last modification date in YYYY/MM/DD format"
+
+  # === Classification ===
+
+  detection_tier:
+    type: string
+    enum: [pattern, behavioral, protocol]
+    description: Detection approach used by this rule
+
+  maturity:
+    type: string
+    enum: [experimental, test, stable, deprecated]
+    description: Maturity level of this rule
+
+  # === Severity ===
+
+  severity:
+    type: string
+    enum: [critical, high, medium, low, informational]
+    description: Severity level of the detected threat
+
+  # === References (alignment with existing frameworks) ===
+
+  references:
+    type: object
+    description: Mappings to established security frameworks
+    properties:
+      owasp_llm:
+        type: array
+        items:
+          type: string
+        description: "OWASP LLM Top 10 references (e.g., LLM01:2025)"
+      mitre_atlas:
+        type: array
+        items:
+          type: string
+        description: "MITRE ATLAS technique IDs (e.g., AML.T0054)"
+      mitre_attack:
+        type: array
+        items:
+          type: string
+        description: "MITRE ATT&CK technique IDs (if applicable)"
+      cve:
+        type: array
+        items:
+          type: string
+        description: Related CVE identifiers
+
+  # === Tags (ATR classification) ===
+
+  tags:
+    type: object
+    required: [category]
+    properties:
+      category:
+        type: string
+        enum:
+          - prompt-injection
+          - tool-poisoning
+          - context-exfiltration
+          - agent-manipulation
+          - privilege-escalation
+          - excessive-autonomy
+          - data-poisoning
+          - model-abuse
+          - skill-compromise
+        description: Primary attack category
+      subcategory:
+        type: string
+        description: More specific classification within the category
+      confidence:
+        type: string
+        enum: [high, medium, low]
+        description: Expected accuracy of this rule (high = low false positive rate)
+
+  # === Agent Source (analogous to Sigma's logsource) ===
+
+  agent_source:
+    type: object
+    required: [type]
+    description: >
+      Defines what kind of agent data this rule inspects.
+      Analogous to Sigma's logsource, but for agent behaviors.
+    properties:
+      type:
+        type: string
+        enum:
+          - llm_io            # LLM input/output (prompts and completions)
+          - tool_call         # Function/tool call requests
+          - mcp_exchange      # MCP protocol messages
+          - agent_behavior    # Agent behavioral metrics and patterns
+          - multi_agent_comm  # Inter-agent communication
+          - context_window    # Context window contents
+          - memory_access     # Agent memory read/write operations
+          - skill_lifecycle   # MCP skill registration, update, removal events
+          - skill_permission  # Skill permission requests and boundary checks
+          - skill_chain       # Multi-skill invocation sequences
+        description: Type of agent data stream to monitor
+      framework:
+        type: array
+        items:
+          type: string
+        description: >
+          Applicable AI frameworks (e.g., langchain, crewai, autogen,
+          openai, anthropic, custom, any)
+      provider:
+        type: array
+        items:
+          type: string
+        description: >
+          Applicable LLM providers (e.g., ollama, openai, anthropic, any)
+
+  # === Detection Logic ===
+
+  detection:
+    type: object
+    required: [conditions, condition]
+    properties:
+      conditions:
+        description: >
+          Detection conditions. Supports two formats:
+          1. Array format (recommended): List of {field, operator, value} objects
+          2. Named-map format: Named condition blocks for complex detection logic
+        oneOf:
+          # -- Array format (used by most rules) --
+          - type: array
+            items:
+              type: object
+              required: [field, operator, value]
+              properties:
+                field:
+                  type: string
+                  description: >
+                    Field to inspect (e.g., user_input, agent_output,
+                    tool_response, tool_name, tool_args, content)
+                operator:
+                  type: string
+                  enum: [regex, contains, exact, starts_with]
+                  description: How the value is matched against the field
+                value:
+                  type: string
+                  description: Pattern to match (regex string if operator is regex)
+                description:
+                  type: string
+                  description: Human-readable description of what this condition detects
+
+          # -- Named-map format (for complex/behavioral detection) --
+          - type: object
+            description: Named condition blocks (referenced by the condition expression)
+            additionalProperties:
+              type: object
+              properties:
+                field:
+                  type: string
+                  description: Field to inspect
+                patterns:
+                  type: array
+                  items:
+                    type: string
+                  description: Patterns to match against the field value
+                match_type:
+                  type: string
+                  enum: [contains, regex, exact, starts_with]
+                  description: How patterns are matched
+                case_sensitive:
+                  type: boolean
+                  default: false
+                metric:
+                  type: string
+                  description: Behavioral metric to evaluate (v0.2+)
+                operator:
+                  type: string
+                  enum: [gt, lt, eq, gte, lte, deviation_from_baseline]
+                  description: Comparison operator for behavioral thresholds
+                threshold:
+                  type: number
+                  description: Numeric threshold for the metric
+                window:
+                  type: string
+                  description: "Time window for behavioral analysis (e.g., 5m, 1h, 30s)"
+                ordered:
+                  type: boolean
+                  description: Whether steps must occur in order
+                within:
+                  type: string
+                  description: Maximum time span for the full sequence
+                steps:
+                  type: array
+                  items:
+                    type: object
+                  description: Ordered list of conditions that form the attack sequence
+
+      condition:
+        type: string
+        description: >
+          How to combine conditions. Use "any" or "or" for match-any,
+          "all" or "and" for match-all.
+          Example: "pattern_match AND behavioral"
+
+      false_positives:
+        type: array
+        items:
+          type: string
+        description: Known scenarios that may trigger false positives
+
+  # === Response Actions (ATR-specific, not in Sigma) ===
+
+  response:
+    type: object
+    required: [actions]
+    properties:
+      actions:
+        type: array
+        items:
+          type: string
+          enum:
+            - block_input        # Reject the user/agent input
+            - block_output       # Suppress the agent output
+            - block_tool         # Prevent the tool call from executing
+            - quarantine_session # Isolate the entire session
+            - reset_context      # Clear agent context/memory
+            - alert              # Send alert to security team
+            - snapshot           # Capture full session state for forensics
+            - escalate           # Escalate to human reviewer
+            - reduce_permissions # Reduce agent's available tools/capabilities
+            - kill_agent         # Terminate the agent process
+        description: Actions to take when the rule triggers
+      auto_response_threshold:
+        type: string
+        enum:
+          - low
+          - medium
+          - high
+          - critical
+        description: >
+          Severity threshold for automatic response.
+          Below this threshold, only alert; above, execute response actions.
+      message_template:
+        type: string
+        description: >
+          Template for alert messages. Supports placeholders:
+          {matched_pattern}, {truncated_input}, {truncated_output},
+          {source_ip_or_user}, {tool_name}, {mcp_server_url},
+          {rule_id}, {severity}
+
+  # === Test Cases ===
+
+  test_cases:
+    type: object
+    description: Validation test cases shipped with the rule
+    properties:
+      true_positives:
+        type: array
+        items:
+          type: object
+          properties:
+            input:
+              type: string
+            tool_response:
+              type: string
+            agent_output:
+              type: string
+            expected:
+              type: string
+              enum: [triggered]
+            description:
+              type: string
+        description: Inputs that SHOULD trigger this rule
+      true_negatives:
+        type: array
+        items:
+          type: object
+          properties:
+            input:
+              type: string
+            tool_response:
+              type: string
+            agent_output:
+              type: string
+            expected:
+              type: string
+              enum: [not_triggered]
+            description:
+              type: string
+        description: Inputs that should NOT trigger this rule
+
+  # === Evasion Tests ===
+
+  evasion_tests:
+    type: array
+    description: Optional test cases for known evasion/bypass techniques
+    items:
+      type: object
+      properties:
+        input:
+          type: string
+          description: The evasion attempt input
+        expected:
+          type: string
+          description: Expected detection outcome
+        bypass_technique:
+          type: string
+          description: Name or description of the bypass technique used
+        notes:
+          type: string
+          description: Additional notes about the evasion test