dd-trace 2.31.0 → 2.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58) hide show
  1. package/package.json +6 -6
  2. package/packages/datadog-instrumentations/src/body-parser.js +15 -9
  3. package/packages/datadog-instrumentations/src/express.js +32 -0
  4. package/packages/datadog-instrumentations/src/http/server.js +2 -1
  5. package/packages/datadog-instrumentations/src/playwright.js +3 -0
  6. package/packages/datadog-plugin-amqp10/src/consumer.js +1 -3
  7. package/packages/datadog-plugin-amqp10/src/producer.js +1 -3
  8. package/packages/datadog-plugin-amqplib/src/client.js +4 -3
  9. package/packages/datadog-plugin-amqplib/src/consumer.js +1 -3
  10. package/packages/datadog-plugin-amqplib/src/producer.js +1 -3
  11. package/packages/datadog-plugin-google-cloud-pubsub/src/client.js +4 -3
  12. package/packages/datadog-plugin-google-cloud-pubsub/src/consumer.js +1 -3
  13. package/packages/datadog-plugin-google-cloud-pubsub/src/producer.js +1 -3
  14. package/packages/datadog-plugin-http/src/server.js +2 -2
  15. package/packages/datadog-plugin-http2/src/server.js +0 -5
  16. package/packages/datadog-plugin-kafkajs/src/consumer.js +1 -4
  17. package/packages/datadog-plugin-kafkajs/src/producer.js +1 -3
  18. package/packages/datadog-plugin-rhea/src/consumer.js +1 -3
  19. package/packages/datadog-plugin-rhea/src/producer.js +1 -5
  20. package/packages/dd-trace/src/appsec/addresses.js +0 -3
  21. package/packages/dd-trace/src/appsec/blocked_templates.js +2 -9
  22. package/packages/dd-trace/src/appsec/blocking.js +1 -1
  23. package/packages/dd-trace/src/appsec/{gateway/channels.js → channels.js} +4 -4
  24. package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js +1 -1
  25. package/packages/dd-trace/src/appsec/index.js +87 -79
  26. package/packages/dd-trace/src/appsec/recommended.json +448 -121
  27. package/packages/dd-trace/src/appsec/remote_config/apply_states.js +7 -0
  28. package/packages/dd-trace/src/appsec/remote_config/capabilities.js +2 -0
  29. package/packages/dd-trace/src/appsec/remote_config/index.js +29 -10
  30. package/packages/dd-trace/src/appsec/remote_config/manager.js +33 -12
  31. package/packages/dd-trace/src/appsec/reporter.js +27 -58
  32. package/packages/dd-trace/src/appsec/rule_manager.js +160 -32
  33. package/packages/dd-trace/src/appsec/sdk/user_blocking.js +4 -12
  34. package/packages/dd-trace/src/appsec/waf/index.js +75 -0
  35. package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js +57 -0
  36. package/packages/dd-trace/src/appsec/waf/waf_manager.js +66 -0
  37. package/packages/dd-trace/src/config.js +17 -1
  38. package/packages/dd-trace/src/encode/0.4.js +12 -4
  39. package/packages/dd-trace/src/plugin_manager.js +2 -0
  40. package/packages/dd-trace/src/plugins/client.js +3 -2
  41. package/packages/dd-trace/src/plugins/consumer.js +17 -2
  42. package/packages/dd-trace/src/plugins/inbound.js +7 -0
  43. package/packages/dd-trace/src/plugins/{outgoing.js → outbound.js} +2 -2
  44. package/packages/dd-trace/src/plugins/producer.js +17 -2
  45. package/packages/dd-trace/src/plugins/server.js +2 -2
  46. package/packages/dd-trace/src/plugins/tracing.js +11 -0
  47. package/packages/dd-trace/src/service-naming/index.js +41 -0
  48. package/packages/dd-trace/src/service-naming/schemas/definition.js +28 -0
  49. package/packages/dd-trace/src/service-naming/schemas/index.js +6 -0
  50. package/packages/dd-trace/src/service-naming/schemas/v0.js +66 -0
  51. package/packages/dd-trace/src/service-naming/schemas/v1.js +58 -0
  52. package/packages/dd-trace/src/appsec/callbacks/ddwaf.js +0 -137
  53. package/packages/dd-trace/src/appsec/callbacks/index.js +0 -7
  54. package/packages/dd-trace/src/appsec/gateway/als.js +0 -6
  55. package/packages/dd-trace/src/appsec/gateway/engine/engine.js +0 -140
  56. package/packages/dd-trace/src/appsec/gateway/engine/index.js +0 -51
  57. package/packages/dd-trace/src/appsec/gateway/engine/runner.js +0 -42
  58. package/packages/dd-trace/src/plugins/incoming.js +0 -7
package/packages/dd-trace/src/appsec/recommended.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.6.0"
4
+ "rules_version": "1.7.0"
5
5
  },
6
6
  "rules": [
7
7
  {
@@ -58,10 +58,11 @@
58
58
  "id": "crs-913-110",
59
59
  "name": "Acunetix",
60
60
  "tags": {
61
- "type": "security_scanner",
61
+ "type": "commercial_scanner",
62
62
  "crs_id": "913110",
63
63
  "category": "attack_attempt",
64
- "confidence": "1"
64
+ "tool_name": "Acunetix",
65
+ "confidence": "0"
65
66
  },
66
67
  "conditions": [
67
68
  {
@@ -2698,7 +2699,7 @@
2698
2699
  "address": "grpc.server.request.message"
2699
2700
  }
2700
2701
  ],
2701
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
2702
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
2702
2703
  "options": {
2703
2704
  "case_sensitive": true,
2704
2705
  "min_length": 5
@@ -4385,6 +4386,256 @@
4385
4386
  ],
4386
4387
  "transformers": []
4387
4388
  },
4389
+ {
4390
+ "id": "dog-913-001",
4391
+ "name": "BurpCollaborator OOB domain",
4392
+ "tags": {
4393
+ "type": "security_scanner",
4394
+ "category": "attack_attempt",
4395
+ "tool_name": "BurpCollaborator",
4396
+ "confidence": "1"
4397
+ },
4398
+ "conditions": [
4399
+ {
4400
+ "parameters": {
4401
+ "inputs": [
4402
+ {
4403
+ "address": "server.request.query"
4404
+ },
4405
+ {
4406
+ "address": "server.request.body"
4407
+ },
4408
+ {
4409
+ "address": "server.request.path_params"
4410
+ },
4411
+ {
4412
+ "address": "server.request.headers.no_cookies"
4413
+ },
4414
+ {
4415
+ "address": "grpc.server.request.message"
4416
+ }
4417
+ ],
4418
+ "regex": "\\b(?:burpcollaborator\\.net|oastify\\.com)\\b"
4419
+ },
4420
+ "operator": "match_regex"
4421
+ }
4422
+ ],
4423
+ "transformers": []
4424
+ },
4425
+ {
4426
+ "id": "dog-913-002",
4427
+ "name": "Qualys OOB domain",
4428
+ "tags": {
4429
+ "type": "commercial_scanner",
4430
+ "category": "attack_attempt",
4431
+ "tool_name": "Qualys",
4432
+ "confidence": "0"
4433
+ },
4434
+ "conditions": [
4435
+ {
4436
+ "parameters": {
4437
+ "inputs": [
4438
+ {
4439
+ "address": "server.request.query"
4440
+ },
4441
+ {
4442
+ "address": "server.request.body"
4443
+ },
4444
+ {
4445
+ "address": "server.request.path_params"
4446
+ },
4447
+ {
4448
+ "address": "server.request.headers.no_cookies"
4449
+ },
4450
+ {
4451
+ "address": "grpc.server.request.message"
4452
+ }
4453
+ ],
4454
+ "regex": "\\bqualysperiscope\\.com\\b"
4455
+ },
4456
+ "operator": "match_regex"
4457
+ }
4458
+ ],
4459
+ "transformers": []
4460
+ },
4461
+ {
4462
+ "id": "dog-913-003",
4463
+ "name": "Probely OOB domain",
4464
+ "tags": {
4465
+ "type": "commercial_scanner",
4466
+ "category": "attack_attempt",
4467
+ "tool_name": "Probely",
4468
+ "confidence": "0"
4469
+ },
4470
+ "conditions": [
4471
+ {
4472
+ "parameters": {
4473
+ "inputs": [
4474
+ {
4475
+ "address": "server.request.query"
4476
+ },
4477
+ {
4478
+ "address": "server.request.body"
4479
+ },
4480
+ {
4481
+ "address": "server.request.path_params"
4482
+ },
4483
+ {
4484
+ "address": "server.request.headers.no_cookies"
4485
+ },
4486
+ {
4487
+ "address": "grpc.server.request.message"
4488
+ }
4489
+ ],
4490
+ "regex": "\\bprbly\\.win\\b"
4491
+ },
4492
+ "operator": "match_regex"
4493
+ }
4494
+ ],
4495
+ "transformers": []
4496
+ },
4497
+ {
4498
+ "id": "dog-913-004",
4499
+ "name": "Known malicious out-of-band interaction domain",
4500
+ "tags": {
4501
+ "type": "security_scanner",
4502
+ "category": "attack_attempt",
4503
+ "confidence": "1"
4504
+ },
4505
+ "conditions": [
4506
+ {
4507
+ "parameters": {
4508
+ "inputs": [
4509
+ {
4510
+ "address": "server.request.query"
4511
+ },
4512
+ {
4513
+ "address": "server.request.body"
4514
+ },
4515
+ {
4516
+ "address": "server.request.path_params"
4517
+ },
4518
+ {
4519
+ "address": "server.request.headers.no_cookies"
4520
+ },
4521
+ {
4522
+ "address": "grpc.server.request.message"
4523
+ }
4524
+ ],
4525
+ "regex": "\\b(?:webhook\\.site|\\.canarytokens\\.com|vii\\.one|act1on3\\.ru|gdsburp\\.com)\\b"
4526
+ },
4527
+ "operator": "match_regex"
4528
+ }
4529
+ ],
4530
+ "transformers": []
4531
+ },
4532
+ {
4533
+ "id": "dog-913-005",
4534
+ "name": "Known suspicious out-of-band interaction domain",
4535
+ "tags": {
4536
+ "type": "security_scanner",
4537
+ "category": "attack_attempt",
4538
+ "confidence": "0"
4539
+ },
4540
+ "conditions": [
4541
+ {
4542
+ "parameters": {
4543
+ "inputs": [
4544
+ {
4545
+ "address": "server.request.query"
4546
+ },
4547
+ {
4548
+ "address": "server.request.body"
4549
+ },
4550
+ {
4551
+ "address": "server.request.path_params"
4552
+ },
4553
+ {
4554
+ "address": "server.request.headers.no_cookies"
4555
+ },
4556
+ {
4557
+ "address": "grpc.server.request.message"
4558
+ }
4559
+ ],
4560
+ "regex": "\\b(?:\\.ngrok\\.io|requestbin\\.com|requestbin\\.net)\\b"
4561
+ },
4562
+ "operator": "match_regex"
4563
+ }
4564
+ ],
4565
+ "transformers": []
4566
+ },
4567
+ {
4568
+ "id": "dog-913-006",
4569
+ "name": "Rapid7 OOB domain",
4570
+ "tags": {
4571
+ "type": "commercial_scanner",
4572
+ "category": "attack_attempt",
4573
+ "tool_name": "Rapid7",
4574
+ "confidence": "0"
4575
+ },
4576
+ "conditions": [
4577
+ {
4578
+ "parameters": {
4579
+ "inputs": [
4580
+ {
4581
+ "address": "server.request.query"
4582
+ },
4583
+ {
4584
+ "address": "server.request.body"
4585
+ },
4586
+ {
4587
+ "address": "server.request.path_params"
4588
+ },
4589
+ {
4590
+ "address": "server.request.headers.no_cookies"
4591
+ },
4592
+ {
4593
+ "address": "grpc.server.request.message"
4594
+ }
4595
+ ],
4596
+ "regex": "\\bappspidered\\.rapid7\\."
4597
+ },
4598
+ "operator": "match_regex"
4599
+ }
4600
+ ],
4601
+ "transformers": []
4602
+ },
4603
+ {
4604
+ "id": "dog-913-007",
4605
+ "name": "Interact.sh OOB domain",
4606
+ "tags": {
4607
+ "type": "security_scanner",
4608
+ "category": "attack_attempt",
4609
+ "tool_name": "interact.sh",
4610
+ "confidence": "1"
4611
+ },
4612
+ "conditions": [
4613
+ {
4614
+ "parameters": {
4615
+ "inputs": [
4616
+ {
4617
+ "address": "server.request.query"
4618
+ },
4619
+ {
4620
+ "address": "server.request.body"
4621
+ },
4622
+ {
4623
+ "address": "server.request.path_params"
4624
+ },
4625
+ {
4626
+ "address": "server.request.headers.no_cookies"
4627
+ },
4628
+ {
4629
+ "address": "grpc.server.request.message"
4630
+ }
4631
+ ],
4632
+ "regex": "\\b(?:interact\\.sh|oast\\.(?:pro|live|site|online|fun|me))\\b"
4633
+ },
4634
+ "operator": "match_regex"
4635
+ }
4636
+ ],
4637
+ "transformers": []
4638
+ },
4388
4639
  {
4389
4640
  "id": "dog-931-001",
4390
4641
  "name": "RFI: URL Payload to well known RFI target",
@@ -5440,6 +5691,7 @@
5440
5691
  "tags": {
5441
5692
  "type": "security_scanner",
5442
5693
  "category": "attack_attempt",
5694
+ "tool_name": "Joomla exploitation tool",
5443
5695
  "confidence": "1"
5444
5696
  },
5445
5697
  "conditions": [
@@ -5466,6 +5718,7 @@
5466
5718
  "tags": {
5467
5719
  "type": "security_scanner",
5468
5720
  "category": "attack_attempt",
5721
+ "tool_name": "Nessus",
5469
5722
  "confidence": "1"
5470
5723
  },
5471
5724
  "conditions": [
@@ -5492,6 +5745,7 @@
5492
5745
  "tags": {
5493
5746
  "type": "security_scanner",
5494
5747
  "category": "attack_attempt",
5748
+ "tool_name": "Arachni",
5495
5749
  "confidence": "1"
5496
5750
  },
5497
5751
  "conditions": [
@@ -5518,6 +5772,7 @@
5518
5772
  "tags": {
5519
5773
  "type": "security_scanner",
5520
5774
  "category": "attack_attempt",
5775
+ "tool_name": "Jorgee",
5521
5776
  "confidence": "1"
5522
5777
  },
5523
5778
  "conditions": [
@@ -5542,9 +5797,10 @@
5542
5797
  "id": "ua0-600-14x",
5543
5798
  "name": "Probely",
5544
5799
  "tags": {
5545
- "type": "security_scanner",
5800
+ "type": "commercial_scanner",
5546
5801
  "category": "attack_attempt",
5547
- "confidence": "1"
5802
+ "tool_name": "Probely",
5803
+ "confidence": "0"
5548
5804
  },
5549
5805
  "conditions": [
5550
5806
  {
@@ -5570,6 +5826,7 @@
5570
5826
  "tags": {
5571
5827
  "type": "security_scanner",
5572
5828
  "category": "attack_attempt",
5829
+ "tool_name": "Metis",
5573
5830
  "confidence": "1"
5574
5831
  },
5575
5832
  "conditions": [
@@ -5596,6 +5853,7 @@
5596
5853
  "tags": {
5597
5854
  "type": "security_scanner",
5598
5855
  "category": "attack_attempt",
5856
+ "tool_name": "SQLPowerInjector",
5599
5857
  "confidence": "1"
5600
5858
  },
5601
5859
  "conditions": [
@@ -5622,6 +5880,7 @@
5622
5880
  "tags": {
5623
5881
  "type": "security_scanner",
5624
5882
  "category": "attack_attempt",
5883
+ "tool_name": "N-Stealth",
5625
5884
  "confidence": "1"
5626
5885
  },
5627
5886
  "conditions": [
@@ -5648,6 +5907,7 @@
5648
5907
  "tags": {
5649
5908
  "type": "security_scanner",
5650
5909
  "category": "attack_attempt",
5910
+ "tool_name": "Brutus",
5651
5911
  "confidence": "1"
5652
5912
  },
5653
5913
  "conditions": [
@@ -5674,6 +5934,7 @@
5674
5934
  "tags": {
5675
5935
  "type": "security_scanner",
5676
5936
  "category": "attack_attempt",
5937
+ "tool_name": "Shellshock",
5677
5938
  "confidence": "1"
5678
5939
  },
5679
5940
  "conditions": [
@@ -5698,9 +5959,10 @@
5698
5959
  "id": "ua0-600-20x",
5699
5960
  "name": "Netsparker",
5700
5961
  "tags": {
5701
- "type": "security_scanner",
5962
+ "type": "commercial_scanner",
5702
5963
  "category": "attack_attempt",
5703
- "confidence": "1"
5964
+ "tool_name": "Netsparker",
5965
+ "confidence": "0"
5704
5966
  },
5705
5967
  "conditions": [
5706
5968
  {
@@ -5713,7 +5975,7 @@
5713
5975
  ]
5714
5976
  }
5715
5977
  ],
5716
- "regex": "(?i)(<script>netsparker\\(0x0|ns:netsparker.*=vuln)"
5978
+ "regex": "\\bnetsparker\\b"
5717
5979
  },
5718
5980
  "operator": "match_regex"
5719
5981
  }
@@ -5726,6 +5988,7 @@
5726
5988
  "tags": {
5727
5989
  "type": "security_scanner",
5728
5990
  "category": "attack_attempt",
5991
+ "tool_name": "JAASCois",
5729
5992
  "confidence": "1"
5730
5993
  },
5731
5994
  "conditions": [
@@ -5746,64 +6009,13 @@
5746
6009
  ],
5747
6010
  "transformers": []
5748
6011
  },
5749
- {
5750
- "id": "ua0-600-23x",
5751
- "name": "PMAFind",
5752
- "tags": {
5753
- "type": "security_scanner",
5754
- "category": "attack_attempt",
5755
- "confidence": "1"
5756
- },
5757
- "conditions": [
5758
- {
5759
- "parameters": {
5760
- "inputs": [
5761
- {
5762
- "address": "server.request.headers.no_cookies",
5763
- "key_path": [
5764
- "user-agent"
5765
- ]
5766
- }
5767
- ],
5768
- "regex": "(?i)\\bpmafind\\b"
5769
- },
5770
- "operator": "match_regex"
5771
- }
5772
- ],
5773
- "transformers": []
5774
- },
5775
- {
5776
- "id": "ua0-600-25x",
5777
- "name": "Webtrends",
5778
- "tags": {
5779
- "type": "security_scanner",
5780
- "category": "attack_attempt",
5781
- "confidence": "1"
5782
- },
5783
- "conditions": [
5784
- {
5785
- "parameters": {
5786
- "inputs": [
5787
- {
5788
- "address": "server.request.headers.no_cookies",
5789
- "key_path": [
5790
- "user-agent"
5791
- ]
5792
- }
5793
- ],
5794
- "regex": "webtrends security analyzer"
5795
- },
5796
- "operator": "match_regex"
5797
- }
5798
- ],
5799
- "transformers": []
5800
- },
5801
6012
  {
5802
6013
  "id": "ua0-600-26x",
5803
6014
  "name": "Nsauditor",
5804
6015
  "tags": {
5805
6016
  "type": "security_scanner",
5806
6017
  "category": "attack_attempt",
6018
+ "tool_name": "Nsauditor",
5807
6019
  "confidence": "1"
5808
6020
  },
5809
6021
  "conditions": [
@@ -5830,6 +6042,7 @@
5830
6042
  "tags": {
5831
6043
  "type": "security_scanner",
5832
6044
  "category": "attack_attempt",
6045
+ "tool_name": "Paros",
5833
6046
  "confidence": "1"
5834
6047
  },
5835
6048
  "conditions": [
@@ -5856,6 +6069,7 @@
5856
6069
  "tags": {
5857
6070
  "type": "security_scanner",
5858
6071
  "category": "attack_attempt",
6072
+ "tool_name": "DirBuster",
5859
6073
  "confidence": "1"
5860
6074
  },
5861
6075
  "conditions": [
@@ -5882,6 +6096,7 @@
5882
6096
  "tags": {
5883
6097
  "type": "security_scanner",
5884
6098
  "category": "attack_attempt",
6099
+ "tool_name": "Pangolin",
5885
6100
  "confidence": "1"
5886
6101
  },
5887
6102
  "conditions": [
@@ -5906,8 +6121,9 @@
5906
6121
  "id": "ua0-600-2xx",
5907
6122
  "name": "Qualys",
5908
6123
  "tags": {
5909
- "type": "security_scanner",
6124
+ "type": "commercial_scanner",
5910
6125
  "category": "attack_attempt",
6126
+ "tool_name": "Qualys",
5911
6127
  "confidence": "0"
5912
6128
  },
5913
6129
  "conditions": [
@@ -5934,6 +6150,7 @@
5934
6150
  "tags": {
5935
6151
  "type": "security_scanner",
5936
6152
  "category": "attack_attempt",
6153
+ "tool_name": "SQLNinja",
5937
6154
  "confidence": "1"
5938
6155
  },
5939
6156
  "conditions": [
@@ -5960,6 +6177,7 @@
5960
6177
  "tags": {
5961
6178
  "type": "security_scanner",
5962
6179
  "category": "attack_attempt",
6180
+ "tool_name": "Nikto",
5963
6181
  "confidence": "1"
5964
6182
  },
5965
6183
  "conditions": [
@@ -5980,38 +6198,13 @@
5980
6198
  ],
5981
6199
  "transformers": []
5982
6200
  },
5983
- {
5984
- "id": "ua0-600-32x",
5985
- "name": "WebInspect",
5986
- "tags": {
5987
- "type": "security_scanner",
5988
- "category": "attack_attempt",
5989
- "confidence": "1"
5990
- },
5991
- "conditions": [
5992
- {
5993
- "parameters": {
5994
- "inputs": [
5995
- {
5996
- "address": "server.request.headers.no_cookies",
5997
- "key_path": [
5998
- "user-agent"
5999
- ]
6000
- }
6001
- ],
6002
- "regex": "(?i)\\bwebinspect\\b"
6003
- },
6004
- "operator": "match_regex"
6005
- }
6006
- ],
6007
- "transformers": []
6008
- },
6009
6201
  {
6010
6202
  "id": "ua0-600-33x",
6011
6203
  "name": "BlackWidow",
6012
6204
  "tags": {
6013
6205
  "type": "security_scanner",
6014
6206
  "category": "attack_attempt",
6207
+ "tool_name": "BlackWidow",
6015
6208
  "confidence": "1"
6016
6209
  },
6017
6210
  "conditions": [
@@ -6038,6 +6231,7 @@
6038
6231
  "tags": {
6039
6232
  "type": "security_scanner",
6040
6233
  "category": "attack_attempt",
6234
+ "tool_name": "Grendel-Scan",
6041
6235
  "confidence": "1"
6042
6236
  },
6043
6237
  "conditions": [
@@ -6064,6 +6258,7 @@
6064
6258
  "tags": {
6065
6259
  "type": "security_scanner",
6066
6260
  "category": "attack_attempt",
6261
+ "tool_name": "Havij",
6067
6262
  "confidence": "1"
6068
6263
  },
6069
6264
  "conditions": [
@@ -6090,6 +6285,7 @@
6090
6285
  "tags": {
6091
6286
  "type": "security_scanner",
6092
6287
  "category": "attack_attempt",
6288
+ "tool_name": "w3af",
6093
6289
  "confidence": "1"
6094
6290
  },
6095
6291
  "conditions": [
@@ -6116,6 +6312,7 @@
6116
6312
  "tags": {
6117
6313
  "type": "security_scanner",
6118
6314
  "category": "attack_attempt",
6315
+ "tool_name": "Nmap",
6119
6316
  "confidence": "1"
6120
6317
  },
6121
6318
  "conditions": [
@@ -6142,6 +6339,7 @@
6142
6339
  "tags": {
6143
6340
  "type": "security_scanner",
6144
6341
  "category": "attack_attempt",
6342
+ "tool_name": "Nessus",
6145
6343
  "confidence": "1"
6146
6344
  },
6147
6345
  "conditions": [
@@ -6155,7 +6353,7 @@
6155
6353
  ]
6156
6354
  }
6157
6355
  ],
6158
- "regex": "(?i)^'?[a-z0-9]+\\.nasl'?$"
6356
+ "regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$"
6159
6357
  },
6160
6358
  "operator": "match_regex"
6161
6359
  }
@@ -6168,6 +6366,7 @@
6168
6366
  "tags": {
6169
6367
  "type": "security_scanner",
6170
6368
  "category": "attack_attempt",
6369
+ "tool_name": "EvilScanner",
6171
6370
  "confidence": "1"
6172
6371
  },
6173
6372
  "conditions": [
@@ -6194,6 +6393,7 @@
6194
6393
  "tags": {
6195
6394
  "type": "security_scanner",
6196
6395
  "category": "attack_attempt",
6396
+ "tool_name": "WebFuck",
6197
6397
  "confidence": "1"
6198
6398
  },
6199
6399
  "conditions": [
@@ -6220,6 +6420,7 @@
6220
6420
  "tags": {
6221
6421
  "type": "security_scanner",
6222
6422
  "category": "attack_attempt",
6423
+ "tool_name": "OpenVAS",
6223
6424
  "confidence": "1"
6224
6425
  },
6225
6426
  "conditions": [
@@ -6246,6 +6447,7 @@
6246
6447
  "tags": {
6247
6448
  "type": "security_scanner",
6248
6449
  "category": "attack_attempt",
6450
+ "tool_name": "Spider-Pig",
6249
6451
  "confidence": "1"
6250
6452
  },
6251
6453
  "conditions": [
@@ -6272,6 +6474,7 @@
6272
6474
  "tags": {
6273
6475
  "type": "security_scanner",
6274
6476
  "category": "attack_attempt",
6477
+ "tool_name": "Zgrab",
6275
6478
  "confidence": "1"
6276
6479
  },
6277
6480
  "conditions": [
@@ -6298,6 +6501,7 @@
6298
6501
  "tags": {
6299
6502
  "type": "security_scanner",
6300
6503
  "category": "attack_attempt",
6504
+ "tool_name": "Zmeu",
6301
6505
  "confidence": "1"
6302
6506
  },
6303
6507
  "conditions": [
@@ -6318,39 +6522,14 @@
6318
6522
  ],
6319
6523
  "transformers": []
6320
6524
  },
6321
- {
6322
- "id": "ua0-600-46x",
6323
- "name": "Crowdstrike",
6324
- "tags": {
6325
- "type": "security_scanner",
6326
- "category": "attack_attempt",
6327
- "confidence": "1"
6328
- },
6329
- "conditions": [
6330
- {
6331
- "parameters": {
6332
- "inputs": [
6333
- {
6334
- "address": "server.request.headers.no_cookies",
6335
- "key_path": [
6336
- "user-agent"
6337
- ]
6338
- }
6339
- ],
6340
- "regex": "(?i)\\bcrowdstrike\\b"
6341
- },
6342
- "operator": "match_regex"
6343
- }
6344
- ],
6345
- "transformers": []
6346
- },
6347
6525
  {
6348
6526
  "id": "ua0-600-47x",
6349
6527
  "name": "GoogleSecurityScanner",
6350
6528
  "tags": {
6351
- "type": "security_scanner",
6529
+ "type": "commercial_scanner",
6352
6530
  "category": "attack_attempt",
6353
- "confidence": "1"
6531
+ "tool_name": "GoogleSecurityScanner",
6532
+ "confidence": "0"
6354
6533
  },
6355
6534
  "conditions": [
6356
6535
  {
@@ -6376,6 +6555,7 @@
6376
6555
  "tags": {
6377
6556
  "type": "security_scanner",
6378
6557
  "category": "attack_attempt",
6558
+ "tool_name": "Commix",
6379
6559
  "confidence": "1"
6380
6560
  },
6381
6561
  "conditions": [
@@ -6402,6 +6582,7 @@
6402
6582
  "tags": {
6403
6583
  "type": "security_scanner",
6404
6584
  "category": "attack_attempt",
6585
+ "tool_name": "Gobuster",
6405
6586
  "confidence": "1"
6406
6587
  },
6407
6588
  "conditions": [
@@ -6428,6 +6609,7 @@
6428
6609
  "tags": {
6429
6610
  "type": "security_scanner",
6430
6611
  "category": "attack_attempt",
6612
+ "tool_name": "CGIchk",
6431
6613
  "confidence": "1"
6432
6614
  },
6433
6615
  "conditions": [
@@ -6454,6 +6636,7 @@
6454
6636
  "tags": {
6455
6637
  "type": "security_scanner",
6456
6638
  "category": "attack_attempt",
6639
+ "tool_name": "FFUF",
6457
6640
  "confidence": "1"
6458
6641
  },
6459
6642
  "conditions": [
@@ -6480,6 +6663,7 @@
6480
6663
  "tags": {
6481
6664
  "type": "security_scanner",
6482
6665
  "category": "attack_attempt",
6666
+ "tool_name": "Nuclei",
6483
6667
  "confidence": "1"
6484
6668
  },
6485
6669
  "conditions": [
@@ -6506,6 +6690,7 @@
6506
6690
  "tags": {
6507
6691
  "type": "security_scanner",
6508
6692
  "category": "attack_attempt",
6693
+ "tool_name": "Tsunami",
6509
6694
  "confidence": "1"
6510
6695
  },
6511
6696
  "conditions": [
@@ -6532,6 +6717,7 @@
6532
6717
  "tags": {
6533
6718
  "type": "security_scanner",
6534
6719
  "category": "attack_attempt",
6720
+ "tool_name": "Nimbostratus",
6535
6721
  "confidence": "1"
6536
6722
  },
6537
6723
  "conditions": [
@@ -6558,6 +6744,7 @@
6558
6744
  "tags": {
6559
6745
  "type": "security_scanner",
6560
6746
  "category": "attack_attempt",
6747
+ "tool_name": "Datadog Canary Test",
6561
6748
  "confidence": "1"
6562
6749
  },
6563
6750
  "conditions": [
@@ -6577,7 +6764,7 @@
6577
6764
  ]
6578
6765
  }
6579
6766
  ],
6580
- "regex": "^dd-test-scanner-log$"
6767
+ "regex": "^dd-test-scanner-log(?:$|/|\\s)"
6581
6768
  },
6582
6769
  "operator": "match_regex"
6583
6770
  }
@@ -6590,6 +6777,7 @@
6590
6777
  "tags": {
6591
6778
  "type": "security_scanner",
6592
6779
  "category": "attack_attempt",
6780
+ "tool_name": "Datadog Canary Test",
6593
6781
  "confidence": "1"
6594
6782
  },
6595
6783
  "conditions": [
@@ -6609,7 +6797,7 @@
6609
6797
  ]
6610
6798
  }
6611
6799
  ],
6612
- "regex": "^dd-test-scanner-log-block$"
6800
+ "regex": "^dd-test-scanner-log-block(?:$|/|\\s)"
6613
6801
  },
6614
6802
  "operator": "match_regex"
6615
6803
  }
@@ -6623,8 +6811,9 @@
6623
6811
  "id": "ua0-600-57x",
6624
6812
  "name": "AlertLogic",
6625
6813
  "tags": {
6626
- "type": "security_scanner",
6814
+ "type": "commercial_scanner",
6627
6815
  "category": "attack_attempt",
6816
+ "tool_name": "AlertLogic",
6628
6817
  "confidence": "0"
6629
6818
  },
6630
6819
  "conditions": [
@@ -6645,12 +6834,67 @@
6645
6834
  ],
6646
6835
  "transformers": []
6647
6836
  },
6837
+ {
6838
+ "id": "ua0-600-58x",
6839
+ "name": "wfuzz",
6840
+ "tags": {
6841
+ "type": "security_scanner",
6842
+ "category": "attack_attempt",
6843
+ "tool_name": "wfuzz",
6844
+ "confidence": "1"
6845
+ },
6846
+ "conditions": [
6847
+ {
6848
+ "parameters": {
6849
+ "inputs": [
6850
+ {
6851
+ "address": "server.request.headers.no_cookies",
6852
+ "key_path": [
6853
+ "user-agent"
6854
+ ]
6855
+ }
6856
+ ],
6857
+ "regex": "\\bwfuzz\\b"
6858
+ },
6859
+ "operator": "match_regex"
6860
+ }
6861
+ ],
6862
+ "transformers": []
6863
+ },
6864
+ {
6865
+ "id": "ua0-600-59x",
6866
+ "name": "Detectify",
6867
+ "tags": {
6868
+ "type": "commercial_scanner",
6869
+ "category": "attack_attempt",
6870
+ "tool_name": "Detectify",
6871
+ "confidence": "0"
6872
+ },
6873
+ "conditions": [
6874
+ {
6875
+ "parameters": {
6876
+ "inputs": [
6877
+ {
6878
+ "address": "server.request.headers.no_cookies",
6879
+ "key_path": [
6880
+ "user-agent"
6881
+ ]
6882
+ }
6883
+ ],
6884
+ "regex": "\\bdetectify\\b"
6885
+ },
6886
+ "operator": "match_regex"
6887
+ }
6888
+ ],
6889
+ "transformers": []
6890
+ },
6648
6891
  {
6649
6892
  "id": "ua0-600-5xx",
6650
6893
  "name": "Blind SQL Injection Brute Forcer",
6651
6894
  "tags": {
6652
6895
  "type": "security_scanner",
6653
6896
  "category": "attack_attempt",
6897
+ "tool_name": "BSQLBF",
6654
6898
  "confidence": "1"
6655
6899
  },
6656
6900
  "conditions": [
@@ -6671,9 +6915,90 @@
6671
6915
  ],
6672
6916
  "transformers": []
6673
6917
  },
6918
+ {
6919
+ "id": "ua0-600-60x",
6920
+ "name": "masscan",
6921
+ "tags": {
6922
+ "type": "security_scanner",
6923
+ "category": "attack_attempt",
6924
+ "tool_name": "masscan",
6925
+ "confidence": "1"
6926
+ },
6927
+ "conditions": [
6928
+ {
6929
+ "parameters": {
6930
+ "inputs": [
6931
+ {
6932
+ "address": "server.request.headers.no_cookies",
6933
+ "key_path": [
6934
+ "user-agent"
6935
+ ]
6936
+ }
6937
+ ],
6938
+ "regex": "^masscan/"
6939
+ },
6940
+ "operator": "match_regex"
6941
+ }
6942
+ ],
6943
+ "transformers": []
6944
+ },
6945
+ {
6946
+ "id": "ua0-600-61x",
6947
+ "name": "WPScan",
6948
+ "tags": {
6949
+ "type": "security_scanner",
6950
+ "category": "attack_attempt",
6951
+ "tool_name": "WPScan",
6952
+ "confidence": "1"
6953
+ },
6954
+ "conditions": [
6955
+ {
6956
+ "parameters": {
6957
+ "inputs": [
6958
+ {
6959
+ "address": "server.request.headers.no_cookies",
6960
+ "key_path": [
6961
+ "user-agent"
6962
+ ]
6963
+ }
6964
+ ],
6965
+ "regex": "^wpscan\\b"
6966
+ },
6967
+ "operator": "match_regex"
6968
+ }
6969
+ ],
6970
+ "transformers": []
6971
+ },
6972
+ {
6973
+ "id": "ua0-600-62x",
6974
+ "name": "Aon pentesting services",
6975
+ "tags": {
6976
+ "type": "commercial_scanner",
6977
+ "category": "attack_attempt",
6978
+ "tool_name": "Aon",
6979
+ "confidence": "0"
6980
+ },
6981
+ "conditions": [
6982
+ {
6983
+ "parameters": {
6984
+ "inputs": [
6985
+ {
6986
+ "address": "server.request.headers.no_cookies",
6987
+ "key_path": [
6988
+ "user-agent"
6989
+ ]
6990
+ }
6991
+ ],
6992
+ "regex": "^Aon/"
6993
+ },
6994
+ "operator": "match_regex"
6995
+ }
6996
+ ],
6997
+ "transformers": []
6998
+ },
6674
6999
  {
6675
7000
  "id": "ua0-600-6xx",
6676
- "name": "Suspicious user agent",
7001
+ "name": "Stealthy scanner",
6677
7002
  "tags": {
6678
7003
  "type": "security_scanner",
6679
7004
  "category": "attack_attempt",
@@ -6703,6 +7028,7 @@
6703
7028
  "tags": {
6704
7029
  "type": "security_scanner",
6705
7030
  "category": "attack_attempt",
7031
+ "tool_name": "SQLmap",
6706
7032
  "confidence": "1"
6707
7033
  },
6708
7034
  "conditions": [
@@ -6729,6 +7055,7 @@
6729
7055
  "tags": {
6730
7056
  "type": "security_scanner",
6731
7057
  "category": "attack_attempt",
7058
+ "tool_name": "Skipfish",
6732
7059
  "confidence": "1"
6733
7060
  },
6734
7061
  "conditions": [