dd-trace 3.12.1 → 3.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (101) hide show
  1. package/LICENSE-3rdparty.csv +1 -0
  2. package/README.md +5 -5
  3. package/ci/init.js +3 -1
  4. package/index.d.ts +100 -1
  5. package/package.json +5 -4
  6. package/packages/datadog-instrumentations/src/aws-sdk.js +86 -0
  7. package/packages/datadog-instrumentations/src/cucumber.js +74 -15
  8. package/packages/datadog-instrumentations/src/cypress.js +1 -1
  9. package/packages/datadog-instrumentations/src/fs.js +358 -0
  10. package/packages/datadog-instrumentations/src/helpers/hooks.js +4 -0
  11. package/packages/datadog-instrumentations/src/helpers/register.js +1 -1
  12. package/packages/datadog-instrumentations/src/jest.js +24 -23
  13. package/packages/datadog-instrumentations/src/ldapjs.js +12 -2
  14. package/packages/datadog-instrumentations/src/mocha.js +10 -7
  15. package/packages/datadog-instrumentations/src/mongoose.js +1 -1
  16. package/packages/datadog-instrumentations/src/mysql.js +7 -1
  17. package/packages/datadog-instrumentations/src/mysql2.js +7 -1
  18. package/packages/datadog-instrumentations/src/next.js +2 -1
  19. package/packages/datadog-instrumentations/src/playwright.js +263 -0
  20. package/packages/datadog-plugin-aws-sdk/src/base.js +12 -5
  21. package/packages/datadog-plugin-aws-sdk/src/services/kinesis.js +2 -2
  22. package/packages/datadog-plugin-aws-sdk/src/services/sns.js +29 -24
  23. package/packages/datadog-plugin-aws-sdk/src/services/sqs.js +31 -16
  24. package/packages/datadog-plugin-cucumber/src/index.js +42 -11
  25. package/packages/datadog-plugin-cypress/src/plugin.js +129 -4
  26. package/packages/datadog-plugin-cypress/src/support.js +5 -0
  27. package/packages/datadog-plugin-fs/src/index.js +45 -0
  28. package/packages/datadog-plugin-hapi/src/index.js +5 -1
  29. package/packages/datadog-plugin-http/src/server.js +1 -1
  30. package/packages/datadog-plugin-http2/src/server.js +1 -1
  31. package/packages/datadog-plugin-jest/src/index.js +40 -70
  32. package/packages/datadog-plugin-mocha/src/index.js +44 -64
  33. package/packages/datadog-plugin-mysql/src/index.js +8 -7
  34. package/packages/datadog-plugin-playwright/src/index.js +112 -0
  35. package/packages/datadog-shimmer/src/shimmer.js +28 -11
  36. package/packages/dd-trace/src/appsec/addresses.js +3 -1
  37. package/packages/dd-trace/src/appsec/blocking.js +35 -9
  38. package/packages/dd-trace/src/appsec/callbacks/ddwaf.js +1 -1
  39. package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js +1 -0
  40. package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js +60 -0
  41. package/packages/dd-trace/src/appsec/iast/iast-context.js +6 -2
  42. package/packages/dd-trace/src/appsec/iast/index.js +3 -2
  43. package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js +5 -2
  44. package/packages/dd-trace/src/appsec/index.js +5 -5
  45. package/packages/dd-trace/src/appsec/recommended.json +320 -184
  46. package/packages/dd-trace/src/appsec/remote_config/capabilities.js +2 -1
  47. package/packages/dd-trace/src/appsec/remote_config/index.js +3 -0
  48. package/packages/dd-trace/src/appsec/reporter.js +14 -14
  49. package/packages/dd-trace/src/appsec/sdk/index.js +41 -0
  50. package/packages/dd-trace/src/appsec/sdk/noop.js +17 -0
  51. package/packages/dd-trace/src/appsec/sdk/set_user.js +30 -0
  52. package/packages/dd-trace/src/appsec/sdk/track_event.js +74 -0
  53. package/packages/dd-trace/src/appsec/sdk/user_blocking.js +73 -0
  54. package/packages/dd-trace/src/appsec/sdk/utils.js +10 -0
  55. package/packages/dd-trace/src/ci-visibility/exporters/agent-proxy/index.js +1 -5
  56. package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js +1 -5
  57. package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js +48 -11
  58. package/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js +7 -1
  59. package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-itr-configuration.js +4 -2
  60. package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-skippable-suites.js +5 -3
  61. package/packages/dd-trace/src/config.js +63 -7
  62. package/packages/dd-trace/src/encode/0.4.js +1 -1
  63. package/packages/dd-trace/src/encode/0.5.js +1 -1
  64. package/packages/dd-trace/src/encode/agentless-ci-visibility.js +44 -4
  65. package/packages/dd-trace/src/encode/coverage-ci-visibility.js +52 -37
  66. package/packages/dd-trace/src/encode/tags-processors.js +3 -2
  67. package/packages/dd-trace/src/exporters/common/request.js +10 -3
  68. package/packages/dd-trace/src/lambda/handler.js +5 -6
  69. package/packages/dd-trace/src/log/channels.js +47 -0
  70. package/packages/dd-trace/src/log/index.js +79 -0
  71. package/packages/dd-trace/src/log/writer.js +124 -0
  72. package/packages/dd-trace/src/metrics.js +18 -0
  73. package/packages/dd-trace/src/noop/proxy.js +5 -2
  74. package/packages/dd-trace/src/opentracing/propagation/text_map.js +188 -36
  75. package/packages/dd-trace/src/opentracing/propagation/tracestate.js +99 -0
  76. package/packages/dd-trace/src/opentracing/span.js +2 -1
  77. package/packages/dd-trace/src/opentracing/span_context.js +6 -3
  78. package/packages/dd-trace/src/plugins/ci_plugin.js +72 -12
  79. package/packages/dd-trace/src/plugins/index.js +2 -0
  80. package/packages/dd-trace/src/plugins/util/ci.js +13 -21
  81. package/packages/dd-trace/src/plugins/util/exec.js +2 -2
  82. package/packages/dd-trace/src/plugins/util/git.js +16 -1
  83. package/packages/dd-trace/src/{appsec → plugins/util}/ip_extractor.js +1 -1
  84. package/packages/dd-trace/src/plugins/util/test.js +53 -10
  85. package/packages/dd-trace/src/plugins/util/user-provided-git.js +2 -7
  86. package/packages/dd-trace/src/plugins/util/web.js +11 -0
  87. package/packages/dd-trace/src/profiler.js +3 -0
  88. package/packages/dd-trace/src/profiling/config.js +8 -3
  89. package/packages/dd-trace/src/profiling/exporters/file.js +13 -2
  90. package/packages/dd-trace/src/profiling/profiler.js +23 -6
  91. package/packages/dd-trace/src/profiling/profilers/wall.js +1 -0
  92. package/packages/dd-trace/src/proxy.js +2 -0
  93. package/packages/dd-trace/src/span_processor.js +1 -1
  94. package/packages/dd-trace/src/span_sampler.js +68 -52
  95. package/packages/dd-trace/src/startup-log.js +3 -6
  96. package/packages/dd-trace/src/telemetry/index.js +23 -2
  97. package/packages/dd-trace/src/telemetry/send-data.js +4 -1
  98. package/packages/dd-trace/src/tracer.js +0 -16
  99. package/scripts/check-proposal-labels.js +71 -0
  100. package/packages/dd-trace/src/log.js +0 -143
  101. /package/packages/dd-trace/src/{appsec → plugins/util}/ip_blocklist.js +0 -0
package/packages/dd-trace/src/appsec/recommended.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.4.3"
4
+ "rules_version": "1.5.2"
5
5
  },
6
6
  "rules": [
7
7
  {
@@ -29,13 +29,39 @@
29
29
  "block"
30
30
  ]
31
31
  },
32
+ {
33
+ "id": "blk-001-002",
34
+ "name": "Block User Addresses",
35
+ "tags": {
36
+ "type": "block_user",
37
+ "category": "security_response"
38
+ },
39
+ "conditions": [
40
+ {
41
+ "parameters": {
42
+ "inputs": [
43
+ {
44
+ "address": "usr.id"
45
+ }
46
+ ],
47
+ "data": "blocked_users"
48
+ },
49
+ "operator": "exact_match"
50
+ }
51
+ ],
52
+ "transformers": [],
53
+ "on_match": [
54
+ "block"
55
+ ]
56
+ },
32
57
  {
33
58
  "id": "crs-913-110",
34
59
  "name": "Acunetix",
35
60
  "tags": {
36
61
  "type": "security_scanner",
37
62
  "crs_id": "913110",
38
- "category": "attack_attempt"
63
+ "category": "attack_attempt",
64
+ "confidence": "1"
39
65
  },
40
66
  "conditions": [
41
67
  {
@@ -66,7 +92,8 @@
66
92
  "tags": {
67
93
  "type": "security_scanner",
68
94
  "crs_id": "913120",
69
- "category": "attack_attempt"
95
+ "category": "attack_attempt",
96
+ "confidence": "1"
70
97
  },
71
98
  "conditions": [
72
99
  {
@@ -115,7 +142,8 @@
115
142
  "tags": {
116
143
  "type": "http_protocol_violation",
117
144
  "crs_id": "920260",
118
- "category": "attack_attempt"
145
+ "category": "attack_attempt",
146
+ "confidence": "0"
119
147
  },
120
148
  "conditions": [
121
149
  {
@@ -171,33 +199,6 @@
171
199
  "lowercase"
172
200
  ]
173
201
  },
174
- {
175
- "id": "crs-921-140",
176
- "name": "HTTP Header Injection Attack via headers",
177
- "tags": {
178
- "type": "http_protocol_violation",
179
- "crs_id": "921140",
180
- "category": "attack_attempt"
181
- },
182
- "conditions": [
183
- {
184
- "parameters": {
185
- "inputs": [
186
- {
187
- "address": "server.request.headers.no_cookies"
188
- }
189
- ],
190
- "regex": "[\\n\\r]",
191
- "options": {
192
- "case_sensitive": true,
193
- "min_length": 1
194
- }
195
- },
196
- "operator": "match_regex"
197
- }
198
- ],
199
- "transformers": []
200
- },
201
202
  {
202
203
  "id": "crs-921-160",
203
204
  "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
@@ -217,7 +218,7 @@
217
218
  "address": "server.request.path_params"
218
219
  }
219
220
  ],
220
- "regex": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:",
221
+ "regex": "[\\n\\r]+(?:refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|via|remote-ip|remote-addr|originating-IP))\\s*:",
221
222
  "options": {
222
223
  "case_sensitive": true,
223
224
  "min_length": 3
@@ -236,7 +237,8 @@
236
237
  "tags": {
237
238
  "type": "lfi",
238
239
  "crs_id": "930100",
239
- "category": "attack_attempt"
240
+ "category": "attack_attempt",
241
+ "confidence": "1"
240
242
  },
241
243
  "conditions": [
242
244
  {
@@ -249,7 +251,7 @@
249
251
  "address": "server.request.headers.no_cookies"
250
252
  }
251
253
  ],
252
- "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
254
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01])?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
253
255
  "options": {
254
256
  "min_length": 4
255
257
  }
@@ -267,7 +269,8 @@
267
269
  "tags": {
268
270
  "type": "lfi",
269
271
  "crs_id": "930110",
270
- "category": "attack_attempt"
272
+ "category": "attack_attempt",
273
+ "confidence": "1"
271
274
  },
272
275
  "conditions": [
273
276
  {
@@ -299,7 +302,8 @@
299
302
  "tags": {
300
303
  "type": "lfi",
301
304
  "crs_id": "930120",
302
- "category": "attack_attempt"
305
+ "category": "attack_attempt",
306
+ "confidence": "1"
303
307
  },
304
308
  "conditions": [
305
309
  {
@@ -1347,16 +1351,11 @@
1347
1351
  "etc/timezone",
1348
1352
  "etc/modules",
1349
1353
  "etc/passwd",
1350
- "etc/passwd~",
1351
- "etc/passwd-",
1352
1354
  "etc/shadow",
1353
- "etc/shadow~",
1354
- "etc/shadow-",
1355
1355
  "etc/fstab",
1356
1356
  "etc/motd",
1357
1357
  "etc/hosts",
1358
1358
  "etc/group",
1359
- "etc/group-",
1360
1359
  "etc/alias",
1361
1360
  "etc/crontab",
1362
1361
  "etc/crypttab",
@@ -1760,7 +1759,8 @@
1760
1759
  "tags": {
1761
1760
  "type": "rfi",
1762
1761
  "crs_id": "931110",
1763
- "category": "attack_attempt"
1762
+ "category": "attack_attempt",
1763
+ "confidence": "1"
1764
1764
  },
1765
1765
  "conditions": [
1766
1766
  {
@@ -1802,7 +1802,7 @@
1802
1802
  "address": "server.request.path_params"
1803
1803
  }
1804
1804
  ],
1805
- "regex": "^(?i:file|ftps?|http)://.*?\\?+$",
1805
+ "regex": "^(?i:file|ftps?)://.*?\\?+$",
1806
1806
  "options": {
1807
1807
  "case_sensitive": true,
1808
1808
  "min_length": 4
@@ -1819,7 +1819,8 @@
1819
1819
  "tags": {
1820
1820
  "type": "command_injection",
1821
1821
  "crs_id": "932160",
1822
- "category": "attack_attempt"
1822
+ "category": "attack_attempt",
1823
+ "confidence": "1"
1823
1824
  },
1824
1825
  "conditions": [
1825
1826
  {
@@ -1865,11 +1866,8 @@
1865
1866
  "dev/tcp/",
1866
1867
  "dev/udp/",
1867
1868
  "dev/zero",
1868
- "etc/group",
1869
1869
  "etc/master.passwd",
1870
- "etc/passwd",
1871
1870
  "etc/pwd.db",
1872
- "etc/shadow",
1873
1871
  "etc/shells",
1874
1872
  "etc/spwd.db",
1875
1873
  "proc/self/",
@@ -2322,7 +2320,8 @@
2322
2320
  "tags": {
2323
2321
  "type": "command_injection",
2324
2322
  "crs_id": "932171",
2325
- "category": "attack_attempt"
2323
+ "category": "attack_attempt",
2324
+ "confidence": "1"
2326
2325
  },
2327
2326
  "conditions": [
2328
2327
  {
@@ -2361,7 +2360,8 @@
2361
2360
  "tags": {
2362
2361
  "type": "command_injection",
2363
2362
  "crs_id": "932180",
2364
- "category": "attack_attempt"
2363
+ "category": "attack_attempt",
2364
+ "confidence": "1"
2365
2365
  },
2366
2366
  "conditions": [
2367
2367
  {
@@ -2419,7 +2419,8 @@
2419
2419
  "tags": {
2420
2420
  "type": "unrestricted_file_upload",
2421
2421
  "crs_id": "933111",
2422
- "category": "attack_attempt"
2422
+ "category": "attack_attempt",
2423
+ "confidence": "1"
2423
2424
  },
2424
2425
  "conditions": [
2425
2426
  {
@@ -2469,7 +2470,8 @@
2469
2470
  "tags": {
2470
2471
  "type": "php_code_injection",
2471
2472
  "crs_id": "933130",
2472
- "category": "attack_attempt"
2473
+ "category": "attack_attempt",
2474
+ "confidence": "1"
2473
2475
  },
2474
2476
  "conditions": [
2475
2477
  {
@@ -2561,7 +2563,8 @@
2561
2563
  "tags": {
2562
2564
  "type": "php_code_injection",
2563
2565
  "crs_id": "933140",
2564
- "category": "attack_attempt"
2566
+ "category": "attack_attempt",
2567
+ "confidence": "1"
2565
2568
  },
2566
2569
  "conditions": [
2567
2570
  {
@@ -2596,7 +2599,8 @@
2596
2599
  "tags": {
2597
2600
  "type": "php_code_injection",
2598
2601
  "crs_id": "933150",
2599
- "category": "attack_attempt"
2602
+ "category": "attack_attempt",
2603
+ "confidence": "1"
2600
2604
  },
2601
2605
  "conditions": [
2602
2606
  {
@@ -2711,7 +2715,8 @@
2711
2715
  "tags": {
2712
2716
  "type": "php_code_injection",
2713
2717
  "crs_id": "933170",
2714
- "category": "attack_attempt"
2718
+ "category": "attack_attempt",
2719
+ "confidence": "1"
2715
2720
  },
2716
2721
  "conditions": [
2717
2722
  {
@@ -2824,7 +2829,8 @@
2824
2829
  "tags": {
2825
2830
  "type": "js_code_injection",
2826
2831
  "crs_id": "934101",
2827
- "category": "attack_attempt"
2832
+ "category": "attack_attempt",
2833
+ "confidence": "1"
2828
2834
  },
2829
2835
  "conditions": [
2830
2836
  {
@@ -2860,7 +2866,8 @@
2860
2866
  "tags": {
2861
2867
  "type": "xss",
2862
2868
  "crs_id": "941110",
2863
- "category": "attack_attempt"
2869
+ "category": "attack_attempt",
2870
+ "confidence": "1"
2864
2871
  },
2865
2872
  "conditions": [
2866
2873
  {
@@ -2909,7 +2916,8 @@
2909
2916
  "tags": {
2910
2917
  "type": "xss",
2911
2918
  "crs_id": "941120",
2912
- "category": "attack_attempt"
2919
+ "category": "attack_attempt",
2920
+ "confidence": "1"
2913
2921
  },
2914
2922
  "conditions": [
2915
2923
  {
@@ -2958,7 +2966,8 @@
2958
2966
  "tags": {
2959
2967
  "type": "xss",
2960
2968
  "crs_id": "941140",
2961
- "category": "attack_attempt"
2969
+ "category": "attack_attempt",
2970
+ "confidence": "1"
2962
2971
  },
2963
2972
  "conditions": [
2964
2973
  {
@@ -3007,7 +3016,8 @@
3007
3016
  "tags": {
3008
3017
  "type": "xss",
3009
3018
  "crs_id": "941170",
3010
- "category": "attack_attempt"
3019
+ "category": "attack_attempt",
3020
+ "confidence": "1"
3011
3021
  },
3012
3022
  "conditions": [
3013
3023
  {
@@ -3096,7 +3106,8 @@
3096
3106
  "tags": {
3097
3107
  "type": "xss",
3098
3108
  "crs_id": "941200",
3099
- "category": "attack_attempt"
3109
+ "category": "attack_attempt",
3110
+ "confidence": "1"
3100
3111
  },
3101
3112
  "conditions": [
3102
3113
  {
@@ -3134,7 +3145,8 @@
3134
3145
  "tags": {
3135
3146
  "type": "xss",
3136
3147
  "crs_id": "941210",
3137
- "category": "attack_attempt"
3148
+ "category": "attack_attempt",
3149
+ "confidence": "1"
3138
3150
  },
3139
3151
  "conditions": [
3140
3152
  {
@@ -3172,7 +3184,8 @@
3172
3184
  "tags": {
3173
3185
  "type": "xss",
3174
3186
  "crs_id": "941220",
3175
- "category": "attack_attempt"
3187
+ "category": "attack_attempt",
3188
+ "confidence": "1"
3176
3189
  },
3177
3190
  "conditions": [
3178
3191
  {
@@ -3210,7 +3223,8 @@
3210
3223
  "tags": {
3211
3224
  "type": "xss",
3212
3225
  "crs_id": "941230",
3213
- "category": "attack_attempt"
3226
+ "category": "attack_attempt",
3227
+ "confidence": "1"
3214
3228
  },
3215
3229
  "conditions": [
3216
3230
  {
@@ -3247,7 +3261,8 @@
3247
3261
  "tags": {
3248
3262
  "type": "xss",
3249
3263
  "crs_id": "941240",
3250
- "category": "attack_attempt"
3264
+ "category": "attack_attempt",
3265
+ "confidence": "1"
3251
3266
  },
3252
3267
  "conditions": [
3253
3268
  {
@@ -3323,7 +3338,8 @@
3323
3338
  "tags": {
3324
3339
  "type": "xss",
3325
3340
  "crs_id": "941280",
3326
- "category": "attack_attempt"
3341
+ "category": "attack_attempt",
3342
+ "confidence": "1"
3327
3343
  },
3328
3344
  "conditions": [
3329
3345
  {
@@ -3360,7 +3376,8 @@
3360
3376
  "tags": {
3361
3377
  "type": "xss",
3362
3378
  "crs_id": "941290",
3363
- "category": "attack_attempt"
3379
+ "category": "attack_attempt",
3380
+ "confidence": "1"
3364
3381
  },
3365
3382
  "conditions": [
3366
3383
  {
@@ -3397,7 +3414,8 @@
3397
3414
  "tags": {
3398
3415
  "type": "xss",
3399
3416
  "crs_id": "941300",
3400
- "category": "attack_attempt"
3417
+ "category": "attack_attempt",
3418
+ "confidence": "1"
3401
3419
  },
3402
3420
  "conditions": [
3403
3421
  {
@@ -3434,7 +3452,8 @@
3434
3452
  "tags": {
3435
3453
  "type": "xss",
3436
3454
  "crs_id": "941350",
3437
- "category": "attack_attempt"
3455
+ "category": "attack_attempt",
3456
+ "confidence": "1"
3438
3457
  },
3439
3458
  "conditions": [
3440
3459
  {
@@ -3506,7 +3525,8 @@
3506
3525
  "tags": {
3507
3526
  "type": "xss",
3508
3527
  "crs_id": "941390",
3509
- "category": "attack_attempt"
3528
+ "category": "attack_attempt",
3529
+ "confidence": "1"
3510
3530
  },
3511
3531
  "conditions": [
3512
3532
  {
@@ -3575,7 +3595,8 @@
3575
3595
  "tags": {
3576
3596
  "type": "sql_injection",
3577
3597
  "crs_id": "942160",
3578
- "category": "attack_attempt"
3598
+ "category": "attack_attempt",
3599
+ "confidence": "1"
3579
3600
  },
3580
3601
  "conditions": [
3581
3602
  {
@@ -3611,7 +3632,8 @@
3611
3632
  "tags": {
3612
3633
  "type": "sql_injection",
3613
3634
  "crs_id": "942240",
3614
- "category": "attack_attempt"
3635
+ "category": "attack_attempt",
3636
+ "confidence": "1"
3615
3637
  },
3616
3638
  "conditions": [
3617
3639
  {
@@ -3717,7 +3739,8 @@
3717
3739
  "tags": {
3718
3740
  "type": "sql_injection",
3719
3741
  "crs_id": "942280",
3720
- "category": "attack_attempt"
3742
+ "category": "attack_attempt",
3743
+ "confidence": "1"
3721
3744
  },
3722
3745
  "conditions": [
3723
3746
  {
@@ -3861,7 +3884,8 @@
3861
3884
  "tags": {
3862
3885
  "type": "http_protocol_violation",
3863
3886
  "crs_id": "943100",
3864
- "category": "attack_attempt"
3887
+ "category": "attack_attempt",
3888
+ "confidence": "1"
3865
3889
  },
3866
3890
  "conditions": [
3867
3891
  {
@@ -3894,7 +3918,8 @@
3894
3918
  "tags": {
3895
3919
  "type": "java_code_injection",
3896
3920
  "crs_id": "944100",
3897
- "category": "attack_attempt"
3921
+ "category": "attack_attempt",
3922
+ "confidence": "1"
3898
3923
  },
3899
3924
  "conditions": [
3900
3925
  {
@@ -4057,9 +4082,7 @@
4057
4082
  "java.lang.number",
4058
4083
  "java.lang.object",
4059
4084
  "java.lang.process",
4060
- "java.lang.processbuilder",
4061
4085
  "java.lang.reflect",
4062
- "java.lang.runtime",
4063
4086
  "java.lang.string",
4064
4087
  "java.lang.stringbuilder",
4065
4088
  "java.lang.system",
@@ -4084,7 +4107,8 @@
4084
4107
  "tags": {
4085
4108
  "type": "java_code_injection",
4086
4109
  "crs_id": "944260",
4087
- "category": "attack_attempt"
4110
+ "category": "attack_attempt",
4111
+ "confidence": "1"
4088
4112
  },
4089
4113
  "conditions": [
4090
4114
  {
@@ -4192,7 +4216,8 @@
4192
4216
  "name": "OGNL - Detect OGNL exploitation primitives",
4193
4217
  "tags": {
4194
4218
  "type": "java_code_injection",
4195
- "category": "attack_attempt"
4219
+ "category": "attack_attempt",
4220
+ "confidence": "1"
4196
4221
  },
4197
4222
  "conditions": [
4198
4223
  {
@@ -4229,7 +4254,8 @@
4229
4254
  "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability",
4230
4255
  "tags": {
4231
4256
  "type": "exploit_detection",
4232
- "category": "attack_attempt"
4257
+ "category": "attack_attempt",
4258
+ "confidence": "1"
4233
4259
  },
4234
4260
  "conditions": [
4235
4261
  {
@@ -4256,7 +4282,8 @@
4256
4282
  "name": "Node.js: Prototype pollution through __proto__",
4257
4283
  "tags": {
4258
4284
  "type": "js_code_injection",
4259
- "category": "attack_attempt"
4285
+ "category": "attack_attempt",
4286
+ "confidence": "1"
4260
4287
  },
4261
4288
  "conditions": [
4262
4289
  {
@@ -4283,7 +4310,8 @@
4283
4310
  "name": "Node.js: Prototype pollution through constructor.prototype",
4284
4311
  "tags": {
4285
4312
  "type": "js_code_injection",
4286
- "category": "attack_attempt"
4313
+ "category": "attack_attempt",
4314
+ "confidence": "1"
4287
4315
  },
4288
4316
  "conditions": [
4289
4317
  {
@@ -4324,7 +4352,8 @@
4324
4352
  "name": "Server side template injection: Velocity & Freemarker",
4325
4353
  "tags": {
4326
4354
  "type": "java_code_injection",
4327
- "category": "attack_attempt"
4355
+ "category": "attack_attempt",
4356
+ "confidence": "1"
4328
4357
  },
4329
4358
  "conditions": [
4330
4359
  {
@@ -4358,7 +4387,8 @@
4358
4387
  "name": "RFI: URL Payload to well known RFI target",
4359
4388
  "tags": {
4360
4389
  "type": "rfi",
4361
- "category": "attack_attempt"
4390
+ "category": "attack_attempt",
4391
+ "confidence": "1"
4362
4392
  },
4363
4393
  "conditions": [
4364
4394
  {
@@ -4385,12 +4415,81 @@
4385
4415
  ],
4386
4416
  "transformers": []
4387
4417
  },
4418
+ {
4419
+ "id": "dog-934-001",
4420
+ "name": "XXE - XML file loads external entity",
4421
+ "tags": {
4422
+ "type": "xxe",
4423
+ "category": "attack_attempt",
4424
+ "confidence": "0"
4425
+ },
4426
+ "conditions": [
4427
+ {
4428
+ "parameters": {
4429
+ "inputs": [
4430
+ {
4431
+ "address": "server.request.body"
4432
+ },
4433
+ {
4434
+ "address": "grpc.server.request.message"
4435
+ }
4436
+ ],
4437
+ "regex": "(?:<\\?xml[^>]*>.*)<!ENTITY[^>]+SYSTEM\\s+[^>]+>",
4438
+ "options": {
4439
+ "case_sensitive": false,
4440
+ "min_length": 24
4441
+ }
4442
+ },
4443
+ "operator": "match_regex"
4444
+ }
4445
+ ],
4446
+ "transformers": []
4447
+ },
4448
+ {
4449
+ "id": "dog-942-001",
4450
+ "name": "Blind XSS callback domains",
4451
+ "tags": {
4452
+ "type": "xss",
4453
+ "category": "attack_attempt",
4454
+ "confidence": "1"
4455
+ },
4456
+ "conditions": [
4457
+ {
4458
+ "parameters": {
4459
+ "inputs": [
4460
+ {
4461
+ "address": "server.request.query"
4462
+ },
4463
+ {
4464
+ "address": "server.request.body"
4465
+ },
4466
+ {
4467
+ "address": "server.request.path_params"
4468
+ },
4469
+ {
4470
+ "address": "server.request.headers.no_cookies"
4471
+ },
4472
+ {
4473
+ "address": "grpc.server.request.message"
4474
+ }
4475
+ ],
4476
+ "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)",
4477
+ "options": {
4478
+ "case_sensitive": false
4479
+ }
4480
+ },
4481
+ "operator": "match_regex"
4482
+ }
4483
+ ],
4484
+ "transformers": []
4485
+ },
4388
4486
  {
4389
4487
  "id": "nfd-000-001",
4390
4488
  "name": "Detect common directory discovery scans",
4391
4489
  "tags": {
4392
4490
  "type": "security_scanner",
4393
- "category": "attack_attempt"
4491
+ "category": "attack_attempt",
4492
+ "confidence": "1"
4394
4493
  },
4395
4494
  "conditions": [
4396
4495
  {
@@ -4624,7 +4723,8 @@
4624
4723
  "name": "Detect failed attempt to fetch readme files",
4625
4724
  "tags": {
4626
4725
  "type": "security_scanner",
4627
- "category": "attack_attempt"
4726
+ "category": "attack_attempt",
4727
+ "confidence": "1"
4628
4728
  },
4629
4729
  "conditions": [
4630
4730
  {
@@ -4663,7 +4763,8 @@
4663
4763
  "name": "Detect failed attempt to fetch Java EE resource files",
4664
4764
  "tags": {
4665
4765
  "type": "security_scanner",
4666
- "category": "attack_attempt"
4766
+ "category": "attack_attempt",
4767
+ "confidence": "1"
4667
4768
  },
4668
4769
  "conditions": [
4669
4770
  {
@@ -4702,7 +4803,8 @@
4702
4803
  "name": "Detect failed attempt to fetch code files",
4703
4804
  "tags": {
4704
4805
  "type": "security_scanner",
4705
- "category": "attack_attempt"
4806
+ "category": "attack_attempt",
4807
+ "confidence": "1"
4706
4808
  },
4707
4809
  "conditions": [
4708
4810
  {
@@ -4741,7 +4843,8 @@
4741
4843
  "name": "Detect failed attempt to fetch source code archives",
4742
4844
  "tags": {
4743
4845
  "type": "security_scanner",
4744
- "category": "attack_attempt"
4846
+ "category": "attack_attempt",
4847
+ "confidence": "1"
4745
4848
  },
4746
4849
  "conditions": [
4747
4850
  {
@@ -4780,7 +4883,8 @@
4780
4883
  "name": "Detect failed attempt to fetch sensitive files",
4781
4884
  "tags": {
4782
4885
  "type": "security_scanner",
4783
- "category": "attack_attempt"
4886
+ "category": "attack_attempt",
4887
+ "confidence": "1"
4784
4888
  },
4785
4889
  "conditions": [
4786
4890
  {
@@ -4819,7 +4923,8 @@
4819
4923
  "name": "Detect failed attempt to fetch archives",
4820
4924
  "tags": {
4821
4925
  "type": "security_scanner",
4822
- "category": "attack_attempt"
4926
+ "category": "attack_attempt",
4927
+ "confidence": "1"
4823
4928
  },
4824
4929
  "conditions": [
4825
4930
  {
@@ -4858,7 +4963,8 @@
4858
4963
  "name": "Detect failed attempt to trigger incorrect application behavior",
4859
4964
  "tags": {
4860
4965
  "type": "security_scanner",
4861
- "category": "attack_attempt"
4966
+ "category": "attack_attempt",
4967
+ "confidence": "1"
4862
4968
  },
4863
4969
  "conditions": [
4864
4970
  {
@@ -4897,7 +5003,8 @@
4897
5003
  "name": "Detect failed attempt to leak the structure of the application",
4898
5004
  "tags": {
4899
5005
  "type": "security_scanner",
4900
- "category": "attack_attempt"
5006
+ "category": "attack_attempt",
5007
+ "confidence": "1"
4901
5008
  },
4902
5009
  "conditions": [
4903
5010
  {
@@ -4936,7 +5043,8 @@
4936
5043
  "name": "SSRF: Try to access the credential manager of the main cloud services",
4937
5044
  "tags": {
4938
5045
  "type": "ssrf",
4939
- "category": "attack_attempt"
5046
+ "category": "attack_attempt",
5047
+ "confidence": "1"
4940
5048
  },
4941
5049
  "conditions": [
4942
5050
  {
@@ -5003,42 +5111,13 @@
5003
5111
  "removeNulls"
5004
5112
  ]
5005
5113
  },
5006
- {
5007
- "id": "sqr-000-007",
5008
- "name": "NoSQL: Detect common exploitation strategy",
5009
- "tags": {
5010
- "type": "nosql_injection",
5011
- "category": "attack_attempt"
5012
- },
5013
- "conditions": [
5014
- {
5015
- "parameters": {
5016
- "inputs": [
5017
- {
5018
- "address": "server.request.query"
5019
- },
5020
- {
5021
- "address": "server.request.body"
5022
- },
5023
- {
5024
- "address": "server.request.path_params"
5025
- }
5026
- ],
5027
- "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
5028
- },
5029
- "operator": "match_regex"
5030
- }
5031
- ],
5032
- "transformers": [
5033
- "keys_only"
5034
- ]
5035
- },
5036
5114
  {
5037
5115
  "id": "sqr-000-008",
5038
5116
  "name": "Windows: Detect attempts to exfiltrate .ini files",
5039
5117
  "tags": {
5040
5118
  "type": "command_injection",
5041
- "category": "attack_attempt"
5119
+ "category": "attack_attempt",
5120
+ "confidence": "1"
5042
5121
  },
5043
5122
  "conditions": [
5044
5123
  {
@@ -5072,7 +5151,8 @@
5072
5151
  "name": "Linux: Detect attempts to exfiltrate passwd files",
5073
5152
  "tags": {
5074
5153
  "type": "command_injection",
5075
- "category": "attack_attempt"
5154
+ "category": "attack_attempt",
5155
+ "confidence": "1"
5076
5156
  },
5077
5157
  "conditions": [
5078
5158
  {
@@ -5106,7 +5186,8 @@
5106
5186
  "name": "Windows: Detect attempts to timeout a shell",
5107
5187
  "tags": {
5108
5188
  "type": "command_injection",
5109
- "category": "attack_attempt"
5189
+ "category": "attack_attempt",
5190
+ "confidence": "1"
5110
5191
  },
5111
5192
  "conditions": [
5112
5193
  {
@@ -5140,7 +5221,8 @@
5140
5221
  "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)",
5141
5222
  "tags": {
5142
5223
  "type": "ssrf",
5143
- "category": "attack_attempt"
5224
+ "category": "attack_attempt",
5225
+ "confidence": "1"
5144
5226
  },
5145
5227
  "conditions": [
5146
5228
  {
@@ -5174,7 +5256,8 @@
5174
5256
  "name": "SSRF: Detect SSRF attempt on internal service",
5175
5257
  "tags": {
5176
5258
  "type": "ssrf",
5177
- "category": "attack_attempt"
5259
+ "category": "attack_attempt",
5260
+ "confidence": "0"
5178
5261
  },
5179
5262
  "conditions": [
5180
5263
  {
@@ -5193,7 +5276,7 @@
5193
5276
  "address": "grpc.server.request.message"
5194
5277
  }
5195
5278
  ],
5196
- "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/.*|)$"
5279
+ "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/[^:@]*)?$"
5197
5280
  },
5198
5281
  "operator": "match_regex"
5199
5282
  }
@@ -5207,7 +5290,8 @@
5207
5290
  "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation",
5208
5291
  "tags": {
5209
5292
  "type": "ssrf",
5210
- "category": "attack_attempt"
5293
+ "category": "attack_attempt",
5294
+ "confidence": "0"
5211
5295
  },
5212
5296
  "conditions": [
5213
5297
  {
@@ -5226,7 +5310,7 @@
5226
5310
  "address": "grpc.server.request.message"
5227
5311
  }
5228
5312
  ],
5229
- "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"
5313
+ "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$"
5230
5314
  },
5231
5315
  "operator": "match_regex"
5232
5316
  }
@@ -5240,7 +5324,8 @@
5240
5324
  "name": "SSRF: Detect SSRF domain redirection bypass",
5241
5325
  "tags": {
5242
5326
  "type": "ssrf",
5243
- "category": "attack_attempt"
5327
+ "category": "attack_attempt",
5328
+ "confidence": "1"
5244
5329
  },
5245
5330
  "conditions": [
5246
5331
  {
@@ -5262,7 +5347,7 @@
5262
5347
  "address": "grpc.server.request.message"
5263
5348
  }
5264
5349
  ],
5265
- "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
5350
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
5266
5351
  },
5267
5352
  "operator": "match_regex"
5268
5353
  }
@@ -5276,7 +5361,8 @@
5276
5361
  "name": "SSRF: Detect SSRF attempt using non HTTP protocol",
5277
5362
  "tags": {
5278
5363
  "type": "ssrf",
5279
- "category": "attack_attempt"
5364
+ "category": "attack_attempt",
5365
+ "confidence": "0"
5280
5366
  },
5281
5367
  "conditions": [
5282
5368
  {
@@ -5312,7 +5398,8 @@
5312
5398
  "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228",
5313
5399
  "tags": {
5314
5400
  "type": "exploit_detection",
5315
- "category": "attack_attempt"
5401
+ "category": "attack_attempt",
5402
+ "confidence": "1"
5316
5403
  },
5317
5404
  "conditions": [
5318
5405
  {
@@ -5349,7 +5436,8 @@
5349
5436
  "name": "Joomla exploitation tool",
5350
5437
  "tags": {
5351
5438
  "type": "security_scanner",
5352
- "category": "attack_attempt"
5439
+ "category": "attack_attempt",
5440
+ "confidence": "1"
5353
5441
  },
5354
5442
  "conditions": [
5355
5443
  {
@@ -5374,7 +5462,8 @@
5374
5462
  "name": "Nessus",
5375
5463
  "tags": {
5376
5464
  "type": "security_scanner",
5377
- "category": "attack_attempt"
5465
+ "category": "attack_attempt",
5466
+ "confidence": "1"
5378
5467
  },
5379
5468
  "conditions": [
5380
5469
  {
@@ -5399,7 +5488,8 @@
5399
5488
  "name": "Arachni",
5400
5489
  "tags": {
5401
5490
  "type": "security_scanner",
5402
- "category": "attack_attempt"
5491
+ "category": "attack_attempt",
5492
+ "confidence": "1"
5403
5493
  },
5404
5494
  "conditions": [
5405
5495
  {
@@ -5424,7 +5514,8 @@
5424
5514
  "name": "Jorgee",
5425
5515
  "tags": {
5426
5516
  "type": "security_scanner",
5427
- "category": "attack_attempt"
5517
+ "category": "attack_attempt",
5518
+ "confidence": "1"
5428
5519
  },
5429
5520
  "conditions": [
5430
5521
  {
@@ -5449,7 +5540,8 @@
5449
5540
  "name": "Probely",
5450
5541
  "tags": {
5451
5542
  "type": "security_scanner",
5452
- "category": "attack_attempt"
5543
+ "category": "attack_attempt",
5544
+ "confidence": "1"
5453
5545
  },
5454
5546
  "conditions": [
5455
5547
  {
@@ -5474,7 +5566,8 @@
5474
5566
  "name": "Metis",
5475
5567
  "tags": {
5476
5568
  "type": "security_scanner",
5477
- "category": "attack_attempt"
5569
+ "category": "attack_attempt",
5570
+ "confidence": "1"
5478
5571
  },
5479
5572
  "conditions": [
5480
5573
  {
@@ -5499,7 +5592,8 @@
5499
5592
  "name": "SQL power injector",
5500
5593
  "tags": {
5501
5594
  "type": "security_scanner",
5502
- "category": "attack_attempt"
5595
+ "category": "attack_attempt",
5596
+ "confidence": "1"
5503
5597
  },
5504
5598
  "conditions": [
5505
5599
  {
@@ -5524,7 +5618,8 @@
5524
5618
  "name": "N-Stealth",
5525
5619
  "tags": {
5526
5620
  "type": "security_scanner",
5527
- "category": "attack_attempt"
5621
+ "category": "attack_attempt",
5622
+ "confidence": "1"
5528
5623
  },
5529
5624
  "conditions": [
5530
5625
  {
@@ -5549,7 +5644,8 @@
5549
5644
  "name": "Brutus",
5550
5645
  "tags": {
5551
5646
  "type": "security_scanner",
5552
- "category": "attack_attempt"
5647
+ "category": "attack_attempt",
5648
+ "confidence": "1"
5553
5649
  },
5554
5650
  "conditions": [
5555
5651
  {
@@ -5574,7 +5670,8 @@
5574
5670
  "name": "Shellshock exploitation tool",
5575
5671
  "tags": {
5576
5672
  "type": "security_scanner",
5577
- "category": "attack_attempt"
5673
+ "category": "attack_attempt",
5674
+ "confidence": "1"
5578
5675
  },
5579
5676
  "conditions": [
5580
5677
  {
@@ -5599,7 +5696,8 @@
5599
5696
  "name": "Netsparker",
5600
5697
  "tags": {
5601
5698
  "type": "security_scanner",
5602
- "category": "attack_attempt"
5699
+ "category": "attack_attempt",
5700
+ "confidence": "1"
5603
5701
  },
5604
5702
  "conditions": [
5605
5703
  {
@@ -5624,7 +5722,8 @@
5624
5722
  "name": "JAASCois",
5625
5723
  "tags": {
5626
5724
  "type": "security_scanner",
5627
- "category": "attack_attempt"
5725
+ "category": "attack_attempt",
5726
+ "confidence": "1"
5628
5727
  },
5629
5728
  "conditions": [
5630
5729
  {
@@ -5649,7 +5748,8 @@
5649
5748
  "name": "PMAFind",
5650
5749
  "tags": {
5651
5750
  "type": "security_scanner",
5652
- "category": "attack_attempt"
5751
+ "category": "attack_attempt",
5752
+ "confidence": "1"
5653
5753
  },
5654
5754
  "conditions": [
5655
5755
  {
@@ -5674,7 +5774,8 @@
5674
5774
  "name": "Webtrends",
5675
5775
  "tags": {
5676
5776
  "type": "security_scanner",
5677
- "category": "attack_attempt"
5777
+ "category": "attack_attempt",
5778
+ "confidence": "1"
5678
5779
  },
5679
5780
  "conditions": [
5680
5781
  {
@@ -5699,7 +5800,8 @@
5699
5800
  "name": "Nsauditor",
5700
5801
  "tags": {
5701
5802
  "type": "security_scanner",
5702
- "category": "attack_attempt"
5803
+ "category": "attack_attempt",
5804
+ "confidence": "1"
5703
5805
  },
5704
5806
  "conditions": [
5705
5807
  {
@@ -5724,7 +5826,8 @@
5724
5826
  "name": "Paros",
5725
5827
  "tags": {
5726
5828
  "type": "security_scanner",
5727
- "category": "attack_attempt"
5829
+ "category": "attack_attempt",
5830
+ "confidence": "1"
5728
5831
  },
5729
5832
  "conditions": [
5730
5833
  {
@@ -5749,7 +5852,8 @@
5749
5852
  "name": "DirBuster",
5750
5853
  "tags": {
5751
5854
  "type": "security_scanner",
5752
- "category": "attack_attempt"
5855
+ "category": "attack_attempt",
5856
+ "confidence": "1"
5753
5857
  },
5754
5858
  "conditions": [
5755
5859
  {
@@ -5774,7 +5878,8 @@
5774
5878
  "name": "Pangolin",
5775
5879
  "tags": {
5776
5880
  "type": "security_scanner",
5777
- "category": "attack_attempt"
5881
+ "category": "attack_attempt",
5882
+ "confidence": "1"
5778
5883
  },
5779
5884
  "conditions": [
5780
5885
  {
@@ -5799,7 +5904,8 @@
5799
5904
  "name": "Qualys",
5800
5905
  "tags": {
5801
5906
  "type": "security_scanner",
5802
- "category": "attack_attempt"
5907
+ "category": "attack_attempt",
5908
+ "confidence": "1"
5803
5909
  },
5804
5910
  "conditions": [
5805
5911
  {
@@ -5824,7 +5930,8 @@
5824
5930
  "name": "SQLNinja",
5825
5931
  "tags": {
5826
5932
  "type": "security_scanner",
5827
- "category": "attack_attempt"
5933
+ "category": "attack_attempt",
5934
+ "confidence": "1"
5828
5935
  },
5829
5936
  "conditions": [
5830
5937
  {
@@ -5849,7 +5956,8 @@
5849
5956
  "name": "Nikto",
5850
5957
  "tags": {
5851
5958
  "type": "security_scanner",
5852
- "category": "attack_attempt"
5959
+ "category": "attack_attempt",
5960
+ "confidence": "1"
5853
5961
  },
5854
5962
  "conditions": [
5855
5963
  {
@@ -5874,7 +5982,8 @@
5874
5982
  "name": "WebInspect",
5875
5983
  "tags": {
5876
5984
  "type": "security_scanner",
5877
- "category": "attack_attempt"
5985
+ "category": "attack_attempt",
5986
+ "confidence": "1"
5878
5987
  },
5879
5988
  "conditions": [
5880
5989
  {
@@ -5899,7 +6008,8 @@
5899
6008
  "name": "BlackWidow",
5900
6009
  "tags": {
5901
6010
  "type": "security_scanner",
5902
- "category": "attack_attempt"
6011
+ "category": "attack_attempt",
6012
+ "confidence": "1"
5903
6013
  },
5904
6014
  "conditions": [
5905
6015
  {
@@ -5924,7 +6034,8 @@
5924
6034
  "name": "Grendel-Scan",
5925
6035
  "tags": {
5926
6036
  "type": "security_scanner",
5927
- "category": "attack_attempt"
6037
+ "category": "attack_attempt",
6038
+ "confidence": "1"
5928
6039
  },
5929
6040
  "conditions": [
5930
6041
  {
@@ -5949,7 +6060,8 @@
5949
6060
  "name": "Havij",
5950
6061
  "tags": {
5951
6062
  "type": "security_scanner",
5952
- "category": "attack_attempt"
6063
+ "category": "attack_attempt",
6064
+ "confidence": "1"
5953
6065
  },
5954
6066
  "conditions": [
5955
6067
  {
@@ -5974,7 +6086,8 @@
5974
6086
  "name": "w3af",
5975
6087
  "tags": {
5976
6088
  "type": "security_scanner",
5977
- "category": "attack_attempt"
6089
+ "category": "attack_attempt",
6090
+ "confidence": "1"
5978
6091
  },
5979
6092
  "conditions": [
5980
6093
  {
@@ -5999,7 +6112,8 @@
5999
6112
  "name": "Nmap",
6000
6113
  "tags": {
6001
6114
  "type": "security_scanner",
6002
- "category": "attack_attempt"
6115
+ "category": "attack_attempt",
6116
+ "confidence": "1"
6003
6117
  },
6004
6118
  "conditions": [
6005
6119
  {
@@ -6024,7 +6138,8 @@
6024
6138
  "name": "Nessus Scripted",
6025
6139
  "tags": {
6026
6140
  "type": "security_scanner",
6027
- "category": "attack_attempt"
6141
+ "category": "attack_attempt",
6142
+ "confidence": "1"
6028
6143
  },
6029
6144
  "conditions": [
6030
6145
  {
@@ -6049,7 +6164,8 @@
6049
6164
  "name": "Evil Scanner",
6050
6165
  "tags": {
6051
6166
  "type": "security_scanner",
6052
- "category": "attack_attempt"
6167
+ "category": "attack_attempt",
6168
+ "confidence": "1"
6053
6169
  },
6054
6170
  "conditions": [
6055
6171
  {
@@ -6074,7 +6190,8 @@
6074
6190
  "name": "WebFuck",
6075
6191
  "tags": {
6076
6192
  "type": "security_scanner",
6077
- "category": "attack_attempt"
6193
+ "category": "attack_attempt",
6194
+ "confidence": "1"
6078
6195
  },
6079
6196
  "conditions": [
6080
6197
  {
@@ -6099,7 +6216,8 @@
6099
6216
  "name": "OpenVAS",
6100
6217
  "tags": {
6101
6218
  "type": "security_scanner",
6102
- "category": "attack_attempt"
6219
+ "category": "attack_attempt",
6220
+ "confidence": "1"
6103
6221
  },
6104
6222
  "conditions": [
6105
6223
  {
@@ -6124,7 +6242,8 @@
6124
6242
  "name": "Spider-Pig",
6125
6243
  "tags": {
6126
6244
  "type": "security_scanner",
6127
- "category": "attack_attempt"
6245
+ "category": "attack_attempt",
6246
+ "confidence": "1"
6128
6247
  },
6129
6248
  "conditions": [
6130
6249
  {
@@ -6149,7 +6268,8 @@
6149
6268
  "name": "Zgrab",
6150
6269
  "tags": {
6151
6270
  "type": "security_scanner",
6152
- "category": "attack_attempt"
6271
+ "category": "attack_attempt",
6272
+ "confidence": "1"
6153
6273
  },
6154
6274
  "conditions": [
6155
6275
  {
@@ -6174,7 +6294,8 @@
6174
6294
  "name": "Zmeu",
6175
6295
  "tags": {
6176
6296
  "type": "security_scanner",
6177
- "category": "attack_attempt"
6297
+ "category": "attack_attempt",
6298
+ "confidence": "1"
6178
6299
  },
6179
6300
  "conditions": [
6180
6301
  {
@@ -6199,7 +6320,8 @@
6199
6320
  "name": "Crowdstrike",
6200
6321
  "tags": {
6201
6322
  "type": "security_scanner",
6202
- "category": "attack_attempt"
6323
+ "category": "attack_attempt",
6324
+ "confidence": "1"
6203
6325
  },
6204
6326
  "conditions": [
6205
6327
  {
@@ -6224,7 +6346,8 @@
6224
6346
  "name": "GoogleSecurityScanner",
6225
6347
  "tags": {
6226
6348
  "type": "security_scanner",
6227
- "category": "attack_attempt"
6349
+ "category": "attack_attempt",
6350
+ "confidence": "1"
6228
6351
  },
6229
6352
  "conditions": [
6230
6353
  {
@@ -6249,7 +6372,8 @@
6249
6372
  "name": "Commix",
6250
6373
  "tags": {
6251
6374
  "type": "security_scanner",
6252
- "category": "attack_attempt"
6375
+ "category": "attack_attempt",
6376
+ "confidence": "1"
6253
6377
  },
6254
6378
  "conditions": [
6255
6379
  {
@@ -6274,7 +6398,8 @@
6274
6398
  "name": "Gobuster",
6275
6399
  "tags": {
6276
6400
  "type": "security_scanner",
6277
- "category": "attack_attempt"
6401
+ "category": "attack_attempt",
6402
+ "confidence": "1"
6278
6403
  },
6279
6404
  "conditions": [
6280
6405
  {
@@ -6299,7 +6424,8 @@
6299
6424
  "name": "CGIchk",
6300
6425
  "tags": {
6301
6426
  "type": "security_scanner",
6302
- "category": "attack_attempt"
6427
+ "category": "attack_attempt",
6428
+ "confidence": "1"
6303
6429
  },
6304
6430
  "conditions": [
6305
6431
  {
@@ -6324,7 +6450,8 @@
6324
6450
  "name": "FFUF",
6325
6451
  "tags": {
6326
6452
  "type": "security_scanner",
6327
- "category": "attack_attempt"
6453
+ "category": "attack_attempt",
6454
+ "confidence": "1"
6328
6455
  },
6329
6456
  "conditions": [
6330
6457
  {
@@ -6349,7 +6476,8 @@
6349
6476
  "name": "Nuclei",
6350
6477
  "tags": {
6351
6478
  "type": "security_scanner",
6352
- "category": "attack_attempt"
6479
+ "category": "attack_attempt",
6480
+ "confidence": "1"
6353
6481
  },
6354
6482
  "conditions": [
6355
6483
  {
@@ -6374,7 +6502,8 @@
6374
6502
  "name": "Tsunami",
6375
6503
  "tags": {
6376
6504
  "type": "security_scanner",
6377
- "category": "attack_attempt"
6505
+ "category": "attack_attempt",
6506
+ "confidence": "1"
6378
6507
  },
6379
6508
  "conditions": [
6380
6509
  {
@@ -6399,7 +6528,8 @@
6399
6528
  "name": "Nimbostratus",
6400
6529
  "tags": {
6401
6530
  "type": "security_scanner",
6402
- "category": "attack_attempt"
6531
+ "category": "attack_attempt",
6532
+ "confidence": "1"
6403
6533
  },
6404
6534
  "conditions": [
6405
6535
  {
@@ -6424,7 +6554,8 @@
6424
6554
  "name": "Datadog test scanner: user-agent",
6425
6555
  "tags": {
6426
6556
  "type": "security_scanner",
6427
- "category": "attack_attempt"
6557
+ "category": "attack_attempt",
6558
+ "confidence": "1"
6428
6559
  },
6429
6560
  "conditions": [
6430
6561
  {
@@ -6455,7 +6586,8 @@
6455
6586
  "name": "Datadog test scanner - blocking version: user-agent",
6456
6587
  "tags": {
6457
6588
  "type": "security_scanner",
6458
- "category": "attack_attempt"
6589
+ "category": "attack_attempt",
6590
+ "confidence": "1"
6459
6591
  },
6460
6592
  "conditions": [
6461
6593
  {
@@ -6489,7 +6621,8 @@
6489
6621
  "name": "Blind SQL Injection Brute Forcer",
6490
6622
  "tags": {
6491
6623
  "type": "security_scanner",
6492
- "category": "attack_attempt"
6624
+ "category": "attack_attempt",
6625
+ "confidence": "1"
6493
6626
  },
6494
6627
  "conditions": [
6495
6628
  {
@@ -6514,7 +6647,8 @@
6514
6647
  "name": "Suspicious user agent",
6515
6648
  "tags": {
6516
6649
  "type": "security_scanner",
6517
- "category": "attack_attempt"
6650
+ "category": "attack_attempt",
6651
+ "confidence": "1"
6518
6652
  },
6519
6653
  "conditions": [
6520
6654
  {
@@ -6539,7 +6673,8 @@
6539
6673
  "name": "SQLmap",
6540
6674
  "tags": {
6541
6675
  "type": "security_scanner",
6542
- "category": "attack_attempt"
6676
+ "category": "attack_attempt",
6677
+ "confidence": "1"
6543
6678
  },
6544
6679
  "conditions": [
6545
6680
  {
@@ -6564,7 +6699,8 @@
6564
6699
  "name": "Skipfish",
6565
6700
  "tags": {
6566
6701
  "type": "security_scanner",
6567
- "category": "attack_attempt"
6702
+ "category": "attack_attempt",
6703
+ "confidence": "1"
6568
6704
  },
6569
6705
  "conditions": [
6570
6706
  {