dd-trace 3.2.0 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28)
  1. package/LICENSE-3rdparty.csv +2 -1
  2. package/README.md +4 -0
  3. package/package.json +5 -4
  4. package/packages/datadog-instrumentations/src/crypto.js +14 -12
  5. package/packages/datadog-instrumentations/src/grpc/server.js +15 -7
  6. package/packages/datadog-instrumentations/src/helpers/hooks.js +3 -0
  7. package/packages/datadog-instrumentations/src/jest.js +136 -14
  8. package/packages/datadog-instrumentations/src/mocha.js +77 -31
  9. package/packages/datadog-instrumentations/src/next.js +7 -3
  10. package/packages/datadog-plugin-jest/src/index.js +106 -6
  11. package/packages/datadog-plugin-mocha/src/index.js +15 -7
  12. package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js +1 -0
  13. package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js +27 -0
  14. package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js +13 -5
  15. package/packages/dd-trace/src/appsec/recommended.json +1144 -275
  16. package/packages/dd-trace/src/ci-visibility/exporters/agentless/coverage-writer.js +1 -1
  17. package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js +3 -3
  18. package/packages/dd-trace/src/config.js +16 -2
  19. package/packages/dd-trace/src/encode/0.4.js +7 -1
  20. package/packages/dd-trace/src/encode/0.5.js +7 -1
  21. package/packages/dd-trace/src/encode/agentless-ci-visibility.js +2 -2
  22. package/packages/dd-trace/src/encode/coverage-ci-visibility.js +32 -20
  23. package/packages/dd-trace/src/exporters/common/request.js +3 -3
  24. package/packages/dd-trace/src/opentracing/span.js +6 -0
  25. package/packages/dd-trace/src/plugins/index.js +3 -0
  26. package/packages/dd-trace/src/plugins/util/ip_blocklist.js +30 -4
  27. package/packages/dd-trace/src/plugins/util/redis.js +0 -74
  28. package/packages/dd-trace/src/plugins/util/tx.js +0 -75
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.3.1"
4
+ "rules_version": "1.4.0"
5
5
  },
6
6
  "rules": [
7
7
  {
@@ -224,7 +224,7 @@
224
224
  "address": "server.request.headers.no_cookies"
225
225
  }
226
226
  ],
227
- "regex": "(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))",
227
+ "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
228
228
  "options": {
229
229
  "min_length": 4
230
230
  }
@@ -255,7 +255,7 @@
255
255
  "address": "server.request.headers.no_cookies"
256
256
  }
257
257
  ],
258
- "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))",
258
+ "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
259
259
  "options": {
260
260
  "case_sensitive": true,
261
261
  "min_length": 3
@@ -299,6 +299,8 @@
299
299
  "/.htpasswd",
300
300
  "/.addressbook",
301
301
  "/.aptitude/config",
302
+ ".aws/config",
303
+ ".aws/credentials",
302
304
  "/.bash_config",
303
305
  "/.bash_history",
304
306
  "/.bash_logout",
@@ -330,6 +332,7 @@
330
332
  "/.nano_history",
331
333
  "/.node_repl_history",
332
334
  "/.pearrc",
335
+ "/.pgpass",
333
336
  "/.php_history",
334
337
  "/.pinerc",
335
338
  ".pki/",
@@ -350,6 +353,8 @@
350
353
  ".ssh/id_rsa.pub",
351
354
  ".ssh/identity",
352
355
  ".ssh/identity.pub",
356
+ ".ssh/id_ecdsa",
357
+ ".ssh/id_ecdsa.pub",
353
358
  ".ssh/known_hosts",
354
359
  ".subversion/auth",
355
360
  ".subversion/config",
@@ -366,6 +371,225 @@
366
371
  "/.zshrc",
367
372
  "/.zsh_history",
368
373
  "/.nsconfig",
374
+ "data/elasticsearch",
375
+ "data/kafka",
376
+ "etc/ansible",
377
+ "etc/bind",
378
+ "etc/centos-release",
379
+ "etc/centos-release-upstream",
380
+ "etc/clam.d",
381
+ "etc/elasticsearch",
382
+ "etc/freshclam.conf",
383
+ "etc/gshadow",
384
+ "etc/gshadow-",
385
+ "etc/httpd",
386
+ "etc/kafka",
387
+ "etc/kibana",
388
+ "etc/logstash",
389
+ "etc/lvm",
390
+ "etc/mongod.conf",
391
+ "etc/my.cnf",
392
+ "etc/nuxeo.conf",
393
+ "etc/pki",
394
+ "etc/postfix",
395
+ "etc/scw-release",
396
+ "etc/subgid",
397
+ "etc/subgid-",
398
+ "etc/sudoers.d",
399
+ "etc/sysconfig",
400
+ "etc/system-release-cpe",
401
+ "opt/nuxeo",
402
+ "opt/tomcat",
403
+ "tmp/kafka-logs",
404
+ "usr/lib/rpm/rpm.log",
405
+ "var/data/elasticsearch",
406
+ "var/lib/elasticsearch",
407
+ "etc/.java",
408
+ "etc/acpi",
409
+ "etc/alsa",
410
+ "etc/alternatives",
411
+ "etc/apache2",
412
+ "etc/apm",
413
+ "etc/apparmor",
414
+ "etc/apparmor.d",
415
+ "etc/apport",
416
+ "etc/apt",
417
+ "etc/asciidoc",
418
+ "etc/avahi",
419
+ "etc/bash_completion.d",
420
+ "etc/binfmt.d",
421
+ "etc/bluetooth",
422
+ "etc/bonobo-activation",
423
+ "etc/brltty",
424
+ "etc/ca-certificates",
425
+ "etc/calendar",
426
+ "etc/chatscripts",
427
+ "etc/chromium-browser",
428
+ "etc/clamav",
429
+ "etc/cni",
430
+ "etc/console-setup",
431
+ "etc/coraza-waf",
432
+ "etc/cracklib",
433
+ "etc/cron.d",
434
+ "etc/cron.daily",
435
+ "etc/cron.hourly",
436
+ "etc/cron.monthly",
437
+ "etc/cron.weekly",
438
+ "etc/cups",
439
+ "etc/cups.save",
440
+ "etc/cupshelpers",
441
+ "etc/dbus-1",
442
+ "etc/dconf",
443
+ "etc/default",
444
+ "etc/depmod.d",
445
+ "etc/dhcp",
446
+ "etc/dictionaries-common",
447
+ "etc/dkms",
448
+ "etc/dnsmasq.d",
449
+ "etc/dockeretc/dpkg",
450
+ "etc/emacs",
451
+ "etc/environment.d",
452
+ "etc/fail2ban",
453
+ "etc/firebird",
454
+ "etc/firefox",
455
+ "etc/fonts",
456
+ "etc/fwupd",
457
+ "etc/gconf",
458
+ "etc/gdb",
459
+ "etc/gdm3",
460
+ "etc/geoclue",
461
+ "etc/ghostscript",
462
+ "etc/gimp",
463
+ "etc/glvnd",
464
+ "etc/gnome",
465
+ "etc/gnome-vfs-2.0",
466
+ "etc/gnucash",
467
+ "etc/gnustep",
468
+ "etc/groff",
469
+ "etc/grub.d",
470
+ "etc/gss",
471
+ "etc/gtk-2.0",
472
+ "etc/gtk-3.0",
473
+ "etc/hp",
474
+ "etc/ifplugd",
475
+ "etc/imagemagick-6",
476
+ "etc/init",
477
+ "etc/init.d",
478
+ "etc/initramfs-tools",
479
+ "etc/insserv.conf.d",
480
+ "etc/iproute2",
481
+ "etc/iptables",
482
+ "etc/java",
483
+ "etc/java-11-openjdk",
484
+ "etc/java-17-oracle",
485
+ "etc/java-8-openjdk",
486
+ "etc/kernel",
487
+ "etc/ld.so.conf.d",
488
+ "etc/ldap",
489
+ "etc/libblockdev",
490
+ "etc/libibverbs.d",
491
+ "etc/libnl-3",
492
+ "etc/libpaper.d",
493
+ "etc/libreoffice",
494
+ "etc/lighttpd",
495
+ "etc/logcheck",
496
+ "etc/logrotate.d",
497
+ "etc/lynx",
498
+ "etc/mail",
499
+ "etc/mc",
500
+ "etc/menu",
501
+ "etc/menu-methods",
502
+ "etc/modprobe.d",
503
+ "etc/modsecurity",
504
+ "etc/modules-load.d",
505
+ "etc/monit",
506
+ "etc/mono",
507
+ "etc/mplayer",
508
+ "etc/mpv",
509
+ "etc/muttrc.d",
510
+ "etc/mysql",
511
+ "etc/netplan",
512
+ "etc/network",
513
+ "etc/networkd-dispatcher",
514
+ "etc/networkmanager",
515
+ "etc/newt",
516
+ "etc/nghttpx",
517
+ "etc/nikto",
518
+ "etc/odbcdatasources",
519
+ "etc/openal",
520
+ "etc/openmpi",
521
+ "etc/opt",
522
+ "etc/osync",
523
+ "etc/packagekit",
524
+ "etc/pam.d",
525
+ "etc/pcmcia",
526
+ "etc/perl",
527
+ "etc/php",
528
+ "etc/pki",
529
+ "etc/pm",
530
+ "etc/polkit-1",
531
+ "etc/postfix",
532
+ "etc/ppp",
533
+ "etc/profile.d",
534
+ "etc/proftpd",
535
+ "etc/pulse",
536
+ "etc/python",
537
+ "etc/rc0.d",
538
+ "etc/rc1.d",
539
+ "etc/rc2.d",
540
+ "etc/rc3.d",
541
+ "etc/rc4.d",
542
+ "etc/rc5.d",
543
+ "etc/rc6.d",
544
+ "etc/rcs.d",
545
+ "etc/resolvconf",
546
+ "etc/rsyslog.d",
547
+ "etc/samba",
548
+ "etc/sane.d",
549
+ "etc/security",
550
+ "etc/selinux",
551
+ "etc/sensors.d",
552
+ "etc/sgml",
553
+ "etc/signon-ui",
554
+ "etc/skel",
555
+ "etc/snmp",
556
+ "etc/sound",
557
+ "etc/spamassassin",
558
+ "etc/speech-dispatcher",
559
+ "etc/ssh",
560
+ "etc/ssl",
561
+ "etc/sudoers.d",
562
+ "etc/sysctl.d",
563
+ "etc/sysstat",
564
+ "etc/systemd",
565
+ "etc/terminfo",
566
+ "etc/texmf",
567
+ "etc/thermald",
568
+ "etc/thnuclnt",
569
+ "etc/thunderbird",
570
+ "etc/timidity",
571
+ "etc/tmpfiles.d",
572
+ "etc/ubuntu-advantage",
573
+ "etc/udev",
574
+ "etc/udisks2",
575
+ "etc/ufw",
576
+ "etc/update-manager",
577
+ "etc/update-motd.d",
578
+ "etc/update-notifier",
579
+ "etc/upower",
580
+ "etc/urlview",
581
+ "etc/usb_modeswitch.d",
582
+ "etc/vim",
583
+ "etc/vmware",
584
+ "etc/vmware-installer",
585
+ "etc/vmware-vix",
586
+ "etc/vulkan",
587
+ "etc/w3m",
588
+ "etc/wireshark",
589
+ "etc/wpa_supplicant",
590
+ "etc/x11",
591
+ "etc/xdg",
592
+ "etc/xml",
369
593
  "etc/redis.conf",
370
594
  "etc/redis-sentinel.conf",
371
595
  "etc/php.ini",
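Review bot: The added entry `"etc/dockeretc/dpkg"` (new line 449 in this hunk) reads as two list items fused together, `etc/docker` and `etc/dpkg`, and since this list is closed with `"operator": "phrase_match"` in the `@@ -1397,7 +1603,122 @@` hunk, neither path is matched by the rule as committed; it should be split into `"etc/docker",` and `"etc/dpkg",`. The same hunk also adds `etc/pki`, `etc/postfix` and `etc/sudoers.d` twice, `etc/scw-release` and `etc/system-release-cpe` are added here and again in the `@@ -1271,6 +1351,8 @@` hunk, and the `@@ -1397` hunk lists `"proc/keys"` twice; duplicates do not change matching but they suggest the list is assembled without a uniqueness check, which is the same check that would have caught the fused entry. The enclosing `list` array starts and ends outside this hunk.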
@@ -417,10 +641,8 @@
417
641
  "usr/local/cpanel/logs/license_log",
418
642
  "usr/local/cpanel/logs/login_log",
419
643
  "var/cpanel/cpanel.config",
420
- "var/log/sw-cp-server/error_log",
421
644
  "usr/local/psa/admin/logs/httpsd_access_log",
422
645
  "usr/local/psa/admin/logs/panel.log",
423
- "var/log/sso/sso.log",
424
646
  "usr/local/psa/admin/conf/php.ini",
425
647
  "etc/sw-cp-server/applications.d/plesk.conf",
426
648
  "usr/local/psa/admin/conf/site_isolation_settings.ini",
@@ -428,16 +650,6 @@
428
650
  "etc/sw-cp-server/applications.d/00-sso-cpserver.conf",
429
651
  "etc/sso/sso_config.ini",
430
652
  "etc/mysql/conf.d/old_passwords.cnf",
431
- "var/log/mysql/mysql-bin.log",
432
- "var/log/mysql/mysql-bin.index",
433
- "var/log/mysql/data/mysql-bin.index",
434
- "var/log/mysql.log",
435
- "var/log/mysql.err",
436
- "var/log/mysqlderror.log",
437
- "var/log/mysql/mysql.log",
438
- "var/log/mysql/mysql-slow.log",
439
- "var/log/mysql-bin.index",
440
- "var/log/data/mysql-bin.index",
441
653
  "var/mysql.log",
442
654
  "var/mysql-bin.index",
443
655
  "var/data/mysql-bin.index",
@@ -474,21 +686,6 @@
474
686
  "mysql/my.cnf",
475
687
  "mysql/bin/my.ini",
476
688
  "var/postgresql/log/postgresql.log",
477
- "var/log/postgresql/postgresql.log",
478
- "var/log/postgres/pg_backup.log",
479
- "var/log/postgres/postgres.log",
480
- "var/log/postgresql.log",
481
- "var/log/pgsql/pgsql.log",
482
- "var/log/postgresql/postgresql-8.1-main.log",
483
- "var/log/postgresql/postgresql-8.3-main.log",
484
- "var/log/postgresql/postgresql-8.4-main.log",
485
- "var/log/postgresql/postgresql-9.0-main.log",
486
- "var/log/postgresql/postgresql-9.1-main.log",
487
- "var/log/pgsql8.log",
488
- "var/log/postgresql/postgres.log",
489
- "var/log/pgsql_log",
490
- "var/log/postgresql/main.log",
491
- "var/log/cron/var/log/postgres.log",
492
689
  "usr/internet/pgsql/data/postmaster.log",
493
690
  "usr/local/pgsql/data/postgresql.log",
494
691
  "usr/local/pgsql/data/pg_log",
@@ -572,29 +769,21 @@
572
769
  "windows/system32/logfiles/msftpsvc2",
573
770
  "etc/logrotate.d/proftpd",
574
771
  "www/logs/proftpd.system.log",
575
- "var/log/proftpd",
576
- "var/log/proftpd/xferlog.legacy",
577
- "var/log/proftpd.access_log",
578
- "var/log/proftpd.xferlog",
579
772
  "etc/pam.d/proftpd",
580
773
  "etc/proftp.conf",
581
774
  "etc/protpd/proftpd.conf",
582
775
  "etc/vhcs2/proftpd/proftpd.conf",
583
776
  "etc/proftpd/modules.conf",
584
- "var/log/vsftpd.log",
585
777
  "etc/vsftpd.chroot_list",
586
778
  "etc/logrotate.d/vsftpd.log",
587
779
  "etc/vsftpd/vsftpd.conf",
588
780
  "etc/vsftpd.conf",
589
781
  "etc/chrootusers",
590
- "var/log/xferlog",
591
782
  "var/adm/log/xferlog",
592
783
  "etc/wu-ftpd/ftpaccess",
593
784
  "etc/wu-ftpd/ftphosts",
594
785
  "etc/wu-ftpd/ftpusers",
595
- "var/log/pure-ftpd/pure-ftpd.log",
596
786
  "logs/pure-ftpd.log",
597
- "var/log/pureftpd.log",
598
787
  "usr/sbin/pure-config.pl",
599
788
  "usr/etc/pure-ftpd.conf",
600
789
  "etc/pure-ftpd/pure-ftpd.conf",
@@ -620,30 +809,18 @@
620
809
  "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
621
810
  "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
622
811
  "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
623
- "var/log/muddleftpd",
624
812
  "usr/sbin/mudlogd",
625
813
  "etc/muddleftpd/mudlog",
626
814
  "etc/muddleftpd.com",
627
815
  "etc/muddleftpd/mudlogd.conf",
628
816
  "etc/muddleftpd/muddleftpd.conf",
629
- "var/log/muddleftpd.conf",
630
817
  "usr/sbin/mudpasswd",
631
818
  "etc/muddleftpd/muddleftpd.passwd",
632
819
  "etc/muddleftpd/passwd",
633
- "var/log/ftp-proxy/ftp-proxy.log",
634
- "var/log/ftp-proxy",
635
- "var/log/ftplog",
636
820
  "etc/logrotate.d/ftp",
637
821
  "etc/ftpchroot",
638
822
  "etc/ftphosts",
639
823
  "etc/ftpusers",
640
- "var/log/exim_mainlog",
641
- "var/log/exim/mainlog",
642
- "var/log/maillog",
643
- "var/log/exim_paniclog",
644
- "var/log/exim/paniclog",
645
- "var/log/exim/rejectlog",
646
- "var/log/exim_rejectlog",
647
824
  "winnt/system32/logfiles/smtpsvc",
648
825
  "winnt/system32/logfiles/smtpsvc1",
649
826
  "winnt/system32/logfiles/smtpsvc2",
@@ -716,7 +893,6 @@
716
893
  "library/webserver/documents/default.htm",
717
894
  "library/webserver/documents/index.php",
718
895
  "library/webserver/documents/default.php",
719
- "var/log/webmin/miniserv.log",
720
896
  "usr/local/etc/webmin/miniserv.conf",
721
897
  "etc/webmin/miniserv.conf",
722
898
  "usr/local/etc/webmin/miniserv.users",
@@ -729,8 +905,6 @@
729
905
  "windows/system32/logfiles/w3svc1/inetsvn1.log",
730
906
  "windows/system32/logfiles/w3svc2/inetsvn1.log",
731
907
  "windows/system32/logfiles/w3svc3/inetsvn1.log",
732
- "var/log/httpd/access_log",
733
- "var/log/httpd/error_log",
734
908
  "apache/logs/error.log",
735
909
  "apache/logs/access.log",
736
910
  "apache2/logs/error.log",
@@ -753,20 +927,6 @@
753
927
  "var/www/logs/access.log",
754
928
  "var/www/logs/error_log",
755
929
  "var/www/logs/error.log",
756
- "var/log/httpd/access.log",
757
- "var/log/httpd/error.log",
758
- "var/log/apache/access_log",
759
- "var/log/apache/access.log",
760
- "var/log/apache/error_log",
761
- "var/log/apache/error.log",
762
- "var/log/apache2/access_log",
763
- "var/log/apache2/access.log",
764
- "var/log/apache2/error_log",
765
- "var/log/apache2/error.log",
766
- "var/log/access_log",
767
- "var/log/access.log",
768
- "var/log/error_log",
769
- "var/log/error.log",
770
930
  "opt/lampp/logs/access_log",
771
931
  "opt/lampp/logs/error_log",
772
932
  "opt/xampp/logs/access_log",
@@ -905,7 +1065,6 @@
905
1065
  "usr/share/tomcat6/conf/context.xml",
906
1066
  "usr/share/tomcat6/conf/workers.properties",
907
1067
  "usr/share/tomcat6/conf/logging.properties",
908
- "var/log/tomcat6/catalina.out",
909
1068
  "var/cpanel/tomcat.options",
910
1069
  "usr/local/jakarta/tomcat/logs/catalina.out",
911
1070
  "usr/local/jakarta/tomcat/logs/catalina.err",
@@ -986,23 +1145,14 @@
986
1145
  "program files/[jboss]/server/default/log/boot.log",
987
1146
  "[jboss]/server/default/log/server.log",
988
1147
  "[jboss]/server/default/log/boot.log",
989
- "var/log/lighttpd.error.log",
990
- "var/log/lighttpd.access.log",
991
1148
  "var/lighttpd.log",
992
1149
  "var/logs/access.log",
993
- "var/log/lighttpd/",
994
- "var/log/lighttpd/error.log",
995
- "var/log/lighttpd/access.www.log",
996
- "var/log/lighttpd/error.www.log",
997
- "var/log/lighttpd/access.log",
998
1150
  "usr/local/apache2/logs/lighttpd.error.log",
999
1151
  "usr/local/apache2/logs/lighttpd.log",
1000
1152
  "usr/local/apache/logs/lighttpd.error.log",
1001
1153
  "usr/local/apache/logs/lighttpd.log",
1002
1154
  "usr/local/lighttpd/log/lighttpd.error.log",
1003
1155
  "usr/local/lighttpd/log/access.log",
1004
- "var/log/lighttpd/{domain}/access.log",
1005
- "var/log/lighttpd/{domain}/error.log",
1006
1156
  "usr/home/user/var/log/lighttpd.error.log",
1007
1157
  "usr/home/user/var/log/apache.log",
1008
1158
  "home/user/lighttpd/lighttpd.conf",
@@ -1012,12 +1162,6 @@
1012
1162
  "usr/local/lighttpd/conf/lighttpd.conf",
1013
1163
  "usr/local/etc/lighttpd.conf.new",
1014
1164
  "var/www/.lighttpdpassword",
1015
- "var/log/nginx/access_log",
1016
- "var/log/nginx/error_log",
1017
- "var/log/nginx/access.log",
1018
- "var/log/nginx/error.log",
1019
- "var/log/nginx.access_log",
1020
- "var/log/nginx.error_log",
1021
1165
  "logs/access_log",
1022
1166
  "logs/error_log",
1023
1167
  "etc/nginx/nginx.conf",
@@ -1033,12 +1177,6 @@
1033
1177
  "usr/local/logs/access.log",
1034
1178
  "usr/local/samba/lib/log.user",
1035
1179
  "usr/local/logs/samba.log",
1036
- "var/log/samba/log.smbd",
1037
- "var/log/samba/log.nmbd",
1038
- "var/log/samba.log",
1039
- "var/log/samba.log1",
1040
- "var/log/samba.log2",
1041
- "var/log/log.smb",
1042
1180
  "etc/samba/netlogon",
1043
1181
  "etc/smbpasswd",
1044
1182
  "etc/smb.conf",
@@ -1067,10 +1205,6 @@
1067
1205
  "etc/wicd/manager-settings.conf",
1068
1206
  "etc/wicd/wired-settings.conf",
1069
1207
  "etc/wicd/wireless-settings.conf",
1070
- "var/log/ipfw.log",
1071
- "var/log/ipfw",
1072
- "var/log/ipfw/ipfw.log",
1073
- "var/log/ipfw.today",
1074
1208
  "etc/ipfw.rules",
1075
1209
  "etc/ipfw.conf",
1076
1210
  "etc/firewall.rules",
@@ -1089,33 +1223,6 @@
1089
1223
  "etc/bluetooth/main.conf",
1090
1224
  "etc/bluetooth/network.conf",
1091
1225
  "etc/bluetooth/rfcomm.conf",
1092
- "proc/self/environ",
1093
- "proc/self/mounts",
1094
- "proc/self/stat",
1095
- "proc/self/status",
1096
- "proc/self/cmdline",
1097
- "proc/self/fd/0",
1098
- "proc/self/fd/1",
1099
- "proc/self/fd/2",
1100
- "proc/self/fd/3",
1101
- "proc/self/fd/4",
1102
- "proc/self/fd/5",
1103
- "proc/self/fd/6",
1104
- "proc/self/fd/7",
1105
- "proc/self/fd/8",
1106
- "proc/self/fd/9",
1107
- "proc/self/fd/10",
1108
- "proc/self/fd/11",
1109
- "proc/self/fd/12",
1110
- "proc/self/fd/13",
1111
- "proc/self/fd/14",
1112
- "proc/self/fd/15",
1113
- "proc/version",
1114
- "proc/devices",
1115
- "proc/cpuinfo",
1116
- "proc/meminfo",
1117
- "proc/net/tcp",
1118
- "proc/net/udp",
1119
1226
  "etc/bash_completion.d/debconf",
1120
1227
  "root/.bash_logout",
1121
1228
  "root/.bash_history",
@@ -1153,39 +1260,12 @@
1153
1260
  "var/adm/aculog",
1154
1261
  "var/adm/vold.log",
1155
1262
  "var/adm/log/asppp.log",
1156
- "var/log/poplog",
1157
- "var/log/authlog",
1158
1263
  "var/lp/logs/lpsched",
1159
1264
  "var/lp/logs/lpnet",
1160
1265
  "var/lp/logs/requests",
1161
1266
  "var/cron/log",
1162
1267
  "var/saf/_log",
1163
1268
  "var/saf/port/log",
1164
- "var/log/news.all",
1165
- "var/log/news/news.all",
1166
- "var/log/news/news.crit",
1167
- "var/log/news/news.err",
1168
- "var/log/news/news.notice",
1169
- "var/log/news/suck.err",
1170
- "var/log/news/suck.notice",
1171
- "var/log/messages",
1172
- "var/log/messages.1",
1173
- "var/log/user.log",
1174
- "var/log/user.log.1",
1175
- "var/log/auth.log",
1176
- "var/log/pm-powersave.log",
1177
- "var/log/xorg.0.log",
1178
- "var/log/daemon.log",
1179
- "var/log/daemon.log.1",
1180
- "var/log/kern.log",
1181
- "var/log/kern.log.1",
1182
- "var/log/mail.err",
1183
- "var/log/mail.info",
1184
- "var/log/mail.warn",
1185
- "var/log/ufw.log",
1186
- "var/log/boot.log",
1187
- "var/log/syslog",
1188
- "var/log/syslog.1",
1189
1269
  "tmp/access.log",
1190
1270
  "etc/sensors.conf",
1191
1271
  "etc/sensors3.conf",
@@ -1271,6 +1351,8 @@
1271
1351
  "etc/sudoers",
1272
1352
  "etc/sysconfig/network-scripts/ifcfg-eth0",
1273
1353
  "etc/redhat-release",
1354
+ "etc/scw-release",
1355
+ "etc/system-release-cpe",
1274
1356
  "etc/debian_version",
1275
1357
  "etc/fedora-release",
1276
1358
  "etc/mandrake-release",
@@ -1287,11 +1369,7 @@
1287
1369
  "root/.ksh_history",
1288
1370
  "root/.xauthority",
1289
1371
  "usr/lib/security/mkuser.default",
1290
- "var/log/squirrelmail.log",
1291
- "var/log/apache2/squirrelmail.log",
1292
- "var/log/apache2/squirrelmail.err.log",
1293
1372
  "var/lib/squirrelmail/prefs/squirrelmail.log",
1294
- "var/log/mail.log",
1295
1373
  "etc/squirrelmail/apache.conf",
1296
1374
  "etc/squirrelmail/config_local.php",
1297
1375
  "etc/squirrelmail/default_pref",
@@ -1345,6 +1423,134 @@
1345
1423
  "etc/vmware-tools/config",
1346
1424
  "etc/vmware-tools/tpvmlp.conf",
1347
1425
  "etc/vmware-tools/vmware-tools-libraries.conf",
1426
+ "var/log",
1427
+ "var/log/sw-cp-server/error_log",
1428
+ "var/log/sso/sso.log",
1429
+ "var/log/dpkg.log",
1430
+ "var/log/btmp",
1431
+ "var/log/utmp",
1432
+ "var/log/wtmp",
1433
+ "var/log/mysql/mysql-bin.log",
1434
+ "var/log/mysql/mysql-bin.index",
1435
+ "var/log/mysql/data/mysql-bin.index",
1436
+ "var/log/mysql.log",
1437
+ "var/log/mysql.err",
1438
+ "var/log/mysqlderror.log",
1439
+ "var/log/mysql/mysql.log",
1440
+ "var/log/mysql/mysql-slow.log",
1441
+ "var/log/mysql-bin.index",
1442
+ "var/log/data/mysql-bin.index",
1443
+ "var/log/postgresql/postgresql.log",
1444
+ "var/log/postgres/pg_backup.log",
1445
+ "var/log/postgres/postgres.log",
1446
+ "var/log/postgresql.log",
1447
+ "var/log/pgsql/pgsql.log",
1448
+ "var/log/postgresql/postgresql-8.1-main.log",
1449
+ "var/log/postgresql/postgresql-8.3-main.log",
1450
+ "var/log/postgresql/postgresql-8.4-main.log",
1451
+ "var/log/postgresql/postgresql-9.0-main.log",
1452
+ "var/log/postgresql/postgresql-9.1-main.log",
1453
+ "var/log/pgsql8.log",
1454
+ "var/log/postgresql/postgres.log",
1455
+ "var/log/pgsql_log",
1456
+ "var/log/postgresql/main.log",
1457
+ "var/log/cron",
1458
+ "var/log/postgres.log",
1459
+ "var/log/proftpd",
1460
+ "var/log/proftpd/xferlog.legacy",
1461
+ "var/log/proftpd.access_log",
1462
+ "var/log/proftpd.xferlog",
1463
+ "var/log/vsftpd.log",
1464
+ "var/log/xferlog",
1465
+ "var/log/pure-ftpd/pure-ftpd.log",
1466
+ "var/log/pureftpd.log",
1467
+ "var/log/muddleftpd",
1468
+ "var/log/muddleftpd.conf",
1469
+ "var/log/ftp-proxy/ftp-proxy.log",
1470
+ "var/log/ftp-proxy",
1471
+ "var/log/ftplog",
1472
+ "var/log/exim_mainlog",
1473
+ "var/log/exim/mainlog",
1474
+ "var/log/maillog",
1475
+ "var/log/exim_paniclog",
1476
+ "var/log/exim/paniclog",
1477
+ "var/log/exim/rejectlog",
1478
+ "var/log/exim_rejectlog",
1479
+ "var/log/webmin/miniserv.log",
1480
+ "var/log/httpd/access_log",
1481
+ "var/log/httpd/error_log",
1482
+ "var/log/httpd/access.log",
1483
+ "var/log/httpd/error.log",
1484
+ "var/log/apache/access_log",
1485
+ "var/log/apache/access.log",
1486
+ "var/log/apache/error_log",
1487
+ "var/log/apache/error.log",
1488
+ "var/log/apache2/access_log",
1489
+ "var/log/apache2/access.log",
1490
+ "var/log/apache2/error_log",
1491
+ "var/log/apache2/error.log",
1492
+ "var/log/access_log",
1493
+ "var/log/access.log",
1494
+ "var/log/error_log",
1495
+ "var/log/error.log",
1496
+ "var/log/tomcat6/catalina.out",
1497
+ "var/log/lighttpd.error.log",
1498
+ "var/log/lighttpd.access.log",
1499
+ "var/logs/access.log",
1500
+ "var/log/lighttpd/",
1501
+ "var/log/lighttpd/error.log",
1502
+ "var/log/lighttpd/access.www.log",
1503
+ "var/log/lighttpd/error.www.log",
1504
+ "var/log/lighttpd/access.log",
1505
+ "var/log/lighttpd/{domain}/access.log",
1506
+ "var/log/lighttpd/{domain}/error.log",
1507
+ "var/log/nginx/access_log",
1508
+ "var/log/nginx/error_log",
1509
+ "var/log/nginx/access.log",
1510
+ "var/log/nginx/error.log",
1511
+ "var/log/nginx.access_log",
1512
+ "var/log/nginx.error_log",
1513
+ "var/log/samba/log.smbd",
1514
+ "var/log/samba/log.nmbd",
1515
+ "var/log/samba.log",
1516
+ "var/log/samba.log1",
1517
+ "var/log/samba.log2",
1518
+ "var/log/log.smb",
1519
+ "var/log/ipfw.log",
1520
+ "var/log/ipfw",
1521
+ "var/log/ipfw/ipfw.log",
1522
+ "var/log/ipfw.today",
1523
+ "var/log/poplog",
1524
+ "var/log/authlog",
1525
+ "var/log/news.all",
1526
+ "var/log/news/news.all",
1527
+ "var/log/news/news.crit",
1528
+ "var/log/news/news.err",
1529
+ "var/log/news/news.notice",
1530
+ "var/log/news/suck.err",
1531
+ "var/log/news/suck.notice",
1532
+ "var/log/messages",
1533
+ "var/log/messages.1",
1534
+ "var/log/user.log",
1535
+ "var/log/user.log.1",
1536
+ "var/log/auth.log",
1537
+ "var/log/pm-powersave.log",
1538
+ "var/log/xorg.0.log",
1539
+ "var/log/daemon.log",
1540
+ "var/log/daemon.log.1",
1541
+ "var/log/kern.log",
1542
+ "var/log/kern.log.1",
1543
+ "var/log/mail.err",
1544
+ "var/log/mail.info",
1545
+ "var/log/mail.warn",
1546
+ "var/log/ufw.log",
1547
+ "var/log/boot.log",
1548
+ "var/log/syslog",
1549
+ "var/log/syslog.1",
1550
+ "var/log/squirrelmail.log",
1551
+ "var/log/apache2/squirrelmail.log",
1552
+ "var/log/apache2/squirrelmail.err.log",
1553
+ "var/log/mail.log",
1348
1554
  "var/log/vmware/hostd.log",
1349
1555
  "var/log/vmware/hostd-1.log",
1350
1556
  "/wp-config.php",
@@ -1369,8 +1575,8 @@
1369
1575
  "/web.config",
1370
1576
  "includes/config.php",
1371
1577
  "includes/configure.php",
1372
- "config.inc.php",
1373
- "localsettings.php",
1578
+ "/config.inc.php",
1579
+ "/localsettings.php",
1374
1580
  "inc/config.php",
1375
1581
  "typo3conf/localconf.php",
1376
1582
  "config/app.php",
@@ -1397,7 +1603,122 @@
1397
1603
  "/ormconfig.json",
1398
1604
  "/tsconfig.json",
1399
1605
  "/webpack.config.js",
1400
- "/yarn.lock"
1606
+ "/yarn.lock",
1607
+ "proc/0",
1608
+ "proc/1",
1609
+ "proc/2",
1610
+ "proc/3",
1611
+ "proc/4",
1612
+ "proc/5",
1613
+ "proc/6",
1614
+ "proc/7",
1615
+ "proc/8",
1616
+ "proc/9",
1617
+ "proc/acpi",
1618
+ "proc/asound",
1619
+ "proc/bootconfig",
1620
+ "proc/buddyinfo",
1621
+ "proc/bus",
1622
+ "proc/cgroups",
1623
+ "proc/cmdline",
1624
+ "proc/config.gz",
1625
+ "proc/consoles",
1626
+ "proc/cpuinfo",
1627
+ "proc/crypto",
1628
+ "proc/devices",
1629
+ "proc/diskstats",
1630
+ "proc/dma",
1631
+ "proc/docker",
1632
+ "proc/driver",
1633
+ "proc/dynamic_debug",
1634
+ "proc/execdomains",
1635
+ "proc/fb",
1636
+ "proc/filesystems",
1637
+ "proc/fs",
1638
+ "proc/interrupts",
1639
+ "proc/iomem",
1640
+ "proc/ioports",
1641
+ "proc/ipmi",
1642
+ "proc/irq",
1643
+ "proc/kallsyms",
1644
+ "proc/kcore",
1645
+ "proc/keys",
1646
+ "proc/keys",
1647
+ "proc/key-users",
1648
+ "proc/kmsg",
1649
+ "proc/kpagecgroup",
1650
+ "proc/kpagecount",
1651
+ "proc/kpageflags",
1652
+ "proc/latency_stats",
1653
+ "proc/loadavg",
1654
+ "proc/locks",
1655
+ "proc/mdstat",
1656
+ "proc/meminfo",
1657
+ "proc/misc",
1658
+ "proc/modules",
1659
+ "proc/mounts",
1660
+ "proc/mpt",
1661
+ "proc/mtd",
1662
+ "proc/mtrr",
1663
+ "proc/net",
1664
+ "proc/net/tcp",
1665
+ "proc/net/udp",
1666
+ "proc/pagetypeinfo",
1667
+ "proc/partitions",
1668
+ "proc/pressure",
1669
+ "proc/sched_debug",
1670
+ "proc/schedstat",
1671
+ "proc/scsi",
1672
+ "proc/self",
1673
+ "proc/self/cmdline",
1674
+ "proc/self/environ",
1675
+ "proc/self/fd/0",
1676
+ "proc/self/fd/1",
1677
+ "proc/self/fd/10",
1678
+ "proc/self/fd/11",
1679
+ "proc/self/fd/12",
1680
+ "proc/self/fd/13",
1681
+ "proc/self/fd/14",
1682
+ "proc/self/fd/15",
1683
+ "proc/self/fd/2",
1684
+ "proc/self/fd/3",
1685
+ "proc/self/fd/4",
1686
+ "proc/self/fd/5",
1687
+ "proc/self/fd/6",
1688
+ "proc/self/fd/7",
1689
+ "proc/self/fd/8",
1690
+ "proc/self/fd/9",
1691
+ "proc/self/mounts",
1692
+ "proc/self/stat",
1693
+ "proc/self/status",
1694
+ "proc/slabinfo",
1695
+ "proc/softirqs",
1696
+ "proc/stat",
1697
+ "proc/swaps",
1698
+ "proc/sys",
1699
+ "proc/sysrq-trigger",
1700
+ "proc/sysvipc",
1701
+ "proc/thread-self",
1702
+ "proc/timer_list",
1703
+ "proc/timer_stats",
1704
+ "proc/tty",
1705
+ "proc/uptime",
1706
+ "proc/version",
1707
+ "proc/version_signature",
1708
+ "proc/vmallocinfo",
1709
+ "proc/vmstat",
1710
+ "proc/zoneinfo",
1711
+ "sys/block",
1712
+ "sys/bus",
1713
+ "sys/class",
1714
+ "sys/dev",
1715
+ "sys/devices",
1716
+ "sys/firmware",
1717
+ "sys/fs",
1718
+ "sys/hypervisor",
1719
+ "sys/kernel",
1720
+ "sys/module",
1721
+ "sys/power"
1401
1722
  ]
1402
1723
  },
1403
1724
  "operator": "phrase_match"
@@ -1511,103 +1832,456 @@
1511
1832
  "$ostype",
1512
1833
  "$path",
1513
1834
  "$pwd",
1835
+ "dev/fd/",
1836
+ "dev/null",
1837
+ "dev/stderr",
1838
+ "dev/stdin",
1839
+ "dev/stdout",
1840
+ "dev/tcp/",
1841
+ "dev/udp/",
1842
+ "dev/zero",
1843
+ "etc/group",
1844
+ "etc/master.passwd",
1845
+ "etc/passwd",
1846
+ "etc/pwd.db",
1847
+ "etc/shadow",
1848
+ "etc/shells",
1849
+ "etc/spwd.db",
1850
+ "proc/self/",
1851
+ "bin/7z",
1852
+ "bin/7za",
1853
+ "bin/7zr",
1854
+ "bin/ab",
1855
+ "bin/agetty",
1856
+ "bin/ansible-playbook",
1857
+ "bin/apt",
1858
+ "bin/apt-get",
1859
+ "bin/ar",
1860
+ "bin/aria2c",
1861
+ "bin/arj",
1862
+ "bin/arp",
1863
+ "bin/as",
1864
+ "bin/ascii-xfr",
1865
+ "bin/ascii85",
1866
+ "bin/ash",
1867
+ "bin/aspell",
1868
+ "bin/at",
1869
+ "bin/atobm",
1870
+ "bin/awk",
1871
+ "bin/base32",
1872
+ "bin/base64",
1873
+ "bin/basenc",
1514
1874
  "bin/bash",
1875
+ "bin/bpftrace",
1876
+ "bin/bridge",
1877
+ "bin/bundler",
1878
+ "bin/bunzip2",
1879
+ "bin/busctl",
1880
+ "bin/busybox",
1881
+ "bin/byebug",
1882
+ "bin/bzcat",
1883
+ "bin/bzcmp",
1884
+ "bin/bzdiff",
1885
+ "bin/bzegrep",
1886
+ "bin/bzexe",
1887
+ "bin/bzfgrep",
1888
+ "bin/bzgrep",
1889
+ "bin/bzip2",
1890
+ "bin/bzip2recover",
1891
+ "bin/bzless",
1892
+ "bin/bzmore",
1893
+ "bin/bzz",
1894
+ "bin/c89",
1895
+ "bin/c99",
1896
+ "bin/cancel",
1897
+ "bin/capsh",
1515
1898
  "bin/cat",
1899
+ "bin/cc",
1900
+ "bin/certbot",
1901
+ "bin/check_by_ssh",
1902
+ "bin/check_cups",
1903
+ "bin/check_log",
1904
+ "bin/check_memory",
1905
+ "bin/check_raid",
1906
+ "bin/check_ssl_cert",
1907
+ "bin/check_statusfile",
1908
+ "bin/chmod",
1909
+ "bin/choom",
1910
+ "bin/chown",
1911
+ "bin/chroot",
1912
+ "bin/clang",
1913
+ "bin/clang++",
1914
+ "bin/cmp",
1915
+ "bin/cobc",
1916
+ "bin/column",
1917
+ "bin/comm",
1918
+ "bin/composer",
1919
+ "bin/core_perl/zipdetails",
1920
+ "bin/cowsay",
1921
+ "bin/cowthink",
1922
+ "bin/cp",
1923
+ "bin/cpan",
1924
+ "bin/cpio",
1925
+ "bin/cpulimit",
1926
+ "bin/crash",
1927
+ "bin/crontab",
1516
1928
  "bin/csh",
1929
+ "bin/csplit",
1930
+ "bin/csvtool",
1931
+ "bin/cupsfilter",
1932
+ "bin/curl",
1933
+ "bin/cut",
1517
1934
  "bin/dash",
1935
+ "bin/date",
1936
+ "bin/dd",
1937
+ "bin/dev/fd/",
1938
+ "bin/dev/null",
1939
+ "bin/dev/stderr",
1940
+ "bin/dev/stdin",
1941
+ "bin/dev/stdout",
1942
+ "bin/dev/tcp/",
1943
+ "bin/dev/udp/",
1944
+ "bin/dev/zero",
1945
+ "bin/dialog",
1946
+ "bin/diff",
1947
+ "bin/dig",
1948
+ "bin/dmesg",
1949
+ "bin/dmidecode",
1950
+ "bin/dmsetup",
1951
+ "bin/dnf",
1952
+ "bin/docker",
1953
+ "bin/dosbox",
1954
+ "bin/dpkg",
1518
1955
  "bin/du",
1956
+ "bin/dvips",
1957
+ "bin/easy_install",
1958
+ "bin/eb",
1519
1959
  "bin/echo",
1960
+ "bin/ed",
1961
+ "bin/efax",
1962
+ "bin/emacs",
1963
+ "bin/env",
1964
+ "bin/eqn",
1965
+ "bin/es",
1966
+ "bin/esh",
1967
+ "bin/etc/group",
1968
+ "bin/etc/master.passwd",
1969
+ "bin/etc/passwd",
1970
+ "bin/etc/pwd.db",
1971
+ "bin/etc/shadow",
1972
+ "bin/etc/shells",
1973
+ "bin/etc/spwd.db",
1974
+ "bin/ex",
1975
+ "bin/exiftool",
1976
+ "bin/expand",
1977
+ "bin/expect",
1978
+ "bin/expr",
1979
+ "bin/facter",
1980
+ "bin/fetch",
1981
+ "bin/file",
1982
+ "bin/find",
1983
+ "bin/finger",
1984
+ "bin/fish",
1985
+ "bin/flock",
1986
+ "bin/fmt",
1987
+ "bin/fold",
1988
+ "bin/fping",
1989
+ "bin/ftp",
1990
+ "bin/gawk",
1991
+ "bin/gcc",
1992
+ "bin/gcore",
1993
+ "bin/gdb",
1994
+ "bin/gem",
1995
+ "bin/genie",
1996
+ "bin/genisoimage",
1997
+ "bin/ghc",
1998
+ "bin/ghci",
1999
+ "bin/gimp",
2000
+ "bin/ginsh",
2001
+ "bin/git",
2002
+ "bin/grc",
1520
2003
  "bin/grep",
2004
+ "bin/gtester",
2005
+ "bin/gunzip",
2006
+ "bin/gzexe",
2007
+ "bin/gzip",
2008
+ "bin/hd",
2009
+ "bin/head",
2010
+ "bin/hexdump",
2011
+ "bin/highlight",
2012
+ "bin/hping3",
2013
+ "bin/iconv",
2014
+ "bin/id",
2015
+ "bin/iftop",
2016
+ "bin/install",
2017
+ "bin/ionice",
2018
+ "bin/ip",
2019
+ "bin/irb",
2020
+ "bin/ispell",
2021
+ "bin/jjs",
2022
+ "bin/join",
2023
+ "bin/journalctl",
2024
+ "bin/jq",
2025
+ "bin/jrunscript",
2026
+ "bin/knife",
2027
+ "bin/ksh",
2028
+ "bin/ksshell",
2029
+ "bin/latex",
2030
+ "bin/ld",
2031
+ "bin/ldconfig",
1521
2032
  "bin/less",
2033
+ "bin/lftp",
2034
+ "bin/ln",
2035
+ "bin/loginctl",
2036
+ "bin/logsave",
2037
+ "bin/look",
2038
+ "bin/lp",
1522
2039
  "bin/ls",
2040
+ "bin/ltrace",
2041
+ "bin/lua",
2042
+ "bin/lualatex",
2043
+ "bin/luatex",
2044
+ "bin/lwp-download",
2045
+ "bin/lwp-request",
2046
+ "bin/lz",
2047
+ "bin/lz4",
2048
+ "bin/lz4c",
2049
+ "bin/lz4cat",
2050
+ "bin/lzcat",
2051
+ "bin/lzcmp",
2052
+ "bin/lzdiff",
2053
+ "bin/lzegrep",
2054
+ "bin/lzfgrep",
2055
+ "bin/lzgrep",
2056
+ "bin/lzless",
2057
+ "bin/lzma",
2058
+ "bin/lzmadec",
2059
+ "bin/lzmainfo",
2060
+ "bin/lzmore",
2061
+ "bin/mail",
2062
+ "bin/make",
2063
+ "bin/man",
2064
+ "bin/mawk",
2065
+ "bin/mkfifo",
1523
2066
  "bin/mknod",
1524
2067
  "bin/more",
2068
+ "bin/mosquitto",
2069
+ "bin/mount",
2070
+ "bin/msgattrib",
2071
+ "bin/msgcat",
2072
+ "bin/msgconv",
2073
+ "bin/msgfilter",
2074
+ "bin/msgmerge",
2075
+ "bin/msguniq",
2076
+ "bin/mtr",
2077
+ "bin/mv",
2078
+ "bin/mysql",
2079
+ "bin/nano",
2080
+ "bin/nasm",
2081
+ "bin/nawk",
1525
2082
  "bin/nc",
2083
+ "bin/ncat",
2084
+ "bin/neofetch",
2085
+ "bin/nice",
2086
+ "bin/nl",
2087
+ "bin/nm",
2088
+ "bin/nmap",
2089
+ "bin/node",
2090
+ "bin/nohup",
2091
+ "bin/npm",
2092
+ "bin/nroff",
2093
+ "bin/nsenter",
2094
+ "bin/octave",
2095
+ "bin/od",
2096
+ "bin/openssl",
2097
+ "bin/openvpn",
2098
+ "bin/openvt",
2099
+ "bin/opkg",
2100
+ "bin/paste",
2101
+ "bin/pax",
2102
+ "bin/pdb",
2103
+ "bin/pdflatex",
2104
+ "bin/pdftex",
2105
+ "bin/pdksh",
2106
+ "bin/perf",
2107
+ "bin/perl",
2108
+ "bin/pg",
2109
+ "bin/php",
2110
+ "bin/php-cgi",
2111
+ "bin/php5",
2112
+ "bin/php7",
2113
+ "bin/pic",
2114
+ "bin/pico",
2115
+ "bin/pidstat",
2116
+ "bin/pigz",
2117
+ "bin/pip",
2118
+ "bin/pkexec",
2119
+ "bin/pkg",
2120
+ "bin/pr",
2121
+ "bin/printf",
2122
+ "bin/proc/self/",
2123
+ "bin/pry",
1526
2124
  "bin/ps",
2125
+ "bin/psed",
2126
+ "bin/psftp",
2127
+ "bin/psql",
2128
+ "bin/ptx",
2129
+ "bin/puppet",
2130
+ "bin/pxz",
2131
+ "bin/python",
2132
+ "bin/python2",
2133
+ "bin/python3",
2134
+ "bin/rake",
1527
2135
  "bin/rbash",
2136
+ "bin/rc",
2137
+ "bin/readelf",
2138
+ "bin/red",
2139
+ "bin/redcarpet",
2140
+ "bin/restic",
2141
+ "bin/rev",
2142
+ "bin/rlogin",
2143
+ "bin/rlwrap",
2144
+ "bin/rpm",
2145
+ "bin/rpmquery",
2146
+ "bin/rsync",
2147
+ "bin/ruby",
2148
+ "bin/run-mailcap",
2149
+ "bin/run-parts",
2150
+ "bin/rview",
2151
+ "bin/rvim",
2152
+ "bin/sash",
2153
+ "bin/sbin/capsh",
2154
+ "bin/sbin/logsave",
2155
+ "bin/sbin/service",
2156
+ "bin/sbin/start-stop-daemon",
2157
+ "bin/scp",
2158
+ "bin/screen",
2159
+ "bin/script",
2160
+ "bin/sed",
2161
+ "bin/service",
2162
+ "bin/setarch",
2163
+ "bin/sftp",
2164
+ "bin/sg",
1528
2165
  "bin/sh",
2166
+ "bin/shuf",
1529
2167
  "bin/sleep",
2168
+ "bin/slsh",
2169
+ "bin/smbclient",
2170
+ "bin/snap",
2171
+ "bin/socat",
2172
+ "bin/soelim",
2173
+ "bin/sort",
2174
+ "bin/split",
2175
+ "bin/sqlite3",
2176
+ "bin/ss",
2177
+ "bin/ssh",
2178
+ "bin/ssh-keygen",
2179
+ "bin/ssh-keyscan",
2180
+ "bin/sshpass",
2181
+ "bin/start-stop-daemon",
2182
+ "bin/stdbuf",
2183
+ "bin/strace",
2184
+ "bin/strings",
1530
2185
  "bin/su",
2186
+ "bin/sysctl",
2187
+ "bin/systemctl",
2188
+ "bin/systemd-resolve",
2189
+ "bin/tac",
2190
+ "bin/tail",
2191
+ "bin/tar",
2192
+ "bin/task",
2193
+ "bin/taskset",
2194
+ "bin/tbl",
2195
+ "bin/tclsh",
2196
+ "bin/tcpdump",
1531
2197
  "bin/tcsh",
2198
+ "bin/tee",
2199
+ "bin/telnet",
2200
+ "bin/tex",
2201
+ "bin/tftp",
2202
+ "bin/tic",
2203
+ "bin/time",
2204
+ "bin/timedatectl",
2205
+ "bin/timeout",
2206
+ "bin/tmux",
2207
+ "bin/top",
2208
+ "bin/troff",
2209
+ "bin/tshark",
2210
+ "bin/ul",
1532
2211
  "bin/uname",
1533
- "dev/fd/",
1534
- "dev/null",
1535
- "dev/stderr",
1536
- "dev/stdin",
1537
- "dev/stdout",
1538
- "dev/tcp/",
1539
- "dev/udp/",
1540
- "dev/zero",
1541
- "etc/group",
1542
- "etc/master.passwd",
1543
- "etc/passwd",
1544
- "etc/pwd.db",
1545
- "etc/shadow",
1546
- "etc/shells",
1547
- "etc/spwd.db",
1548
- "proc/self/",
1549
- "usr/bin/awk",
1550
- "usr/bin/base64",
1551
- "usr/bin/cat",
1552
- "usr/bin/cc",
1553
- "usr/bin/clang",
1554
- "usr/bin/clang++",
1555
- "usr/bin/curl",
1556
- "usr/bin/diff",
1557
- "usr/bin/env",
1558
- "usr/bin/fetch",
1559
- "usr/bin/file",
1560
- "usr/bin/find",
1561
- "usr/bin/ftp",
1562
- "usr/bin/gawk",
1563
- "usr/bin/gcc",
1564
- "usr/bin/head",
1565
- "usr/bin/hexdump",
1566
- "usr/bin/id",
1567
- "usr/bin/less",
1568
- "usr/bin/ln",
1569
- "usr/bin/mkfifo",
1570
- "usr/bin/more",
1571
- "usr/bin/nc",
1572
- "usr/bin/ncat",
1573
- "usr/bin/nice",
1574
- "usr/bin/nmap",
1575
- "usr/bin/perl",
1576
- "usr/bin/php",
1577
- "usr/bin/php5",
1578
- "usr/bin/php7",
1579
- "usr/bin/php-cgi",
1580
- "usr/bin/printf",
1581
- "usr/bin/psed",
1582
- "usr/bin/python",
1583
- "usr/bin/python2",
1584
- "usr/bin/python3",
1585
- "usr/bin/ruby",
1586
- "usr/bin/sed",
1587
- "usr/bin/socat",
1588
- "usr/bin/tail",
1589
- "usr/bin/tee",
1590
- "usr/bin/telnet",
1591
- "usr/bin/top",
1592
- "usr/bin/uname",
1593
- "usr/bin/wget",
1594
- "usr/bin/who",
1595
- "usr/bin/whoami",
1596
- "usr/bin/xargs",
1597
- "usr/bin/xxd",
1598
- "usr/bin/yes",
1599
- "usr/local/bin/bash",
1600
- "usr/local/bin/curl",
1601
- "usr/local/bin/ncat",
1602
- "usr/local/bin/nmap",
1603
- "usr/local/bin/perl",
1604
- "usr/local/bin/php",
1605
- "usr/local/bin/python",
1606
- "usr/local/bin/python2",
1607
- "usr/local/bin/python3",
1608
- "usr/local/bin/rbash",
1609
- "usr/local/bin/ruby",
1610
- "usr/local/bin/wget"
2212
+ "bin/uncompress",
2213
+ "bin/unexpand",
2214
+ "bin/uniq",
2215
+ "bin/unlz4",
2216
+ "bin/unlzma",
2217
+ "bin/unpigz",
2218
+ "bin/unrar",
2219
+ "bin/unshare",
2220
+ "bin/unxz",
2221
+ "bin/unzip",
2222
+ "bin/unzstd",
2223
+ "bin/update-alternatives",
2224
+ "bin/uudecode",
2225
+ "bin/uuencode",
2226
+ "bin/valgrind",
2227
+ "bin/vi",
2228
+ "bin/view",
2229
+ "bin/vigr",
2230
+ "bin/vim",
2231
+ "bin/vimdiff",
2232
+ "bin/vipw",
2233
+ "bin/virsh",
2234
+ "bin/volatility",
2235
+ "bin/wall",
2236
+ "bin/watch",
2237
+ "bin/wc",
2238
+ "bin/wget",
2239
+ "bin/whiptail",
2240
+ "bin/who",
2241
+ "bin/whoami",
2242
+ "bin/whois",
2243
+ "bin/wireshark",
2244
+ "bin/wish",
2245
+ "bin/xargs",
2246
+ "bin/xelatex",
2247
+ "bin/xetex",
2248
+ "bin/xmodmap",
2249
+ "bin/xmore",
2250
+ "bin/xpad",
2251
+ "bin/xxd",
2252
+ "bin/xz",
2253
+ "bin/xzcat",
2254
+ "bin/xzcmp",
2255
+ "bin/xzdec",
2256
+ "bin/xzdiff",
2257
+ "bin/xzegrep",
2258
+ "bin/xzfgrep",
2259
+ "bin/xzgrep",
2260
+ "bin/xzless",
2261
+ "bin/xzmore",
2262
+ "bin/yarn",
2263
+ "bin/yelp",
2264
+ "bin/yes",
2265
+ "bin/yum",
2266
+ "bin/zathura",
2267
+ "bin/zip",
2268
+ "bin/zipcloak",
2269
+ "bin/zipcmp",
2270
+ "bin/zipdetails",
2271
+ "bin/zipgrep",
2272
+ "bin/zipinfo",
2273
+ "bin/zipmerge",
2274
+ "bin/zipnote",
2275
+ "bin/zipsplit",
2276
+ "bin/ziptool",
2277
+ "bin/zsh",
2278
+ "bin/zsoelim",
2279
+ "bin/zstd",
2280
+ "bin/zstdcat",
2281
+ "bin/zstdgrep",
2282
+ "bin/zstdless",
2283
+ "bin/zstdmt",
2284
+ "bin/zypper"
1611
2285
  ]
1612
2286
  },
1613
2287
  "operator": "phrase_match"
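Review bot: A run of the added entries re-lists non-binary paths under a `bin/` prefix — `bin/dev/fd/` through `bin/dev/zero`, `bin/etc/group` through `bin/etc/spwd.db`, `bin/proc/self/` and the `bin/sbin/*` entries — which reads as a generation artifact rather than real filesystem locations. Under `phrase_match` they are dead weight: any input containing `bin/etc/passwd` already matches the unprefixed `etc/passwd` entry a few lines above, so dropping them changes nothing but the size of the list the WAF has to load. The same unreviewed duplication shows in the preceding hunk, where `proc/keys` appears twice in a row. Consider deduplicating the generated list before committing it.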
@@ -1791,14 +2465,6 @@
1791
2465
  ],
1792
2466
  "list": [
1793
2467
  "$globals",
1794
- "$http_cookie_vars",
1795
- "$http_env_vars",
1796
- "$http_get_vars",
1797
- "$http_post_files",
1798
- "$http_post_vars",
1799
- "$http_raw_post_data",
1800
- "$http_request_vars",
1801
- "$http_server_vars",
1802
2468
  "$_cookie",
1803
2469
  "$_env",
1804
2470
  "$_files",
@@ -1808,7 +2474,17 @@
1808
2474
  "$_server",
1809
2475
  "$_session",
1810
2476
  "$argc",
1811
- "$argv"
2477
+ "$argv",
2478
+ "$http_\\u200bresponse_\\u200bheader",
2479
+ "$php_\\u200berrormsg",
2480
+ "$http_cookie_vars",
2481
+ "$http_env_vars",
2482
+ "$http_get_vars",
2483
+ "$http_post_files",
2484
+ "$http_post_vars",
2485
+ "$http_raw_post_data",
2486
+ "$http_request_vars",
2487
+ "$http_server_vars"
1812
2488
  ]
1813
2489
  },
1814
2490
  "operator": "phrase_match"
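Review bot: The two new entries `"$http_\\u200bresponse_\\u200bheader"` and `"$php_\\u200berrormsg"` embed a `\u200b` (zero-width space) sequence inside the variable name, which is how php.net typesets these long names, so this looks like a copy-paste from the documentation. Whether that escape decodes to U+200B or stays a literal backslash sequence, a `phrase_match` against it can never fire on the real tokens `$http_response_header` and `$php_errormsg`, so the two additions detect nothing. They should read `"$http_response_header",` and `"$php_errormsg",`.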
@@ -1993,7 +2669,7 @@
1993
2669
  "address": "grpc.server.request.message"
1994
2670
  }
1995
2671
  ],
1996
- "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|
read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
2672
+ "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|i
magetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\")*\\(.*\\)",
1997
2673
  "options": {
1998
2674
  "min_length": 5
1999
2675
  }
@@ -2067,7 +2743,7 @@
2067
2743
  "address": "grpc.server.request.message"
2068
2744
  }
2069
2745
  ],
2070
- "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://",
2746
+ "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",
2071
2747
  "options": {
2072
2748
  "case_sensitive": true,
2073
2749
  "min_length": 6
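Review bot: The rewritten wrapper regex drops the `(?i:` prefix that the 3.2.0 pattern carried while `case_sensitive` stays `true`, so `PHAR://`, `Zip://` and other mixed-case schemes no longer match. If this narrowing was not deliberate, restore it as `"regex": "(?i:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",`. As far as I recall PHP resolves wrapper scheme names case-insensitively, which would make a lowercase-only pattern trivially evadable; worth confirming against the upstream rule before shipping.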
@@ -2082,7 +2758,7 @@
2082
2758
  },
2083
2759
  {
2084
2760
  "id": "crs-934-100",
2085
- "name": "Node.js Injection Attack",
2761
+ "name": "Node.js Injection Attack 1/2",
2086
2762
  "tags": {
2087
2763
  "type": "js_code_injection",
2088
2764
  "crs_id": "934100",
@@ -2105,7 +2781,43 @@
2105
2781
  "address": "grpc.server.request.message"
2106
2782
  }
2107
2783
  ],
2108
- "regex": "(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)",
2784
+ "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
2785
+ "options": {
2786
+ "case_sensitive": true,
2787
+ "min_length": 3
2788
+ }
2789
+ },
2790
+ "operator": "match_regex"
2791
+ }
2792
+ ],
2793
+ "transformers": []
2794
+ },
2795
+ {
2796
+ "id": "crs-934-101",
2797
+ "name": "Node.js Injection Attack 2/2",
2798
+ "tags": {
2799
+ "type": "js_code_injection",
2800
+ "crs_id": "934101",
2801
+ "category": "attack_attempt"
2802
+ },
2803
+ "conditions": [
2804
+ {
2805
+ "parameters": {
2806
+ "inputs": [
2807
+ {
2808
+ "address": "server.request.query"
2809
+ },
2810
+ {
2811
+ "address": "server.request.body"
2812
+ },
2813
+ {
2814
+ "address": "server.request.path_params"
2815
+ },
2816
+ {
2817
+ "address": "grpc.server.request.message"
2818
+ }
2819
+ ],
2820
+ "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(",
2109
2821
  "options": {
2110
2822
  "case_sensitive": true,
2111
2823
  "min_length": 5
@@ -2247,7 +2959,7 @@
2247
2959
  "address": "grpc.server.request.message"
2248
2960
  }
2249
2961
  ],
2250
- "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2962
+ "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
2251
2963
  "options": {
2252
2964
  "min_length": 8
2253
2965
  }
@@ -2308,6 +3020,52 @@
2308
3020
  "removeNulls"
2309
3021
  ]
2310
3022
  },
3023
+ {
3024
+ "id": "crs-941-170",
3025
+ "name": "NoScript XSS InjectionChecker: Attribute Injection",
3026
+ "tags": {
3027
+ "type": "xss",
3028
+ "crs_id": "941170",
3029
+ "category": "attack_attempt"
3030
+ },
3031
+ "conditions": [
3032
+ {
3033
+ "parameters": {
3034
+ "inputs": [
3035
+ {
3036
+ "address": "server.request.headers.no_cookies",
3037
+ "key_path": [
3038
+ "user-agent"
3039
+ ]
3040
+ },
3041
+ {
3042
+ "address": "server.request.headers.no_cookies",
3043
+ "key_path": [
3044
+ "referer"
3045
+ ]
3046
+ },
3047
+ {
3048
+ "address": "server.request.query"
3049
+ },
3050
+ {
3051
+ "address": "server.request.body"
3052
+ },
3053
+ {
3054
+ "address": "server.request.path_params"
3055
+ }
3056
+ ],
3057
+ "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
3058
+ "options": {
3059
+ "min_length": 6
3060
+ }
3061
+ },
3062
+ "operator": "match_regex"
3063
+ }
3064
+ ],
3065
+ "transformers": [
3066
+ "removeNulls"
3067
+ ]
3068
+ },
2311
3069
  {
2312
3070
  "id": "crs-941-180",
2313
3071
  "name": "Node-Validator Deny List Keywords",
@@ -2414,7 +3172,7 @@
2414
3172
  "address": "grpc.server.request.message"
2415
3173
  }
2416
3174
  ],
2417
- "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
3175
+ "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
2418
3176
  "options": {
2419
3177
  "case_sensitive": true,
2420
3178
  "min_length": 12
@@ -2762,11 +3520,11 @@
2762
3520
  "transformers": []
2763
3521
  },
2764
3522
  {
2765
- "id": "crs-942-100",
2766
- "name": "SQL Injection Attack Detected via libinjection",
3523
+ "id": "crs-941-390",
3524
+ "name": "Javascript method detected",
2767
3525
  "tags": {
2768
- "type": "sql_injection",
2769
- "crs_id": "942100",
3526
+ "type": "xss",
3527
+ "crs_id": "941390",
2770
3528
  "category": "attack_attempt"
2771
3529
  },
2772
3530
  "conditions": [
@@ -2785,21 +3543,24 @@
2785
3543
  {
2786
3544
  "address": "grpc.server.request.message"
2787
3545
  }
2788
- ]
3546
+ ],
3547
+ "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function)\\s*\\(",
3548
+ "options": {
3549
+ "case_sensitive": true,
3550
+ "min_length": 5
3551
+ }
2789
3552
  },
2790
- "operator": "is_sqli"
3553
+ "operator": "match_regex"
2791
3554
  }
2792
3555
  ],
2793
- "transformers": [
2794
- "removeNulls"
2795
- ]
3556
+ "transformers": []
2796
3557
  },
2797
3558
  {
2798
- "id": "crs-942-160",
2799
- "name": "Detects blind sqli tests using sleep() or benchmark()",
3559
+ "id": "crs-942-100",
3560
+ "name": "SQL Injection Attack Detected via libinjection",
2800
3561
  "tags": {
2801
3562
  "type": "sql_injection",
2802
- "crs_id": "942160",
3563
+ "crs_id": "942100",
2803
3564
  "category": "attack_attempt"
2804
3565
  },
2805
3566
  "conditions": [
@@ -2818,24 +3579,21 @@
2818
3579
  {
2819
3580
  "address": "grpc.server.request.message"
2820
3581
  }
2821
- ],
2822
- "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2823
- "options": {
2824
- "case_sensitive": true,
2825
- "min_length": 7
2826
- }
3582
+ ]
2827
3583
  },
2828
- "operator": "match_regex"
3584
+ "operator": "is_sqli"
2829
3585
  }
2830
3586
  ],
2831
- "transformers": []
3587
+ "transformers": [
3588
+ "removeNulls"
3589
+ ]
2832
3590
  },
2833
3591
  {
2834
- "id": "crs-942-190",
2835
- "name": "Detects MSSQL code execution and information gathering attempts",
3592
+ "id": "crs-942-160",
3593
+ "name": "Detects blind sqli tests using sleep() or benchmark()",
2836
3594
  "tags": {
2837
3595
  "type": "sql_injection",
2838
- "crs_id": "942190",
3596
+ "crs_id": "942160",
2839
3597
  "category": "attack_attempt"
2840
3598
  },
2841
3599
  "conditions": [
@@ -2855,9 +3613,10 @@
2855
3613
  "address": "grpc.server.request.message"
2856
3614
  }
2857
3615
  ],
2858
- "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
3616
+ "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
2859
3617
  "options": {
2860
- "min_length": 3
3618
+ "case_sensitive": true,
3619
+ "min_length": 7
2861
3620
  }
2862
3621
  },
2863
3622
  "operator": "match_regex"
@@ -3031,10 +3790,10 @@
3031
3790
  "address": "grpc.server.request.message"
3032
3791
  }
3033
3792
  ],
3034
- "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
3793
+ "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?))",
3035
3794
  "options": {
3036
3795
  "case_sensitive": true,
3037
- "min_length": 5
3796
+ "min_length": 3
3038
3797
  }
3039
3798
  },
3040
3799
  "operator": "match_regex"
@@ -3338,6 +4097,45 @@
3338
4097
  "lowercase"
3339
4098
  ]
3340
4099
  },
4100
+ {
4101
+ "id": "crs-944-260",
4102
+ "name": "Remote Command Execution: Malicious class-loading payload",
4103
+ "tags": {
4104
+ "type": "java_code_injection",
4105
+ "crs_id": "944260",
4106
+ "category": "attack_attempt"
4107
+ },
4108
+ "conditions": [
4109
+ {
4110
+ "parameters": {
4111
+ "inputs": [
4112
+ {
4113
+ "address": "server.request.query"
4114
+ },
4115
+ {
4116
+ "address": "server.request.body"
4117
+ },
4118
+ {
4119
+ "address": "server.request.path_params"
4120
+ },
4121
+ {
4122
+ "address": "server.request.headers.no_cookies"
4123
+ },
4124
+ {
4125
+ "address": "grpc.server.request.message"
4126
+ }
4127
+ ],
4128
+ "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)",
4129
+ "options": {
4130
+ "case_sensitive": true,
4131
+ "min_length": 58
4132
+ }
4133
+ },
4134
+ "operator": "match_regex"
4135
+ }
4136
+ ],
4137
+ "transformers": []
4138
+ },
3341
4139
  {
3342
4140
  "id": "dog-000-001",
3343
4141
  "name": "Look for Cassandra injections",
@@ -3383,6 +4181,9 @@
3383
4181
  "operator": "match_regex",
3384
4182
  "parameters": {
3385
4183
  "inputs": [
4184
+ {
4185
+ "address": "server.request.uri.raw"
4186
+ },
3386
4187
  {
3387
4188
  "address": "server.request.query"
3388
4189
  },
@@ -3469,6 +4270,74 @@
3469
4270
  "keys_only"
3470
4271
  ]
3471
4272
  },
4273
+ {
4274
+ "id": "dog-000-005",
4275
+ "name": "Node.js: Prototype pollution through __proto__",
4276
+ "tags": {
4277
+ "type": "js_code_injection",
4278
+ "category": "attack_attempt"
4279
+ },
4280
+ "conditions": [
4281
+ {
4282
+ "parameters": {
4283
+ "inputs": [
4284
+ {
4285
+ "address": "server.request.query"
4286
+ },
4287
+ {
4288
+ "address": "server.request.body"
4289
+ }
4290
+ ],
4291
+ "regex": "^__proto__$"
4292
+ },
4293
+ "operator": "match_regex"
4294
+ }
4295
+ ],
4296
+ "transformers": [
4297
+ "keys_only"
4298
+ ]
4299
+ },
4300
+ {
4301
+ "id": "dog-000-006",
4302
+ "name": "Node.js: Prototype pollution through constructor.prototype",
4303
+ "tags": {
4304
+ "type": "js_code_injection",
4305
+ "category": "attack_attempt"
4306
+ },
4307
+ "conditions": [
4308
+ {
4309
+ "parameters": {
4310
+ "inputs": [
4311
+ {
4312
+ "address": "server.request.query"
4313
+ },
4314
+ {
4315
+ "address": "server.request.body"
4316
+ }
4317
+ ],
4318
+ "regex": "^constructor$"
4319
+ },
4320
+ "operator": "match_regex"
4321
+ },
4322
+ {
4323
+ "parameters": {
4324
+ "inputs": [
4325
+ {
4326
+ "address": "server.request.query"
4327
+ },
4328
+ {
4329
+ "address": "server.request.body"
4330
+ }
4331
+ ],
4332
+ "regex": "^prototype$"
4333
+ },
4334
+ "operator": "match_regex"
4335
+ }
4336
+ ],
4337
+ "transformers": [
4338
+ "keys_only"
4339
+ ]
4340
+ },
3472
4341
  {
3473
4342
  "id": "nfd-000-001",
3474
4343
  "name": "Detect common directory discovery scans",
@@ -4346,7 +5215,7 @@
4346
5215
  "address": "grpc.server.request.message"
4347
5216
  }
4348
5217
  ],
4349
- "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"
5218
+ "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
4350
5219
  },
4351
5220
  "operator": "match_regex"
4352
5221
  }