Merge pull request #2662 from DataDog/appsec-update-ruleset-to-1.5.2
[APPSEC-8492] Appsec update ruleset to 1.5.2
GustavoCaso authored Mar 3, 2023
2 parents 085ad1b + ab9777c commit 94721a7
Showing 2 changed files with 72 additions and 44 deletions.
84 changes: 41 additions & 43 deletions lib/datadog/appsec/assets/waf_rules/recommended.json
@@ -1,7 +1,7 @@
{
"version": "2.2",
"metadata": {
"rules_version": "1.5.1"
"rules_version": "1.5.2"
},
"rules": [
{
Expand Down Expand Up @@ -1351,16 +1351,11 @@
"etc/timezone",
"etc/modules",
"etc/passwd",
"etc/passwd~",
"etc/passwd-",
"etc/shadow",
"etc/shadow~",
"etc/shadow-",
"etc/fstab",
"etc/motd",
"etc/hosts",
"etc/group",
"etc/group-",
"etc/alias",
"etc/crontab",
"etc/crypttab",
Expand Down Expand Up @@ -1871,11 +1866,8 @@
"dev/tcp/",
"dev/udp/",
"dev/zero",
"etc/group",
"etc/master.passwd",
"etc/passwd",
"etc/pwd.db",
"etc/shadow",
"etc/shells",
"etc/spwd.db",
"proc/self/",
Expand Down Expand Up @@ -4090,9 +4082,7 @@
"java.lang.number",
"java.lang.object",
"java.lang.process",
"java.lang.processbuilder",
"java.lang.reflect",
"java.lang.runtime",
"java.lang.string",
"java.lang.stringbuilder",
"java.lang.system",
Expand Down Expand Up @@ -4455,6 +4445,44 @@
],
"transformers": []
},
{
"id": "dog-942-001",
"name": "Blind XSS callback domains",
"tags": {
"type": "xss",
"category": "attack_attempt",
"confidence": "1"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
},
{
"address": "server.request.headers.no_cookies"
},
{
"address": "grpc.server.request.message"
}
],
"regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)",
"options": {
"case_sensitive": false
}
},
"operator": "match_regex"
}
],
"transformers": []
},
{
"id": "nfd-000-001",
"name": "Detect common directory discovery scans",
Expand Down Expand Up @@ -5083,36 +5111,6 @@
"removeNulls"
]
},
{
"id": "sqr-000-007",
"name": "NoSQL: Detect common exploitation strategy",
"tags": {
"type": "nosql_injection",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
}
],
"regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
},
"operator": "match_regex"
}
],
"transformers": [
"keys_only"
]
},
{
"id": "sqr-000-008",
"name": "Windows: Detect attempts to exfiltrate .ini files",
Expand Down Expand Up @@ -5312,7 +5310,7 @@
"address": "grpc.server.request.message"
}
],
"regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"
"regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$"
},
"operator": "match_regex"
}
Expand Down Expand Up @@ -5349,7 +5347,7 @@
"address": "grpc.server.request.message"
}
],
"regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
"regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
},
"operator": "match_regex"
}
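Review bot: The new `dog-942-001` rule in the `@@ -4455,6 +4445,44 @@` hunk uses the regex `"https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)"`, which has no terminator after the domain alternation and whose leading `.*` also spans `/`, so it matches a host such as `bxss.info`-style longer names and matches the listed domain anywhere in the URL text rather than only in the host position. That is presumably deliberate for a broad indicator match, but with `"case_sensitive": false` applied to query, body, path-param and header inputs it widens the false-positive surface, so it is worth confirming against the upstream ruleset that this was accepted. A bounded form would be `"regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)(?![\\w-])"`, though since this file is a vendored asset the fix belongs upstream rather than in this copy. The extended SSRF callback list at `@@ -5349,7 +5347,7 @@` has the same unbounded shape, inherited from the pre-existing pattern.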
32 changes: 31 additions & 1 deletion lib/datadog/appsec/assets/waf_rules/strict.json
@@ -1,7 +1,7 @@
{
"version": "2.2",
"metadata": {
"rules_version": "1.5.1"
"rules_version": "1.5.2"
},
"rules": [
{
Expand Down Expand Up @@ -1525,6 +1525,36 @@
"removeNulls"
]
},
{
"id": "sqr-000-007",
"name": "NoSQL: Detect common exploitation strategy",
"tags": {
"type": "nosql_injection",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
}
],
"regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
},
"operator": "match_regex"
}
],
"transformers": [
"keys_only"
]
},
{
"id": "sqr-000-011",
"name": "Node.js: Prototype pollution",
