From 1f1d45d082a8b3ff4c08cdff8cde78d33cfe3476 Mon Sep 17 00:00:00 2001
From: Loic Nageleisen
Date: Tue, 22 Nov 2022 14:04:42 +0100
Subject: [PATCH] Update AppSec ruleset to v1.4.2
---
 .../appsec/assets/waf_rules/recommended.json | 81 ++++++++-----------
 .../appsec/assets/waf_rules/risky.json | 2 +-
 .../appsec/assets/waf_rules/strict.json | 47 ++++++++++-
 3 files changed, 82 insertions(+), 48 deletions(-)
diff --git a/lib/datadog/appsec/assets/waf_rules/recommended.json b/lib/datadog/appsec/assets/waf_rules/recommended.json
index 45c4e210a0..37de13d01c 100644
--- a/lib/datadog/appsec/assets/waf_rules/recommended.json
+++ b/lib/datadog/appsec/assets/waf_rules/recommended.json
@@ -1,7 +1,7 @@
 {
 "version": "2.2",
 "metadata": {
- "rules_version": "1.4.1"
+ "rules_version": "1.4.2"
 },
 "rules": [
 {
@@ -2853,51 +2853,6 @@
 ],
 "transformers": []
 },
- {
- "id": "crs-941-100",
- "name": "XSS Attack Detected via libinjection",
- "tags": {
- "type": "xss",
- "crs_id": "941100",
- "category": "attack_attempt"
- },
- "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.request.headers.no_cookies",
- "key_path": [
- "user-agent"
- ]
- },
- {
- "address": "server.request.headers.no_cookies",
- "key_path": [
- "referer"
- ]
- },
- {
- "address": "server.request.query"
- },
- {
- "address": "server.request.body"
- },
- {
- "address": "server.request.path_params"
- },
- {
- "address": "grpc.server.request.message"
- }
- ]
- },
- "operator": "is_xss"
- }
- ],
- "transformers": [
- "removeNulls"
- ]
- },
 {
 "id": "crs-941-110",
 "name": "XSS Filter - Category 1: Script Tag Vector",
@@ -4363,6 +4318,40 @@
 "keys_only"
 ]
 },
+ {
+ "id": "dog-000-007",
+ "name": "Server side template injection: Velocity & Freemarker",
+ "tags": {
+ "type": "java_code_injection",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ },
+ {
+ "address": "server.request.headers.no_cookies"
+ },
+ {
+ "address": "grpc.server.request.message"
+ }
+ ],
+ "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>"
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
+ },
 {
 "id": "nfd-000-001",
 "name": "Detect common directory discovery scans",
diff --git a/lib/datadog/appsec/assets/waf_rules/risky.json b/lib/datadog/appsec/assets/waf_rules/risky.json
index 1dcb2dea01..cf5d057d90 100644
--- a/lib/datadog/appsec/assets/waf_rules/risky.json
+++ b/lib/datadog/appsec/assets/waf_rules/risky.json
@@ -1,7 +1,7 @@
 {
 "version": "2.2",
 "metadata": {
- "rules_version": "1.4.1"
+ "rules_version": "1.4.2"
 },
 "rules": [
 {
diff --git a/lib/datadog/appsec/assets/waf_rules/strict.json b/lib/datadog/appsec/assets/waf_rules/strict.json
index ba53e9a384..b64e9b9285 100644
--- a/lib/datadog/appsec/assets/waf_rules/strict.json
+++ b/lib/datadog/appsec/assets/waf_rules/strict.json
@@ -1,7 +1,7 @@
 {
 "version": "2.2",
 "metadata": {
- "rules_version": "1.4.1"
+ "rules_version": "1.4.2"
 },
 "rules": [
 {
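Review bot: In the new `dog-000-007` rule added to recommended.json, the regex matches only when `(` follows the directive name directly, and the rule declares no transformers that would normalise the input first. As far as I know Velocity also accepts whitespace before the parenthesis, so that spelling would go unreported; allowing optional whitespace closes the gap: `"regex": "#(?:set|foreach|macro|parse|if)\\s*\\(.*\\)|<#assign.*>"`. The pattern is also unanchored and is applied to query, body, path parameters and every non-cookie header, so benign text such as a pasted `#if(DEBUG)` snippet will be tagged `attack_attempt`. It is worth measuring the false-positive rate on real traffic before this rule is used for blocking rather than monitoring.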
@@ -855,6 +855,51 @@
 ],
 "transformers": []
 },
+ {
+ "id": "crs-941-100",
+ "name": "XSS Attack Detected via libinjection",
+ "tags": {
+ "type": "xss",
+ "crs_id": "941100",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "user-agent"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "referer"
+ ]
+ },
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ },
+ {
+ "address": "grpc.server.request.message"
+ }
+ ]
+ },
+ "operator": "is_xss"
+ }
+ ],
+ "transformers": [
+ "removeNulls"
+ ]
+ },
 {
 "id": "crs-941-130",
 "name": "XSS Filter - Category 3: Attribute Vector",
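Review bot: Nothing in the commit says why `crs-941-100` is added to strict.json while the identical rule is removed from recommended.json, so applications that load only recommended.json stop evaluating this libinjection XSS rule without any record of the decision. Presumably this is a false-positive trade-off, but that is not visible from the patch. Since JSON cannot carry a comment, the commit description should state it, for example `Move crs-941-100 (libinjection XSS) from recommended to strict; add dog-000-007 (Velocity/Freemarker SSTI) to recommended`.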