diff --git a/lib/datadog/appsec/assets/waf_rules/recommended.json b/lib/datadog/appsec/assets/waf_rules/recommended.json index fd301b3973..f1653a1252 100644 --- a/lib/datadog/appsec/assets/waf_rules/recommended.json +++ b/lib/datadog/appsec/assets/waf_rules/recommended.json @@ -1,7 +1,7 @@ { "version": "2.2", "metadata": { - "rules_version": "1.4.3" + "rules_version": "1.5.0" }, "rules": [ { @@ -29,13 +29,39 @@ "block" ] }, + { + "id": "blk-001-002", + "name": "Block User Addresses", + "tags": { + "type": "block_user", + "category": "security_response" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "usr.id" + } + ], + "data": "blocked_users" + }, + "operator": "exact_match" + } + ], + "transformers": [], + "on_match": [ + "block" + ] + }, { "id": "crs-913-110", "name": "Acunetix", "tags": { "type": "security_scanner", "crs_id": "913110", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -66,7 +92,8 @@ "tags": { "type": "security_scanner", "crs_id": "913120", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -115,7 +142,8 @@ "tags": { "type": "http_protocol_violation", "crs_id": "920260", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "0" }, "conditions": [ { @@ -236,7 +264,8 @@ "tags": { "type": "lfi", "crs_id": "930100", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -267,7 +296,8 @@ "tags": { "type": "lfi", "crs_id": "930110", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -299,7 +329,8 @@ "tags": { "type": "lfi", "crs_id": "930120", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
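Review bot: The new `blk-001-002` rule in the `@@ -29,13 +29,39 @@` hunk matches `usr.id` with `exact_match` and an empty `transformers` list, so a user is blocked only when the ID the application reports is byte-for-byte identical to an entry in `blocked_users`; an ID that differs in case or surrounding whitespace is not blocked, and the `blocked_users` data set is not defined anywhere in this file, so the rule is inert until that data is supplied separately at runtime. The rule also only fires if the application actually populates the `usr.id` address, which nothing in this rule set can enforce. Strict JSON leaves no room for an inline comment, so I would record these preconditions (the data set must be provided, and the user ID passed to it must be the unmodified value the application reports) in the changelog entry for rules 1.5.0 or the user-blocking documentation. If case-insensitive matching is intended, `"transformers": ["lowercase"]` as the deleted `risky.json` rules use would be the place, with the caveat that every `blocked_users` entry must then be lowercase too.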
@@ -1760,7 +1791,8 @@ "tags": { "type": "rfi", "crs_id": "931110", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -1819,7 +1851,8 @@ "tags": { "type": "command_injection", "crs_id": "932160", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2322,7 +2355,8 @@ "tags": { "type": "command_injection", "crs_id": "932171", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2361,7 +2395,8 @@ "tags": { "type": "command_injection", "crs_id": "932180", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2419,7 +2454,8 @@ "tags": { "type": "unrestricted_file_upload", "crs_id": "933111", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2469,7 +2505,8 @@ "tags": { "type": "php_code_injection", "crs_id": "933130", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2561,7 +2598,8 @@ "tags": { "type": "php_code_injection", "crs_id": "933140", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2596,7 +2634,8 @@ "tags": { "type": "php_code_injection", "crs_id": "933150", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2711,7 +2750,8 @@ "tags": { "type": "php_code_injection", "crs_id": "933170", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2824,7 +2864,8 @@ "tags": { "type": "js_code_injection", "crs_id": "934101", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -2860,7 +2901,8 @@ "tags": { "type": "xss", "crs_id": "941110", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2909,7 +2951,8 @@ "tags": { "type": "xss", "crs_id": "941120", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -2958,7 +3001,8 @@ "tags": { "type": "xss", "crs_id": "941140", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3007,7 +3051,8 @@ "tags": { "type": "xss", "crs_id": "941170", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3096,7 +3141,8 @@ "tags": { "type": "xss", "crs_id": "941200", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3134,7 +3180,8 @@ "tags": { "type": "xss", "crs_id": "941210", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3172,7 +3219,8 @@ "tags": { "type": "xss", "crs_id": "941220", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3210,7 +3258,8 @@ "tags": { "type": "xss", "crs_id": "941230", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3247,7 +3296,8 @@ "tags": { "type": "xss", "crs_id": "941240", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3323,7 +3373,8 @@ "tags": { "type": "xss", "crs_id": "941280", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3360,7 +3411,8 @@ "tags": { "type": "xss", "crs_id": "941290", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -3397,7 +3449,8 @@ "tags": { "type": "xss", "crs_id": "941300", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3434,7 +3487,8 @@ "tags": { "type": "xss", "crs_id": "941350", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3506,7 +3560,8 @@ "tags": { "type": "xss", "crs_id": "941390", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3575,7 +3630,8 @@ "tags": { "type": "sql_injection", "crs_id": "942160", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3611,7 +3667,8 @@ "tags": { "type": "sql_injection", "crs_id": "942240", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3717,7 +3774,8 @@ "tags": { "type": "sql_injection", "crs_id": "942280", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3861,7 +3919,8 @@ "tags": { "type": "http_protocol_violation", "crs_id": "943100", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -3894,7 +3953,8 @@ "tags": { "type": "java_code_injection", "crs_id": "944100", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4084,7 +4144,8 @@ "tags": { "type": "java_code_injection", "crs_id": "944260", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4192,7 +4253,8 @@ "name": "OGNL - Detect OGNL exploitation primitives", "tags": { "type": "java_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -4229,7 +4291,8 @@ "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability", "tags": { "type": "exploit_detection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4256,7 +4319,8 @@ "name": "Node.js: Prototype pollution through __proto__", "tags": { "type": "js_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4283,7 +4347,8 @@ "name": "Node.js: Prototype pollution through constructor.prototype", "tags": { "type": "js_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4324,7 +4389,8 @@ "name": "Server side template injection: Velocity & Freemarker", "tags": { "type": "java_code_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4358,7 +4424,8 @@ "name": "RFI: URL Payload to well known RFI target", "tags": { "type": "rfi", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4390,7 +4457,8 @@ "name": "Detect common directory discovery scans", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4624,7 +4692,8 @@ "name": "Detect failed attempt to fetch readme files", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4663,7 +4732,8 @@ "name": "Detect failed attempt to fetch Java EE resource files", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -4702,7 +4772,8 @@ "name": "Detect failed attempt to fetch code files", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4741,7 +4812,8 @@ "name": "Detect failed attempt to fetch source code archives", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4780,7 +4852,8 @@ "name": "Detect failed attempt to fetch sensitive files", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4819,7 +4892,8 @@ "name": "Detect failed attempt to fetch archives", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4858,7 +4932,8 @@ "name": "Detect failed attempt to trigger incorrect application behavior", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4897,7 +4972,8 @@ "name": "Detect failed attempt to leak the structure of the application", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -4936,7 +5012,8 @@ "name": "SSRF: Try to access the credential manager of the main cloud services", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5038,7 +5115,8 @@ "name": "Windows: Detect attempts to exfiltrate .ini files", "tags": { "type": "command_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -5072,7 +5150,8 @@ "name": "Linux: Detect attempts to exfiltrate passwd files", "tags": { "type": "command_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5106,7 +5185,8 @@ "name": "Windows: Detect attempts to timeout a shell", "tags": { "type": "command_injection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5140,7 +5220,8 @@ "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5174,7 +5255,8 @@ "name": "SSRF: Detect SSRF attempt on internal service", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "0" }, "conditions": [ { @@ -5207,7 +5289,8 @@ "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "0" }, "conditions": [ { @@ -5240,7 +5323,8 @@ "name": "SSRF: Detect SSRF domain redirection bypass", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5276,7 +5360,8 @@ "name": "SSRF: Detect SSRF attempt using non HTTP protocol", "tags": { "type": "ssrf", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "0" }, "conditions": [ { @@ -5312,7 +5397,8 @@ "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228", "tags": { "type": "exploit_detection", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5349,7 +5435,8 @@ "name": "Joomla exploitation tool", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -5374,7 +5461,8 @@ "name": "Nessus", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5399,7 +5487,8 @@ "name": "Arachni", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5424,7 +5513,8 @@ "name": "Jorgee", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5449,7 +5539,8 @@ "name": "Probely", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5474,7 +5565,8 @@ "name": "Metis", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5499,7 +5591,8 @@ "name": "SQL power injector", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5524,7 +5617,8 @@ "name": "N-Stealth", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5549,7 +5643,8 @@ "name": "Brutus", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5574,7 +5669,8 @@ "name": "Shellshock exploitation tool", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5599,7 +5695,8 @@ "name": "Netsparker", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -5624,7 +5721,8 @@ "name": "JAASCois", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5649,7 +5747,8 @@ "name": "PMAFind", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5674,7 +5773,8 @@ "name": "Webtrends", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5699,7 +5799,8 @@ "name": "Nsauditor", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5724,7 +5825,8 @@ "name": "Paros", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5749,7 +5851,8 @@ "name": "DirBuster", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5774,7 +5877,8 @@ "name": "Pangolin", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5799,7 +5903,8 @@ "name": "Qualys", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5824,7 +5929,8 @@ "name": "SQLNinja", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5849,7 +5955,8 @@ "name": "Nikto", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -5874,7 +5981,8 @@ "name": "WebInspect", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5899,7 +6007,8 @@ "name": "BlackWidow", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5924,7 +6033,8 @@ "name": "Grendel-Scan", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5949,7 +6059,8 @@ "name": "Havij", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5974,7 +6085,8 @@ "name": "w3af", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -5999,7 +6111,8 @@ "name": "Nmap", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6024,7 +6137,8 @@ "name": "Nessus Scripted", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6049,7 +6163,8 @@ "name": "Evil Scanner", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6074,7 +6189,8 @@ "name": "WebFuck", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6099,7 +6215,8 @@ "name": "OpenVAS", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -6124,7 +6241,8 @@ "name": "Spider-Pig", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6149,7 +6267,8 @@ "name": "Zgrab", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6174,7 +6293,8 @@ "name": "Zmeu", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6199,7 +6319,8 @@ "name": "Crowdstrike", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6224,7 +6345,8 @@ "name": "GoogleSecurityScanner", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6249,7 +6371,8 @@ "name": "Commix", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6274,7 +6397,8 @@ "name": "Gobuster", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6299,7 +6423,8 @@ "name": "CGIchk", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6324,7 +6449,8 @@ "name": "FFUF", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6349,7 +6475,8 @@ "name": "Nuclei", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { 
@@ -6374,7 +6501,8 @@ "name": "Tsunami", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6399,7 +6527,8 @@ "name": "Nimbostratus", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6424,7 +6553,8 @@ "name": "Datadog test scanner: user-agent", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6455,7 +6585,8 @@ "name": "Datadog test scanner - blocking version: user-agent", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6489,7 +6620,8 @@ "name": "Blind SQL Injection Brute Forcer", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6514,7 +6646,8 @@ "name": "Suspicious user agent", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6539,7 +6672,8 @@ "name": "SQLmap", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { @@ -6564,7 +6698,8 @@ "name": "Skipfish", "tags": { "type": "security_scanner", - "category": "attack_attempt" + "category": "attack_attempt", + "confidence": "1" }, "conditions": [ { diff --git a/lib/datadog/appsec/assets/waf_rules/risky.json b/lib/datadog/appsec/assets/waf_rules/risky.json deleted file mode 100644 index fea93a7094..0000000000 --- a/lib/datadog/appsec/assets/waf_rules/risky.json +++ /dev/null 
@@ -1,1499 +0,0 @@ -{ - "version": "2.2", - "metadata": { - "rules_version": "1.4.3" - }, - "rules": [ - { - "id": "crs-921-130", - "name": "HTTP Response Splitting Attack", - "tags": { - "type": "http_protocol_violation", - "crs_id": "921130", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "(?:\\bhttp/\\d|<(?:html|meta)\\b)", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-930-121", - "name": "OS File Access Attempt", - "tags": { - "type": "lfi", - "crs_id": "930121", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - } - ], - "list": [ - "/.htaccess", - "/.htdigest", - "/.htpasswd", - "/.addressbook", - ".aptitude/config", - "/.bash_config", - "/.bash_history", - "/.bash_logout", - "/.bash_profile", - "/.bashrc", - ".cache/notify-osd.log", - ".config/odesk/odesk team.conf", - "/.cshrc", - "/.dockerignore", - ".drush/", - "/.eslintignore", - "/.fbcindex", - "/.forward", - "/.gitattributes", - "/.gitconfig", - ".gnupg/", - ".hplip/hplip.conf", - "/.ksh_history", - "/.lesshst", - ".lftp/", - "/.lhistory", - "/.lldb-history", - ".local/share/mc/", - "/.lynx_cookies", - "/.my.cnf", - "/.mysql_history", - "/.nano_history", - "/.node_repl_history", - "/.nsr", - "/.pearrc", - "/.php_history", - "/.pinerc", - ".pki/", - "/.proclog", - "/.procmailrc", - "/.profile", - "/.psql_history", - "/.python_history", - "/.rediscli_history", - "/.rhistory", - "/.rhosts", - "/.sh_history", - "/.sqlite_history", - ".ssh/authorized_keys", - ".ssh/config", - ".ssh/id_dsa", - ".ssh/id_dsa.pub", - ".ssh/id_rsa", - ".ssh/id_rsa.pub", - ".ssh/identity", - ".ssh/identity.pub", - ".ssh/known_hosts", - 
".subversion/auth", - ".subversion/config", - ".subversion/servers", - ".tconn/tconn.conf", - "/.tcshrc", - ".vidalia/vidalia.conf", - "/.viminfo", - "/.vimrc", - "/.www_acl", - "/.wwwacl", - "/.xauthority", - "/.zhistory", - "/.zshrc", - "/.zsh_history", - "/.nsconfig", - "etc/redis.conf", - "etc/redis-sentinel.conf", - "etc/php.ini", - "bin/php.ini", - "etc/httpd/php.ini", - "usr/lib/php.ini", - "usr/lib/php/php.ini", - "usr/local/etc/php.ini", - "usr/local/lib/php.ini", - "usr/local/php/lib/php.ini", - "usr/local/php4/lib/php.ini", - "usr/local/php5/lib/php.ini", - "usr/local/apache/conf/php.ini", - "etc/php4.4/fcgi/php.ini", - "etc/php4/apache/php.ini", - "etc/php4/apache2/php.ini", - "etc/php5/apache/php.ini", - "etc/php5/apache2/php.ini", - "etc/php/php.ini", - "etc/php/php4/php.ini", - "etc/php/apache/php.ini", - "etc/php/apache2/php.ini", - "web/conf/php.ini", - "usr/local/zend/etc/php.ini", - "opt/xampp/etc/php.ini", - "var/local/www/conf/php.ini", - "etc/php/cgi/php.ini", - "etc/php4/cgi/php.ini", - "etc/php5/cgi/php.ini", - "home2/bin/stable/apache/php.ini", - "home/bin/stable/apache/php.ini", - "etc/httpd/conf.d/php.conf", - "php5/php.ini", - "php4/php.ini", - "php/php.ini", - "windows/php.ini", - "winnt/php.ini", - "apache/php/php.ini", - "xampp/apache/bin/php.ini", - "netserver/bin/stable/apache/php.ini", - "volumes/macintosh_hd1/usr/local/php/lib/php.ini", - "etc/mono/1.0/machine.config", - "etc/mono/2.0/machine.config", - "etc/mono/2.0/web.config", - "etc/mono/config", - "usr/local/cpanel/logs/stats_log", - "usr/local/cpanel/logs/access_log", - "usr/local/cpanel/logs/error_log", - "usr/local/cpanel/logs/license_log", - "usr/local/cpanel/logs/login_log", - "var/cpanel/cpanel.config", - "var/log/sw-cp-server/error_log", - "usr/local/psa/admin/logs/httpsd_access_log", - "usr/local/psa/admin/logs/panel.log", - "var/log/sso/sso.log", - "usr/local/psa/admin/conf/php.ini", - "etc/sw-cp-server/applications.d/plesk.conf", - 
"usr/local/psa/admin/conf/site_isolation_settings.ini", - "usr/local/sb/config", - "etc/sw-cp-server/applications.d/00-sso-cpserver.conf", - "etc/sso/sso_config.ini", - "etc/mysql/conf.d/old_passwords.cnf", - "var/log/mysql/mysql-bin.log", - "var/log/mysql/mysql-bin.index", - "var/log/mysql/data/mysql-bin.index", - "var/log/mysql.log", - "var/log/mysql.err", - "var/log/mysqlderror.log", - "var/log/mysql/mysql.log", - "var/log/mysql/mysql-slow.log", - "var/log/mysql-bin.index", - "var/log/data/mysql-bin.index", - "var/mysql.log", - "var/mysql-bin.index", - "var/data/mysql-bin.index", - "program files/mysql/mysql server 5.0/data/{host}.err", - "program files/mysql/mysql server 5.0/data/mysql.log", - "program files/mysql/mysql server 5.0/data/mysql.err", - "program files/mysql/mysql server 5.0/data/mysql-bin.log", - "program files/mysql/mysql server 5.0/data/mysql-bin.index", - "program files/mysql/data/{host}.err", - "program files/mysql/data/mysql.log", - "program files/mysql/data/mysql.err", - "program files/mysql/data/mysql-bin.log", - "program files/mysql/data/mysql-bin.index", - "mysql/data/{host}.err", - "mysql/data/mysql.log", - "mysql/data/mysql.err", - "mysql/data/mysql-bin.log", - "mysql/data/mysql-bin.index", - "usr/local/mysql/data/mysql.log", - "usr/local/mysql/data/mysql.err", - "usr/local/mysql/data/mysql-bin.log", - "usr/local/mysql/data/mysql-slow.log", - "usr/local/mysql/data/mysqlderror.log", - "usr/local/mysql/data/{host}.err", - "usr/local/mysql/data/mysql-bin.index", - "var/lib/mysql/my.cnf", - "etc/mysql/my.cnf", - "etc/my.cnf", - "program files/mysql/mysql server 5.0/my.ini", - "program files/mysql/mysql server 5.0/my.cnf", - "program files/mysql/my.ini", - "program files/mysql/my.cnf", - "mysql/my.ini", - "mysql/my.cnf", - "mysql/bin/my.ini", - "var/postgresql/log/postgresql.log", - "var/log/postgresql/postgresql.log", - "var/log/postgres/pg_backup.log", - "var/log/postgres/postgres.log", - "var/log/postgresql.log", - 
"var/log/pgsql/pgsql.log",
- "var/log/postgresql/postgresql-8.1-main.log",
- "var/log/postgresql/postgresql-8.3-main.log",
- "var/log/postgresql/postgresql-8.4-main.log",
- "var/log/postgresql/postgresql-9.0-main.log",
- "var/log/postgresql/postgresql-9.1-main.log",
- "var/log/pgsql8.log",
- "var/log/postgresql/postgres.log",
- "var/log/pgsql_log",
- "var/log/postgresql/main.log",
- "var/log/cron/var/log/postgres.log",
- "usr/internet/pgsql/data/postmaster.log",
- "usr/local/pgsql/data/postgresql.log",
- "usr/local/pgsql/data/pg_log",
- "postgresql/log/pgadmin.log",
- "var/lib/pgsql/data/postgresql.conf",
- "var/postgresql/db/postgresql.conf",
- "var/nm2/postgresql.conf",
- "usr/local/pgsql/data/postgresql.conf",
- "usr/local/pgsql/data/pg_hba.conf",
- "usr/internet/pgsql/data/pg_hba.conf",
- "usr/local/pgsql/data/passwd",
- "usr/local/pgsql/bin/pg_passwd",
- "etc/postgresql/postgresql.conf",
- "etc/postgresql/pg_hba.conf",
- "home/postgres/data/postgresql.conf",
- "home/postgres/data/pg_version",
- "home/postgres/data/pg_ident.conf",
- "home/postgres/data/pg_hba.conf",
- "program files/postgresql/8.3/data/pg_hba.conf",
- "program files/postgresql/8.3/data/pg_ident.conf",
- "program files/postgresql/8.3/data/postgresql.conf",
- "program files/postgresql/8.4/data/pg_hba.conf",
- "program files/postgresql/8.4/data/pg_ident.conf",
- "program files/postgresql/8.4/data/postgresql.conf",
- "program files/postgresql/9.0/data/pg_hba.conf",
- "program files/postgresql/9.0/data/pg_ident.conf",
- "program files/postgresql/9.0/data/postgresql.conf",
- "program files/postgresql/9.1/data/pg_hba.conf",
- "program files/postgresql/9.1/data/pg_ident.conf",
- "program files/postgresql/9.1/data/postgresql.conf",
- "wamp/logs/access.log",
- "wamp/logs/apache_error.log",
- "wamp/logs/genquery.log",
- "wamp/logs/mysql.log",
- "wamp/logs/slowquery.log",
- "wamp/bin/apache/apache2.2.22/logs/access.log",
- "wamp/bin/apache/apache2.2.22/logs/error.log",
- "wamp/bin/apache/apache2.2.21/logs/access.log",
- "wamp/bin/apache/apache2.2.21/logs/error.log",
- "wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index",
- "wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index",
- "wamp/bin/apache/apache2.2.21/conf/httpd.conf",
- "wamp/bin/apache/apache2.2.22/conf/httpd.conf",
- "wamp/bin/apache/apache2.2.21/wampserver.conf",
- "wamp/bin/apache/apache2.2.22/wampserver.conf",
- "wamp/bin/apache/apache2.2.22/conf/wampserver.conf",
- "wamp/bin/mysql/mysql5.5.24/my.ini",
- "wamp/bin/mysql/mysql5.5.24/wampserver.conf",
- "wamp/bin/mysql/mysql5.5.16/my.ini",
- "wamp/bin/mysql/mysql5.5.16/wampserver.conf",
- "wamp/bin/php/php5.3.8/php.ini",
- "wamp/bin/php/php5.4.3/php.ini",
- "xampp/apache/logs/access.log",
- "xampp/apache/logs/error.log",
- "xampp/mysql/data/mysql-bin.index",
- "xampp/mysql/data/mysql.err",
- "xampp/mysql/data/{host}.err",
- "xampp/sendmail/sendmail.log",
- "xampp/apache/conf/httpd.conf",
- "xampp/filezillaftp/filezilla server.xml",
- "xampp/mercurymail/mercury.ini",
- "xampp/php/php.ini",
- "xampp/phpmyadmin/config.inc.php",
- "xampp/sendmail/sendmail.ini",
- "xampp/webalizer/webalizer.conf",
- "opt/lampp/etc/httpd.conf",
- "xampp/htdocs/aca.txt",
- "xampp/htdocs/admin.php",
- "xampp/htdocs/leer.txt",
- "usr/local/apache/logs/audit_log",
- "usr/local/apache2/logs/audit_log",
- "logs/security_debug_log",
- "logs/security_log",
- "usr/local/apache/conf/modsec.conf",
- "usr/local/apache2/conf/modsec.conf",
- "winnt/system32/logfiles/msftpsvc",
- "winnt/system32/logfiles/msftpsvc1",
- "winnt/system32/logfiles/msftpsvc2",
- "windows/system32/logfiles/msftpsvc",
- "windows/system32/logfiles/msftpsvc1",
- "windows/system32/logfiles/msftpsvc2",
- "etc/logrotate.d/proftpd",
- "www/logs/proftpd.system.log",
- "var/log/proftpd",
- "var/log/proftpd/xferlog.legacy",
- "var/log/proftpd.access_log",
- "var/log/proftpd.xferlog",
- "etc/pam.d/proftpd",
- "etc/proftp.conf",
- "etc/protpd/proftpd.conf",
- "etc/vhcs2/proftpd/proftpd.conf",
- "etc/proftpd/modules.conf",
- "var/log/vsftpd.log",
- "etc/vsftpd.chroot_list",
- "etc/logrotate.d/vsftpd.log",
- "etc/vsftpd/vsftpd.conf",
- "etc/vsftpd.conf",
- "etc/chrootusers",
- "var/log/xferlog",
- "var/adm/log/xferlog",
- "etc/wu-ftpd/ftpaccess",
- "etc/wu-ftpd/ftphosts",
- "etc/wu-ftpd/ftpusers",
- "var/log/pure-ftpd/pure-ftpd.log",
- "logs/pure-ftpd.log",
- "var/log/pureftpd.log",
- "usr/sbin/pure-config.pl",
- "usr/etc/pure-ftpd.conf",
- "etc/pure-ftpd/pure-ftpd.conf",
- "usr/local/etc/pure-ftpd.conf",
- "usr/local/etc/pureftpd.pdb",
- "usr/local/pureftpd/etc/pureftpd.pdb",
- "usr/local/pureftpd/sbin/pure-config.pl",
- "usr/local/pureftpd/etc/pure-ftpd.conf",
- "etc/pure-ftpd.conf",
- "etc/pure-ftpd/pure-ftpd.pdb",
- "etc/pureftpd.pdb",
- "etc/pureftpd.passwd",
- "etc/pure-ftpd/pureftpd.pdb",
- "usr/ports/ftp/pure-ftpd/pure-ftpd.conf",
- "usr/ports/ftp/pure-ftpd/pureftpd.pdb",
- "usr/ports/ftp/pure-ftpd/pureftpd.passwd",
- "usr/ports/net/pure-ftpd/pure-ftpd.conf",
- "usr/ports/net/pure-ftpd/pureftpd.pdb",
- "usr/ports/net/pure-ftpd/pureftpd.passwd",
- "usr/pkgsrc/net/pureftpd/pure-ftpd.conf",
- "usr/pkgsrc/net/pureftpd/pureftpd.pdb",
- "usr/pkgsrc/net/pureftpd/pureftpd.passwd",
- "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
- "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
- "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
- "var/log/muddleftpd",
- "usr/sbin/mudlogd",
- "etc/muddleftpd/mudlog",
- "etc/muddleftpd.com",
- "etc/muddleftpd/mudlogd.conf",
- "etc/muddleftpd/muddleftpd.conf",
- "var/log/muddleftpd.conf",
- "usr/sbin/mudpasswd",
- "etc/muddleftpd/muddleftpd.passwd",
- "etc/muddleftpd/passwd",
- "var/log/ftp-proxy/ftp-proxy.log",
- "var/log/ftp-proxy",
- "var/log/ftplog",
- "etc/logrotate.d/ftp",
- "etc/ftpchroot",
- "etc/ftphosts",
- "etc/ftpusers",
- "var/log/exim_mainlog",
- "var/log/exim/mainlog",
- "var/log/maillog",
- "var/log/exim_paniclog",
- "var/log/exim/paniclog",
- "var/log/exim/rejectlog",
- "var/log/exim_rejectlog",
- "winnt/system32/logfiles/smtpsvc",
- "winnt/system32/logfiles/smtpsvc1",
- "winnt/system32/logfiles/smtpsvc2",
- "winnt/system32/logfiles/smtpsvc3",
- "winnt/system32/logfiles/smtpsvc4",
- "winnt/system32/logfiles/smtpsvc5",
- "windows/system32/logfiles/smtpsvc",
- "windows/system32/logfiles/smtpsvc1",
- "windows/system32/logfiles/smtpsvc2",
- "windows/system32/logfiles/smtpsvc3",
- "windows/system32/logfiles/smtpsvc4",
- "windows/system32/logfiles/smtpsvc5",
- "etc/osxhttpd/osxhttpd.conf",
- "system/library/webobjects/adaptors/apache2.2/apache.conf",
- "etc/apache2/sites-available/default",
- "etc/apache2/sites-available/default-ssl",
- "etc/apache2/sites-enabled/000-default",
- "etc/apache2/sites-enabled/default",
- "etc/apache2/apache2.conf",
- "etc/apache2/ports.conf",
- "usr/local/etc/apache/httpd.conf",
- "usr/pkg/etc/httpd/httpd.conf",
- "usr/pkg/etc/httpd/httpd-default.conf",
- "usr/pkg/etc/httpd/httpd-vhosts.conf",
- "etc/httpd/mod_php.conf",
- "etc/httpd/extra/httpd-ssl.conf",
- "etc/rc.d/rc.httpd",
- "usr/local/apache/conf/httpd.conf.default",
- "usr/local/apache/conf/access.conf",
- "usr/local/apache22/conf/httpd.conf",
- "usr/local/apache22/httpd.conf",
- "usr/local/etc/apache22/conf/httpd.conf",
- "usr/local/apps/apache22/conf/httpd.conf",
- "etc/apache22/conf/httpd.conf",
- "etc/apache22/httpd.conf",
- "opt/apache22/conf/httpd.conf",
- "usr/local/etc/apache2/vhosts.conf",
- "usr/local/apache/conf/vhosts.conf",
- "usr/local/apache2/conf/vhosts.conf",
- "usr/local/apache/conf/vhosts-custom.conf",
- "usr/local/apache2/conf/vhosts-custom.conf",
- "etc/apache/default-server.conf",
- "etc/apache2/default-server.conf",
- "usr/local/apache2/conf/extra/httpd-ssl.conf",
- "usr/local/apache2/conf/ssl.conf",
- "etc/httpd/conf.d",
- "usr/local/etc/apache22/httpd.conf",
- "usr/local/etc/apache2/httpd.conf",
- "etc/apache2/httpd2.conf",
- "etc/apache2/ssl-global.conf",
- "etc/apache2/vhosts.d/00_default_vhost.conf",
- "apache/conf/httpd.conf",
- "etc/apache/httpd.conf",
- "etc/httpd/conf",
- "http/httpd.conf",
- "usr/local/apache1.3/conf/httpd.conf",
- "usr/local/etc/httpd/conf",
- "var/apache/conf/httpd.conf",
- "var/www/conf",
- "www/apache/conf/httpd.conf",
- "www/conf/httpd.conf",
- "etc/init.d",
- "etc/apache/access.conf",
- "etc/rc.conf",
- "www/logs/freebsddiary-error.log",
- "www/logs/freebsddiary-access_log",
- "library/webserver/documents/index.html",
- "library/webserver/documents/index.htm",
- "library/webserver/documents/default.html",
- "library/webserver/documents/default.htm",
- "library/webserver/documents/index.php",
- "library/webserver/documents/default.php",
- "var/log/webmin/miniserv.log",
- "usr/local/etc/webmin/miniserv.conf",
- "etc/webmin/miniserv.conf",
- "usr/local/etc/webmin/miniserv.users",
- "etc/webmin/miniserv.users",
- "winnt/system32/logfiles/w3svc/inetsvn1.log",
- "winnt/system32/logfiles/w3svc1/inetsvn1.log",
- "winnt/system32/logfiles/w3svc2/inetsvn1.log",
- "winnt/system32/logfiles/w3svc3/inetsvn1.log",
- "windows/system32/logfiles/w3svc/inetsvn1.log",
- "windows/system32/logfiles/w3svc1/inetsvn1.log",
- "windows/system32/logfiles/w3svc2/inetsvn1.log",
- "windows/system32/logfiles/w3svc3/inetsvn1.log",
- "var/log/httpd/access_log",
- "var/log/httpd/error_log",
- "apache/logs/error.log",
- "apache/logs/access.log",
- "apache2/logs/error.log",
- "apache2/logs/access.log",
- "logs/error.log",
- "logs/access.log",
- "etc/httpd/logs/access_log",
- "etc/httpd/logs/access.log",
- "etc/httpd/logs/error_log",
- "etc/httpd/logs/error.log",
- "usr/local/apache/logs/access_log",
- "usr/local/apache/logs/access.log",
- "usr/local/apache/logs/error_log",
- "usr/local/apache/logs/error.log",
- "usr/local/apache2/logs/access_log",
- "usr/local/apache2/logs/access.log",
- "usr/local/apache2/logs/error_log",
- "usr/local/apache2/logs/error.log",
- "var/www/logs/access_log",
- "var/www/logs/access.log",
- "var/www/logs/error_log",
- "var/www/logs/error.log",
- "var/log/httpd/access.log",
- "var/log/httpd/error.log",
- "var/log/apache/access_log",
- "var/log/apache/access.log",
- "var/log/apache/error_log",
- "var/log/apache/error.log",
- "var/log/apache2/access_log",
- "var/log/apache2/access.log",
- "var/log/apache2/error_log",
- "var/log/apache2/error.log",
- "var/log/access_log",
- "var/log/access.log",
- "var/log/error_log",
- "var/log/error.log",
- "opt/lampp/logs/access_log",
- "opt/lampp/logs/error_log",
- "opt/xampp/logs/access_log",
- "opt/xampp/logs/error_log",
- "opt/lampp/logs/access.log",
- "opt/lampp/logs/error.log",
- "opt/xampp/logs/access.log",
- "opt/xampp/logs/error.log",
- "program files/apache group/apache/logs/access.log",
- "program files/apache group/apache/logs/error.log",
- "program files/apache software foundation/apache2.2/logs/error.log",
- "program files/apache software foundation/apache2.2/logs/access.log",
- "opt/apache/apache.conf",
- "opt/apache/conf/apache.conf",
- "opt/apache2/apache.conf",
- "opt/apache2/conf/apache.conf",
- "opt/httpd/apache.conf",
- "opt/httpd/conf/apache.conf",
- "etc/httpd/apache.conf",
- "etc/apache2/apache.conf",
- "etc/httpd/conf/apache.conf",
- "usr/local/apache/apache.conf",
- "usr/local/apache/conf/apache.conf",
- "usr/local/apache2/apache.conf",
- "usr/local/apache2/conf/apache.conf",
- "usr/local/php/apache.conf.php",
- "usr/local/php4/apache.conf.php",
- "usr/local/php5/apache.conf.php",
- "usr/local/php/apache.conf",
- "usr/local/php4/apache.conf",
- "usr/local/php5/apache.conf",
- "private/etc/httpd/apache.conf",
- "opt/apache/apache2.conf",
- "opt/apache/conf/apache2.conf",
- "opt/apache2/apache2.conf",
- "opt/apache2/conf/apache2.conf",
- "opt/httpd/apache2.conf",
- "opt/httpd/conf/apache2.conf",
- "etc/httpd/apache2.conf",
- "etc/httpd/conf/apache2.conf",
- "usr/local/apache/apache2.conf",
- "usr/local/apache/conf/apache2.conf",
- "usr/local/apache2/apache2.conf",
- "usr/local/apache2/conf/apache2.conf",
- "usr/local/php/apache2.conf.php",
- "usr/local/php4/apache2.conf.php",
- "usr/local/php5/apache2.conf.php",
- "usr/local/php/apache2.conf",
- "usr/local/php4/apache2.conf",
- "usr/local/php5/apache2.conf",
- "private/etc/httpd/apache2.conf",
- "usr/local/apache/conf/httpd.conf",
- "usr/local/apache2/conf/httpd.conf",
- "etc/httpd/conf/httpd.conf",
- "etc/apache/apache.conf",
- "etc/apache/conf/httpd.conf",
- "etc/apache2/httpd.conf",
- "usr/apache2/conf/httpd.conf",
- "usr/apache/conf/httpd.conf",
- "usr/local/etc/apache/conf/httpd.conf",
- "usr/local/apache/httpd.conf",
- "usr/local/apache2/httpd.conf",
- "usr/local/httpd/conf/httpd.conf",
- "usr/local/etc/apache2/conf/httpd.conf",
- "usr/local/etc/httpd/conf/httpd.conf",
- "usr/local/apps/apache2/conf/httpd.conf",
- "usr/local/apps/apache/conf/httpd.conf",
- "usr/local/php/httpd.conf.php",
- "usr/local/php4/httpd.conf.php",
- "usr/local/php5/httpd.conf.php",
- "usr/local/php/httpd.conf",
- "usr/local/php4/httpd.conf",
- "usr/local/php5/httpd.conf",
- "etc/apache2/conf/httpd.conf",
- "etc/http/conf/httpd.conf",
- "etc/httpd/httpd.conf",
- "etc/http/httpd.conf",
- "etc/httpd.conf",
- "opt/apache/conf/httpd.conf",
- "opt/apache2/conf/httpd.conf",
- "var/www/conf/httpd.conf",
- "private/etc/httpd/httpd.conf",
- "private/etc/httpd/httpd.conf.default",
- "etc/apache2/vhosts.d/default_vhost.include",
- "etc/apache2/conf.d/charset",
- "etc/apache2/conf.d/security",
- "etc/apache2/envvars",
- "etc/apache2/mods-available/autoindex.conf",
- "etc/apache2/mods-available/deflate.conf",
- "etc/apache2/mods-available/dir.conf",
- "etc/apache2/mods-available/mem_cache.conf",
- "etc/apache2/mods-available/mime.conf",
- "etc/apache2/mods-available/proxy.conf",
- "etc/apache2/mods-available/setenvif.conf",
- "etc/apache2/mods-available/ssl.conf",
- "etc/apache2/mods-enabled/alias.conf",
- "etc/apache2/mods-enabled/deflate.conf",
- "etc/apache2/mods-enabled/dir.conf",
- "etc/apache2/mods-enabled/mime.conf",
- "etc/apache2/mods-enabled/negotiation.conf",
- "etc/apache2/mods-enabled/php5.conf",
- "etc/apache2/mods-enabled/status.conf",
- "program files/apache group/apache/conf/httpd.conf",
- "program files/apache group/apache2/conf/httpd.conf",
- "program files/xampp/apache/conf/apache.conf",
- "program files/xampp/apache/conf/apache2.conf",
- "program files/xampp/apache/conf/httpd.conf",
- "program files/apache group/apache/apache.conf",
- "program files/apache group/apache/conf/apache.conf",
- "program files/apache group/apache2/conf/apache.conf",
- "program files/apache group/apache/apache2.conf",
- "program files/apache group/apache/conf/apache2.conf",
- "program files/apache group/apache2/conf/apache2.conf",
- "program files/apache software foundation/apache2.2/conf/httpd.conf",
- "volumes/macintosh_hd1/opt/httpd/conf/httpd.conf",
- "volumes/macintosh_hd1/opt/apache/conf/httpd.conf",
- "volumes/macintosh_hd1/opt/apache2/conf/httpd.conf",
- "volumes/macintosh_hd1/usr/local/php/httpd.conf.php",
- "volumes/macintosh_hd1/usr/local/php4/httpd.conf.php",
- "volumes/macintosh_hd1/usr/local/php5/httpd.conf.php",
- "volumes/webbackup/opt/apache2/conf/httpd.conf",
- "volumes/webbackup/private/etc/httpd/httpd.conf",
- "volumes/webbackup/private/etc/httpd/httpd.conf.default",
- "usr/local/etc/apache/vhosts.conf",
- "usr/local/jakarta/tomcat/conf/jakarta.conf",
- "usr/local/jakarta/tomcat/conf/server.xml",
- "usr/local/jakarta/tomcat/conf/context.xml",
- "usr/local/jakarta/tomcat/conf/workers.properties",
- "usr/local/jakarta/tomcat/conf/logging.properties",
- "usr/local/jakarta/dist/tomcat/conf/jakarta.conf",
- "usr/local/jakarta/dist/tomcat/conf/server.xml",
- "usr/local/jakarta/dist/tomcat/conf/context.xml",
- "usr/local/jakarta/dist/tomcat/conf/workers.properties",
- "usr/local/jakarta/dist/tomcat/conf/logging.properties",
- "usr/share/tomcat6/conf/server.xml",
- "usr/share/tomcat6/conf/context.xml",
- "usr/share/tomcat6/conf/workers.properties",
- "usr/share/tomcat6/conf/logging.properties",
- "var/log/tomcat6/catalina.out",
- "var/cpanel/tomcat.options",
- "usr/local/jakarta/tomcat/logs/catalina.out",
- "usr/local/jakarta/tomcat/logs/catalina.err",
- "opt/tomcat/logs/catalina.out",
- "opt/tomcat/logs/catalina.err",
- "usr/share/logs/catalina.out",
- "usr/share/logs/catalina.err",
- "usr/share/tomcat/logs/catalina.out",
- "usr/share/tomcat/logs/catalina.err",
- "usr/share/tomcat6/logs/catalina.out",
- "usr/share/tomcat6/logs/catalina.err",
- "usr/local/apache/logs/mod_jk.log",
- "usr/local/jakarta/tomcat/logs/mod_jk.log",
- "usr/local/jakarta/dist/tomcat/logs/mod_jk.log",
- "opt/[jboss]/server/default/conf/jboss-minimal.xml",
- "opt/[jboss]/server/default/conf/jboss-service.xml",
- "opt/[jboss]/server/default/conf/jndi.properties",
- "opt/[jboss]/server/default/conf/log4j.xml",
- "opt/[jboss]/server/default/conf/login-config.xml",
- "opt/[jboss]/server/default/conf/standardjaws.xml",
- "opt/[jboss]/server/default/conf/standardjboss.xml",
- "opt/[jboss]/server/default/conf/server.log.properties",
- "opt/[jboss]/server/default/deploy/jboss-logging.xml",
- "usr/local/[jboss]/server/default/conf/jboss-minimal.xml",
- "usr/local/[jboss]/server/default/conf/jboss-service.xml",
- "usr/local/[jboss]/server/default/conf/jndi.properties",
- "usr/local/[jboss]/server/default/conf/log4j.xml",
- "usr/local/[jboss]/server/default/conf/login-config.xml",
- "usr/local/[jboss]/server/default/conf/standardjaws.xml",
- "usr/local/[jboss]/server/default/conf/standardjboss.xml",
- "usr/local/[jboss]/server/default/conf/server.log.properties",
- "usr/local/[jboss]/server/default/deploy/jboss-logging.xml",
- "private/tmp/[jboss]/server/default/conf/jboss-minimal.xml",
- "private/tmp/[jboss]/server/default/conf/jboss-service.xml",
- "private/tmp/[jboss]/server/default/conf/jndi.properties",
- "private/tmp/[jboss]/server/default/conf/log4j.xml",
- "private/tmp/[jboss]/server/default/conf/login-config.xml",
- "private/tmp/[jboss]/server/default/conf/standardjaws.xml",
- "private/tmp/[jboss]/server/default/conf/standardjboss.xml",
- "private/tmp/[jboss]/server/default/conf/server.log.properties",
- "private/tmp/[jboss]/server/default/deploy/jboss-logging.xml",
- "tmp/[jboss]/server/default/conf/jboss-minimal.xml",
- "tmp/[jboss]/server/default/conf/jboss-service.xml",
- "tmp/[jboss]/server/default/conf/jndi.properties",
- "tmp/[jboss]/server/default/conf/log4j.xml",
- "tmp/[jboss]/server/default/conf/login-config.xml",
- "tmp/[jboss]/server/default/conf/standardjaws.xml",
- "tmp/[jboss]/server/default/conf/standardjboss.xml",
- "tmp/[jboss]/server/default/conf/server.log.properties",
- "tmp/[jboss]/server/default/deploy/jboss-logging.xml",
- "program files/[jboss]/server/default/conf/jboss-minimal.xml",
- "program files/[jboss]/server/default/conf/jboss-service.xml",
- "program files/[jboss]/server/default/conf/jndi.properties",
- "program files/[jboss]/server/default/conf/log4j.xml",
- "program files/[jboss]/server/default/conf/login-config.xml",
- "program files/[jboss]/server/default/conf/standardjaws.xml",
- "program files/[jboss]/server/default/conf/standardjboss.xml",
- "program files/[jboss]/server/default/conf/server.log.properties",
- "program files/[jboss]/server/default/deploy/jboss-logging.xml",
- "[jboss]/server/default/conf/jboss-minimal.xml",
- "[jboss]/server/default/conf/jboss-service.xml",
- "[jboss]/server/default/conf/jndi.properties",
- "[jboss]/server/default/conf/log4j.xml",
- "[jboss]/server/default/conf/login-config.xml",
- "[jboss]/server/default/conf/standardjaws.xml",
- "[jboss]/server/default/conf/standardjboss.xml",
- "[jboss]/server/default/conf/server.log.properties",
- "[jboss]/server/default/deploy/jboss-logging.xml",
- "opt/[jboss]/server/default/log/server.log",
- "opt/[jboss]/server/default/log/boot.log",
- "usr/local/[jboss]/server/default/log/server.log",
- "usr/local/[jboss]/server/default/log/boot.log",
- "private/tmp/[jboss]/server/default/log/server.log",
- "private/tmp/[jboss]/server/default/log/boot.log",
- "tmp/[jboss]/server/default/log/server.log",
- "tmp/[jboss]/server/default/log/boot.log",
- "program files/[jboss]/server/default/log/server.log",
- "program files/[jboss]/server/default/log/boot.log",
- "[jboss]/server/default/log/server.log",
- "[jboss]/server/default/log/boot.log",
- "var/log/lighttpd.error.log",
- "var/log/lighttpd.access.log",
- "var/lighttpd.log",
- "var/logs/access.log",
- "var/log/lighttpd/",
- "var/log/lighttpd/error.log",
- "var/log/lighttpd/access.www.log",
- "var/log/lighttpd/error.www.log",
- "var/log/lighttpd/access.log",
- "usr/local/apache2/logs/lighttpd.error.log",
- "usr/local/apache2/logs/lighttpd.log",
- "usr/local/apache/logs/lighttpd.error.log",
- "usr/local/apache/logs/lighttpd.log",
- "usr/local/lighttpd/log/lighttpd.error.log",
- "usr/local/lighttpd/log/access.log",
- "var/log/lighttpd/{domain}/access.log",
- "var/log/lighttpd/{domain}/error.log",
- "usr/home/user/var/log/lighttpd.error.log",
- "usr/home/user/var/log/apache.log",
- "home/user/lighttpd/lighttpd.conf",
- "usr/home/user/lighttpd/lighttpd.conf",
- "etc/lighttpd/lighthttpd.conf",
- "usr/local/etc/lighttpd.conf",
- "usr/local/lighttpd/conf/lighttpd.conf",
- "usr/local/etc/lighttpd.conf.new",
- "var/www/.lighttpdpassword",
- "var/log/nginx/access_log",
- "var/log/nginx/error_log",
- "var/log/nginx/access.log",
- "var/log/nginx/error.log",
- "var/log/nginx.access_log",
- "var/log/nginx.error_log",
- "logs/access_log",
- "logs/error_log",
- "etc/nginx/nginx.conf",
- "usr/local/etc/nginx/nginx.conf",
- "usr/local/nginx/conf/nginx.conf",
- "usr/local/zeus/web/global.cfg",
- "usr/local/zeus/web/log/errors",
- "opt/lsws/conf/httpd_conf.xml",
- "usr/local/lsws/conf/httpd_conf.xml",
- "opt/lsws/logs/error.log",
- "opt/lsws/logs/access.log",
- "usr/local/lsws/logs/error.log",
- "usr/local/logs/access.log",
- "usr/local/samba/lib/log.user",
- "usr/local/logs/samba.log",
- "var/log/samba/log.smbd",
- "var/log/samba/log.nmbd",
- "var/log/samba.log",
- "var/log/samba.log1",
- "var/log/samba.log2",
- "var/log/log.smb",
- "etc/samba/netlogon",
- "etc/smbpasswd",
- "etc/smb.conf",
- "etc/samba/dhcp.conf",
- "etc/samba/smb.conf",
- "etc/samba/samba.conf",
- "etc/samba/smb.conf.user",
- "etc/samba/smbpasswd",
- "etc/samba/smbusers",
- "etc/samba/private/smbpasswd",
- "usr/local/etc/smb.conf",
- "usr/local/samba/lib/smb.conf.user",
- "etc/dhcp3/dhclient.conf",
- "etc/dhcp3/dhcpd.conf",
- "etc/dhcp/dhclient.conf",
- "program files/vidalia bundle/polipo/polipo.conf",
- "etc/tor/tor-tsocks.conf",
- "etc/stunnel/stunnel.conf",
- "etc/tsocks.conf",
- "etc/tinyproxy/tinyproxy.conf",
- "etc/miredo-server.conf",
- "etc/miredo.conf",
- "etc/miredo/miredo-server.conf",
- "etc/miredo/miredo.conf",
- "etc/wicd/dhclient.conf.template.default",
- "etc/wicd/manager-settings.conf",
- "etc/wicd/wired-settings.conf",
- "etc/wicd/wireless-settings.conf",
- "var/log/ipfw.log",
- "var/log/ipfw",
- "var/log/ipfw/ipfw.log",
- "var/log/ipfw.today",
- "etc/ipfw.rules",
- "etc/ipfw.conf",
- "etc/firewall.rules",
- "winnt/system32/logfiles/firewall/pfirewall.log",
- "winnt/system32/logfiles/firewall/pfirewall.log.old",
- "windows/system32/logfiles/firewall/pfirewall.log",
- "windows/system32/logfiles/firewall/pfirewall.log.old",
- "etc/clamav/clamd.conf",
- "etc/clamav/freshclam.conf",
- "etc/x11/xorg.conf",
- "etc/x11/xorg.conf-vesa",
- "etc/x11/xorg.conf-vmware",
- "etc/x11/xorg.conf.beforevmwaretoolsinstall",
- "etc/x11/xorg.conf.orig",
- "etc/bluetooth/input.conf",
- "etc/bluetooth/main.conf",
- "etc/bluetooth/network.conf",
- "etc/bluetooth/rfcomm.conf",
- "etc/bash_completion.d/debconf",
- "root/.bash_logout",
- "root/.bash_history",
- "root/.bash_config",
- "root/.bashrc",
- "etc/bash.bashrc",
- "var/adm/syslog",
- "var/adm/sulog",
- "var/adm/utmp",
- "var/adm/utmpx",
- "var/adm/wtmp",
- "var/adm/wtmpx",
- "var/adm/lastlog/username",
- "usr/spool/lp/log",
- "var/adm/lp/lpd-errs",
- "usr/lib/cron/log",
- "var/adm/loginlog",
- "var/adm/pacct",
- "var/adm/dtmp",
- "var/adm/acct/sum/loginlog",
- "var/adm/x0msgs",
- "var/adm/crash/vmcore",
- "var/adm/crash/unix",
- "etc/newsyslog.conf",
- "var/adm/qacct",
- "var/adm/ras/errlog",
- "var/adm/ras/bootlog",
- "var/adm/cron/log",
- "etc/utmp",
- "etc/security/lastlog",
- "etc/security/failedlogin",
- "usr/spool/mqueue/syslog",
- "var/adm/messages",
- "var/adm/aculogs",
- "var/adm/aculog",
- "var/adm/vold.log",
- "var/adm/log/asppp.log",
- "var/log/poplog",
- "var/log/authlog",
- "var/lp/logs/lpsched",
- "var/lp/logs/lpnet",
- "var/lp/logs/requests",
- "var/cron/log",
- "var/saf/_log",
- "var/saf/port/log",
- "var/log/news.all",
- "var/log/news/news.all",
- "var/log/news/news.crit",
- "var/log/news/news.err",
- "var/log/news/news.notice",
- "var/log/news/suck.err",
- "var/log/news/suck.notice",
- "var/log/messages",
- "var/log/messages.1",
- "var/log/user.log",
- "var/log/user.log.1",
- "var/log/auth.log",
- "var/log/pm-powersave.log",
- "var/log/xorg.0.log",
- "var/log/daemon.log",
- "var/log/daemon.log.1",
- "var/log/kern.log",
- "var/log/kern.log.1",
- "var/log/mail.err",
- "var/log/mail.info",
- "var/log/mail.warn",
- "var/log/ufw.log",
- "var/log/boot.log",
- "var/log/syslog",
- "var/log/syslog.1",
- "tmp/access.log",
- "etc/sensors.conf",
- "etc/sensors3.conf",
- "etc/host.conf",
- "etc/pam.conf",
- "etc/resolv.conf",
- "etc/apt/apt.conf",
- "etc/inetd.conf",
- "etc/syslog.conf",
- "etc/sysctl.conf",
- "etc/sysctl.d/10-console-messages.conf",
- "etc/sysctl.d/10-network-security.conf",
- "etc/sysctl.d/10-process-security.conf",
- "etc/sysctl.d/wine.sysctl.conf",
- "etc/security/access.conf",
- "etc/security/group.conf",
- "etc/security/limits.conf",
- "etc/security/namespace.conf",
- "etc/security/pam_env.conf",
- "etc/security/sepermit.conf",
- "etc/security/time.conf",
- "etc/ssh/sshd_config",
- "etc/adduser.conf",
- "etc/deluser.conf",
- "etc/avahi/avahi-daemon.conf",
- "etc/ca-certificates.conf",
- "etc/ca-certificates.conf.dpkg-old",
- "etc/casper.conf",
- "etc/chkrootkit.conf",
- "etc/debconf.conf",
- "etc/dns2tcpd.conf",
- "etc/e2fsck.conf",
- "etc/esound/esd.conf",
- "etc/etter.conf",
- "etc/fuse.conf",
- "etc/foremost.conf",
- "etc/hdparm.conf",
- "etc/kernel-img.conf",
- "etc/kernel-pkg.conf",
- "etc/ld.so.conf",
- "etc/ltrace.conf",
- "etc/mail/sendmail.conf",
- "etc/manpath.config",
- "etc/kbd/config",
- "etc/ldap/ldap.conf",
- "etc/logrotate.conf",
- "etc/mtools.conf",
- "etc/smi.conf",
- "etc/updatedb.conf",
- "etc/pulse/client.conf",
- "usr/share/adduser/adduser.conf",
- "etc/hostname",
- "etc/networks",
- "etc/timezone",
- "etc/modules",
- "etc/passwd",
- "etc/passwd~",
- "etc/passwd-",
- "etc/shadow",
- "etc/shadow~",
- "etc/shadow-",
- "etc/fstab",
- "etc/motd",
- "etc/hosts",
- "etc/group",
- "etc/group-",
- "etc/alias",
- "etc/crontab",
- "etc/crypttab",
- "etc/exports",
- "etc/mtab",
- "etc/hosts.allow",
- "etc/hosts.deny",
- "etc/os-release",
- "etc/password.master",
- "etc/profile",
- "etc/default/grub",
- "etc/resolvconf/update-libc.d/sendmail",
- "etc/inittab",
- "etc/issue",
- "etc/issue.net",
- "etc/login.defs",
- "etc/sudoers",
- "etc/sysconfig/network-scripts/ifcfg-eth0",
- "etc/redhat-release",
- "etc/debian_version",
- "etc/fedora-release",
- "etc/mandrake-release",
- "etc/slackware-release",
- "etc/suse-release",
- "etc/security/group",
- "etc/security/passwd",
- "etc/security/user",
- "etc/security/environ",
- "etc/security/limits",
- "etc/security/opasswd",
- "boot/grub/grub.cfg",
- "boot/grub/menu.lst",
- "root/.ksh_history",
- "root/.xauthority",
- "usr/lib/security/mkuser.default",
- "var/log/squirrelmail.log",
- "var/log/apache2/squirrelmail.log",
- "var/log/apache2/squirrelmail.err.log",
- "var/lib/squirrelmail/prefs/squirrelmail.log",
- "var/log/mail.log",
- "etc/squirrelmail/apache.conf",
- "etc/squirrelmail/config_local.php",
- "etc/squirrelmail/default_pref",
- "etc/squirrelmail/index.php",
- "etc/squirrelmail/config_default.php",
- "etc/squirrelmail/config.php",
- "etc/squirrelmail/filters_setup.php",
- "etc/squirrelmail/sqspell_config.php",
- "etc/squirrelmail/config/config.php",
- "etc/httpd/conf.d/squirrelmail.conf",
- "usr/share/squirrelmail/config/config.php",
- "private/etc/squirrelmail/config/config.php",
- "srv/www/htdos/squirrelmail/config/config.php",
- "var/www/squirrelmail/config/config.php",
- "var/www/html/squirrelmail/config/config.php",
- "var/www/html/squirrelmail-1.2.9/config/config.php",
- "usr/share/squirrelmail/plugins/squirrel_logger/setup.php",
- "usr/local/squirrelmail/www/readme",
- "windows/system32/drivers/etc/hosts",
- "windows/system32/drivers/etc/lmhosts.sam",
- "windows/system32/drivers/etc/networks",
- "windows/system32/drivers/etc/protocol",
- "windows/system32/drivers/etc/services",
- "/boot.ini",
- "windows/debug/netsetup.log",
- "windows/comsetup.log",
- "windows/repair/setup.log",
- "windows/setupact.log",
- "windows/setupapi.log",
- "windows/setuperr.log",
- "windows/updspapi.log",
- "windows/wmsetup.log",
- "windows/windowsupdate.log",
- "windows/odbc.ini",
- "usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php",
- "etc/apache2/conf.d/phpmyadmin.conf",
- "etc/phpmyadmin/config.inc.php",
- "etc/openldap/ldap.conf",
- "etc/cups/acroread.conf",
- "etc/cups/cupsd.conf",
- "etc/cups/cupsd.conf.default",
- "etc/cups/pdftops.conf",
- "etc/cups/printers.conf",
- "windows/system32/macromed/flash/flashinstall.log",
- "windows/system32/macromed/flash/install.log",
- "etc/cvs-cron.conf",
- "etc/cvs-pserver.conf",
- "etc/subversion/config",
- "etc/modprobe.d/vmware-tools.conf",
- "etc/updatedb.conf.beforevmwaretoolsinstall",
- "etc/vmware-tools/config",
- "etc/vmware-tools/tpvmlp.conf",
- "etc/vmware-tools/vmware-tools-libraries.conf",
- "var/log/vmware/hostd.log",
- "var/log/vmware/hostd-1.log",
- "/wp-config.php",
- "/wp-config.bak",
- "/wp-config.old",
- "/wp-config.temp",
- "/wp-config.tmp",
- "/wp-config.txt",
- "/config.yml",
- "/config_dev.yml",
- "/config_prod.yml",
- "/config_test.yml",
- "/parameters.yml",
- "/routing.yml",
- "/security.yml",
- "/services.yml",
- "sites/default/default.settings.php",
- "sites/default/settings.php",
- "sites/default/settings.local.php",
- "app/etc/local.xml",
- "/sftp-config.json",
- "/web.config",
- "includes/config.php",
- "includes/configure.php",
- "/config.inc.php",
- "/localsettings.php",
- "inc/config.php",
- "typo3conf/localconf.php",
- "config/app.php",
- "config/custom.php",
- "config/database.php",
- "/configuration.php",
- "/config.php",
- "var/mail/www-data",
- "etc/network/",
- "etc/init/",
- "inetpub/wwwroot/global.asa",
- "system32/inetsrv/config/applicationhost.config",
- "system32/inetsrv/config/administration.config",
- "system32/inetsrv/config/redirection.config",
- "system32/config/default",
- "system32/config/sam",
- "system32/config/system",
- "system32/config/software",
- "winnt/repair/sam._",
- "/package.json",
- "/package-lock.json",
- "/gruntfile.js",
- "/npm-debug.log",
- "/ormconfig.json",
- "/tsconfig.json",
- "/webpack.config.js",
- "/yarn.lock",
- "proc/0",
- "proc/1",
- "proc/2",
- "proc/3",
- "proc/4",
- "proc/5",
- "proc/6",
- "proc/7",
- "proc/8",
- "proc/9",
- "proc/acpi",
- "proc/asound",
- "proc/bootconfig",
- "proc/buddyinfo",
- "proc/bus",
- "proc/cgroups",
- "proc/cmdline",
- "proc/config.gz",
- "proc/consoles",
- "proc/cpuinfo",
- "proc/crypto",
- "proc/devices",
- "proc/diskstats",
- "proc/dma",
- "proc/docker",
- "proc/driver",
- "proc/dynamic_debug",
- "proc/execdomains",
- "proc/fb",
- "proc/filesystems",
- "proc/fs",
- "proc/interrupts",
- "proc/iomem",
- "proc/ioports",
- "proc/ipmi",
- "proc/irq",
- "proc/kallsyms",
- "proc/kcore",
- "proc/keys",
- "proc/keys",
- "proc/key-users",
- "proc/kmsg",
- "proc/kpagecgroup",
- "proc/kpagecount",
- "proc/kpageflags",
- "proc/latency_stats",
- "proc/loadavg",
- "proc/locks",
- "proc/mdstat",
- "proc/meminfo",
- "proc/misc",
- "proc/modules",
- "proc/mounts",
- "proc/mpt",
- "proc/mtd",
- "proc/mtrr",
- "proc/net",
- "proc/net/tcp",
- "proc/net/udp",
- "proc/pagetypeinfo",
- "proc/partitions",
- "proc/pressure",
- "proc/sched_debug",
- "proc/schedstat",
- "proc/scsi",
- "proc/self",
- "proc/self/cmdline",
- "proc/self/environ",
- "proc/self/fd/0",
- "proc/self/fd/1",
- "proc/self/fd/10",
- "proc/self/fd/11",
- "proc/self/fd/12",
- "proc/self/fd/13",
- "proc/self/fd/14",
- "proc/self/fd/15",
- "proc/self/fd/2",
- "proc/self/fd/3",
- "proc/self/fd/4",
- "proc/self/fd/5",
- "proc/self/fd/6",
- "proc/self/fd/7",
- "proc/self/fd/8",
- "proc/self/fd/9",
- "proc/self/mounts",
- "proc/self/stat",
- "proc/self/status",
- "proc/slabinfo",
- "proc/softirqs",
- "proc/stat",
- "proc/swaps",
- "proc/sys",
- "proc/sysrq-trigger",
- "proc/sysvipc",
- "proc/thread-self",
- "proc/timer_list",
- "proc/timer_stats",
- "proc/tty",
- "proc/uptime",
- "proc/version",
- "proc/version_signature",
- "proc/vmallocinfo",
- "proc/vmstat",
- "proc/zoneinfo",
- "sys/block",
- "sys/bus",
- "sys/class",
- "sys/dev",
- "sys/devices",
- "sys/firmware",
- "sys/fs",
- "sys/hypervisor",
- "sys/kernel",
- "sys/module",
- "sys/power"
- ]
- },
- "operator": "phrase_match"
- }
- ],
- "transformers": [
- "lowercase",
- "normalizePath"
- ]
- },
- {
- "id": "crs-931-100",
- "name": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address",
- "tags": {
- "type": "rfi",
- "crs_id": "931100",
- "category": "attack_attempt"
- },
- "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.request.query"
- },
- {
- "address": "server.request.body"
- },
- {
- "address": "server.request.path_params"
- }
- ],
- "regex": "^(?i:file|ftps?|https?)://(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
- "options": {
- "case_sensitive": true,
- "min_length": 13
- }
- },
- "operator": "match_regex"
- }
- ],
- "transformers": []
- },
- {
- "id": "crs-932-105",
- "name": "Remote 
Command Execution: Unix Command Injection", - "tags": { - "type": "command_injection", - "crs_id": "932105", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "(?:[;\\n\\r`]|\\$(?:\\(?\\(|{)|(?:\\|)?\\||\\(\\s*\\)|[<>]\\(|&?&|\\{)\\s*(?:(?:\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|(?:\\s*\\(|!)\\s*|\\{|\\$))*\\s*(?:['\\\"])*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\x5c]+/)?[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*(?:(?:f[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*l[\\x5c'\\\"]*)?(?:\\s|<|>).*|a[\\x5c'\\\"]*r[\\x5c'\\\"]*c[\\x5c'\\\"]*h|e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|s[\\x5c'\\\"]*i[\\x5c'\\\"]*d)|(?:r[\\x5c'\\\"]*v[\\x5c'\\\"]*i[\\x5c'\\\"]*c[\\x5c'\\\"]*e|d)[\\x5c'\\\"]*(?:\\s|<|>).*|n[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l)|t[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*r[\\x5c'\\\"]*t[\\x5c'\\\"]*-[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*o[\\x5c'\\\"]*p[\\x5c'\\\"]*-[\\x5c'\\\"]*d[\\x5c'\\\"]*a[\\x5c'\\\"]*e[\\x5c'\\\"]*m[\\x5c'\\\"]*o[\\x5c'\\\"]*n|r[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*n[\\x5c'\\\"]*g[\\x5c'\\\"]*s|a[\\x5c'\\\"]*c[\\x5c'\\\"]*e)|d[\\x5c'\\\"]*b[\\x5c'\\\"]*u[\\x5c'\\\"]*f)|h[\\x5c'\\\"]*(?:\\.[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*r[\\x5c'\\\"]*i[\\x5c'\\\"]*b|u[\\x5c'\\\"]*t[\\x5c'\\\"]*d[\\x5c'\\\"]*o[\\x5c'\\\"]*w[\\x5c'\\\"]*n|(?:\\s|<|>).*)|c[\\x5c'\\\"]*(?:(?:r[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*e[\\x5c'\\\"]*n|i[\\x5c'\\\"]*p[\\x5c'\\\"]*t)|p)[\\x5c'\\\"]*(?:\\s|<|>).*|h[\\x5c'\\\"]*e[\\x5c'\\\"]*d)|o[\\x5c'\\\"]*(?:(?:u[\\x5c'\\\"]*r[\\x5c'\\\"]*c[\\x5c'\\\"]*e|r[\\x5c'\\\"]*t)[\\x5c'\\\"]*(?:\\s|<|>).*|c[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|(?:p[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*t|g)[\\x5c'\\\"]*(?:\\s|<|>).*|q[\\x5c'\\\"]*l[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*e[\\x5c'\\\"]
*3|(?:l[\\x5c'\\\"]*e[\\x5c'\\\"]*e|f[\\x5c'\\\"]*t)[\\x5c'\\\"]*p|y[\\x5c'\\\"]*s[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|u[\\x5c'\\\"]*(?:(?:\\s|<|>).*|d[\\x5c'\\\"]*o)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|s[\\x5c'\\\"]*h|v[\\x5c'\\\"]*n)|p[\\x5c'\\\"]*(?:k[\\x5c'\\\"]*(?:g(?:(?:[\\x5c'\\\"]*_)?[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*f[\\x5c'\\\"]*o)?|e[\\x5c'\\\"]*x[\\x5c'\\\"]*e[\\x5c'\\\"]*c|i[\\x5c'\\\"]*l[\\x5c'\\\"]*l)|i[\\x5c'\\\"]*(?:(?:c(?:[\\x5c'\\\"]*o)?|p)[\\x5c'\\\"]*(?:\\s|<|>).*|d[\\x5c'\\\"]*s[\\x5c'\\\"]*t[\\x5c'\\\"]*a[\\x5c'\\\"]*t|n[\\x5c'\\\"]*g)|t[\\x5c'\\\"]*a[\\x5c'\\\"]*r(?:[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p))?|a[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|s[\\x5c'\\\"]*s[\\x5c'\\\"]*w[\\x5c'\\\"]*d)|r[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*n[\\x5c'\\\"]*v|f[\\x5c'\\\"]*(?:\\s|<|>).*)|y[\\x5c'\\\"]*t[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*n(?:[\\x5c'\\\"]*(?:3(?:[\\x5c'\\\"]*m)?|2))?|e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:l(?:[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*h|5))?|m[\\x5c'\\\"]*s)|(?:u[\\x5c'\\\"]*s[\\x5c'\\\"]*h|o[\\x5c'\\\"]*p)[\\x5c'\\\"]*d|f[\\x5c'\\\"]*(?:(?:\\s|<|>).*|t[\\x5c'\\\"]*p)|g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|h[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*[57])?|s[\\x5c'\\\"]*(?:\\s|<|>).*|d[\\x5c'\\\"]*b)|n[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*(?:\\.[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*i[\\x5c'\\\"]*o[\\x5c'\\\"]*n[\\x5c'\\\"]*a[\\x5c'\\\"]*l|o[\\x5c'\\\"]*p[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*b[\\x5c'\\\"]*s[\\x5c'\\\"]*d)|(?:\\s|<|>).*|a[\\x5c'\\\"]*t)|e[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:k[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*-[\\x5c'\\\"]*f[\\x5c'\\\"]*t[\\x5c'\\\"]*p|(?:s[\\x5c'\\\"]*t|c)[\\x5c'\\\"]*a[\\x5c'\\\"]*t|(?:\\s|<|>).*)|s[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*o[\\x5c'\\\"]*o[\\x5c'\\\"]*k[\\x5c'\\\"]*u[\\x5c'\\\"]*p|e[\\x5c'\\\"]*n[\\x5c'\\\
"]*t[\\x5c'\\\"]*e[\\x5c'\\\"]*r|t[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|o[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*e[\\x5c'\\\"]*(?:\\s|<|>).*|h[\\x5c'\\\"]*u[\\x5c'\\\"]*p)|a[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*o[\\x5c'\\\"]*(?:\\s|<|>).*|w[\\x5c'\\\"]*k)|p[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*n[\\x5c'\\\"]*g|m[\\x5c'\\\"]*(?:\\s|<|>).*)|i[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*(?:\\s|<|>).*|r[\\x5c'\\\"]*o[\\x5c'\\\"]*f[\\x5c'\\\"]*f|m[\\x5c'\\\"]*a[\\x5c'\\\"]*p)|r[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*-[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*a[\\x5c'\\\"]*i[\\x5c'\\\"]*l[\\x5c'\\\"]*c[\\x5c'\\\"]*a[\\x5c'\\\"]*p|p[\\x5c'\\\"]*a[\\x5c'\\\"]*r[\\x5c'\\\"]*t[\\x5c'\\\"]*s)|b[\\x5c'\\\"]*y(?:[\\x5c'\\\"]*(?:1(?:[\\x5c'\\\"]*[89])?|2[\\x5c'\\\"]*[012]))?)|e[\\x5c'\\\"]*(?:(?:p[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e|e[\\x5c'\\\"]*a[\\x5c'\\\"]*t)|n[\\x5c'\\\"]*a[\\x5c'\\\"]*m[\\x5c'\\\"]*e)[\\x5c'\\\"]*(?:\\s|<|>).*|a[\\x5c'\\\"]*l[\\x5c'\\\"]*p[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*h)|m[\\x5c'\\\"]*(?:(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*r[\\x5c'\\\"]*)?(?:\\s|<|>).*|u[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*r)|a[\\x5c'\\\"]*(?:k[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*(?:\\s|<|>).*|u)|r[\\x5c'\\\"]*(?:\\s|<|>).*)|(?:c[\\x5c'\\\"]*p|p[\\x5c'\\\"]*m)[\\x5c'\\\"]*(?:\\s|<|>).*|v[\\x5c'\\\"]*i[\\x5c'\\\"]*(?:e[\\x5c'\\\"]*w|m)|n[\\x5c'\\\"]*a[\\x5c'\\\"]*n[\\x5c'\\\"]*o|o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e|s[\\x5c'\\\"]*y[\\x5c'\\\"]*n[\\x5c'\\\"]*c)|t[\\x5c'\\\"]*(?:c[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*(?:t[\\x5c'\\\"]*r[\\x5c'\\\"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e|i[\\x5c'\\\"]*n[\\x5c'\\\"]*g)|s[\\x5c'\\\"]*h)|i[\\x5c'\\\"]*m[\\x5c'\\\"]*e[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e[\\x5c'\\\"]*c[\\x5c'\\\"]*t[\\x5c'\\\"]*l|o[\\x5c'\\\"]*u[\\x5c'\\\"]*t|(?:\\s|<|>).*)|a[\\x5c'\\\"]*(?:s[\\x5c'\\\"]*k[\\x5c'\\\"]*s[\\x5c'\\\"]*e[\\x5c'\\\"]*t|i[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*f)?|r[\\x5c'\\\"]*(?:\\s|<|>).*)|r[\\x5c'\\\
"]*a[\\x5c'\\\"]*c[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*o[\\x5c'\\\"]*u[\\x5c'\\\"]*t[\\x5c'\\\"]*e(?:[\\x5c'\\\"]*6)?|e[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*n[\\x5c'\\\"]*e[\\x5c'\\\"]*t|e[\\x5c'\\\"]*(?:\\s|<|>).*)|o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|p)|m[\\x5c'\\\"]*u[\\x5c'\\\"]*x)|m[\\x5c'\\\"]*(?:y[\\x5c'\\\"]*s[\\x5c'\\\"]*q[\\x5c'\\\"]*l(?:[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*u[\\x5c'\\\"]*m[\\x5c'\\\"]*p(?:[\\x5c'\\\"]*s[\\x5c'\\\"]*l[\\x5c'\\\"]*o[\\x5c'\\\"]*w)?|h[\\x5c'\\\"]*o[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*o[\\x5c'\\\"]*p[\\x5c'\\\"]*y|a[\\x5c'\\\"]*d[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*n|s[\\x5c'\\\"]*h[\\x5c'\\\"]*o[\\x5c'\\\"]*w))?|(?:o[\\x5c'\\\"]*(?:u[\\x5c'\\\"]*n[\\x5c'\\\"]*t|r[\\x5c'\\\"]*e)|k[\\x5c'\\\"]*d[\\x5c'\\\"]*i[\\x5c'\\\"]*r|u[\\x5c'\\\"]*t[\\x5c'\\\"]*t|v)[\\x5c'\\\"]*(?:\\s|<|>).*|a[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*l[\\x5c'\\\"]*(?:x[\\x5c'\\\"]*(?:\\s|<|>).*|q)|(?:k[\\x5c'\\\"]*e|n)[\\x5c'\\\"]*(?:\\s|<|>).*|w[\\x5c'\\\"]*k)|l[\\x5c'\\\"]*o[\\x5c'\\\"]*c[\\x5c'\\\"]*a[\\x5c'\\\"]*t[\\x5c'\\\"]*e)|u[\\x5c'\\\"]*(?:n[\\x5c'\\\"]*(?:l[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*n[\\x5c'\\\"]*k[\\x5c'\\\"]*(?:\\s|<|>).*|z[\\x5c'\\\"]*m[\\x5c'\\\"]*a)|s[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*a[\\x5c'\\\"]*r[\\x5c'\\\"]*e|e[\\x5c'\\\"]*t)[\\x5c'\\\"]*(?:\\s|<|>).*|c[\\x5c'\\\"]*o[\\x5c'\\\"]*m[\\x5c'\\\"]*p[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|a[\\x5c'\\\"]*m[\\x5c'\\\"]*e|r[\\x5c'\\\"]*a[\\x5c'\\\"]*r|z[\\x5c'\\\"]*i[\\x5c'\\\"]*p|x[\\x5c'\\\"]*z)|s[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*(?:(?:a[\\x5c'\\\"]*d|m[\\x5c'\\\"]*o)[\\x5c'\\\"]*d|d[\\x5c'\\\"]*e[\\x5c'\\\"]*l)|l[\\x5c'\\\"]*i[\\x5c'\\\"]*m[\\x5c'\\\"]*i[\\x5c'\\\"]*t[\\x5c'\\\"]*(?:\\s|<|>).*)|x[\\x5c'\\\"]*(?:z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|d[\\x5c'\\\"]*(?:i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|e[\\x5c'\\\"]*c)|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m
[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|(?:\\s|<|>).*)|a[\\x5c'\\\"]*r[\\x5c'\\\"]*g[\\x5c'\\\"]*s|t[\\x5c'\\\"]*e[\\x5c'\\\"]*r[\\x5c'\\\"]*m|x[\\x5c'\\\"]*d[\\x5c'\\\"]*(?:\\s|<|>).*)|z[\\x5c'\\\"]*(?:(?:[ef][\\x5c'\\\"]*)?g[\\x5c'\\\"]*r[\\x5c'\\\"]*e[\\x5c'\\\"]*p|c[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*t|m[\\x5c'\\\"]*p)|d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|i[\\x5c'\\\"]*p[\\x5c'\\\"]*(?:\\s|<|>).*|l[\\x5c'\\\"]*e[\\x5c'\\\"]*s[\\x5c'\\\"]*s|m[\\x5c'\\\"]*o[\\x5c'\\\"]*r[\\x5c'\\\"]*e|r[\\x5c'\\\"]*u[\\x5c'\\\"]*n|s[\\x5c'\\\"]*h)|w[\\x5c'\\\"]*(?:h[\\x5c'\\\"]*o[\\x5c'\\\"]*(?:a[\\x5c'\\\"]*m[\\x5c'\\\"]*i|(?:\\s|<|>).*)|a[\\x5c'\\\"]*t[\\x5c'\\\"]*c[\\x5c'\\\"]*h[\\x5c'\\\"]*(?:\\s|<|>).*|g[\\x5c'\\\"]*e[\\x5c'\\\"]*t|3[\\x5c'\\\"]*m)|v[\\x5c'\\\"]*i[\\x5c'\\\"]*(?:m[\\x5c'\\\"]*(?:d[\\x5c'\\\"]*i[\\x5c'\\\"]*f[\\x5c'\\\"]*f|(?:\\s|<|>).*)|(?:e[\\x5c'\\\"]*w[\\x5c'\\\"]*)?(?:\\s|<|>).*|g[\\x5c'\\\"]*r|p[\\x5c'\\\"]*w)|o[\\x5c'\\\"]*(?:p[\\x5c'\\\"]*e[\\x5c'\\\"]*n[\\x5c'\\\"]*s[\\x5c'\\\"]*s[\\x5c'\\\"]*l|n[\\x5c'\\\"]*i[\\x5c'\\\"]*n[\\x5c'\\\"]*t[\\x5c'\\\"]*r)|y[\\x5c'\\\"]*u[\\x5c'\\\"]*m)\\b", - "options": { - "case_sensitive": true, - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-932-110", - "name": "Remote Command Execution: Windows Command Injection", - "tags": { - "type": "command_injection", - "crs_id": "932110", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "(?:[;\\n\\r`]|(?:\\|)?\\||&?&|\\{)\\s*(?:['(?:,@\\\"\\s])*(?:(?:(?:[\\x5c'\\\"\\^]*\\w[\\x5c'\\\"\\^]*:.*|[\\^\\.\\w 
'\\\"/\\x5c]*)\\x5c|[\\w'\\\"\\./]+\\/))?[\\\"\\^]*(?:m[\\\"\\^]*(?:y[\\\"\\^]*s[\\\"\\^]*q[\\\"\\^]*l(?:[\\\"\\^]*(?:d[\\\"\\^]*u[\\\"\\^]*m[\\\"\\^]*p(?:[\\\"\\^]*s[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*w)?|h[\\\"\\^]*o[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y|a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|s[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*w))?|s[\\\"\\^]*(?:i[\\\"\\^]*(?:n[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*3[\\\"\\^]*2|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c)|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|g[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|h[\\\"\\^]*t[\\\"\\^]*a|t[\\\"\\^]*s[\\\"\\^]*c)|o[\\\"\\^]*(?:u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|v[\\\"\\^]*o[\\\"\\^]*l)|v[\\\"\\^]*e[\\\"\\^]*u[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r|[dr][\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|k[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*k)|d[\\\"\\^]*(?:s[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*d|(?:[\\s,;]|\\.|/|<|>).*)|a[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*d|b[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*i|e[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*r[\\\"\\^]*e|m[\\\"\\^]*s[\\\"\\^]*y[\\\"\\^]*s)|d[\\\"\\^]*(?:i[\\\"\\^]*(?:s[\\\"\\^]*k[\\\"\\^]*(?:(?:m[\\\"\\^]*g[\\\"\\^]*m|p[\\\"\\^]*a[\\\"\\^]*r)[\\\"\\^]*t|s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w)|r[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|u[\\\"\\^]*s[\\\"\\^]*e)|f[\\\"\\^]*f[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|e[\\\"\\^]*(?:l[\\\"\\^]*(?:p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*f|t[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*e|(?:[\\s,;]|\\.|/|<|>).*)|v[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|c[\\\"\\^]*o[\\\"\\^]*n)|(?:f[\\\"\\^]*r[\\\"\\^]*a|b[\\\"\\^]*u)[\\\"\\^]*g)|s[\\\"\\^]*(?:a[\\\"\\^]*(?:c[\\\"\\^]*l[\\\"\\^]*s|d[\\\"\\^]*d)|q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*y|m[\\\"\\^]*o[\\\"\\^]*(?:v[\\\"\\^]*e|d)|g[\\\"\\^]*e[\\\"\\^]*t|r[\\\"\\^]*m)|(?:r[\\\"\\^]*i[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\
\^]*q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*r|o[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*e)[\\\"\\^]*y|(?:c[\\\"\\^]*o[\\\"\\^]*m[\\\"\\^]*c[\\\"\\^]*n[\\\"\\^]*f|x[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*a)[\\\"\\^]*g|a[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|n[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|c[\\\"\\^]*(?:o[\\\"\\^]*(?:m[\\\"\\^]*(?:p[\\\"\\^]*(?:(?:a[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t)|e[\\\"\\^]*x[\\\"\\^]*p)|n[\\\"\\^]*(?:2[\\\"\\^]*p|v[\\\"\\^]*e)[\\\"\\^]*r[\\\"\\^]*t|p[\\\"\\^]*y)|l[\\\"\\^]*(?:e[\\\"\\^]*a[\\\"\\^]*(?:n[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|r[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*m)|u[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*r)|h[\\\"\\^]*(?:k[\\\"\\^]*(?:n[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*s|d[\\\"\\^]*s[\\\"\\^]*k)|d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|s[\\\"\\^]*(?:c[\\\"\\^]*(?:r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t|c[\\\"\\^]*m[\\\"\\^]*d)|v[\\\"\\^]*d[\\\"\\^]*e)|e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|r[\\\"\\^]*e[\\\"\\^]*q)|a[\\\"\\^]*(?:l[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|c[\\\"\\^]*l[\\\"\\^]*s)|m[\\\"\\^]*d(?:[\\\"\\^]*k[\\\"\\^]*e[\\\"\\^]*y)?|i[\\\"\\^]*p[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r|u[\\\"\\^]*r[\\\"\\^]*l)|f[\\\"\\^]*(?:o[\\\"\\^]*r[\\\"\\^]*(?:m[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s|e[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*h)|i[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|s[\\\"\\^]*t[\\\"\\^]*r)|s[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|t[\\\"\\^]*(?:p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|y[\\\"\\^]*p[\\\"\\^]*e)|r[\\\"\\^]*e[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*k|c[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p)|n[\\\"\\^]*(?:e[\\\"\\^]*t[\\\"\\^]*(?:s[\\\"\\^]*(?:t[\\\"\\^]*a[\\\"\\^]*t|v[\\\"\\^]*c|h)|(?:[\\s,;]|\\.|/|<|>).*|c[\\\"\\^]*a[\\\"\\^]*t|d[\\\"\\^]*o[\\
\"\\^]*m)|t[\\\"\\^]*(?:b[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k[\\\"\\^]*u[\\\"\\^]*p|r[\\\"\\^]*i[\\\"\\^]*g[\\\"\\^]*h[\\\"\\^]*t[\\\"\\^]*s)|(?:s[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*k[\\\"\\^]*u|m[\\\"\\^]*a)[\\\"\\^]*p|c[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|a[\\\"\\^]*t)|b[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|e[\\\"\\^]*(?:x[\\\"\\^]*p[\\\"\\^]*(?:a[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*r)|v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:c[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e|v[\\\"\\^]*w[\\\"\\^]*r)|n[\\\"\\^]*d[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p|r[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*e|c[\\\"\\^]*h[\\\"\\^]*o)|g[\\\"\\^]*(?:a[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*w[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*k[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|p[\\\"\\^]*(?:(?:r[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*l|e[\\\"\\^]*d[\\\"\\^]*i)[\\\"\\^]*t|u[\\\"\\^]*p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e)|i[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|e[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*c)|i[\\\"\\^]*(?:r[\\\"\\^]*b(?:[\\\"\\^]*(?:1(?:[\\\"\\^]*[89])?|2[\\\"\\^]*[012]))?|f[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*b[\\\"\\^]*e[\\\"\\^]*r|p[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|n[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*p[\\\"\\^]*l|c[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s)|a[\\\"\\^]*(?:d[\\\"\\^]*(?:d[\\\"\\^]*u[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s|m[\\\"\\^]*o[\\\"\\^]*d[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d)|r[\\\"\\^]*p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*b|s[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*c|z[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*n)|l[\\\"\\^]*(?:o[\\\"\\^]*g[\\\"\\^]*(?:e[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t|t[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*e|m[\\\"\\^]*a[\\\"\\^]*n|o[\\\"\\^]*f[\\\"\\^]*f)|a[
\\\"\\^]*b[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|u[\\\"\\^]*s[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r)|b[\\\"\\^]*(?:(?:c[\\\"\\^]*d[\\\"\\^]*(?:b[\\\"\\^]*o[\\\"\\^]*o|e[\\\"\\^]*d[\\\"\\^]*i)|r[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a)[\\\"\\^]*t|i[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|o[\\\"\\^]*o[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*f[\\\"\\^]*g)|h[\\\"\\^]*(?:o[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e|d[\\\"\\^]*w[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^]*z)|j[\\\"\\^]*a[\\\"\\^]*v[\\\"\\^]*a[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|7[\\\"\\^]*z(?:[\\\"\\^]*[ar])?)(?:\\.[\\\"\\^]*\\w+)?\\b", - "options": { - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-932-140", - "name": "Remote Command Execution: Windows FOR/IF Command Found", - "tags": { - "type": "command_injection", - "crs_id": "932140", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "\\b(?:if(?:/i)?(?: not)?(?: exist\\b| defined\\b| errorlevel\\b| cmdextversion\\b|(?: |\\().*(?:\\bgeq\\b|\\bequ\\b|\\bneq\\b|\\bleq\\b|\\bgtr\\b|\\blss\\b|==))|for(?:/[dflr].*)? 
%+[^ ]+ in\\(.*\\)\\s?do)", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-941-320", - "name": "Possible XSS Attack Detected - HTML Tag Handler", - "tags": { - "type": "xss", - "crs_id": "941320", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - } - ], - "regex": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W", - "options": { - "case_sensitive": true, - "min_length": 3 - } - }, - "operator": "match_regex" - } - ], - "transformers": [ - "lowercase" - ] - }, - { - "id": "crs-942-140", - "name": "SQL Injection Attack: Common DB Names Detected", - "tags": { - "type": "sql_injection", - "crs_id": "942140", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - } - ], - "regex": 
"\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\.\\.sysdatabases|ysql\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\b|s(?:(?:ys(?:\\.database_name|aux)|qlite(?:_temp)?_master)\\b|chema(?:_name\\b|\\W*\\())|d(?:atabas|b_nam)e\\W*\\()", - "options": { - "min_length": 4 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "crs-942-220", - "name": "Looking for integer overflow attacks", - "tags": { - "type": "sql_injection", - "crs_id": "942220", - "category": "attack_attempt" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.query" - }, - { - "address": "server.request.body" - }, - { - "address": "server.request.path_params" - }, - { - "address": "grpc.server.request.message" - } - ], - "regex": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$", - "options": { - "case_sensitive": true, - "min_length": 5 - } - }, - "operator": "match_regex" - } - ], - "transformers": [] - } - ] -} \ No newline at end of file diff --git a/lib/datadog/appsec/assets/waf_rules/strict.json b/lib/datadog/appsec/assets/waf_rules/strict.json index 68517133de..a72741c5e1 100644 --- a/lib/datadog/appsec/assets/waf_rules/strict.json +++ b/lib/datadog/appsec/assets/waf_rules/strict.json @@ -1,7 +1,7 @@ { "version": "2.2", "metadata": { - "rules_version": "1.4.3" + "rules_version": "1.5.0" }, "rules": [ { diff --git a/lib/datadog/appsec/processor.rb b/lib/datadog/appsec/processor.rb index 24194e0d93..af29cf21c6 100644 --- a/lib/datadog/appsec/processor.rb +++ b/lib/datadog/appsec/processor.rb 
@@ -103,8 +103,15 @@ def load_ruleset
 begin
 @ruleset = case ruleset_setting
- when :recommended, :risky, :strict
+ when :recommended, :strict
 JSON.parse(Datadog::AppSec::Assets.waf_rules(ruleset_setting))
+ when :risky
+ JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))
+ Datadog.logger.warn(
+ 'The :risky Application Security Management ruleset has been deprecated and no longer available.'\
+ 'The `:recommended` ruleset will be used instead.'\
+ 'Please remove the `appsec.ruleset = :risky` setting from your Datadog.configure block.'
+ )
 when String
 JSON.parse(File.read(ruleset_setting))
 when File, StringIO
diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb
index b6bfd99138..326b80d2f4 100644
--- a/spec/datadog/appsec/configuration/settings_spec.rb
+++ b/spec/datadog/appsec/configuration/settings_spec.rb
@@ -48,8 +48,8 @@
 end
 describe '#ruleset=' do
- subject(:ruleset_) { settings.merge(dsl.tap { |c| c.ruleset = :risky }) }
- it { expect { ruleset_ }.to change { settings.ruleset }.from(:recommended).to(:risky) }
+ subject(:ruleset_) { settings.merge(dsl.tap { |c| c.ruleset = :strict }) }
+ it { expect { ruleset_ }.to change { settings.ruleset }.from(:recommended).to(:strict) }
 end
 describe '#waf_timeout' do
@@ -157,8 +157,8 @@
 end
 describe '#ruleset=' do
- subject(:ruleset_) { settings.merge(dsl.tap { |c| c.ruleset = :risky }) }
- it { expect { ruleset_ }.to change { settings.ruleset }.from('/some/path').to(:risky) }
+ subject(:ruleset_) { settings.merge(dsl.tap { |c| c.ruleset = :strict }) }
+ it { expect { ruleset_ }.to change { settings.ruleset }.from('/some/path').to(:strict) }
 end
 end
diff --git a/spec/datadog/appsec/extensions_spec.rb b/spec/datadog/appsec/extensions_spec.rb
index f1b8c263f3..543cd3e401 100644
--- a/spec/datadog/appsec/extensions_spec.rb
+++ b/spec/datadog/appsec/extensions_spec.rb
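Review bot: In the new `when :risky` branch the value assigned to `@ruleset` is the return value of `Datadog.logger.warn(...)`, not the parsed rules, because a `case` branch evaluates to its last expression; the `JSON.parse(...)` result on the line above the `warn` call is discarded. Move `JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))` below the closing `)` of the `warn` call so it is the branch's last expression, or assign it to a local first. Depending on what the rest of `load_ruleset` (which continues outside this hunk) does with `@ruleset`, anyone still configured with `:risky` may end up with the WAF initialised from a boolean or `nil` rather than the recommended rules, the opposite of the intended fallback. The three adjacent string literals joined with `\` also have no separating space, so the logged message runs its sentences together (`available.The`); end the first two fragments with a trailing space.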
@@ -69,8 +69,8 @@
 end
 describe '#ruleset=' do
- subject(:ruleset_) { settings.ruleset = :risky }
- it { expect { ruleset_ }.to change { settings.ruleset }.from(:recommended).to(:risky) }
+ subject(:ruleset_) { settings.ruleset = :strict }
+ it { expect { ruleset_ }.to change { settings.ruleset }.from(:recommended).to(:strict) }
 end
 describe '#waf_timeout' do
diff --git a/spec/datadog/appsec/processor_spec.rb b/spec/datadog/appsec/processor_spec.rb
index cab2f10d56..29f4898a4e 100644
--- a/spec/datadog/appsec/processor_spec.rb
+++ b/spec/datadog/appsec/processor_spec.rb
@@ -128,7 +128,7 @@
 let(:ruleset) { :risky }
 before do
- expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:risky).and_call_original.twice
+ expect(Datadog::AppSec::Assets).to receive(:waf_rules).with(:recommended).and_call_original.twice
 end
 it { expect(described_class.new.send(:load_ruleset)).to be true }
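Review bot: The updated expectation in the processor_spec hunk only pins which asset is fetched for `:risky`; `load_ruleset` returning `true` does not show that `@ruleset` ends up holding the parsed recommended rules rather than the value of the `Datadog.logger.warn` call that now closes that `case` branch, and nothing asserts that the deprecation warning is logged at all. Consider adding `expect(Datadog.logger).to receive(:warn).with(/deprecated/)` next to the existing expectation in the `before` block, and an example that checks the loaded ruleset contents. The enclosing `describe`/`context` starts outside this hunk, so I cannot see whether such an assertion already exists elsewhere.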