From 19d3e6924833b833ccf134db9a24fd1d9e50bc31 Mon Sep 17 00:00:00 2001
From: Romain Marcadier
Date: Wed, 2 Apr 2025 12:13:46 +0200
Subject: [PATCH] feat: upgrade built-in rules to v1.14.1

---
 appsec/embed.go | 4 +-
 appsec/rules.json | 336 ++++++++++++++++++++++++++++++++++------------
 2 files changed, 254 insertions(+), 86 deletions(-)

diff --git a/appsec/embed.go b/appsec/embed.go
index 97b129c..f2a6298 100644
--- a/appsec/embed.go
+++ b/appsec/embed.go
@@ -7,8 +7,8 @@ package appsec
 
 import _ "embed" // Blank import comment for golint compliance
 
-// StaticRecommendedRules holds the recommended AppSec security rules (v1.13.3)
-// Source: https://github.com/DataDog/appsec-event-rules/blob/1.13.3/build/recommended.json
+// StaticRecommendedRules holds the recommended AppSec security rules (v1.14.1)
+// Source: https://github.com/DataDog/appsec-event-rules/blob/1.14.1/build/recommended.json
 //
 //go:embed rules.json
 var StaticRecommendedRules string
diff --git a/appsec/rules.json b/appsec/rules.json
index 2f53276..ca182bf 100644
--- a/appsec/rules.json
+++ b/appsec/rules.json
@@ -1,7 +1,7 @@
 {
 "version": "2.2",
 "metadata": {
-"rules_version": "1.13.3"
+"rules_version": "1.14.1"
 },
 "rules": [
 {
@@ -4864,6 +4864,36 @@
 ],
 "transformers": []
 },
+ {
+ "id": "ua0-600-68x",
+ "name": "xorbot",
+ "tags": {
+ "type": "attack_tool",
+ "category": "attack_attempt",
+ "cwe": "200",
+ "capec": "1000/118/169",
+ "tool_name": "xorbot",
+ "confidence": "0",
+ "module": "waf"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "user-agent"
+ ]
+ }
+ ],
+ "regex": "\\bmasjesu\\b"
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
+ },
 {
 "id": "dog-913-001",
 "name": "BurpCollaborator OOB domain",
@@ -5422,6 +5452,78 @@ ], "transformers": [] }, + { + "id": "dog-913-013", + "name": "Public PoC for CVE-2025-24813", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "confidence": "1", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.uri.raw" + } + ], + "regex": "/iSee857/session", + "options": { + "case_sensitive": false, + "min_length": 16 + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "dog-913-014", + "name": "Exploit attempt for Next.js Middleware Exploit (CVE-2025-29927)", + "tags": { + "type": "security_scanner", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "confidence": "0", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-middleware-subrequest" + ] + } + ] + }, + "operator": "exists" + }, + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "x-middleware-subrequest" + ] + } + ], + "regex": "[0-9a-fA-F]{40}|\\[\\w+\\]" + }, + "operator": "!match_regex" + } + ], + "transformers": [] + }, { "id": "dog-920-001", "name": "JWT authentication bypass", @@ -6314,7 +6416,7 @@ "address": "server.request.uri.raw" } ], - "regex": "(?:/swagger\\b|/api[-/]docs?\\b)", + "regex": "(?:^|/)(?:swagger|api[-/]?docs?|openapi)\\b", "options": { "case_sensitive": false } @@ -6331,7 +6433,7 @@ "category": "vulnerability_trigger", "cwe": "22", "capec": "1000/255/153/126", - "confidence": "0", + "confidence": "1", "module": "rasp" }, "conditions": [ @@ -6379,7 +6481,7 @@ "category": "vulnerability_trigger", "cwe": "77", "capec": "1000/152/248/88", - "confidence": "0", + "confidence": "1", "module": "rasp" }, "conditions": [ 
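Review bot: The exemption regex `[0-9a-fA-F]{40}|\[\w+\]` in dog-913-014 is unanchored, so any `x-middleware-subrequest` value that merely contains a 40-hex token or a `[name]` segment satisfies the `!match_regex` condition and the request is not flagged, whatever else the value carries. If the vulnerable Next.js check tolerates extra colon-separated segments — verify against the unpatched and patched handling of this header, which is not visible here — appending `:[x]` to the known bypass payload evades this rule without affecting the exploit. If legitimate values are a single token, anchoring the allowlist as `^(?:[0-9a-fA-F]{40}|\[\w+\])$` closes that gap; since rules.json is vendored from appsec-event-rules the fix belongs upstream, but it is worth tracking here. Separately, the rule is typed `security_scanner` with `confidence: "0"` although its name says "Exploit attempt" and its sibling dog-913-013 in the same hunk uses `attack_tool` with `confidence: "1"`; confirm the tags are intended, because consumers key blocking policy on them.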
@@ -6427,7 +6529,7 @@ "category": "vulnerability_trigger", "cwe": "77", "capec": "1000/152/248/88", - "confidence": "0", + "confidence": "1", "module": "rasp" }, "conditions": [ @@ -6479,6 +6581,20 @@ "module": "rasp" }, "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.io.net.url" + } + ], + "regex": "^(jar:)?https?:\\/\\/\\W*([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|(\\[)?[:0-9a-f\\.x]{2,}(\\])?|metadata\\.google\\.internal|(?:[a-z0-9:@\\.\\-]*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru|ifconfig\\.pro|dnslog\\.\\w+))(:[0-9]{1,5})?(\\/[^:@]*)?$", + "options": { + "case_sensitive": false + } + }, + "operator": "match_regex" + }, { "parameters": { "resource": [ @@ -6523,7 +6639,7 @@ "category": "vulnerability_trigger", "cwe": "89", "capec": "1000/152/248/66", - "confidence": "0", + "confidence": "1", "module": "rasp" }, "conditions": [ 
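Review bot: The new `server.io.net.url` pre-condition in the `@@ -6479,6 +6581,20 @@` hunk is an anchored allowlist of destinations (dotted/decimal/hex/IPv6 host literals, `metadata.google.internal` and the OOB-domain list), and because a rule's conditions are ANDed, the RASP rule it belongs to (presumably the SSRF rule; its id and its remaining `resource` condition lie outside the hunk) now fires only for those hosts. `localhost`, `*.localhost` and any internal DNS name (`http://redis.internal:6379/`, `http://kubernetes.default.svc/`) match none of the alternatives, so a user-controlled URL aimed at them no longer triggers this rule unless the engine resolves the host to an address before evaluation, which the address name does not suggest. If this narrowing is a deliberate false-positive trade-off it should be stated in the upgrade note, since it is invisible behind the version bump; otherwise at least `localhost` should join the alternation, e.g. `|metadata\\.google\\.internal|localhost|`, with the change made upstream in appsec-event-rules because this file is vendored.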
@@ -6957,7 +7073,7 @@ "address": "graphql.server.resolver" } ], - "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru)" + "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com|vii\\.one|act1on3\\.ru|dnslog\\.\\w+)" }, "operator": "match_regex" } @@ -7765,7 +7881,7 @@ ] } ], - "regex": "nmap (nse|scripting engine)" + "regex": "nmap (nse|scripting engine|icap-client/)" }, "operator": "match_regex" } 
@@ -8537,6 +8653,126 @@ ], "transformers": [] }, + { + "id": "ua0-600-64x", + "name": "ddg_win", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "tool_name": "ddg_win", + "confidence": "1", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bddg_win\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-65x", + "name": "ISS", + "tags": { + "type": "commercial_scanner", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "tool_name": "iss", + "confidence": "0", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bisscyberriskcrawler/\\d\\.\\d" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-66x", + "name": "BountyBot", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "tool_name": "bountybot", + "confidence": "1", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bbountybot\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-67x", + "name": "ZumBot", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "cwe": "200", + "capec": "1000/118/169", + "tool_name": "zumbot", + "confidence": "1", + "module": "waf" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bzumbot\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, { "id": 
"ua0-600-6xx", "name": "Stealthy scanner", @@ -8634,24 +8870,7 @@ { "id": "http-endpoint-fingerprint", "generator": "http_endpoint_fingerprint", - "conditions": [ - { - "operator": "exists", - "parameters": { - "inputs": [ - { - "address": "waf.context.event" - }, - { - "address": "server.business_logic.users.login.failure" - }, - { - "address": "server.business_logic.users.login.success" - } - ] - } - } - ], + "conditions": [], "parameters": { "mappings": [ { @@ -8679,7 +8898,7 @@ } ] }, - "evaluate": false, + "evaluate": true, "output": true }, { @@ -8835,24 +9054,7 @@ { "id": "http-header-fingerprint", "generator": "http_header_fingerprint", - "conditions": [ - { - "operator": "exists", - "parameters": { - "inputs": [ - { - "address": "waf.context.event" - }, - { - "address": "server.business_logic.users.login.failure" - }, - { - "address": "server.business_logic.users.login.success" - } - ] - } - } - ], + "conditions": [], "parameters": { "mappings": [ { @@ -8865,30 +9067,13 @@ } ] }, - "evaluate": false, + "evaluate": true, "output": true }, { "id": "http-network-fingerprint", "generator": "http_network_fingerprint", - "conditions": [ - { - "operator": "exists", - "parameters": { - "inputs": [ - { - "address": "waf.context.event" - }, - { - "address": "server.business_logic.users.login.failure" - }, - { - "address": "server.business_logic.users.login.success" - } - ] - } - } - ], + "conditions": [], "parameters": { "mappings": [ { @@ -8901,30 +9086,13 @@ } ] }, - "evaluate": false, + "evaluate": true, "output": true }, { "id": "session-fingerprint", "generator": "session_fingerprint", - "conditions": [ - { - "operator": "exists", - "parameters": { - "inputs": [ - { - "address": "waf.context.event" - }, - { - "address": "server.business_logic.users.login.failure" - }, - { - "address": "server.business_logic.users.login.success" - } - ] - } - } - ], + "conditions": [], "parameters": { "mappings": [ { 
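Review bot: Removing the `exists` condition on `waf.context.event` / `server.business_logic.users.login.*` from the four fingerprint processors (hunks `@@ -8634` through `@@ -8901`) and flipping `evaluate` to `true` turns them from event-gated into unconditional: as I read the processor schema, each generator, including `session_fingerprint`, which derives from session and user identifiers, now runs on every request. That adds per-request hashing of headers, URI and session data on the hot path, and if the engine reports `output: true` derivatives regardless of whether a rule matched — not visible here, confirm against the WAF engine — the fingerprints also leave the process on clean traffic. Either way this is a behaviour change the version bump hides; the `StaticRecommendedRules` doc comment or the commit message should say that fingerprinting is always-on as of 1.14.1 so consumers can budget for it and review what is exported.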
@@ -8947,7 +9115,7 @@ } ] }, - "evaluate": false, + "evaluate": true, "output": true } ],