Develop #8

Merged
merged 2 commits into from
Apr 26, 2024
4 changes: 3 additions & 1 deletion .github/workflows/testing.yml
@@ -22,4 +22,6 @@ jobs:
- name: Slack EG Tests
run: python -m unittest tests/test_format_slack_eg.py
- name: Slack STD Tests
run: python -m unittest tests/test_format_slack_std.py
run: python -m unittest tests/test_format_slack_std.py
- name: Stack Overflow Tests
run: python -m unittest tests/test_format_stack_overflow.py
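Review bot: the new step at the end of this hunk runs `tests/test_format_stack_overflow.py`, but that file is not among the files visible in this diff view; if it is not part of the PR the job will fail at that step. A second point on the same lines: because every step is a single `python -m unittest <file>` call, any test file added to `tests/` without a matching step here is silently never run. One step of `python -m unittest discover -s tests` would pick up the Stack Overflow tests and any future format without editing the workflow each time.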
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,8 @@
## 2024-04-26
### Added
- Signatures now support Stack Overflow Watchman
- Tests added for the new Stack Overflow Watchman format

## 2023-12-22
### Added
- Added signatures for:
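Review bot: the new "Added" entry says signatures now support Stack Overflow Watchman but not which ones. The diff adds `stack_overflow` blocks to akamai, alibaba, aws, azure, cloudflare, facebook, ftp, generic_tokens and github; listing them under the entry, the way the 2023-12-22 entry lists its signatures, tells users which detections they gain on the new platform.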
69 changes: 69 additions & 0 deletions models/signature_stack_overflow.py
@@ -0,0 +1,69 @@
import pathlib
from dataclasses import dataclass

import yaml


@dataclass(slots=True)
class Signature:
""" Class that handles loaded signature objects. Signatures
define what to search for in Stack Overflow and where to search for it.
They also contain regex patterns to validate data that is found"""

name: str
status: bool
author: str
date: str
version: str
description: str
severity: int
watchman_apps: list
scope: list
test_cases: dataclass
search_strings: str
patterns: str


@dataclass(slots=True)
class TestCases:
match_cases: list
fail_cases: list


def load_from_yaml(sig_path: pathlib.PosixPath) -> list[Signature]:
"""Load YAML file and return a Signature object

Args:
sig_path: Path of YAML file
Returns:
Signature object with fields populated from the YAML
signature file
"""

with open(sig_path) as yaml_file:
yaml_import = yaml.safe_load(yaml_file)

output = []
for sig in yaml_import.get('signatures'):
if 'stack_overflow' in sig.get('watchman_apps'):
output.append(
Signature(
name=sig.get('name'),
status=sig.get('status'),
author=sig.get('author'),
date=sig.get('date'),
version=sig.get('version'),
description=sig.get('description'),
severity=sig.get('severity'),
watchman_apps=sig.get('watchman_apps'),
scope=sig.get('watchman_apps').get('stack_overflow').get('scope'),
test_cases=TestCases(
match_cases=sig.get('test_cases').get('match_cases'),
fail_cases=sig.get('test_cases').get('fail_cases')
),
search_strings=sig.get('watchman_apps').get('stack_overflow').get('search_strings'),
patterns=sig.get('patterns')
)
)

return output
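Review bot: several field annotations in `Signature` do not match the data `load_from_yaml` puts into them, and the loader fails with opaque errors on a signature that lacks a key. `status: bool` receives the YAML string `enabled` (see `status: enabled` in alibaba.yaml), so any truthiness check on it treats `disabled` as enabled; `severity: int` receives the string `"90"` (aws.yaml quotes it); `search_strings: str` and `patterns: str` receive lists; and `test_cases: dataclass` should be `TestCases`, which then needs to be defined before `Signature` or referenced as the string `'TestCases'`. Convert explicitly, for example `status=sig.get('status') == 'enabled'` and `severity=int(sig.get('severity'))`, and annotate the two lists as `list[str]`. On the loader side, `yaml_import.get('signatures')` returns `None` for a file without that key and `sig.get('watchman_apps')` returns `None` for a signature without apps, so the `for` loop and the `in` test raise `TypeError` without naming the offending file or signature; either supply `[]`/`{}` defaults or index with `[...]` so the `KeyError` says what is missing. The docstring also says the function returns a Signature object while it returns `list[Signature]`, and `sig_path: pathlib.PosixPath` should be `pathlib.Path`. Keeping `yaml.safe_load` is the right call: signature files are data and must never be able to instantiate arbitrary Python objects.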
6 changes: 6 additions & 0 deletions signatures/tokens_and_credentials/akamai.yaml
@@ -11,6 +11,12 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- akab-
slack_std:
category: secrets
scope:
14 changes: 14 additions & 0 deletions signatures/tokens_and_credentials/alibaba.yaml
@@ -1,6 +1,7 @@
---
filename: alibaba.yaml
signatures:

- name: Alibaba IAM Access Key ID
status: enabled
author: PaperMtn
@@ -10,6 +11,12 @@ signatures:
notes: null
references: null
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- LTAI
slack_std:
category: secrets
scope:
@@ -47,6 +54,7 @@ signatures:
- accessKeyId=LAAIAAAZ5BhleEv7
patterns:
- LTAI[0-9a-zA-Z]{12,20}

- name: Alibaba IAM Secret Access Key
status: enabled
author: PaperMtn
@@ -56,6 +64,12 @@ signatures:
notes: null
references: null
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- LTAI
slack_std:
category: secrets
scope:
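Review bot: the search string for the Secret Access Key signature is `LTAI`, which is the Access Key ID prefix that the Access Key ID signature above searches for and matches with `LTAI[0-9a-zA-Z]{12,20}`; the secret itself carries no fixed prefix, so this search only reaches posts where the key ID is pasted next to the secret and then relies on this signature's `patterns` to pick the secret out. That is a workable proxy, but a post that pastes only the secret is never searched for, and a line under `notes:` (currently `null`) saying that the search is keyed on the ID would save the next reader from assuming the string identifies the secret.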
16 changes: 16 additions & 0 deletions signatures/tokens_and_credentials/aws.yaml
@@ -9,6 +9,14 @@ signatures:
description: Detects exposed AWS API secret tokens
severity: "90"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- aws_access_key_id
- aws_secret_access_key
- aws_session_token
slack_std:
category: secrets
scope:
@@ -57,6 +65,14 @@ signatures:
description: Detects S3 bucket URLs, a potential source of exposed data
severity: "30"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- s3.amazonaws.com
- s3.console.aws.amazon.com
- s3://
slack_std:
category: secrets
scope:
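Review bot: `s3.amazonaws.com`, `s3.console.aws.amazon.com` and `s3://` match practically every Stack Overflow question and answer about S3, which for a severity-30 "potential source of exposed data" signature means a large volume of posts fetched and pattern-matched on every run, most of them how-to answers with a bucket URL and nothing sensitive. Consider whether both `questions` and `answers` need to be in scope here, or tighten the pattern side so a bare bucket URL in an example is not reported as a finding.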
23 changes: 23 additions & 0 deletions signatures/tokens_and_credentials/azure.yaml
@@ -13,6 +13,12 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- ".cscfg"
slack_std:
category: secrets
scope:
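Review bot: `".cscfg"` is the only search string in this PR wrapped in quotes. YAML does not need them (`- .cscfg` is a valid plain scalar), so if the quotes are meant to reach the Stack Overflow search as a phrase query that should be stated in `notes:`; otherwise drop them so every signature's search strings are written the same way.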
@@ -53,6 +59,14 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- login.microsoftonline.com
- management.azure
- management.core
slack_std:
category: secrets
scope:
@@ -105,6 +119,15 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- azureProfile.json
- az.sess
- az.json
- clouds.configtelemetry.txt
slack_std:
category: secrets
scope:
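Review bot: `clouds.configtelemetry.txt` on the last search string looks like two Azure CLI file names run together. The files that sit in the CLI config directory alongside `azureProfile.json`, `az.sess` and `az.json` are `clouds.config` and `telemetry.txt`, so this should be two entries:
- clouds.config
- telemetry.txt
As written the string matches neither file name.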
7 changes: 7 additions & 0 deletions signatures/tokens_and_credentials/cloudflare.yaml
@@ -11,6 +11,13 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- api.cloudflare.com
- cloudflare_
slack_std:
category: secrets
scope:
18 changes: 18 additions & 0 deletions signatures/tokens_and_credentials/facebook.yaml
@@ -11,6 +11,15 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- graph.facebook.com
- facebook.com/dialog/oauth
- eaaced
- client_secret
slack_std:
category: secrets
scope:
@@ -67,6 +76,15 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- graph.facebook.com
- facebook.com/dialog/oauth
- eaaced
- client_secret
slack_std:
category: secrets
scope:
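Review bot: this signature's `search_strings` list is identical to the one added to the first Facebook signature above, and `client_secret` is also the sole search string of the generic client_secret signature in generic_tokens.yaml, so the same Stack Overflow posts are fetched by up to three signatures per run. If both Facebook signatures are meant to share one search set, a YAML anchor on the first list keeps them in sync; and `client_secret` on its own is better left to the generic signature, with the Facebook-specific strings (`graph.facebook.com`, `facebook.com/dialog/oauth`, `eaaced`) and the Facebook patterns doing the discrimination here.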
6 changes: 6 additions & 0 deletions signatures/tokens_and_credentials/ftp.yaml
@@ -9,6 +9,12 @@ signatures:
description: Detects exposed FTP credentials
severity: "90"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- ftp
slack_std:
category: secrets
scope:
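Review bot: `ftp` as the only search string matches every post that mentions FTP at all, so this severity-90 signature depends entirely on its `patterns` to tell a pasted `ftp://user:password@host` apart from a general FTP question. `ftp://` (the same form the S3 signature uses with `s3://`) would cut the fetch volume considerably while still reaching the URL form that carries credentials inline.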
36 changes: 36 additions & 0 deletions signatures/tokens_and_credentials/generic_tokens.yaml
@@ -9,6 +9,12 @@ signatures:
description: Detects exposed access_tokens
severity: "70"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- access_token
slack_std:
category: secrets
scope:
@@ -54,6 +60,12 @@ signatures:
description: Detects exposed bearer tokens_and_credentials
severity: "70"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- bearer
slack_std:
category: secrets
scope:
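Review bot: the context line `description: Detects exposed bearer tokens_and_credentials` reads like a find-and-replace of `tokens` with the directory name `tokens_and_credentials`. It is not touched by this PR, but since the file is open it is worth restoring to `description: Detects exposed bearer tokens` so the description reported with a finding makes sense.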
@@ -101,6 +113,12 @@ signatures:
description: Detects exposed client_secrets
severity: "70"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- client_secret
slack_std:
category: secrets
scope:
@@ -146,6 +164,12 @@ signatures:
description: Detects exposed private_tokens
severity: "70"
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- PRIVATE
slack_std:
category: secrets
scope:
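Review bot: the search string `PRIVATE` does not match the description "Detects exposed private_tokens" two lines above it; it returns every post containing a `PRIVATE KEY` header and, if the search is case-insensitive, every post using the word "private". If the target is `private_token` parameters and `PRIVATE-TOKEN` headers, search for those literal forms instead, as the neighbouring signatures do with `x-api-key` and `x-auth-key`.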
@@ -181,6 +205,12 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- x-api-key
slack_std:
category: secrets
scope:
@@ -229,6 +259,12 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- x-auth-key
slack_std:
category: secrets
scope:
8 changes: 8 additions & 0 deletions signatures/tokens_and_credentials/github.yaml
@@ -11,6 +11,14 @@ signatures:
notes:
references:
watchman_apps:
stack_overflow:
scope:
- questions
- answers
search_strings:
- api.github.com
- github.com/login/oauth/
- github access_token
slack_std:
category: secrets
scope:
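Review bot: `github access_token` is the only search string in this PR containing a space. Whether the Stack Overflow search treats it as a phrase or as two independent terms (in which case it is largely subsumed by the generic `access_token` signature) depends on how the Watchman client quotes it, so either quote it explicitly as a phrase or split it into terms that stand on their own.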