1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
# We want to be able to find this key regardless if it's b64 encoded or not
[[rules]]
id = 'private-key'
description = 'Private Key'
regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----'''
tags = ['key', 'private']
keywords = [
'-----begin',
]
# This exists to test what would happen if a normal rule matched something that
# also gets decoded. We don't want to break anyone's existing rules that might
# be looking for specific segments of b64 encoded data.
[[rules]]
id = 'b64-encoded-private-key'
description = 'Private Key'
regex = '''(?:LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t|0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tL|tLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS)[a-zA-Z0-9+\/]+={0,3}'''
tags = ['key', 'private']
keywords = [
'ls0tls1crudjtibquklwqvrfietfws0tls0t',
'0tls0tqkvhsu4gufjjvkfursblrvktls0tl',
'tls0tlujfr0loifbssvzbveugs0vzls0tls',
]
[[rules]]
id = 'aws-iam-unique-identifier'
description = 'AWS IAM Unique Identifier'
# The funky not group at the beginning consists of ascii ranges
regex = '''(?:^|[^!$-&\(-9<>-~])((?:A3T[A-Z0-9]|ACCA|ABIA|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b'''
tags = ['aws', 'identifier']
entropy = 3.2
secretGroup = 1
keywords = [
'a3t',
'abia',
'acca',
'agpa',
'aida',
'aipa',
'akia',
'anpa',
'anva',
'aroa',
'asia',
]
[[rules]]
id = 'aws-secret-access-key'
description = 'AWS Secret Access Key'
regex = '''(?i)aws[\w\-]{0,32}[\'\"]?\s*?[:=\(]\s*?[\'\"]?([a-z0-9\/+]{40})\b'''
tags = ['aws', 'secret']
entropy = 4
secretGroup = 1
keywords = [
'aws',
]
[[rules]]
# Use a small one for making sure things shifting around are kept up with
# appropriately
id = 'small-secret'
description = 'Small Secret'
regex = '''\bsmall-secret\b'''
tags = ['small', 'secret']
[[rules]]
# When the example value is decoded this will overlap and this is here to
# test that the location information is reported accurately when the match
# goes outside the bounds of the encoded value
id = 'overlapping'
description = 'Overlapping'
regex = '''secret=(decoded-secret-value\w*)'''
tags = ['overlapping']
secretGroup = 1
# -----BEGIN REGEX TARGET DECODED MATCH PATTERNS-----
[[rules]]
id = 'decoded-password-dont-ignore'
description = 'Make sure this would be detected with no allowlist'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules]]
id = 'decoded-password-ignore-secret'
description = 'Test ignore on decoded secrets: regexTarget = "secret"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'secret'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-match'
description = 'Test ignore on decoded secrets: regexTarget = "match"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'match'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
[[rules]]
id = 'decoded-password-ignore-line'
description = 'Test ignore on decoded secrets: regexTarget = "line"'
regex = '''password\s*=\s*\"([^\"]+please-ignore-me[^\"]+)\"'''
tags = ['decode-ignore']
secretGroup = 1
[[rules.allowlists]]
regexTarget = 'line'
regexes = [
# The decoded segment that we are testing against
'please-ignore-me',
]
# -----END REGEX TARGET DECODED MATCH PATTERNS-----
|
