From 404aabdcf43435f76f30f86de430a4bbec915ace Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 29 Sep 2023 20:40:50 +0530 Subject: [PATCH 1/2] fixes dns templates --- dns/azure-takeover-detection.yaml | 8 ++--- dns/caa-fingerprint.yaml | 6 ++-- dns/detect-dangling-cname.yaml | 14 ++++---- dns/dmarc-detect.yaml | 6 ++++ dns/dns-saas-service-detection.yaml | 53 ++++++++++++++++++++++++++--- dns/dns-waf-detect.yaml | 24 +++++++++++++ dns/dnssec-detection.yaml | 3 +- dns/elasticbeanstalk-takeover.yaml | 7 ++-- dns/mx-fingerprint.yaml | 7 ++-- dns/nameserver-fingerprint.yaml | 7 ++-- dns/ptr-fingerprint.yaml | 14 ++++---- dns/txt-fingerprint.yaml | 7 ++-- 12 files changed, 117 insertions(+), 39 deletions(-) diff --git a/dns/azure-takeover-detection.yaml b/dns/azure-takeover-detection.yaml index a04bef1ba57..dc425ce0c98 100644 --- a/dns/azure-takeover-detection.yaml +++ b/dns/azure-takeover-detection.yaml @@ -24,6 +24,7 @@ dns: matchers-condition: and matchers: - type: word + part: answer words: - "azure-api.net" - "azure-mobile.net" @@ -50,7 +51,6 @@ dns: - "NXDOMAIN" extractors: - - type: regex - group: 1 - regex: - - "IN\tCNAME\t(.+)" + - type: dsl + dsl: + - cname diff --git a/dns/caa-fingerprint.yaml b/dns/caa-fingerprint.yaml index 410f68921e3..f3682db62b0 100644 --- a/dns/caa-fingerprint.yaml +++ b/dns/caa-fingerprint.yaml @@ -18,9 +18,9 @@ dns: type: CAA matchers: - - type: word - words: - - "IN\tCAA" + - type: regex + regex: + - "IN\tCAA\\t(.+)$" extractors: - type: regex diff --git a/dns/detect-dangling-cname.yaml b/dns/detect-dangling-cname.yaml index f9676a59468..4a42d7147a1 100644 --- a/dns/detect-dangling-cname.yaml +++ b/dns/detect-dangling-cname.yaml 
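Review bot: caa-fingerprint's rewritten matcher is the only one in this series that did not get `part: answer`, so `"IN\tCAA\\t(.+)$"` still runs over the whole raw response (question, authority and additional sections included) while mx-, ns- and txt-fingerprint were scoped to the answer section; add `part: answer` here for consistency. The pattern also mixes escape layers in one double-quoted YAML string — `\t` is expanded by YAML into a literal tab, `\\t` reaches the regex engine as `\t` — and its trailing `$` is end-of-text in Go's RE2 unless `(?m)` is set, so only a CAA record on the final line of the part can satisfy it (and none at all if, as I believe nuclei's record formatting does, the part ends with a newline). A matcher needs only one hit, so `- "IN\\tCAA\\t(.+)"` is equivalent where it matters and unambiguous. The extractor following this hunk is unchanged and not visible here.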
@@ -26,12 +26,12 @@ dns: words: - "NXDOMAIN" - - type: word - words: - - "IN\tCNAME" - - extractors: - type: regex - group: 1 + part: answer regex: - - "IN\tCNAME\t(.+)" \ No newline at end of file + - "IN\tCNAME\\t(.+)$" + + extractors: + - type: dsl + dsl: + - cname \ No newline at end of file diff --git a/dns/dmarc-detect.yaml b/dns/dmarc-detect.yaml index 0c7b785f675..dc180b7178f 100644 --- a/dns/dmarc-detect.yaml +++ b/dns/dmarc-detect.yaml @@ -21,6 +21,12 @@ dns: - name: "_dmarc.{{FQDN}}" type: TXT + matchers: + - type: regex + part: answer + regex: + - "IN\tTXT\\t(.+)$" + extractors: - type: regex group: 1 diff --git a/dns/dns-saas-service-detection.yaml b/dns/dns-saas-service-detection.yaml index f11d6cf5a1d..6805bb5d6e4 100644 --- a/dns/dns-saas-service-detection.yaml +++ b/dns/dns-saas-service-detection.yaml @@ -25,12 +25,14 @@ dns: matchers-condition: or matchers: - type: word + part: answer name: ms-office words: - outlook.com - office.com - type: word + part: answer name: azure words: - "azure-api.net" @@ -56,23 +58,26 @@ dns: - "trafficmanager.net" - type: word + part: answer name: zendesk words: - "zendesk.com" - type: word + part: answer name: announcekit words: - "cname.announcekit.app" - type: word + part: answer name: wix words: - "wixdns.net" - type: word + part: answer name: akamai-cdn - condition: or words: - akadns.net - akagtm.org @@ -96,6 +101,7 @@ dns: - edgesuite.net - type: word + part: answer name: cloudflare-cdn words: - cloudflare.net @@ -117,11 +123,13 @@ dns: - sn-cloudflare.com - type: word + part: answer name: amazon-cloudfront words: - cloudfront.net - type: word + part: answer name: salesforce words: - salesforce.com @@ -129,6 +137,7 @@ dns: - force.com - type: word + part: answer name: amazon-aws words: - amazonaws.com @@ -136,11 +145,13 @@ dns: - awsglobalaccelerator.com - type: word + part: answer name: fastly-cdn words: - fastly.net - type: word + part: answer name: netlify words: - netlify.app 
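Review bot: detect-dangling-cname's new matcher `"IN\tCNAME\\t(.+)$"` anchors with `$`, which in Go regexp means end-of-text unless `(?m)` is given, so a CNAME that is not the last record in the answer part — or any answer part that ends with a newline, which I believe nuclei's record-to-string formatting produces — is silently not reported; since this template exists to surface takeover candidates, a silent miss is its worst failure mode. Dropping the anchor, `- "IN\\tCNAME\\t(.+)"`, loses nothing because a matcher needs only one hit, and using `\\t` for both tabs stops the YAML escape and the regex escape from being mixed in one string. Whether this matcher is combined with the `NXDOMAIN` word matcher by `and` is set above the hunk and not visible here. The file also still ends without a trailing newline on both sides of the hunk.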
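Review bot: dmarc-detect's new matcher `"IN\tTXT\\t(.+)$"` fires on any TXT record returned for `_dmarc.{{FQDN}}`, not on a DMARC record: a zone with a wildcard TXT record, or an unrelated TXT published at that name, is reported as DMARC-enabled, and a record that lacks the version tag is exactly the misconfiguration a scan should flag. Since nuclei renders TXT rdata quoted, anchoring on the mandatory version tag is a one-line change: `- "IN\\tTXT\\t\"?v=DMARC1"` (the `\"?` tolerates either quoting style). The `$` in the current pattern is end-of-text in Go regexp unless `(?m)` is set and adds nothing for a matcher. The `group: 1` extractor below is outside this hunk and unchanged.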
@@ -148,22 +159,26 @@ dns: - netlifyglobalcdn.com - type: word + part: answer name: vercel words: - vercel.app - type: word + part: answer name: sendgrid words: - sendgrid.net - sendgrid.com - type: word + part: answer name: qualtrics words: - qualtrics.com - type: word + part: answer name: heroku words: - herokuapp.com @@ -173,44 +188,52 @@ dns: - herokuspace.com - type: word + part: answer name: gitlab words: - gitlab.com - gitlab.io - type: word + part: answer name: perforce-akana words: - akana.com - apiportal.akana.com - type: word + part: answer name: skilljar words: - skilljarapp.com - type: word + part: answer name: datagrail words: - datagrail.io - type: word + part: answer name: platform.sh words: - platform.sh - type: word + part: answer name: folloze words: - folloze.com - type: word + part: answer name: pendo-receptive words: - receptive.io - pendo.io - type: word + part: answer name: discourse words: - bydiscourse.com @@ -220,6 +243,7 @@ dns: - hosted-by-discourse.com - type: word + part: answer name: adobe-marketo words: - marketo.com @@ -228,16 +252,19 @@ dns: - mktossl.com - mktoweb.com - - type: regex + - type: word + part: answer name: adobe-marketo - 'mkto-.{5,8}\.com' - type: word + part: answer name: adobe-marketo words: - marketo.com - type: word + part: answer name: rock-content words: - postclickmarketing.com @@ -245,21 +272,25 @@ dns: - rockstage.io - type: word + part: answer name: rocketlane words: - rocketlane.com - type: word + part: answer name: webflow words: - proxy-ssl.webflow.com - type: word + part: answer name: stacker-hq words: - stacker.app - type: word + part: answer name: hubspot words: - hs-analytics.net @@ -285,12 +316,14 @@ dns: - usemessages.com - type: word + part: answer name: gitbook words: - gitbook.com - gitbook.io - type: word + part: answer name: google-firebase words: - fcm.googleapis.com @@ -311,6 +344,7 @@ dns: - firebaseremoteconfig.googleapis.com - type: word + part: answer name: zendesk words: - zdassets.com 
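Review bot: The second `adobe-marketo` matcher in the `@@ -228` hunk is switched from `type: regex` to `type: word` but keeps the regex pattern `'mkto-.{5,8}\.com'` with no `words:` (or `regex:`) key above it, so the pattern is a bare sequence item under `name:`; depending on the parser that line is either folded into the `name` value as a plain-scalar continuation or rejected, and either way the matcher has no words and never fires, while `.{5,8}\.` cannot be expressed as a literal word anyway. Restore it as `- type: regex` / `part: answer` / `regex: ['mkto-.{5,8}\.com']` (plus the `name:` line), or drop the entry. `name: adobe-marketo` is also shared by the two word matchers around it, the second of which lists only `marketo.com`, already present in the first, so output cannot tell which fired; folding them into a single matcher would be cleaner.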
@@ -319,12 +353,14 @@ dns: - zopim.com - type: word + part: answer name: imperva words: - incapdns.net - incapsula.com - type: word + part: answer name: proofpoint words: - infoprtct.com @@ -334,6 +370,7 @@ dns: - proofpoint.com - type: word + part: answer name: q4-investor-relations words: - q4inc.com @@ -341,6 +378,7 @@ dns: - q4web.com - type: word + part: answer name: google-hosted words: - appspot.com @@ -354,11 +392,13 @@ dns: - run.app - type: word + part: answer name: wp-engine words: - wpengine.com - type: word + part: answer name: github words: - github.com @@ -366,26 +406,31 @@ dns: - githubusercontent.com - type: word + part: answer name: ghost words: - ghost.io - type: word + part: answer name: digital-ocean words: - ondigitalocean.app - type: word + part: answer name: typedream words: - ontypedream.com - type: word + part: answer name: oracle-eloqua-marketing words: - hs.eloqua.com - type: regex + part: answer regex: - - "IN\tCNAME" - - "IN\\s*CNAME" + - "IN\tCNAME\\t(.+)$" + - "IN\\s*CNAME\\t(.+)$" diff --git a/dns/dns-waf-detect.yaml b/dns/dns-waf-detect.yaml index 02c447486f1..710ca1d46e6 100644 --- a/dns/dns-waf-detect.yaml +++ b/dns/dns-waf-detect.yaml @@ -20,54 +20,64 @@ dns: matchers: - type: word + part: answer name: sanfor-shield words: - ".sangfordns.com" - type: word + part: answer name: 360panyun words: - ".360panyun.com" - type: word + part: answer name: baiduyun words: - ".yunjiasu-cdn.net" - type: word + part: answer name: chuangyudun words: - ".365cyd.cn" - ".cyudun.net" - type: word + part: answer name: knownsec words: - ".jiashule.com" - ".jiasule.org" - type: word + part: answer name: huaweicloud words: - ".huaweicloudwaf.com" - type: word + part: answer name: xinliuyun words: - ".ngaagslb.cn" - type: word + part: answer name: chinacache words: - ".chinacache.net" - ".ccgslb.net" - type: word + part: answer name: nscloudwaf words: - ".nscloudwaf.com" - type: word + part: answer name: wangsu words: - ".wsssec.com" 
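Review bot: The unnamed catch-all regex matcher at the end of the list (`"IN\tCNAME\\t(.+)$"`) sits under the `matchers-condition: or` shown earlier in this file, so the template matches any host whose answer contains a CNAME at all, whether or not it points at one of the named providers; the old `IN\tCNAME` pattern did the same, but rewriting it is the moment to decide whether that is intended. If it is, give it a `name:` (e.g. `name: cname`) so a generic hit is distinguishable from a provider hit in output; if not, remove it. Of the two patterns, `"IN\\s*CNAME\\t(.+)$"` already covers everything the first matches (`\s*` accepts the single tab), and `$` is end-of-text in Go regexp unless `(?m)` is set, so `- "IN\\s*CNAME\\t(.+)"` alone would do.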
@@ -85,17 +95,20 @@ dns: - ".mwcloudcdn.com" - type: word + part: answer name: qianxin words: - ".360safedns.com" - ".360cloudwaf.com" - type: word + part: answer name: baiduyunjiasu words: - ".yunjiasu-cdn.net" - type: word + part: answer name: anquanbao words: - ".anquanbao.net" @@ -114,58 +127,69 @@ dns: - '\.aliyundunwaf\.com' - type: word + part: answer name: xuanwudun words: - ".saaswaf.com" - ".dbappwaf.cn" - type: word + part: answer name: yundun words: - ".hwwsdns.cn" - ".yunduncname.com" - type: word + part: answer name: knownsec-ns words: - ".jiasule.net" - type: word + part: answer name: chuangyudun words: - ".365cyd.net" - type: word + part: answer name: qianxin words: - ".360wzb.com" - type: word + part: answer name: anquanbao words: - ".anquanbao.com" - type: word + part: answer name: wangsu words: - ".chinanetcenter.com" - type: word + part: answer name: baiduyunjiasue words: - ".ns.yunjiasu.com" - type: word + part: answer name: chinacache words: - ".chinacache.com" - type: word + part: answer name: cloudflare words: - "ns.cloudflare.com" - type: word + part: answer name: edns words: - ".iidns.com" \ No newline at end of file diff --git a/dns/dnssec-detection.yaml b/dns/dnssec-detection.yaml index f9007a6eb58..9c85f26c5c9 100644 --- a/dns/dnssec-detection.yaml +++ b/dns/dnssec-detection.yaml @@ -20,5 +20,6 @@ dns: matchers: - type: regex + part: answer regex: - - "IN\tDS\t(.+)" \ No newline at end of file + - "IN\tDS\\t(.+)$" \ No newline at end of file diff --git a/dns/elasticbeanstalk-takeover.yaml b/dns/elasticbeanstalk-takeover.yaml index 3e4af216b61..336a08f87ea 100644 --- a/dns/elasticbeanstalk-takeover.yaml +++ b/dns/elasticbeanstalk-takeover.yaml @@ -42,7 +42,6 @@ dns: - NXDOMAIN extractors: - - type: regex - group: 1 - regex: - - "IN\tCNAME\t(.+)" + - type: dsl + dsl: + - cname diff --git a/dns/mx-fingerprint.yaml b/dns/mx-fingerprint.yaml index 24808c1e147..a207076ae04 100644 --- a/dns/mx-fingerprint.yaml +++ b/dns/mx-fingerprint.yaml 
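Review bot: While every matcher in dns-waf-detect is being touched, the duplicate `name:` values could be consolidated: `chuangyudun`, `qianxin`, `anquanbao`, `wangsu` and `chinacache` each appear twice in this file with different `words:`, `.yunjiasu-cdn.net` is listed under both `baiduyun` and `baiduyunjiasu`, and `baiduyunjiasue` in this hunk looks like a typo for the `baiduyunjiasu` matcher in the previous one. Because `name` is what nuclei reports as the matched vendor, the duplicates add noise without adding detection; merging each pair into one `words:` list (e.g. `name: chinacache` with `.chinacache.net`, `.ccgslb.net`, `.chinacache.com`) keeps output unambiguous. These are pre-existing, but the `part: answer` sweep is the natural time to fix them.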
@@ -19,9 +19,10 @@ dns: type: MX matchers: - - type: word - words: - - "IN\tMX" + - type: regex + part: answer + regex: + - "IN\tMX\\t(.+)$" extractors: - type: regex diff --git a/dns/nameserver-fingerprint.yaml b/dns/nameserver-fingerprint.yaml index d08362e0bd0..01884975e3c 100644 --- a/dns/nameserver-fingerprint.yaml +++ b/dns/nameserver-fingerprint.yaml @@ -16,9 +16,10 @@ dns: type: NS matchers: - - type: word - words: - - "IN\tNS" + - type: regex + part: answer + regex: + - "IN\tNS\\t(.+)$" extractors: - type: regex diff --git a/dns/ptr-fingerprint.yaml b/dns/ptr-fingerprint.yaml index 08613645011..e562d62f1e2 100644 --- a/dns/ptr-fingerprint.yaml +++ b/dns/ptr-fingerprint.yaml @@ -16,12 +16,12 @@ dns: type: PTR matchers: - - type: word - words: - - "IN\tPTR" - - extractors: - type: regex - group: 1 + part: answer regex: - - "IN\tPTR\t(.+)" \ No newline at end of file + - "IN\tPTR\\t(.+)$" + + extractors: + - type: dsl + dsl: + - ptr \ No newline at end of file diff --git a/dns/txt-fingerprint.yaml b/dns/txt-fingerprint.yaml index 02e5f127007..382e3e5f617 100644 --- a/dns/txt-fingerprint.yaml +++ b/dns/txt-fingerprint.yaml @@ -18,9 +18,10 @@ dns: type: TXT matchers: - - type: word - words: - - "IN\tTXT" + - type: regex + part: answer + regex: + - "IN\tTXT\\t(.+)$" extractors: - type: regex From b20a9f11242c02baf975a1e8d62e9da1ea0cedc1 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 29 Sep 2023 20:46:48 +0530 Subject: [PATCH 2/2] misc fixes --- dns/ptr-fingerprint.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dns/ptr-fingerprint.yaml b/dns/ptr-fingerprint.yaml index e562d62f1e2..6de14779436 100644 --- a/dns/ptr-fingerprint.yaml +++ b/dns/ptr-fingerprint.yaml @@ -22,6 +22,7 @@ dns: - "IN\tPTR\\t(.+)$" extractors: - - type: dsl - dsl: - - ptr \ No newline at end of file + - type: regex + group: 1 + regex: + - "IN\tPTR\t(.+)" \ No newline at end of file
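Review bot: After the revert in PATCH 2/2, ptr-fingerprint's extractor `"IN\tPTR\t(.+)"` no longer agrees with the matcher directly above it (`"IN\tPTR\\t(.+)$"` with `part: answer`): it has no `part:` and so runs over the raw response rather than the answer section, it uses a YAML-expanded tab where the matcher uses a regex `\t`, and it drops the `$`. Both forms match the same bytes today, but the drift will confuse the next edit; I would give the extractor `part: answer` and the matching pattern `- "IN\\tPTR\\t(.+)"` (and keep it without `$`, which is end-of-text in Go regexp and would limit capture to the last record). If the `ptr` DSL variable being removed here is unavailable in the targeted nuclei version, a one-line `# ptr dsl variable not available; keep regex extractor` comment would stop someone re-introducing it.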