Added openweather, opsgenie, pagerduty, particle.io, pastebin, and paypal rules

This commit is contained in:
Mick Grove 2025-06-25 16:28:34 -07:00
commit 627f8a8ff6
6 changed files with 272 additions and 0 deletions


@ -0,0 +1,37 @@
rules:
- name: OpenWeather Map API Key
id: kingfisher.openweather.1
pattern: |
(?xi)
(?:pyowm|openweather|\bowm\b)
(?:.|[\n\r]){0,64}?
\b
(
(?:
[a-z0-9]{32}
)
\b
|APPID=
(?:
[a-z0-9]{32}
)
)
\b
min_entropy: 3.5
examples:
- pyowm = '3k144a5af729351d0fc58bdrj9a21mkr'
- owm = '3k144a5af729351d0fc58bdrj9a21mkr'
- openweatherapikey=cd2b1d12d01ae2deffecfebafcc3c31d
- apikey=openweather:cd2b1d12d01ae2deffecfebafcc3c31d
validation:
type: Http
content:
request:
method: GET
response_matcher:
- report_response: true
- match_all_status: true
status:
- 200
type: StatusMatch
url: https://api.openweathermap.org/geo/1.0/reverse?lat=0&lon=0&limit=1&appid={{ TOKEN }}
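Review bot: The capture group in the pattern spans both alternatives, so when the `APPID=` branch matches, the captured secret (and therefore `{{ TOKEN }}` in the validation URL) is `APPID=<key>` rather than the key itself, and validation fails for exactly those findings. Move the prefix outside the group and keep a single class: `(?:APPID=)? \b ([a-z0-9]{32}) \b`, which preserves the first branch's behaviour. The response matcher as rendered here lists `- match_all_status: true`, `status:` / `- 200` and `type: StatusMatch` with the indentation lost; if those belong to one item, writing it as `- type: StatusMatch` followed by `status: [200]`, as the other rules in this commit do, makes that unambiguous. The rendered page also omits this file's path; the rule id suggests it is the openweather rule named in the title.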

32
data/rules/opsgenie.yml Normal file

@ -0,0 +1,32 @@
rules:
- name: OpsGenie API Key
id: kingfisher.opsgenie.1
pattern: |
(?x)
(?i)
\b
opsgenie
(?:.|[\\n\r]){0,32}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
)
min_entropy: 3.5
examples:
- opsgenie_api_key = '12345678-9abc-def0-1234-56789abcdef0'
validation:
type: Http
content:
request:
headers:
Authorization: GenieKey {{ TOKEN }}
method: GET
url: https://api.opsgenie.com/v2/alerts
response_matcher:
- report_response: true
- type: WordMatch
words:
- "Could not authenticate"
negative: true
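Review bot: The first gap in the pattern, `(?:.|[\\n\r]){0,32}?`, escapes the backslash; inside a `|` block scalar that reaches the regex engine as a class of literal backslash, `n` and CR, so LF is not in it, and since `.` does not cross newlines without `s`, a line break between `opsgenie` and the keyword is not bridged — unlike the second gap, which correctly uses `[\n\r]`. Change it to `(?:.|[\n\r]){0,32}?`. The separate `(?x)` and `(?i)` lines could be collapsed to `(?xi)` to match the other rules in this commit. The validator has only a negative `WordMatch`, so any response that does not contain `Could not authenticate` (including a 5xx or a changed error string) counts as valid; adding `- type: StatusMatch` with `status: [200]` as the pagerduty rule does would make it fail closed.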


@ -0,0 +1,36 @@
rules:
- name: PagerDuty API Key
id: kingfisher.pagerduty.1
pattern: |
(?xi)
\b
(?:pagerduty|pager[_-]duty|pd[-_\]=\)]|pd\.webhook?)
(?:.|[\n\r]){0,16}?
(
u\+[A-Z0-9_+-]{18} # new personal tokens
|
[A-Z0-9_-]{20} # legacy personal tokens
|
[A-F0-9]{32} # integration keys / routing keys
)
\b
min_entropy: 3.3
confidence: medium
examples:
- pagerduty_key = u+Lyhd2_N2MCy+ZoH-S5
- pd_key = u+3xVszZ-b4m+T6d23KA
validation:
type: Http
content:
request:
method: GET
url: https://api.pagerduty.com/abilities
headers:
Authorization: Token token={{ TOKEN }}
Accept: application/vnd.pagerduty+json;version=2
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: WordMatch
words: ['"abilities":']
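Review bot: The third alternative in the capture, `[A-F0-9]{32}` commented as integration/routing keys, cannot be confirmed by this validator: `GET /abilities` with `Authorization: Token token=` takes REST API tokens, and as far as I know integration keys are only accepted as a `routing_key` by the Events API, so every match from that branch will fail validation. Consider splitting it into its own rule without this validator (or with `visible: false` like `kingfisher.paypal.1` in this commit), or at least documenting in the rule that only the first two branches are validated, e.g. `# integration keys are not REST tokens; validation below applies to personal tokens only`. Separately, `(?i)` makes `u\+` also match `U+`, and `[A-Z0-9_-]{20}` covers any 20-character identifier following a `pd_`/`pagerduty` prefix, so `min_entropy: 3.3` is carrying most of the false-positive filtering here.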


@ -0,0 +1,74 @@
rules:
- name: particle.io Access Token
id: kingfisher.particleio.1
pattern: |
(?x)
https://api\.particle\.io/v1/[a-zA-Z0-9_\-\s/"\\?]*
(?:access_token=|Authorization:\s*Bearer\s*)
\b
([a-zA-Z0-9]{40})
\b
min_entropy: 3.3
confidence: medium
examples:
- |
curl https://api.particle.io/v1/devices \
-H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55"
- |
curl https://api.particle.io/v1/devices \
-d access_token=38bb7b318cc6898c80317decb34525844bc9db55
- 'curl https://api.particle.io/v1/devices -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55"'
- 'curl https://api.particle.io/v1/devices -d access_token=38bb7b318cc6898c80317decb34525844bc9db55'
- 'curl "https://api.particle.io/v1/devices/events?access_token=38bb7b318cc6898c80317decb34525844bc9db55"'
- 'curl "https://api.particle.io/v1/access_tokens/current?access_token=38bb7b318cc6898c80317decb34525844bc9db55"'
references:
- https://docs.particle.io/reference/cloud-apis/api/
validation:
type: Http
content:
request:
method: GET
url: https://api.particle.io/v1/user?access_token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: WordMatch
match_all_words: true
words: ['"username":']
- name: particle.io Access Token
id: kingfisher.particleio.2
pattern: |
(?x)
(?:access_token=|Authorization:\s*Bearer\s*)
\b
([a-zA-Z0-9]{40})
\b
[\s"\\]*https://api\.particle\.io/v1
min_entropy: 3.3
confidence: medium
examples:
- |
curl -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55" \
https://api.particle.io/v1/devices
- |
curl -d access_token=38bb7b318cc6898c80317decb34525844bc9db55 \
https://api.particle.io/v1/devices
- 'curl -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55" https://api.particle.io/v1/devices'
- 'curl -d access_token=38bb7b318cc6898c80317decb34525844bc9db55 https://api.particle.io/v1/devices'
references:
- https://docs.particle.io/reference/cloud-apis/api/
validation:
type: Http
content:
request:
method: GET
url: https://api.particle.io/v1/user?access_token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: WordMatch
match_all_words: true
words: ['"username":']
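Review bot: Both rules carry the identical `name: particle.io Access Token`, so findings from `kingfisher.particleio.1` and `kingfisher.particleio.2` are indistinguishable wherever output shows names rather than ids; give them distinct names such as `particle.io Access Token (URL before token)` and `particle.io Access Token (token before URL)`. The URL prefix in the first pattern, `[a-zA-Z0-9_\-\s/"\\?]*`, is unbounded and includes whitespace and quotes, so in a file with many `api.particle.io/v1/` references it can scan a long way and backtrack before reaching the `access_token=`/`Bearer` check; a bounded quantifier like `{0,128}` would match how the other rules in this commit cap their gaps. The file header says 74 added lines but 73 are visible here, presumably a blank separator between the two rules.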

37
data/rules/pastebin.yml Normal file

@ -0,0 +1,37 @@
rules:
- name: Pastebin API Key
id: kingfisher.pastebin.1
pattern: |
(?xi)
\b
pastebin
(?:.|[\n\r]){0,32}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[a-zA-Z0-9_]{32}
)
\b
min_entropy: 3.5
confidence: medium
examples:
- pastebin_key=zwD26NeyMCvBsR9nxfaybLHD7TcLh22O
- pastebin_api_token=zwD26NeyMCvBsR9n_faybLHD7TcLh22O
validation:
type: Http
content:
request:
method: POST
url: https://pastebin.com/api/api_login.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
api_dev_key={{ TOKEN }}&api_user_name=dummy&api_user_password=dummy
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: WordMatch
words: ['invalid api_dev_key']
negative: true
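Review bot: `body: |` keeps the block scalar's trailing newline, so the form body sent to `api_login.php` ends in `\n` after `api_user_password=dummy`; most form decoders tolerate it, but it is not what the rule intends, and `kingfisher.paypal.2` in this same commit has the same issue in its `Authorization: |` header, where a trailing newline in a header value is rejected outright by many HTTP clients. Use `|-` in both places, or the plain-scalar form this commit already uses for `body: grant_type=client_credentials`. The validator is only a negative `WordMatch` on `invalid api_dev_key` (plus 200), so if Pastebin ever rewords that error every candidate validates; pairing it with a positive match on the wording the API returns for a valid dev key with bad user credentials would make the check fail closed.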

56
data/rules/paypal.yml Normal file

@ -0,0 +1,56 @@
rules:
- name: PayPal OAuth Client ID
id: kingfisher.paypal.1
pattern: |
(?xi)
paypal
(?:.|[\n\r]){0,8}?
(?:CLIENT|ID|USER)
(?:.|[\n\r]){0,16}?
\b
(
A[A-Z0-9_-]{79,99}
)
\b
min_entropy: 3.5
visible: false
examples:
- paypal_client_id=AZJ6y8Dpr1TYbqAIdhkPzyhjXoY6m8GplL7C3zZ3lPrkTIdhkPzyhjXo_Dx3
- name: PayPal OAuth Secret
id: kingfisher.paypal.2
pattern: |
(?xi)
paypal
(?:.|[\n\r]){0,16}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,32}?
\b
(
[A-Z0-9_.-]{80,120}
)
\b
min_entropy: 3.5
examples:
- paypal_secret=EDe5J6y8Dpr1TYbqAIdhkPzyhjXoY6m8GplL7C3zZ3lPrkT1XlV6hYPSeJL5b1T1
validation:
type: Http
content:
request:
method: POST
url: https://api-m.paypal.com/v1/oauth2/token
headers:
Accept: application/json
Accept-Language: en_US
Content-Type: application/x-www-form-urlencoded
Authorization: |
Basic {{ CLIENTID | append: ':' | append: TOKEN | b64enc }}
body: grant_type=client_credentials
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
depends_on_rule:
- rule_id: kingfisher.paypal.1
variable: CLIENTID
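Review bot: The examples do not match their own patterns as rendered: the client-id example is 60 characters where `A[A-Z0-9_-]{79,99}` requires 80–100, and the secret example is 64 characters where `[A-Z0-9_.-]{80,120}` requires at least 80, so if the engine checks examples against patterns both rules fail, and if it does not, the examples give no evidence the patterns work. As far as I know live PayPal REST client ids and secrets are 80 characters, which is presumably why the minimum is 80, so lengthening the samples to 80 characters fixes it. `Authorization: |` keeps a trailing newline on the header value; use `|-` or a single line, `Authorization: Basic {{ CLIENTID | append: ':' | append: TOKEN | b64enc }}`. The secret class also covers a client id that happens to sit within 32 characters of a `KEY`/`TOKEN` keyword, so a client id can be re-reported as a secret; a short comment on the overlap would help whoever triages the output. Two of the 56 added lines are not visible in this rendering, presumably blank separators, so the section may extend slightly beyond what is shown.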