From 627f8a8ff6d9bd420b487dab04429e3fa82b30b0 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Wed, 25 Jun 2025 16:28:34 -0700
Subject: [PATCH] Added openweather, opsgeneie, pagerduty, particle.io, psatebin, and paypal rules
---
data/rules/openweather.yml | 37 +++++++++++++++++
data/rules/opsgenie.yml | 32 +++++++++++++++
data/rules/pagerdutyapikey.yml | 36 +++++++++++++++++
data/rules/particle.io.yml | 74 ++++++++++++++++++++++++++++++++++
data/rules/pastebin.yml | 37 +++++++++++++++++
data/rules/paypal.yml | 56 +++++++++++++++++++++++++
6 files changed, 272 insertions(+)
create mode 100644 data/rules/openweather.yml
create mode 100644 data/rules/opsgenie.yml
create mode 100644 data/rules/pagerdutyapikey.yml
create mode 100644 data/rules/particle.io.yml
create mode 100644 data/rules/pastebin.yml
create mode 100644 data/rules/paypal.yml
diff --git a/data/rules/openweather.yml b/data/rules/openweather.yml
new file mode 100644
index 0000000..2153e64
--- /dev/null
+++ b/data/rules/openweather.yml
@@ -0,0 +1,37 @@
+rules:
+ - name: OpenWeather Map API Key
+ id: kingfisher.openweather.1
+ pattern: |
+ (?xi)
+ (?:pyowm|openweather|\bowm\b)
+ (?:.|[\n\r]){0,64}?
+ \b
+ (
+ (?:
+ [a-z0-9]{32}
+ )
+ \b
+ |APPID=
+ (?:
+ [a-z0-9]{32}
+ )
+ )
+ \b
+ min_entropy: 3.5
+ examples:
+ - pyowm = '3k144a5af729351d0fc58bdrj9a21mkr'
+ - owm = '3k144a5af729351d0fc58bdrj9a21mkr'
+ - openweatherapikey=cd2b1d12d01ae2deffecfebafcc3c31d
+ - apikey=openweather:cd2b1d12d01ae2deffecfebafcc3c31d
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ response_matcher:
+ - report_response: true
+ - match_all_status: true
+ status:
+ - 200
+ type: StatusMatch
+ url: https://api.openweathermap.org/geo/1.0/reverse?lat=0&lon=0&limit=1&appid={{ TOKEN }}
\ No newline at end of file
diff --git a/data/rules/opsgenie.yml b/data/rules/opsgenie.yml
new file mode 100644
index 0000000..fafef06
--- /dev/null
+++ b/data/rules/opsgenie.yml
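Review bot: In the capture group of the pattern, the second alternative `|APPID= (?: [a-z0-9]{32} )` sits inside group 1, so a match through that branch captures `APPID=` together with the key, and `{{ TOKEN }}` in the validation url then presumably expands to `appid=APPID=<key>`, which can never verify. The lazy gap `(?:.|[\n\r]){0,64}?` already spans an `APPID=` prefix, so the alternation adds nothing the first branch does not cover; collapse the group to `\b ([a-z0-9]{32}) \b`. This is also the only rule in the patch without a `confidence:` field; if the loader defaults it, stating it explicitly would keep the six files uniform.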
@@ -0,0 +1,32 @@
+rules:
+ - name: OpsGenie API Key
+ id: kingfisher.opsgenie.1
+ pattern: |
+ (?x)
+ (?i)
+ \b
+ opsgenie
+ (?:.|[\\n\r]){0,32}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ \b
+ (
+ [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+ )
+ min_entropy: 3.5
+ examples:
+ - opsgenie_api_key = '12345678-9abc-def0-1234-56789abcdef0'
+ validation:
+ type: Http
+ content:
+ request:
+ headers:
+ Authorization: GenieKey {{ TOKEN }}
+ method: GET
+ url: https://api.opsgenie.com/v2/alerts
+ response_matcher:
+ - report_response: true
+ - type: WordMatch
+ words:
+ - "Could not authenticate"
+ negative: true
diff --git a/data/rules/pagerdutyapikey.yml b/data/rules/pagerdutyapikey.yml
new file mode 100644
index 0000000..be4b24f
--- /dev/null
+++ b/data/rules/pagerdutyapikey.yml
@@ -0,0 +1,36 @@
+rules:
+ - name: PagerDuty API Key
+ id: kingfisher.pagerduty.1
+ pattern: |
+ (?xi)
+ \b
+ (?:pagerduty|pager[_-]duty|pd[-_\]=\)]|pd\.webhook?)
+ (?:.|[\n\r]){0,16}?
+ (
+ u\+[A-Z0-9_+-]{18} # new personal tokens
+ |
+ [A-Z0-9_-]{20} # legacy personal tokens
+ |
+ [A-F0-9]{32} # integration keys / routing keys
+ )
+ \b
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - pagerduty_key = u+Lyhd2_N2MCy+ZoH-S5
+ - pd_key = u+3xVszZ-b4m+T6d23KA
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://api.pagerduty.com/abilities
+ headers:
+ Authorization: Token token={{ TOKEN }}
+ Accept: application/vnd.pagerduty+json;version=2
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words: ['"abilities":']
\ No newline at end of file
diff --git a/data/rules/particle.io.yml b/data/rules/particle.io.yml
new file mode 100644
index 0000000..8237ebd
--- /dev/null
+++ b/data/rules/particle.io.yml
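Review bot: The first gap `(?:.|[\\n\r]){0,32}?` escapes the backslash, so inside the `|` literal block the character class holds a literal backslash and the letter `n` rather than a line feed; with `.` not matching newlines, the span between `opsgenie` and the keyword cannot cross a LF, unlike the second gap `(?:.|[\n\r]){0,32}?` two lines below and the sibling rules in this patch. Change it to `(?:.|[\n\r]){0,32}?`. Separately, the response matcher is only a negative `WordMatch` on "Could not authenticate" with no status check, so as I read it any response lacking that phrase — a 429, a 5xx, an HTML error page — reports the key as live; add `- type: StatusMatch` / `status: [200]` the way the PagerDuty and Pastebin rules do.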
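Review bot: The capture group follows the gap `(?:.|[\n\r]){0,16}?` with no `\b`, so the `[A-Z0-9_-]{20}` alternative can begin in the middle of an identifier — e.g. the last twenty characters of a long variable name after `pagerduty_` — and, subject only to the entropy filter, be captured as a token; add a `\b` line before the opening `(`, mirroring the `\b` already placed before the prefix alternation. The closing `\b` after the group also rejects a `u+` token whose final character is `+` or `-`, both of which `[A-Z0-9_+-]{18}` admits, because `\b` needs a word character on one side; `(?![A-Z0-9_+-])` ends the match without that restriction. Note that under `(?xi)` the `[A-F0-9]{32}` alternative also matches lowercase hex, which looks intended but is worth saying in the trailing comment.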
@@ -0,0 +1,74 @@
+rules:
+ - name: particle.io Access Token
+ id: kingfisher.particleio.1
+ pattern: |
+ (?x)
+ https://api\.particle\.io/v1/[a-zA-Z0-9_\-\s/"\\?]*
+ (?:access_token=|Authorization:\s*Bearer\s*)
+ \b
+ ([a-zA-Z0-9]{40})
+ \b
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ curl https://api.particle.io/v1/devices \
+ -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55"
+ - |
+ curl https://api.particle.io/v1/devices \
+ -d access_token=38bb7b318cc6898c80317decb34525844bc9db55
+ - 'curl https://api.particle.io/v1/devices -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55"'
+ - 'curl https://api.particle.io/v1/devices -d access_token=38bb7b318cc6898c80317decb34525844bc9db55'
+ - 'curl "https://api.particle.io/v1/devices/events?access_token=38bb7b318cc6898c80317decb34525844bc9db55"'
+ - 'curl "https://api.particle.io/v1/access_tokens/current?access_token=38bb7b318cc6898c80317decb34525844bc9db55"'
+ references:
+ - https://docs.particle.io/reference/cloud-apis/api/
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://api.particle.io/v1/user?access_token={{ TOKEN }}
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ match_all_words: true
+ words: ['"username":']
+
+ - name: particle.io Access Token
+ id: kingfisher.particleio.2
+ pattern: |
+ (?x)
+ (?:access_token=|Authorization:\s*Bearer\s*)
+ \b
+ ([a-zA-Z0-9]{40})
+ \b
+ [\s"\\]*https://api\.particle\.io/v1
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ curl -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55" \
+ https://api.particle.io/v1/devices
+ - |
+ curl -d access_token=38bb7b318cc6898c80317decb34525844bc9db55 \
+ https://api.particle.io/v1/devices
+ - 'curl -H "Authorization: Bearer 38bb7b318cc6898c80317decb34525844bc9db55" https://api.particle.io/v1/devices'
+ - 'curl -d access_token=38bb7b318cc6898c80317decb34525844bc9db55 
https://api.particle.io/v1/devices'
+ references:
+ - https://docs.particle.io/reference/cloud-apis/api/
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://api.particle.io/v1/user?access_token={{ TOKEN }}
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ match_all_words: true
+ words: ['"username":']
\ No newline at end of file
diff --git a/data/rules/pastebin.yml b/data/rules/pastebin.yml
new file mode 100644
index 0000000..26a55dd
--- /dev/null
+++ b/data/rules/pastebin.yml
@@ -0,0 +1,37 @@
+rules:
+ - name: Pastebin API Key
+ id: kingfisher.pastebin.1
+ pattern: |
+ (?xi)
+ \b
+ pastebin
+ (?:.|[\n\r]){0,32}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ \b
+ (
+ [a-zA-Z0-9_]{32}
+ )
+ \b
+ min_entropy: 3.5
+ confidence: medium
+ examples:
+ - pastebin_key=zwD26NeyMCvBsR9nxfaybLHD7TcLh22O
+ - pastebin_api_token=zwD26NeyMCvBsR9n_faybLHD7TcLh22O
+ validation:
+ type: Http
+ content:
+ request:
+ method: POST
+ url: https://pastebin.com/api/api_login.php
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ body: |
+ api_dev_key={{ TOKEN }}&api_user_name=dummy&api_user_password=dummy
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words: ['invalid api_dev_key']
+ negative: true
\ No newline at end of file
diff --git a/data/rules/paypal.yml b/data/rules/paypal.yml
new file mode 100644
index 0000000..2441a68
--- /dev/null
+++ b/data/rules/paypal.yml
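Review bot: Both validation requests in this file send the candidate token in the query string (`url: https://api.particle.io/v1/user?access_token={{ TOKEN }}`), where it lands in proxy and server access logs, while the rule's own examples show the same API accepting `Authorization: Bearer`; validate with `url: https://api.particle.io/v1/user` plus `headers:` / `Authorization: Bearer {{ TOKEN }}`, as the OpsGenie and PagerDuty rules in this patch already do with their headers. The two rules also carry the identical `name: particle.io Access Token`, so findings from `kingfisher.particleio.1` and `.2` are indistinguishable in a report; give the second a suffix such as `particle.io Access Token (token before URL)`.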
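Review bot: `body: |` is a clip-style literal block, so the form body is sent with a trailing newline and `api_user_password` arrives as `dummy` followed by a line feed; write `body: |-` (or a plain one-line scalar) so the encoded body ends at `dummy`. The same trailing newline reaches a header value through `Authorization: |` in paypal.yml, which is the riskier case since HTTP clients may reject or mangle a newline in a header; `Authorization: >-` there keeps the block-scalar protection for the leading `{{` while dropping the newline. The negative `WordMatch` on `invalid api_dev_key` is paired with a 200 check here, which is the right shape; a short comment above `response_matcher:` stating that any other 200 body (presumably the wrong-credentials error for a valid dev key) is deliberately counted as success would save the next reader the inference.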
@@ -0,0 +1,56 @@
+rules:
+- name: PayPal OAuth Client ID
+ id: kingfisher.paypal.1
+ pattern: |
+ (?xi)
+ paypal
+ (?:.|[\n\r]){0,8}?
+ (?:CLIENT|ID|USER)
+ (?:.|[\n\r]){0,16}?
+ \b
+ (
+ A[A-Z0-9_-]{79,99}
+ )
+ \b
+ min_entropy: 3.5
+ visible: false
+ examples:
+ - paypal_client_id=AZJ6y8Dpr1TYbqAIdhkPzyhjXoY6m8GplL7C3zZ3lPrkTIdhkPzyhjXo_Dx3
+
+- name: PayPal OAuth Secret
+ id: kingfisher.paypal.2
+ pattern: |
+ (?xi)
+ paypal
+ (?:.|[\n\r]){0,16}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ \b
+ (
+ [A-Z0-9_.-]{80,120}
+ )
+ \b
+ min_entropy: 3.5
+ examples:
+ - paypal_secret=EDe5J6y8Dpr1TYbqAIdhkPzyhjXoY6m8GplL7C3zZ3lPrkT1XlV6hYPSeJL5b1T1
+
+ validation:
+ type: Http
+ content:
+ request:
+ method: POST
+ url: https://api-m.paypal.com/v1/oauth2/token
+ headers:
+ Accept: application/json
+ Accept-Language: en_US
+ Content-Type: application/x-www-form-urlencoded
+ Authorization: |
+ Basic {{ CLIENTID | append: ':' | append: TOKEN | b64enc }}
+ body: grant_type=client_credentials
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ depends_on_rule:
+ - rule_id: kingfisher.paypal.1
+ variable: CLIENTID
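Review bot: The examples are shorter than their own patterns admit: `A[A-Z0-9_-]{79,99}` requires 80–100 characters but the client ID example after `paypal_client_id=` is 60 characters long, and `[A-Z0-9_.-]{80,120}` requires at least 80 but the secret example after `paypal_secret=` is 64, so neither example matches its rule and, if the loader asserts examples against patterns, both rules fail that check. Either lengthen the examples to the sizes the quantifiers expect or lower the minimums to what PayPal actually issues; the patch gives no length reference, so I cannot say which side is wrong. Style: this file alone places the sequence items at column 0 (`+- name:` directly under `rules:`) while the other five files indent them; pick one form for `data/rules/` (yamllint `indentation.indent-sequences`).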