added redis rule, modified from Titus project, and updated NOTICE file

Mick Grove 2026-02-24 12:44:24 -07:00
commit 71638cce47
2 changed files with 145 additions and 1 deletions

NOTICE

@ -3,7 +3,7 @@ NOTICE file corresponding to Section 4 (d) of the Apache License, Version 2.0
--------------------------------------------------------------------
Notices for Kingfisher
--------------------------------------------------------------------
Copyright 2025 MongoDB, Inc.
Copyright 2025-2026 MongoDB, Inc.
https://www.mongodb.com
Source repository: https://github.com/mongodb/kingfisher
@ -30,3 +30,29 @@ distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--------------------------------------------------------------------
Some detection rules:
* data/rules/redis.yml
are derived in part from Titus (https://github.com/praetorian-inc/titus),
which is licensed under the Apache License, Version 2.0.
Titus
Copyright 2026 Praetorian Security, Inc.
This product includes software developed at Praetorian Security, Inc.
(https://www.praetorian.com/).
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -0,0 +1,118 @@
rules:
- id: kingfisher.redis.1
name: Redis URI Connection String
# Hyperscan-compatible pattern (no lookbehind)
# Host supports hostnames, IPv4, and IPv6 in brackets
pattern: |
(?xi)
(?: redis | rediss | redis\+sentinel ) :// (?# URI scheme )
(?: (?P<username>[a-zA-Z0-9%;._~!$&'()*+,;=-]{1,}) (?# username - optional )
:
)?
(?P<password>[a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,}) (?# password - min 8 chars )
@ (?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]+)) (?: :(?P<port>\d{1,5}))? (?# host and optional port )
(?: / (?P<db>\d{1,2}))? (?# optional database number )
\b
pattern_requirements:
min_digits: 1
ignore_if_contains:
- "****"
- "xxxx"
- "example.com"
- "your_password"
- "your-password"
- "changeme"
- "replaceme"
- ":password@"
- ":secret@"
- "localhost"
- "127.0.0.1"
- "# redis"
- "// redis"
min_entropy: 3.0
confidence: medium
examples:
- 'REDIS_URL="redis://user:EXAMPLEp4ssw0rd123@cache.prod.internal:6379/0"'
- 'rediss://admin:TESTsecur3K3y456@redis.cache.internal:6380/1'
- 'redis+sentinel://default:SAMPLEr3d1sK3y789@sentinel.cluster.local:26379'
- 'redis://:oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=@gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net:10000'
- 'redis://default:MyP4ss@192.168.1.10:6379/2'
- 'rediss://:token123@[::1]:6380/0'
references:
- https://redis.io/docs/latest/develop/clients/redis-py/connect/
- https://redis.io/docs/latest/commands/auth/
- https://github.com/redis/redis-py/blob/master/redis/client.py
- id: kingfisher.redis.2
name: Python Redis Client Debug Output
# Hyperscan-compatible pattern (no lookahead)
# "None" filtering moved to ignore_if_contains
pattern: |
(?xi)
redis\.(?:client\.Redis|connection\.(?:Connection|SSLConnection|ConnectionPool)) (?# Python Redis class )
.*?
(?:password|passwd|pwd) (?# password key )
\s*=\s* (?# equals separator )
(?P<password>[a-zA-Z0-9+/=_-]{8,}) (?# password value )
(?:,|\s) (?# separator )
.*?
host\s*=\s* (?# host key )
(?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]+)) (?# host - hostname, IPv4, or IPv6 )
pattern_requirements:
min_digits: 1
ignore_if_contains:
- "password=None"
- "passwd=None"
- "pwd=None"
min_entropy: 3.0
confidence: medium
examples:
- '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.Connection(db=0,username=None,password=oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=,host=gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net,port=10000,...)>)>)>'
- '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.SSLConnection(db=0,password=EXAMPLEsecretKey123,host=redis-server.local,port=6379,...)>)>)>'
references:
- https://github.com/redis/redis-py
- https://redis.readthedocs.io/en/stable/connections.html
- id: kingfisher.redis.3
name: Redis Password (Standalone Config)
# Detects REDIS_PASSWORD, redis_password, redis.password etc. in env vars and config files
pattern: |
(?xi)
\b
(?:REDIS|redis)
[-_.]?
(?:PASSWORD|PASS|PASSWD|AUTH|SECRET|TOKEN)
\b
(?:.|[\n\r]){0,24}?
[=:\s]+
['"]?
(?P<password>[a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,})
['"]?
pattern_requirements:
min_digits: 1
ignore_if_contains:
- "****"
- "xxxx"
- "your_password"
- "changeme"
- "replaceme"
- "example.com"
- "localhost"
min_entropy: 3.0
confidence: medium
examples:
- 'REDIS_PASSWORD="EXAMPLEp4ssw0rd123"'
- 'redis_password=MyS3cur3R3d1sK3y'
- "config.redis.auth = 'secretT0ken456'"
- 'REDIS_AUTH: "aB3cD4eF5gH6iJ7kL8"'
references:
- https://redis.io/docs/latest/commands/auth/
- https://redis.io/docs/latest/operate/oss_and_stack/management/security/
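Review bot: In kingfisher.redis.3 the `(?P<password>...)` class still contains the delimiters `'`, `(`, `)`, `,` and `;`, so on the rule's own example `config.redis.auth = 'secretT0ken456'` the capture is `secretT0ken456'` with the closing quote absorbed (the trailing `['"]?` then matches nothing), which will skew anything downstream that fingerprints or validates the captured value. The `[=:\s]+` separator also spans line breaks, so an empty assignment such as `REDIS_PASSWORD=` followed by `REDIS_PORT=6379` on the next line matches with `REDIS_PORT=6379` captured as the password: it contains a digit and its character entropy is likely well above the 3.0 floor, so the finding would not be filtered. I assume the 24-character window is meant to reach `name: REDIS_PASSWORD` / `value:` pairs across lines, which still works if only the separator is kept on one line: `(?:[ \t]*[=:][ \t]*|[ \t]+)` in place of `[=:\s]+`, and `(?P<password>[a-zA-Z0-9%._~!$&*+/=-]{8,})` for the capture. If the rule format supports negative examples, the two-line `REDIS_PASSWORD=` / `REDIS_PORT=6379` case would be worth pinning as one.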