Added rules for twitter, wireguard, onepassword, droneci

data/rules/droneci.yml

@@ -0,0 +1,42 @@
+rules:
+  - name: DroneCI Access Token
+    id:   kingfisher.drone.1
+    pattern: |
+      (?xi)
+      \b                                    
+      (?:drone|droneci|drone[_-])
+      (?:.|[\n\r]){0,16}?
+      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+      (?:.|[\n\r]){0,16}?
+      \b
+      (                                                  
+        ey[A-Za-z0-9_-]{30,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}  
+        |
+        [a-f0-9]{32,64}                                   
+      )
+      \b
+    min_entropy: 3.5
+    confidence: medium
+    examples:
+      - export DRONE_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZGVtbyJ9.GEPa7kCDdw4nruBKgLkQF1EGMZVvJ1kM4sMp9p8a1x4
+      - drone_token = fe8c402a51e6629aa1f43a4234afee81
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://cloud.drone.io/api/user
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              words: ['"email"']         
+              match_all_words: true
+    references:
+      - https://docs.drone.io/api/overview/           
+      - https://0-8-0.docs.drone.io/api-authentication/ 
+      - https://docs.drone.io/server/user/machine/    

data/rules/odbc.yml

@@ -28,43 +28,6 @@ rules:
         adoConn.Open("Provider=SQLOLEDB.1;User ID=specialbill_user; " & "Password =specialbill_user;Initial Catalog=SpecialBill_PROD;Data Source=uszdba01;")
       - |
         "driver={SQL Server};server=(#{datastore['DBHOST']});database=#{datastore['DBNAME']};uid=#{datastore['DBUID']};pwd=#{datastore['DBPASSWORD']}"
-    negative_examples:
-      - 'def login(self, user = "", password = "", domain = ""):'
-      - |
-        if datastore['VERBOSE']
-          text  = ''
-          text << "User=#{username}, "
-          text << "Password=#{password}, "
-          text << "Domain=#{domain}, "
-          text << "Full Name=#{full_name}, "
-          text << "E-mail=#{e_mail}"
-          print_good(text)
-      - |
-        if (len < ulen + wlen + 2)
-          break;
-        user = (char *) (p + 1);
-        pwd = (char *) (p + ulen + 2);
-        p += ulen + wlen + 2;
-      - |
-        /* Set default values */
-        server = xmalloc(sizeof(*server));
-        server->user = "anonymous";
-        server->password = "busybox@";
-      - |
-        System.out.println("Here we go...");
-        String url = "jdbc:msf:sql://127.0.0.1:8080/sample";
-        String userid = "userid";
-        String password = "password";
-      - |
-        char *domain = NULL;
-        char *user = NULL;
-        char *password = NULL;
-      - |
-        <?php
-        \$user = \$_POST["username"];
-        \$pwd = \$_POST["password"];
-        \$otherdata = \$_POST["otherdata"];
-        ?>
     references:
       - https://docs.aws.amazon.com/redshift/latest/mgmt/configure-odbc-connection.html
       - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/api/connection-strings/kusto

data/rules/onepassword.yml

@@ -0,0 +1,53 @@
+rules:
+  - name: 1Password Service-Account Token
+    id: kingfisher.1password.2
+    pattern: |
+      (?xi)
+      \b
+      (
+        ops_eyj[A-Za-z0-9_-]{80,500}
+      )\b
+    min_entropy: 4.0
+    confidence: medium
+    examples:
+      - export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJzaWduSW5BZGRyZXNzIjoibXkuMXBhc3N3b3JkLmV1IiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6NjUwMDAwLCJzYWx0IjoiUUNYYy1wTDUtakdCaDlTVjFHb1lpUSJ9LCJlbWFpbCI6ImF2ZGxyZ3JramU3dm9AMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmV1Iiwic3JwWCI6IjExNjFkMmYwNTQ3NDgxNTBmOTEwOWMxZDEzYTllZjFiNGY0ZjZiYzhlNTFlNWZkMWI5NmI5ZjQwZjY3NWEyNTciLCJtdWsiOnsiYWxnIjoiQTI1Nkd1111111111
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://events.1password.com/api/v2/auth/introspect
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              words: ['"features"']
+              match_all_words: true
+    references:
+      - https://developer.1password.com/docs/service-accounts/security
+      - https://developer.1password.com/docs/service-accounts/get-started
+      - https://developer.1password.com/docs/cli/environment-variables
+      - https://developer.1password.com/docs/events-api/reference
+
+  - name: 1Password Account Secret Key
+    id:  kingfisher.1password.2
+    pattern: |
+      (?xi)
+      \b
+      (
+        A[0-9]-[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{5}(?:-[A-Z0-9]{5}){3}
+      )
+      \b
+    min_entropy: 3.8
+    confidence: medium
+    prevalidated: true
+    examples:
+      - A3-R69SQK-TZ9KPW-8MXYD-6W373-V7GHJ-EDJQW
+      - A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB
+    references:
+      - https://support.1password.com/secret-key-security/
+      - https://developer.1password.com/files/1password-white-paper.pdf

data/rules/twitter.yml

@@ -0,0 +1,38 @@
+rules:
+  - name: X / Twitter Bearer Token (App-only)
+    id:   kingfisher.twitter.bearer.1
+    pattern: |
+      (?xi)           
+      \b                       
+      (?:twitter|x.com|twtr)?
+      (?:.|[\n\r]){0,16}?
+      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+      (?:.|[\n\r]){0,16}?
+      \b
+      (                                      
+        A{10,}[A-Za-z0-9_\-]{40,200}         
+      )
+      \b
+    min_entropy: 4.0
+    confidence: medium
+    examples:
+      - Authorization: Bearer AAAAAAAAAAAAAAAAAAAAAAL6NcQAAAAABkCyZ4E5jEXAMPLE0wuJbhVN8
+      - TWITTER_BEARER="AAAAAAAAAAAAAAAAAAAAAAAYk9SClAAAAAAAfkwAAAABAAAAA"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.x.com/1.1/application/rate_limit_status.json
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              words: ['"rate_limit_context"']
+              match_all_words: true
+    references:
+      - https://developer.x.com/en/docs/x-api/v1/developer-utilities/rate-limit-status/api-reference/get-application-rate_limit_status

data/rules/wireguard.yml

@@ -0,0 +1,35 @@
+rules:
+  - name: WireGuard Private Key
+    id: kingfisher.wireguard.1
+    pattern: PrivateKey\s*=\s*([A-Za-z0-9+/]{43}=)
+    min_entropy: 3.3
+    confidence: medium
+    examples:
+      - |
+        [Interface]
+        Address = 10.200.200.3/32
+        PrivateKey = AsaFot43bfs1fEWjvtty+rGcjh3rP1H6sug1l3u19ix=
+        DNS = 8.8.8.8
+    references:
+      - https://www.wireguard.com/quickstart/
+      - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html
+      - https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd6
+    categories: [fuzzy, secret]
+
+  - name: WireGuard Preshared Key
+    id: kingfisher.wireguard.2
+    pattern: PresharedKey\s*=\s*([A-Za-z0-9+/]{43}=)
+    min_entropy: 3.3
+    confidence: medium
+    examples:
+      - |
+        [Peer]
+        PublicKey = [Server's public key]
+        PresharedKey = uRsfsZ2Ts1rach4Zv3hhwcx6wa5fuIo2u3w7sa+7j81=
+        AllowedIPs = 0.0.0.0/0, ::/0
+        Endpoint = [Server Addr:Server Port]
+    references:
+      - https://www.wireguard.com/quickstart/
+      - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html
+      - https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd6
+    categories: [fuzzy, secret]