Merge pull request #8 from PaperMtn/develop

Develop

.github/workflows/testing.yml

@@ -22,4 +22,6 @@ jobs:
       - name: Slack EG Tests
         run: python -m unittest tests/test_format_slack_eg.py
       - name: Slack STD Tests
-        run: python -m unittest tests/test_format_slack_std.py
+        run: python -m unittest tests/test_format_slack_std.py
+      - name: Stack Overflow Tests
+        run: python -m unittest tests/test_format_stack_overflow.py

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2024-04-26
+### Added
+- Signatures now support Stack Overflow Watchman
+  - Tests added for the new Stack Overflow Watchman format
+
 ## 2023-12-22
 ### Added
 - Added signatures for:

models/signature_stack_overflow.py

@@ -0,0 +1,69 @@
+import pathlib
+from dataclasses import dataclass
+
+import yaml
+
+
+@dataclass(slots=True)
+class Signature:
+    """ Class that handles loaded signature objects. Signatures
+    define what to search for in Stack Overflow and where to search for it.
+    They also contain regex patterns to validate data that is found"""
+
+    name: str
+    status: bool
+    author: str
+    date: str
+    version: str
+    description: str
+    severity: int
+    watchman_apps: list
+    scope: list
+    test_cases: dataclass
+    search_strings: str
+    patterns: str
+
+
+@dataclass(slots=True)
+class TestCases:
+    match_cases: list
+    fail_cases: list
+
+
+def load_from_yaml(sig_path: pathlib.PosixPath) -> list[Signature]:
+    """Load YAML file and return a Signature object
+
+    Args:
+        sig_path: Path of YAML file
+    Returns:
+        Signature object with fields populated from the YAML
+        signature file
+    """
+
+    with open(sig_path) as yaml_file:
+        yaml_import = yaml.safe_load(yaml_file)
+
+        output = []
+        for sig in yaml_import.get('signatures'):
+            if 'stack_overflow' in sig.get('watchman_apps'):
+                output.append(
+                    Signature(
+                        name=sig.get('name'),
+                        status=sig.get('status'),
+                        author=sig.get('author'),
+                        date=sig.get('date'),
+                        version=sig.get('version'),
+                        description=sig.get('description'),
+                        severity=sig.get('severity'),
+                        watchman_apps=sig.get('watchman_apps'),
+                        scope=sig.get('watchman_apps').get('stack_overflow').get('scope'),
+                        test_cases=TestCases(
+                            match_cases=sig.get('test_cases').get('match_cases'),
+                            fail_cases=sig.get('test_cases').get('fail_cases')
+                        ),
+                        search_strings=sig.get('watchman_apps').get('stack_overflow').get('search_strings'),
+                        patterns=sig.get('patterns')
+                    )
+                )
+
+    return output

signatures/tokens_and_credentials/akamai.yaml

@@ -11,6 +11,12 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - akab-
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/alibaba.yaml

@@ -1,6 +1,7 @@
 ---
 filename: alibaba.yaml
 signatures:
+
   - name: Alibaba IAM Access Key ID
     status: enabled
     author: PaperMtn
@@ -10,6 +11,12 @@ signatures:
     notes: null
     references: null
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - LTAI
       slack_std:
         category: secrets
         scope:
@@ -47,6 +54,7 @@ signatures:
         - accessKeyId=LAAIAAAZ5BhleEv7
     patterns:
       - LTAI[0-9a-zA-Z]{12,20}
+
   - name: Alibaba IAM Secret Access Key
     status: enabled
     author: PaperMtn
@@ -56,6 +64,12 @@ signatures:
     notes: null
     references: null
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - LTAI
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/aws.yaml

@@ -9,6 +9,14 @@ signatures:
     description: Detects exposed AWS API secret tokens
     severity: "90"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - aws_access_key_id
+          - aws_secret_access_key
+          - aws_session_token
       slack_std:
         category: secrets
         scope:
@@ -57,6 +65,14 @@ signatures:
     description: Detects S3 bucket URLs, a potential source of exposed data
     severity: "30"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - s3.amazonaws.com
+          - s3.console.aws.amazon.com
+          - s3://
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/azure.yaml

@@ -13,6 +13,12 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - ".cscfg"
       slack_std:
         category: secrets
         scope:
@@ -53,6 +59,14 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+            - login.microsoftonline.com
+            - management.azure
+            - management.core
       slack_std:
         category: secrets
         scope:
@@ -105,6 +119,15 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+            - questions
+            - answers
+        search_strings:
+            - azureProfile.json
+            - az.sess
+            - az.json
+            - clouds.configtelemetry.txt
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/cloudflare.yaml

@@ -11,6 +11,13 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - api.cloudflare.com
+          - cloudflare_
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/facebook.yaml

@@ -11,6 +11,15 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - graph.facebook.com
+          - facebook.com/dialog/oauth
+          - eaaced
+          - client_secret
       slack_std:
         category: secrets
         scope:
@@ -67,6 +76,15 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+            - graph.facebook.com
+            - facebook.com/dialog/oauth
+            - eaaced
+            - client_secret
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/ftp.yaml

@@ -9,6 +9,12 @@ signatures:
     description: Detects exposed FTP credentials
     severity: "90"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - ftp
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/generic_tokens.yaml

@@ -9,6 +9,12 @@ signatures:
     description: Detects exposed access_tokens
     severity: "70"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - access_token
       slack_std:
         category: secrets
         scope:
@@ -54,6 +60,12 @@ signatures:
     description: Detects exposed bearer tokens_and_credentials
     severity: "70"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - bearer
       slack_std:
         category: secrets
         scope:
@@ -101,6 +113,12 @@ signatures:
     description: Detects exposed client_secrets
     severity: "70"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - client_secret
       slack_std:
         category: secrets
         scope:
@@ -146,6 +164,12 @@ signatures:
     description: Detects exposed private_tokens
     severity: "70"
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - PRIVATE
       slack_std:
         category: secrets
         scope:
@@ -181,6 +205,12 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - x-api-key
       slack_std:
         category: secrets
         scope:
@@ -229,6 +259,12 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - x-auth-key
       slack_std:
         category: secrets
         scope:

signatures/tokens_and_credentials/github.yaml

@@ -11,6 +11,14 @@ signatures:
     notes:
     references:
     watchman_apps:
+      stack_overflow:
+        scope:
+          - questions
+          - answers
+        search_strings:
+          - api.github.com
+          - github.com/login/oauth/
+          - github access_token
       slack_std:
         category: secrets
         scope: