Merge pull request #521 from DataDog/s.obregoso/add_new_shady-links

Add shady links domains
DataDog · Jan 15, 2025 · d27a62e · d27a62e
2 parents ba19bb9 + c7f6e4d
commit d27a62e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -33,12 +33,12 @@ rules:
             # complete domains: shorteners
             - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly)\b)
             # complete domains: ephimerals,tunnels
-            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(workers\.dev|appdomain\.cloud|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net)|trycloudflare\.com)\b)
-            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|pipedream\.net|dnslog\.cn|ngrok-free\.(app|dev))\b)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(workers\.dev|appdomain\.cloud|ngrok\.io|termbin\.com|localhost\.run|webhook\.(site|cool)|oastify\.com|burpcollaborator\.(me|net)|trycloudflare\.com)\b)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|pipedream\.net|dnslog\.cn|webhook-test\.com|typedwebhook\.tools|beeceptor\.com|ngrok-free\.(app|dev))\b)
             # complete domains: exfil
-            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(discord\.com|transfer\.sh|filetransfer\.io|sendspace\.com|backblazeb2\.com|paste\.ee|pastebin\.com|api\.telegram\.org|rentry\.co)\b)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(discord\.com|transfer\.sh|filetransfer\.io|sendspace\.com|backblazeb2\.com|paste\.ee|pastebin\.com|hastebin\.com|ghostbin.site|api\.telegram\.org|rentry\.co)\b)
             # complete domains: intel 
-            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(ipinfo\.io)\b)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(ipinfo\.io|checkip\.dyndns\.org|\bip\.me|jsonip\.com|ipify\.org|ifconfig\.me)\b)
 
             # top-level domains
             - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)

diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
@@ -176,3 +176,11 @@ def f():
 def f():
     # ruleid: shady-links
     trackingUrl = "qkrfaniquihoswritqaqwbg5r4l072qp7.oast.fun/track"
+
+def f():
+    # ok: shady-links
+    trackingUrl = "someip.me/track"
+
+def f():
+    # ruleid: shady-links
+    trackingUrl = "https://ip.me/"