Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the shady-links rule to match IPs #303

Merged
merged 7 commits into from
Feb 9, 2024
Merged

Update the shady-links rule to match IPs #303

merged 7 commits into from
Feb 9, 2024

Conversation

Taiki-San
Copy link
Contributor

@Taiki-San Taiki-San commented Feb 8, 2024
edited
Loading

The shady-links rule try to match suspicious URLs. However, it's not looking for IPs although those are more discrete means to reach C2 instances. This PR add support to detect IPv4 & IPv6

zmallen
zmallen requested changes Feb 8, 2024
View reviewed changes
Copy link
Contributor

@zmallen zmallen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good find! Any chance we can add a unit test for this?

@Taiki-San Taiki-San requested a review from zmallen February 8, 2024 15:09
christophetd
christophetd reviewed Feb 8, 2024
View reviewed changes
tests/analyzer/sourcecode/shady-links.py Outdated
"""

# ruleid: shady-links
req = urllib3.Request("https://[email protected]", headers={"User-Agent": os})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you want to add a "simple" test? e.g. https://1.3.4.5/foo.exe)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://faker.readthedocs.io/en/master/providers/faker.providers.internet.html#faker.providers.internet.Provider.ipv4
helps too, but might be overkill :D

@christophetd christophetd merged commit ad81bca into main Feb 9, 2024
10 checks passed
@christophetd christophetd deleted the emilehugo.spir/expand-shady-links branch February 9, 2024 08:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christophetd christophetd christophetd approved these changes

@zmallen zmallen Awaiting requested review from zmallen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Taiki-San @christophetd @zmallen