test fix

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
opensearch-project · Sep 26, 2023 · 9a10743 · 9a10743
1 parent 7621e89
commit 9a10743
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/src/main/resources/rules/waf/aws_waf/aws_web_susp_useragents.yml b/src/main/resources/rules/waf/aws_waf/aws_web_susp_useragents.yml
@@ -0,0 +1,28 @@
+title: Suspicious User-Agents Related To Recon Tools
+id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
+status: experimental
+description: Detects known suspicious (default) user-agents related to scanning/recon tools
+references:
+  - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
+  - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
+  - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
+author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
+date: 2022/07/19
+modified: 2023/01/02
+tags:
+  - attack.initial_access
+  - attack.t1190
+logsource:
+  category: webserver
+detection:
+  selection:
+    cs-user-agent|contains:
+      # Add more tools as you see fit
+      - 'Wfuzz/'
+      - 'WPScan v'
+      - 'Recon-ng/v'
+      - 'GIS - AppSec Team - Project Vision'
+  condition: selection
+falsepositives:
+  - Unknown
+level: medium
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java
@@ -770,7 +770,7 @@ public void testCustomRuleValidation() throws IOException {
     public void testGetAllRuleCategories() throws IOException {
         Response response = makeRequest(client(), "GET", SecurityAnalyticsPlugin.RULE_BASE_URI + "/categories", Collections.emptyMap(), null);
         List<Object> categories = (List<Object>) asMap(response).get("rule_categories");
-        assertEquals(22, categories.size());
+        assertEquals(23, categories.size());
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("ad_ldap")));
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("dns")));
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("network")));
@@ -783,5 +783,6 @@ public void testGetAllRuleCategories() throws IOException {
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("okta")));
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("azure")));
         assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("linux")));
+        assertTrue(categories.stream().anyMatch(e -> ((Map<String, Object>)e).get("key").equals("waf")));
     }
-}
+}