---
# SpiderFoot correlation rule: report a host that shows several
# independent signs of neglect. Events are bucketed per entity
# (see `aggregation`) and the rule fires only when at least three
# distinct event types land in the same bucket (see `analysis`).
id: stale_host
version: 1

meta:
  name: Stale host found
  description: >
    A host appears to be stale based upon various indicators such
    as unsuccessful HTTP codes, expired SSL certificates, error
    messages, vulnerabilities and junk files found. Such hosts
    may be unmaintained, exposing the target to security risks.
  risk: HIGH

# Each `collect` entry is one staleness indicator. Within an entry,
# every matcher must hold for an event to be collected.
collections:
  # Expired TLS/SSL certificate.
  - collect:
      - method: exact
        field: type
        value: SSL_CERTIFICATE_EXPIRED

  # HTTP response codes outside 2xx/3xx. 401 and 403 are excluded
  # on top of that — presumably because an access-controlled resource
  # is not evidence of neglect (verify against the HTTP_CODE event
  # data format the emitting module produces). The regex values are
  # quoted so the leading `^`/`[` can never be misread by the YAML
  # parser; `not ` negates the match.
  - collect:
      - method: exact
        field: type
        value: HTTP_CODE
      - method: regex
        field: data
        value: 'not ^[2-3].*$'
      - method: regex
        field: data
        value: 'not 40[13]'

  # Application error messages leaked in content.
  - collect:
      - method: exact
        field: type
        value: ERROR_MESSAGE

  # Junk/leftover files (backups, editor temp files, etc.) found
  # on the host.
  - collect:
      - method: exact
        field: type
        value: JUNK_FILE

  # Any vulnerability event type (VULNERABILITY_CVE_*, VULNERABILITY_GENERAL,
  # ...). Unanchored regex: matches every type containing the prefix.
  - collect:
      - method: regex
        field: type
        value: 'VULNERABILITY_.*'

# Group collected events by the entity's data (the host), so the
# threshold below is evaluated per host rather than across the scan.
aggregation:
  field: entity.data

analysis:
  - method: threshold
    field: type
    # Count each event type once per bucket, so a flood of events of a
    # single type (e.g. many HTTP_CODE results) cannot trip the rule on
    # its own: at least three *different* indicator types are required.
    count_unique_only: true
    minimum: 3

headline: 'Potentially stale/unmaintained host: {entity.data}'