[ASM] Update fingerprint rules

tracer/src/Datadog.Trace/AppSec/AttackerFingerprint/AttackerFingerprintHelper.cs

@@ -15,12 +15,11 @@ namespace Datadog.Trace.AppSec.AttackerFingerprint;
 internal static class AttackerFingerprintHelper
 {
     private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(typeof(AttackerFingerprintHelper));
-    private static readonly Dictionary<string, object> _fingerprintRequest = new() { { AddressesConstants.WafContextProcessor, new Dictionary<string, object> { { "fingerprint", true } } } };
     private static bool _warningLogged = false;
 
-    public static void AddSpanTags(Span span)
+    public static void AddSpanTags(Span span, IResult result)
     {
-        if (span.IsFinished || span.Type != SpanTypes.Web)
+        if (result?.FingerprintDerivatives is null || span.IsFinished || span.Type != SpanTypes.Web)
         {
             return;
         }
@@ -33,8 +32,7 @@ public static void AddSpanTags(Span span)
             return;
         }
 
-        var result = securityCoordinator.RunWaf(_fingerprintRequest);
-        AddSpanTags(result?.FingerprintDerivatives, span);
+        AddSpanTags(result.FingerprintDerivatives, span);
     }
 
     private static void AddSpanTags(Dictionary<string, object?>? fingerPrintDerivatives, ISpan span)

tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs

@@ -132,7 +132,7 @@ internal void TryReport(IResult result, bool blocked, int? status = null)
                 traceContext.AddWafSecurityEvents(result.Data);
             }
 
-            AttackerFingerprintHelper.AddSpanTags(_localRootSpan);
+            AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result);
 
             var clientIp = _localRootSpan.GetTag(Tags.HttpClientIp);
             if (!string.IsNullOrEmpty(clientIp))

tracer/test/Datadog.Trace.Security.IntegrationTests/rasp-rule-set.json

@@ -16,22 +16,23 @@
   ],
   "processors": [
     {
-      "id": "processor-001",
+      "id": "http-endpoint-fingerprint",
       "generator": "http_endpoint_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -62,26 +63,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-002",
+      "id": "http-header-fingerprint",
       "generator": "http_header_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -97,26 +99,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-003",
+      "id": "http-network-fingerprint",
       "generator": "http_network_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -132,26 +135,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-004",
+      "id": "session-fingerprint",
       "generator": "session_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -177,7 +181,7 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     }
   ],
@@ -456,6 +460,35 @@
         "block"
       ]
     },
+    {
+      "id": "ua0-600-12x",
+      "name": "Arachni",
+      "tags": {
+        "type": "attack_tool",
+        "category": "attack_attempt",
+        "cwe": "200",
+        "capec": "1000/118/169",
+        "tool_name": "Arachni",
+        "confidence": "1"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "^Arachni\\/v"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "rasp-932-400",
       "name": "New exploit",

tracer/test/Datadog.Trace.Security.IntegrationTests/ruleset.3.0.json

@@ -16,22 +16,23 @@
   ],
   "processors": [
     {
-      "id": "processor-001",
+      "id": "http-endpoint-fingerprint",
       "generator": "http_endpoint_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -62,26 +63,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-002",
+      "id": "http-header-fingerprint",
       "generator": "http_header_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -97,26 +99,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-003",
+      "id": "http-network-fingerprint",
       "generator": "http_network_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -132,26 +135,27 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     },
     {
-      "id": "processor-004",
+      "id": "session-fingerprint",
       "generator": "session_fingerprint",
       "conditions": [
         {
-          "operator": "equals",
+          "operator": "exists",
           "parameters": {
             "inputs": [
               {
-                "address": "waf.context.processor",
-                "key_path": [
-                  "fingerprint"
-                ]
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
               }
-            ],
-            "value": true,
-            "type": "boolean"
+            ]
           }
         }
       ],
@@ -177,7 +181,7 @@
           }
         ]
       },
-      "evaluate": true,
+      "evaluate": false,
       "output": true
     }
   ],