Last active
October 11, 2022 21:26
-
-
Save dustyfresh/614fa3edddfca99b766ba410fcc8ddd6 to your computer and use it in GitHub Desktop.
yara signatures converted from trufflehog regexes for identifying secrets in text files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Yara signatures for identifying secrets in text files. Requires libmagic! | |
Mostly all stolen from Trufflehog regexes: | |
- https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json | |
*/ | |
import "magic" | |
rule RSA_PRIVATE_KEY { | |
meta: | |
description = "RSA key patterns" | |
strings: | |
$rsa = /-{5}BEGIN\sRSA\sPRIVATE\sKEY-{5}/ | |
condition: | |
$rsa and magic.type() contains "text" | |
} | |
rule SSH_EC_PRIVATE_KEY { | |
meta: | |
description = "SSH (EC) private key patterns" | |
strings: | |
$pattern = /-{5}BEGIN\sEC\sPRIVATE\sKEY-{5}/ | |
condition: | |
$pattern and magic.type() contains "text" | |
} | |
rule PGP_PRIVATE_KEY { | |
meta: | |
description = "PGP Private key patterns" | |
strings: | |
$pattern = /-{5}BEGIN\sPGP\sPRIVATE\sKEY-{5}/ | |
condition: | |
$pattern and magic.type() contains "text" | |
} | |
rule AWS_KEY { | |
meta: | |
description = "AWS key patterns" | |
strings: | |
$aws_access_key_id = /AKIA[0-9A-Z]{16}/ | |
$aws_mws_auth_token = /amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule facebook_keys { | |
meta: | |
description = "facebook key patterns" | |
strings: | |
$access_token = /EAACEdEose0cBA[0-9A-Za-z]+/ | |
$facebook_oauth = /[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\"][0-9a-f]{32}['|\"]/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule github_key { | |
meta: | |
description = "github key patterns" | |
strings: | |
$access_token = /[g|G][i|I][t|T][h|H][u|U][b|B].*['|\"][0-9a-zA-Z]{35,40}['|\"]/ | |
condition: | |
$access_token and magic.type() contains "text" | |
} | |
rule generic_api_key { | |
meta: | |
description = "generic key patterns" | |
strings: | |
$generic_key = /[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\"][0-9a-zA-Z]{32,45}['|\"]/ | |
$generic_secret = /[s|S][e|E][c|C][r|R][e|E][t|T].*['|\"][0-9a-zA-Z]{32,45}['|\"]/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule google_keys { | |
meta: | |
description = "Google key patterns" | |
strings: | |
$google_api = /AIza[0-9A-Za-z\\-_]{35}/ | |
$google_oauth = /[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com/ | |
$gmail_oauth_access_key = /ya29\\.[0-9A-Za-z\\-_]+/ | |
$GCP_service_account = /\"type\": \"service_account\"/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule heroku_api_key { | |
meta: | |
description = "heroku key patterns" | |
strings: | |
$heroku_key = /[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/ | |
condition: | |
$heroku_key and magic.type() contains "text" | |
} | |
rule mailchimp_api_key { | |
meta: | |
description = "mailchimp key patterns" | |
strings: | |
$mailchimp_key = /[0-9a-f]{32}-us[0-9]{1,2}/ | |
condition: | |
$mailchimp_key and magic.type() contains "text" | |
} | |
rule mailgun_api_key { | |
meta: | |
description = "mailgun key patterns" | |
strings: | |
$mailgun_key = /key-[0-9a-zA-Z]{32}/ | |
condition: | |
$mailgun_key and magic.type() contains "text" | |
} | |
rule password_url { | |
meta: | |
description = "URL string containing a password" | |
strings: | |
$password_url = /[a-z-0-9]{,8}:\/{2}[a-z-0-9]{,16}\:[a-z-0-9-!@#$%^&*()_+\,.<>?]{,16}@[a-z]{,64}\.[a-z]{,8}/ nocase | |
condition: | |
$password_url and magic.type() contains "text" | |
} | |
rule paypal_braintree { | |
meta: | |
description = "paypal braintree access token" | |
strings: | |
$access_token = /access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}/ | |
condition: | |
$access_token and magic.type() contains "text" | |
} | |
rule picatic_api_key { | |
meta: | |
description = "Picatic API Key" | |
strings: | |
$api_key = /sk_live_[0-9a-z]{32}/ | |
condition: | |
$api_key and magic.type() contains "text" | |
} | |
rule stripe_api_keys { | |
meta: | |
description = "Stripe API" | |
strings: | |
$api_key = /sk_live_[0-9a-zA-Z]{24}/ | |
$restricted_api_key = /rk_live_[0-9a-zA-Z]{24}/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule square_keys { | |
meta: | |
description = "Square secrets" | |
strings: | |
$square_access_token = /sq0atp-[0-9A-Za-z\\-_]{22}/ | |
$square_oauth_secret = /sq0csp-[0-9A-Za-z\\-_]{43}/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
rule twilio_api_key { | |
meta: | |
description = "Twilio API key" | |
strings: | |
$api_key = /SK[0-9a-fA-F]{32}/ | |
condition: | |
$api_key and magic.type() contains "text" | |
} | |
rule twitter_keys { | |
meta: | |
description = "Twitter API key" | |
strings: | |
$access_key = /[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}/ | |
$oauth = /[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"]/ | |
condition: | |
any of them and magic.type() contains "text" | |
} | |
/* commenting slack stuff out as needs to be tested | |
rule slack { | |
meta: | |
description = "Slack API key patterns" | |
strings: | |
$slack_token = /(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})/ | |
condition: | |
$slack_token and magic.type() contains "text" | |
} | |
rule slack_webhook { | |
meta: | |
description = "Slack Webhook" | |
strings: | |
$slack_webhook_url = /https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}/ | |
condition: | |
$slack_webhook_url and magic.type() contains "text" | |
} | |
*/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment