46 lines
1023 B
YAML
46 lines
1023 B
YAML
id: linkerd-badrule-detect
|
|
|
|
# Detect the Linkerd service by overriding the delegation table with an invalid
|
|
# rule, the presence of the service is indicated by either:
|
|
# - a "Via: .. linkerd .."
|
|
# - a "l5d-err" and/or a "l5d-success" header
|
|
# - a literal error in the body
|
|
|
|
info:
|
|
name: Linkerd detection via bad rule
|
|
author: dudez
|
|
severity: low
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/"
|
|
headers:
|
|
l5d-dtab: /svc/*
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: regex
|
|
name: via-linkerd-present
|
|
regex:
|
|
- '(?mi)^Via\s*?:.*?linkerd.*$'
|
|
part: header
|
|
|
|
- type: regex
|
|
name: l5d-err-present
|
|
regex:
|
|
- '(?im)^l5d-err:.*$'
|
|
part: header
|
|
|
|
- type: regex
|
|
name: l5d-success-class-present
|
|
regex:
|
|
- '(?im)^l5d-success-class: 0.*$'
|
|
part: header
|
|
|
|
- type: word
|
|
name: body-error-present
|
|
words:
|
|
- 'expected but end of input found at'
|
|
part: body
|