mushorg / tanner

He who flays the hide
GNU General Public License v3.0

Expand the dork collection #32

Closed glaslos closed 8 years ago

glaslos commented 8 years ago

Right now we have a fixed collection of dorks: https://github.com/mushorg/tanner/blob/master/dorks.pickle We want to increase the collection of dorks to make the SNARE sensors more attractive.

afeena commented 8 years ago

"Extract dork from request path" Can you explain this point? How was the existing dorks file created? (I mean, which sources were used?) And can we use the Google Hacking Database for the new dorks? (Or will they intersect with the old dorks?)

glaslos commented 8 years ago

So the assumption is that an attacker is not trying to target just one vulnerability. So further requests probably also contain paths to a vulnerability. By taking the path (from the first slash from the left to an eventual question mark) and adding it to the dork list, we expand the attack surface of SNARE.

glaslos commented 8 years ago

I used dorks from glastopf. I think they are originally from the Google Hacking DB. Intersection should be no problem. I think we should have one db for "good" dorks, dorks we got from the GHDB or which we added manually, and one dork db from requests. Consider also if we want to move the dorks into redis so we don't have to keep them in the python process memory.

glaslos commented 8 years ago

Closed with ebf2f6a
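
The path extraction and the two-collection split discussed in this thread, as an added sketch (not tanner's code and not the contents of the closing commit). The names `extract_dork`, `DorkStore` and `MAX_DORK_LEN` are hypothetical, and plain in-memory sets stand in for whatever store (pickle file or Redis) the project uses.

```python
from urllib.parse import urlsplit

MAX_DORK_LEN = 256  # assumed cap so one oversized request cannot bloat the store


def extract_dork(request_target):
    """Return the path of a request target (first slash up to '?'), or None."""
    try:
        # urlsplit handles origin-form ("/a/b.php?x=1") and
        # absolute-form ("http://host/a/b.php?x=1") targets alike.
        path = urlsplit(request_target).path
    except ValueError:
        return None  # malformed target, e.g. an unbalanced IPv6 bracket
    if not path.startswith("/") or path == "/":
        return None  # the site root carries no information worth storing
    if len(path) > MAX_DORK_LEN:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return None  # control characters would corrupt generated pages
    return path


class DorkStore:
    """Keeps curated dorks apart from dorks learned from sensor traffic."""

    def __init__(self, curated):
        self.curated = set(curated)   # GHDB or manually added entries
        self.from_requests = set()    # paths harvested from requests

    def observe(self, request_target):
        """Record a new request-derived dork; return True if it was added."""
        dork = extract_dork(request_target)
        if dork is None or dork in self.curated or dork in self.from_requests:
            return False
        self.from_requests.add(dork)
        return True


if __name__ == "__main__":
    # Constructed sample request targets, not captured traffic.
    store = DorkStore(curated={"/wp-login.php"})
    for target in ["/wp-login.php?a=1", "/cgi-bin/test.cgi?x=1", "/", "http://[bad/x"]:
        print(repr(target), "->", store.observe(target))
```

Keeping request-derived paths in their own set means attacker-supplied entries can be reviewed or expired without touching the curated list.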