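/**
 * Signature table for flagging potentially sensitive files and file contents.
 *
 * Each entry has the same five fields:
 *   - caption:     short human-readable label for the finding.
 *   - description: optional longer explanation, or null.
 *   - part:        what the pattern is applied to; the values used here are
 *                  "contents", "extension", "filename" and "path".
 *   - pattern:     the string or regular-expression source to test.
 *   - type:        "match" or "regex".
 *
 * NOTE(review): the matcher that consumes this table is not in this file.
 * "match" is presumably an exact string comparison and "regex" an unanchored
 * search unless the pattern carries its own ^/$ anchors; case sensitivity is
 * likewise decided by the consumer. Confirm before relying on either.
 *
 * Every hit is a lead for manual triage, not proof of an exposed secret: the
 * "contents" rules and the bare-word filename rules are deliberately broad.
 */
const signatures = [
  // --- Content heuristics (noisy by design) ---
  {
    "caption": "host names on non-http ports",
    "description": null,
    "part": "contents",
    // \\b must be double-escaped: a single \b in a JS/JSON string is a
    // backspace character, which would make the 80/443 exclusion never apply.
    "pattern": "(.*\\.(net|com):(?!(80|443)\\b))(.*)",
    "type": "regex"
  },
  {
    "caption": "non RFC-1918 IP address",
    "description": null,
    "part": "contents",
    // NOTE(review): only first octets 127, 10 and 192 are excluded, so
    // 172.16.0.0/12 is still reported and every 192.x address (not just
    // 192.168/16) is skipped. A quoted value with an http(s):// scheme is
    // required, so bare addresses are not matched.
    "pattern": "(url|host|host_?name|host_?addr|ip|ip_?addr|ip_?address)['\"]? ?[=:] ?['\"]((http|http)s?://)(1(?!(27|0|92)\\.)|[2-9]+)",
    "type": "regex"
  },
  {
    "caption": "static passwords",
    "description": null,
    "part": "contents",
    // NOTE(review): matches any non-empty assignment to a password-like key,
    // including environment lookups and placeholders; expect false positives.
    "pattern": "(password|passwd|pass|pwd)['\"]? ?[=:] ?['\"]?(?!(['\"]))",
    "type": "regex"
  },

  // --- File extensions ---
  {
    "caption": "1Password password manager database file",
    "description": null,
    "part": "extension",
    "pattern": "agilekeychain",
    "type": "match"
  },
  {
    "caption": "Apple Keychain database file",
    "description": null,
    "part": "extension",
    "pattern": "keychain",
    "type": "match"
  },
  {
    "caption": "Day One journal file",
    "description": null,
    "part": "extension",
    "pattern": "dayone",
    "type": "match"
  },
  {
    "caption": "GnuCash database file",
    "description": null,
    "part": "extension",
    "pattern": "gnucash",
    "type": "match"
  },
  {
    "caption": "KDE Wallet Manager database file",
    "description": null,
    "part": "extension",
    "pattern": "kwallet",
    "type": "match"
  },
  {
    "caption": "KeePass password manager database file",
    "description": null,
    "part": "extension",
    // NOTE(review): if "match" is exact, KeePass 2.x ".kdbx" databases are
    // not covered by this rule.
    "pattern": "kdb",
    "type": "match"
  },
  {
    "caption": "Log file",
    "description": "Log files might contain information such as references to secret HTTP endpoints, session IDs, user information, passwords and API keys.",
    "part": "extension",
    "pattern": "log",
    "type": "match"
  },
  {
    "caption": "Network traffic capture file",
    "description": null,
    "part": "extension",
    "pattern": "pcap",
    "type": "match"
  },
  {
    "caption": "OpenVPN client configuration file",
    "description": null,
    "part": "extension",
    "pattern": "ovpn",
    "type": "match"
  },
  {
    "caption": "Potential cryptographic key bundle",
    "description": null,
    "part": "extension",
    "pattern": "pkcs12",
    "type": "match"
  },
  {
    "caption": "Potential cryptographic key bundle",
    "description": null,
    "part": "extension",
    "pattern": "pfx",
    "type": "match"
  },
  {
    "caption": "Potential cryptographic key bundle",
    "description": null,
    "part": "extension",
    "pattern": "p12",
    "type": "match"
  },
  {
    "caption": "Potential cryptographic key bundle",
    "description": null,
    "part": "extension",
    "pattern": "asc",
    "type": "match"
  },
  {
    "caption": "Potential cryptographic private key",
    "description": null,
    "part": "extension",
    // .pem is a container format: it can also hold only public certificates,
    // so inspect the PEM header before treating a hit as a private key.
    "pattern": "pem",
    "type": "match"
  },
  {
    "caption": "Tunnelblick VPN configuration file",
    "description": null,
    "part": "extension",
    "pattern": "tblk",
    "type": "match"
  },
  {
    "caption": "GNOME Keyring database file",
    "description": null,
    "part": "extension",
    "pattern": "^key(store|ring)$",
    "type": "regex"
  },
  {
    "caption": "Potential cryptographic private key",
    "description": null,
    "part": "extension",
    "pattern": "^key(pair)?$",
    "type": "regex"
  },
  {
    "caption": "SQL dump file",
    "description": null,
    "part": "extension",
    "pattern": "^sql(dump)?$",
    "type": "regex"
  },

  // --- File names ---
  {
    "caption": "Carrierwave configuration file",
    "description": "Can contain credentials for online storage systems such as Amazon S3 and Google Storage.",
    "part": "filename",
    "pattern": "carrierwave.rb",
    "type": "match"
  },
  {
    "caption": "Chef Knife configuration file",
    "description": "Might contain references to Chef servers",
    "part": "filename",
    "pattern": "knife.rb",
    "type": "match"
  },
  {
    "caption": "Django configuration file",
    "description": "Might contain database credentials, online storage system credentials, secret keys, etc.",
    "part": "filename",
    "pattern": "settings.py",
    "type": "match"
  },
  {
    "caption": "FileZilla FTP configuration file",
    "description": "Might contain credentials for FTP servers",
    "part": "filename",
    "pattern": "filezilla.xml",
    "type": "match"
  },
  {
    "caption": "FileZilla FTP recent servers file",
    "description": "Might contain credentials for FTP servers",
    "part": "filename",
    "pattern": "recentservers.xml",
    "type": "match"
  },
  {
    "caption": "Jenkins publish over SSH plugin file",
    "description": null,
    "part": "filename",
    "pattern": "jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml",
    "type": "match"
  },
  {
    "caption": "Little Snitch firewall configuration file",
    "description": "Contains traffic rules for applications",
    "part": "filename",
    "pattern": "configuration.user.xpl",
    "type": "match"
  },
  {
    "caption": "OmniAuth configuration file",
    "description": "The OmniAuth configuration file might contain client application secrets.",
    "part": "filename",
    "pattern": "omniauth.rb",
    "type": "match"
  },
  {
    "caption": "Pidgin OTR private key",
    "description": null,
    "part": "filename",
    "pattern": "otr.private_key",
    "type": "match"
  },
  {
    "caption": "Potential Jenkins credentials file",
    "description": null,
    "part": "filename",
    "pattern": "credentials.xml",
    "type": "match"
  },
  {
    "caption": "Potential MediaWiki configuration file",
    "description": null,
    "part": "filename",
    "pattern": "LocalSettings.php",
    "type": "match"
  },
  {
    "caption": "Potential Ruby On Rails database configuration file",
    "description": "Might contain database credentials.",
    "part": "filename",
    "pattern": "database.yml",
    "type": "match"
  },
  {
    "caption": "Potential jrnl journal file",
    "description": null,
    "part": "filename",
    "pattern": "journal.txt",
    "type": "match"
  },
  {
    "caption": "Robomongo MongoDB manager configuration file",
    "description": "Might contain credentials for MongoDB databases",
    "part": "filename",
    "pattern": "robomongo.json",
    "type": "match"
  },
  {
    "caption": "Ruby On Rails database schema file",
    "description": "Contains information on the database schema of a Ruby On Rails application.",
    "part": "filename",
    "pattern": "schema.rb",
    "type": "match"
  },
  {
    "caption": "Ruby On Rails secret token configuration file",
    "description": "If the Rails secret token is known, it can allow for remote code execution. (http://www.exploit-db.com/exploits/27527/)",
    "part": "filename",
    "pattern": "secret_token.rb",
    "type": "match"
  },
  {
    "caption": "Sequel Pro MySQL database manager bookmark file",
    "description": null,
    "part": "filename",
    "pattern": "Favorites.plist",
    "type": "match"
  },
  {
    "caption": "Terraform variable config file",
    "description": "Might contain credentials for terraform providers",
    "part": "filename",
    "pattern": "terraform.tfvars",
    "type": "match"
  },
  {
    "caption": "Ventrilo server configuration file",
    "description": "Might contain passwords",
    "part": "filename",
    "pattern": "ventrilo_srv.ini",
    "type": "match"
  },
  {
    "caption": "cPanel backup ProFTPd credentials file",
    "description": "Contains usernames and password hashes for FTP accounts",
    "part": "filename",
    "pattern": "proftpdpasswd",
    "type": "match"
  },
  {
    "caption": "Apache htpasswd file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?htpasswd$",
    "type": "regex"
  },
  {
    "caption": "Configuration file for auto-login process",
    "description": "Might contain username and password.",
    "part": "filename",
    "pattern": "^(\\.|_)?netrc$",
    "type": "regex"
  },
  // The "Contains word" rules below are unanchored, so they hit any file name
  // that merely contains the word; they are the main source of noise.
  {
    "caption": "Contains word: backup",
    "description": null,
    "part": "filename",
    "pattern": "backup",
    "type": "regex"
  },
  {
    "caption": "Contains word: credential",
    "description": null,
    "part": "filename",
    "pattern": "credential",
    "type": "regex"
  },
  {
    "caption": "Contains word: dump",
    "description": null,
    "part": "filename",
    "pattern": "dump",
    "type": "regex"
  },
  {
    "caption": "Contains word: password",
    "description": null,
    "part": "filename",
    "pattern": "password",
    "type": "regex"
  },
  {
    "caption": "Contains word: secret",
    "description": null,
    "part": "filename",
    "pattern": "secret",
    "type": "regex"
  },
  {
    "caption": "Contains words: private, key",
    "description": null,
    "part": "filename",
    "pattern": "private.*key",
    "type": "regex"
  },
  {
    "caption": "DBeaver SQL database manager configuration file",
    "description": null,
    "part": "filename",
    // NOTE(review): the "." before "xml" is unescaped and matches any
    // character; harmless in practice but looser than the caption implies.
    "pattern": "^\\.?dbeaver-data-sources.xml$",
    "type": "regex"
  },
  {
    "caption": "Docker configuration file",
    "description": "Might contain credentials for public or private Docker registries",
    "part": "filename",
    "pattern": "^\\.?dockercfg$",
    "type": "regex"
  },
  {
    "caption": "Environment configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?env$",
    "type": "regex"
  },
  {
    "caption": "Git configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?gitconfig$",
    "type": "regex"
  },
  {
    "caption": "Mutt e-mail client configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?muttrc$",
    "type": "regex"
  },
  {
    "caption": "MySQL client command history file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?mysql_history$",
    "type": "regex"
  },
  {
    "caption": "NPM configuration file",
    "description": "Might contain credentials for NPM registries",
    "part": "filename",
    "pattern": "^\\.?npmrc$",
    "type": "regex"
  },
  {
    "caption": "PHP configuration file",
    "description": "Might contain credentials and keys.",
    "part": "filename",
    "pattern": "^(.*)?config(\\.inc)?\\.php$",
    "type": "regex"
  },
  {
    "caption": "PostgreSQL client command history file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?psql_history$",
    "type": "regex"
  },
  {
    "caption": "PostgreSQL password file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?pgpass$",
    "type": "regex"
  },
  // The trailing $ keeps these from matching the public halves (*.pub).
  {
    "caption": "Private SSH key",
    "description": null,
    "part": "filename",
    "pattern": "^.*_rsa$",
    "type": "regex"
  },
  {
    "caption": "Private SSH key",
    "description": null,
    "part": "filename",
    "pattern": "^.*_dsa$",
    "type": "regex"
  },
  {
    "caption": "Private SSH key",
    "description": null,
    "part": "filename",
    "pattern": "^.*_ed25519$",
    "type": "regex"
  },
  {
    "caption": "Private SSH key",
    "description": null,
    "part": "filename",
    "pattern": "^.*_ecdsa$",
    "type": "regex"
  },
  {
    "caption": "Ruby IRB console history file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?irb_history$",
    "type": "regex"
  },
  {
    "caption": "S3cmd configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?s3cfg$",
    "type": "regex"
  },
  {
    "caption": "Shell command alias configuration file",
    "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys.",
    "part": "filename",
    "pattern": "^\\.?(bash_|zsh_)?aliases$",
    "type": "regex"
  },
  {
    "caption": "Shell command history file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?(bash_|zsh_|z)?history$",
    "type": "regex"
  },
  {
    "caption": "Shell configuration file",
    "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys.",
    "part": "filename",
    "pattern": "^\\.?(bash|zsh)rc$",
    "type": "regex"
  },
  {
    "caption": "Shell profile configuration file",
    "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys.",
    "part": "filename",
    "pattern": "^\\.?(bash_|zsh_)?profile$",
    "type": "regex"
  },
  {
    "caption": "T command-line Twitter client configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?trc$",
    "type": "regex"
  },
  {
    "caption": "Tugboat DigitalOcean management tool configuration",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?tugboat$",
    "type": "regex"
  },
  {
    "caption": "Well, this is awkward... Gitrob configuration file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?gitrobrc$",
    "type": "regex"
  },
  {
    "caption": "git-credential-store helper credentials file",
    "description": null,
    "part": "filename",
    "pattern": "^\\.?git-credentials$",
    "type": "regex"
  },

  // --- Paths (anchored at the end only, so any parent directory matches) ---
  {
    "caption": "AWS CLI credentials file",
    "description": null,
    "part": "path",
    "pattern": "\\.?aws/credentials$",
    "type": "regex"
  },
  {
    "caption": "Chef private key",
    "description": "Can be used to authenticate against Chef servers",
    "part": "path",
    "pattern": "\\.?chef/(.*)\\.pem$",
    "type": "regex"
  },
  {
    "caption": "Hexchat/XChat IRC client server list configuration file",
    "description": null,
    "part": "path",
    "pattern": "\\.?xchat2?\\/servlist_?\\.conf$",
    "type": "regex"
  },
  {
    "caption": "Irssi IRC client configuration file",
    "description": null,
    "part": "path",
    "pattern": "\\.?irssi\\/config$",
    "type": "regex"
  },
  {
    "caption": "Pidgin chat client account configuration file",
    "description": null,
    "part": "path",
    "pattern": "\\.?purple\\/accounts\\.xml$",
    "type": "regex"
  },
  {
    "caption": "Recon-ng web reconnaissance framework API key database",
    "description": null,
    "part": "path",
    "pattern": "\\.?recon-ng\\/keys\\.db$",
    "type": "regex"
  },
  {
    "caption": "Rubygems credentials file",
    "description": "Might contain API key for a rubygems.org account.",
    "part": "path",
    "pattern": "\\.?gem/credentials$",
    "type": "regex"
  },
  {
    "caption": "SSH configuration file",
    "description": null,
    "part": "path",
    "pattern": "\\.?ssh/config$",
    "type": "regex"
  }
];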