Graphs" - "Measuring for" - "hosts</a>" condition: and extractors: - type: kval part: header kval: - server # digest: 4a0a004730450221008c1c59610f5757c3128a9ec1b663abc26b1a5cf4aa82b241ec97ee2188fb5466022068c349324d617970891e65fd832b7035e95dff053674eb97f3bc6a05f4308a39:922c64590222798bb761d5b6d8e72950

id: darkstat-detect

info:
  name: Detect Darkstat Reports
  author: geeknik
  severity: high
  description: Darkstat captures network traffic, calculates statistics about usage, and serves reports over HTTP
  reference:
    - https://unix4lyfe.org/darkstat/
  metadata:
    max-request: 2
  tags: darkstat,logs,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/darkstat/"

    # FYI, the default port for darkstat is 666
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - "[Ss]erver: darkstat.*"

      - type: word
        part: body
        words:
          - "darkstat"
          - "<title>Graphs"
          - "Measuring for"
          - "hosts</a>"
        condition: and

    extractors:
      - type: kval
        part: header
        kval:
          - server
# digest: 4a0a004730450221008c1c59610f5757c3128a9ec1b663abc26b1a5cf4aa82b241ec97ee2188fb5466022068c349324d617970891e65fd832b7035e95dff053674eb97f3bc6a05f4308a39:922c64590222798bb761d5b6d8e72950