5 YAMLs for the canary-fingerprint cohort per Appendix B / A.9: navigator.webdriver flag, automation canvas/audio/WebGL hash match, WebRTC IP leak, TZ/lang vs geo mismatch, platform inconsistency. CanaryFingerprintLifter (E.3.11) consumes by rule_id. test_canary_rules.py: YAML-present + inert-in-v0 + xfail(strict) gated on E.3.11.
22 lines
503 B
YAML
rule_id: R0051
rule_version: 1
name: webrtc_ip_leak
description: |
  WebRTC-discovered private IP doesn't match the source-IP geo —
  classic VPN/proxy obfuscation tell. CanaryFingerprintLifter
  composes the leak with the IP geo lookup.
applies_to:
  - canary_fingerprint
match:
  kind: lifter:canary_webrtc_leak
  require_geo_mismatch: true
emits:
  - tactic: TA0011
    technique_id: T1090
    confidence: 0.85
    evidence_fields:
      - webrtc_local_ip
      - source_ip
      - source_country
      - leak_country
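Review bot: the description calls the leaked address a "WebRTC-discovered private IP", yet `require_geo_mismatch: true` and the `leak_country` evidence field presuppose a geo lookup on that address; an RFC 1918 or link-local address has no geolocation, so for such input `leak_country` would be empty and the mismatch comparison undefined. Either state that the rule expects the public (server-reflexive) candidate, i.e. change "private IP" to "public IP" in the description, or have the lifter skip evaluation when `webrtc_local_ip` is a private address, and say which in the description.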