From 9617d27fe66a6ccb935d88718133d771919e4983 Mon Sep 17 00:00:00 2001
From: Henry Post
Date: Mon, 16 Feb 2026 11:30:07 -0600
Subject: [PATCH] Add detection for unencrypted PPK files

- Modified KeepSSHKeysByFileExtension.toml to relay .ppk files to content scanning
- Added KeepUnencryptedPPK.toml to detect "Encryption: none" pattern with Black triage

This allows Snaffler to differentiate between encrypted and unencrypted PPK files, flagging only unencrypted ones as high-priority findings.

Co-Authored-By: Claude Opus 4.6
---
 .../UserFiles/SSH/KeepSSHKeysByFileExtension.toml | 9 +++++----
 .../Keep/UserFiles/SSH/KeepUnencryptedPPK.toml | 11 +++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml

diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
index e706fa98..013cd1ad 100644
--- a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
@@ -1,10 +1,11 @@
 [[ClassifierRules]]
 EnumerationScope = "FileEnumeration"
-RuleName = "KeepSSHKeysByFileExtension"
-MatchAction = "Snaffle"
-Description = "SSHKeys"
+RuleName = "RelayPPKForContentScan"
+MatchAction = "Relay"
+RelayTargets = ["KeepUnencryptedPPK"]
+Description = "PPK files are relayed to content scanning for unencrypted detection"
 MatchLocation = "FileExtension"
 WordListType = "Exact"
 MatchLength = 0
 WordList = ["\\.ppk"]
-Triage = "Black"
+Triage = "Green"
diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml
new file mode 100644
index 00000000..53339345
--- /dev/null
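Review bot: Passphrase-protected .ppk files drop out of the results entirely with this hunk: the extension rule now only relays to KeepUnencryptedPPK, whose regex matches "Encryption: none", so a PPK that was previously reported as Black now produces no finding at all (this assumes a Relay rule does not itself emit a finding for its own Triage — confirm against Snaffler's classifier handling of MatchAction = "Relay"). If the intent is to demote encrypted keys rather than stop reporting them, a second FileEnumeration rule for `\\.ppk` with a lower triage alongside the relay would keep that coverage. Separately, RuleName is now `RelayPPKForContentScan` while the file is still KeepSSHKeysByFileExtension.toml under Keep/, so the rule name, file name and directory no longer agree; renaming the file to match the rule, or noting the relationship in a `#` comment above `RuleName`, would stop the two from drifting. The same coverage gap is reached from the new rule in KeepUnencryptedPPK.toml, which only ever matches the unencrypted case.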
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml
@@ -0,0 +1,11 @@
+[[ClassifierRules]]
+EnumerationScope = "ContentsEnumeration"
+RuleName = "KeepUnencryptedPPK"
+MatchAction = "Snaffle"
+Description = "Unencrypted PPK files (contains 'Encryption: none')"
+MatchLocation = "FileContentAsString"
+WordListType = "Regex"
+MatchLength = 0
+WordList = ["Encryption:\\s*none"]
+Triage = "Black"
+
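Review bot: The regex on the WordList line is unanchored, so "Encryption:" followed by "none" anywhere in the file body — not just the PPK header line — yields a Black finding; anchoring it to a line, `WordList = ["(?m)^Encryption:\\s*none\\s*$"]`, restricts the match to the header field the Description describes. This matters less if ContentsEnumeration rules only ever see files relayed to them by name, which I believe is how Snaffler dispatches them but cannot confirm from this diff. The rule would also benefit from a `#` comment above `WordList` recording why this string is the signal, e.g. `# PuTTY .ppk headers carry an "Encryption:" field; "none" means the private key is stored without a passphrase.`, since the TOML-level `\\s` escaping is easy to misread on a later edit.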