
Rule packs — DefenseClaw

Overview

Rule packs are YAML bundles with rules/*.yaml, judge/*.yaml, suppressions.yaml, and sensitive-tools.yaml. Built-in packs live under policies/guardrail/<pack>/; embedded fallback files live under internal/guardrail/defaults/.

A pack is selected at runtime by guardrail.rule_pack_dir, not by guardrail.profile. internal/guardrail/rulepack.go::LoadRulePack reads the configured directory first and falls back to the embedded defaults for any file that is missing or corrupt. A misconfigured rule_pack_dir therefore loads the embedded defaults rather than the intended pack, so confirm that the loaded pack is the one you meant to deploy.

Reference — pack diff

Rule counts by pack

| Category | default | strict | permissive |
|---|---|---|---|
| c2 | 18 | 18 | 18 |
| cognitive-file | 8 | 8 | 8 |
| command | 26 | 26 | 26 |
| enterprise-data | 16 | 16 | 16 |
| local-patterns | 0 | 0 | 0 |
| secret | 22 | 22 | 22 |
| sensitive-path | 17 | 17 | 17 |
| trust-exploit | 21 | 21 | 21 |
| Total rules | 128 | 128 | 128 |
| Suppressions | 0 | 0 | 0 |

Reference — default pack, all rules

Every rule in the default pack. The strict pack adds extra rules and tightens thresholds; the permissive pack is a subset. See Configuration for defenseclaw_profile and per-rule sample_inline_with_judge overrides.

Category c2 — 18 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| C2-WEBHOOK-SITE | HIGH | 0.90 | webhook.site (known exfil) | exfiltration, c2 |
| C2-NGROK | HIGH | 0.85 | ngrok tunnel (exfil risk) | exfiltration, c2 |
| C2-PIPEDREAM | HIGH | 0.90 | Pipedream (known exfil) | exfiltration, c2 |
| C2-REQUESTBIN | HIGH | 0.90 | RequestBin (known exfil) | exfiltration, c2 |
| C2-HOOKBIN | HIGH | 0.90 | HookBin (known exfil) | exfiltration, c2 |
| C2-BURP | HIGH | 0.90 | Burp Collaborator (pentest C2) | exfiltration, c2 |
| C2-INTERACTSH | HIGH | 0.90 | interact.sh (OOB exfil) | exfiltration, c2 |
| C2-OAST | HIGH | 0.85 | oast.fun (OOB testing) | exfiltration, c2 |
| C2-CANARY | MEDIUM | 0.75 | Canary Tokens | exfiltration, c2 |
| C2-PASTEBIN | MEDIUM | 0.70 | Pastebin raw fetch | exfiltration, c2 |
| C2-METADATA-AWS | CRITICAL | 0.95 | AWS metadata endpoint (SSRF) | ssrf, credential |
| C2-METADATA-GCP | CRITICAL | 0.95 | GCP metadata endpoint (SSRF) | ssrf, credential |
| C2-METADATA-AZURE | CRITICAL | 0.95 | Azure metadata endpoint (SSRF) | ssrf, credential |
| C2-METADATA-HEX | CRITICAL | 0.95 | AWS metadata endpoint (hex-encoded SSRF) | ssrf, credential |
| C2-METADATA-DECIMAL | CRITICAL | 0.93 | AWS metadata endpoint (decimal-encoded SSRF) | ssrf, credential |
| C2-METADATA-OCTAL | CRITICAL | 0.93 | AWS metadata endpoint (octal-encoded SSRF) | ssrf, credential |
| C2-DNS-TUNNEL | HIGH | 0.78 | DNS TXT query with high-entropy label (tunneling indicator) | exfiltration, dns-tunnel |
| C2-DNS-EXFIL | HIGH | 0.80 | nslookup with hex subdomain (DNS exfil) | exfiltration, dns-tunnel |

Category cognitive-file — 8 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| COG-SOUL | CRITICAL | 0.95 | SOUL.md access (agent identity) | cognitive-tampering |
| COG-IDENTITY | CRITICAL | 0.95 | IDENTITY.md access | cognitive-tampering |
| COG-MEMORY | HIGH | 0.85 | MEMORY.md access | cognitive-tampering |
| COG-CLAUDE-MD | HIGH | 0.85 | CLAUDE.md access | cognitive-tampering |
| COG-TOOLS-MD | HIGH | 0.80 | TOOLS.md access | cognitive-tampering |
| COG-AGENTS-MD | HIGH | 0.80 | AGENTS.md access | cognitive-tampering |
| COG-OPENCLAW-JSON | HIGH | 0.80 | openclaw.json config access | cognitive-tampering |
| COG-GATEWAY-JSON | HIGH | 0.80 | gateway.json config access | cognitive-tampering |

Category command — 26 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| CMD-REVSHELL-BASH | CRITICAL | 0.98 | Bash reverse shell | execution, reverse-shell |
| CMD-REVSHELL-DEVTCP | CRITICAL | 0.95 | Reverse shell via /dev/tcp | execution, reverse-shell |
| CMD-REVSHELL-NC | CRITICAL | 0.95 | Netcat reverse shell with -e | execution, reverse-shell |
| CMD-REVSHELL-PYTHON | CRITICAL | 0.90 | Python reverse shell | execution, reverse-shell |
| CMD-PIPE-CURL | CRITICAL | 0.95 | curl piped to shell | execution, download-exec |
| CMD-PIPE-WGET | CRITICAL | 0.95 | wget piped to shell | execution, download-exec |
| CMD-PIPE-BASE64 | CRITICAL | 0.95 | base64 decode piped to shell | execution, obfuscation |
| CMD-EVAL | HIGH | 0.85 | Shell eval with dynamic input | execution |
| CMD-BASH-C | LOW | 0.55 | Shell -c execution | execution |
| CMD-PYTHON-C | LOW | 0.55 | Python inline execution | execution |
| CMD-PERL-E | LOW | 0.55 | Perl inline execution | execution |
| CMD-RUBY-E | LOW | 0.55 | Ruby inline execution | execution |
| CMD-RM-RF | CRITICAL | 0.95 | Recursive force delete from critical root path | destructive |
| CMD-MKFS | CRITICAL | 0.90 | Filesystem format command | destructive |
| CMD-DD-IF | HIGH | 0.80 | dd disk write | destructive |
| CMD-CHMOD-WORLD | HIGH | 0.80 | chmod world-writable | privilege |
| CMD-CHOWN-ROOT | HIGH | 0.75 | chown to root | privilege |
| CMD-SUDO | LOW | 0.50 | sudo invocation | privilege |
| CMD-ETC-WRITE | CRITICAL | 0.90 | Write redirect to /etc/ | system-file |
| CMD-CRONTAB | HIGH | 0.75 | Crontab modification | persistence |
| CMD-SYSTEMCTL | HIGH | 0.82 | Suspicious systemd persistence enablement | persistence |
| CMD-NETCAT-LISTEN | HIGH | 0.85 | Netcat listener | network, reverse-shell |
| CMD-CURL-UPLOAD | HIGH | 0.85 | curl file upload | network, exfiltration |
| CMD-WGET-POST | HIGH | 0.85 | wget POST data exfil | network, exfiltration |
| CMD-SOCAT-EXEC | CRITICAL | 0.95 | socat with EXEC (reverse shell) | execution, reverse-shell |
| CMD-ENV-DUMP | HIGH | 0.80 | Environment variable dump | credential |

Category enterprise-data — 16 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| ENT-BULK-SSN | CRITICAL | 0.85 | US Social Security Number | pii, regulated |
| ENT-BULK-SSN-NOHYPHEN | HIGH | 0.55 | US SSN (no hyphens) | pii, regulated |
| ENT-CC-VISA | CRITICAL | 0.80 | Visa credit card number | pii, pci |
| ENT-CC-MC | CRITICAL | 0.80 | Mastercard credit card number | pii, pci |
| ENT-CC-AMEX | CRITICAL | 0.80 | American Express card number | pii, pci |
| ENT-CC-DISCOVER | CRITICAL | 0.80 | Discover card number | pii, pci |
| ENT-IBAN | HIGH | 0.75 | International Bank Account Number (IBAN) | pii, financial |
| ENT-US-PHONE | MEDIUM | 0.50 | US phone number | pii |
| ENT-EMAIL-BULK | LOW | 0.40 | Email address | pii |
| ENT-PASSPORT-US | HIGH | 0.50 | US passport number pattern | pii, regulated |
| ENT-DL-CA | HIGH | 0.40 | California drivers license pattern | pii, regulated |
| ENT-MEDICAL-RECORD | CRITICAL | 0.70 | Medical record number | pii, hipaa |
| ENT-DOB-PATTERN | HIGH | 0.75 | Date of birth with label | pii, hipaa |
| ENT-NHS-NUMBER | HIGH | 0.40 | UK NHS number pattern | pii, regulated |
| ENT-BULK-CSV-PII | HIGH | 0.80 | CSV/TSV header with multiple PII columns | pii, bulk-data |
| ENT-BULK-JSON-PII | HIGH | 0.75 | JSON field with PII key | pii, bulk-data |

Category local-patterns — 0 rules

No rules are defined in this category in the default pack.

Category secret — 22 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| SEC-AWS-KEY | CRITICAL | 0.95 | AWS access key | credential |
| SEC-AWS-SECRET | CRITICAL | 0.90 | AWS secret access key | credential |
| SEC-ANTHROPIC | CRITICAL | 0.98 | Anthropic API key | credential |
| SEC-OPENAI | CRITICAL | 0.95 | OpenAI project key | credential |
| SEC-OPENAI-V2 | CRITICAL | 0.85 | OpenAI API key (long form) | credential |
| SEC-STRIPE | CRITICAL | 0.95 | Stripe key | credential |
| SEC-GITHUB-TOKEN | CRITICAL | 0.95 | GitHub token | credential |
| SEC-GITHUB-PAT | CRITICAL | 0.95 | GitHub fine-grained PAT | credential |
| SEC-GITLAB | CRITICAL | 0.95 | GitLab personal access token | credential |
| SEC-GOOGLE | HIGH | 0.90 | Google API key | credential |
| SEC-SLACK-TOKEN | HIGH | 0.90 | Slack token | credential |
| SEC-SLACK-WEBHOOK | HIGH | 0.95 | Slack webhook URL | credential |
| SEC-DISCORD-WEBHOOK | HIGH | 0.95 | Discord webhook URL | credential |
| SEC-PRIVKEY | CRITICAL | 0.98 | Private key | credential |
| SEC-JWT | MEDIUM | 0.70 | JWT token | credential |
| SEC-CONNSTR | HIGH | 0.90 | Connection string with credentials | credential |
| SEC-BEARER | HIGH | 0.80 | Bearer token in header | credential |
| SEC-SENDGRID | HIGH | 0.95 | SendGrid API key | credential |
| SEC-TWILIO | HIGH | 0.80 | Twilio API key | credential |
| SEC-NPM-TOKEN | CRITICAL | 0.95 | npm access token | credential |
| SEC-PYPI-TOKEN | CRITICAL | 0.95 | PyPI API token | credential |
| SEC-HEX-SECRET | HIGH | 0.72 | Hex-encoded secret in assignment | credential |

Category sensitive-path — 17 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| PATH-SSH-DIR | HIGH | 0.95 | SSH directory access | credential, file-sensitive |
| PATH-SSH-KEY | HIGH | 0.90 | SSH key file path | credential, file-sensitive |
| PATH-AWS-CREDS | CRITICAL | 0.98 | AWS credentials file | credential, file-sensitive |
| PATH-AWS-CONFIG | HIGH | 0.85 | AWS config file | credential, file-sensitive |
| PATH-KUBE | HIGH | 0.90 | Kubernetes config | credential, file-sensitive |
| PATH-DOCKER | HIGH | 0.90 | Docker config | credential, file-sensitive |
| PATH-GNUPG | HIGH | 0.95 | GPG keyring access | credential, file-sensitive |
| PATH-NPMRC | MEDIUM | 0.80 | npm config (may contain tokens) | credential, file-sensitive |
| PATH-PYPIRC | MEDIUM | 0.80 | PyPI config (may contain tokens) | credential, file-sensitive |
| PATH-GIT-CREDS | HIGH | 0.95 | Git credentials file | credential, file-sensitive |
| PATH-NETRC | HIGH | 0.90 | netrc credentials file | credential, file-sensitive |
| PATH-ENV-FILE | HIGH | 0.85 | Environment file | credential, file-sensitive |
| PATH-ETC-PASSWD | HIGH | 0.85 | /etc/passwd access | system-file |
| PATH-ETC-SHADOW | CRITICAL | 0.90 | /etc/shadow access | system-file, credential |
| PATH-ETC-SUDOERS | HIGH | 0.85 | /etc/sudoers access | system-file, privilege |
| PATH-PROC-ENVIRON | HIGH | 0.90 | /proc environ access | credential |
| PATH-HISTORY | MEDIUM | 0.80 | Shell history file | credential, file-sensitive |

Category trust-exploit — 21 rules

| Rule ID | Severity | Confidence | Title | Tags |
|---|---|---|---|---|
| TRUST-AUTHORITY | HIGH | 0.85 | Authority claim in tool args | prompt-injection |
| TRUST-MAINTENANCE | HIGH | 0.85 | Fake mode activation | prompt-injection |
| TRUST-SAFETY-OVERRIDE | CRITICAL | 0.90 | Safety override attempt | prompt-injection |
| TRUST-NEW-INSTRUCTIONS | HIGH | 0.85 | Fake instruction update | prompt-injection |
| TRUST-IGNORE-PREVIOUS | CRITICAL | 0.90 | Ignore previous instructions | prompt-injection |
| TRUST-DISREGARD | CRITICAL | 0.90 | Disregard instructions | prompt-injection |
| TRUST-JAILBREAK | CRITICAL | 0.92 | Jailbreak attempt | prompt-injection |
| TRUST-PRETEND | HIGH | 0.85 | Identity override attempt | prompt-injection |
| TRUST-FORGET | CRITICAL | 0.90 | Forget instructions attack | prompt-injection |
| TRUST-NEW-INSTRUCT-PREFIX | HIGH | 0.85 | Direct instruction injection prefix | prompt-injection |
| TRUST-OVERRIDE-INSTRUCT | CRITICAL | 0.88 | Override instructions | prompt-injection |
| TRUST-FROM-NOW-ON | HIGH | 0.85 | Persistent behavior change | prompt-injection |
| TRUST-SWITCH-MODE | HIGH | 0.85 | Mode/personality switch | prompt-injection |
| TRUST-PROMPT-EXTRACT | MEDIUM | 0.75 | System prompt extraction attempt | prompt-injection |
| TRUST-FICTIONAL | MEDIUM | 0.70 | Fictional framing / purpose laundering | prompt-injection |
| TRUST-NO-ETHICS | HIGH | 0.88 | Ethics removal attempt | prompt-injection |
| TRUST-TOOL-MANIP | HIGH | 0.85 | Tool manipulation directive | prompt-injection |
| TRUST-PERSONA | HIGH | 0.88 | Malicious persona adoption | prompt-injection |
| TRUST-DELIMITER | CRITICAL | 0.93 | Delimiter hijacking / prompt framing escape | prompt-injection |
| TRUST-OUTPUT-CONSTRAINT | HIGH | 0.85 | Forced encoding to bypass filters | prompt-injection, obfuscation |
| TRUST-PAYLOAD-SPLIT | HIGH | 0.87 | Payload splitting / forced compliance prefix | prompt-injection |
