cscli scenarios install baudneo/zoneminder_cve-2022-39291
Scenario to detect exploitation attempts of CVE-2022-39291. It rate-limits POST requests to index.php that create log entries (view=request, request=log, task=create), the request pattern the proof of concept uses. A sample exploitation request:
```http
POST /zm/index.php HTTP/1.1
Host: 10.0.10.107
Content-Length: 256
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.0.10.107
Referer: http://10.0.10.107/zm/?
Content-Security-Policy: default-src 'self' data: *; connect-src 'self'; script-src 'self';
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: zmSkin=classic; zmCSS=base; zmBandwidth=high; ZMSESSID=8o8h3mg4nv7pmmsu4tm13r1v4d
Connection: close

__csrf_magic=key%3A85866fbcb6a1d7325544a55aa63fb534677f34ca%2C1665102411&view=request&request=log&task=create&level=ERR&message=Trenches%20of%20IT%20PoC&browser%5Bname%5D=Chrome&browser%5Bversion%5D=101.0.4951.41&browser%5Bplatform%5D=Windows&file=line=800
```
⚠️ CrowdSec is not a WAF and, as such, bypasses of these signatures are likely ⚠️
```yaml
type: leaky
format: 2.0
#debug: true
# __csrf_magic=key%3A85866fbcb6a1d7325544a55aa63fb534677f34ca%2C1665102411&request=log&task=create&level=ERR&message=Trenches%20of%20IT%20PoC&browser%5Bname%5D=Chrome&browser%5Bversion%5D=101.0.4951.41&browser%5Bplatform%5D=Windows&file=line=800&view=request HTTP/1.1
name: baudneo/zoneminder_cve-2022-39291
description: "Detect cve-2022-39291 exploitation attempts"
filter: |
  evt.Meta.log_type in ["http_access-log", "http_error-log"]
  and
  (
    ( Upper(evt.Meta.http_verb) == "POST" and
      Upper(evt.Meta.http_path) matches Upper('^(?P<path>/.*index.php)?.*(?P<view>view=request|request=log|task=create)+.*(?P<request_query>view=request|request=log|task=create)+.*(?P<task_query>view=request|request=log|task=create)+.*')
    )
    or
    Upper(evt.Parsed.rawrequest) matches Upper('^(?P<verb>POST) (?P<path>/.*index.php)?.*(?P<view>view=request|request=log|task=create)+.*(?P<request_query>view=request|request=log|task=create)+.*(?P<task_query>view=request|request=log|task=create)+.*')
  )
groupby: "evt.Meta.source_ip"
capacity: 10
leakspeed: "10s"
blackhole: 2m
labels:
  classification:
    - attack.T1595
    - attack.T1190
    - cve.CVE-2022-39291
  spoofable: 0
  confidence: 3
  service: zoneminder
  behavior: "http:exploit"
  label: "Zoneminder CVE-2022-39291"
  remediation: true
```
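To see how the scenario's filter and bucket settings behave on real traffic, here is an added Python simulation; it is not part of the scenario and not CrowdSec's own code. It applies the `http_path` branch of the filter (same regex, case-insensitive instead of `Upper()`) to constructed combined-format access-log lines, then feeds matches through a leaky bucket with the scenario's `capacity`, `leakspeed` and `blackhole`, keyed by source IP. The log lines, IP addresses and the minimal log parser are constructed assumptions; CrowdSec's bucket is modelled as overflowing on the (capacity+1)th event that arrives faster than it leaks, and as discarding events for the blackhole duration after an overflow. Two properties of the filter worth knowing before deploying it: the `index.php` group is optional, so any logged path containing the three keywords matches, and the keywords only appear in `http_path` or `rawrequest` when they are sent in the query string, so a request carrying them in the POST body (as in the sample above) is only caught if the log line records the body.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Same pattern as the scenario's http_path filter. The scenario upper-cases both
# sides, which IGNORECASE reproduces; the unescaped "." in "index.php" is kept
# exactly as the scenario writes it.
PATH_RE = re.compile(
    r"^(?P<path>/.*index.php)?.*(?P<view>view=request|request=log|task=create)+"
    r".*(?P<request_query>view=request|request=log|task=create)+"
    r".*(?P<task_query>view=request|request=log|task=create)+.*",
    re.IGNORECASE,
)

# Minimal combined-log parser (assumption): enough to recover source IP,
# timestamp, verb and path, which is what the scenario's filter consumes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def matches_filter(verb: str, path: str) -> bool:
    """Equivalent of the scenario filter's http_verb/http_path branch."""
    return verb.upper() == "POST" and PATH_RE.search(path) is not None


@dataclass
class LeakyBucket:
    capacity: int = 10                 # scenario: capacity: 10
    leak_seconds: float = 10.0         # scenario: leakspeed: "10s" (one event drains per 10 s)
    blackhole_seconds: float = 120.0   # scenario: blackhole: 2m
    level: float = 0.0
    last_ts: Optional[float] = None
    blackholed_until: float = float("-inf")

    def add(self, ts: float) -> bool:
        """Pour one event in; return True when the bucket overflows (an alert)."""
        if ts < self.blackholed_until:
            return False  # modelled blackhole: bucket ignores events after an overflow
        if self.last_ts is not None:
            # Drain whatever leaked out since the previous event.
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_seconds)
        self.last_ts = ts
        self.level += 1.0
        if self.level > self.capacity:  # capacity + 1 events faster than they leak
            self.level, self.last_ts = 0.0, None
            self.blackholed_until = ts + self.blackhole_seconds
            return True
        return False


def run_scenario(log_lines):
    """Return (ip, timestamp) for every overflow, one bucket per source IP (groupby)."""
    buckets, alerts = {}, []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not matches_filter(m["verb"], m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        bucket = buckets.setdefault(m["ip"], LeakyBucket())
        if bucket.add(ts):
            alerts.append((m["ip"], m["ts"]))
    return alerts


# Constructed sample log (not real traffic). Parameters are placed in the query
# string so that they show up in the logged path.
def _line(ip, second, verb="POST",
          path="/zm/index.php?view=request&request=log&task=create&level=ERR"):
    return f'{ip} - - [07/Oct/2022:00:26:{second:02d} +0000] "{verb} {path} HTTP/1.1" 200 42'


SAMPLE_LOG = (
    [_line("10.0.10.50", 0) for _ in range(11)]          # 11 hits in one second -> overflow
    + [_line("10.0.10.50", 15)]                          # inside the 2 m blackhole -> ignored
    + [_line("10.0.10.51", s) for s in range(3)]         # 3 hits -> stays under capacity
    + [_line("10.0.10.52", 5, verb="GET")]               # GET -> verb check fails
    + [_line("10.0.10.53", 5, path="/zm/index.php")]     # no log-create keywords -> no match
)

if __name__ == "__main__":
    for ip, ts in run_scenario(SAMPLE_LOG):
        print(f"overflow: {ip} at {ts}")
```

Running the file prints one overflow for 10.0.10.50 and nothing for the other three addresses: the burst of eleven matching POSTs fills the bucket past its capacity of 10, the twelfth request lands in the two-minute blackhole, and the slow, non-POST and keyword-less traffic never matches or never accumulates.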