http-path-traversal-probing Configuration

« http-path-traversal-probing »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

Detect path traversal attempt

Installation

cscli scenarios install crowdsecurity/http-path-traversal-probing

Description

The http path traversal probing scenario aims at detecting, with very little false positive chances, path traversal probing attempts.

Path traversal attempts will be detected with the presence of specific path manipulation patterns in the URI or the GET parameter such as ../ , %2Fetc%2Fpasswd ...

⚠️ This scenario is not a WAF and this scenario does not aims at replacing a WAF.

YAML Configuration

1# path traversal probing
2type: leaky
3#debug: true
4name: crowdsecurity/http-path-traversal-probing
5description: "Detect path traversal attempt"
6filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('http_path_traversal.txt'),{evt.Meta.http_path contains #})"
7data:
8  - source_url: https://hub-data.crowdsec.net/web/path_traversal.txt
9    dest_file: http_path_traversal.txt
10    type: string
11groupby: "evt.Meta.source_ip"
12distinct: "evt.Meta.http_path"
13capacity: 3
14reprocess: true
15leakspeed: 10s
16blackhole: 2m
17labels:
18  remediation: true
19  classification:
20    - attack.T1595.002
21  behavior: "http:exploit"
22  label: "HTTP Path Traversal Exploit"
23  service: http
24  spoofable: 0
25  confidence: 3
26

Hub configuration

« http-path-traversal-probing »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

« http-path-traversal-probing »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3