http-sensitive-files Configuration

« http-sensitive-files »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)

Installation

cscli scenarios install crowdsecurity/http-sensitive-files

Description

Detect tentative of dangerous file scanning such as logs file, database backup, zip archive etc ...

More than 3 access to sensitive files in this list

YAML Configuration

1type: leaky
2format: 2.0
3#debug: true
4name: crowdsecurity/http-sensitive-files
5description: "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)"
6filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("sensitive_data.txt"), { evt.Parsed.request endsWith #})'
7groupby: "evt.Meta.source_ip"
8distinct: evt.Parsed.request
9data:
10  - source_url: https://hub-data.crowdsec.net/web/sensitive_data.txt
11    dest_file: sensitive_data.txt
12    type: string
13capacity: 4
14leakspeed: 5s
15blackhole: 5m
16labels:
17  remediation: true
18  classification:
19    - attack.T1595.003
20  behavior: "http:scan"
21  label: "Access to sensitive files over HTTP"
22  spoofable: 0
23  service: http
24  confidence: 3
25

Hub configuration

« http-sensitive-files »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

« http-sensitive-files »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3