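---
# CrowdSec scenario: flag a source IP that keeps requesting well-known
# admin-interface paths and only gets 403/404 back (reconnaissance).
type: leaky

name: crowdsecurity/http-admin-interface-probing
description: "Detect generic HTTP admin interface probing"

# Only HTTP access/error log events with a 403 or 404 status are
# considered, and only when the lower-cased request path contains one
# of the entries of admin_interfaces.txt.
# NOTE: `contains` is a substring test, so a short list entry (e.g. a
# bare "admin") also matches legitimate traffic to an existing admin UI;
# review the downloaded list if this scenario turns out to be noisy.
# A 200 on the same paths is deliberately NOT matched: the scenario
# targets probing of interfaces that do not exist here, not their use.
# The `#` inside the closure is expr's current-element placeholder, not
# a YAML comment — it is kept literally because this is a `|` block scalar.
filter: |
  evt.Meta.service == 'http' and
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  evt.Meta.http_status in ['404', '403'] and
  any(File("admin_interfaces.txt"), { Lower(evt.Meta.http_path) contains #})

# One bucket per source IP. Each distinct raw path fills the bucket once,
# so hammering a single URL does not trigger it. `distinct` compares the
# path as logged (case-sensitive), while the filter matches case-insensitively,
# so `/admin` and `/Admin` count as two probes.
groupby: evt.Meta.source_ip
distinct: "evt.Meta.http_path"

# Word list fetched from the hub at install/update time and stored next
# to the scenario. Its contents drive the filter above, so treat it as
# part of the detection logic (and of the supply chain) when reviewing.
data:
  - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
    dest_file: admin_interfaces.txt
    type: string

# Leaky bucket: holds up to `capacity` distinct matching paths and leaks
# one every `leakspeed`; it overflows on the next distinct path beyond
# that (i.e. a burst of 3 different admin paths within ~10s). After an
# overflow the same source is ignored for `blackhole` to avoid re-alerting.
capacity: 2
leakspeed: "10s"
blackhole: "1m"

labels:
  # Hub confidence rating for this detection.
  confidence: 3
  # spoofable: 0 relies on evt.Meta.source_ip being the real client
  # address (TCP-backed HTTP). Behind a reverse proxy / CDN the parser
  # must fill it from the forwarded client header, otherwise
  # `remediation: true` ends up banning the proxy itself.
  spoofable: 0
  classification:
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP Admin Interface Probing"
  service: http
  # Overflows produce ban decisions for the source IP.
  remediation: true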