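# CrowdSec scenario: alert on a source IP whose request path contains one of
# the "trendy" CVE probe URIs from a remotely fetched list, but only when the
# request failed (403/404) -- i.e. the classic opportunistic CVE scan.
type: trigger
name: crowdsecurity/http-cve-probing
description: "Detect generic HTTP cve probing"
# `filter` is an expr expression in a YAML block scalar: every comment must stay
# out here, because anything inside the block is part of the expression text.
#
# - Only 403/404 responses count; a successful hit on a vulnerable path is
#   out of scope for this scenario.
# - File("trendy_cves_uris.json") yields the data file line by line, so each
#   line is expected to be one JSON object carrying "uri" and "cve" keys
#   (newline-delimited JSON). A line with a missing or empty "uri" is rejected
#   explicitly: JsonExtract returns "" on a missing key and `contains ""` is
#   true for every path, so without the guard one malformed feed line would
#   match every failed request and -- with remediation enabled below -- ban
#   every client that ever gets a 404.
# - The ternary records the matching CVE on the event via SetMeta. `any`
#   stops at the first true element, so when several entries match, the one
#   that comes first in the data file decides the "cve" metadata.
filter: |
  evt.Meta.service == 'http' and
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  evt.Meta.http_status in ['404', '403'] and
  any(File("trendy_cves_uris.json"), {
    (JsonExtract(#, "uri") != "" and evt.Meta.http_path contains JsonExtract(#, "uri")) ? evt.SetMeta("cve", JsonExtract(#, "cve")) : false
  })
# One bucket per client IP; the alert (and any ban) is keyed on this value.
groupby: evt.Meta.source_ip
# NOTE(review): a trigger bucket overflows on its first event, so this
# presumably only influences which events are attached to the alert rather
# than whether it fires -- confirm against the bucket documentation.
distinct: "evt.Meta.http_path"
# Detection content is pulled from the CrowdSec hub at install/update time.
# It is data, not expression code, so a tampered feed cannot execute anything
# on the engine, but it does decide which paths trigger a ban: integrity rests
# on TLS to hub-data.crowdsec.net, so review the fetched file after updates.
data:
  - source_url: https://hub-data.crowdsec.net/web/trendy_cves_uris.json
    dest_file: trendy_cves_uris.json
    type: string
# After an overflow, further events from the same source IP are dropped for
# one minute, so a scanner sweeping many paths produces one alert per minute
# rather than one per request.
blackhole: 1m
labels:
  confidence: 3
  # 0 = the source IP is taken as genuine (TCP peer). If the logs come from
  # behind a proxy/CDN, the real client must already be resolved by the parser
  # (e.g. from X-Forwarded-For), otherwise the proxy itself gets banned.
  spoofable: 0
  classification:
    # MITRE ATT&CK T1595: Active Scanning.
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP CVE Probing"
  service: http
  # Alerts are forwarded to remediation components (bouncers): a false
  # positive here is a blocked client, hence the empty-uri guard in `filter`.
  remediation: true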