cscli scenarios install crowdsecurity/http-dos-invalid-http-versions
This scenario detects DoS tools that issue a high number of requests with invalid HTTP versions.
Directly inspired by the TTPs of specific DoS tools.
⚠️ This scenario might trigger false positives; proper testing is advised ⚠️
```yaml
type: trigger
format: 2.0
#debug: true
name: crowdsecurity/http-dos-invalid-http-versions
description: "Detect DoS tools using invalid HTTP versions"
#pattern seen in mhddos tool
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_version != "" && evt.Parsed.http_version not in ["0.9", "1.0", "1.1", "2.0", "3.0"]'
groupby: "evt.Meta.source_ip"
blackhole: 2m
labels:
  service: http
  remediation: true
  confidence: 2
  spoofable: 0
  classification:
    - attack.T1498
  behavior: "http:dos"
  label: "HTTP DOS with invalid HTTP version"
```
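To make the filter concrete, here is an added Python re-implementation (example code, not part of the hub page or of CrowdSec itself) that runs the same version allow-list check over constructed combined-format access-log lines and groups matches per source IP the way `groupby: evt.Meta.source_ip` does. The log format, the regex parser stand-in and the sample lines are assumptions; in a real deployment the HTTP parsers supply `evt.Parsed.http_version`.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format, RFC 5737 documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.3" 400 0 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/8.7" 400 0 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /favicon.ico HTTP/2.0" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /" 400 0 "-" "-"
"""

# Same allow-list as the scenario's `not in [...]` clause.
VALID_HTTP_VERSIONS = {"0.9", "1.0", "1.1", "2.0", "3.0"}

LOG_RE = re.compile(r'^(?P<source_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

def parse_line(line):
    """Stand-in for the parser stage (assumption): extract evt.Meta.source_ip and
    evt.Parsed.http_version. A request line with no version token (an
    HTTP/0.9-style "GET /") yields "", which the filter deliberately skips."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    has_version = len(parts) == 3 and parts[2].startswith("HTTP/")
    version = parts[2][len("HTTP/"):] if has_version else ""
    return {"source_ip": m.group("source_ip"), "http_version": version}

def scenario_filter(evt):
    """The scenario's `filter:` expression, minus the log_type check."""
    v = evt["http_version"]
    return v != "" and v not in VALID_HTTP_VERSIONS

def run_scenario(log_text):
    """Apply the filter and group matches by source IP, as `groupby:` does.
    With `type: trigger` the first match per IP raises the alert and
    `blackhole: 2m` silences repeats for two minutes; the counts here only
    show how many lines per IP would have matched."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt and scenario_filter(evt):
            hits[evt["source_ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    print(run_scenario(SAMPLE_LOG))  # {'198.51.100.7': 2}
```

The versionless request on the last line is the case the `http_version != ""` clause exists for: it is excluded rather than counted as invalid.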