```
cscli scenarios install crowdsecurity/http-sap-interface-probing
```

The SAP interface probing scenario aims to detect, with a very low chance of false positives, IPs probing for exposed SAP interfaces.
Path traversal attempts are detected by the presence of specific paths related to SAP.
⚠️ This scenario is not a WAF and does not aim to replace one.
```yaml
type: leaky
#debug: true
name: crowdsecurity/http-sap-interface-probing
description: "Detect generic HTTP SAP interface probing"
filter: |
  evt.Meta.service == 'http' and
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  evt.Meta.http_status in ['404', '403'] and (
  let uri = Lower(evt.Meta.http_path);
  uri contains "/sap/bc/gui/sap/its/webgui"
  or uri contains "/irj/portal"
  or uri contains "/sap/bc/"
  or uri contains "/sap/bc/ui2/flp"
  or uri contains "/sap/bc/ui5_ui5/"
  or uri contains "/sap/opu/odata/"
  or uri contains "/sap/bc/webdynpro/"
  or uri contains "/sap/public/bc/"
  or uri contains "/sap/public/info"
  or uri contains "/sap/public/icf_info"
  or uri contains "/sap/admin/publicicp/"
  or uri contains "/sap/admin/public/"
  or uri == "/nwa"
  or uri contains "/webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/umeadminapp"
  or uri contains "/sap/hana/xs/admin"
  or uri contains "/sap/hana/xs/formlogin"
  or uri contains "/irj/go/km/navigation"
  )
groupby: evt.Meta.source_ip
leakspeed: "10s"
capacity: 1
distinct: evt.Meta.http_path
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP SAP Interface Probing"
  service: http
  remediation: true
```
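To see how the filter and the bucket settings (capacity 1, leakspeed 10s, distinct http_path, blackhole 1m) interact, the following added Python sketch replays constructed access-log lines through a simplified model of the scenario. It is not CrowdSec's code; the log format, regex, function names and the rule that a drained bucket forgets previously seen paths are assumptions made for illustration.

```python
import re
from datetime import datetime
SAP_SUBSTRINGS = (  # copied from the scenario filter; "/nwa" is an exact match there
    "/sap/bc/gui/sap/its/webgui", "/irj/portal", "/sap/bc/", "/sap/bc/ui2/flp",
    "/sap/bc/ui5_ui5/", "/sap/opu/odata/", "/sap/bc/webdynpro/", "/sap/public/bc/",
    "/sap/public/info", "/sap/public/icf_info", "/sap/admin/publicicp/",
    "/sap/admin/public/", "/sap/hana/xs/admin", "/sap/hana/xs/formlogin",
    "/irj/go/km/navigation", "/webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/umeadminapp")
LEAKSPEED, CAPACITY, BLACKHOLE = 10.0, 1, 60.0  # leakspeed 10s, capacity 1, blackhole 1m
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
# Constructed sample access log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2024:10:00:00 +0000] "GET /sap/public/info HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2024:10:00:02 +0000] "GET /sap/public/info HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2024:10:00:03 +0000] "GET /irj/portal HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2024:10:00:05 +0000] "GET /sap/bc/ping HTTP/1.1" 403 153
198.51.100.23 - - [10/Oct/2024:10:00:06 +0000] "GET /nwa HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2024:10:00:00 +0000] "GET /sap/public/info HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2024:10:00:15 +0000] "GET /irj/portal HTTP/1.1" 404 153
192.0.2.50 - - [10/Oct/2024:10:00:01 +0000] "GET /SAP/BC/gui/sap/its/webgui HTTP/1.1" 200 900
192.0.2.50 - - [10/Oct/2024:10:00:02 +0000] "GET /nwa/x HTTP/1.1" 404 153
"""

def matches_filter(path, status):
    uri = path.lower()  # the filter lowercases http_path before matching
    return status in ("403", "404") and (
        uri == "/nwa" or any(p in uri for p in SAP_SUBSTRINGS))

def detect(log_text):  # returns [(source_ip, timestamp)], one per alerting overflow
    buckets, muted_until, alerts = {}, {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, path, status = m.groups()
        if not matches_filter(path, status):
            continue
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        b = buckets.setdefault(ip, {"level": 0.0, "last": now, "seen": set()})
        b["level"] = max(0.0, b["level"] - (now - b["last"]) / LEAKSPEED)
        b["last"] = now
        if b["level"] == 0.0:
            b["seen"].clear()  # assumption: a drained bucket forgets old paths
        if path not in b["seen"]:  # distinct: a repeated http_path is not poured
            b["seen"].add(path)
            b["level"] += 1
        if b["level"] > CAPACITY:  # overflow destroys the bucket
            del buckets[ip]
            if now >= muted_until.get(ip, 0.0):  # blackhole mutes repeat alerts
                alerts.append((ip, ts))
                muted_until[ip] = now + BLACKHOLE
    return alerts
```

In the sample, only 198.51.100.23 alerts: two distinct SAP paths return 404 within 10 seconds, while the repeated path, the 15-second gap, the 200 response and `/nwa/x` do not contribute.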