cscli scenarios install crowdsecurity/naxsi-exploit-vpatch
Detects requests blocked by naxsi on custom rules (rule ID > 9999).
Triggers on the first request.
# naxsi vpatch rules detection
type: trigger
name: crowdsecurity/naxsi-exploit-vpatch
# id is bigger than 9k, custom rule
description: "Detect custom blacklist triggered in naxsi"
filter: "evt.Meta.log_type == 'waf_naxsi-log' && len(evt.Parsed.naxsi_id) > 4"
groupby: "evt.Meta.source_ip"
blackhole: 5m
labels:
  remediation: true
  confidence: 2
  spoofable: 0
  classification:
    - attack.T1595
    - attack.T1190
  behavior: "http:exploit"
  service: http
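The scenario's evaluation, modeled in Python as an added example (not CrowdSec's own code): the filter, the grouping by source IP, the trigger on the first matching event, and the 5-minute blackhole. The event dictionaries, sample IPs and rule IDs are constructed, and the blackhole handling is a simplified assumption of how a bucket is silenced after it overflows.

```python
from datetime import datetime, timedelta

BLACKHOLE = timedelta(minutes=5)          # blackhole: 5m
T0 = datetime(2024, 1, 1, 12, 0, 0)       # constructed start time


def ev(offset_s, ip, log_type, naxsi_id):
    """Build a constructed event shaped like the fields the scenario reads."""
    return {"ts": T0 + timedelta(seconds=offset_s),
            "meta": {"log_type": log_type, "source_ip": ip},
            "parsed": {"naxsi_id": naxsi_id}}


def matches_filter(evt):
    """filter: naxsi log AND the rule id string is longer than 4 characters.
    The check is on string length, so "9999" is skipped and "10000" matches."""
    return (evt["meta"].get("log_type") == "waf_naxsi-log"
            and len(evt["parsed"].get("naxsi_id", "")) > 4)


def run_scenario(events):
    """Return (timestamp, source_ip, naxsi_id) for each alert raised."""
    silenced_until = {}                   # groupby key (source_ip) -> end of blackhole
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt):
            continue
        ip = evt["meta"]["source_ip"]     # groupby: evt.Meta.source_ip
        if ip in silenced_until and evt["ts"] < silenced_until[ip]:
            continue                      # same IP still inside the blackhole window
        alerts.append((evt["ts"], ip, evt["parsed"]["naxsi_id"]))  # type: trigger
        silenced_until[ip] = evt["ts"] + BLACKHOLE
    return alerts


# Constructed sample events (documentation IP ranges, made-up rule ids).
SAMPLE = [
    ev(0,   "192.0.2.10",   "waf_naxsi-log", "1302"),   # 4-character id: filtered out
    ev(10,  "192.0.2.10",   "waf_naxsi-log", "10001"),  # first custom-rule hit: alert
    ev(60,  "192.0.2.10",   "waf_naxsi-log", "10002"),  # same IP within 5m: silenced
    ev(90,  "198.51.100.7", "waf_naxsi-log", "42000"),  # other IP, own bucket: alert
    ev(120, "198.51.100.7", "nginx",         "42000"),  # wrong log_type: filtered out
    ev(311, "192.0.2.10",   "waf_naxsi-log", "10001"),  # blackhole expired: alert
]

if __name__ == "__main__":
    for ts, ip, rule_id in run_scenario(SAMPLE):
        print(ts.isoformat(), ip, rule_id)
```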