cscli scenarios install cyrille37/sympa_ww-http-scan

Sympa Web Service scan scenario based on the Sympa log parser "cyrille37/sympa_ww-logs".
Because Sympa replies HTTP 200 even for non-existent files, an HTTP scan cannot be detected from the web server's access logs.
So this "leaky" scenario looks for the errors signaled by the "sympa_ww-logs" parser through the meta field "evt.Meta.sympa_warn", blocking the source after 1 attempt with a non-existing action or list, except for the files "robots.txt", "sitemap.xml" and "favicon.ico".
```yaml
# cyrille37/sympa_ww-http-scan
# Version: 2025-11-09
#
# @see sympa_ww-http-scan.md
#
# Docs:
# - [Creating scenario](https://docs.crowdsec.net/docs/next/log_processor/scenarios/create)
# - [expression language](https://expr-lang.org/docs/language-definition)
#
format: 2.0
name: cyrille37/sympa_ww-http-scan
description: "Detect http scan on Sympa endpoint"
type: leaky
#debug: true
filter: "evt.Meta.service == 'wwsympa' && evt.Meta.sympa_warn != '' && not (hasSuffix(evt.Meta.sympa_message, 'robots.txt') || hasSuffix(evt.Meta.sympa_message, 'sitemap.xml') || hasSuffix(evt.Meta.sympa_message, 'favicon.ico'))"
groupby: "evt.Meta.source_ip"
# Here we say that if an IP address is doing more than X matches in less than Y seconds,
# the scenario will be triggered and will then be silent for Zm for the same IP.
capacity: 1
leakspeed: 1m
blackhole: 15m
labels:
  service: wwsympa
  spoofable: 0
  confidence: 3
  type: discovery
  label: "Http Scan"
  behaviors: ['http:scan']
  remediation: true
```
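As an added illustration that is not part of the hub page or the cyrille37 project, the following Python sketch models how the filter, groupby, capacity, leakspeed and blackhole settings above combine on constructed parser events; the evt.Meta keys are the ones named in the filter, while the timestamps, IPs and messages are made up, and the bucket arithmetic is a simplified model of CrowdSec's leaky bucket, not its code.

```python
from dataclasses import dataclass

# Parameters taken from the scenario YAML above.
CAPACITY = 1            # events the bucket holds before overflowing (2nd event overflows)
LEAKSPEED_S = 60        # one event leaks out of the bucket every minute
BLACKHOLE_S = 15 * 60   # after an overflow the same IP raises no new alert for 15 min
EXCLUDED = ("robots.txt", "sitemap.xml", "favicon.ico")

def matches_filter(meta: dict) -> bool:
    """Python equivalent of the scenario's 'filter' expression."""
    if meta.get("service") != "wwsympa" or not meta.get("sympa_warn"):
        return False
    return not meta.get("sympa_message", "").endswith(EXCLUDED)

@dataclass
class Bucket:
    level: float = 0.0            # current fill level (number of events)
    last_ts: float = 0.0          # time of last update, used to compute leakage
    blackhole_until: float = 0.0  # no alert for this key before this time

def simulate(events: list) -> list:
    """Run (timestamp_s, meta) events through one leaky bucket per source IP
    (the 'groupby' key) and return the (timestamp, ip) pairs that would alert."""
    buckets, alerts = {}, []
    for ts, meta in events:
        if not matches_filter(meta):
            continue
        b = buckets.setdefault(meta["source_ip"], Bucket(last_ts=ts))
        b.level = max(0.0, b.level - (ts - b.last_ts) / LEAKSPEED_S)  # leak
        b.last_ts = ts
        b.level += 1
        if b.level > CAPACITY:                       # overflow
            if ts >= b.blackhole_until:              # not blackholed: alert
                alerts.append((ts, meta["source_ip"]))
                b.blackhole_until = ts + BLACKHOLE_S
            b.level = 0.0                            # bucket emptied after overflow
    return alerts

# Constructed events in the shape the sympa_ww-logs parser is assumed to produce.
def _evt(ts, ip, msg, warn="unknown action"):
    return (ts, {"service": "wwsympa", "source_ip": ip,
                 "sympa_warn": warn, "sympa_message": msg})

SAMPLE_EVENTS = [
    _evt(0, "198.51.100.7", "Unknown action /not-here"),
    _evt(10, "198.51.100.7", "Unknown list /nolist"),       # 2nd hit in 10 s -> alert
    _evt(20, "198.51.100.7", "Unknown action /admin"),      # refills the emptied bucket
    _evt(25, "198.51.100.7", "Unknown action /setup"),      # overflows again, blackholed
    _evt(0, "203.0.113.5", "Unknown action /robots.txt"),   # excluded by the filter
    _evt(5, "203.0.113.5", "Unknown action /x"),            # first real hit only
    _evt(200, "203.0.113.5", "Unknown action /y"),          # bucket had leaked empty
]

def run_sample() -> list:
    return simulate(SAMPLE_EVENTS)
```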