daily autocommit

crowdsec/hub/collections/crowdsecurity/http-cve.yaml

@@ -21,6 +21,7 @@ scenarios:
   - crowdsecurity/CVE-2022-46169
   - crowdsecurity/CVE-2022-44877
   - crowdsecurity/CVE-2019-18935
+  - crowdsecurity/netgear_rce
 author: crowdsecurity
 tags:
   - web

crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml

@@ -15,6 +15,7 @@ pattern_syntax:
   SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection closed by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method) found.'
 nodes:
   - grok:
       name: "SSHD_FAIL"
@@ -86,6 +87,12 @@ nodes:
           value: ssh_failed-auth
         - meta: target_user
           expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_BAD_KEY_NEGOTIATION"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_bad_keyexchange
 statics:
     - meta: service
       value: ssh

crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml

@@ -0,0 +1,13 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/netgear_rce
+description: "Detect Netgear RCE DGN1000/DGN220 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Lower(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+references: 
+  - "https://www.exploit-db.com/exploits/25978"
+labels:
+  type: exploit
+  remediation: true

crowdsec/scenarios/netgear_rce.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml