saving uncommitted changes in /etc prior to dnf run

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-44877.yaml

@@ -3,13 +3,22 @@ type: trigger
 name: crowdsecurity/CVE-2022-44877
 description: "Detect CVE-2022-44877 exploits"
 filter: |
-    Lower(evt.Meta.http_path) contains '/index.php' &&
-    Upper(evt.Parsed.verb) == 'POST' &&
-    evt.Meta.http_status == '302' &&
-    Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
+  Lower(evt.Meta.http_path) contains '/index.php' &&
+  Upper(evt.Parsed.verb) == 'POST' &&
+  evt.Meta.http_status == '302' &&
+  Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
 
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-44877
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Centos Webpanel CVE-2022-44877"
+  service: centos