saving uncommitted changes in /etc prior to dnf run

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-46169.yaml

@@ -2,10 +2,10 @@ type: leaky
 name: crowdsecurity/CVE-2022-46169-bf
 description: "Detect CVE-2022-46169 brute forcing"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
-    Upper(evt.Parsed.verb) == 'GET' &&
-    Lower(evt.Parsed.http_args) contains 'host_id' &&
-    Lower(evt.Parsed.http_args) contains 'local_data_ids'
+  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+  Upper(evt.Parsed.verb) == 'GET' &&
+  Lower(evt.Parsed.http_args) contains 'host_id' &&
+  Lower(evt.Parsed.http_args) contains 'local_data_ids'
 leakspeed: "10s"
 capacity: 5
 blackhole: 1m
@@ -13,17 +13,34 @@ groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1592
+    - cve.CVE-2022-46169
+  spoofable: 0
+  confidence: 3
+  behavior: "http:bruteforce"
+  label: "Cacti CVE-2022-46169"
+  service: cacti
 ---
 type: trigger
 name: crowdsecurity/CVE-2022-46169-cmd
 description: "Detect CVE-2022-46169 cmd injection"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
-    Upper(evt.Parsed.verb) == 'GET' &&
-    Lower(evt.Parsed.http_args) contains 'action=polldata' &&
-    Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
+  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+  Upper(evt.Parsed.verb) == 'GET' &&
+  Lower(evt.Parsed.http_args) contains 'action=polldata' &&
+  Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
-  remediation: true
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-46169
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Cacti CVE-2022-46169"
+  service: cacti