committing changes in /etc made by "-bash"

Package changes:

crowdsec/hub/collections/crowdsecurity/apache2.yaml

@@ -0,0 +1,13 @@
+parsers:
+#generic post-parsing of http stuff
+  - crowdsecurity/apache2-logs
+collections:
+  - crowdsecurity/base-http-scenarios
+description: "apache2 support : parser and generic http scenarios "
+author: crowdsecurity
+tags:
+  - linux
+  - apache2
+  - crawl
+  - scan
+

crowdsec/hub/collections/crowdsecurity/base-http-scenarios.yaml

@@ -0,0 +1,25 @@
+parsers:
+  - crowdsecurity/http-logs
+scenarios:
+  - crowdsecurity/http-crawl-non_statics
+  - crowdsecurity/http-probing
+  - crowdsecurity/http-bad-user-agent
+  - crowdsecurity/http-path-traversal-probing
+  - crowdsecurity/http-sensitive-files
+  - crowdsecurity/http-sqli-probing
+  - crowdsecurity/http-xss-probing
+  - crowdsecurity/http-backdoors-attempts
+  - ltsich/http-w00tw00t
+  - crowdsecurity/http-generic-bf
+  - crowdsecurity/http-open-proxy
+collections:
+  - crowdsecurity/http-cve
+
+description: "http common : scanners detection"
+author: crowdsecurity
+tags:
+  - linux
+  - http
+  - crawl
+  - scan
+

crowdsec/hub/collections/crowdsecurity/http-cve.yaml

@@ -0,0 +1,29 @@
+scenarios:
+  - crowdsecurity/http-cve-2021-41773
+  - crowdsecurity/http-cve-2021-42013
+  - crowdsecurity/grafana-cve-2021-43798
+  - crowdsecurity/vmware-vcenter-vmsa-2021-0027
+  - crowdsecurity/fortinet-cve-2018-13379
+  - crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
+  - crowdsecurity/f5-big-ip-cve-2020-5902
+  - crowdsecurity/thinkphp-cve-2018-20062
+  - crowdsecurity/apache_log4j2_cve-2021-44228
+  - crowdsecurity/jira_cve-2021-26086
+  - crowdsecurity/spring4shell_cve-2022-22965
+  - crowdsecurity/vmware-cve-2022-22954
+  - crowdsecurity/CVE-2022-37042
+  - crowdsecurity/CVE-2022-41082
+  - crowdsecurity/CVE-2022-35914
+  - crowdsecurity/CVE-2022-40684
+  - crowdsecurity/CVE-2022-26134
+  - crowdsecurity/CVE-2022-42889
+  - crowdsecurity/CVE-2022-41697
+  - crowdsecurity/CVE-2022-46169
+  - crowdsecurity/CVE-2022-44877
+  - crowdsecurity/CVE-2019-18935
+author: crowdsecurity
+tags:
+  - web
+  - exploit
+  - cve
+  - http

crowdsec/hub/collections/crowdsecurity/linux.yaml

@@ -0,0 +1,11 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/geoip-enrich
+  - crowdsecurity/dateparse-enrich
+collections:
+  - crowdsecurity/sshd
+description: "core linux support : syslog+geoip+ssh"
+author: crowdsecurity
+tags:
+  - linux
+

crowdsec/hub/collections/crowdsecurity/mysql.yaml

@@ -0,0 +1,10 @@
+parsers:
+  - crowdsecurity/mysql-logs
+scenarios:
+  - crowdsecurity/mysql-bf
+description: "mysql support : logs and brute-force scenarios"
+author: crowdsecurity
+tags:
+  - linux
+  - mysql
+  - bruteforce

crowdsec/hub/collections/crowdsecurity/nginx.yaml

@@ -0,0 +1,15 @@
+parsers:
+#generic post-parsing of http stuff
+  - crowdsecurity/nginx-logs
+collections:
+  - crowdsecurity/base-http-scenarios
+scenarios:
+  - crowdsecurity/nginx-req-limit-exceeded
+description: "nginx support : parser and generic http scenarios"
+author: crowdsecurity
+tags:
+  - linux
+  - nginx
+  - crawl
+  - scan
+

crowdsec/hub/collections/crowdsecurity/sshd.yaml

@@ -0,0 +1,12 @@
+parsers:
+  - crowdsecurity/sshd-logs
+scenarios:
+  - crowdsecurity/ssh-bf
+  - crowdsecurity/ssh-slow-bf
+description: "sshd support : parser and brute-force detection"
+author: crowdsecurity
+tags:
+  - linux
+  - ssh
+  - bruteforce
+

crowdsec/hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml

@@ -0,0 +1,48 @@
+#If it's syslog, we are going to extract progname from it
+filter: "evt.Line.Labels.type == 'syslog'"
+onsuccess: next_stage
+pattern_syntax:
+  RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}'
+  RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]'
+name: crowdsecurity/syslog-logs
+nodes:
+  - grok:
+      #this is a named regular expression. grok patterns can be kept into separate files for readability
+      pattern: "^%{SYSLOGLINE}" 
+      #This is the field of the `Event` to which the regexp should be applied
+      apply_on: Line.Raw
+  - grok:
+      #a second pattern for unparsed syslog lines, as saw in opnsense
+      pattern: '%{RAW_SYSLOG_PREFIX} - %{RAW_SYSLOG_META} %{GREEDYDATA:message}'
+      apply_on: Line.Raw
+#if the node was successfull, statics will be applied.
+statics:
+  - meta: machine
+    expression: evt.Parsed.logsource
+  - parsed: "logsource"
+    value: "syslog"
+# syslog date can be in two different fields (one of hte assignment will fail)
+  - target: evt.StrTime
+    expression: evt.Parsed.timestamp
+  - target: evt.StrTime
+    expression: evt.Parsed.timestamp8601
+  - meta: datasource_path
+    expression: evt.Line.Src
+  - meta: datasource_type
+    expression: evt.Line.Module
+---
+#if it's not syslog, the type is the progname
+filter: "evt.Line.Labels.type != 'syslog'"
+onsuccess: next_stage
+name: crowdsecurity/non-syslog
+#debug: true
+statics:
+  - parsed: message
+    expression: evt.Line.Raw
+  - parsed: program
+    expression: evt.Line.Labels.type
+  - meta: datasource_path
+    expression: evt.Line.Src
+  - meta: datasource_type
+    expression: evt.Line.Module
+

crowdsec/hub/parsers/s01-parse/crowdsecurity/apache2-logs.yaml

@@ -0,0 +1,93 @@
+#Apache access/errors logs
+#debug: true
+filter: "evt.Parsed.program startsWith 'apache2'"
+onsuccess: next_stage
+name: crowdsecurity/apache2-logs
+description: "Parse Apache2 access and error logs"
+#log line can be prefixed by a target_fqdn
+nodes:
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{COMMONAPACHELOG}( "%{NOTDQUOTE:referrer}" "%{NOTDQUOTE:http_user_agent}")?'
+      apply_on: message
+      # these ones apply for both grok patterns
+      statics:
+        - meta: log_type
+          value: http_access-log
+        - target: evt.StrTime
+          expression: evt.Parsed.timestamp
+        - meta: service
+          value: http
+        - meta: source_ip
+          expression: evt.Parsed.clientip
+        - meta: http_status
+          expression: evt.Parsed.response
+        - meta: http_path
+          expression: evt.Parsed.request
+        - meta: http_verb
+          expression: "evt.Parsed.verb"
+        - meta: http_user_agent
+          expression: "evt.Parsed.http_user_agent"
+        - meta: target_fqdn
+          expression: "evt.Parsed.target_fqdn"
+    onsuccess: next_stage
+  - grok:
+      pattern: '%{HTTPD_ERRORLOG}'
+      apply_on: message
+    onsuccess: next_stage
+    pattern_syntax:
+      NOT_DOUBLE_POINT: '[^:]+'
+      NOT_DOUBLE_QUOTE: '[^"]+'    
+    nodes:
+      - filter: "evt.Parsed.module == 'auth_basic'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_USER_AND_PATH: 'user %{NOT_DOUBLE_POINT:username}: authentication failure for "%{NOT_DOUBLE_QUOTE:target_uri}": Password Mismatch'
+          EXTRACT_USER_AND_PATH2: 'user %{NOT_DOUBLE_POINT:username} not found: "?%{NOT_DOUBLE_QUOTE:target_uri}"?'
+        grok:
+          pattern: '%{EXTRACT_USER_AND_PATH}|%{EXTRACT_USER_AND_PATH2}'
+          apply_on: message
+          # these ones apply for both grok patterns
+        statics:
+          - meta: username
+            expression: evt.Parsed.username
+          - meta: http_path
+            expression: evt.Parsed.target_uri
+          - meta: sub_type
+            value: "auth_fail"
+      - filter: "evt.Parsed.module == 'core' && evt.Parsed.message contains 'Invalid URI'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_URIVERB: 'Invalid URI in request %{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})'
+        grok:
+          pattern: '%{EXTRACT_URIVERB}'
+          apply_on: message
+        statics:
+          - meta: http_path
+            expression: evt.Parsed.request
+          - meta: sub_type
+            value: "invalid_uri"
+      - filter: "evt.Parsed.module == 'authz_core' && evt.Parsed.message contains 'client denied'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_PATH: 'client denied by server configuration: %{GREEDYDATA:target_uri}'
+        grok:
+          pattern: '%{EXTRACT_PATH}'
+          apply_on: message
+        statics:
+          - meta: http_path
+            expression: evt.Parsed.target_uri
+          - meta: sub_type
+            value: "permission_denied"
+    statics:
+      - meta: log_type
+        value: http_error-log
+      - target: evt.StrTime
+        expression: evt.Parsed.timestamp
+      - meta: service
+        value: http
+      - meta: source_ip
+        expression: evt.Parsed.client
+      - meta: http_status
+        expression: evt.Parsed.response
+
+      

crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml

@@ -0,0 +1,14 @@
+onsuccess: next_stage
+name: crowdsecurity/mysql-logs
+description: "Parse MySQL logs"
+filter: "evt.Parsed.program == 'mysql'"
+grok:
+  pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)"
+  apply_on: message
+statics:
+  - meta: log_type
+    value: mysql_failed_auth
+  - meta: source_ip
+    expression: "evt.Parsed.source_ip"
+  - meta: user
+    expression: "evt.Parsed.user"

crowdsec/hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml

@@ -0,0 +1,68 @@
+filter: "evt.Parsed.program startsWith 'nginx'"
+onsuccess: next_stage
+name: crowdsecurity/nginx-logs
+description: "Parse nginx access and error logs"
+nodes:
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: http_access-log
+        - target: evt.StrTime
+          expression: evt.Parsed.time_local
+  - grok:
+      # and this one the error log
+      pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{URIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: http_error-log
+        - target: evt.StrTime
+          expression: evt.Parsed.time
+    pattern_syntax:
+      NO_DOUBLE_QUOTE: '[^"]+'
+    onsuccess: next_stage
+    nodes:
+      - filter: "evt.Parsed.message contains 'was not found in'"
+        pattern_syntax:
+          USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
+        grok:
+          pattern: '%{USER_NOT_FOUND}'
+          apply_on: message
+        statics:
+          - meta: sub_type
+            value: "auth_fail"
+          - meta: username
+            expression: evt.Parsed.username
+      - filter: "evt.Parsed.message contains 'password mismatch'"
+        pattern_syntax:
+          PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
+        grok:
+          pattern: '%{PASSWORD_MISMATCH}'
+          apply_on: message
+        statics:
+          - meta: sub_type
+            value: "auth_fail"
+          - meta: username
+            expression: evt.Parsed.username
+      - filter: "evt.Parsed.message contains 'limiting requests, excess'"
+        statics:
+          - meta: sub_type
+            value: "req_limit_exceeded"
+    # these ones apply for both grok patterns
+statics:
+  - meta: service
+    value: http
+  - meta: source_ip
+    expression: "evt.Parsed.remote_addr"
+  - meta: http_status
+    expression: "evt.Parsed.status"
+  - meta: http_path
+    expression: "evt.Parsed.request"
+  - meta: http_verb
+    expression: "evt.Parsed.verb"
+  - meta: http_user_agent
+    expression: "evt.Parsed.http_user_agent"
+  - meta: target_fqdn
+    expression: "evt.Parsed.target_fqdn"

crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml

@@ -0,0 +1,93 @@
+onsuccess: next_stage
+#debug: true
+filter: "evt.Parsed.program == 'sshd'"
+name: crowdsecurity/sshd-logs
+description: "Parse openSSH logs"
+pattern_syntax:
+# The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2
+# https://github.com/crowdsecurity/crowdsec/issues/938
+  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
+  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
+  SSHD_AUTH_FAIL: 'pam_%{DATA:pam_type}\(sshd:auth\): authentication failure; logname= uid=%{NUMBER:uid}? euid=%{NUMBER:euid}? tty=ssh ruser= rhost=%{IP_WORKAROUND:sshd_client_ip}( %{SPACE}user=%{USERNAME:sshd_invalid_user})?'
+  SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+'
+  SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
+  SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format'
+  SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection closed by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
+  SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+nodes:
+  - grok:
+      name: "SSHD_FAIL"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_PREAUTH_AUTHENTICATING_USER_ALT"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_PREAUTH_AUTHENTICATING_USER"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_DISC_PREAUTH"
+      apply_on: message
+  - grok:
+      name: "SSHD_BAD_VERSION"
+      apply_on: message
+  - grok:
+      name: "SSHD_INVALID_USER"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_INVALID_BANNER"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: extra_log_type
+          value: ssh_bad_banner
+  - grok:
+      name: "SSHD_USER_FAIL"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok: 
+      name: "SSHD_AUTH_FAIL"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+  - grok: 
+      name: "SSHD_MAGIC_VALUE_FAILED"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
+statics:
+    - meta: service
+      value: ssh
+    - meta: source_ip
+      expression: "evt.Parsed.sshd_client_ip"

crowdsec/hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml

@@ -0,0 +1,11 @@
+filter: "evt.StrTime != ''"
+name: crowdsecurity/dateparse-enrich
+#debug: true
+#it's a hack lol
+statics:
+  - method: ParseDate
+    expression: evt.StrTime
+  - target: MarshaledTime
+    expression: evt.Enriched.MarshaledTime
+  - meta: timestamp
+    expression: evt.Enriched.MarshaledTime

crowdsec/hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml

@@ -0,0 +1,27 @@
+filter: "'source_ip' in evt.Meta"
+name: crowdsecurity/geoip-enrich
+description: "Populate event with geoloc info : as, country, coords, source range."
+data:
+  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
+    dest_file: GeoLite2-City.mmdb
+  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
+    dest_file: GeoLite2-ASN.mmdb
+statics:
+  - method: GeoIpCity
+    expression: evt.Meta.source_ip
+  - meta: IsoCode
+    expression: evt.Enriched.IsoCode
+  - meta: IsInEU
+    expression: evt.Enriched.IsInEU
+  - meta: GeoCoords
+    expression: evt.Enriched.GeoCoords
+  - method: GeoIpASN
+    expression: evt.Meta.source_ip
+  - meta: ASNNumber
+    expression: evt.Enriched.ASNNumber
+  - meta: ASNOrg
+    expression: evt.Enriched.ASNOrg
+  - method: IpToRange
+    expression: evt.Meta.source_ip
+  - meta: SourceRange
+    expression: evt.Enriched.SourceRange

crowdsec/hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml

@@ -0,0 +1,33 @@
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+description: "Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource"
+name: crowdsecurity/http-logs
+pattern_syntax:
+  DIR: "^.*/"
+  FILE: "[^/].*?"
+  EXT: "\\.[^.]*$|$"
+nodes:
+  - statics:
+     - parsed: "impact_completion"
+       # the value of a field can as well be determined as the result of an expression
+       expression: "evt.Meta.http_status in ['404', '403', '502'] ? 'false' : 'true'"
+     - target: evt.Parsed.static_ressource
+       value: 'false'
+  # let's split the path?query if possible
+  - grok:
+      pattern: "^%{GREEDYDATA:request}\\?%{GREEDYDATA:http_args}$"
+      apply_on: request
+  # this is another node, with its own pattern_syntax
+  - #debug: true
+    grok:
+      pattern: "%{DIR:file_dir}(%{FILE:file_frag}%{EXT:file_ext})?"
+      apply_on: request
+      statics:
+        - meta: http_path
+          expression: "evt.Parsed.http_path"
+          # meta af
+        - meta: http_args_len
+          expression: "len(evt.Parsed.http_args)"
+        - parsed: file_name
+          expression: evt.Parsed.file_frag + evt.Parsed.file_ext
+        - parsed: static_ressource
+          expression: "Upper(evt.Parsed.file_ext) in ['.JPG', '.CSS', '.JS', '.JPEG', '.PNG', '.SVG', '.MAP', '.ICO', '.OTF', '.GIF', '.MP3', '.MP4', '.WOFF', '.WOFF2', '.TTF', '.OTF', '.EOT', '.WEBP', '.WAV', '.GZ', '.BROTLI', '.BVR', '.TS', '.BMP'] ? 'true' : 'false'"

crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml

@@ -0,0 +1,14 @@
+name: crowdsecurity/whitelists
+description: "Whitelist events from private ipv4 addresses"
+whitelist:
+  reason: "private ipv4/ipv6 ip/ranges"
+  ip: 
+    - "127.0.0.1"
+    - "::1"
+  cidr:
+    - "192.168.0.0/16"
+    - "10.0.0.0/8"
+    - "172.16.0.0/12"
+  # expression:
+  #   - "'foo.com' in evt.Meta.source_ip.reverse" 
+

crowdsec/hub/scenarios/crowdsecurity/CVE-2019-18935.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/CVE-2019-18935
+description: "Detect Telerik CVE-2019-18935 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/Telerik.Web.UI.WebResource.axd?type=rau')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-26134.yaml

@@ -0,0 +1,10 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-26134
+description: "Detect CVE-2022-26134 exploits"
+filter: "Upper(PathUnescape(evt.Meta.http_path)) contains Upper('@java.lang.Runtime@getRuntime().exec(')"
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-35914.yaml

@@ -0,0 +1,10 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-35914
+description: "Detect CVE-2022-35914 exploits"
+filter: "Upper(evt.Meta.http_path) contains Upper('/vendor/htmlawed/htmlawed/htmLawedTest.php')"
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-37042.yaml

@@ -0,0 +1,18 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-37042
+description: "Detect CVE-2022-37042 exploits"
+filter: |
+    (
+    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
+    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd') 
+    )
+    and evt.Meta.http_status startsWith ('40') and
+    Upper(evt.Meta.http_verb) == 'POST'
+
+
+blackhole: 2m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-40684.yaml

@@ -0,0 +1,11 @@
+type: trigger
+name: crowdsecurity/fortinet-cve-2022-40684
+description: "Detect cve-2022-40684 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+  Upper(evt.Meta.http_path) startsWith Upper('/api/v2/cmdb/system/admin/') and Lower(evt.Parsed.http_user_agent) == 'report runner'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41082.yaml

@@ -0,0 +1,13 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-41082
+description: "Detect CVE-2022-41082 exploits"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/autodiscover/autodiscover.json') &&
+    Upper(evt.Parsed.http_args) contains Upper('powershell')
+
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41697.yaml

@@ -0,0 +1,14 @@
+type: leaky
+name: crowdsecurity/CVE-2022-41697
+description: "Detect CVE-2022-41697 enumeration"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/ghost/api/admin/session') &&
+    Upper(evt.Parsed.verb) == 'POST' &&
+    evt.Meta.http_status == '404'
+leakspeed: "10s"
+capacity: 5
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-42889.yaml

@@ -0,0 +1,17 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-42889
+description: "Detect CVE-2022-42889 exploits (Text4Shell)"
+filter: |
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:javascript:java.lang.Runtime.getRuntime().exec(')
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:js:java.lang.Runtime.getRuntime().exec(')
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${url:UTF-8:') 
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${dns:address|') 
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-44877.yaml

@@ -0,0 +1,15 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-44877
+description: "Detect CVE-2022-44877 exploits"
+filter: |
+    Lower(evt.Meta.http_path) contains '/index.php' &&
+    Upper(evt.Parsed.verb) == 'POST' &&
+    evt.Meta.http_status == '302' &&
+    Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
+
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-46169.yaml

@@ -0,0 +1,29 @@
+type: leaky
+name: crowdsecurity/CVE-2022-46169-bf
+description: "Detect CVE-2022-46169 brute forcing"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+    Upper(evt.Parsed.verb) == 'GET' &&
+    Lower(evt.Parsed.http_args) contains 'host_id' &&
+    Lower(evt.Parsed.http_args) contains 'local_data_ids'
+leakspeed: "10s"
+capacity: 5
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true
+---
+type: trigger
+name: crowdsecurity/CVE-2022-46169-cmd
+description: "Detect CVE-2022-46169 cmd injection"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+    Upper(evt.Parsed.verb) == 'GET' &&
+    Lower(evt.Parsed.http_args) contains 'action=polldata' &&
+    Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml

@@ -0,0 +1,23 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/apache_log4j2_cve-2021-44228
+description: "Detect cve-2021-44228 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+  (
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Meta.http_path) contains Upper(#)})
+  or
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_user_agent) contains Upper(#)})
+  or
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_referer) contains Upper(#)})  
+  )
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt
+    dest_file: log4j2_cve_2021_44228.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/f5-big-ip-cve-2020-5902.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/f5-big-ip-cve-2020-5902
+description: "Detect cve-2020-5902 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (
+    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/..;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
+    or
+    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/%2E%2E;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
+    )
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/fortinet-cve-2018-13379.yaml

@@ -0,0 +1,12 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/fortinet-cve-2018-13379
+description: "Detect cve-2018-13379 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    Upper(evt.Meta.http_path) contains Upper('/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/grafana-cve-2021-43798.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/grafana-cve-2021-43798
+description: "Detect cve-2021-43798 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/../[./]+/'
+    or
+    Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/%2E%2E/[%2E/]+/')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-backdoors-attempts.yaml

@@ -0,0 +1,18 @@
+type: leaky
+#debug: true
+name: crowdsecurity/http-backdoors-attempts
+description: "Detect attempt to common backdoors"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("backdoors.txt"), { evt.Parsed.file_name == #})'
+groupby: "evt.Meta.source_ip"
+distinct: evt.Parsed.file_name
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt
+    dest_file: backdoors.txt
+    type: string
+capacity: 1
+leakspeed: 5s
+blackhole: 5m
+labels:
+  service: http
+  type: discovery
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-bad-user-agent.yaml

@@ -0,0 +1,20 @@
+type: leaky
+format: 2.0
+#debug: true
+name: crowdsecurity/http-bad-user-agent
+description: "Detect bad user-agents"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
+    dest_file: bad_user_agents.regex.txt
+    type: regexp
+    strategy: LRU
+    size: 40
+    ttl: 10s
+capacity: 1
+leakspeed: 1m
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-crawl-non_statics.yaml

@@ -0,0 +1,16 @@
+type: leaky
+name: crowdsecurity/http-crawl-non_statics
+description: "Detect aggressive crawl from single ip"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
+distinct: "evt.Parsed.file_name"
+leakspeed: 0.5s
+capacity: 40
+#debug: true
+#this limits the memory cache (and event_sequences in output) to five events
+cache_size: 5
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+blackhole: 1m
+labels:
+ service: http
+ type: crawl
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-41773.yaml

@@ -0,0 +1,15 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/http-cve-2021-41773
+description: "cve-2021-41773"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) contains "/.%2E/.%2E/"
+      or
+     Upper(evt.Meta.http_path) contains "/%2E%2E/%2E%2E")
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-42013.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+#debug: true
+#this is getting funny, it's the third patch on top of cve-2021-41773
+name: crowdsecurity/http-cve-2021-42013
+description: "cve-2021-42013"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    Upper(evt.Meta.http_path) contains "/%%32%65%%32%65/"
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-generic-bf.yaml

@@ -0,0 +1,44 @@
+# 404 scan
+type: leaky
+#debug: true
+name: crowdsecurity/http-generic-bf
+description: "Detect generic http brute force"
+filter: "evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true
+---
+# Generic 401 Authorization Errors
+type: leaky
+#debug: true
+name: LePresidente/http-generic-401-bf
+description: "Detect generic 401 Authorization error brute force"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '401'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true
+---
+# Generic 403 Forbidden (Authorization) Errors
+type: leaky
+#debug: true
+name: LePresidente/http-generic-403-bf
+description: "Detect generic 403 Forbidden (Authorization) error brute force"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '403'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-open-proxy.yaml

@@ -0,0 +1,10 @@
+type: trigger
+name: crowdsecurity/http-open-proxy
+description: "Detect scan for open proxy"
+#apache returns 405, nginx 400
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
+blackhole: 2m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-path-traversal-probing.yaml

@@ -0,0 +1,20 @@
+# path traversal probing
+type: leaky
+#debug: true
+name: crowdsecurity/http-path-traversal-probing
+description: "Detect path traversal attempt"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('http_path_traversal.txt'),{evt.Meta.http_path contains #})"
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt
+    dest_file: http_path_traversal.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+distinct: "evt.Meta.http_path"
+capacity: 3
+reprocess: true
+leakspeed: 10s
+blackhole: 2m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-probing.yaml

@@ -0,0 +1,16 @@
+# 404 scan
+type: leaky
+#debug: true
+name: crowdsecurity/http-probing
+description: "Detect site scanning/probing from a single ip"
+filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+distinct: "evt.Meta.http_path"
+capacity: 10
+reprocess: true
+leakspeed: "10s"
+blackhole: 5m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-sensitive-files.yaml

@@ -0,0 +1,19 @@
+type: leaky
+format: 2.0
+#debug: true
+name: crowdsecurity/http-sensitive-files
+description: "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("sensitive_data.txt"), { evt.Parsed.request endsWith #})'
+groupby: "evt.Meta.source_ip"
+distinct: evt.Parsed.request
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt
+    dest_file: sensitive_data.txt
+    type: string
+capacity: 4
+leakspeed: 5s
+blackhole: 5m
+labels:
+  service: http
+  type: discovery
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-sqli-probing.yaml

@@ -0,0 +1,20 @@
+type: leaky
+#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
+format: 2.0
+name: crowdsecurity/http-sqli-probbing-detection
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt
+    dest_file: sqli_probe_patterns.txt
+    type: string
+description: "A scenario that detects SQL injection probing with minimal false positives"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
+groupby: evt.Meta.source_ip
+capacity: 10
+leakspeed: 1s
+blackhole: 5m
+#low false positives approach : we require distinct payloads to avoid false positives
+distinct: evt.Parsed.http_args
+labels:
+  service: http
+  type: sqli_probing
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-xss-probing.yaml

@@ -0,0 +1,20 @@
+type: leaky
+#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
+format: 2.0
+name: crowdsecurity/http-xss-probbing
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt
+    dest_file: xss_probe_patterns.txt
+    type: string
+description: "A scenario that detects XSS probing with minimal false positives"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('xss_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: 1s
+blackhole: 5m
+#low false positives approach : we require distinct payloads to avoid false positives
+distinct: evt.Parsed.http_args
+labels:
+  service: http
+  type: xss_probing
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/jira_cve-2021-26086.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/jira_cve-2021-26086
+description: "Detect Atlassian Jira CVE-2021-26086 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("jira_cve_2021-26086.txt"), {Upper(evt.Meta.http_path) contains Upper(#)})
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt
+    dest_file: jira_cve_2021-26086.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/mysql-bf.yaml

@@ -0,0 +1,14 @@
+# mysql bruteforce
+type: leaky
+#debug: true
+name: crowdsecurity/mysql-bf
+description: "Detect mysql bruteforce"
+filter: evt.Meta.log_type == 'mysql_failed_auth'
+leakspeed: "10s"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+labels:
+ service: mysql
+ type: bruteforce
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/nginx-req-limit-exceeded.yaml

@@ -0,0 +1,13 @@
+type: leaky
+#debug: true
+name: crowdsecurity/nginx-req-limit-exceeded
+description: "Detects IPs which violate nginx's user set request limit."
+filter: evt.Meta.sub_type == 'req_limit_exceeded'
+leakspeed: "60s"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+labels:
+ service: nginx
+ type: bruteforce
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/pulse-secure-sslvpn-cve-2019-11510.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
+description: "Detect cve-2019-11510 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) matches Upper('/dana-na/../dana/html5acc/guacamole/../../../../../../../[^?]+\\?/dana/html5acc/guacamole/')
+    or
+    Upper(evt.Meta.http_path) matches Upper('/dana-na/%2E%2E/dana/html5acc/guacamole/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/[^?]+\\?/dana/html5acc/guacamole/'))
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/spring4shell_cve-2022-22965.yaml

@@ -0,0 +1,12 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/spring4shell_cve-2022-22965
+description: "Detect cve-2022-22965 probing"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and
+    (Upper(evt.Meta.http_path) contains 'CLASS.MODULE.CLASSLOADER.')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/ssh-bf.yaml

@@ -0,0 +1,32 @@
+# ssh bruteforce
+type: leaky
+name: crowdsecurity/ssh-bf
+description: "Detect ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+leakspeed: "10s"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+---
+# ssh user-enum
+type: leaky
+name: crowdsecurity/ssh-bf_user-enum
+description: "Detect ssh user enum bruteforce"
+filter: evt.Meta.log_type == 'ssh_failed-auth'
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+leakspeed: 10s
+capacity: 5
+blackhole: 1m
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+

crowdsec/hub/scenarios/crowdsecurity/ssh-slow-bf.yaml

@@ -0,0 +1,32 @@
+# ssh bruteforce
+type: leaky
+name: crowdsecurity/ssh-slow-bf
+description: "Detect slow ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+leakspeed: "60s"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+capacity: 10
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+---
+# ssh user-enum
+type: leaky
+name: crowdsecurity/ssh-slow-bf_user-enum
+description: "Detect slow ssh user enum bruteforce"
+filter: evt.Meta.log_type == 'ssh_failed-auth'
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+leakspeed: 60s
+capacity: 10
+blackhole: 1m
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+

crowdsec/hub/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/thinkphp-cve-2018-20062
+description: "Detect ThinkPHP CVE-2018-20062 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("thinkphp_cve_2018-20062.txt"), {Upper(evt.Meta.http_path) matches Upper(#)})
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/thinkphp_cve_2018-20062.txt
+    dest_file: thinkphp_cve_2018-20062.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/vmware-cve-2022-22954.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/vmware-cve-2022-22954
+description: "Detect Vmware CVE-2022-22954 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()(')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/vmware-vcenter-vmsa-2021-0027.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/vmware-vcenter-vmsa-2021-0027
+description: "Detect VMSA-2021-0027 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Meta.http_path matches '/ui/vcav-bootstrap/rest/vcav-providers/provider-logo\\?url=(file|http)'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/ltsich/http-w00tw00t.yaml

@@ -0,0 +1,12 @@
+#contributed by ltsich
+type: trigger
+name: ltsich/http-w00tw00t
+description: "detect w00tw00t"
+debug: false
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'w00tw00t.at.ISC.SANS.DFind'"
+groupby: evt.Meta.source_ip
+blackhole: 5m
+labels:
+ service: http
+ type: scan
+ remediation: true