committing changes in /etc made by "-bash"

Package changes:

crowdsec/hub/scenarios/crowdsecurity/CVE-2019-18935.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/CVE-2019-18935
+description: "Detect Telerik CVE-2019-18935 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/Telerik.Web.UI.WebResource.axd?type=rau')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-26134.yaml

@@ -0,0 +1,10 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-26134
+description: "Detect CVE-2022-26134 exploits"
+filter: "Upper(PathUnescape(evt.Meta.http_path)) contains Upper('@java.lang.Runtime@getRuntime().exec(')"
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-35914.yaml

@@ -0,0 +1,10 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-35914
+description: "Detect CVE-2022-35914 exploits"
+filter: "Upper(evt.Meta.http_path) contains Upper('/vendor/htmlawed/htmlawed/htmLawedTest.php')"
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-37042.yaml

@@ -0,0 +1,18 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-37042
+description: "Detect CVE-2022-37042 exploits"
+filter: |
+    (
+    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
+    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd') 
+    )
+    and evt.Meta.http_status startsWith ('40') and
+    Upper(evt.Meta.http_verb) == 'POST'
+
+
+blackhole: 2m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-40684.yaml

@@ -0,0 +1,11 @@
+type: trigger
+name: crowdsecurity/fortinet-cve-2022-40684
+description: "Detect cve-2022-40684 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+  Upper(evt.Meta.http_path) startsWith Upper('/api/v2/cmdb/system/admin/') and Lower(evt.Parsed.http_user_agent) == 'report runner'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41082.yaml

@@ -0,0 +1,13 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-41082
+description: "Detect CVE-2022-41082 exploits"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/autodiscover/autodiscover.json') &&
+    Upper(evt.Parsed.http_args) contains Upper('powershell')
+
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41697.yaml

@@ -0,0 +1,14 @@
+type: leaky
+name: crowdsecurity/CVE-2022-41697
+description: "Detect CVE-2022-41697 enumeration"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/ghost/api/admin/session') &&
+    Upper(evt.Parsed.verb) == 'POST' &&
+    evt.Meta.http_status == '404'
+leakspeed: "10s"
+capacity: 5
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-42889.yaml

@@ -0,0 +1,17 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-42889
+description: "Detect CVE-2022-42889 exploits (Text4Shell)"
+filter: |
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:javascript:java.lang.Runtime.getRuntime().exec(')
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:js:java.lang.Runtime.getRuntime().exec(')
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${url:UTF-8:') 
+  or
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${dns:address|') 
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-44877.yaml

@@ -0,0 +1,15 @@
+type: trigger
+#debug: true
+name: crowdsecurity/CVE-2022-44877
+description: "Detect CVE-2022-44877 exploits"
+filter: |
+    Lower(evt.Meta.http_path) contains '/index.php' &&
+    Upper(evt.Parsed.verb) == 'POST' &&
+    evt.Meta.http_status == '302' &&
+    Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
+
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-46169.yaml

@@ -0,0 +1,29 @@
+type: leaky
+name: crowdsecurity/CVE-2022-46169-bf
+description: "Detect CVE-2022-46169 brute forcing"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+    Upper(evt.Parsed.verb) == 'GET' &&
+    Lower(evt.Parsed.http_args) contains 'host_id' &&
+    Lower(evt.Parsed.http_args) contains 'local_data_ids'
+leakspeed: "10s"
+capacity: 5
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true
+---
+type: trigger
+name: crowdsecurity/CVE-2022-46169-cmd
+description: "Detect CVE-2022-46169 cmd injection"
+filter: |
+    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+    Upper(evt.Parsed.verb) == 'GET' &&
+    Lower(evt.Parsed.http_args) contains 'action=polldata' &&
+    Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml

@@ -0,0 +1,23 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/apache_log4j2_cve-2021-44228
+description: "Detect cve-2021-44228 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+  (
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Meta.http_path) contains Upper(#)})
+  or
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_user_agent) contains Upper(#)})
+  or
+    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_referer) contains Upper(#)})  
+  )
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt
+    dest_file: log4j2_cve_2021_44228.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/f5-big-ip-cve-2020-5902.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/f5-big-ip-cve-2020-5902
+description: "Detect cve-2020-5902 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (
+    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/..;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
+    or
+    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/%2E%2E;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
+    )
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/fortinet-cve-2018-13379.yaml

@@ -0,0 +1,12 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/fortinet-cve-2018-13379
+description: "Detect cve-2018-13379 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    Upper(evt.Meta.http_path) contains Upper('/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/grafana-cve-2021-43798.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/grafana-cve-2021-43798
+description: "Detect cve-2021-43798 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/../[./]+/'
+    or
+    Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/%2E%2E/[%2E/]+/')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-backdoors-attempts.yaml

@@ -0,0 +1,18 @@
+type: leaky
+#debug: true
+name: crowdsecurity/http-backdoors-attempts
+description: "Detect attempt to common backdoors"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("backdoors.txt"), { evt.Parsed.file_name == #})'
+groupby: "evt.Meta.source_ip"
+distinct: evt.Parsed.file_name
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt
+    dest_file: backdoors.txt
+    type: string
+capacity: 1
+leakspeed: 5s
+blackhole: 5m
+labels:
+  service: http
+  type: discovery
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-bad-user-agent.yaml

@@ -0,0 +1,20 @@
+type: leaky
+format: 2.0
+#debug: true
+name: crowdsecurity/http-bad-user-agent
+description: "Detect bad user-agents"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
+    dest_file: bad_user_agents.regex.txt
+    type: regexp
+    strategy: LRU
+    size: 40
+    ttl: 10s
+capacity: 1
+leakspeed: 1m
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-crawl-non_statics.yaml

@@ -0,0 +1,16 @@
+type: leaky
+name: crowdsecurity/http-crawl-non_statics
+description: "Detect aggressive crawl from single ip"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
+distinct: "evt.Parsed.file_name"
+leakspeed: 0.5s
+capacity: 40
+#debug: true
+#this limits the memory cache (and event_sequences in output) to five events
+cache_size: 5
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+blackhole: 1m
+labels:
+ service: http
+ type: crawl
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-41773.yaml

@@ -0,0 +1,15 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/http-cve-2021-41773
+description: "cve-2021-41773"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) contains "/.%2E/.%2E/"
+      or
+     Upper(evt.Meta.http_path) contains "/%2E%2E/%2E%2E")
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-42013.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+#debug: true
+#this is getting funny, it's the third patch on top of cve-2021-41773
+name: crowdsecurity/http-cve-2021-42013
+description: "cve-2021-42013"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    Upper(evt.Meta.http_path) contains "/%%32%65%%32%65/"
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: scan
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-generic-bf.yaml

@@ -0,0 +1,44 @@
+# 404 scan
+type: leaky
+#debug: true
+name: crowdsecurity/http-generic-bf
+description: "Detect generic http brute force"
+filter: "evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true
+---
+# Generic 401 Authorization Errors
+type: leaky
+#debug: true
+name: LePresidente/http-generic-401-bf
+description: "Detect generic 401 Authorization error brute force"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '401'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true
+---
+# Generic 403 Forbidden (Authorization) Errors
+type: leaky
+#debug: true
+name: LePresidente/http-generic-403-bf
+description: "Detect generic 403 Forbidden (Authorization) error brute force"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '403'"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ service: http
+ type: bf
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-open-proxy.yaml

@@ -0,0 +1,10 @@
+type: trigger
+name: crowdsecurity/http-open-proxy
+description: "Detect scan for open proxy"
+#apache returns 405, nginx 400
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
+blackhole: 2m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-path-traversal-probing.yaml

@@ -0,0 +1,20 @@
+# path traversal probing
+type: leaky
+#debug: true
+name: crowdsecurity/http-path-traversal-probing
+description: "Detect path traversal attempt"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('http_path_traversal.txt'),{evt.Meta.http_path contains #})"
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt
+    dest_file: http_path_traversal.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+distinct: "evt.Meta.http_path"
+capacity: 3
+reprocess: true
+leakspeed: 10s
+blackhole: 2m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-probing.yaml

@@ -0,0 +1,16 @@
+# 404 scan
+type: leaky
+#debug: true
+name: crowdsecurity/http-probing
+description: "Detect site scanning/probing from a single ip"
+filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+distinct: "evt.Meta.http_path"
+capacity: 10
+reprocess: true
+leakspeed: "10s"
+blackhole: 5m
+labels:
+ service: http
+ type: scan
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-sensitive-files.yaml

@@ -0,0 +1,19 @@
+type: leaky
+format: 2.0
+#debug: true
+name: crowdsecurity/http-sensitive-files
+description: "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)"
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("sensitive_data.txt"), { evt.Parsed.request endsWith #})'
+groupby: "evt.Meta.source_ip"
+distinct: evt.Parsed.request
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt
+    dest_file: sensitive_data.txt
+    type: string
+capacity: 4
+leakspeed: 5s
+blackhole: 5m
+labels:
+  service: http
+  type: discovery
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-sqli-probing.yaml

@@ -0,0 +1,20 @@
+type: leaky
+#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
+format: 2.0
+name: crowdsecurity/http-sqli-probbing-detection
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt
+    dest_file: sqli_probe_patterns.txt
+    type: string
+description: "A scenario that detects SQL injection probing with minimal false positives"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
+groupby: evt.Meta.source_ip
+capacity: 10
+leakspeed: 1s
+blackhole: 5m
+#low false positives approach : we require distinct payloads to avoid false positives
+distinct: evt.Parsed.http_args
+labels:
+  service: http
+  type: sqli_probing
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-xss-probing.yaml

@@ -0,0 +1,20 @@
+type: leaky
+#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
+format: 2.0
+name: crowdsecurity/http-xss-probbing
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt
+    dest_file: xss_probe_patterns.txt
+    type: string
+description: "A scenario that detects XSS probing with minimal false positives"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('xss_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
+groupby: evt.Meta.source_ip
+capacity: 5
+leakspeed: 1s
+blackhole: 5m
+#low false positives approach : we require distinct payloads to avoid false positives
+distinct: evt.Parsed.http_args
+labels:
+  service: http
+  type: xss_probing
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/jira_cve-2021-26086.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/jira_cve-2021-26086
+description: "Detect Atlassian Jira CVE-2021-26086 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("jira_cve_2021-26086.txt"), {Upper(evt.Meta.http_path) contains Upper(#)})
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt
+    dest_file: jira_cve_2021-26086.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/mysql-bf.yaml

@@ -0,0 +1,14 @@
+# mysql bruteforce
+type: leaky
+#debug: true
+name: crowdsecurity/mysql-bf
+description: "Detect mysql bruteforce"
+filter: evt.Meta.log_type == 'mysql_failed_auth'
+leakspeed: "10s"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+labels:
+ service: mysql
+ type: bruteforce
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/nginx-req-limit-exceeded.yaml

@@ -0,0 +1,13 @@
+type: leaky
+#debug: true
+name: crowdsecurity/nginx-req-limit-exceeded
+description: "Detects IPs which violate nginx's user set request limit."
+filter: evt.Meta.sub_type == 'req_limit_exceeded'
+leakspeed: "60s"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+labels:
+ service: nginx
+ type: bruteforce
+ remediation: true

crowdsec/hub/scenarios/crowdsecurity/pulse-secure-sslvpn-cve-2019-11510.yaml

@@ -0,0 +1,14 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
+description: "Detect cve-2019-11510 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
+    (Upper(evt.Meta.http_path) matches Upper('/dana-na/../dana/html5acc/guacamole/../../../../../../../[^?]+\\?/dana/html5acc/guacamole/')
+    or
+    Upper(evt.Meta.http_path) matches Upper('/dana-na/%2E%2E/dana/html5acc/guacamole/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/[^?]+\\?/dana/html5acc/guacamole/'))
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/spring4shell_cve-2022-22965.yaml

@@ -0,0 +1,12 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/spring4shell_cve-2022-22965
+description: "Detect cve-2022-22965 probing"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and
+    (Upper(evt.Meta.http_path) contains 'CLASS.MODULE.CLASSLOADER.')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/ssh-bf.yaml

@@ -0,0 +1,32 @@
+# ssh bruteforce
+type: leaky
+name: crowdsecurity/ssh-bf
+description: "Detect ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+leakspeed: "10s"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+---
+# ssh user-enum
+type: leaky
+name: crowdsecurity/ssh-bf_user-enum
+description: "Detect ssh user enum bruteforce"
+filter: evt.Meta.log_type == 'ssh_failed-auth'
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+leakspeed: 10s
+capacity: 5
+blackhole: 1m
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+

crowdsec/hub/scenarios/crowdsecurity/ssh-slow-bf.yaml

@@ -0,0 +1,32 @@
+# ssh bruteforce
+type: leaky
+name: crowdsecurity/ssh-slow-bf
+description: "Detect slow ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+leakspeed: "60s"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+capacity: 10
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+---
+# ssh user-enum
+type: leaky
+name: crowdsecurity/ssh-slow-bf_user-enum
+description: "Detect slow ssh user enum bruteforce"
+filter: evt.Meta.log_type == 'ssh_failed-auth'
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+leakspeed: 60s
+capacity: 10
+blackhole: 1m
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
+

crowdsec/hub/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml

@@ -0,0 +1,16 @@
+type: trigger
+format: 2.0
+#debug: true
+name: crowdsecurity/thinkphp-cve-2018-20062
+description: "Detect ThinkPHP CVE-2018-20062 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("thinkphp_cve_2018-20062.txt"), {Upper(evt.Meta.http_path) matches Upper(#)})
+data:
+  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/thinkphp_cve_2018-20062.txt
+    dest_file: thinkphp_cve_2018-20062.txt
+    type: string
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/vmware-cve-2022-22954.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/vmware-cve-2022-22954
+description: "Detect Vmware CVE-2022-22954 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()(')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/vmware-vcenter-vmsa-2021-0027.yaml

@@ -0,0 +1,11 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/vmware-vcenter-vmsa-2021-0027
+description: "Detect VMSA-2021-0027 exploitation attemps"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Meta.http_path matches '/ui/vcav-bootstrap/rest/vcav-providers/provider-logo\\?url=(file|http)'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true