bogdan/zira-etc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
7817b40ae2b9e47be6fc23233b2d6e5e8833f875
zira-etc/crowdsec/hub/scenarios/crowdsecurity/http-open-proxy.yaml

17 lines
490 B
YAML
Raw Blame History

type: trigger
name: crowdsecurity/http-open-proxy
description: "Detect scan for open proxy"
#apache returns 405, nginx 400
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
blackhole: 2m
labels:
service: http
type: scan
remediation: true
classification:
- attack.T1595
behavior: "http:scan"
label: "HTTP Open Proxy Probing"
spoofable: 0
confidence: 3
Reference in New Issue View Git Blame Copy Permalink