bogdan/zira-etc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
7817b40ae2b9e47be6fc23233b2d6e5e8833f875
zira-etc/crowdsec/hub/scenarios/crowdsecurity/http-sensitive-files.yaml

25 lines
756 B
YAML
Raw Blame History

type: leaky
format: 2.0
#debug: true
name: crowdsecurity/http-sensitive-files
description: "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)"
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("sensitive_data.txt"), { evt.Parsed.request endsWith #})'
groupby: "evt.Meta.source_ip"
distinct: evt.Parsed.request
data:
- source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt
dest_file: sensitive_data.txt
type: string
capacity: 4
leakspeed: 5s
blackhole: 5m
labels:
remediation: true
classification:
- attack.T1595.003
behavior: "http:scan"
label: "Access to sensitive files over HTTP"
spoofable: 0
service: http
confidence: 3
Reference in New Issue View Git Blame Copy Permalink