add ipv6 for hub data (#993)

* adapt hub for ip dual stack
crowdsecurity · Mar 18, 2024 · ed67542 · ed67542
1 parent c37c84a
commit ed67542
Show file tree

Hide file tree

Showing 18 changed files with 71 additions and 71 deletions.
diff --git a/appsec-rules/crowdsecurity/crs.yaml b/appsec-rules/crowdsecurity/crs.yaml
@@ -31,150 +31,150 @@ seclang_files_rules:
  - RESPONSE-980-CORRELATION.conf
 
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/crs-setup.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/crs-setup.conf
     dest_file: crs-setup.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-901-INITIALIZATION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-901-INITIALIZATION.conf
     dest_file: REQUEST-901-INITIALIZATION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
     dest_file: REQUEST-905-COMMON-EXCEPTIONS.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
     dest_file: REQUEST-911-METHOD-ENFORCEMENT.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
     dest_file: REQUEST-913-SCANNER-DETECTION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
     dest_file: REQUEST-920-PROTOCOL-ENFORCEMENT.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
     dest_file: REQUEST-921-PROTOCOL-ATTACK.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
     dest_file: REQUEST-922-MULTIPART-ATTACK.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
     dest_file: REQUEST-930-APPLICATION-ATTACK-LFI.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
     dest_file: REQUEST-931-APPLICATION-ATTACK-RFI.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
     dest_file: REQUEST-932-APPLICATION-ATTACK-RCE.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
     dest_file: REQUEST-933-APPLICATION-ATTACK-PHP.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
     dest_file: REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
     dest_file: REQUEST-941-APPLICATION-ATTACK-XSS.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
     dest_file: REQUEST-942-APPLICATION-ATTACK-SQLI.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
     dest_file: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
     dest_file: REQUEST-944-APPLICATION-ATTACK-JAVA.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
     dest_file: REQUEST-949-BLOCKING-EVALUATION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
     dest_file: RESPONSE-950-DATA-LEAKAGES.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
     dest_file: RESPONSE-951-DATA-LEAKAGES-SQL.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
     dest_file: RESPONSE-952-DATA-LEAKAGES-JAVA.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
     dest_file: RESPONSE-953-DATA-LEAKAGES-PHP.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
     dest_file: RESPONSE-954-DATA-LEAKAGES-IIS.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
     dest_file: RESPONSE-955-WEB-SHELLS.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
     dest_file: RESPONSE-959-BLOCKING-EVALUATION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-980-CORRELATION.conf
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-980-CORRELATION.conf
     dest_file: RESPONSE-980-CORRELATION.conf
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/crawlers-user-agents.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/crawlers-user-agents.data
     dest_file: crawlers-user-agents.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/iis-errors.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/iis-errors.data
     dest_file: iis-errors.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-classes.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/java-classes.data
     dest_file: java-classes.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-code-leakages.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/java-code-leakages.data
     dest_file: java-code-leakages.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-errors.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/java-errors.data
     dest_file: java-errors.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/lfi-os-files.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/lfi-os-files.data
     dest_file: lfi-os-files.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-config-directives.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-config-directives.data
     dest_file: php-config-directives.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-errors.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-errors.data
     dest_file: php-errors.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-errors-pl2.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-errors-pl2.data
     dest_file: php-errors-pl2.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-function-names-933150.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-function-names-933150.data
     dest_file: php-function-names-933150.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-function-names-933151.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-function-names-933151.data
     dest_file: php-function-names-933151.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-variables.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/php-variables.data
     dest_file: php-variables.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/restricted-files.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/restricted-files.data
     dest_file: restricted-files.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/restricted-upload.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/restricted-upload.data
     dest_file: restricted-upload.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-headers.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-headers.data
     dest_file: scanners-headers.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-urls.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-urls.data
     dest_file: scanners-urls.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-user-agents.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-user-agents.data
     dest_file: scanners-user-agents.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scripting-user-agents.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/scripting-user-agents.data
     dest_file: scripting-user-agents.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/sql-errors.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/sql-errors.data
     dest_file: sql-errors.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/ssrf.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/ssrf.data
     dest_file: ssrf.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/unix-shell.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/unix-shell.data
     dest_file: unix-shell.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/web-shells-php.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/web-shells-php.data
     dest_file: web-shells-php.data
     type: modsec
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/windows-powershell-commands.data
+  - source_url: https://hub-data.crowdsec.net/appsec/crs/windows-powershell-commands.data
     dest_file: windows-powershell-commands.data
     type: modsec
diff --git a/parsers/s02-enrich/crowdsecurity/geoip-enrich.md b/parsers/s02-enrich/crowdsecurity/geoip-enrich.md
@@ -10,6 +10,6 @@ The following informations will be added to the event :
 
 
 This configuration includes GeoLite2 data created by MaxMind available from [https://www.maxmind.com](https://www.maxmind.com), it includes two data files: 
-* [GeoLite2-City.mmdb](https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb)
-* [GeoLite2-ASN.mmdb](https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb)
+* [GeoLite2-City.mmdb](https://hub-data.crowdsec.net/mmdb/GeoLite2-City.mmdb)
+* [GeoLite2-ASN.mmdb](https://hub-data.crowdsec.net/mmdb/GeoLite2-ASN.mmdb)
 
diff --git a/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml b/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
@@ -2,9 +2,9 @@ filter: "'source_ip' in evt.Meta"
 name: crowdsecurity/geoip-enrich
 description: "Populate event with geoloc info : as, country, coords, source range."
 data:
-  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
+  - source_url: https://hub-data.crowdsec.net/mmdb/GeoLite2-City.mmdb
     dest_file: GeoLite2-City.mmdb
-  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
+  - source_url: https://hub-data.crowdsec.net/mmdb/GeoLite2-ASN.mmdb
     dest_file: GeoLite2-ASN.mmdb
 statics:
   - method: GeoIpCity

diff --git a/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml b/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml
@@ -7,12 +7,12 @@ whitelist:
     - "RegexpInFile(evt.Enriched.reverse_dns, 'rdns_seo_bots.regex')"
     - "any(File('ip_seo_bots.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP ,#)})"
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt
+  - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt
     dest_file: rdns_seo_bots.txt
     type: string
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex
+  - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex
     dest_file: rdns_seo_bots.regex
     type: regexp
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt
+  - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt
     dest_file: ip_seo_bots.txt
     type: string
diff --git a/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml b/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml
@@ -13,7 +13,7 @@ filter: |
     any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_referer) contains Upper(#)})  
   )
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt
+  - source_url: https://hub-data.crowdsec.net/web/log4j2_cve_2021_44228.txt
     dest_file: log4j2_cve_2021_44228.txt
     type: string
 groupby: "evt.Meta.source_ip"

diff --git a/scenarios/crowdsecurity/http-admin-interface-probing.yaml b/scenarios/crowdsecurity/http-admin-interface-probing.yaml
@@ -10,7 +10,7 @@ filter: |
 groupby: evt.Meta.source_ip
 distinct: "evt.Meta.http_path"
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/admin_interfaces.txt
+  - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
     dest_file: admin_interfaces.txt
     type: string
 capacity: 4

diff --git a/scenarios/crowdsecurity/http-backdoors-attempts.md b/scenarios/crowdsecurity/http-backdoors-attempts.md
@@ -2,7 +2,7 @@ Detect attempts to access common backdoors such as c99.php ...
 
 ## Configuration
 
-This scenario will be trigger if an attacker requests a minimum of two differents file of [the list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt)/
+This scenario will be trigger if an attacker requests a minimum of two differents file of [the list](https://hub-data.crowdsec.net/web/backdoors.txt)/
 
 Configuration:
 
@@ -15,4 +15,4 @@ Configuration:
 
 ### Data
 
-This scenario use the [following list backdoors.txt](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt) from [danielmiessler](https://github.com/danielmiessler/SecLists)
+This scenario use the [following list backdoors.txt](https://hub-data.crowdsec.net/web/backdoors.txt) from [danielmiessler](https://github.com/danielmiessler/SecLists)
diff --git a/scenarios/crowdsecurity/http-backdoors-attempts.yaml b/scenarios/crowdsecurity/http-backdoors-attempts.yaml
@@ -6,7 +6,7 @@ filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File
 groupby: "evt.Meta.source_ip"
 distinct: evt.Parsed.file_name
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt
+  - source_url: https://hub-data.crowdsec.net/web/backdoors.txt
     dest_file: backdoors.txt
     type: string
 capacity: 1

diff --git a/scenarios/crowdsecurity/http-bad-user-agent.yaml b/scenarios/crowdsecurity/http-bad-user-agent.yaml
@@ -5,7 +5,7 @@ name: crowdsecurity/http-bad-user-agent
 description: "Detect usage of bad User Agent"
 filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
+  - source_url: https://hub-data.crowdsec.net/web/bad_user_agents.regex.txt
     dest_file: bad_user_agents.regex.txt
     type: regexp
     strategy: LRU

diff --git a/scenarios/crowdsecurity/http-path-traversal-probing.yaml b/scenarios/crowdsecurity/http-path-traversal-probing.yaml
@@ -5,7 +5,7 @@ name: crowdsecurity/http-path-traversal-probing
 description: "Detect path traversal attempt"
 filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('http_path_traversal.txt'),{evt.Meta.http_path contains #})"
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt
+  - source_url: https://hub-data.crowdsec.net/web/path_traversal.txt
     dest_file: http_path_traversal.txt
     type: string
 groupby: "evt.Meta.source_ip"

diff --git a/scenarios/crowdsecurity/http-sensitive-files.md b/scenarios/crowdsecurity/http-sensitive-files.md
@@ -3,4 +3,4 @@
 Detect tentative of dangerous file scanning such as logs file, database backup, zip archive etc ...
 
 ### Rule
-More than 3 access to sensitive files in [this list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt)
+More than 3 access to sensitive files in [this list](https://hub-data.crowdsec.net/web/sensitive_data.txt)
diff --git a/scenarios/crowdsecurity/http-sensitive-files.yaml b/scenarios/crowdsecurity/http-sensitive-files.yaml
@@ -7,7 +7,7 @@ filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File
 groupby: "evt.Meta.source_ip"
 distinct: evt.Parsed.request
 data:
-  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt
+  - source_url: https://hub-data.crowdsec.net/web/sensitive_data.txt
     dest_file: sensitive_data.txt
     type: string
 capacity: 4