From ed675426f2a503955a380f5ce5cf7381e97fbac6 Mon Sep 17 00:00:00 2001
From: Manuel Sabban
Date: Mon, 18 Mar 2024 10:53:46 +0100
Subject: [PATCH] add ipv6 for hub data (#993)
* adapt hub for ip dual stack
---
 appsec-rules/crowdsecurity/crs.yaml | 98 +++++++++----------
 .../s02-enrich/crowdsecurity/geoip-enrich.md | 4 +-
 .../crowdsecurity/geoip-enrich.yaml | 4 +-
 .../crowdsecurity/seo-bots-whitelist.yaml | 6 +-
 .../apache_log4j2_cve-2021-44228.yaml | 2 +-
 .../http-admin-interface-probing.yaml | 2 +-
 .../crowdsecurity/http-backdoors-attempts.md | 4 +-
 .../http-backdoors-attempts.yaml | 2 +-
 .../crowdsecurity/http-bad-user-agent.yaml | 2 +-
 .../http-path-traversal-probing.yaml | 2 +-
 .../crowdsecurity/http-sensitive-files.md | 2 +-
 .../crowdsecurity/http-sensitive-files.yaml | 2 +-
 scenarios/crowdsecurity/http-sqli-probing.md | 2 +-
 .../crowdsecurity/http-sqli-probing.yaml | 2 +-
 scenarios/crowdsecurity/http-xss-probing.md | 2 +-
 scenarios/crowdsecurity/http-xss-probing.yaml | 2 +-
 .../crowdsecurity/jira_cve-2021-26086.yaml | 2 +-
 .../thinkphp-cve-2018-20062.yaml | 2 +-
 18 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/appsec-rules/crowdsecurity/crs.yaml b/appsec-rules/crowdsecurity/crs.yaml
index 8d182d7b266..c7e0c50009b 100644
--- a/appsec-rules/crowdsecurity/crs.yaml
+++ b/appsec-rules/crowdsecurity/crs.yaml
@@ -31,150 +31,150 @@ seclang_files_rules:
 - RESPONSE-980-CORRELATION.conf
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/crs-setup.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/crs-setup.conf
 dest_file: crs-setup.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-901-INITIALIZATION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-901-INITIALIZATION.conf
 dest_file: REQUEST-901-INITIALIZATION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
 dest_file: REQUEST-905-COMMON-EXCEPTIONS.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
 dest_file: REQUEST-911-METHOD-ENFORCEMENT.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
 dest_file: REQUEST-913-SCANNER-DETECTION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
 dest_file: REQUEST-920-PROTOCOL-ENFORCEMENT.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
 dest_file: REQUEST-921-PROTOCOL-ATTACK.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
 dest_file: REQUEST-922-MULTIPART-ATTACK.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
 dest_file: REQUEST-930-APPLICATION-ATTACK-LFI.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
 dest_file: REQUEST-931-APPLICATION-ATTACK-RFI.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
 dest_file: REQUEST-932-APPLICATION-ATTACK-RCE.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
 dest_file: REQUEST-933-APPLICATION-ATTACK-PHP.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
 dest_file: REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
 dest_file: REQUEST-941-APPLICATION-ATTACK-XSS.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
 dest_file: REQUEST-942-APPLICATION-ATTACK-SQLI.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
 dest_file: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
 dest_file: REQUEST-944-APPLICATION-ATTACK-JAVA.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
 dest_file: REQUEST-949-BLOCKING-EVALUATION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
 dest_file: RESPONSE-950-DATA-LEAKAGES.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
 dest_file: RESPONSE-951-DATA-LEAKAGES-SQL.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
 dest_file: RESPONSE-952-DATA-LEAKAGES-JAVA.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
 dest_file: RESPONSE-953-DATA-LEAKAGES-PHP.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
 dest_file: RESPONSE-954-DATA-LEAKAGES-IIS.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
 dest_file: RESPONSE-955-WEB-SHELLS.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
 dest_file: RESPONSE-959-BLOCKING-EVALUATION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/RESPONSE-980-CORRELATION.conf
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/RESPONSE-980-CORRELATION.conf
 dest_file: RESPONSE-980-CORRELATION.conf
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/crawlers-user-agents.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/crawlers-user-agents.data
 dest_file: crawlers-user-agents.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/iis-errors.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/iis-errors.data
 dest_file: iis-errors.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-classes.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/java-classes.data
 dest_file: java-classes.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-code-leakages.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/java-code-leakages.data
 dest_file: java-code-leakages.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/java-errors.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/java-errors.data
 dest_file: java-errors.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/lfi-os-files.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/lfi-os-files.data
 dest_file: lfi-os-files.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-config-directives.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-config-directives.data
 dest_file: php-config-directives.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-errors.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-errors.data
 dest_file: php-errors.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-errors-pl2.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-errors-pl2.data
 dest_file: php-errors-pl2.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-function-names-933150.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-function-names-933150.data
 dest_file: php-function-names-933150.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-function-names-933151.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-function-names-933151.data
 dest_file: php-function-names-933151.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/php-variables.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/php-variables.data
 dest_file: php-variables.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/restricted-files.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/restricted-files.data
 dest_file: restricted-files.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/restricted-upload.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/restricted-upload.data
 dest_file: restricted-upload.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-headers.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-headers.data
 dest_file: scanners-headers.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-urls.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-urls.data
 dest_file: scanners-urls.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scanners-user-agents.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/scanners-user-agents.data
 dest_file: scanners-user-agents.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/scripting-user-agents.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/scripting-user-agents.data
 dest_file: scripting-user-agents.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/sql-errors.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/sql-errors.data
 dest_file: sql-errors.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/ssrf.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/ssrf.data
 dest_file: ssrf.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/unix-shell.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/unix-shell.data
 dest_file: unix-shell.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/web-shells-php.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/web-shells-php.data
 dest_file: web-shells-php.data
 type: modsec
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/appsec/crs/windows-powershell-commands.data
+ - source_url: https://hub-data.crowdsec.net/appsec/crs/windows-powershell-commands.data
 dest_file: windows-powershell-commands.data
 type: modsec
\ No newline at end of file
diff --git a/parsers/s02-enrich/crowdsecurity/geoip-enrich.md b/parsers/s02-enrich/crowdsecurity/geoip-enrich.md
index 72167c7304f..63964dcd710 100644
--- a/parsers/s02-enrich/crowdsecurity/geoip-enrich.md
+++ b/parsers/s02-enrich/crowdsecurity/geoip-enrich.md
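Review bot: Every `+ - source_url: https://hub-data.crowdsec.net/appsec/crs/...` entry in this hunk is still an unpinned fetch — the data items carry only `source_url`/`dest_file`/`type`, so the ModSecurity rule and `.data` files the AppSec engine executes are whatever the CDN serves at download time, with no checksum and no CRS version recorded in the manifest. The old `sec-lists/master` raw URLs had the same gap, but they at least pointed at a publicly auditable git history; the new host is opaque from the hub repo, so a tampered or stale mirror cannot be diffed against anything here. If the hub data schema accepts an integrity field, pin each file with it; otherwise add a comment above `data:` such as `# CRS files are fetched unverified over TLS from hub-data; rule content is whatever the CDN currently publishes`. Nothing in the hunk shows the IPv6 reachability that motivates the change, so that is presumably verified out-of-band.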
@@ -10,6 +10,6 @@ The following informations will be added to the event :
 This configuration includes GeoLite2 data created by MaxMind available from [https://www.maxmind.com](https://www.maxmind.com), it includes two data files:
-* [GeoLite2-City.mmdb](https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb)
-* [GeoLite2-ASN.mmdb](https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb)
+* [GeoLite2-City.mmdb](https://hub-data.crowdsec.net/mmdb/GeoLite2-City.mmdb)
+* [GeoLite2-ASN.mmdb](https://hub-data.crowdsec.net/mmdb/GeoLite2-ASN.mmdb)
diff --git a/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml b/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
index 59a4fcab947..7e05828c81f 100644
--- a/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
+++ b/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
@@ -2,9 +2,9 @@ filter: "'source_ip' in evt.Meta"
 name: crowdsecurity/geoip-enrich
 description: "Populate event with geoloc info : as, country, coords, source range."
 data:
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
+ - source_url: https://hub-data.crowdsec.net/mmdb/GeoLite2-City.mmdb
 dest_file: GeoLite2-City.mmdb
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
+ - source_url: https://hub-data.crowdsec.net/mmdb/GeoLite2-ASN.mmdb
 dest_file: GeoLite2-ASN.mmdb
 statics:
 - method: GeoIpCity
diff --git a/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml b/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml
index 23c39aa16f0..9a21015066b 100644
--- a/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml
+++ b/postoverflows/s01-whitelist/crowdsecurity/seo-bots-whitelist.yaml
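Review bot: The two `.mmdb` entries now fetched from `hub-data.crowdsec.net/mmdb/` are binary MaxMind databases pulled with no checksum, and unlike the text lists elsewhere in this commit they have no `type:` field either, so a truncated or substituted download is only noticed when the `GeoIpCity` static (and whatever follows it outside the hunk) fails at enrichment time. The S3 URLs being replaced had the same weakness, so this is pre-existing, but a host migration is the natural point to pin a digest if the data schema supports one. At minimum I would document it inline, e.g. `# binary GeoLite2 DBs, downloaded unverified; re-check size and enrichment output after every data update`. The `geoip-enrich.md` links were updated in the same commit and match these URLs.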
@@ -7,12 +7,12 @@ whitelist:
 - "RegexpInFile(evt.Enriched.reverse_dns, 'rdns_seo_bots.regex')"
 - "any(File('ip_seo_bots.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP ,#)})"
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt
+ - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt
 dest_file: rdns_seo_bots.txt
 type: string
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex
+ - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex
 dest_file: rdns_seo_bots.regex
 type: regexp
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt
+ - source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt
 dest_file: ip_seo_bots.txt
 type: string
\ No newline at end of file
diff --git a/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml b/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml
index bd41e855069..7b592fc1337 100644
--- a/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml
+++ b/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml
@@ -13,7 +13,7 @@ filter: |
 any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_referer) contains Upper(#)})
 )
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt
+ - source_url: https://hub-data.crowdsec.net/web/log4j2_cve_2021_44228.txt
 dest_file: log4j2_cve_2021_44228.txt
 type: string
 groupby: "evt.Meta.source_ip"
diff --git a/scenarios/crowdsecurity/http-admin-interface-probing.yaml b/scenarios/crowdsecurity/http-admin-interface-probing.yaml
index 84967d3df3d..9b2ab6f4112 100644
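Review bot: The second data entry still fetches `rnds_seo_bots.regex` — note the `rnds` transposition in the source path — into `dest_file: rdns_seo_bots.regex`; the misspelling was copied verbatim from the old GitHub path onto the new host, so if hub-data publishes the file under the corrected name this download 404s and the `RegexpInFile(evt.Enriched.reverse_dns, 'rdns_seo_bots.regex')` branch silently loses its rDNS patterns. Either confirm the CDN serves the misspelled path or change it to `source_url: https://hub-data.crowdsec.net/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.regex`. These three files feed a whitelist rather than a detection, which makes their integrity more sensitive than the scenario lists in this commit: anyone who can influence what the new host returns for `ip_seo_bots.txt` gets their ranges exempted through `IpInRange(evt.Overflow.Alert.Source.IP ,#)`, and the manifest pins no checksum for any of them. The whitelist's `reason`/header lines start above the hunk.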
--- a/scenarios/crowdsecurity/http-admin-interface-probing.yaml
+++ b/scenarios/crowdsecurity/http-admin-interface-probing.yaml
@@ -10,7 +10,7 @@ filter: |
 groupby: evt.Meta.source_ip
 distinct: "evt.Meta.http_path"
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/admin_interfaces.txt
+ - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
 dest_file: admin_interfaces.txt
 type: string
 capacity: 4
diff --git a/scenarios/crowdsecurity/http-backdoors-attempts.md b/scenarios/crowdsecurity/http-backdoors-attempts.md
index db0c8d0f0e2..e0ab6a52d9b 100644
--- a/scenarios/crowdsecurity/http-backdoors-attempts.md
+++ b/scenarios/crowdsecurity/http-backdoors-attempts.md
@@ -2,7 +2,7 @@ Detect attempts to access common backdoors such as c99.php ...
 ## Configuration
-This scenario will be trigger if an attacker requests a minimum of two differents file of [the list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt)/
+This scenario will be trigger if an attacker requests a minimum of two differents file of [the list](https://hub-data.crowdsec.net/web/backdoors.txt)/
 Configuration:
@@ -15,4 +15,4 @@ Configuration:
 ### Data
-This scenario use the [following list backdoors.txt](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt) from [danielmiessler](https://github.com/danielmiessler/SecLists)
\ No newline at end of file
+This scenario use the [following list backdoors.txt](https://hub-data.crowdsec.net/web/backdoors.txt) from [danielmiessler](https://github.com/danielmiessler/SecLists)
\ No newline at end of file
diff --git a/scenarios/crowdsecurity/http-backdoors-attempts.yaml b/scenarios/crowdsecurity/http-backdoors-attempts.yaml
index 78a2b653d6f..09ae4987dd9 100644
--- a/scenarios/crowdsecurity/http-backdoors-attempts.yaml
+++ b/scenarios/crowdsecurity/http-backdoors-attempts.yaml
@@ -6,7 +6,7 @@ filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File
 groupby: "evt.Meta.source_ip"
 distinct: evt.Parsed.file_name
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt
+ - source_url: https://hub-data.crowdsec.net/web/backdoors.txt
 dest_file: backdoors.txt
 type: string
 capacity: 1
diff --git a/scenarios/crowdsecurity/http-bad-user-agent.yaml b/scenarios/crowdsecurity/http-bad-user-agent.yaml
index baff8f78755..1ad526849b8 100644
--- a/scenarios/crowdsecurity/http-bad-user-agent.yaml
+++ b/scenarios/crowdsecurity/http-bad-user-agent.yaml
@@ -5,7 +5,7 @@ name: crowdsecurity/http-bad-user-agent
 description: "Detect usage of bad User Agent"
 filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
+ - source_url: https://hub-data.crowdsec.net/web/bad_user_agents.regex.txt
 dest_file: bad_user_agents.regex.txt
 type: regexp
 strategy: LRU
diff --git a/scenarios/crowdsecurity/http-path-traversal-probing.yaml b/scenarios/crowdsecurity/http-path-traversal-probing.yaml
index f2422369519..5c3cb7b8ee0 100644
--- a/scenarios/crowdsecurity/http-path-traversal-probing.yaml
+++ b/scenarios/crowdsecurity/http-path-traversal-probing.yaml
@@ -5,7 +5,7 @@ name: crowdsecurity/http-path-traversal-probing
 description: "Detect path traversal attempt"
 filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('http_path_traversal.txt'),{evt.Meta.http_path contains #})"
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt
+ - source_url: https://hub-data.crowdsec.net/web/path_traversal.txt
 dest_file: http_path_traversal.txt
 type: string
 groupby: "evt.Meta.source_ip"
diff --git a/scenarios/crowdsecurity/http-sensitive-files.md b/scenarios/crowdsecurity/http-sensitive-files.md
index a4ec297e5d4..6a8b753ff5b 100644
--- a/scenarios/crowdsecurity/http-sensitive-files.md
+++ b/scenarios/crowdsecurity/http-sensitive-files.md
@@ -3,4 +3,4 @@ Detect tentative of dangerous file scanning such as logs file, database backup, zip archive etc ...
 ### Rule
-More than 3 access to sensitive files in [this list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt)
\ No newline at end of file
+More than 3 access to sensitive files in [this list](https://hub-data.crowdsec.net/web/sensitive_data.txt)
\ No newline at end of file
diff --git a/scenarios/crowdsecurity/http-sensitive-files.yaml b/scenarios/crowdsecurity/http-sensitive-files.yaml
index 19cdf940bed..704f2b397c0 100644
--- a/scenarios/crowdsecurity/http-sensitive-files.yaml
+++ b/scenarios/crowdsecurity/http-sensitive-files.yaml
@@ -7,7 +7,7 @@ filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File
 groupby: "evt.Meta.source_ip"
 distinct: evt.Parsed.request
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt
+ - source_url: https://hub-data.crowdsec.net/web/sensitive_data.txt
 dest_file: sensitive_data.txt
 type: string
 capacity: 4
diff --git a/scenarios/crowdsecurity/http-sqli-probing.md b/scenarios/crowdsecurity/http-sqli-probing.md
index 3a92db4093b..63809555ab6 100644
--- a/scenarios/crowdsecurity/http-sqli-probing.md
+++ b/scenarios/crowdsecurity/http-sqli-probing.md
@@ -3,7 +3,7 @@ The http sqli probing scenario aims at detecting, with very little false positiv
 SQL injection probing attempts will be characterized by the presence of specific SQL-related patterns in uri/GET arguments (if and when this is where the injected parameter is), and this is what this scenario detects.
-The [word list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt) is picked specifically to limit false positives.
+The [word list](https://hub-data.crowdsec.net/web/sqli_probe_patterns.txt) is picked specifically to limit false positives.
 Furthermore, a `distinct` directive is present on the get parameters themselves to reduce false positive chances.
 You can test the behavior of the scenario by launching the excellent [sqlmap](https://sqlmap.org) on one of your pages.
diff --git a/scenarios/crowdsecurity/http-sqli-probing.yaml b/scenarios/crowdsecurity/http-sqli-probing.yaml
index 28c5cfd290a..983afef6233 100644
--- a/scenarios/crowdsecurity/http-sqli-probing.yaml
+++ b/scenarios/crowdsecurity/http-sqli-probing.yaml
@@ -3,7 +3,7 @@ type: leaky
 format: 2.0
 name: crowdsecurity/http-sqli-probbing-detection
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt
+ - source_url: https://hub-data.crowdsec.net/web/sqli_probe_patterns.txt
 dest_file: sqli_probe_patterns.txt
 type: string
 description: "A scenario that detects SQL injection probing with minimal false positives"
diff --git a/scenarios/crowdsecurity/http-xss-probing.md b/scenarios/crowdsecurity/http-xss-probing.md
index 046d1998d7a..779c2b4a6be 100644
--- a/scenarios/crowdsecurity/http-xss-probing.md
+++ b/scenarios/crowdsecurity/http-xss-probing.md
@@ -3,7 +3,7 @@ The http XSS probing scenario aims at detecting, with very little false positive
 XSS probing attempts will be characterized by the presence of specific XSS related patterns in uri/GET arguments (if and when this is where the injected parameter is), and this is what this scenario detects.
-The [word list](https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt) is picked specifically to limit false positives.
+The [word list](https://hub-data.crowdsec.net/web/xss_probe_patterns.txt) is picked specifically to limit false positives.
 Furthermore, a `distinct` directive is present on the get parameters themselves to reduce false positive chances.
diff --git a/scenarios/crowdsecurity/http-xss-probing.yaml b/scenarios/crowdsecurity/http-xss-probing.yaml
index 8ac30a4c47d..18eb509cf3c 100644
--- a/scenarios/crowdsecurity/http-xss-probing.yaml
+++ b/scenarios/crowdsecurity/http-xss-probing.yaml
@@ -3,7 +3,7 @@ type: leaky
 format: 2.0
 name: crowdsecurity/http-xss-probbing
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt
+ - source_url: https://hub-data.crowdsec.net/web/xss_probe_patterns.txt
 dest_file: xss_probe_patterns.txt
 type: string
 description: "A scenario that detects XSS probing with minimal false positives"
diff --git a/scenarios/crowdsecurity/jira_cve-2021-26086.yaml b/scenarios/crowdsecurity/jira_cve-2021-26086.yaml
index 66406db693d..48167d389ee 100644
--- a/scenarios/crowdsecurity/jira_cve-2021-26086.yaml
+++ b/scenarios/crowdsecurity/jira_cve-2021-26086.yaml
@@ -6,7 +6,7 @@ description: "Detect Atlassian Jira CVE-2021-26086 exploitation attemps"
 filter: |
 evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("jira_cve_2021-26086.txt"), {Upper(evt.Meta.http_path) contains Upper(#)})
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt
+ - source_url: https://hub-data.crowdsec.net/web/jira_cve_2021-26086.txt
 dest_file: jira_cve_2021-26086.txt
 type: string
 groupby: "evt.Meta.source_ip"
diff --git a/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml b/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml
index 1ccd61b0e97..b129a9736c3 100644
--- a/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml
+++ b/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml
@@ -6,7 +6,7 @@ description: "Detect ThinkPHP CVE-2018-20062 exploitation attemps"
 filter: |
 evt.Meta.log_type in ["http_access-log", "http_error-log"] and RegexpInFile(Lower(evt.Meta.http_path), "thinkphp_cve_2018-20062.txt")
 data:
- - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/thinkphp_cve_2018-20062.txt
+ - source_url: https://hub-data.crowdsec.net/web/thinkphp_cve_2018-20062.txt
 dest_file: thinkphp_cve_2018-20062.txt
 type: regexp
 strategy: LRU