Scenario not working
Hello
Some time ago, I created a scenario designed to stop SQL attacks in the URL. It's actually a copy of your "http-sqli-probing" scenario. Unfortunately, my scenario doesn't work.
First, I added the website log folders to acquis.xml:
filenames:
- /var/log/httpd/access_log
- /var/log/httpd/error_log
- /var/www/vhosts/foobar.de/logs/access_ssl_log
- /var/www/vhosts/foobar.de/logs/error_log
labels:
type: apache2
Here is the scenario:
type: trigger
name: martinschaible/http-sqli-probing-detection-evo
description: "A scenario that detects SQL injection probing from a local file"
filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns_evo.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
data:
- dest_file: sqli_probe_patterns_evo.txt
type: string
groupby: possibly.Meta.source_ip
blackhole: 1m
#low false positives approach: we require distinct payloads to avoid false positives
distinct: evt.Parsed.http_args
labels:
label: "SQL Injection Attempt"
spoofable: 0
confidence: 3
service: http
remediation: true
The SQL statements are located in the local file /var/lib/crowdsec/sqli_probe_patterns_evo.txt
I can't find any errors.
The only difference is that I block the IP when a match is found and that I use a local text file.
Can you find an error or a reason?
Thanks2 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
This is a typically entry in the log: