Scenario not working
Hello
Some time ago, I created a scenario designed to stop SQL attacks in the URL. It's actually a copy of your "http-sqli-probing" scenario. Unfortunately, my scenario doesn't work.
First, I added the website log folders to acquis.xml:
Here is the scenario:
The SQL statements are located in the local file
I can't find any errors.
The only difference is that I block the IP when a match is found and that I use a local text file.
Can you find an error or a reason?
Thanks
Some time ago, I created a scenario designed to stop SQL attacks in the URL. It's actually a copy of your "http-sqli-probing" scenario. Unfortunately, my scenario doesn't work.
First, I added the website log folders to acquis.xml:
filenames:
- /var/log/httpd/access_log
- /var/log/httpd/error_log
- /var/www/vhosts/foobar.de/logs/access_ssl_log
- /var/www/vhosts/foobar.de/logs/error_log
labels:
type: apache2Here is the scenario:
type: trigger
name: martinschaible/http-sqli-probing-detection-evo
description: "A scenario that detects SQL injection probing from a local file"
filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns_evo.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
data:
- dest_file: sqli_probe_patterns_evo.txt
type: string
groupby: possibly.Meta.source_ip
blackhole: 1m
#low false positives approach: we require distinct payloads to avoid false positives
distinct: evt.Parsed.http_args
labels:
label: "SQL Injection Attempt"
spoofable: 0
confidence: 3
service: http
remediation: trueThe SQL statements are located in the local file
/var/lib/crowdsec/sqli_probe_patterns_evo.txtI can't find any errors.
The only difference is that I block the IP when a match is found and that I use a local text file.
Can you find an error or a reason?
Thanks
