Feature request: add a "/.git/" path traversal scenario
Hi, I think it could be great to add a /.git/ path traversal scenario.
(Maybe in a separate scenario from the current http traversal one.)
Here is a sample of bots calling URLs in my last 24h logs, with the number of occurrences:
/.git/config | 520
/.git/HEAD | 258
/git/ | 109
/.git/index | 81
/.git/ | 54
/.well-known/acme-challenge/.git/FETCH_HEAD | 49
/.well-known/acme-challenge/.git/ORIG_HEAD | 48
/.well-known/acme-challenge/.git/logs/HEAD | 48
/.well-known/acme-challenge/.git/HEAD | 47
/.well-known/acme-challenge/.git/config | 47
/.well-known/acme-challenge/.git/description | 47
/.well-known/acme-challenge/.git/info/exclude | 47
/.well-known/acme-challenge/.git/info/refs | 47
/.well-known/acme-challenge/.git/sourcetreeconfig | 47
/.well-known/acme-challenge/.git-credentials | 46
/.git-credentials | 39
/.git/logs/HEAD | 38
/.git/description | 30
/.git/info/ | 30
/.git/info/exclude | 30
/.git/info/refs | 30
/.git/logs/ | 30
/.git/FETCH_HEAD | 29
/.git/ORIG_HEAD | 29
/.git/sourcetreeconfig | 29
//.git/config | 16
So maybe a simple catch on "/.git/" && "/.git-credentials"
We do have this scenario: https://hub.crowdsec.net/author/crowdsecurity/configurations/http-sensitive-files
However, from looking at the contents of the file, I would be more in favour of changing it from endsWith to contains, as these files should never be requested from legit sources.
Oh, I didn't see this scenario. I have it enabled, but it doesn't seem to catch them.
I see that the scenario has
capacity: 4
leakspeed: 5s
Isn't this too small? I mean, if they "slowly" scan at 1 req every 2s for example, it'll never be caught?
If these URLs should normally never be called, why not use a longer leakspeed (1m for example), or even a trigger?
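The capacity/leakspeed question raised in this thread, as an added example that is not part of the original thread and not CrowdSec's own code: a simplified single-source leaky-bucket model fed with paths from the log sample above, matched with "contains" on /.git/ and /.git-credentials. The bucket semantics (one event more than capacity overflows, one event leaks out per leakspeed), the function names and the scan timings are assumptions made for illustration.

```python
from fractions import Fraction

# Substrings proposed in the thread; matched with "contains", not "endsWith".
MARKERS = ("/.git/", "/.git-credentials")

# Constructed sample: paths copied from the log excerpt in the thread.
PATHS = [
    "/.git/config", "/.git/HEAD", "/.git/index",
    "/.well-known/acme-challenge/.git/HEAD", "/.git-credentials",
    "//.git/config", "/.git/logs/HEAD",
]

def is_sensitive(path):
    """True if any marker appears anywhere in the request path."""
    return any(marker in path for marker in MARKERS)

def first_overflow(events, capacity, leakspeed):
    """Return the timestamp (s) of the first overflow, or None.

    events: (timestamp_seconds, path) pairs from one source, sorted by time.
    capacity: events the bucket holds; one more overflows it (0 = trigger).
    leakspeed: whole seconds for a single event to leak out (assumed model).
    """
    level, last = Fraction(0), None
    for ts, path in events:
        if not is_sensitive(path):
            continue  # only matching requests are poured into the bucket
        if last is not None:
            # Drain what leaked since the previous event (exact arithmetic).
            level = max(Fraction(0), level - Fraction(ts - last, leakspeed))
        last = ts
        level += 1
        if level > capacity:
            return ts
    return None

def scan(interval):
    """Constructed scan: one request from PATHS every `interval` seconds."""
    return [(i * interval, p) for i, p in enumerate(PATHS)]

if __name__ == "__main__":
    for interval in (2, 6):
        for capacity, leakspeed in ((4, 5), (4, 60), (0, 60)):
            hit = first_overflow(scan(interval), capacity, leakspeed)
            print(f"1 req/{interval}s capacity={capacity} "
                  f"leakspeed={leakspeed}s -> overflow at {hit}")
```

In this model a source that sends one matching request less often than the leakspeed keeps the bucket at a single event, so only a longer leakspeed or a trigger (capacity 0) flags it.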