Open aderumier opened 1 year ago
We do have this scenario https://hub.crowdsec.net/author/crowdsecurity/configurations/http-sensitive-files
However, from looking at the contents of the file, I would be more in favour of changing it from endsWith to contains, as these files should never be requested from legit sources.
Oh, I didn't see this scenario. I have it enabled, but it doesn't seem to catch them.
I see that the scenario has
capacity: 4 leakspeed: 5s
Isn't this too small? I mean, if they "slowly" scan at 1 req every 2s for example, it'll never be caught?
If these URLs should normally never be called, why not use a longer leakspeed (1m for example) or even a trigger?
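A simplified model of the bucket arithmetic raised in the comment above, as an added example that is not part of the thread and not CrowdSec's own code. It assumes the bucket holds `capacity` events, drains one event per `leakspeed`, and overflows on the event that no longer fits, with a trigger modelled as capacity 0; `first_overflow` and `compare` are hypothetical helper names.

```python
from typing import Dict, Optional


def first_overflow(capacity: int, leakspeed_s: float, interval_s: float,
                   requests: int = 1000) -> Optional[int]:
    """Return the 1-based index of the request that overflows, or None.

    Assumed model: one event leaks out every `leakspeed_s` seconds and the
    client sends one matching request every `interval_s` seconds.
    """
    level = 0.0
    for n in range(1, requests + 1):
        if n > 1:
            # Drain what leaked out since the previous request.
            level = max(0.0, level - interval_s / leakspeed_s)
        if level + 1 > capacity + 1e-9:  # this event does not fit: overflow
            return n
        level += 1
    return None


def compare(intervals=(0, 2, 5, 30)) -> Dict[str, Dict[int, Optional[int]]]:
    """Overflow point per request interval (seconds) for three settings."""
    configs = {
        "capacity 4, leakspeed 5s": (4, 5),    # values quoted in the thread
        "capacity 4, leakspeed 1m": (4, 60),   # longer leakspeed, as proposed
        "trigger (capacity 0)": (0, 5),        # assumption: trigger == capacity 0
    }
    return {name: {i: first_overflow(cap, leak, i) for i in intervals}
            for name, (cap, leak) in configs.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(name)
        for interval, hit in row.items():
            result = f"overflow on request {hit}" if hit else "never overflows"
            print(f"  1 req every {interval:>2}s: {result}")
```

Under this model the quantity to tune is the ratio between request spacing and `leakspeed`: a bucket only fills when matching requests arrive faster than it drains, and a trigger removes the dependency on pacing altogether.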
Hi, I think it could be great to add a /.git/ path traversal scenario.
(Maybe in a separate scenario from the current http traversal)
Here is a sample of bots calling URLs in my last 24h logs, with number of occurrences
So maybe a simple catch on "/.git/" && "/.git-credentials"