From 57a660cc29036da9627dfa241f9917772d2ae21f Mon Sep 17 00:00:00 2001
From: 0xbbuddha
Date: Thu, 21 Aug 2025 14:28:09 +0200
Subject: [PATCH 1/6] fix: fix for xss
---
 parsers/s01-parse/crowdsecurity/modsecurity.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/parsers/s01-parse/crowdsecurity/modsecurity.yaml b/parsers/s01-parse/crowdsecurity/modsecurity.yaml
index 06c8017dadb..d3dd3d8415f 100644
--- a/parsers/s01-parse/crowdsecurity/modsecurity.yaml
+++ b/parsers/s01-parse/crowdsecurity/modsecurity.yaml
@@ -21,8 +21,8 @@ pattern_syntax:
 MODSECRULEACCURACY: "\\[accuracy \"%{DATA:accuracy}\"\\]"
 MODSECRULEVERS2: "\\[ver \"%{DATA:version}\"\\]"
 MODSECRULETAGS2: "(?:\\[tag \"%{DATA:ruletag0}\"\\] )?(?:\\[tag \"%{DATA:ruletag1}\"\\] )?(?:\\[tag \"%{DATA:ruletag2}\"\\] )?(?:\\[tag \"%{DATA:ruletag3}\"\\] )?(?:\\[tag \"%{DATA:ruletag4}\"\\] )?(?:\\[tag \"%{DATA:ruletag5}\"\\] )?(?:\\[tag \"%{DATA:ruletag6}\"\\] )?(?:\\[tag \"%{DATA:ruletag7}\"\\] )?(?:\\[tag \"%{DATA:ruletag8}\"\\] )?(?:\\[tag \"%{DATA:ruletag9}\"\\] )?(?:\\[tag \"%{DATA}\"\\] )*"
- MODSECHOSTNAME2: "\\[hostname ['\"]%{DATA:targethost}[\"']\\]"
- MODSECURI2: "\\[uri [\"']%{DATA:targeturi}[\"']\\]"
+ MODSECHOSTNAME2: "\\[hostname ['\"]%{DATA:targethost}['\"]\\]"
+ MODSECURI2: "\\[uri ['\"]%{DATA:targeturi}['\"]\\]"
 MODSECUID2: "\\[unique_id \"%{DATA:uniqueid}\"\\]"
 MODSECREF2: "\\[ref \"%{DATA:ref}\"\\]"
 MODSECAPACHEERROR2: "%{MODSECPREFIX2} %{MODSECRULEFILE2} %{MODSECRULELINE2} (?:%{MODSECMATCHOFFSET2} )?(?:%{MODSECRULEID2} )?(?:%{MODSECRULEREV2} )?(?:%{MODSECRULEMSG2} )?(?:%{MODSECRULEDATA2} )?(?:%{MODSECRULESEVERITY2} )?(?:%{MODSECRULEVERS2} )?%{MODSECRULETAGS2}%{MODSECHOSTNAME2} %{MODSECURI2} %{MODSECUID2}"
@@ -61,4 +61,3 @@ nodes:
 expression: evt.Parsed.rulemessage
 - meta: modsec_ruledata
 expression: evt.Parsed.ruledata
-
From 071b43b7b4c617088538dda8a28dd01697e7b0f8 Mon Sep 17 00:00:00 2001
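Review bot: The two `+` lines of the first hunk accept exactly the same input as the `-` lines they replace, because `['\"]` and `[\"']` are the same regex character class, so `MODSECHOSTNAME2` and `MODSECURI2` parse identically before and after this commit and the subject "fix for xss" does not correspond to any behavioural change visible here. Both patterns also still accept a mismatched delimiter pair (an opening `'` closed by `"`), which matters because `targeturi` is attacker-supplied text that later scenarios in this series run regexes against; if that was the intended fix, it needs an alternation of the two quoted forms rather than a reordered class. A parser test line carrying a single-quoted `[uri '...']` field would make whatever was meant to change here verifiable. The second hunk only removes a trailing blank line.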
From: 0xbbuddha
Date: Thu, 21 Aug 2025 14:29:38 +0200
Subject: [PATCH 2/6] feat: add more rules
---
 ...security-blocking-evaluation-response.yaml | 18 ++++++++++++++
 .../modsecurity-blocking-evaluation.yaml | 17 +++++++++++++
 .../modsecurity-data-leakages-sql.yaml | 17 +++++++++++++
 .../modsecurity-data-leakages.yaml | 19 +++++++++++++++
 .../crowdsecurity/modsecurity-generic.yaml | 16 +++++++++++++
 .../modsecurity-injection-nodejs.yaml | 18 ++++++++++++++
 .../modsecurity-injection-php.yaml | 18 ++++++++++++++
 scenarios/crowdsecurity/modsecurity-java.yaml | 17 +++++++++++++
 scenarios/crowdsecurity/modsecurity-lfi.yaml | 20 ++++++++++++++++
 .../modsecurity-multipart-header.yaml | 18 ++++++++++++++
 .../crowdsecurity/modsecurity-nextcloud.yaml | 24 +++++++++++++++++++
 .../modsecurity-protocol-enforcement.yaml | 17 +++++++++++++
 scenarios/crowdsecurity/modsecurity-rce.yaml | 18 ++++++++++++++
 .../modsecurity-reputation-scanner.yaml | 18 ++++++++++++++
 scenarios/crowdsecurity/modsecurity-rfi.yaml | 18 ++++++++++++++
 .../modsecurity-session-fixation.yaml | 17 +++++++++++++
 scenarios/crowdsecurity/modsecurity-sqli.yaml | 18 ++++++++++++++
 scenarios/crowdsecurity/modsecurity-ssrf.yaml | 20 ++++++++++++++++
 .../crowdsecurity/modsecurity-web-shells.yaml | 20 ++++++++++++++++
 .../crowdsecurity/modsecurity-wordpress.yaml | 23 ++++++++++++++++++
 scenarios/crowdsecurity/modsecurity-xss.yaml | 18 ++++++++++++++
 21 files changed, 389 insertions(+)
 create mode 100644 scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-data-leakages.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-generic.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-injection-php.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-java.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-lfi.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-multipart-header.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-nextcloud.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-rce.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-rfi.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-session-fixation.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-sqli.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-ssrf.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-web-shells.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-wordpress.yaml
 create mode 100644 scenarios/crowdsecurity/modsecurity-xss.yaml
diff --git a/scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml b/scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml
new file mode 100644
index 00000000000..393036d046d
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-blocking-evaluation-response
+description: "Blocking evaluation events detected via ModSecurity CRS (response phase)"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^959"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:blocking-evaluation"
+ label: "Blocking Evaluation (Response)"
+ confidence: 2
+ service: http
+
+
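Review bot: `evt.Parsed.ruleid matches "^959"` combined with `remediation: true` on a `type: trigger` bucket bans a source on every response-phase blocking-evaluation line, and the `^949` request-phase twin in the next file does the same. If these are the CRS anomaly-scoring blocking rules the file names suggest, they are logged in addition to the per-category rule that raised the score, so one blocked request will normally fire this scenario and one of the category scenarios added in this series (for instance `^941` for XSS), yielding two alerts and two decisions for the same `evt.Meta.source_ip`. Either keep these two as classification-only (`remediation: false`) or state the deliberate overlap in `description` so operators expect the duplicates. The two `+` blank lines at the end of this file (also present in data-leakages, lfi, nextcloud, ssrf, web-shells and wordpress) should be dropped for consistency with the other new files.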
diff --git a/scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml b/scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml
new file mode 100644
index 00000000000..7f4a00259f4
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-blocking-evaluation
+description: "Blocking evaluation events detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^949"
+ && (evt.Parsed.tags matches "attack-reputation-ip" || evt.Parsed.tags matches "attack-generic")
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:blocking-evaluation"
+ label: "Blocking Evaluation"
+ confidence: 2
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml b/scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml
new file mode 100644
index 00000000000..f7eef2bbf23
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-data-leakages-sql
+description: "Sensitive data leakages (SQL-related) detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^951"
+ && evt.Parsed.tags matches "attack-disclosure"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1530
+ behavior: "http:data-leakage-sql"
+ label: "Data Leakage (SQL)"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-data-leakages.yaml b/scenarios/crowdsecurity/modsecurity-data-leakages.yaml
new file mode 100644
index 00000000000..c016cbcaaf3
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-data-leakages.yaml
@@ -0,0 +1,19 @@
+type: trigger
+name: crowdsecurity/modsecurity-data-leakages
+description: "Sensitive data leakages detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && (evt.Parsed.ruleid matches "^950" || evt.Parsed.ruleid matches "^952" || evt.Parsed.ruleid matches "^953" || evt.Parsed.ruleid matches "^954" || evt.Parsed.ruleid matches "^956")
+ && evt.Parsed.tags matches "attack-disclosure"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1530
+ behavior: "http:data-leakage"
+ label: "Data Leakage"
+ confidence: 3
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-generic.yaml b/scenarios/crowdsecurity/modsecurity-generic.yaml
new file mode 100644
index 00000000000..e246badac3c
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-generic.yaml
@@ -0,0 +1,16 @@
+type: trigger
+name: crowdsecurity/modsecurity-generic
+description: "Generic ModSecurity CRS alert"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && (evt.Parsed.ruleid matches "^911" || evt.Parsed.tags matches "attack-generic")
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:generic"
+ label: "Generic ModSecurity Alert"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml b/scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml
new file mode 100644
index 00000000000..4cb3628cdc4
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml
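Review bot: The second alternative of the generic filter, `evt.Parsed.tags matches "attack-generic"`, carries no rule-id constraint, and the blocking-evaluation scenario two files earlier shows that `^949` events are tagged `attack-generic`, so every request-phase blocking line will match this scenario on top of that one. With `remediation: true` on both, that is a third alert and decision per blocked request rather than a catch-all for otherwise unclassified rules. Restricting this to `&& evt.Parsed.ruleid matches "^911"`, or adding `&& !(evt.Parsed.ruleid matches "^949")` to the tag branch, keeps the scope to what `description: "Generic ModSecurity CRS alert"` implies; the description should also name the rule families it is meant to cover.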
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-injection-nodejs
+description: "Node.js Injection detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^934"
+ && (evt.Parsed.tags matches "platform-nodejs" || evt.Parsed.tags matches "language-javascript" || evt.Parsed.tags matches "attack-injection-generic")
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1059
+ - attack.T1190
+ behavior: "http:injection-nodejs"
+ label: "Node.js Injection"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-injection-php.yaml b/scenarios/crowdsecurity/modsecurity-injection-php.yaml
new file mode 100644
index 00000000000..cad0728da4b
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-injection-php.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-injection-php
+description: "PHP Injection detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^933"
+ && evt.Parsed.tags matches "attack-injection-php"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1059
+ - attack.T1190
+ behavior: "http:injection-php"
+ label: "PHP Injection"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-java.yaml b/scenarios/crowdsecurity/modsecurity-java.yaml
new file mode 100644
index 00000000000..a9a0229089f
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-java.yaml
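Review bot: This scenario and `modsecurity-ssrf` later in the series both key on `evt.Parsed.ruleid matches "^934"` and differ only in their tag test, and the third alternative here, `evt.Parsed.tags matches "attack-injection-generic"`, is broad enough that a 934 rule tagged with both it and `attack-ssrf` would fire both scenarios, and two decisions, for a single event. The tag sets of the 934 rules are not visible in the hunk, so this needs checking against the CRS rule file before publishing. If the overlap is real, dropping the generic alternative here, or adding `&& !(evt.Parsed.tags matches "attack-ssrf")`, keeps the two scenarios disjoint.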
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-java
+description: "Java-related security rule triggered via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^944"
+ && evt.Parsed.tags matches "attack-rce"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:java"
+ label: "Java Security Rule"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-lfi.yaml b/scenarios/crowdsecurity/modsecurity-lfi.yaml
new file mode 100644
index 00000000000..2032151575a
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-lfi.yaml
@@ -0,0 +1,20 @@
+type: trigger
+name: crowdsecurity/modsecurity-lfi
+description: "Local File Inclusion detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^930"
+ && evt.Parsed.tags matches "attack-lfi"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1105
+ behavior: "http:lfi"
+ label: "Local File Inclusion"
+ confidence: 3
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-multipart-header.yaml b/scenarios/crowdsecurity/modsecurity-multipart-header.yaml
new file mode 100644
index 00000000000..578aaf6eb0c
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-multipart-header.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-multipart-header
+description: "Malformed multipart or deprecated header detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^922"
+ && (evt.Parsed.tags matches "attack-multipart-header" || evt.Parsed.tags matches "attack-deprecated-header")
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1071.001
+ behavior: "http:multipart-header"
+ label: "Malformed Multipart/Header"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-nextcloud.yaml b/scenarios/crowdsecurity/modsecurity-nextcloud.yaml
new file mode 100644
index 00000000000..85457a7978c
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-nextcloud.yaml
@@ -0,0 +1,24 @@
+type: trigger
+name: crowdsecurity/modsecurity-nextcloud
+description: "Nextcloud attacks detected via ModSecurity (application classification)"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && (
+ evt.Parsed.targeturi matches "(?i)/remote\\.php"
+ || evt.Parsed.targeturi matches "(?i)/index\\.php/apps/"
+ || evt.Parsed.targeturi matches "(?i)/ocs/v1\\.php|/ocs/v2\\.php"
+ || evt.Parsed.targeturi matches "(?i)/status\\.php"
+ || evt.Parsed.targeturi matches "(?i)/nextcloud/"
+ )
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:nextcloud-attack"
+ label: "Nextcloud Attack"
+ confidence: 2
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml b/scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml
new file mode 100644
index 00000000000..a665fb60d92
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml
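Review bot: The Nextcloud filter (and the WordPress one later in this series) constrains only `evt.Parsed.targeturi` and severity, never `ruleid` or `tags`, so every CRITICAL ModSecurity event against one of these paths matches here and in whichever rule-id scenario the event belongs to, giving duplicate alerts and decisions per request. `targeturi` is the path the parser extracts from the `[uri "..."]` field, i.e. attacker-chosen text, so a hit only shows that a request targeted a Nextcloud-looking path, not that Nextcloud is deployed; `label: "Nextcloud Attack"` and `description` should say "request targeting Nextcloud paths" so the alert is not over-read, and `confidence: 2` is appropriate for that. The five `matches` calls are also one pattern, `evt.Parsed.targeturi matches "(?i)/(remote\\.php|index\\.php/apps/|ocs/v[12]\\.php|status\\.php|nextcloud/)"`, which is easier to audit and extend.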
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-protocol-enforcement
+description: "Protocol enforcement anomalies detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && (evt.Parsed.ruleid matches "^920" || evt.Parsed.ruleid matches "^921")
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1071.001
+ behavior: "http:protocol-enforcement"
+ label: "Protocol Enforcement Violation"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-rce.yaml b/scenarios/crowdsecurity/modsecurity-rce.yaml
new file mode 100644
index 00000000000..b08443c9654
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-rce.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-rce
+description: "Command Injection / RCE detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^932"
+ && evt.Parsed.tags matches "attack-rce"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1059
+ - attack.T1190
+ behavior: "http:rce"
+ label: "Remote Code Execution"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml b/scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml
new file mode 100644
index 00000000000..b0873c66f71
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml
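Review bot: `type: trigger` with `remediation: true` on `^920`/`^921` bans a source on its first CRITICAL protocol-enforcement hit, and these are request-line and header validation families that broken but legitimate clients trip more often than the attack-specific families in this series, so this scenario carries the highest false-positive cost of the set while sitting at `confidence: 3`. A leaky bucket that requires repeated violations before a decision, e.g. `type: leaky` with `capacity: 5` and `leakspeed: "10s"`, would still catch scanners; if it stays a trigger, `confidence: 2` in line with the blocking-evaluation scenarios is the more honest value. Either choice should be stated in `description` so operators know why this one differs.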
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-reputation-scanner
+description: "Scanner reputation hit detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^913"
+ && evt.Parsed.tags matches "attack-reputation-scanner"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1595
+ - attack.T1046
+ behavior: "http:reputation-scanner"
+ label: "Scanner Reputation Hit"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-rfi.yaml b/scenarios/crowdsecurity/modsecurity-rfi.yaml
new file mode 100644
index 00000000000..2e1d9d326a2
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-rfi.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-rfi
+description: "Remote File Inclusion detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^931"
+ && evt.Parsed.tags matches "attack-rfi"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1105
+ behavior: "http:rfi"
+ label: "Remote File Inclusion"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-session-fixation.yaml b/scenarios/crowdsecurity/modsecurity-session-fixation.yaml
new file mode 100644
index 00000000000..d2afa2ecee1
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-session-fixation.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-session-fixation
+description: "Session fixation attempt detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^943"
+ && evt.Parsed.tags matches "attack-fixation"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1556
+ behavior: "http:session-fixation"
+ label: "Session Fixation"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-sqli.yaml b/scenarios/crowdsecurity/modsecurity-sqli.yaml
new file mode 100644
index 00000000000..f655f3500b7
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-sqli.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-sqli
+description: "SQL Injection detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == 'modsecurity'
+ && (evt.Parsed.ruleseverity == 'CRITICAL' || evt.Parsed.ruleseverity == '2')
+ && evt.Parsed.ruleid matches "^942"
+ && evt.Parsed.tags matches "attack-sqli"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1565
+ behavior: "http:sqli"
+ label: "SQL Injection"
+ confidence: 3
+ service: http
diff --git a/scenarios/crowdsecurity/modsecurity-ssrf.yaml b/scenarios/crowdsecurity/modsecurity-ssrf.yaml
new file mode 100644
index 00000000000..10be8064c73
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-ssrf.yaml
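Review bot: The sqli filter uses single-quoted literals (`'modsecurity'`, `'CRITICAL'`, `'2'`) on its first two lines while every other scenario in this series, and the remaining lines of this same filter, use double quotes. Both forms are accepted by the expression language, but the mix means a hub-wide search for `log_type == "modsecurity"` skips this file; `evt.Meta.log_type == "modsecurity"` and `(evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")` would align it with its siblings.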
@@ -0,0 +1,20 @@
+type: trigger
+name: crowdsecurity/modsecurity-ssrf
+description: "Server-Side Request Forgery detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^934"
+ && evt.Parsed.tags matches "attack-ssrf"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ - attack.T1105
+ behavior: "http:ssrf"
+ label: "Server-Side Request Forgery"
+ confidence: 3
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-web-shells.yaml b/scenarios/crowdsecurity/modsecurity-web-shells.yaml
new file mode 100644
index 00000000000..e545146de98
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-web-shells.yaml
@@ -0,0 +1,20 @@
+type: trigger
+name: crowdsecurity/modsecurity-web-shells
+description: "Web shell activity detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^955"
+ && evt.Parsed.tags matches "attack-rce"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1059
+ - attack.T1190
+ behavior: "http:web-shell"
+ label: "Web Shells"
+ confidence: 3
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-wordpress.yaml b/scenarios/crowdsecurity/modsecurity-wordpress.yaml
new file mode 100644
index 00000000000..a30f9118cc0
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-wordpress.yaml
@@ -0,0 +1,23 @@
+type: trigger
+name: crowdsecurity/modsecurity-wordpress
+description: "WordPress attacks detected via ModSecurity (application classification)"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && (
+ evt.Parsed.targeturi matches "(?i)/wp-(admin|login\\.php|content|includes|json)"
+ || evt.Parsed.targeturi matches "(?i)/xmlrpc\\.php"
+ || evt.Parsed.targeturi matches "(?i)/wp-cron\\.php"
+ || evt.Parsed.targeturi matches "(?i)/comments-post\\.php"
+ )
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1190
+ behavior: "http:wordpress-attack"
+ label: "WordPress Attack"
+ confidence: 2
+ service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-xss.yaml b/scenarios/crowdsecurity/modsecurity-xss.yaml
new file mode 100644
index 00000000000..e7b060e187e
--- /dev/null
+++ b/scenarios/crowdsecurity/modsecurity-xss.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-xss
+description: "Cross-Site Scripting detected via ModSecurity CRS"
+filter: |
+ evt.Meta.log_type == "modsecurity"
+ && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+ && evt.Parsed.ruleid matches "^941"
+ && evt.Parsed.tags matches "attack-xss"
+groupby: evt.Meta.source_ip
+labels:
+ remediation: true
+ classification:
+ - attack.T1059.007
+ - attack.T1189
+ behavior: "http:xss"
+ label: "Cross-Site Scripting"
+ confidence: 3
+ service: http
From f8259f27f7bd6bdfc7541793a50a04d03a7eb942 Mon Sep 17 00:00:00 2001
From: 0xbbuddha
Date: Thu, 21 Aug 2025 14:30:15 +0200
Subject: [PATCH 3/6] feat: update modsecurity collection with new rules
---
 collections/crowdsecurity/modsecurity.md | 25 ++++++++++++++++++++--
 collections/crowdsecurity/modsecurity.yaml | 23 +++++++++++++++++++-
 2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/collections/crowdsecurity/modsecurity.md b/collections/crowdsecurity/modsecurity.md
index a1687841728..ac12839494b 100644
--- a/collections/crowdsecurity/modsecurity.md
+++ b/collections/crowdsecurity/modsecurity.md
@@ -2,8 +2,29 @@ A collection for modsecurity (tested only with Apache):
 - modsecurity parser: `crowdsecurity/modsecurity`
- - modsecurity scenario: `crowdsecurity/modsecurity
-
+ - modsecurity scenario:
+ - `crowdsecurity/modsecurity`
+ - `crowdsecurity/modsecurity-blocking-evaluation-response`
+ - `crowdsecurity/modsecurity-blocking-evaluation`
+ - `crowdsecurity/modsecurity-data-leakages-sql`
+ - `crowdsecurity/modsecurity-data-leakages`
+ - `crowdsecurity/modsecurity-generic`
+ - `crowdsecurity/modsecurity-injection-nodejs`
+ - `crowdsecurity/modsecurity-injection-php`
+ - `crowdsecurity/modsecurity-java`
+ - `crowdsecurity/modsecurity-lfi`
+ - `crowdsecurity/modsecurity-multipart-header`
+ - `crowdsecurity/modsecurity-nextcloud`
+ - `crowdsecurity/modsecurity-protocol-enforcement`
+ - `crowdsecurity/modsecurity-rce`
+ - `crowdsecurity/modsecurity-reputation-scanner`
+ - `crowdsecurity/modsecurity-rfi`
+ - `crowdsecurity/modsecurity-session-fixation`
+ - `crowdsecurity/modsecurity-sqli`
+ - `crowdsecurity/modsecurity-ssrf`
+ - `crowdsecurity/modsecurity-web-shells`
+ - `crowdsecurity/modsecurity-wordpress`
+ - `crowdsecurity/modsecurity-xss`
 ## Acquisition template
diff --git a/collections/crowdsecurity/modsecurity.yaml b/collections/crowdsecurity/modsecurity.yaml
index 0f3ec238585..984df2f160d 100644
--- a/collections/crowdsecurity/modsecurity.yaml
+++ b/collections/crowdsecurity/modsecurity.yaml
@@ -2,9 +2,30 @@ parsers:
 - crowdsecurity/modsecurity
 scenarios:
 - crowdsecurity/modsecurity
+ - crowdsecurity/modsecurity-blocking-evaluation-response
+ - crowdsecurity/modsecurity-blocking-evaluation
+ - crowdsecurity/modsecurity-data-leakages-sql
+ - crowdsecurity/modsecurity-data-leakages
+ - crowdsecurity/modsecurity-generic
+ - crowdsecurity/modsecurity-injection-nodejs
+ - crowdsecurity/modsecurity-injection-php
+ - crowdsecurity/modsecurity-java
+ - crowdsecurity/modsecurity-lfi
+ - crowdsecurity/modsecurity-multipart-header
+ - crowdsecurity/modsecurity-nextcloud
+ - crowdsecurity/modsecurity-protocol-enforcement
+ - crowdsecurity/modsecurity-rce
+ - crowdsecurity/modsecurity-reputation-scanner
+ - crowdsecurity/modsecurity-rfi
+ - crowdsecurity/modsecurity-session-fixation
+ - crowdsecurity/modsecurity-sqli
+ - crowdsecurity/modsecurity-ssrf
+ - crowdsecurity/modsecurity-web-shells
+ - crowdsecurity/modsecurity-wordpress
+ - crowdsecurity/modsecurity-xss
 description: "modsecurity support : modsecurity parser and scenario"
 author: crowdsecurity
 tags:
 - linux
 - web
- - waf
\ No newline at end of file
+ - waf
From ad56b24d43092afc91a50b5d0efaf6a8974617f0 Mon Sep 17 00:00:00 2001
From: 0xbbuddha
Date: Tue, 2 Sep 2025 12:03:31 +0200
Subject: [PATCH 4/6] fix: || evt parsed tags OWASP_CRS/ATTACK-XSS
---
 scenarios/crowdsecurity/modsecurity-xss.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scenarios/crowdsecurity/modsecurity-xss.yaml b/scenarios/crowdsecurity/modsecurity-xss.yaml
index e7b060e187e..3e33d3838a8 100644
--- a/scenarios/crowdsecurity/modsecurity-xss.yaml
+++ b/scenarios/crowdsecurity/modsecurity-xss.yaml
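Review bot: The context line `description: "modsecurity support : modsecurity parser and scenario"` is now out of date, since the collection ships twenty-two scenarios after this hunk, and it is the text users see in the hub before installing. Changing it to `description: "modsecurity support : modsecurity parser and scenarios"`, or briefly listing what the scenarios classify, belongs in the same commit as the list. The `- waf` rewrite only adds the missing trailing newline and is fine.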
@@ -5,7 +5,7 @@ filter: |
 evt.Meta.log_type == "modsecurity"
 && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
 && evt.Parsed.ruleid matches "^941"
- && evt.Parsed.tags matches "attack-xss"
+ && (evt.Parsed.tags matches "attack-xss" || evt.Parsed.tags matches "OWASP_CRS/ATTACK-XSS"
 groupby: evt.Meta.source_ip
 labels:
 remediation: true
From 37c3726b145f341a6f50037bb374aa5f3996fed6 Mon Sep 17 00:00:00 2001
From: 0xbbuddha
Date: Tue, 2 Sep 2025 12:05:07 +0200
Subject: [PATCH 5/6] fix: close ()
---
 scenarios/crowdsecurity/modsecurity-xss.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scenarios/crowdsecurity/modsecurity-xss.yaml b/scenarios/crowdsecurity/modsecurity-xss.yaml
index 3e33d3838a8..ee21eae4889 100644
--- a/scenarios/crowdsecurity/modsecurity-xss.yaml
+++ b/scenarios/crowdsecurity/modsecurity-xss.yaml
@@ -5,7 +5,7 @@ filter: |
 evt.Meta.log_type == "modsecurity"
 && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
 && evt.Parsed.ruleid matches "^941"
- && (evt.Parsed.tags matches "attack-xss" || evt.Parsed.tags matches "OWASP_CRS/ATTACK-XSS"
+ && (evt.Parsed.tags matches "attack-xss" || evt.Parsed.tags matches "OWASP_CRS/ATTACK-XSS")
 groupby: evt.Meta.source_ip
 labels:
 remediation: true
From 0ccc1d45e7ba1725015cb7c9c82f0be0efd7b852 Mon Sep 17 00:00:00 2001
From: 0xbbuddha
Date: Tue, 2 Sep 2025 12:05:29 +0200
Subject: [PATCH 6/6] fix: || evt parsed tags OWASP_CRS/ATTACK-SQLI
---
 scenarios/crowdsecurity/modsecurity-sqli.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scenarios/crowdsecurity/modsecurity-sqli.yaml b/scenarios/crowdsecurity/modsecurity-sqli.yaml
index f655f3500b7..0badc0038ea 100644
--- a/scenarios/crowdsecurity/modsecurity-sqli.yaml
+++ b/scenarios/crowdsecurity/modsecurity-sqli.yaml
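Review bot: Only xss (this patch) and sqli (the next one) gain the upper-case `OWASP_CRS/ATTACK-*` tag form; lfi, rfi, rce, ssrf, injection-php, injection-nodejs, java, session-fixation, web-shells, data-leakages, data-leakages-sql, reputation-scanner and multipart-header still test only the lower-case tag, so on a CRS build that emits the upper-case form those scenarios silently produce no alert while the collection advertises them. A single case-insensitive test, `&& evt.Parsed.tags matches "(?i)attack-xss"`, covers both spellings in one place and is the shape the other scenarios should adopt before the collection is published. The closing parenthesis added here completes the alternation that patch 4 left unbalanced; the enclosing `filter` block starts and ends outside the hunk.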
@@ -5,7 +5,7 @@ filter: |
 evt.Meta.log_type == 'modsecurity'
 && (evt.Parsed.ruleseverity == 'CRITICAL' || evt.Parsed.ruleseverity == '2')
 && evt.Parsed.ruleid matches "^942"
- && evt.Parsed.tags matches "attack-sqli"
+ && (evt.Parsed.tags matches "attack-sqli" || evt.Parsed.tags matches "OWASP_CRS/ATTACK-SQLI")
 groupby: evt.Meta.source_ip
 labels:
 remediation: true