crowdsecurity · 0xbbuddha · Aug 21, 2025 · Aug 21, 2025 · Aug 21, 2025 · Sep 2, 2025
diff --git a/collections/crowdsecurity/modsecurity.md b/collections/crowdsecurity/modsecurity.md
@@ -2,8 +2,29 @@
 
 A collection for modsecurity (tested only with Apache):
  - modsecurity parser: `crowdsecurity/modsecurity`
- - modsecurity scenario: `crowdsecurity/modsecurity
-
+ - modsecurity scenario:
+  - `crowdsecurity/modsecurity`
+  - `crowdsecurity/modsecurity-blocking-evaluation-response`
+  - `crowdsecurity/modsecurity-blocking-evaluation`
+  - `crowdsecurity/modsecurity-data-leakages-sql`
+  - `crowdsecurity/modsecurity-data-leakages`
+  - `crowdsecurity/modsecurity-generic`
+  - `crowdsecurity/modsecurity-injection-nodejs`
+  - `crowdsecurity/modsecurity-injection-php`
+  - `crowdsecurity/modsecurity-java`
+  - `crowdsecurity/modsecurity-lfi`
+  - `crowdsecurity/modsecurity-multipart-header`
+  - `crowdsecurity/modsecurity-nextcloud`
+  - `crowdsecurity/modsecurity-protocol-enforcement`
+  - `crowdsecurity/modsecurity-rce`
+  - `crowdsecurity/modsecurity-reputation-scanner`
+  - `crowdsecurity/modsecurity-rfi`
+  - `crowdsecurity/modsecurity-session-fixation`
+  - `crowdsecurity/modsecurity-sqli`
+  - `crowdsecurity/modsecurity-ssrf`
+  - `crowdsecurity/modsecurity-web-shells`
+  - `crowdsecurity/modsecurity-wordpress`
+  - `crowdsecurity/modsecurity-xss`
 
 ## Acquisition template
 

diff --git a/collections/crowdsecurity/modsecurity.yaml b/collections/crowdsecurity/modsecurity.yaml
@@ -2,9 +2,30 @@ parsers:
   - crowdsecurity/modsecurity
 scenarios:
   - crowdsecurity/modsecurity
+  - crowdsecurity/modsecurity-blocking-evaluation-response
+  - crowdsecurity/modsecurity-blocking-evaluation
+  - crowdsecurity/modsecurity-data-leakages-sql
+  - crowdsecurity/modsecurity-data-leakages
+  - crowdsecurity/modsecurity-generic
+  - crowdsecurity/modsecurity-injection-nodejs
+  - crowdsecurity/modsecurity-injection-php
+  - crowdsecurity/modsecurity-java
+  - crowdsecurity/modsecurity-lfi
+  - crowdsecurity/modsecurity-multipart-header
+  - crowdsecurity/modsecurity-nextcloud
+  - crowdsecurity/modsecurity-protocol-enforcement
+  - crowdsecurity/modsecurity-rce
+  - crowdsecurity/modsecurity-reputation-scanner
+  - crowdsecurity/modsecurity-rfi
+  - crowdsecurity/modsecurity-session-fixation
+  - crowdsecurity/modsecurity-sqli
+  - crowdsecurity/modsecurity-ssrf
+  - crowdsecurity/modsecurity-web-shells
+  - crowdsecurity/modsecurity-wordpress
+  - crowdsecurity/modsecurity-xss
 description: "modsecurity support : modsecurity parser and scenario"
 author: crowdsecurity
 tags:
   - linux
   - web
-  - waf
+  - waf
diff --git a/parsers/s01-parse/crowdsecurity/modsecurity.yaml b/parsers/s01-parse/crowdsecurity/modsecurity.yaml
@@ -21,8 +21,8 @@ pattern_syntax:
   MODSECRULEACCURACY: "\\[accuracy \"%{DATA:accuracy}\"\\]"
   MODSECRULEVERS2: "\\[ver \"%{DATA:version}\"\\]"
   MODSECRULETAGS2: "(?:\\[tag \"%{DATA:ruletag0}\"\\] )?(?:\\[tag \"%{DATA:ruletag1}\"\\] )?(?:\\[tag \"%{DATA:ruletag2}\"\\] )?(?:\\[tag \"%{DATA:ruletag3}\"\\] )?(?:\\[tag \"%{DATA:ruletag4}\"\\] )?(?:\\[tag \"%{DATA:ruletag5}\"\\] )?(?:\\[tag \"%{DATA:ruletag6}\"\\] )?(?:\\[tag \"%{DATA:ruletag7}\"\\] )?(?:\\[tag \"%{DATA:ruletag8}\"\\] )?(?:\\[tag \"%{DATA:ruletag9}\"\\] )?(?:\\[tag \"%{DATA}\"\\] )*"
-  MODSECHOSTNAME2: "\\[hostname ['\"]%{DATA:targethost}[\"']\\]"
-  MODSECURI2: "\\[uri [\"']%{DATA:targeturi}[\"']\\]"
+  MODSECHOSTNAME2: "\\[hostname ['\"]%{DATA:targethost}['\"]\\]"
+  MODSECURI2: "\\[uri ['\"]%{DATA:targeturi}['\"]\\]"
   MODSECUID2: "\\[unique_id \"%{DATA:uniqueid}\"\\]"
   MODSECREF2: "\\[ref \"%{DATA:ref}\"\\]"
   MODSECAPACHEERROR2: "%{MODSECPREFIX2} %{MODSECRULEFILE2} %{MODSECRULELINE2} (?:%{MODSECMATCHOFFSET2} )?(?:%{MODSECRULEID2} )?(?:%{MODSECRULEREV2} )?(?:%{MODSECRULEMSG2} )?(?:%{MODSECRULEDATA2} )?(?:%{MODSECRULESEVERITY2} )?(?:%{MODSECRULEVERS2} )?%{MODSECRULETAGS2}%{MODSECHOSTNAME2} %{MODSECURI2} %{MODSECUID2}"
@@ -61,4 +61,3 @@ nodes:
           expression: evt.Parsed.rulemessage
         - meta: modsec_ruledata
           expression: evt.Parsed.ruledata
-
diff --git a/scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml b/scenarios/crowdsecurity/modsecurity-blocking-evaluation-response.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-blocking-evaluation-response
+description: "Blocking evaluation events detected via ModSecurity CRS (response phase)"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^959"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+  behavior: "http:blocking-evaluation"
+  label: "Blocking Evaluation (Response)"
+  confidence: 2
+  service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml b/scenarios/crowdsecurity/modsecurity-blocking-evaluation.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-blocking-evaluation
+description: "Blocking evaluation events detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^949"
+  && (evt.Parsed.tags matches "attack-reputation-ip" || evt.Parsed.tags matches "attack-generic")
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+  behavior: "http:blocking-evaluation"
+  label: "Blocking Evaluation"
+  confidence: 2
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml b/scenarios/crowdsecurity/modsecurity-data-leakages-sql.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-data-leakages-sql
+description: "Sensitive data leakages (SQL-related) detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^951"
+  && evt.Parsed.tags matches "attack-disclosure"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1530
+  behavior: "http:data-leakage-sql"
+  label: "Data Leakage (SQL)"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-data-leakages.yaml b/scenarios/crowdsecurity/modsecurity-data-leakages.yaml
@@ -0,0 +1,19 @@
+type: trigger
+name: crowdsecurity/modsecurity-data-leakages
+description: "Sensitive data leakages detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && (evt.Parsed.ruleid matches "^950" || evt.Parsed.ruleid matches "^952" || evt.Parsed.ruleid matches "^953" || evt.Parsed.ruleid matches "^954" || evt.Parsed.ruleid matches "^956")
+  && evt.Parsed.tags matches "attack-disclosure"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1530
+  behavior: "http:data-leakage"
+  label: "Data Leakage"
+  confidence: 3
+  service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-generic.yaml b/scenarios/crowdsecurity/modsecurity-generic.yaml
@@ -0,0 +1,16 @@
+type: trigger
+name: crowdsecurity/modsecurity-generic
+description: "Generic ModSecurity CRS alert"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && (evt.Parsed.ruleid matches "^911" || evt.Parsed.tags matches "attack-generic")
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+  behavior: "http:generic"
+  label: "Generic ModSecurity Alert"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml b/scenarios/crowdsecurity/modsecurity-injection-nodejs.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-injection-nodejs
+description: "Node.js Injection detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^934"
+  && (evt.Parsed.tags matches "platform-nodejs" || evt.Parsed.tags matches "language-javascript" || evt.Parsed.tags matches "attack-injection-generic")
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1059
+    - attack.T1190
+  behavior: "http:injection-nodejs"
+  label: "Node.js Injection"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-injection-php.yaml b/scenarios/crowdsecurity/modsecurity-injection-php.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-injection-php
+description: "PHP Injection detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^933"
+  && evt.Parsed.tags matches "attack-injection-php"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1059
+    - attack.T1190
+  behavior: "http:injection-php"
+  label: "PHP Injection"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-java.yaml b/scenarios/crowdsecurity/modsecurity-java.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-java
+description: "Java-related security rule triggered via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^944"
+  && evt.Parsed.tags matches "attack-rce"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+  behavior: "http:java"
+  label: "Java Security Rule"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-lfi.yaml b/scenarios/crowdsecurity/modsecurity-lfi.yaml
@@ -0,0 +1,20 @@
+type: trigger
+name: crowdsecurity/modsecurity-lfi
+description: "Local File Inclusion detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^930"
+  && evt.Parsed.tags matches "attack-lfi"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+    - attack.T1105
+  behavior: "http:lfi"
+  label: "Local File Inclusion"
+  confidence: 3
+  service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-multipart-header.yaml b/scenarios/crowdsecurity/modsecurity-multipart-header.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-multipart-header
+description: "Malformed multipart or deprecated header detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^922"
+  && (evt.Parsed.tags matches "attack-multipart-header" || evt.Parsed.tags matches "attack-deprecated-header")
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+    - attack.T1071.001
+  behavior: "http:multipart-header"
+  label: "Malformed Multipart/Header"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-nextcloud.yaml b/scenarios/crowdsecurity/modsecurity-nextcloud.yaml
@@ -0,0 +1,24 @@
+type: trigger
+name: crowdsecurity/modsecurity-nextcloud
+description: "Nextcloud attacks detected via ModSecurity (application classification)"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && (
+    evt.Parsed.targeturi matches "(?i)/remote\\.php"
+    || evt.Parsed.targeturi matches "(?i)/index\\.php/apps/"
+    || evt.Parsed.targeturi matches "(?i)/ocs/v1\\.php|/ocs/v2\\.php"
+    || evt.Parsed.targeturi matches "(?i)/status\\.php"
+    || evt.Parsed.targeturi matches "(?i)/nextcloud/"
+  )
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+  behavior: "http:nextcloud-attack"
+  label: "Nextcloud Attack"
+  confidence: 2
+  service: http
+
+
diff --git a/scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml b/scenarios/crowdsecurity/modsecurity-protocol-enforcement.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-protocol-enforcement
+description: "Protocol enforcement anomalies detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && (evt.Parsed.ruleid matches "^920" || evt.Parsed.ruleid matches "^921")
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+    - attack.T1071.001
+  behavior: "http:protocol-enforcement"
+  label: "Protocol Enforcement Violation"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-rce.yaml b/scenarios/crowdsecurity/modsecurity-rce.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-rce
+description: "Command Injection / RCE detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^932"
+  && evt.Parsed.tags matches "attack-rce"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1059
+    - attack.T1190
+  behavior: "http:rce"
+  label: "Remote Code Execution"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml b/scenarios/crowdsecurity/modsecurity-reputation-scanner.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-reputation-scanner
+description: "Scanner reputation hit detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^913"
+  && evt.Parsed.tags matches "attack-reputation-scanner"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1046
+  behavior: "http:reputation-scanner"
+  label: "Scanner Reputation Hit"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-rfi.yaml b/scenarios/crowdsecurity/modsecurity-rfi.yaml
@@ -0,0 +1,18 @@
+type: trigger
+name: crowdsecurity/modsecurity-rfi
+description: "Remote File Inclusion detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^931"
+  && evt.Parsed.tags matches "attack-rfi"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1190
+    - attack.T1105
+  behavior: "http:rfi"
+  label: "Remote File Inclusion"
+  confidence: 3
+  service: http
diff --git a/scenarios/crowdsecurity/modsecurity-session-fixation.yaml b/scenarios/crowdsecurity/modsecurity-session-fixation.yaml
@@ -0,0 +1,17 @@
+type: trigger
+name: crowdsecurity/modsecurity-session-fixation
+description: "Session fixation attempt detected via ModSecurity CRS"
+filter: |
+  evt.Meta.log_type == "modsecurity"
+  && (evt.Parsed.ruleseverity == "CRITICAL" || evt.Parsed.ruleseverity == "2")
+  && evt.Parsed.ruleid matches "^943"
+  && evt.Parsed.tags matches "attack-fixation"
+groupby: evt.Meta.source_ip
+labels:
+  remediation: true
+  classification:
+    - attack.T1556
+  behavior: "http:session-fixation"
+  label: "Session Fixation"
+  confidence: 3
+  service: http