10 changes: 10 additions & 0 deletions collections/crowdsecurity/http-forensic.md
@@ -0,0 +1,10 @@
## HTTP Forensic

This collection is intended to be used while replaying logs.

It includes rules that detect exploitation attempts of known vulnerabilities, along with generic SQL injection and XSS attacks.

Unlike the main HTTP scenarios, which generally cover a broad range of traffic patterns, this collection specifically targets requests that resulted in a 200 OK response—i.e., cases where the server appeared to accept the request successfully. This makes it especially useful for spotting attacks that may have bypassed protections or gone unnoticed in normal traffic.

The collection does not ship any log parser directly, make sure the parser for your webserver (such as [nginx](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx) or [apache2](https://hub.crowdsec.net/author/crowdsecurity/collections/apache2).) is installed.

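Review bot: the last paragraph of the README has a comma splice and a stray period inside the parentheses ("apache2).) is installed"). Suggest: "The collection does not ship any log parser directly; make sure the parser for your web server (such as [nginx](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx) or [apache2](https://hub.crowdsec.net/author/crowdsecurity/collections/apache2)) is installed." It would also help readers to state here what the scenario files only say in a comment: the scenarios have no blackhole, so every matching request produces an alert, which is what you want during replay but can be noisy if someone installs the collection on a live instance.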
12 changes: 12 additions & 0 deletions collections/crowdsecurity/http-forensic.yaml
@@ -0,0 +1,12 @@
collections:
- crowdsecurity/whitelist-good-actors
parsers:
- crowdsecurity/http-logs
scenarios:
- crowdsecurity/forensic-sqli-detection
- crowdsecurity/forensic-xss-detection
author: crowdsecurity
tags:
- web
- exploit
- http
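Review bot: the collection has no `description` field, so the hub listing will carry no summary for it; the other crowdsecurity collections in the hub ship one, and the first sentence of the README ("intended to be used while replaying logs") would do. Also worth a second look: pulling in `crowdsecurity/whitelist-good-actors` means requests from whitelisted sources are dropped before they reach these scenarios, while the README sells the collection as a way to spot attacks that "may have bypassed protections or gone unnoticed"; if that is intended, say so in the README, otherwise consider leaving the whitelist to the operator.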
25 changes: 25 additions & 0 deletions scenarios/crowdsecurity/forensic-sqli-detection.yaml
@@ -0,0 +1,25 @@
type: trigger
name: crowdsecurity/forensic-sqli-detection
description: "Detect SQLI attempts in GET parameters with libinjection"
# this requires the http-logs parser
filter: |
let has_args = len(evt.Parsed.http_args) > 0;
if has_args && evt.Meta.log_type == "http_access-log" && evt.Meta.http_status == "200" {
let full_uri = evt.Parsed.request + "?" + evt.Parsed.http_args;
let http_params = ParseUri(full_uri);
let vals = flatten(values(http_params));
any(vals, { LibInjectionIsSQLI(#) })
} else {
false
}
# This scenario has no blackhole
# It's intended to be used while replaying logs, in which case you likely want to see all matches
labels:
confidence: 2
spoofable: 0
classification:
- attack.T1190
behavior: "http:exploit"
label: "HTTP SQLi Detection - GET parameters"
service: http
remediation: false
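Review bot: in the filter, `let full_uri = evt.Parsed.request + "?" + evt.Parsed.http_args;` assumes `evt.Parsed.request` holds only the path; if the http-logs parser leaves the query string in `request`, the concatenation yields `path?args?args` and `ParseUri` then sees a mangled last parameter, so please confirm which field holds the bare path (or use the path field directly). Minor: `description` says "SQLI" while `label` says "SQLi"; pick one spelling for the hub listing.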
25 changes: 25 additions & 0 deletions scenarios/crowdsecurity/forensic-xss-detection.yaml
@@ -0,0 +1,25 @@
type: trigger
name: crowdsecurity/forensic-xss-detection
description: "Detect XSS attempts in GET parameters with libinjection"
# this requires the http-logs parser
filter: |
let has_args = len(evt.Parsed.http_args) > 0;
if has_args && evt.Meta.log_type == "http_access-log" && evt.Meta.http_status == "200" {
let full_uri = evt.Parsed.request + "?" + evt.Parsed.http_args;
let http_params = ParseUri(full_uri);
let vals = flatten(values(http_params));
any(vals, { LibInjectionIsXSS(#) })
} else {
false
}
# This scenario has no blackhole
# It's intended to be used while replaying logs, in which case you likely want to see all matches
labels:
confidence: 2
spoofable: 0
classification:
- attack.T1190
behavior: "http:exploit"
label: "HTTP XSS Detection - GET parameters"
service: http
remediation: false
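Review bot: this filter is a verbatim copy of the SQLi scenario's filter with `LibInjectionIsSQLI` swapped for `LibInjectionIsXSS`, so the same question about `evt.Parsed.request + "?" + evt.Parsed.http_args` duplicating the query string applies here and any fix needs to land in both files; a one-line comment noting that the two scenarios are meant to stay in sync would help the next person who edits only one of them.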
32 changes: 32 additions & 0 deletions taxonomy/scenarios.json
Expand Up @@ -4635,6 +4635,38 @@
"CVE-2020-5902"
]
},
"crowdsecurity/forensic-sqli-detection": {
"name": "crowdsecurity/forensic-sqli-detection",
"description": "Detect SQLI attempts in GET parameters with libinjection",
"label": "HTTP SQLi Detection - GET parameters",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0001:T1190"
],
"confidence": 2,
"spoofable": 0,
"cti": true,
"service": "http",
"created_at": "2025-09-12 15:57:09"
},
"crowdsecurity/forensic-xss-detection": {
"name": "crowdsecurity/forensic-xss-detection",
"description": "Detect XSS attempts in GET parameters with libinjection",
"label": "HTTP XSS Detection - GET parameters",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0001:T1190"
],
"confidence": 2,
"spoofable": 0,
"cti": true,
"service": "http",
"created_at": "2025-09-12 15:57:09"
},
"crowdsecurity/fortinet-cve-2018-13379": {
"name": "crowdsecurity/fortinet-cve-2018-13379",
"description": "Detect cve-2018-13379 exploitation attemps",
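Review bot: both new taxonomy entries set `"cti": true`, yet the scenarios they describe are documented as replay-only with `remediation: false`; alerts produced while replaying historical logs would be reported as current signals, so check whether these should be excluded from CTI sharing, or document why not. The `"description"` strings also carry the "SQLI"/"SQLi" spelling mismatch with `"label"` that exists in the scenario files, and whichever spelling is chosen there should be mirrored here.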