From 684281c161ee07b4d06f4b5653a4ce4879cd3a4b Mon Sep 17 00:00:00 2001
From: Jackson Cremean <115671214+GNU-Plus-Windows-User@users.noreply.github.com>
Date: Sat, 1 Mar 2025 22:44:02 +1100
Subject: [PATCH 1/3] detect wordpress scanning of txt and md files
---
 .tests/http-wordpress-scan/http-wordpress-scan.log | 2 ++
 scenarios/crowdsecurity/http-wordpress-scan.yaml | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.tests/http-wordpress-scan/http-wordpress-scan.log b/.tests/http-wordpress-scan/http-wordpress-scan.log
index 1fb099c77a6..69c9467da90 100644
--- a/.tests/http-wordpress-scan/http-wordpress-scan.log
+++ b/.tests/http-wordpress-scan/http-wordpress-scan.log
@@ -3,3 +3,5 @@
 127.0.0.1 - - [19/Apr/2024:14:41:25 +0200] "GET /activate/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
 127.0.0.1 - - [19/Apr/2024:14:41:26 +0200] "GET /wp-content/plugins/sniplets/modules/syntax_highlight.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
 127.0.0.1 - - [19/Apr/2024:14:41:26 +0200] "GET /wp-content/plugins/sniplets/view/sniplets/warning.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
+127.0.0.1 - - [01/Mar/2025:18:09:52 +1100] "HEAD /wp-content/plugins/blocksy-companion/README.txt HTTP/2.0" 404 0 "https://example.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
+127.0.0.1 - - [01/Mar/2025:18:09:53 +1100] "HEAD /wp-content/plugins/blocksy-companion/README.md HTTP/2.0" 404 0 "https://example.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
diff --git a/scenarios/crowdsecurity/http-wordpress-scan.yaml b/scenarios/crowdsecurity/http-wordpress-scan.yaml
index de8c2b9e0d6..bfe1deadb92 100644
--- a/scenarios/crowdsecurity/http-wordpress-scan.yaml
+++ b/scenarios/crowdsecurity/http-wordpress-scan.yaml
@@ -2,11 +2,11 @@ type: leaky
 name: crowdsecurity/http-wordpress-scan
 description: "Detect WordPress scan: vuln hunting"
 filter: |
-  evt.Meta.service == 'http' and
-  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
+  evt.Meta.service == 'http' and
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
   evt.Meta.http_status in ['404', '403'] and
   Lower(evt.Meta.http_path) contains "/wp-" and
-  Lower(evt.Meta.http_path) endsWith ".php"
+  Lower(evt.Meta.http_path) matches "\\.(php|txt|md)$"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.http_path
 capacity: 3
From e1a04c199fbb4b586998e939e728e10eaef2b30d Mon Sep 17 00:00:00 2001
From: Jackson Cremean <115671214+GNU-Plus-Windows-User@users.noreply.github.com>
Date: Thu, 6 Mar 2025 15:26:15 +1100
Subject: [PATCH 2/3] apply suggestions
---
 scenarios/crowdsecurity/http-wordpress-scan.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scenarios/crowdsecurity/http-wordpress-scan.yaml b/scenarios/crowdsecurity/http-wordpress-scan.yaml
index bfe1deadb92..0e1ceeba117 100644
--- a/scenarios/crowdsecurity/http-wordpress-scan.yaml
+++ b/scenarios/crowdsecurity/http-wordpress-scan.yaml
@@ -5,9 +5,14 @@ filter: |
   evt.Meta.service == 'http' and
   evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
   evt.Meta.http_status in ['404', '403'] and
+  (
   Lower(evt.Meta.http_path) contains "/wp-" and
-  Lower(evt.Meta.http_path) matches "\\.(php|txt|md)$"
-groupby: evt.Meta.source_ip
+  Lower(evt.Meta.http_path) endsWith ".(php)"
+  ) ||
+  (
+  Lower(evt.Meta.http_path) contains "/wp-content/plugins" and
+  Lower(evt.Meta.http_path) matches "\\.(txt|md)$"
+  )groupby: evt.Meta.source_ip
 distinct: evt.Meta.http_path
 capacity: 3
 leakspeed: "10s"
From 78b41fa5d995b3dd998db205919c14d64ec65ba0 Mon Sep 17 00:00:00 2001
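Review bot: The `.php` branch added in the second yaml hunk (`@@ -5,9 +5,14 @@`) can no longer match anything, because `endsWith ".(php)"` is a literal suffix comparison rather than a regex, so a path ending in `.php` never satisfies it; it should read `Lower(evt.Meta.http_path) endsWith ".php"` (or `matches "\\.php$"`). The two branches are also joined by a bare `||` at the same level as the preceding `and` chain, and since `and` binds tighter than `||` in expr, the `.txt`/`.md` branch is evaluated without the `service`, `log_type` and `http_status` constraints, so a 200 response to an installed plugin's `readme.txt` would feed the bucket. Wrapping both branches in one outer group, as below, puts the status filter back in front of both; as written, the three existing `.php` lines in the test fixture log would presumably stop matching, which the test's expected output may not reflect. The `filter: |` block starts outside this hunk.
```yaml
  # … unchanged: service / log_type checks …
  evt.Meta.http_status in ['404', '403'] and
  (
    (
      Lower(evt.Meta.http_path) contains "/wp-" and
      Lower(evt.Meta.http_path) endsWith ".php"
    ) or
    (
      Lower(evt.Meta.http_path) contains "/wp-content/plugins" and
      Lower(evt.Meta.http_path) matches "\\.(txt|md)$"
    )
  )
groupby: evt.Meta.source_ip
```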
From: Laurence Jones
Date: Thu, 6 Mar 2025 06:54:23 +0000
Subject: [PATCH 3/3] Update http-wordpress-scan.yaml
Fix the groupby
---
 scenarios/crowdsecurity/http-wordpress-scan.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scenarios/crowdsecurity/http-wordpress-scan.yaml b/scenarios/crowdsecurity/http-wordpress-scan.yaml
index 0e1ceeba117..4c0b741b9b0 100644
--- a/scenarios/crowdsecurity/http-wordpress-scan.yaml
+++ b/scenarios/crowdsecurity/http-wordpress-scan.yaml
@@ -12,7 +12,8 @@ filter: |
   (
   Lower(evt.Meta.http_path) contains "/wp-content/plugins" and
   Lower(evt.Meta.http_path) matches "\\.(txt|md)$"
-  )groupby: evt.Meta.source_ip
+  )
+groupby: evt.Meta.source_ip
 distinct: evt.Meta.http_path
 capacity: 3
 leakspeed: "10s"