DOS fixes (#943)

scenarios/crowdsecurity/http-dos-bypass-cache.yaml

@@ -2,7 +2,7 @@ type: leaky
 name: crowdsecurity/http-dos-bypass-cache
 description: "Detect DoS tools bypassing cache every request"
 #as seen in cc-attack tool
-filter: "evt.Meta.log_type == 'http_access-log' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12 && evt.Parsed.http_args matches '^[0-9]+$' && evt.Parsed.static_ressource == 'false'"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_args_len != '' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12 && evt.Parsed.http_args matches '^[0-9]+$' && evt.Parsed.static_ressource == 'false'"
 distinct: "evt.Parsed.http_args"
 leakspeed: 1s
 capacity: 30
@@ -18,4 +18,4 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos with cache bypass"
+  label: "detection of http dos with cache bypass"

scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml

@@ -4,7 +4,7 @@ format: 2.0
 name: crowdsecurity/http-dos-invalid-http-versions
 description: "Detect DoS tools using invalid HTTP versions"
 #pattern seen in mhddos tool
-filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_version not in ["0.9", "1.0", "1.1", "2.0", "3.0"]' 
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_version != "" && evt.Parsed.http_version not in ["0.9", "1.0", "1.1", "2.0", "3.0"]' 
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
@@ -15,4 +15,4 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos with invalid http version"
+  label: "detection of http dos with invalid http version"