From 50509bfb2e9ea32d992684cf41a30c12647d9016 Mon Sep 17 00:00:00 2001
From: Laurence Jones
Date: Tue, 30 Jan 2024 10:16:44 +0000
Subject: [PATCH] DOS fixes (#943)

---
 scenarios/crowdsecurity/http-dos-bypass-cache.yaml | 4 ++--
 scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scenarios/crowdsecurity/http-dos-bypass-cache.yaml b/scenarios/crowdsecurity/http-dos-bypass-cache.yaml
index 6a7f91975c4..ba24b651741 100644
--- a/scenarios/crowdsecurity/http-dos-bypass-cache.yaml
+++ b/scenarios/crowdsecurity/http-dos-bypass-cache.yaml
@@ -2,7 +2,7 @@ type: leaky
 name: crowdsecurity/http-dos-bypass-cache
 description: "Detect DoS tools bypassing cache every request"
 #as seen in cc-attack tool
-filter: "evt.Meta.log_type == 'http_access-log' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12 && evt.Parsed.http_args matches '^[0-9]+$' && evt.Parsed.static_ressource == 'false'"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_args_len != '' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12 && evt.Parsed.http_args matches '^[0-9]+$' && evt.Parsed.static_ressource == 'false'"
 distinct: "evt.Parsed.http_args"
 leakspeed: 1s
 capacity: 30
@@ -18,4 +18,4 @@ labels:
 classification:
 - attack.T1498
 behavior: "http:dos"
- label: "detection of http dos with cache bypass"
\ No newline at end of file
+ label: "detection of http dos with cache bypass"
diff --git a/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml b/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml
index e63616f3c16..da90a3fa508 100644
--- a/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml
+++ b/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml
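Review bot: The new `evt.Meta.http_args_len != ''` guard on the `filter:` line only covers the empty/absent case; if the parser ever leaves a non-numeric value in `http_args_len` (presumably the length of the client-supplied query string, given the sibling `http_args` check), the `int()` calls will still fail at evaluation time, which appears to be the very failure this patch is working around. A digit-only match handles both cases in one clause: `evt.Meta.http_args_len matches '^[0-9]+$' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12`. The reason for the guard is also not recorded in the file, so a comment above `filter:` such as `# http_args_len may be empty (no query string or key unset); guard before int() so the expression cannot error` would keep a later editor from "simplifying" it away. The scenario's `groupby`, `blackhole` and `labels` lines sit outside this hunk.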
@@ -4,7 +4,7 @@ format: 2.0
 name: crowdsecurity/http-dos-invalid-http-versions
 description: "Detect DoS tools using invalid HTTP versions"
 #pattern seen in mhddos tool
-filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_version not in ["0.9", "1.0", "1.1", "2.0", "3.0"]'
+filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_version != "" && evt.Parsed.http_version not in ["0.9", "1.0", "1.1", "2.0", "3.0"]'
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
@@ -15,4 +15,4 @@ labels:
 classification:
 - attack.T1498
 behavior: "http:dos"
- label: "detection of http dos with invalid http version"
\ No newline at end of file
+ label: "detection of http dos with invalid http version"
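Review bot: The added `evt.Parsed.http_version != ""` guard stops events with no extracted version from satisfying `not in [...]`, but the remaining clause is still an exact-string allowlist, so a parser that renders HTTP/2 or HTTP/3 as `"2"` or `"3"` rather than `"2.0"`/`"3.0"` would make every such request from a source trip this scenario and, with the `blackhole: 2m` visible in the hunk, keep re-triggering it — worth confirming against the parsers that populate `http_version` before this is used in a blocking profile. Because the filter also accepts `http_error-log` events, where the request line may be partial, the guard deserves a comment above `filter:` so the intent survives, e.g. `# http_version is empty when no request line was parsed; skip those rather than treat them as invalid`. The scenario's `type` and any capacity/leakspeed lines are outside this hunk.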