Patch groupby (#948)

* Patch groupby * I like to move it move it * No iperino
crowdsecurity · Feb 1, 2024 · e3566e8 · e3566e8
1 parent 1232d32
commit e3566e8
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/scenarios/crowdsecurity/http-open-proxy.yaml b/scenarios/crowdsecurity/http-open-proxy.yaml
@@ -4,6 +4,7 @@ description: "Detect scan for open proxy"
 #apache returns 405, nginx 400
 filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
 blackhole: 2m
+groupby: evt.Meta.source_ip
 labels:
   service: http
   type: scan

diff --git a/scenarios/crowdsecurity/modsecurity.yaml b/scenarios/crowdsecurity/modsecurity.yaml
@@ -5,6 +5,7 @@ description: "Web exploitation via modsecurity"
 #modsec for nginx only logs the numerical value of the severity
 filter: evt.Meta.log_type == 'modsecurity' && (evt.Parsed.ruleseverity == 'CRITICAL' || evt.Parsed.ruleseverity == '2')
 blackhole: 2m
+groupby: evt.Meta.source_ip
 labels:
   remediation: true
   classification: