Fix classification cast list to string

lachapette · lachapette · commit 560f4480317a · 2026-05-14T16:15:26.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -27,6 +27,7 @@ taxonomy/scenario_taxonomy_errors.md
 
 workspace.code-workspace
 .cache
+runtime/
 
 waf-check/dataset/*
 waf-check/output/*
diff --git a/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml b/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml
@@ -18,10 +18,7 @@ grok:
   statics:
     - meta: log_type
       value: synology-dsm_failed_auth
-statics:
-  - meta: log_type
-    value: synology-dsm_failed_auth
-  - meta: service
-    value: synology-dsm
-  - meta: source_ip
-    expression: "evt.Parsed.src_ip"
+    - meta: service
+      value: synology-dsm
+    - meta: source_ip
+      expression: "evt.Parsed.src_ip"
diff --git a/scenarios/crowdsecurity/ssh-bf.yaml b/scenarios/crowdsecurity/ssh-bf.yaml
@@ -4,8 +4,6 @@ name: crowdsecurity/ssh-bf
 description: "Detect ssh bruteforce"
 filter: "evt.Meta.log_type == 'ssh_failed-auth'"
 leakspeed: "10s"
-references:
-  - http://wikipedia.com/ssh-bf-is-bad
 capacity: 5
 groupby: evt.Meta.source_ip
 blackhole: 1m
@@ -14,8 +12,7 @@ labels:
   service: ssh
   confidence: 3
   spoofable: 0
-  classification:
-    - attack.T1110
+  classification: "attack.T1110"
   label: "SSH Bruteforce"
   behavior: "ssh:bruteforce"
   remediation: true
@@ -35,7 +32,6 @@ labels:
   remediation: true
   confidence: 3
   spoofable: 0
-  classification:
-    - attack.T1589
+  classification: "attack.T1589"
   behavior: "ssh:bruteforce"
   label: "SSH User Enumeration"
diff --git a/scenarios/crowdsecurity/synology-dsm-bf-slow-1h.yaml b/scenarios/crowdsecurity/synology-dsm-bf-slow-1h.yaml
@@ -13,7 +13,6 @@ labels:
   remediation: true
   confidence: 3
   spoofable: 0
-  classification:
-    - attack.T1110
+  classification: "attack.T1110"
   behavior: "http:bruteforce"
   label: "Synology DSM Bruteforce"
diff --git a/scenarios/crowdsecurity/synology-dsm-bf.yaml b/scenarios/crowdsecurity/synology-dsm-bf.yaml
@@ -9,11 +9,10 @@ groupby: evt.Meta.source_ip
 blackhole: 1m
 reprocess: true
 labels:
- service: synology_dsm
- remediation: true
- confidence: 3
- spoofable: 0
- classification:
-  - attack.T1110
- behavior: "http:bruteforce"
- label: "Synology DSM Bruteforce"
+  service: synology_dsm
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification: "attack.T1110"
+  behavior: "http:bruteforce"
+  label: "Synology DSM Bruteforce"
