add the technology probing scenario (#1776)

buixor · Copilot · Copilot · web-flow · commit 7af166b0bd13 · 2026-05-05T09:35:26.000+02:00
* add the technology probing scenario * no reprocess * Update scenarios/crowdsecurity/http-technology-probing.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update scenarios/crowdsecurity/http-technology-probing.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Clarify technology probing scenario description and trim whitespace Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/ac391c70-f3f2-41da-a496-78626375dc17 Co-authored-by: buixor <990714+buixor@users.noreply.github.com> * fix tests * tests --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
diff --git a/.tests/http-technology-probing/config.yaml b/.tests/http-technology-probing/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/dateparse-enrich
+  - crowdsecurity/nginx-logs
+  - crowdsecurity/http-logs
+scenarios:
+  - ./scenarios/crowdsecurity/http-technology-probing.yaml
+log_file: http-technology-probing.log
+log_type: nginx
+ignore_parsers: true
diff --git a/.tests/http-technology-probing/http-technology-probing.log b/.tests/http-technology-probing/http-technology-probing.log
@@ -0,0 +1,6 @@
+10.0.0.1 - - [01/Apr/2026:10:00:00 +0000] "GET /cgi-bin/videoconfiguration.cgi HTTP/1.1" 404 153 "-" "curl/7.68.0"
+10.0.0.2 - - [01/Apr/2026:10:00:01 +0000] "GET /crx/packmgr/service.jsp HTTP/1.1" 403 153 "-" "curl/7.68.0"
+10.0.0.3 - - [01/Apr/2026:10:00:02 +0000] "GET /some/random/path HTTP/1.1" 404 153 "-" "curl/7.68.0"
+10.0.0.1 - - [01/Apr/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
+10.0.0.1 - - [01/Apr/2026:10:00:01 +0000] "GET /crx/packmgr/service.jsp HTTP/1.1" 403 153 "-" "curl/7.68.0"
+
diff --git a/.tests/http-technology-probing/scenario.assert b/.tests/http-technology-probing/scenario.assert
@@ -0,0 +1,41 @@
+len(results) == 2
+"10.0.0.2" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.2"].IP == "10.0.0.2"
+results[0].Overflow.Sources["10.0.0.2"].Range == ""
+results[0].Overflow.Sources["10.0.0.2"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.2"].GetValue() == "10.0.0.2"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "http-technology-probing.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/crx/packmgr/service.jsp"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "403"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "curl/7.68.0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.2"
+results[0].Overflow.Alert.Events[0].GetMeta("target_technology") == "adobe-aem-crx-package-manager-probing"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-04-01T10:00:01Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-technology-probing"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 1
+"10.0.0.1" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1"
+results[1].Overflow.Sources["10.0.0.1"].Range == ""
+results[1].Overflow.Sources["10.0.0.1"].GetScope() == "Ip"
+results[1].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "http-technology-probing.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[1].Overflow.Alert.Events[0].GetMeta("http_path") == "/cgi-bin/videoconfiguration.cgi"
+results[1].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "curl/7.68.0"
+results[1].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("target_technology") == "acti-video-monitoring-panel-probing"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-04-01T10:00:00Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/http-technology-probing"
+results[1].Overflow.Alert.Remediation == false
+results[1].Overflow.Alert.GetEventsCount() == 1
diff --git a/collections/crowdsecurity/base-http-scenarios.yaml b/collections/crowdsecurity/base-http-scenarios.yaml
@@ -18,6 +18,7 @@ scenarios:
   - crowdsecurity/http-cve-probing
   - crowdsecurity/http-sap-interface-probing
   - crowdsecurity/http-generic-test
+  - crowdsecurity/http-technology-probing
 collections:
   - crowdsecurity/http-cve
 contexts:
diff --git a/scenarios/crowdsecurity/http-technology-probing.md b/scenarios/crowdsecurity/http-technology-probing.md
@@ -0,0 +1,3 @@
+A scenario that detects fingerprinting for various (300+) vendors and technologies.
+
+It doesn't trigger a ban on its own.
diff --git a/scenarios/crowdsecurity/http-technology-probing.yaml b/scenarios/crowdsecurity/http-technology-probing.yaml
@@ -0,0 +1,27 @@
+type: trigger
+name: crowdsecurity/http-technology-probing
+description: "Detect HTTP technology/vendor probing"
+filter: |
+  if (evt.Meta.service == 'http' and
+      evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
+      evt.Meta.http_status in ['404', '403'])
+    {
+      let target_technology = LookupFile(evt.Meta.http_path, "technology_probing.json");
+      target_technology != "" ? evt.SetMeta("target_technology", target_technology)  : false
+    } else { false }
+groupby: evt.Meta.source_ip
+blackhole: 1m
+data:
+  # 
+  - dest_file: technology_probing.json
+    source_url: https://hub-data.crowdsec.net/web/technology_probing.json
+    type: map
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1595
+  behavior: "http:scan"
+  label: "HTTP Technology Probing"
+  service: http
+  remediation: false

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+A scenario that detects fingerprinting for various (300+) vendors and technologies.`
	`2`	`+`
	`3`	`+It doesn't trigger a ban on its own.`