crowdsec: enable sshd acquisition, add http admin probing scenario

crowdsec/docker-compose.yaml

@@ -41,6 +41,7 @@ services:
       - ./parsers/s02-enrich/whitelist-trusted.yaml:/etc/crowdsec/parsers/s02-enrich/whitelist-trusted.yaml:ro
       - ./scenarios/stalwart-smtp-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-smtp-bruteforce.yaml:ro
       - ./scenarios/stalwart-auth-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-auth-bruteforce.yaml:ro
+      - ./scenarios/http-admin-interface-probing.yaml:/etc/crowdsec/scenarios/http-admin-interface-probing.yaml:ro
       - /var/log/journal:/var/log/journal:ro
       - /run/log/journal:/run/log/journal:ro
       - /etc/machine-id:/etc/machine-id:ro

crowdsec/scenarios/http-admin-interface-probing.yaml

@@ -0,0 +1,26 @@
+type: leaky
+name: crowdsecurity/http-admin-interface-probing
+description: "Detect generic HTTP admin interface probing"
+filter: |
+  evt.Meta.service == 'http' and
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
+  evt.Meta.http_status in ['404', '403'] and
+  any(File("admin_interfaces.txt"), { Lower(evt.Meta.http_path) contains #})
+groupby: evt.Meta.source_ip
+distinct: "evt.Meta.http_path"
+data:
+  - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
+    dest_file: admin_interfaces.txt
+    type: string
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1595
+  behavior: "http:scan"
+  label: "HTTP Admin Interface Probing"
+  service: http
+  remediation: true