From 58e247f7707ec2ec9c3d6e597051c35f2b74f9bf Mon Sep 17 00:00:00 2001
From: Aykhan Shahsuvarov
Date: Sun, 10 May 2026 00:51:24 +0400
Subject: [PATCH] crowdsec: enable sshd acquisition, add http admin probing scenario

---
 .../acquis.d/{sshd.yaml.example => sshd.yaml} | 0
 crowdsec/docker-compose.yaml | 1 +
 .../http-admin-interface-probing.yaml | 26 +++++++++++++++++++
 3 files changed, 27 insertions(+)
 rename crowdsec/acquis.d/{sshd.yaml.example => sshd.yaml} (100%)
 create mode 100644 crowdsec/scenarios/http-admin-interface-probing.yaml

diff --git a/crowdsec/acquis.d/sshd.yaml.example b/crowdsec/acquis.d/sshd.yaml
similarity index 100%
rename from crowdsec/acquis.d/sshd.yaml.example
rename to crowdsec/acquis.d/sshd.yaml
diff --git a/crowdsec/docker-compose.yaml b/crowdsec/docker-compose.yaml
index b50c05d..f38c4ca 100644
--- a/crowdsec/docker-compose.yaml
+++ b/crowdsec/docker-compose.yaml
@@ -41,6 +41,7 @@ services:
 - ./parsers/s02-enrich/whitelist-trusted.yaml:/etc/crowdsec/parsers/s02-enrich/whitelist-trusted.yaml:ro
 - ./scenarios/stalwart-smtp-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-smtp-bruteforce.yaml:ro
 - ./scenarios/stalwart-auth-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-auth-bruteforce.yaml:ro
+ - ./scenarios/http-admin-interface-probing.yaml:/etc/crowdsec/scenarios/http-admin-interface-probing.yaml:ro
 - /var/log/journal:/var/log/journal:ro
 - /run/log/journal:/run/log/journal:ro
 - /etc/machine-id:/etc/machine-id:ro
diff --git a/crowdsec/scenarios/http-admin-interface-probing.yaml b/crowdsec/scenarios/http-admin-interface-probing.yaml
new file mode 100644
index 0000000..f5415de
--- /dev/null
+++ b/crowdsec/scenarios/http-admin-interface-probing.yaml
@@ -0,0 +1,26 @@
+type: leaky
+name: crowdsecurity/http-admin-interface-probing
+description: "Detect generic HTTP admin interface probing"
+filter: |
+ evt.Meta.service == 'http' and
+ evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
+ evt.Meta.http_status in ['404', '403'] and
+ any(File("admin_interfaces.txt"), { Lower(evt.Meta.http_path) contains #})
+groupby: evt.Meta.source_ip
+distinct: "evt.Meta.http_path"
+data:
+ - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
+ dest_file: admin_interfaces.txt
+ type: string
+capacity: 5
+leakspeed: "10s"
+blackhole: 1m
+labels:
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1595
+ behavior: "http:scan"
+ label: "HTTP Admin Interface Probing"
+ service: http
+ remediation: true
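Review bot: The new scenario takes the hub's `crowdsecurity/` namespace in `name:` while being shipped as a repo-local file bind-mounted into `/etc/crowdsec/scenarios/`; if the hub item of the same name is ever installed (directly or through a collection), two scenarios with one name are loaded and it is unclear which copy cscli reports, upgrades or removes. A namespace the repo owns avoids that, e.g. `name: <your-namespace>/http-admin-interface-probing`. The filter's `any(File("admin_interfaces.txt"), …)` also depends on the `data:` entry being fetched from `hub-data.crowdsec.net` into the container's data directory, which presumably happens when the bucket is loaded and needs outbound HTTPS from the container — confirm the file is present in the running container, since without it the filter cannot match (or may fail to evaluate) and the scenario never fires; a comment above `data:` such as `# admin_interfaces.txt must exist in the crowdsec data dir; fetched from source_url at load` would record that dependency. Quoting is also mixed (`leakspeed: "10s"` but `blackhole: 1m`); both are plain strings, so pick one style.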