type: leaky
name: crowdsecurity/http-admin-interface-probing
description: "Detect generic HTTP admin interface probing"
filter: |
  evt.Meta.service == 'http' and
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  evt.Meta.http_status in ['404', '403'] and
  any(File("admin_interfaces.txt"), { Lower(evt.Meta.http_path) contains #})
groupby: evt.Meta.source_ip
distinct: "evt.Meta.http_path"
data:
  - source_url: https://hub-data.crowdsec.net/web/admin_interfaces.txt
    dest_file: admin_interfaces.txt
    type: string
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP Admin Interface Probing"
  service: http
  remediation: true