update appsec outofband scenarios and add it to the crs collection

crowdsecurity · Feb 13, 2025 · 3e55b93 · 3e55b93
1 parent c5fe650
commit 3e55b93
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/collections/crowdsecurity/appsec-crs.yaml b/collections/crowdsecurity/appsec-crs.yaml
@@ -4,6 +4,8 @@ appsec-configs:
   - crowdsecurity/crs
 appsec-rules:
   - crowdsecurity/crs
+scenarios:
+  - crowdsecurity/crowdsec-appsec-outofband
 description: "Appsec: Modsecurity core rule set rules"
 author: crowdsecurity
 tags:

diff --git a/scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml b/scenarios/crowdsecurity/crowdsec-appsec-outofband.yaml
@@ -1,14 +1,15 @@
-# just count distinct number of requests getting blocked
 type: leaky
-filter: evt.Parsed.program == 'crowdsec-waap' && evt.Appsec.HasInBandMatches == false && evt.Parsed.action in ["deny", "drop"]
+filter: evt.Parsed.source == 'crowdsec-appsec' && evt.Appsec.HasOutBandMatches == true && evt.Parsed.outofband_action in ["deny", "drop"]
 name: crowdsecurity/crowdsec-appsec-outofband
-description: IP has triggered more than 5 CrowdSec Out Of Band Waap rules
+description: IP has made more than 5 requests that triggered out-of-band appsec rules
 blackhole: 2m
 leakspeed: 30s
 capacity: 5
 labels:
   type: exploit
   remediation: true
+  confidence: 1
+  spoofable: 0
 groupby: "evt.Meta.source_ip"
 #---
 # at least requests blocked on 3 distinct URIs