Ban ip by word in path

Hi there,
Someone attack my server from different ip at the same time and http-probing scenario does not ban it.
They make request to my server by its hostname (I even do not know how make it unavailable to everyone because it is auto-generated page by webuzo cPanel )
Frequantly, url request contains wp-login, wp-includes, wp-content so I want ban this ip as soon as parser find this in logs.
Mine scenario does not work:

#contributed by daria-zadorozhna
type: trigger
name: daria-zadorozhna/http-wp-files
description: "detect wp-files"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path contains '/wp-'"
groupby: evt.Meta.source_ip
blackhole: 5m
labels:
service: http
type: scan
remediation: true

Could anyone help me write right scenario?

Can’t help but interested by this too.

Can you provide some details like which log parsers you using? That scenario should work for nginx, apache2. Since you made the file did you restart crowdsec so it loads the file?

1 Like