Creating scenario for CVE-2023-22515

Hi all,
I am trying to write a scenario in order to detect the CVE-2023-22515 exploit:
https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

It's relatively easy (…), we have to catch the "/setup/*" in the log line.
I have read this documentation:

For each point, I get similar results as the doc. Here is the scenario:

type: trigger
name: ul/CVE-2023-22515
description: "Detect CVE-2023-22515 (Confluence privilege escalation) exploitation attempts"
# `contains` is a plain substring test, so a literal '*' in the pattern would never
# match a real request path; upper-casing both sides catches /setup/ in any case.
filter: Upper(evt.Meta.http_path) contains '/SETUP/'
# raise one alert per source IP, then suppress that IP for one minute
blackhole: 1m
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  remediation: true

And the parsers and scenario in the test configuration:

~/hub/ cat .tests/cve-2023-22515/config.yaml
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- crowdsecurity/apache2-logs
scenarios:
- "./scenarios/ul/CVE-2023-22515.yaml"
postoverflows:
- ""
log_file: cve-2023-22515.log
log_type: apache2
labels: {}
ignore_parsers: true
override_statics: []

My problem is: how can I install this scenario into my running config?
It's not clear to me what the next step is.
Thank you !
Stephane.
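To make the detection logic of the scenario above concrete outside CrowdSec, here is an added Python example (not part of the original post, not CrowdSec's own code) that runs the same check over a few constructed Apache access-log lines: it extracts the request path the way the apache2-logs parser populates http_path (my assumption about that field: the target without its query string), applies a case-insensitive "contains /setup/" filter, and reproduces the trigger + blackhole: 1m + groupby source_ip behaviour. It also shows why a literal '/setup/*' pattern never fires, since `contains` is a plain substring test and no real path carries a '*'.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
# Two hosts: 203.0.113.7 hits /setup/ three times, 198.51.100.4 once (upper-case).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2023:10:00:01 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1234 "-" "curl/8.1"
203.0.113.7 - - [05/Oct/2023:10:00:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1"
198.51.100.4 - - [05/Oct/2023:10:00:05 +0000] "GET /login.action HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Oct/2023:10:01:30 +0000] "GET /SETUP/finishsetup.action HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2023:10:02:00 +0000] "GET /setup/?foo=bar HTTP/1.1" 200 100 "-" "curl/8.1"
"""

# Minimal combined-log-format regex: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Turn one access-log line into a flat event dict (None if it does not parse).

    Field names mirror the evt.Meta keys used in the scenario; splitting the
    target into http_path / http_args is an assumption about the parser.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, args = m.group("target").partition("?")
    return {
        "source_ip": m.group("ip"),
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "http_verb": m.group("method"),
        "http_path": path,
        "http_args": args,
        "http_status": int(m.group("status")),
    }


def setup_path_filter(evt):
    """Equivalent of: Upper(evt.Meta.http_path) contains '/SETUP/'."""
    return "/SETUP/" in evt["http_path"].upper()


def literal_star_filter(evt):
    """The original pattern with a literal '*': a substring test that never matches."""
    return "/SETUP/*" in evt["http_path"].upper()


def run_trigger(events, filter_fn=setup_path_filter, blackhole=timedelta(minutes=1)):
    """Emulate a CrowdSec 'trigger' scenario with groupby source_ip and a blackhole.

    The first matching event for a bucket key raises an alert; further matches
    from the same key are dropped until the blackhole window has elapsed.
    """
    alerts = []
    suppressed_until = {}
    for evt in events:
        if not filter_fn(evt):
            continue
        key = evt["source_ip"]
        until = suppressed_until.get(key)
        if until is not None and evt["timestamp"] < until:
            continue  # inside the blackhole window for this IP
        alerts.append({"source_ip": key, "timestamp": evt["timestamp"], "http_path": evt["http_path"]})
        suppressed_until[key] = evt["timestamp"] + blackhole
    return alerts


def detect(log_text, filter_fn=setup_path_filter):
    """Parse raw log text and return the alerts the scenario would raise."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return run_trigger(events, filter_fn=filter_fn)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['timestamp'].isoformat()} alert for {a['source_ip']} on {a['http_path']}")
    print("literal '/setup/*' pattern alerts:", len(detect(SAMPLE_LOG, literal_star_filter)))
```

Run as-is, the script raises three alerts: the first /setup/ hit from 203.0.113.7 at 10:00:01 (the 10:00:03 POST is swallowed by the blackhole), the upper-case /SETUP/ request from 198.51.100.4, and the 10:02:00 request from 203.0.113.7 once its one-minute window has passed. The literal-star variant raises none, which is the check to do before shipping the scenario: feed it a log line you know should match and confirm the bucket actually overflows.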

Hi

If you don't plan to push the scenario back into the hub then you don't need to create tests; you can simply copy or scp the file to the scenarios folder within crowdsec.

Also got pinged and created a PR: Add CVE-2023-22515 by LaurenceJJones · Pull Request #843 · crowdsecurity/hub · GitHub

I thought I had tested it (scp) but yes, it works, thanks!

Great for this pull request. Do we know when it will be available?
Sorry, I am not comfortable with this workflow…

It will most likely be merged within the next 15 minutes, just waiting for tests to complete.

Then you can run:

cscli hub update
cscli hub upgrade
cscli scenarios install crowdsecurity/CVE-2023-22515

I got it!
Thank you @iiAmLoz