Hi all,
I am trying to write a scenario in order to detect the CVE-2023-22515 exploit:
https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
It's relatively easy (…): we have to catch “/setup/*” in the log line.
I have read this documentation:
For each point, I get similar results to the doc. Here is the scenario:
type: trigger
name: ul/CVE-2023-22515
description: "Detect CVE-2023-22515 cmd injection"
# `contains` is a plain substring test, so a literal '*' would never match a
# real request path; matching on the '/setup/' prefix catches every /setup/* request.
filter: Upper(evt.Meta.http_path) contains Upper('/setup/')
blackhole: 1m
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  remediation: true
And the parsers and scenario in the test configuration:
~/hub/ cat .tests/cve-2023-22515/config.yaml
parsers:
  - crowdsecurity/syslog-logs
  - crowdsecurity/dateparse-enrich
  - crowdsecurity/apache2-logs
scenarios:
  - "./scenarios/ul/CVE-2023-22515.yaml"
postoverflows:
  - ""
log_file: cve-2023-22515.log
log_type: apache2
labels: {}
ignore_parsers: true
override_statics: []
My problem is: how can I install this scenario into my running config?
It's not clear to me what the next step is.
Thank you !
Stephane.
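As an added example (not part of the original post and not CrowdSec's own code), here is a small Python model of what the trigger scenario above does when run over constructed Apache access-log lines: it reproduces the case-insensitive `/setup/` match, the per-source-IP grouping and the 1-minute blackhole, and shows why a literal `/setup/*` inside `contains` would never fire. The log lines, IPs and request paths are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache access-log lines (not taken from any real system).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Oct/2023:10:00:01 +0000] "GET /setup/somepage.action HTTP/1.1" 200 512
203.0.113.10 - - [04/Oct/2023:10:00:30 +0000] "POST /SETUP/other.action HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:10:00:45 +0000] "GET /login.action HTTP/1.1" 200 2048
203.0.113.10 - - [04/Oct/2023:10:01:10 +0000] "GET /setup/somepage.action HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def parse_line(line):
    """Roughly what the apache2 parser hands to a scenario: source_ip, time, http_path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"source_ip": m["ip"], "time": ts, "http_path": m["path"]}

def scenario_filter(meta):
    """Equivalent of: Upper(evt.Meta.http_path) contains Upper('/setup/').
    `contains` is a plain substring test, so a literal '/setup/*' would never
    match a real request path; the prefix '/setup/' is what must be searched."""
    return "/setup/".upper() in meta["http_path"].upper()

def run_trigger(log_text, blackhole=timedelta(minutes=1)):
    """Trigger scenario grouped by source_ip: the first matching event from a
    source raises an alert; further matches inside the blackhole window are dropped.
    Returns a list of (source_ip, iso_timestamp, http_path) alerts."""
    alerts, silenced_until = [], {}
    for line in log_text.splitlines():
        meta = parse_line(line)
        if meta is None or not scenario_filter(meta):
            continue
        ip = meta["source_ip"]
        if ip in silenced_until and meta["time"] < silenced_until[ip]:
            continue  # still inside the blackhole for this source
        silenced_until[ip] = meta["time"] + blackhole
        alerts.append((ip, meta["time"].isoformat(), meta["http_path"]))
    return alerts

if __name__ == "__main__":
    for alert in run_trigger(SAMPLE_LOG):
        print(alert)
```

With the sample above, the two `/setup/` requests at 10:00:01 and 10:00:30 from the same source collapse into one alert, and the request at 10:01:10 (after the blackhole expired) raises a second one.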