Hi
Modsecurity detected a scan with a ‘User-Agent: Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)’ header due to wrong ‘Accept-Charset’ header …
Seeing this I wonder
what I need to do to detect this with Crowdsec directly? Any scenario for this or can I add this string easily to an existing scenario?
how can I order the detection? So that Crowdsec scenarios for this come first and modsecurity as last in chain?
Hi,
are you talking about the " http-bad-user-agent" scenario?
https://hub.crowdsec.net/author/crowdsecurity/configurations/http-bad-user-agent
There is a list that the scenario refers to:
https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
So I think your input should be placed there or you modify the scenario to a local list.
Basically neither option really suits what I would expect which is
Maybe supporting two lists by default, one unmodifyable/retrieved from the scenario and an optional local list for this would be a solution?
Hello !
It is something we’re working on. Currently data-files are not updated when you update the hub 