Scénario filtrant les user agents

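---
# CrowdSec scenario: alert on (and, via the remediation label, block) source
# IPs whose HTTP requests carry an outdated Chrome/Firefox/Trident User-Agent.
type: trigger  # trigger bucket: fires on the first event matching the filter
name: bmo/http-ua-old-403-404
description: "Bloque les User-Agent Chrome < 100 qui génèrent des 403 ou 404"
debug: false

# Match condition, evaluated per parsed event:
#   - log_type must be an HTTP access log line;
#   - http_status (a string in evt.Meta) must be one of the listed codes;
#   - the User-Agent must advertise an old engine:
#       Chrome/Firefox major version 1-99 ("\\." is the escaped literal dot
#       that must follow the version number), or Trident 1.0-5.1.
# NOTE(review): the scenario name, description and label all say
# "Chrome 403/404", but the filter also accepts Firefox and Trident and the
# status list includes 200, 206, 499, 500, 502 and 503. With a trigger
# bucket and remediation enabled, one successful (200/206) request from an
# old browser version is enough to ban the source IP, and the UA string is
# client-supplied. Confirm the extra statuses are intended, or narrow the
# list to 403/404 to match the documented intent.
filter: |
  evt.Meta.log_type in ["http_access-log"] &&
  evt.Meta.http_status in ["403", "404", "499", "500", "502", "200", "206", "503"] &&
  (
    evt.Meta.http_user_agent matches '(Chrome|Firefox)/([1-9]|[1-9][0-9])\\.' ||
    evt.Meta.http_user_agent matches 'Trident/[1-5]\\.[0-1]'
  )

# One bucket per client IP, so the alert and any decision target that IP.
groupby: evt.Meta.source_ip

labels:
  confidence: 3
  spoofable: 0  # source IP comes from a TCP/HTTP connection, not spoofable
  classification: "attack.T1595"  # MITRE ATT&CK T1595 (Active Scanning)
  behavior: "http:scan"
  label: "Old Chrome/Firefox UA 403/404 Scan"
  service: nginx
  type: nginx
  remediation: true  # alerts from this scenario produce a decision (ban)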