add wip scenarios for challenge mode#1815
Open
blotus wants to merge 4 commits into
Conversation
Hello @blotus, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
Contributor
Pull request overview
Adds three work-in-progress AppSec scenarios that detect abnormal interaction patterns with the AppSec challenge page (excessive requests, excessive submissions, and requests without subsequent submissions).
Changes:
- New leaky scenario crowdsecurity/appsec-challenge-too-many-submissions (5 submits / 60s, blackhole 1m).
- New leaky scenario crowdsecurity/appsec-challenge-too-many-requests (5 requests / 60s, blackhole 1m).
- New counter scenario crowdsecurity/appsec-challenge-request-with-no-submission using cancel_on to discard buckets where a submission follows the request.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| scenarios/crowdsecurity/challenge-too-many-submit.yaml | Leaky bucket on submitted challenge events grouped by source IP. |
| scenarios/crowdsecurity/challenge-too-many-request.yaml | Leaky bucket on requested challenge events grouped by source IP. |
| scenarios/crowdsecurity/challenge-request-with-no-submission.yaml | Counter scenario that fires when a challenge is requested but not submitted within 60s. |
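The three detections summarised in the review table, replayed against a constructed event log. This is an added example, not code from this PR or from CrowdSec: it models CrowdSec's leaky bucket (capacity, leakspeed, blackhole) as a token bucket and the counter-with-cancel_on as a bucket that opens on a challenge request and is discarded by a later submission. The names Event, SAMPLE, leaky_alerts and counter_alerts are chosen here, the event fields mirror the evt.Meta keys the scenarios filter on, and the timestamps and IPs are made up.

```python
"""Simulation (not CrowdSec code) of the challenge-page scenarios in this PR.

Leaky buckets follow a token-bucket reading of CrowdSec's rate limiter: a key
may pour `capacity` events at once, one token refills every `leakspeed`, and
the first event that finds no whole token overflows; after an overflow the
bucket is destroyed and further overflows of that key are suppressed for
`blackhole` seconds.  The counter bucket opens on a request, is discarded when
a submission (the cancel_on condition) arrives, and fires when its `duration`
runs out.  Constructed sample data; nothing here is real AppSec output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float             # seconds since the start of the constructed log
    source_ip: str        # evt.Meta.source_ip, the scenarios' groupby key
    challenge_event: str  # evt.Meta.challenge_event: 'requested' or 'submitted'


# Constructed sample log (assumed field names and values).
SAMPLE = sorted(
    # 10.0.0.1: 6 requests and 6 submissions inside 30s -> both leaky buckets overflow
    [Event(t, "10.0.0.1", "requested") for t in range(0, 30, 5)]
    + [Event(t + 1, "10.0.0.1", "submitted") for t in range(0, 30, 5)]
    # 10.0.0.2: one request answered 20s later -> no alert at all
    + [Event(3, "10.0.0.2", "requested"), Event(23, "10.0.0.2", "submitted")]
    # 10.0.0.3: fetches the challenge once and never submits -> counter fires at 67s
    + [Event(7, "10.0.0.3", "requested")]
    # 10.0.0.4: 5 requests in 40s, a 6th after the bucket has leaked -> no overflow
    + [Event(t, "10.0.0.4", "requested") for t in (0, 10, 20, 30, 40, 200)]
    # 10.0.0.5: 12 requests in 12s -> two overflows, the second one blackholed
    + [Event(t, "10.0.0.5", "requested") for t in range(100, 112)],
    key=lambda e: e.ts,
)


def leaky_alerts(events, kind, capacity=5, leakspeed=60.0, blackhole=60.0):
    """Return (ts, source_ip) for every overflow of a leaky bucket whose filter
    only accepts events with challenge_event == kind."""
    level = {}       # key -> (fill level, timestamp of the last accepted event)
    blackholed = {}  # key -> time until which new overflows are suppressed
    alerts = []
    for e in events:
        if e.challenge_event != kind:        # the scenario's filter
            continue
        fill, last = level.get(e.source_ip, (0.0, e.ts))
        fill = max(0.0, fill - (e.ts - last) / leakspeed)  # leak since last event
        if fill + 1 > capacity:              # no whole token left: overflow
            if blackholed.get(e.source_ip, -1.0) <= e.ts:
                alerts.append((e.ts, e.source_ip))
                blackholed[e.source_ip] = e.ts + blackhole
            level.pop(e.source_ip, None)     # the bucket is destroyed on overflow
        else:
            level[e.source_ip] = (fill + 1, e.ts)
    return alerts


def counter_alerts(events, now, duration=60.0):
    """Return (expiry, source_ip) for every counter bucket that ran out without a
    submission.  A request opens the bucket; a submission cancels it."""
    pending = {}  # key -> expiry time of the open bucket
    alerts = []
    for e in events:
        # buckets whose duration elapsed before this event fire first
        for ip, expiry in list(pending.items()):
            if expiry <= e.ts:
                alerts.append((expiry, ip))
                del pending[ip]
        if e.challenge_event == "submitted":  # cancel_on match: drop the bucket
            pending.pop(e.source_ip, None)
        elif e.source_ip not in pending:      # first request opens a bucket
            pending[e.source_ip] = e.ts + duration
    for ip, expiry in pending.items():        # flush what expired by `now`
        if expiry <= now:
            alerts.append((expiry, ip))
    return sorted(alerts)


if __name__ == "__main__":
    print("too-many-requests   :", leaky_alerts(SAMPLE, "requested"))
    print("  without blackhole :", leaky_alerts(SAMPLE, "requested", blackhole=0))
    print("too-many-submissions:", leaky_alerts(SAMPLE, "submitted"))
    print("request-no-submission:", counter_alerts(SAMPLE, now=300))
```

Running it shows three things the summary glosses over: with capacity 5 it is the sixth event inside the leak window that overflows, not the fifth; a second burst from the same IP inside the blackhole window raises no second alert; and the counter only fires once its 60s duration has actually elapsed at the time of the check, so a request made shortly before the log is cut off is still pending, not an alert.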
| type: leaky | ||
| format: 3.0 | ||
| #debug: true | ||
| name: crowdsecurity/appsec-challenge-too-many-submissions |
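Review bot: the scenario name on the `name:` line (crowdsecurity/appsec-challenge-too-many-submissions) does not match the file it lives in, scenarios/crowdsecurity/challenge-too-many-submit.yaml per the review table, and the other two files drift the same way (challenge-too-many-request.yaml, challenge-request-with-no-submission.yaml). Rename the files to match the scenario names so they can be found by the name operators install, and drop the commented-out `#debug: true` before this leaves WIP.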
Comment on lines +4 to +5
| name: crowdsecurity/appsec-challenge-too-many-requests | ||
| description: "Client made too many request to challenge page" |
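Review bot: the description reads "too many request" and should be "too many requests"; while touching it, say what is being counted so the operator reading the alert knows, e.g. description: "Client made too many requests to the challenge page".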
Comment on lines +4 to +5
| name: crowdsecurity/appsec-challenge-request-with-no-submission | ||
| description: "Client made too many request to challenge page" |
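Review bot: the description on the second line is copy-pasted from the too-many-requests scenario and does not describe this one, which fires when a challenge is requested but never submitted; replace it with something like description: "Client requested the challenge but never submitted it".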
Comment on lines +15 to +16
| classification: | ||
| - attack.T1110 |
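Review bot: attack.T1110 is ATT&CK Brute Force. It is defensible for the submission bucket, where repeated answers to the challenge are being guessed, but the same classification appears in every hunk of this PR, including the request-only scenarios where nothing is being guessed; either pick a technique that matches what each bucket measures or state why brute force is intended for all three.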
Comment on lines +13 to +20
| labels: | ||
| service: http | ||
| confidence: 0 | ||
| spoofable: 0 | ||
| classification: | ||
| - attack.T1110 | ||
| label: "Blocked by CrowdSec AppSec" | ||
| behavior: "http:exploit" |
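Review bot: this label block looks inherited from an AppSec rule template rather than written for a rate-based scenario: `label: "Blocked by CrowdSec AppSec"` describes a WAF block, and `behavior: "http:exploit"` overstates what the bucket saw (too many challenge interactions, not an exploit). A label that names the scenario and a behavior matching what is measured (the taxonomy has http:bruteforce and http:scan, for instance) would be more accurate. `confidence: 0` is fine while WIP but must be set to a real value before publication.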
Comment on lines +1 to +19
| type: leaky | ||
| format: 3.0 | ||
| #debug: true | ||
| name: crowdsecurity/appsec-challenge-too-many-submissions | ||
| description: "Client made too many submissions for challenge" | ||
| filter: "evt.Meta.log_type == 'appsec-challenge' && evt.Meta.challenge_event == 'submitted'" | ||
| leakspeed: "60s" | ||
| capacity: 5 | ||
| groupby: evt.Meta.source_ip | ||
| blackhole: 1m | ||
| labels: | ||
| service: http | ||
| confidence: 0 | ||
| spoofable: 0 | ||
| classification: | ||
| - attack.T1110 | ||
| label: "Blocked by CrowdSec AppSec" | ||
| behavior: "http:exploit" | ||
| remediation: true |
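Review bot: `remediation: true` together with `confidence: 0` means a zero-confidence WIP scenario will ban IPs on its own; set remediation: false until the thresholds are validated, or give it a real confidence once they are. Note also that with capacity: 5 and leakspeed: 60s the bucket overflows on the sixth submission that arrives before it has leaked, so the summary's "5 submits / 60s" undercounts by one; the description should state the real threshold. Finally, spoofable: 0 holds only if evt.Meta.source_ip is the address the remediation component observed rather than a client-supplied header, which is worth confirming against the parser that fills it.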
buixor reviewed Jun 1, 2026
| expression: Sprintf("%+v", evt.Appsec.GetRuleIDs()) | ||
| - meta: remediation_cmpt_ip | ||
| expression: "evt.Parsed.remediation_cmpt_ip" | ||
| - meta: challenge_event |
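Review bot: `Sprintf("%+v", evt.Appsec.GetRuleIDs())` stores the matched rule IDs as one Go-formatted slice string, so a scenario filter can only match a given rule with substring or regex tricks; if scenarios are expected to key on rule IDs, emit them in a form that can be compared individually. For the `challenge_event` meta, document the fixed values it can take next to it, since the scenarios' filters hard-code 'requested' and 'submitted' and will silently match nothing if the parser ever emits a different spelling.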
Contributor
add to parsed:
- positive bot detection flags
- platform/os
- Browser family
Contributor
Hello @buixor, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
No description provided.