From 8d77273148b668a9b06a4fe60ddc8e0588d004a6 Mon Sep 17 00:00:00 2001
From: Laurence Jones
Date: Mon, 23 Dec 2024 08:11:04 +0000
Subject: [PATCH] fix: http generic bf add not verb check (#1202)

* fix: alter the generic-bf to check non fp verbs

* fix: readd auth_fail cause we need to split them if the parser based on www-authenticate
---
 scenarios/crowdsecurity/http-generic-bf.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scenarios/crowdsecurity/http-generic-bf.yaml b/scenarios/crowdsecurity/http-generic-bf.yaml
index b3ca1cd46c2..9780440b8f1 100644
--- a/scenarios/crowdsecurity/http-generic-bf.yaml
+++ b/scenarios/crowdsecurity/http-generic-bf.yaml
@@ -23,7 +23,7 @@ type: leaky
 #debug: true
 name: LePresidente/http-generic-401-bf
 description: "Detect generic 401 Authorization error brute force"
-filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status == '401' && evt.Meta.sub_type != 'auth_fail'"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status == '401' && evt.Meta.sub_type != 'auth_fail' && evt.Parsed.verb not in ['OPTIONS', 'PROPFIND', 'REPORT']"
 groupby: evt.Meta.source_ip
 capacity: 5
 leakspeed: "10s"
@@ -43,7 +43,7 @@ type: leaky
 #debug: true
 name: LePresidente/http-generic-403-bf
 description: "Detect generic 403 Forbidden (Authorization) error brute force"
-filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status == '403' && evt.Meta.sub_type != 'auth_fail'"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status == '403' && evt.Meta.sub_type != 'auth_fail' && evt.Parsed.verb not in ['OPTIONS', 'PROPFIND', 'REPORT']"
 groupby: evt.Meta.source_ip
 capacity: 5
 leakspeed: "10s"
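Review bot: The new filter lines in both hunks (the 401-bf scenario here and the 403-bf scenario in the second hunk) drop OPTIONS, PROPFIND and REPORT requests from the brute-force count with no comment explaining why, and the same verb list is duplicated verbatim in two scenarios. The commit message only says these verbs caused false positives, so a line above each filter such as `# OPTIONS/PROPFIND/REPORT excluded to avoid false positives (see #1202)` would keep the rationale next to the expression that will otherwise look arbitrary to the next maintainer. Note that the exclusion is total rather than a raised threshold: 401/403 responses to those verbs are no longer counted at all, so the detection trade-off should be stated, or a sibling scenario with a larger capacity could still cover them. If `evt.Parsed.verb` is absent for a line, the `not in` test presumably evaluates true and the event is still counted, which looks intended but is worth confirming against the parser output.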