Whilst testing for a user I saw malformed HTTP logs for nginx / apache2 still get processed by the `http-logs` enrich, which is a bit pointless?
```
$ cscli explain --log '111.222.333.444 - - [11/Mar/2022:07:41:47 +0100] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"' --type nginx -v
line: 111.222.333.444 - - [11/Mar/2022:07:41:47 +0100] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"
  ├ s00-raw
  |  └ 🟢 crowdsecurity/non-syslog (+5 ~8)
  |    └ update evt.ExpectMode : %!s(int=0) -> 1
  |    └ update evt.Stage :  -> s01-parse
  |    └ update evt.Line.Raw :  -> 111.222.333.444 - - [11/Mar/2022:07:41:47 +0100] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"
  |    └ update evt.Line.Src :  -> /tmp/cscli_explain1337097339/cscli_test_tmp.log
  |    └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2024-04-02 10:51:18.396707886 +0000 UTC
  |    └ create evt.Line.Labels.type : nginx
  |    └ update evt.Line.Process : %!s(bool=false) -> true
  |    └ update evt.Line.Module :  -> file
  |    └ create evt.Parsed.message : 111.222.333.444 - - [11/Mar/2022:07:41:47 +0100] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"
  |    └ create evt.Parsed.program : nginx
  |    └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2024-04-02 10:51:18.396740514 +0000 UTC
  |    └ create evt.Meta.datasource_type : file
  |    └ create evt.Meta.datasource_path : /tmp/cscli_explain1337097339/cscli_test_tmp.log
  ├ s01-parse
  |  └ 🟢 crowdsecurity/nginx-logs (+19 ~2)
  |    └ update evt.Stage : s01-parse -> s02-enrich
  |    └ create evt.Parsed.proxy_upstream_name :
  |    └ create evt.Parsed.request_time :
  |    └ create evt.Parsed.http_user_agent : -
  |    └ create evt.Parsed.remote_user : -
  |    └ create evt.Parsed.remote_addr : 111.222.333.444
  |    └ create evt.Parsed.request : \x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0
  |    └ create evt.Parsed.request_length :
  |    └ create evt.Parsed.time_local : 11/Mar/2022:07:41:47 +0100
  |    └ create evt.Parsed.body_bytes_sent : 157
  |    └ create evt.Parsed.proxy_alternative_upstream_name :
  |    └ create evt.Parsed.status : 400
  |    └ create evt.Parsed.target_fqdn :
  |    └ create evt.Parsed.http_referer : -
  |    └ update evt.StrTime :  -> 11/Mar/2022:07:41:47 +0100
  |    └ create evt.Meta.http_path : \x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0
  |    └ create evt.Meta.http_status : 400
  |    └ create evt.Meta.http_user_agent : -
  |    └ create evt.Meta.log_type : http_access-log
  |    └ create evt.Meta.service : http
  |    └ create evt.Meta.source_ip : 111.222.333.444
  ├ s02-enrich
  |  ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
  |  |  ├ create evt.Enriched.MarshaledTime : 2022-03-11T07:41:47+01:00
  |  |  ├ update evt.Time : 2024-04-02 10:51:18.396740514 +0000 UTC -> 2022-03-11 07:41:47 +0100 +0100
  |  |  ├ update evt.MarshaledTime :  -> 2022-03-11T07:41:47+01:00
  |  |  ├ create evt.Meta.timestamp : 2022-03-11T07:41:47+01:00
  |  ├ 🟢 crowdsecurity/geoip-enrich (unchanged)
  |  ├ 🟢 crowdsecurity/http-logs (+7)
  |  |  ├ create evt.Parsed.file_ext :
  |  |  ├ create evt.Parsed.file_dir : \x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC3\xA3\xF6MU\xBAZJ2\xBA\xD3\xCB\xAD\xA9\x92~j\x0E<\x8Cf,\xBB\x9A)\xD4\xAD53\xF3\x04\x0E\x00\x00h\xCC\x14\xCC\x13\xC0/
  |  |  ├ create evt.Parsed.impact_completion : true
  |  |  ├ create evt.Parsed.file_frag : \xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0
  |  |  ├ create evt.Parsed.static_ressource : false
  |  |  ├ create evt.Parsed.file_name : \xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0
  |  |  ├ create evt.Meta.http_args_len : 0
  |  ├ 🟢 crowdsecurity/jellyfin-whitelist (unchanged)
  |  ├ 🟢 crowdsecurity/nextcloud-whitelist (unchanged)
  |  └ 🟢 crowdsecurity/whitelists (unchanged)
  ├-------- parser success 🟢
  ├ Scenarios
    ├ 🟢 crowdsecurity/http-dos-swithcing-ua
    └ 🟢 crowdsecurity/http-probing
```
However, the `http-probing` scenario wouldn't trigger if they sent the same malformed request anyways.
```yaml
# 404 scan
type: leaky
#debug: true
name: crowdsecurity/http-probing
description: "Detect site scanning/probing from a single ip"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
distinct: "evt.Meta.http_path"
capacity: 10
reprocess: true
leakspeed: "10s"
blackhole: 5m
labels:
  remediation: true
  classification:
    - attack.T1595.003
  behavior: "http:scan"
  label: "HTTP Probing"
  spoofable: 0
  service: http
  confidence: 1
```
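As an added example (not CrowdSec's own code) of the sanity check this report argues for: parse a combined-format access line, and only derive http-logs style fields (`http_path`, `file_dir`, `file_name`, `file_ext`, `http_args_len`) when the request field is actually an HTTP request line. A TLS ClientHello sent to a plaintext vhost, as in the log above, is logged escaped as `\x16\x03\x01...` and is skipped. The regexes, function names and sample lines are assumptions constructed here; the field derivation only approximates the hub parser.

```python
import re

# nginx "combined" access log line, as shown by cscli explain on this page (assumed format)
NGINX_RE = re.compile(
    r'^(?P<remote_addr>\S+) \S+ (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)
# A real HTTP request line is "METHOD target HTTP/x.y"; raw TLS bytes never match this
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]{3,10}) (?P<path>\S+) HTTP/\d(?:\.\d)?$')

# Constructed sample lines: the first mirrors the page's line (hex trimmed), the second is a normal probe
SAMPLE_LOGS = [
    r'203.0.113.5 - - [11/Mar/2022:07:41:47 +0100] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03" 400 157 "-" "-"',
    '203.0.113.5 - - [11/Mar/2022:07:41:48 +0100] "GET /admin/login.php?next=/ HTTP/1.1" 404 153 "-" "curl/8.0"',
]


def parse_access_line(line):
    """Split one combined-format line into its fields, or None if it is not that format."""
    m = NGINX_RE.match(line)
    return m.groupdict() if m else None


def enrich_http(parsed):
    """Approximate the fields http-logs creates, but refuse when the request is not HTTP."""
    req = REQUEST_RE.match(parsed["request"])
    if req is None:
        return None  # malformed request field: nothing meaningful to enrich
    path, _, args = req.group("path").partition("?")
    file_name = path.rpartition("/")[2]
    file_dir = path[:len(path) - len(file_name)]  # keeps the trailing slash, like the page's file_dir
    stem, dot, file_ext = file_name.rpartition(".")
    return {
        "http_path": path,
        "http_args_len": len(args),
        "file_dir": file_dir,
        "file_name": file_name,
        "file_ext": file_ext if dot else "",
    }


def classify(line):
    """'unparseable' (not combined format), 'malformed-request' (skip enrich), or 'http'."""
    parsed = parse_access_line(line)
    if parsed is None:
        return "unparseable"
    return "malformed-request" if enrich_http(parsed) is None else "http"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line), "->", enrich_http(parse_access_line(line)))
```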