add the technology probing scenario

[buixor]

Add a scenario that can detect probing towards specific technologies or vendors, thanks to:

• add technology probing datafile sec-lists#148
• add LookupFile and FileMap expr helpers crowdsec#4372

For now, this scenario doesn't lead to a decision. If we're happy with the results at scale, we'll add a scenario that reprocesses overflows from this one and bans IPs that trigger X distinct technologies' probing.

[github-actions]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[Copilot]

Pull request overview

Adds a new CrowdSec HTTP scenario that tags requests matching known technology/vendor probing paths (via an external lookup file), and wires it into the base HTTP collection with an accompanying test fixture.

Changes:

• Add crowdsecurity/http-technology-probing trigger scenario that looks up http_path in technology_probing.json and sets target_techno.
• Include the new scenario in crowdsecurity/base-http-scenarios.
• Add a dedicated .tests/http-technology-probing dataset and assertions.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
scenarios/crowdsecurity/http-technology-probing.yaml	New trigger scenario performing map-based path lookup and setting target_techno.
scenarios/crowdsecurity/http-technology-probing.md	Short scenario documentation.
collections/crowdsecurity/base-http-scenarios.yaml	Registers the new scenario in the base HTTP collection.
.tests/http-technology-probing/config.yaml	Test harness configuration for the new scenario.
.tests/http-technology-probing/http-technology-probing.log	Sample nginx access log inputs (positive and negative cases).
.tests/http-technology-probing/scenario.assert	Assertions validating overflows and target_techno metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The scenario description says "Detect generic HTTP probing", but this scenario is specifically about technology/vendor fingerprinting (and sets target_techno). Consider updating the description to match the actual behavior so alerts/overflows are self-explanatory. Also, lines in the filter condition currently contain trailing whitespace; trimming it will avoid noisy diffs and formatting issues.

[buixor]

@copilot apply changes based on this feedback

[Copilot]

Done in 3d1d8ff: I updated the scenario description to match technology/vendor probing and removed the trailing whitespace in the filter lines.

[buixor]

• Add it to alert context
• Update schema

[github-actions]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.