Add vpatch-CVE-2019-11253 rule and test

[crowdsec-automation]

This rule detects attempts to exploit the Kubernetes API Server YAML parsing DoS (Billion Laughs) vulnerability (CVE-2019-11253). The detection logic is as follows:

• The first rule block matches requests to the specific Kubernetes API endpoint /apis/authorization.k8s.io/v1/selfsubjectaccessreviews, which is a common target for this attack.
• The second rule block ensures the Content-Type header is set to application/yaml, indicating a YAML payload is being sent.
• The third rule block inspects the raw body of the request for the presence of the string lol: &lol, which is a canonical indicator of the "Billion Laughs" YAML entity expansion attack pattern.

All value: fields are lowercase, and the transform includes lowercase for case-insensitive matching. The rule uses contains for matching, as the attack pattern is a substring within the payload. This approach minimizes false positives and negatives by focusing on the unique structure of the attack. No regex or unnecessary complexity is used, and the rule is tightly scoped to the relevant endpoint, header, and body content.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2019-11253 🔴