* start nextcloud whitelist
* update
* Update filter and parser assert
* Nextcloud latest flags as 403
* Add whitelist to nextcloud collection
* Add link to upstream issue
1 parent 275805b, commit a6668f3. Showing 7 changed files with 153 additions and 0 deletions.
@@ -0,0 +1,15 @@ | ||
parsers: | ||
- crowdsecurity/nginx-logs | ||
- crowdsecurity/syslog-logs | ||
- crowdsecurity/dateparse-enrich | ||
- crowdsecurity/http-logs | ||
- ./parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml | ||
scenarios: | ||
- "" | ||
postoverflows: | ||
- "" | ||
log_file: nextcloud-whitelist.log | ||
log_type: nginx | ||
labels: {} | ||
ignore_parsers: false | ||
override_statics: [] |
@@ -0,0 +1 @@ | ||
1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] "GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" |
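Review bot: the only sample line in this log is a 404, yet the commit message says the latest Nextcloud answers with 403 and the whitelist expression matches `evt.Meta.http_status in ["404", "403"]`. Add a second line identical to this one but with status `403` so the 403 branch of the expression is exercised by the test instead of being covered only by inspection.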
@@ -0,0 +1,124 @@ | ||
len(results) == 4 | ||
len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1 | ||
results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true | ||
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx" | ||
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"" | ||
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" | ||
results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" | ||
len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1 | ||
results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false | ||
len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 1 | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["verb"] == "GET" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["program"] == "nginx" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "20" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_version"] == "2.0" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_user"] == "-" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["status"] == "404" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_verb"] == "GET" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["log_type"] == "http_access-log" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_status"] == "404" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["service"] == "http" | ||
results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_type"] == "file" | ||
len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1 | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "20" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "2.0" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_user"] == "-" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00" | ||
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00" | ||
len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 1 | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_version"] == "2.0" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["body_bytes_sent"] == "20" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_ext"] == ".vcf" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["program"] == "nginx" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["static_ressource"] == "false" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_args"] == "photo" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_user"] == "-" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["impact_completion"] == "false" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["log_type"] == "http_access-log" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["service"] == "http" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_type"] == "file" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_args_len"] == "5" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00" | ||
len(results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"]) == 1 | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Success == true | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["body_bytes_sent"] == "20" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_args"] == "photo" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["static_ressource"] == "false" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["impact_completion"] == "false" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_user"] == "-" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["program"] == "nginx" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_addr"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_ext"] == ".vcf" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_version"] == "2.0" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["service"] == "http" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_type"] == "file" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_verb"] == "GET" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["log_type"] == "http_access-log" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["source_ip"] == "1.2.3.4" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_args_len"] == "5" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_status"] == "404" | ||
results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00" | ||
len(results["success"][""]) == 0 |
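Review bot: the `crowdsecurity/nextcloud-whitelist` block only asserts `Success == true` and re-checks Parsed/Meta fields that were already set by the earlier stages; nothing asserts that the event was actually whitelisted. A typo in the expression would still leave `Success == true` and pass this file. Add assertions on the whitelist outcome, e.g. `results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Whitelisted == true` and `results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.WhitelistReason == "Nextcloud Whitelist"`, so the test fails when the expression stops matching.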
Empty file.
@@ -0,0 +1,5 @@ | ||
## Nextcloud whitelist | ||
|
||
### Contacts app | ||
Contacts has an issue with excessive 404 response codes when a user image is missing | ||
[Upstream issue](https://github.com/nextcloud/contacts/issues/3021) |
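Review bot: the README explains why the whitelist exists but not what it exempts. Operators reviewing a whitelist need the match conditions to judge its blast radius; add one line stating that GET requests for `.vcf` files with `photo` in the query string returning 403 or 404 are ignored, and that this covers the missing-avatar lookups from the Contacts app only.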
@@ -0,0 +1,7 @@ | ||
name: crowdsecurity/nextcloud-whitelist | ||
description: "Whitelist events from nextcloud" | ||
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']" | ||
whitelist: | ||
reason: "Nextcloud Whitelist" | ||
expression: | ||
- evt.Meta.http_status in ["404", "403"] && evt.Meta.http_verb == "GET" && evt.Parsed.file_ext == ".vcf" && Lower(evt.Parsed.http_args) contains "photo" |
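Review bot: the expression is not scoped to the Contacts/CardDAV path, so any 403/404 GET for a `.vcf` file whose query string contains `photo`, under any directory on the host, is exempted from the HTTP scenarios. The test data already shows the expected location (`file_dir` is `/remote.php/dav/addressbooks/users/...`), so tighten the match with something like `evt.Parsed.file_dir startsWith "/remote.php/dav/addressbooks/"` to keep the exemption as narrow as the upstream bug it works around. Separately, the `filter` admits `http_error-log` events, but the expression depends on `evt.Parsed.file_ext` and `evt.Parsed.http_args`, which are only populated for access logs; narrowing the filter to `http_access-log` would make the intent explicit and avoid evaluating the expression on events that can never match.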