Nextcloud whitelist (#609)
* start nextcloud whitelist

* update

* Update filter and parser assert

* Nextcloud latest flags as 403

* Add whitelist to nextcloud collection

* Add link to upstream issue
LaurenceJJones committed Dec 14, 2022
1 parent 275805b commit a6668f3
Showing 7 changed files with 153 additions and 0 deletions.
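--- a/.tests/nextcloud-whitelist/config.yaml
+++ b/.tests/nextcloud-whitelist/config.yaml
@@ -0,0 +1,15 @@
+parsers:
+- crowdsecurity/nginx-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/http-logs
+- ./parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: nextcloud-whitelist.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []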
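--- a/.tests/nextcloud-whitelist/nextcloud-whitelist.log
+++ b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
@@ -0,0 +1 @@
+1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] "GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"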
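Review bot: The fixture holds a single 404 line, so the 403 branch this commit adds to the whitelist (`evt.Meta.http_status in ["404", "403"]`, per the "Nextcloud latest flags as 403" commit message) is never exercised and a regression there would still pass hubtest. Adding a second line identical to this one but with status `403`, plus a third `.vcf` GET that is not a `?photo` request and is expected to stay un-whitelisted, would pin both sides of the rule. As far as the visible parser.assert shows, the generated assertions only check that the whitelist parser ran successfully, not the whitelist verdict itself, so a negative case is the only thing that would currently catch an over-broad expression.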
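--- a/.tests/nextcloud-whitelist/parser.assert
+++ b/.tests/nextcloud-whitelist/parser.assert
@@ -0,0 +1,124 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 1
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["verb"] == "GET"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_version"] == "2.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_user"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["status"] == "404"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_verb"] == "GET"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_status"] == "404"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_type"] == "file"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 1
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_ext"] == ".vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_args"] == "photo"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_args_len"] == "5"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"]) == 1
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Success == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_args"] == "photo"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_ext"] == ".vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_args_len"] == "5"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["success"][""]) == 0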
Empty file.
1 change: 1 addition & 0 deletions collections/crowdsecurity/nextcloud.yaml
@@ -1,6 +1,7 @@
---
parsers:
- crowdsecurity/nextcloud-logs
- crowdsecurity/nextcloud-whitelist
scenarios:
- crowdsecurity/nextcloud-bf
description: "Nextcloud support : parser and brute-force detection"
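Review bot: Adding `crowdsecurity/nextcloud-whitelist` to the collection means every install of `crowdsecurity/nextcloud` silently stops counting 403/404 GETs on `*.vcf?photo` requests, yet the `description` line in this hunk still reads only "parser and brute-force detection" and does not say that a whitelist is now bundled. Operators auditing what a collection suppresses would want that visible here, e.g. `description: "Nextcloud support : parser, brute-force detection and a whitelist for the contacts-app missing-photo 404/403 noise"`. The rest of the collection file is outside this hunk, so if it has its own `.md` the same sentence belongs there.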
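--- a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
+++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
@@ -0,0 +1,5 @@
+## Nextcloud whitelist
+
+### Contacts app
+Contacts has an issue with excessive 404 response codes when a user image is missing
+[Upstream issue](https://github.com/nextcloud/contacts/issues/3021)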
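--- a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
+++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
@@ -0,0 +1,7 @@
+name: crowdsecurity/nextcloud-whitelist
+description: "Whitelist events from nextcloud"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+reason: "Nextcloud Whitelist"
+expression:
+- evt.Meta.http_status in ["404", "403"] && evt.Meta.http_verb == "GET" && evt.Parsed.file_ext == ".vcf" && Lower(evt.Parsed.http_args) contains "photo"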
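Review bot: The expression on the last line whitelists any GET answered with 403 or 404 for a path ending in `.vcf` with `photo` anywhere in the query string, and every field it tests (`file_ext`, `http_args`, `http_status`) is derived from the client-supplied request line, so a client can exempt its own 4xx probes from any scenario keyed on these events simply by suffixing each probed path with `.vcf?photo`. Anchoring the rule to the DAV path the upstream issue is about would narrow that, e.g. appending `&& evt.Parsed.file_dir startsWith "/remote.php/dav/addressbooks/"` — `file_dir` is populated by `crowdsecurity/http-logs`, as the new parser.assert shows — and if deployments also serve a legacy carddav alias that prefix would need to be listed too. The `http_error-log` type admitted by `filter` is unlikely to carry `file_ext`/`http_args` (they come from the access-log enrichment), so that part of the filter looks dead; harmless, but a one-line comment above `expression` such as `# nextcloud/contacts#3021: missing contact photos return 403/404 on GET .../*.vcf?photo` would keep the rationale and scope next to the rule.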
