generated from NethServer/ns8-kickstart
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add tainted nextcloud-logs.yaml parser to crowdsec.service (#54)
* Add tainted nextcloud-logs.yaml parser NethServer/dev#7018
- Loading branch information
Showing
3 changed files
with
58 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| #!/bin/bash | ||
|
|
||
| # | ||
| # Copyright (C) 2024 Nethesis S.r.l. | ||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||
| # | ||
|
|
||
| set -e | ||
| exec 1>&2 # Send any output to stderr, to not alter the action response protocol | ||
|
|
||
| # We have introduced a tainted configuration file, we need to reload the service | ||
| systemctl reload ${MODULE_ID}.service |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| --- | ||
| onsuccess: next_stage | ||
| filter: "Upper(evt.Parsed.program) == 'NEXTCLOUD-APP'" | ||
| name: crowdsecurity/nextcloud-logs | ||
| description: "Parse nextcloud logs" | ||
| pattern_syntax: | ||
| NEXTCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_%]+' | ||
| nodes: | ||
| - grok: | ||
| pattern: 'Login failed: %{NEXTCLOUD_USER:target_user} \(Remote IP: %{IP:source_ip}\)' | ||
| apply_on: message | ||
| statics: | ||
| - meta: target_user | ||
| expression: "evt.Parsed.target_user" | ||
| - meta: log_type | ||
| value: nextcloud_failed_auth | ||
| - grok: | ||
| pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"' | ||
| apply_on: message | ||
| statics: | ||
| - meta: action | ||
| expression: "evt.Parsed.action" | ||
| - meta: log_type | ||
| value: nextcloud_bruteforce_attempt | ||
|
|
||
| #{"reqId":"dCA39mNG3NHLwbibVCFp","level":1,"time":"2023-02-14T17:28:33+00:00","remoteAddr":"172.18.0.200","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"172.18.0.200\" tried to access using \"kloot.ronsmans.eu\" as host.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0","version":"25.0.3.2","data":{"app":"core"}} | ||
|
|
||
| - grok: | ||
| pattern: 'Trusted domain error. \\"%{IP:source_ip}\\".*' | ||
| apply_on: message | ||
| statics: | ||
| - meta: log_type | ||
| value: nextcloud_domain_error | ||
|
|
||
| statics: | ||
| - meta: service | ||
| value: nextcloud | ||
| - meta: source_ip | ||
| expression: "evt.Parsed.source_ip" | ||
| - target: evt.StrTime | ||
| expression: "evt.Parsed.time_local" |