saving uncommitted changes in /etc prior to dnf run

2023-08-10 11:58:05 +03:00
parent 2d84c3580c
commit b9d544b9c6
199 changed files with 5119 additions and 120 deletions
--- a/crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
+++ b/crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
@@ -2,13 +2,21 @@ onsuccess: next_stage
 name: crowdsecurity/mysql-logs
 description: "Parse MySQL logs"
 filter: "evt.Parsed.program == 'mysql'"
-grok:
-  pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)"
-  apply_on: message
+pattern_syntax:
+  MYSQL_ACCESS_DENIED: "Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \\(using password: %{WORD:using_password}\\)" 
+nodes:
+  - grok:
+      pattern: "%{TIMESTAMP_ISO8601:time} %{NUMBER} \\[Note\\]( \\[%{DATA:err_code}\\] \\[%{DATA:subsystem}\\])? %{MYSQL_ACCESS_DENIED}"
+      apply_on: message
+  - grok:
+      pattern: "%{TIMESTAMP_ISO8601:time}.*%{NUMBER} Connect.*%{MYSQL_ACCESS_DENIED}"
+      apply_on: message
 statics:
  - meta: log_type
    value: mysql_failed_auth
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
+  - target: evt.StrTime
+    expression: evt.Parsed.time
  - meta: user
-    expression: "evt.Parsed.user"
+    expression: "evt.Parsed.user"
--- a/crowdsec/hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml
+++ b/crowdsec/hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml
@@ -2,9 +2,11 @@ filter: "evt.Parsed.program startsWith 'nginx'"
 onsuccess: next_stage
 name: crowdsecurity/nginx-logs
 description: "Parse nginx access and error logs"
+pattern_syntax:
+  NGCUSTOMUSER: '[a-zA-Z0-9\.\@\-\+_%]+'
 nodes:
  - grok:
-      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
+      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user}? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
      apply_on: message
      statics:
        - meta: log_type
--- a/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -15,7 +15,7 @@ pattern_syntax:
  SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection closed by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
  #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
  SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
-  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method) found.'
+  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
 nodes:
  - grok:
      name: "SSHD_FAIL"