committing changes in /etc made by "-bash"

Package changes:
2023-06-12 09:31:52 +03:00
parent c0fa2707f8
commit f7af00565c
146 changed files with 10641 additions and 0 deletions
--- a/crowdsec/hub/parsers/s01-parse/crowdsecurity/apache2-logs.yaml
+++ b/crowdsec/hub/parsers/s01-parse/crowdsecurity/apache2-logs.yaml
@@ -0,0 +1,93 @@
+#Apache access/errors logs
+#debug: true
+filter: "evt.Parsed.program startsWith 'apache2'"
+onsuccess: next_stage
+name: crowdsecurity/apache2-logs
+description: "Parse Apache2 access and error logs"
+#log line can be prefixed by a target_fqdn
+nodes:
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{COMMONAPACHELOG}( "%{NOTDQUOTE:referrer}" "%{NOTDQUOTE:http_user_agent}")?'
+      apply_on: message
+      # these ones apply for both grok patterns
+      statics:
+        - meta: log_type
+          value: http_access-log
+        - target: evt.StrTime
+          expression: evt.Parsed.timestamp
+        - meta: service
+          value: http
+        - meta: source_ip
+          expression: evt.Parsed.clientip
+        - meta: http_status
+          expression: evt.Parsed.response
+        - meta: http_path
+          expression: evt.Parsed.request
+        - meta: http_verb
+          expression: "evt.Parsed.verb"
+        - meta: http_user_agent
+          expression: "evt.Parsed.http_user_agent"
+        - meta: target_fqdn
+          expression: "evt.Parsed.target_fqdn"
+    onsuccess: next_stage
+  - grok:
+      pattern: '%{HTTPD_ERRORLOG}'
+      apply_on: message
+    onsuccess: next_stage
+    pattern_syntax:
+      NOT_DOUBLE_POINT: '[^:]+'
+      NOT_DOUBLE_QUOTE: '[^"]+'    
+    nodes:
+      - filter: "evt.Parsed.module == 'auth_basic'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_USER_AND_PATH: 'user %{NOT_DOUBLE_POINT:username}: authentication failure for "%{NOT_DOUBLE_QUOTE:target_uri}": Password Mismatch'
+          EXTRACT_USER_AND_PATH2: 'user %{NOT_DOUBLE_POINT:username} not found: "?%{NOT_DOUBLE_QUOTE:target_uri}"?'
+        grok:
+          pattern: '%{EXTRACT_USER_AND_PATH}|%{EXTRACT_USER_AND_PATH2}'
+          apply_on: message
+          # these ones apply for both grok patterns
+        statics:
+          - meta: username
+            expression: evt.Parsed.username
+          - meta: http_path
+            expression: evt.Parsed.target_uri
+          - meta: sub_type
+            value: "auth_fail"
+      - filter: "evt.Parsed.module == 'core' && evt.Parsed.message contains 'Invalid URI'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_URIVERB: 'Invalid URI in request %{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})'
+        grok:
+          pattern: '%{EXTRACT_URIVERB}'
+          apply_on: message
+        statics:
+          - meta: http_path
+            expression: evt.Parsed.request
+          - meta: sub_type
+            value: "invalid_uri"
+      - filter: "evt.Parsed.module == 'authz_core' && evt.Parsed.message contains 'client denied'"
+        onsuccess: next_stage
+        pattern_syntax:
+          EXTRACT_PATH: 'client denied by server configuration: %{GREEDYDATA:target_uri}'
+        grok:
+          pattern: '%{EXTRACT_PATH}'
+          apply_on: message
+        statics:
+          - meta: http_path
+            expression: evt.Parsed.target_uri
+          - meta: sub_type
+            value: "permission_denied"
+    statics:
+      - meta: log_type
+        value: http_error-log
+      - target: evt.StrTime
+        expression: evt.Parsed.timestamp
+      - meta: service
+        value: http
+      - meta: source_ip
+        expression: evt.Parsed.client
+      - meta: http_status
+        expression: evt.Parsed.response
+
+