Merge branch 'master' into auditd_sigma
buixor authored Dec 18, 2024
2 parents 1c3feb0 + 4da98bc commit 6280086
Showing 18 changed files with 6,385 additions and 16 deletions.
56 changes: 56 additions & 0 deletions .index.json
Expand Up @@ -6222,6 +6222,27 @@
"plague-doctor/audiobookshelf-bf"
]
},
"pserranoa/openvpn": {
"path": "collections/pserranoa/openvpn.yml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "de1d699318182e4c08503b63a0ffd281196fbb1dd1a74f38ac9f1426ef8c738f",
"deprecated": false
}
},
"long_description": "IyMgT3BlblZQTiBjb2xsZWN0aW9uCgpBIGNvbGxlY3Rpb24gZm9yIE9wZW5WUE4gZmFpbGVkIGF1dGhlbnRpZmljYXRpb246CgojIyBBY3F1aXNpdGlvbiB0ZW1wbGF0ZQoKRXhhbXBsZSBhY3F1aXNpdGlvbiBmb3IgdGhpcyBjb2xsZWN0aW9uIDoKCmBgYHlhbWwKc291cmNlOiBmaWxlCmZpbGVuYW1lOiAvdmFyL2xvZy9vcGVudnBuLyoubG9nCmxhYmVsczoKICB0eXBlOiBvcGVudnBuCmZvcmNlX2lub3RpZnk6IHRydWUKYGBgCg==",
"content": "YXV0aG9yOiBwc2VycmFub2EKZGVzY3JpcHRpb246ICdDb2xsZWN0aW9uIHRvIGRldGVjdCBmYWlsZWQgYXV0aGVudGljYXRpb25zIGZvciBPcGVuVlBOJwpwYXJzZXJzOgotIHBzZXJyYW5vYS9vcGVudnBuCnNjZW5hcmlvczoKLSBwc2VycmFub2Evb3BlbnZwbi1iZgp0YWdzOgogIC0gb3BlbnZwbgogIC0gYnJ1dGVmb3JjZQ==",
"description": "Collection to detect failed authentications for OpenVPN",
"author": "pserranoa",
"labels": null,
"parsers": [
"pserranoa/openvpn"
],
"scenarios": [
"pserranoa/openvpn-bf"
]
},
"schiz0phr3ne/prowlarr": {
"path": "collections/schiz0phr3ne/prowlarr.yaml",
"version": "0.1",
Expand Down Expand Up @@ -10188,6 +10209,22 @@
"author": "plague-doctor",
"labels": null
},
"pserranoa/openvpn": {
"path": "parsers/s01-parse/pserranoa/openvpn.yml",
"stage": "s01-parse",
"version": "0.1",
"versions": {
"0.1": {
"digest": "a5a9971734da0643c3ad024b75f93fa98b4bf5a089436d8a383f2216091ec0d6",
"deprecated": false
}
},
"long_description": "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",
"content": "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",
"description": "Parse openvpn logs",
"author": "pserranoa",
"labels": null
},
"schiz0phr3ne/prowlarr-logs": {
"path": "parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml",
"stage": "s01-parse",
Expand Down Expand Up @@ -17780,6 +17817,25 @@
"type": "bruteforce"
}
},
"pserranoa/openvpn-bf": {
"path": "scenarios/pserranoa/openvpn-bf.yml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "22a4026f3fd636871afb2c2e7498cfe81be354f77aa9e2a175f299e6a2998952",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKLSAzIGZhaWxlZCBhdXRoZW50aWNhdGlvbiBhdHRlbXB0cyB3aXRoaW4gMSBtaW51dGUgbGVha3NwZWVkLg==",
"content": "IyBvcGVudnBuIGJydXRlZm9yY2UgZGV0ZWN0aW9uIC8gYXV0aF9mYWlsZWQKdHlwZTogbGVha3kKbmFtZTogcHNlcnJhbm9hL29wZW52cG4tYmYKZGVzY3JpcHRpb246ICJEZXRlY3Qgb3BlbnZwbiBicnV0ZWZvcmNlIgpmaWx0ZXI6ICJldnQuTWV0YS5zZXJ2aWNlID09ICdvcGVudnBuJyAmJiBldnQuTWV0YS5sb2dfdHlwZSA9PSAnYXV0aF9mYWlsZWQnIgpsZWFrc3BlZWQ6ICIxbSIKYmxhY2tob2xlOiA1bQpjYXBhY2l0eTogMwpncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKcmVwcm9jZXNzOiB0cnVlCmxhYmVsczoKIHNlcnZpY2U6IG9wZW52cG4KIHR5cGU6IGF1dGhfZmFpbGVkCiByZW1lZGlhdGlvbjogdHJ1ZQ==",
"description": "Detect openvpn bruteforce",
"author": "pserranoa",
"labels": {
"remediation": true,
"service": "openvpn",
"type": "auth_failed"
}
},
"schiz0phr3ne/prowlarr-bf": {
"path": "scenarios/schiz0phr3ne/prowlarr-bf.yaml",
"version": "0.2",
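--- a/.tests/openvpn-bf/config.yaml
+++ b/.tests/openvpn-bf/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/pserranoa/openvpn.yml
+scenarios:
+- ./scenarios/pserranoa/openvpn-bf.yml
+postoverflows:
+- ""
+log_file: openvpn.log
+log_type: openvpn
+ignore_parsers: true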
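--- a/.tests/openvpn-bf/openvpn.log
+++ b/.tests/openvpn-bf/openvpn.log
@@ -0,0 +1,4 @@
+2024-12-15 14:12:12 192.168.1.31:45321 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.31:45321
+2024-12-15 14:12:13 192.168.1.31:45321 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.31:45321
+2024-12-15 14:12:14 192.168.1.31:45321 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.31:45321
+2024-12-15 14:12:15 192.168.1.31:45321 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.31:45321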
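Review bot: The fixture feeds the bucket four identical events from one source (L111–L114), so it cannot show that the per-`source_ip` grouping the scenario relies on (its body in .index.json groups by `evt.Meta.source_ip`) keeps sources apart, nor that a source below capacity stays unbanned. A second source with a single event of the same message would pin both: append `2024-12-15 14:12:16 192.168.1.32:61432 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.32:61432` here and add `"192.168.1.32" not in results[0].Overflow.GetSources()` next to `len(results) == 1` in scenario.assert. Only the `incoming packet authentication failed` form is exercised; which other failure lines map to `auth_failed` is decided by the parser, which is not on this page, so the other variants from the parser fixture cannot be assumed to overflow.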
Empty file added .tests/openvpn-bf/parser.assert
Empty file.
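--- a/.tests/openvpn-bf/scenario.assert
+++ b/.tests/openvpn-bf/scenario.assert
@@ -0,0 +1,33 @@
+len(results) == 1
+"192.168.1.31" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.31"].IP == "192.168.1.31"
+results[0].Overflow.Sources["192.168.1.31"].Range == ""
+results[0].Overflow.Sources["192.168.1.31"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.31"].GetValue() == "192.168.1.31"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "openvpn.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "openvpn"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.31"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-15T14:12:12Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "openvpn.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "openvpn"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.31"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-12-15T14:12:13Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "openvpn.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "openvpn"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.31"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-12-15T14:12:14Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "openvpn.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "openvpn"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.31"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-12-15T14:12:15Z"
+results[0].Overflow.Alert.GetScenario() == "pserranoa/openvpn-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 4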
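Review bot: L151 pins `Remediation == true` for an overflow built only from `TLS Error: incoming packet authentication failed` events (log_type `auth_failed` at L128, L134, L140, L146), which as far as I know OpenVPN logs for control-channel packets that fail the tls-auth/tls-crypt check before any handshake has completed. Over UDP, OpenVPN's usual transport, such a packet carries no proof of its source address, so a spoofed flood of three-plus packets per address could have this scenario ban addresses of the attacker's choosing; the parser fixture on this page shows only TCP sessions (`TCP connection established`), where the address at least survived a TCP handshake. This deserves a sentence in the scenario's description, and for UDP listeners it is worth confirming whether pre-handshake TLS errors should count as `auth_failed` at all, or only with a much larger capacity than the current 3 (per the scenario body in .index.json). The scenario file itself is not on this page, so I cannot see whether it already narrows the filter.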
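--- a/.tests/openvpn/config.yaml
+++ b/.tests/openvpn/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/pserranoa/openvpn.yml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: openvpn.log
+log_type: openvpn
+ignore_parsers: false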
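--- a/.tests/openvpn/openvpn.log
+++ b/.tests/openvpn/openvpn.log
@@ -0,0 +1,24 @@
+2024-12-15 14:10:00 OpenVPN 2.6.3 x86_64-linux-gnu started
+2024-12-15 14:10:00 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
+2024-12-15 14:11:25 192.168.1.30:52234 TCP connection established with [AF_INET]192.168.1.30:52234
+2024-12-15 14:11:26 192.168.1.30:52234 [UNDEF] Peer Connection Initiated with [AF_INET]192.168.1.30:52234
+2024-12-15 14:11:27 192.168.1.30:52234 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.30:52234
+2024-12-15 14:12:10 192.168.1.31:45321 TCP connection established with [AF_INET]192.168.1.31:45321
+2024-12-15 14:12:11 192.168.1.31:45321 [UNDEF] Peer Connection Initiated with [AF_INET]192.168.1.31:45321
+2024-12-15 14:12:12 192.168.1.31:45321 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.31:45321
+2024-12-15 14:13:05 192.168.1.32:61432 TCP connection established with [AF_INET]192.168.1.32:61432
+2024-12-15 14:13:06 192.168.1.32:61432 [UNDEF] Peer Connection Initiated with [AF_INET]192.168.1.32:61432
+2024-12-15 14:13:07 192.168.1.32:61432 TLS Error: TLS handshake failed from [AF_INET]192.168.1.32:61432
+2024-12-15 14:14:20 192.168.1.33:54321 TCP connection established with [AF_INET]192.168.1.33:54321
+2024-12-15 14:14:21 192.168.1.33:54321 [UNDEF] Peer Connection Initiated with [AF_INET]192.168.1.33:54321
+2024-12-15 14:14:22 192.168.1.33:54321 VERIFY ERROR: depth=0, error=certificate signature failure: CN=malicious-client
+2024-12-15 14:14:22 192.168.1.33:54321 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
+2024-12-15 14:14:22 192.168.1.33:54321 TLS Auth Error: Auth Certificate verification failed for peer
+2024-12-15 14:14:20 client1/192.168.1.13:54321 TCP connection established with [AF_INET]192.168.1.13:54321
+2024-12-15 14:14:21 client1/192.168.1.13:54321 AUTH: Received control message: AUTH_FAILED
+2024-12-15 14:15:00 192.168.1.35:46789 TCP connection established with [AF_INET]192.168.1.35:46789
+2024-12-15 14:15:01 192.168.1.35:46789 [UNDEF] Peer Connection Initiated with [AF_INET]192.168.1.35:46789
+2024-12-15 14:15:02 192.168.1.35:46789 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.35:46789
+2024-12-15 14:15:50 192.168.1.34:56312 TCP connection established with [AF_INET]192.168.1.34:56312
+2024-12-15 14:15:51 192.168.1.34:56312/client3 Peer Connection Initiated with [AF_INET]192.168.1.34:56312
+2024-12-15 14:15:52 192.168.1.34:56312/client3 Authentication succeeded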
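Review bot: The fixture uses two different prefix orders for an authenticated peer — `client1/192.168.1.13:54321` at L186–L187 and `192.168.1.34:56312/client3` at L192–L193 — and as far as I recall OpenVPN's server log prints the former (`CN/ip:port`), so a parser that passes on both shapes is being tested against one that production logs will not produce. L187 `AUTH: Received control message: AUTH_FAILED` is, to my knowledge, the client-side line logged when the server rejects it; the server-side counterpart for a password failure is `TLS Auth Error: Auth Username/Password verification failed for peer`, which is the line the parser needs to see and which this fixture lacks. The timestamps also step backwards at L186 (14:14:20 after 14:14:22 at L185), harmless for a parser test but misleading as a sample. I would rewrite L192–L193 with the `client3/192.168.1.34:56312` prefix, replace L187 with the server-side verification-failed line, fix the ordering, and regenerate parser.assert against the corrected file; the parser itself is not on this page, so which of these lines it actually tags cannot be checked here.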