From ba90a064ba4968636abf7994590da86e2f96dc15 Mon Sep 17 00:00:00 2001
From: Florian Wagner <39341393+florianwgnr@users.noreply.github.com>
Date: Wed, 21 Aug 2024 13:02:10 +0200
Subject: [PATCH] Fix Nextcloud-Whitelist: missing expressions for Nextcloud Bookmarks #1089 (#1090)
* Fix Nextcloud-Whitelist: missing expressions for Nextcloud Bookmarks #1089
Fix missing expressions for Nextcloud Bookmarks #1089
* enhance: Update whitelist to concat two of the simiar types, keep public token the same and add some test
---------
Co-authored-by: Laurence Jones
---
 .index.json | 8 +-
 .../nextcloud-whitelist.log | 4 +
 .tests/nextcloud-whitelist/parser.assert | 366 +++++++++++++++++-
 .../crowdsecurity/nextcloud-whitelist.yaml | 2 +
 4 files changed, 372 insertions(+), 8 deletions(-)
diff --git a/.index.json b/.index.json
index 020e603fc7a..bedf82cb848 100644
--- a/.index.json
+++ b/.index.json
@@ -7304,7 +7304,7 @@
 "crowdsecurity/nextcloud-whitelist": {
 "path": "parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml",
 "stage": "s02-enrich",
- "version": "0.9",
+ "version": "1.0",
 "versions": {
 "0.1": {
 "digest": "7685c823a398a711b76afea742ebeb2637ac55c829eafba841b63504b1e2228e",
@@ -7341,10 +7341,14 @@
 "0.9": {
 "digest": "abb7cfd6a77a94a9c7347065ccbb3964408e51d4d58b3092f009abb65c2cb579",
 "deprecated": false
+ },
+ "1.0": {
+ "digest": "a1e5cb85bb64594220a390b82db288534feb73b99cce25cb13776fcd63a1e75c",
+ "deprecated": false
 }
 },
 "long_description": "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",
- "content": "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",
+ "content": "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",
 "description": "Whitelist events from nextcloud",
 "author": "crowdsecurity",
 "labels": null
diff --git a/.tests/nextcloud-whitelist/nextcloud-whitelist.log b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
index c95456d0925..0c8acd60120 100644
--- a/.tests/nextcloud-whitelist/nextcloud-whitelist.log
+++ b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
@@ -2,3 +2,7 @@
 192.168.1.1 - - [07/Oct/2022:00:01:25 +0200] "GET /index.php/apps/mail/api/avatars/url/noreply%40test.fr HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
 192.168.1.1 - - [07/Oct/2022:00:01:25 +0200] "GET /apps/mail/api/avatars/url/noreply%40test.fr HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
 192.168.1.1 - - [06/Aug/2024:20:58:42 +0200] "GET /apps/files_trashbin/preview?fileId=1331569&x=32&y=32&mimeFallback=true&a=0 HTTP/2.0" 404 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] "GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0" 404 8304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] "GET /apps/bookmarks/bookmark/460/image HTTP/2.0" 404 8307 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+192.168.1.1 - - [06/Aug/2024:21:01:59 +0200] "GET /apps/bookmarks/folder/3/publictoken HTTP/2.0" 404 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+
diff --git a/.tests/nextcloud-whitelist/parser.assert b/.tests/nextcloud-whitelist/parser.assert
index f1ae2f73d09..8935c7a03c5 100644
--- a/.tests/nextcloud-whitelist/parser.assert
+++ b/.tests/nextcloud-whitelist/parser.assert
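Review bot: The fixture picks up a trailing empty line — the bare `+` after the `publictoken` sample, right before the parser.assert file header — which is not one of the three Bookmarks requests the commit adds, and the assertions only hold if that line yields no event (the non-syslog count in the next hunk moves from 4 to 7, not 8). Drop the empty line so the fixture's line count matches the assertions by construction rather than by whatever the file acquisition does with blank lines. Separately, all three new samples are 404 responses on ID-bearing paths (`bookmark/155/favicon`, `bookmark/460/image`, `folder/3/publictoken`); since whitelisting not-found responses on enumerable paths narrows what 404-based probing scenarios can see, it would help a future reviewer if the whitelist's description or this PR recorded which legitimate Bookmarks client behaviour produces these requests, so the breadth of the matching expressions (in the yaml hunk, outside this excerpt) can be judged against it.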
@@ -1,5 +1,5 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 7
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "192.168.1.1 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx"
@@ -24,12 +24,33 @@ results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "ngin results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false -len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4 +results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0\" 404 8304 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/460/image HTTP/2.0\" 404 8307 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "192.168.1.1 - - 
[06/Aug/2024:21:01:59 +0200] \"GET /apps/bookmarks/folder/3/publictoken HTTP/2.0\" 404 39 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 7 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false -len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 4 +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false +len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 7 results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "20" results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" 
@@ -122,7 +143,76 @@ results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["log_type"] == "htt results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["service"] == "http" results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["body_bytes_sent"] == "8304" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0\" 404 8304 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/155/favicon" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/155/favicon" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["body_bytes_sent"] == "8307" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/460/image HTTP/2.0\" 404 8307 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["remote_user"] == "-" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/460/image" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/460/image" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][5].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["body_bytes_sent"] == "39" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["message"] == "192.168.1.1 - - 
[06/Aug/2024:21:01:59 +0200] \"GET /apps/bookmarks/folder/3/publictoken HTTP/2.0\" 404 39 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["request"] == "/apps/bookmarks/folder/3/publictoken" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:59 +0200" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["http_path"] == "/apps/bookmarks/folder/3/publictoken" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][6].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 7 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "20" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "https://myapp.com/" 
@@ -223,7 +313,82 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-08-06T20:58:42+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-08-06T20:58:42+02:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 4 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["body_bytes_sent"] == "8304" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0\" 404 8304 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/155/favicon" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/155/favicon" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["body_bytes_sent"] == "8307" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["http_version"] == "2.0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/460/image HTTP/2.0\" 404 8307 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/460/image" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/460/image" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.168.1.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["body_bytes_sent"] == "39" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:59 +0200] \"GET /apps/bookmarks/folder/3/publictoken HTTP/2.0\" 404 39 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["request"] == "/apps/bookmarks/folder/3/publictoken" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:59 +0200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_path"] == "/apps/bookmarks/folder/3/publictoken" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2024-08-06T21:01:59+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:59+02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 7 results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["body_bytes_sent"] == "20" results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/" 
@@ -353,7 +518,100 @@ results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["source_ip"] == "19 results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Meta["timestamp"] == "2024-08-06T20:58:42+02:00" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Enriched["MarshaledTime"] == "2024-08-06T20:58:42+02:00" results["s02-enrich"]["crowdsecurity/http-logs"][3].Evt.Whitelisted == false -len(results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"]) == 4 +results["s02-enrich"]["crowdsecurity/http-logs"][4].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["body_bytes_sent"] == "8304" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_dir"] == "/apps/bookmarks/bookmark/155/" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_frag"] == "favicon" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["file_name"] == "favicon" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["impact_completion"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0\" 404 8304 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["request"] == 
"/apps/bookmarks/bookmark/155/favicon" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/155/favicon" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][5].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["body_bytes_sent"] == "8307" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["file_dir"] == "/apps/bookmarks/bookmark/460/" 
+results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["file_frag"] == "image" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["file_name"] == "image" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["impact_completion"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/460/image HTTP/2.0\" 404 8307 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/460/image" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_args_len"] == "0" 
+results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/460/image" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/http-logs"][6].Success == true +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["body_bytes_sent"] == "39" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_dir"] == "/apps/bookmarks/folder/3/" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_frag"] == "publictoken" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["file_name"] == "publictoken" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["impact_completion"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["message"] == 
"192.168.1.1 - - [06/Aug/2024:21:01:59 +0200] \"GET /apps/bookmarks/folder/3/publictoken HTTP/2.0\" 404 39 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\"" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["request"] == "/apps/bookmarks/folder/3/publictoken" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["static_ressource"] == "false" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:59 +0200" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_args_len"] == "0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_path"] == "/apps/bookmarks/folder/3/publictoken" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["source_ip"] == "192.168.1.1" 
+results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Meta["timestamp"] == "2024-08-06T21:01:59+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:59+02:00" +results["s02-enrich"]["crowdsecurity/http-logs"][6].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"]) == 7 results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Success == true results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["body_bytes_sent"] == "20" results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/" 
@@ -487,4 +745,100 @@ results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][3].Evt.Meta["timestam
 results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][3].Evt.Enriched["MarshaledTime"] == "2024-08-06T20:58:42+02:00"
 results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][3].Evt.Whitelisted == true
 results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][3].Evt.WhitelistReason == "Nextcloud Whitelist"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Success == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["body_bytes_sent"] == "8304"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["file_dir"] == "/apps/bookmarks/bookmark/155/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["file_frag"] == "favicon"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["file_name"] == "favicon"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/155/favicon HTTP/2.0\" 404 8304 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\""
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/155/favicon"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["http_args_len"] == "0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/155/favicon"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][4].Evt.WhitelistReason == "Nextcloud Whitelist"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Success == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["body_bytes_sent"] == "8307"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["file_dir"] == "/apps/bookmarks/bookmark/460/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["file_frag"] == "image"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["file_name"] == "image"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:57 +0200] \"GET /apps/bookmarks/bookmark/460/image HTTP/2.0\" 404 8307 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\""
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["request"] == "/apps/bookmarks/bookmark/460/image"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:57 +0200"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["http_args_len"] == "0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["http_path"] == "/apps/bookmarks/bookmark/460/image"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Meta["timestamp"] == "2024-08-06T21:01:57+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:57+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][5].Evt.WhitelistReason == "Nextcloud Whitelist"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Success == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["body_bytes_sent"] == "39"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["file_dir"] == "/apps/bookmarks/folder/3/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["file_frag"] == "publictoken"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["file_name"] == "publictoken"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["message"] == "192.168.1.1 - - [06/Aug/2024:21:01:59 +0200] \"GET /apps/bookmarks/folder/3/publictoken HTTP/2.0\" 404 39 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\""
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["request"] == "/apps/bookmarks/folder/3/publictoken"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["time_local"] == "06/Aug/2024:21:01:59 +0200"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["http_args_len"] == "0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["http_path"] == "/apps/bookmarks/folder/3/publictoken"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Meta["timestamp"] == "2024-08-06T21:01:59+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Enriched["MarshaledTime"] == "2024-08-06T21:01:59+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][6].Evt.WhitelistReason == "Nextcloud Whitelist"
 len(results["success"][""]) == 0
diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
index 77d62d15ba7..a493f2213a0 100644
--- a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
+++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
@@ -14,3 +14,5 @@ whitelist:
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Nextcloud Files that don't contain a readme.md 404 error is thrown
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_trashbin/preview' && evt.Parsed.http_args contains 'fileId=' # 404 error thrown when preview is missing for files in trash bin
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/apps\\/files\\/api\\/v1\\/thumbnail\\/(\\d+)/(\\d+)'
+ - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/bookmark' && (evt.Meta.http_path endsWith 'favicon' || evt.Meta.http_path endsWith 'image') #When loading NC bookmarks: some entries might have no favicon or no image
+ - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/folder' && evt.Meta.http_path endsWith 'publictoken' #When loading NC bookmarks: private folders have no publictoken
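Review bot: The two added bookmark expressions match `http_path` with `contains` plus `endsWith`, which accepts any 404 whose path merely has `/apps/bookmarks/bookmark` or `/apps/bookmarks/folder` somewhere in it and ends in `favicon`, `image` or `publictoken`, noticeably wider than the `/apps/bookmarks/bookmark/<id>/favicon` shape the new log samples exercise; since a whitelisted event is not evaluated by the scenarios, the match should be anchored to that shape the way the thumbnail rule just above already does, e.g. `evt.Meta.http_path matches '^\\/apps\\/bookmarks\\/bookmark\\/(\\d+)\\/(favicon|image)$'` and `evt.Meta.http_path matches '^\\/apps\\/bookmarks\\/folder\\/(\\d+)\\/publictoken$'`. The numeric-id assumption is taken only from the three sample paths and should be confirmed against the Bookmarks app's routes before anchoring. The test log in this commit only adds samples that are expected to be whitelisted; one 404 under `/apps/bookmarks/` with a different suffix, asserted as `Whitelisted == false`, would catch the rule being widened by a later edit.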