diff --git a/.index.json b/.index.json
index 4b01261817f..c4dfaaf714b 100644
--- a/.index.json
+++ b/.index.json
@@ -7084,15 +7084,19 @@
 "crowdsecurity/jellyfin-whitelist": {
 "path": "parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml",
 "stage": "s02-enrich",
- "version": "0.1",
+ "version": "0.2",
 "versions": {
 "0.1": {
 "digest": "aa1cf7cfac48914a41ca95fea4d1aa3b885b27d5359b2ecd39c9a22d21d65c47",
 "deprecated": false
+ },
+ "0.2": {
+ "digest": "a403cc45906ec71a8c287a642218605fc45a44c0a1afe3d00c96a9aa728409b7",
+ "deprecated": false
 }
 },
- "long_description": "IyMgSmVsbHlmaW4gV2hpdGVsaXN0CgojIyMgUGxheWluZyB2aWRlb3MKV2hlbiBwbGF5aW5nIHZpZGVvcyBhIFBPU1QgcmVxdWVzdCBpcyBtYWRlIHRvIGBgL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3NgYCwgSmVsbHlmaW4gd2lsbCByZXR1cm4gYSA0MDMuCg==",
- "content": "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",
+ "long_description": "IyMgSmVsbHlmaW4gV2hpdGVsaXN0CgojIyMgUGxheWluZyB2aWRlb3MKV2hlbiBwbGF5aW5nIHZpZGVvcyBhIFBPU1QgcmVxdWVzdCBpcyBtYWRlIHRvIGBgL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3NgYCwgSmVsbHlmaW4gd2lsbCByZXR1cm4gYSA0MDMuCgojIyMgQnJvd3NpbmcgSmVsbHlmaW4gKFN3aWZ0ZmluIGFuZCBSb2t1KQpXaGVuIGJyb3dzaW5nIEplbGx5ZmluIG9uIFJva3UgYW5kIFN3aWZ0ZmluLCBhIEdFVCByZXF1ZXN0IGlzIG1hZGUgZm9yIG5vbi1leGlzdGVudCBpbWFnZXMgYW5kIEplbGx5ZmluIHdpbGwgcmV0dXJuIGEgNDA0Lgo=",
+ "content": "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",
 "description": "Whitelist events from jellyfin",
 "author": "crowdsecurity",
 "labels": null
diff --git a/.tests/jellyfin-whitelist/config.yaml b/.tests/jellyfin-whitelist/config.yaml
new file mode 100644
index 00000000000..91e37f67a90
--- /dev/null
+++ b/.tests/jellyfin-whitelist/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/nginx-logs
+- ./parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: jellyfin-logs.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/jellyfin-whitelist/jellyfin-logs.log b/.tests/jellyfin-whitelist/jellyfin-logs.log
new file mode 100644
index 00000000000..7ba939c32b0
--- /dev/null
+++ b/.tests/jellyfin-whitelist/jellyfin-logs.log
@@ -0,0 +1,4 @@
+192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] "GET /Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0" 404 57 "-" "Roku/DVP-13.1 (13.1.4.01510-30)"
+192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] "GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0" 404 52 "-" "Roku/DVP-13.1 (13.1.4.01510-30)"
+192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] "GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0" 404 52 "-" "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] "GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0" 404 52 "-" "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
diff --git a/.tests/jellyfin-whitelist/parser.assert b/.tests/jellyfin-whitelist/parser.assert
new file mode 100644
index 00000000000..c8f5f8a3ebe
--- /dev/null
+++ b/.tests/jellyfin-whitelist/parser.assert
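Review bot: Every fixture line in this hunk is a 404 on an `/Items/<id>/Images/...` path from a Roku or Swiftfin user agent, so the generated parser.assert only pins the positive case (the visible assertions show events 0–2 reaching `Whitelisted == true` at the jellyfin-whitelist stage) and nothing demonstrates that an unrelated 404 — a different path, or a non-Jellyfin user agent — still ends with `Whitelisted == false`. One negative sample line, e.g. `192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] "GET /not-an-image HTTP/2.0" 404 52 "-" "curl/8.0"` (constructed value), would make an over-broad whitelist fail the test instead of silently passing. Separately, both Swiftfin samples end in a stray `>` (`CFNetwork/1490.0.4>`), which looks like a copy artifact rather than a real user-agent value and is now baked into the assert file; worth confirming against the source access log before it becomes the reference.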
@@ -0,0 +1,331 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 57 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 52 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "nginx" 
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "nginx" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false +len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 4 +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "57" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET 
/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 57 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["request"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_path"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Success == true 
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["body_bytes_sent"] == "52" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 52 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["request"] == "/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_path"] == "/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["body_bytes_sent"] == "52" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["request"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log" 
+results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["http_path"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["body_bytes_sent"] == "52" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_referer"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["http_version"] == "2.0" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["program"] == "nginx" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["remote_user"] == "-" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["request"] == 
"/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Parsed["verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_path"] == "/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_status"] == "404" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["http_verb"] == "GET" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["log_type"] == "http_access-log" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["service"] == "http" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["crowdsecurity/nginx-logs"][3].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "57" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "192.168.1.1 - - 
[24/Aug/2024:22:32:18 +0000] \"GET /Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 57 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["body_bytes_sent"] == "52" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 52 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["request"] == "/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_path"] == "/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["body_bytes_sent"] == "52" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["request"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_path"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-01-13T23:17:58+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-01-13T23:17:58+01:00" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["body_bytes_sent"] == "52" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\"" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["request"] == "/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_path"] == "/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-01-13T23:17:58+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-01-13T23:17:58+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"]) == 4 +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Success == true +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["body_bytes_sent"] == "57" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 57 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["remote_addr"] == "192.168.1.1" 
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["request"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["http_path"] == "/Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["http_status"] == "404" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["http_verb"] == "GET" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["log_type"] == "http_access-log" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["service"] == "http" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["source_ip"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Meta["timestamp"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Enriched["MarshaledTime"] == "2024-08-24T22:32:18Z" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.Whitelisted == true 
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][0].Evt.WhitelistReason == "Jellyfin whitelist" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Success == true +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["body_bytes_sent"] == "52" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["http_referer"] == "-" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["http_version"] == "2.0" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["message"] == "192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] \"GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0\" 404 52 \"-\" \"Roku/DVP-13.1 (13.1.4.01510-30)\"" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["program"] == "nginx" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["remote_addr"] == "192.168.1.1" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["remote_user"] == "-" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["request"] == "/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["status"] == "404" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["time_local"] == "24/Aug/2024:22:32:18 +0000" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Parsed["verb"] == "GET" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["datasource_path"] == "jellyfin-logs.log" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["http_path"] == 
"/Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["http_user_agent"] == "Roku/DVP-13.1 (13.1.4.01510-30)"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Meta["timestamp"] == "2024-08-24T22:32:18Z"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Enriched["MarshaledTime"] == "2024-08-24T22:32:18Z"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][1].Evt.WhitelistReason == "Jellyfin whitelist"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Success == true
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["body_bytes_sent"] == "52"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\""
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["request"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["http_path"] == "/Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Meta["timestamp"] == "2024-01-13T23:17:58+01:00"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Enriched["MarshaledTime"] == "2024-01-13T23:17:58+01:00"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][2].Evt.WhitelistReason == "Jellyfin whitelist"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Success == true
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["body_bytes_sent"] == "52"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["message"] == "192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] \"GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0\" 404 52 \"-\" \"Swiftfin%20tvOS/70 CFNetwork/1490.0.4>\""
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["request"] == "/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["time_local"] == "13/Jan/2024:23:17:58 +0100"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["datasource_path"] == "jellyfin-logs.log"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["http_path"] == "/Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["http_user_agent"] == "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Meta["timestamp"] == "2024-01-13T23:17:58+01:00"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Enriched["MarshaledTime"] == "2024-01-13T23:17:58+01:00"
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.Whitelisted == true
+results["s02-enrich"]["crowdsecurity/jellyfin-whitelist"][3].Evt.WhitelistReason == "Jellyfin whitelist"
+len(results["success"][""]) == 0
diff --git a/.tests/jellyfin-whitelist/scenario.assert b/.tests/jellyfin-whitelist/scenario.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.md b/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.md
index 61b1f312cc2..9765224dff5 100644
--- a/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.md
+++ b/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.md
@@ -2,3 +2,6 @@ ### Playing videos
 When playing videos a POST request is made to ``/Sessions/Playing/Progress``, Jellyfin will return a 403.
+
+### Browsing Jellyfin (Swiftfin and Roku)
+When browsing Jellyfin on Roku and Swiftfin, a GET request is made for non-existent images and Jellyfin will return a 404.
diff --git a/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
index 991462ad8bc..2153ad9a2c6 100644
--- a/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
+++ b/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
@@ -5,3 +5,4 @@ whitelist:
 reason: "Jellyfin whitelist"
 expression:
 - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path contains "/Sessions/Playing/Progress" # When playing videos
+ - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '(?i)^/items/.+?/images/(thumb|primary)' # when browsing on Roku or Swiftfin Clients
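Review bot: The added `matches` expression is wider than the traffic it is meant to excuse: `.+?` accepts any characters for the item id (including `/`, `..` and query text) and nothing is anchored after `(thumb|primary)`, so any GET that 404s under a path merely beginning with `/Items/<anything>/Images/Primary…` or `…/Thumb…` is marked whitelisted and, as I understand CrowdSec whitelists, never reaches the scenarios that count probing. A whitelist is a detection bypass, so it should be no broader than what the clients actually send; the four requests in the new test log all carry 32-character hex item ids, and `parser.assert` shows `http_path` keeps the query string, so the pattern can be anchored on both sides without breaking those fixtures. If Jellyfin item ids are always 32 hex characters (the samples suggest so, but confirm before relying on it), I would tighten the new line to `- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '(?i)^/items/[0-9a-f]{32}/images/(thumb|primary)(\?|$)' # when browsing on Roku or Swiftfin Clients`. The enclosing `whitelist:` mapping begins before this hunk.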