crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

HTTP error log parser does not work correctly for RHEL/CentOS/Alma #523

Closed AdzerKI closed 1 year ago

AdzerKI commented 2 years ago

What happened?

debug log:

time="31-07-2022 01:39:20" level=debug msg="+ Grok '%{HTT...' returned 13 entries to merge in Parsed" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['errormsg'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['proxy_errorcode'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['clientip'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['proxy_errormessage'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['loglevel'] = 'error'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=error msg="unable to collect sources from bucket: while extracting scope from bucket adzer/http-error_ah01215: scope is Ip but Meta[source_ip] doesn't exist"
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['module'] = 'cgi'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['client'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['tid'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['clientport'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['message'] = 'PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/smi/data/www/materik.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/smi/data/www/materik.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/smi/php'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['pid'] = '1906764'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['timestamp'] = 'Sun Jul 31 01:39:19.858075 2022'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['errorcode'] = '[client 157.55.39.128:0] AH01215'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="eval(evt.Parsed.module == 'auth_basic') = FALSE" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="eval variables:" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg=" evt.Parsed.module = 'cgi'" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse

What did you expect to happen?

I'm trying to ban by error AH01215.

As you can see, the parser puts the client into errorcode (Parsed['errorcode'] = '[client 157.55.39.128:0] AH01215') and can't ban by IP. The IP is null (Parsed['client'] = '').

How can we reproduce it (as minimally and precisely as possible)?

This is a DDoS via "PHP Warning: Missing argument".

Anything else we need to know?

Part of the error log file (httpd service):

[Sun Jul 31 03:47:48.701590 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: addslashes() expects parameter 1 to be string, object given in /var/www/russiaws/data/www/russiaws.ru/wp-includes/functions.php on line 914: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.853696 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966047 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, function 'wp_shortlink_header' not found or invalid function name in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-hook.php on line 284: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966174 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966279 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php

Crowdsec version

2022/07/31 11:08:01 version: v1.4.1-el8-rpm-e1954adc325baa9e3420c324caabd50b7074dd77
2022/07/31 11:08:01 Codename: alphaga
2022/07/31 11:08:01 BuildDate: 2022-07-25_09:53:23
2022/07/31 11:08:01 GoVersion: 1.17.5
2022/07/31 11:08:01 Platform: linux
2022/07/31 11:08:01 Constraint_parser: >= 1.0, <= 2.0
2022/07/31 11:08:01 Constraint_scenario: >= 1.0, < 3.0
2022/07/31 11:08:01 Constraint_api: v1
2022/07/31 11:08:01 Constraint_acquis: >= 1.0, < 2.0

OS version

NAME="AlmaLinux"
VERSION="8.6 (Sky Tiger)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.6 (Sky Tiger)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.6"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.6"

Enabled collections and parsers

crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios ,collections
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/dovecot,enabled,0.1,dovecot support : parser and spammer detection,collections
crowdsecurity/http-cve,enabled,1.0,,collections
crowdsecurity/iptables,enabled,0.1,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/linux-lpe,enabled,0.1,Linux Local Privilege Escalation collection : detect trivial LPEs,collections
crowdsecurity/modsecurity,enabled,0.1,modsecurity support : modsecurity parser and scenario,collections
crowdsecurity/mysql,enabled,0.1,mysql support : logs and brute-force scenarios,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/nginx-proxy-manager,enabled,0.1,Nginx Proxy Manager support : parser and generic http scenarios,collections
crowdsecurity/postfix,enabled,0.2,postfix support : parser and spammer detection,collections
crowdsecurity/proftpd,enabled,0.1,proftpd support : parser and brute-force/user enumeration detection,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections
crowdsecurity/wordpress,enabled,0.4,wordpress: Bruteforce protection and config probing,collections
hitech95/nginx-mail,enabled,0.1,nginx email core : parser and spammer detection,collections
suricata.yaml,"enabled,local",n/a,,collections
crowdsecurity/apache2-logs,enabled,1.0,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/dovecot-logs,enabled,0.4,Parse dovecot logs,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iptables-logs,enabled,0.3,Parse iptables drop logs,parsers
crowdsecurity/modsecurity,enabled,0.9,A parser for modsecurity WAF,parsers
crowdsecurity/mysql-logs,enabled,0.3,Parse MySQL logs,parsers
crowdsecurity/nginx-logs,enabled,1.2,Parse nginx access and error logs,parsers
crowdsecurity/nginx-proxy-manager-logs,enabled,0.2,Parse Nginx Proxy Manager access and error logs,parsers
crowdsecurity/pkexec-logs,enabled,0.1,Parse pkexec logs specifically for CVE-2021-4034,parsers
crowdsecurity/postfix-logs,enabled,0.3,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.1,Parse postscreen logs,parsers
crowdsecurity/proftpd-logs,enabled,0.2,Parse proftpd logs,parsers
crowdsecurity/sshd-logs,enabled,1.9,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,"enabled,tainted",?,Whitelist events from private ipv4 addresses,parsers
hitech95/nginx-mail-logs,enabled,0.1,Parse Nginx Mail logs,parsers
suricata-logs.yaml,"enabled,local",n/a,,parsers
crowdsecurity/CVE-2021-4034,enabled,0.1,Detect CVE-2021-4034 exploits,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/dovecot-spam,enabled,0.3,detect errors on dovecot,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.2,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.4,detect wordpress bruteforce,scenarios
crowdsecurity/http-bf-wordpress_bf_xmlrpc,enabled,0.1,detect wordpress bruteforce on xmlrpc,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.2,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.1,detect wordpress probing : authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.1,detect wordpress probing : variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/modsecurity,enabled,0.4,Web exploitation via modsecurity,scenarios
crowdsecurity/mysql-bf,enabled,0.1,Detect mysql bruteforce,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pgsql-bf,enabled,0.1,Detect PgSQL bruteforce,scenarios
crowdsecurity/postfix-spam,enabled,0.2,Detect spammers,scenarios
crowdsecurity/proftpd-bf,enabled,0.1,Detect proftpd bruteforce,scenarios
crowdsecurity/proftpd-bf_user-enum,enabled,0.1,Detect proftpd user enum bruteforce,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
hitech95/mail-generic-bf,enabled,0.1,Detect generic email brute force,scenarios
http-error_ah01215.yaml,"enabled,local",n/a,,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
suricata-alerts.yaml,"enabled,local",n/a,,scenarios
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.2,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows

Acquisition config

#Generated acquisition file - wizard.sh (service: apache2) / files : /var/log/httpd/access_log /var/log/httpd/error_log
filenames:
# - /var/www/httpd-logs/materik.ru.access.log
 - /var/www/httpd-logs/materik.ru.error.log
# - /var/www/httpd-logs/i-sng.ru.access.log
 - /var/www/httpd-logs/i-sng.ru.error.log
# - /var/www/httpd-logs/penza365.ru.access.log
 - /var/www/httpd-logs/penza365.ru.error.log
# - /var/www/httpd-logs/russiaws.ru.access.log
 - /var/www/httpd-logs/russiaws.ru.error.log
# - /var/www/httpd-logs/vektor-penza.ru.access.log
 - /var/www/httpd-logs/vektor-penza.ru.error.log
# - /var/www/httpd-logs/bravo-plitka.ru.access.log
 - /var/www/httpd-logs/bravo-plitka.ru.error.log
# - /var/www/httpd-logs/sfei.info.access.log
 - /var/www/httpd-logs/sfei.info.error.log
# - /var/www/httpd-logs/rudiaspora.ru.access.log
 - /var/www/httpd-logs/rudiaspora.ru.error.log
# - /var/www/httpd-logs/lazarevsky.club.access.log
 - /var/www/httpd-logs/lazarevsky.club.error.log
# - /var/www/httpd-logs/xn--80aakfk9amh.xn--p1ai.access.log
 - /var/www/httpd-logs/xn--80aakfk9amh.xn--p1ai.error.log
# - /var/www/httpd-logs/xn--80aaab5bghnfbsf1a1k.xn--p1ai.access.log
 - /var/www/httpd-logs/xn--80aaab5bghnfbsf1a1k.xn--p1ai.error.log
# - /var/www/httpd-logs/xn--d1anib6a9c.xn--p1ai.access.log
 - /var/www/httpd-logs/xn--d1anib6a9c.xn--p1ai.error.log
# - /var/www/httpd-logs/upakpnz.ru.access.log
 - /var/www/httpd-logs/upakpnz.ru.error.log
 - /var/log/httpd/access_log
 - /var/log/httpd/error_log
labels:
  type: apache2
---
#Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/error.log /var/log/nginx/access.log
filenames:
  - /var/log/nginx/error.log
  - /var/log/nginx/access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: mysql) / files :
journalctl_filter:
  - _SYSTEMD_UNIT=mysqld.service
labels:
  type: mysql
---
filenames:
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/anaconda/syslog /var/log/messages
  - /var/log/anaconda/syslog
  - /var/log/messages
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure
  - /var/log/secure
labels:
  type: syslog
---
# service: suricata
filename: /var/log/suricata/eve.json
labels:
  type: suricata-evelogs
---
# service: suricata
filename: /var/log/suricata/fast.log
labels:
  type: suricata-fastlogs
---
# service: dovecot, postfix
filenames:
  - /var/log/maillog
labels:
  type: syslog
---
# service: proftpd
filenames:
  - /var/log/proftpd/*.log
labels:
  type: proftpd
---
cat: '/etc/crowdsec/acquis.d/*': No such file or directory

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 10
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
Local API Server:
  - Listen URL              : 127.0.0.1:8081
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - 77.66.179.105
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000000

Prometheus metrics

INFO[31-07-2022 11:09:46 AM] Buckets Metrics:

| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
| adzer/http-error_ah01215 | 342 | 719.43k | 749.93k | 8.02M | 30.44k |
| crowdsecurity/dovecot-spam | - | - | 16 | 46 | 16 |
| crowdsecurity/http-backdoors-attempts | - | 2 | 34 | 37 | 32 |
| crowdsecurity/http-bad-user-agent | - | 553 | 605 | 1.16k | 52 |
| crowdsecurity/http-bf-wordpress_bf | 2 | 1 | 1.16k | 1.53k | 1.16k |
| crowdsecurity/http-bf-wordpress_bf_xmlrpc | 230 | 13.12k | 22.38k | 100.49k | 9.04k |
| crowdsecurity/http-crawl-non_statics | 26 | 1 | 36.03k | 58.41k | 36.01k |
| crowdsecurity/http-path-traversal-probing | - | 1 | 2 | 7 | 1 |
| crowdsecurity/http-probing | 11 | 9 | 2.64k | 3.85k | 2.62k |
| crowdsecurity/http-sensitive-files | - | - | 6 | 6 | 6 |
| crowdsecurity/http-wordpress_user-enum | - | - | 13 | 20 | 13 |
| crowdsecurity/http-wordpress_wpconfig | - | - | 2 | 4 | 2 |
| crowdsecurity/http-xss-probbing | - | - | 1 | 1 | 1 |
| crowdsecurity/ssh-bf | - | 4 | 55 | 214 | 51 |
| crowdsecurity/ssh-bf_user-enum | - | - | 55 | 101 | 55 |
| crowdsecurity/ssh-slow-bf | - | 5 | 31 | 214 | 26 |
| crowdsecurity/ssh-slow-bf_user-enum | - | - | 30 | 77 | 30 |
| crowdsecurity/suricata-high-medium-severity | 34 | 315 | 11.66k | 22.15k | 11.31k |
| crowdsecurity/suricata-major-severity | 3 | 47.80k | 47.80k | - | - |

INFO[31-07-2022 11:09:46 AM] Acquisition Metrics:

| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
| file:/var/log/httpd/access_log | 191.99k | 191.99k | 2 | 134.60k |
| file:/var/log/httpd/error_log | 2 | 2 | - | - |
| file:/var/log/maillog | 127 | 125 | 2 | 46 |
| file:/var/log/messages | 9.43k | - | 9.43k | - |
| file:/var/log/nginx/access.log | 83.20k | 83.20k | 7 | 30.91k |
| file:/var/log/nginx/error.log | 738 | 219 | 519 | 7 |
| file:/var/log/proftpd/tls.log | 2 | - | 2 | - |
| file:/var/log/secure | 2.76k | 220 | 2.54k | 606 |
| file:/var/log/suricata/eve.json | 1.20M | 65.07k | 1.14M | 22.15k |
| file:/var/log/suricata/fast.log | 65.07k | 65.07k | - | - |
| file:/var/www/httpd-logs/bravo-plitka.ru.error.log | 25.93k | 25.93k | - | 25.92k |
| file:/var/www/httpd-logs/i-sng.ru.error.log | 436.83k | 436.35k | 479 | 436.35k |
| file:/var/www/httpd-logs/lazarevsky.club.error.log | 116.12k | 116.09k | 22 | 116.09k |
| file:/var/www/httpd-logs/materik.ru.error.log | 6.66M | 6.66M | 2.92k | 6.66M |
| file:/var/www/httpd-logs/penza365.ru.error.log | 123.56k | 123.55k | 5 | 123.55k |
| file:/var/www/httpd-logs/rudiaspora.ru.error.log | 84.85k | 84.84k | 3 | 84.84k |
| file:/var/www/httpd-logs/russiaws.ru.error.log | 458.85k | 458.82k | 25 | 458.81k |
| file:/var/www/httpd-logs/sfei.info.error.log | 53.79k | 53.77k | 12 | 53.77k |
| file:/var/www/httpd-logs/vektor-penza.ru.error.log | 4.65k | 267 | 4.39k | 22 |
| file:/var/www/httpd-logs/xn--80aaab5bghnfbsf1a1k.xn--p1ai.error.log | 39.61k | 39.61k | 1 | 39.61k |
| file:/var/www/httpd-logs/xn--80aakfk9amh.xn--p1ai.error.log | 672 | 672 | - | 672 |
| file:/var/www/httpd-logs/xn--d1anib6a9c.xn--p1ai.error.log | 23.68k | 23.68k | - | 23.68k |
| journalctl:journalctl-_SYSTEMD_UNIT=mysqld.service | 1 | - | 1 | - |

INFO[31-07-2022 11:09:46 AM] Parser Metrics:

| PARSERS | HITS | PARSED | UNPARSED |
| child-child-crowdsecurity/apache2-logs | 1 | 1 | - |
| child-crowdsecurity/apache2-logs | 16.25M | 8.21M | 8.04M |
| child-crowdsecurity/dovecot-logs | 131 | 125 | 6 |
| child-crowdsecurity/http-logs | 24.89M | 8.58M | 16.30M |
| child-crowdsecurity/nginx-logs | 84.69k | 83.41k | 1.27k |
| child-crowdsecurity/sshd-logs | 3.14k | 220 | 2.92k |
| child-crowdsecurity/suricata-evelogs | 65.07k | 65.07k | - |
| child-crowdsecurity/syslog-logs | 12.31k | 12.31k | - |
| child-hitech95/nginx-mail-logs | 528 | - | 528 |
| child-proftpd-logs | 1.78k | - | 1.78k |
| crowdsecurity/apache2-logs | 8.22M | 8.21M | 7.85k |
| crowdsecurity/cdn-whitelist | 15.42k | 15.42k | - |
| crowdsecurity/dateparse-enrich | 8.43M | 8.43M | - |
| crowdsecurity/dovecot-logs | 127 | 125 | 2 |
| crowdsecurity/geoip-enrich | 405.89k | 405.89k | - |
| crowdsecurity/http-logs | 8.30M | 262.30k | 8.03M |
| crowdsecurity/mysql-logs | 1 | - | 1 |
| crowdsecurity/nginx-logs | 83.94k | 83.41k | 528 |
| crowdsecurity/non-syslog | 9.57M | 9.57M | - |
| crowdsecurity/rdns | 15.42k | 15.42k | - |
| crowdsecurity/seo-bots-whitelist | 15.42k | 15.42k | - |
| crowdsecurity/sshd-logs | 398 | 220 | 178 |
| crowdsecurity/suricata-evelogs | 65.07k | 65.07k | - |
| crowdsecurity/suricata-fastlogs | 65.07k | 65.07k | - |
| crowdsecurity/syslog-logs | 12.31k | 12.31k | - |
| crowdsecurity/whitelists | 8.43M | 8.43M | - |
| hitech95/nginx-mail-logs | 528 | - | 528 |
| proftpd-logs | 446 | - | 446 |

INFO[31-07-2022 11:09:46 AM] Local Api Metrics:

| ROUTE | METHOD | HITS |
| /v1/alerts | GET | 2 |
| /v1/alerts | POST | 8237 |
| /v1/decisions/stream | GET | 3293 |
| /v1/heartbeat | GET | 552 |
| /v1/watchers/login | POST | 13 |

INFO[31-07-2022 11:09:46 AM] Local Api Machines Metrics:

| MACHINE | ROUTE | METHOD | HITS |
| 447781bc7fa345aebfeea23fb74801da9KTEcbPOXh90F5T7 | /v1/alerts | GET | 2 |
| 447781bc7fa345aebfeea23fb74801da9KTEcbPOXh90F5T7 | /v1/alerts | POST | 8237 |
| 447781bc7fa345aebfeea23fb74801da9KTEcbPOXh90F5T7 | /v1/heartbeat | GET | 552 |

INFO[31-07-2022 11:09:46 AM] Local Api Bouncers Metrics:

| BOUNCER | ROUTE | METHOD | HITS |
| FirewallBouncer-1655471332 | /v1/decisions/stream | GET | 3293 |

INFO[31-07-2022 11:09:46 AM] Local Api Decisions:

| REASON | ORIGIN | ACTION | COUNT |
| crowdsecurity/http-wordpress_user-enum | crowdsec | ban | 1 |
| crowdsecurity/http-bad-user-agent | CAPI | ban | 2575 |
| crowdsecurity/http-bad-user-agent | crowdsec | ban | 1488 |
| crowdsecurity/http-cve-2021-41773 | CAPI | ban | 7 |
| crowdsecurity/http-sensitive-files | CAPI | ban | 20 |
| crowdsecurity/http-sensitive-files | crowdsec | ban | 3 |
| crowdsecurity/proftpd-bf | CAPI | ban | 192 |
| crowdsecurity/ssh-bf | CAPI | ban | 1814 |
| crowdsecurity/ssh-bf | crowdsec | ban | 27 |
| crowdsecurity/thinkphp-cve-2018-20062 | CAPI | ban | 268 |
| crowdsecurity/thinkphp-cve-2018-20062 | crowdsec | ban | 1 |
| ltsich/http-w00tw00t | CAPI | ban | 4 |
| crowdsecurity/http-bf-wordpress_bf | crowdsec | ban | 219 |
| crowdsecurity/http-bf-wordpress_bf | CAPI | ban | 1180 |
| crowdsecurity/mysql-bf | CAPI | ban | 64 |
| crowdsecurity/nginx-req-limit-exceeded | CAPI | ban | 17 |
| crowdsecurity/postfix-spam | CAPI | ban | 796 |
| crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI | ban | 21 |
| crowdsecurity/http-open-proxy | CAPI | ban | 116 |
| crowdsecurity/http-open-proxy | crowdsec | ban | 3 |
| crowdsecurity/iptables-scan-multi_ports | CAPI | ban | 423 |
| crowdsecurity/http-crawl-non_statics | CAPI | ban | 5 |
| crowdsecurity/http-crawl-non_statics | crowdsec | ban | 1 |
| crowdsecurity/http-probing | CAPI | ban | 882 |
| crowdsecurity/http-probing | crowdsec | ban | 79 |
| crowdsecurity/jira_cve-2021-26086 | CAPI | ban | 61 |
| crowdsecurity/dovecot-spam | CAPI | ban | 90 |
| crowdsecurity/fortinet-cve-2018-13379 | CAPI | ban | 104 |
| crowdsecurity/http-path-traversal-probing | crowdsec | ban | 1 |
| crowdsecurity/http-path-traversal-probing | CAPI | ban | 15 |
| crowdsecurity/modsecurity | CAPI | ban | 61 |
| crowdsecurity/pgsql-bf | CAPI | ban | 42 |
| crowdsecurity/spring4shell_cve-2022-22965 | CAPI | ban | 8 |
| crowdsecurity/vmware-cve-2022-22954 | CAPI | ban | 4 |
| crowdsecurity/http-bf-wordpress_bf_xmlrpc | CAPI | ban | 4 |
| crowdsecurity/http-bf-wordpress_bf_xmlrpc | crowdsec | ban | 1550 |
| crowdsecurity/http-cve-2021-42013 | CAPI | ban | 2 |
| crowdsecurity/http-generic-bf | CAPI | ban | 4 |
| crowdsecurity/f5-big-ip-cve-2020-5902 | CAPI | ban | 1 |
| crowdsecurity/proftpd-bf_user-enum | CAPI | ban | 7 |
| crowdsecurity/suricata-major-severity | crowdsec | ban | 30741 |
| crowdsecurity/http-backdoors-attempts | CAPI | ban | 665 |
| crowdsecurity/http-backdoors-attempts | crowdsec | ban | 2 |
| crowdsecurity/http-wordpress_wpconfig | CAPI | ban | 16 |
| crowdsecurity/ssh-slow-bf | CAPI | ban | 10762 |
| crowdsecurity/ssh-slow-bf | crowdsec | ban | 75 |

INFO[31-07-2022 11:09:46 AM] Local Api Alerts:

| REASON | COUNT |
| crowdsecurity/http-bad-user-agent | 1948 |
| crowdsecurity/http-bf-wordpress_bf_xmlrpc | 1549 |
| crowdsecurity/http-probing | 103 |
| crowdsecurity/thinkphp-cve-2018-20062 | 2 |
| crowdsecurity/ssh-bf | 57 |
| crowdsecurity/ssh-slow-bf | 189 |
| crowdsecurity/http-backdoors-attempts | 2 |
| crowdsecurity/http-crawl-non_statics | 3 |
| crowdsecurity/http-path-traversal-probing | 1 |
| crowdsecurity/apache_log4j2_cve-2021-44228 | 1 |
| crowdsecurity/http-bf-wordpress_bf | 219 |
| crowdsecurity/http-open-proxy | 3 |
| crowdsecurity/http-sensitive-files | 3 |
| crowdsecurity/http-wordpress_user-enum | 1 |
| crowdsecurity/suricata-major-severity | 30683 |

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

blotus commented 2 years ago

Hello,

Those logs are emitted by PHP, not apache itself.

I'm not sure it is a good idea to take ban decisions on this kind of log, because they can be produced by a legitimate user (for example, a mistake in the website code could easily trigger these logs).

If we add support for PHP logs, it would likely only be for:

AdzerKI commented 2 years ago

Please make a parser for PHP. I don't understand how it works (with client normal detect); I can make a scenario but can't make a parser. I have no choice: a DDoS with this error, using a hard script, makes 10 GB of logs in a day.

I updated the topic, changing apache2 to http.

AdzerKI commented 1 year ago

Found the bug, why this is happening :)

1) POSINT = 1-999999999..., not 0, but the port could be 0 if it is not detected, so I changed POSINT -> INT like this:

HTTPDT24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{INT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}

2) In apache2-logs.yaml I changed HTTPD_ERRORLOG -> HTTPD24_ERRORLOG (I have the apache 2.4 version); I don't know why, but it takes the default HTTPD20_ERRORLOG. In my example it is HTTPDT24_ERRORLOG because I made a pattern with this name in paragraph 1:

pattern: '%{HTTPDT24_ERRORLOG}'

AdzerKI commented 1 year ago

And if somebody has the same problem with DDoS:

1) add a file in /etc/crowdsec/scenarios called http-php-error-ah01215.yaml (nano /etc/crowdsec/scenarios/http-php-error-ah01215.yaml)

2) put this text into the file:

type: leaky
name: adzer/http-php-error-ah01215
description: "detect error PHP Warning:  Missing argument"
debug: false
filter: "evt.Meta.log_type == 'http_error-log' && evt.Parsed.errorcode == 'AH01215'"
groupby: evt.Meta.source_ip
capacity: 20
leakspeed: "10s"
blackhole: 1m
labels:
 service: http
 # need type spam
 type: bruteforce
 remediation: true

3) add a file in /etc/crowdsec/patterns called httpd (nano /etc/crowdsec/patterns/httpd)

4) put this text into the file:

HTTPDT20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
HTTPDT24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{INT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}

HTTPDT_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}

5) in the file /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml, change pattern: '%{HTTPD_ERRORLOG}' to pattern: '%{HTTPDT24_ERRORLOG}'
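The script below is an added example, not code from this thread or from the crowdsec hub. It expands the grok patterns quoted in the two comments above into Python regexes, runs the pre-fix (clientport on POSINT, reconstructed from the comment's description) and post-fix (clientport on INT) HTTPD24_ERRORLOG over the first line of the error_log excerpt in the report, and then pushes the parsed events through a small leaky-bucket model of the adzer/http-php-error-ah01215 scenario (capacity 20, leakspeed 10s, groupby Meta.source_ip). Assumptions: the grok primitives are simplified versions of the stock definitions; the hub's apache2-logs parser is assumed to copy Parsed.client into Meta.source_ip; the bucket semantics (empty after overflow, no blackhole) are a simplification of crowdsec's; the event stream is constructed.

```python
"""Grok expansion and leaky-bucket model for the AH01215 thread (added example)."""
import re

# Grok primitives, simplified from the stock grok-patterns definitions
# (assumption: the real LOGLEVEL, IPORHOST and date sub-patterns are longer,
# but these accept the Apache 2.4 error lines quoted in the report).
GROK = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",            # stock definition: cannot match "0"
    "INT": r"(?:[+-]?(?:[0-9]+))",               # the reporter's replacement: matches "0"
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "LOGLEVEL": r"(?:error|warn(?:ing)?|notice|info|debug|crit|alert|emerg|trace)",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)",
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "YEAR": r"(?:\d\d){1,2}",
    "HTTPDERROR_DATE": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}",
}

# HTTPD24_ERRORLOG as quoted in the thread. ORIG puts clientport back on
# POSINT (the pre-fix state the comment describes); FIXED uses INT.
_HEAD = (r"\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\]"
         r" \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]"
         r"( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?")
_TAIL = r" %{DATA:errorcode}: %{GREEDYDATA:message}"
GROK["HTTPD24_ERRORLOG_ORIG"] = _HEAD + r"( \[client %{IPORHOST:client}:%{POSINT:clientport}\])?" + _TAIL
GROK["HTTPD24_ERRORLOG_FIXED"] = _HEAD + r"( \[client %{IPORHOST:client}:%{INT:clientport}\])?" + _TAIL

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand %{NAME} / %{NAME:field} into a Python regex."""
    def expand(m: re.Match) -> str:
        inner = grok_to_regex(GROK[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return _REF.sub(expand, pattern)


def parse_error_line(line: str, pattern_name: str) -> dict:
    """Model the s01-parse stage: grok fields land in Parsed, unmatched optional
    fields become '' as in the debug output. Assumption: the hub parser copies
    Parsed.client into Meta.source_ip."""
    m = re.match(grok_to_regex(GROK[pattern_name]), line)
    if not m:
        return {}
    parsed = {k: (v or "") for k, v in m.groupdict().items()}
    return {"Parsed": parsed,
            "Meta": {"log_type": "http_error-log", "source_ip": parsed["client"]}}


class LeakyBucket:
    """Simplified crowdsec leaky bucket: one token per event, leaking one token
    per `leakspeed` seconds; overflow when the level exceeds capacity, after
    which the bucket starts empty again (no blackhole modelled)."""

    def __init__(self, capacity: int = 20, leakspeed: float = 10.0):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last = 0.0, None

    def pour(self, ts: float) -> bool:
        if self.last is not None:
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0
            return True
        return False


def run_scenario(events, capacity: int = 20, leakspeed: float = 10.0):
    """Apply the thread's scenario (filter errorcode == 'AH01215', groupby
    Meta.source_ip). Returns (overflows, why events were not poured)."""
    buckets, overflows = {}, []
    skipped = {"no_match": 0, "no_source_ip": 0}
    for ts, evt in events:
        if not evt or evt["Parsed"]["errorcode"] != "AH01215":
            skipped["no_match"] += 1       # pre-fix: errorcode carries the "[client ...]" prefix
            continue
        ip = evt["Meta"]["source_ip"]
        if not ip:                         # scope Ip without Meta.source_ip: no decision possible
            skipped["no_source_ip"] += 1
            continue
        if buckets.setdefault(ip, LeakyBucket(capacity, leakspeed)).pour(ts):
            overflows.append((ts, ip))
    return overflows, skipped


# Constructed sample: the first line of the report's error_log excerpt.
LINE = ("[Sun Jul 31 03:47:48.701590 2022] [cgi:error] [pid 2002187] "
        "[client 77.88.5.47:0] AH01215: PHP Warning: addslashes() expects parameter 1 "
        "to be string, object given in /var/www/russiaws/data/www/russiaws.ru/wp-includes/"
        "functions.php on line 914: /var/www/php-bin-isp-php56/russiaws/php")


def build_events(pattern_name: str, n: int = 30, spacing: float = 2.5):
    """Constructed stream: n copies of LINE every `spacing` seconds, then one
    line from the other client IP that appears in the report's debug output."""
    events = [(i * spacing, parse_error_line(LINE, pattern_name)) for i in range(n)]
    other = LINE.replace("77.88.5.47", "157.55.39.128")
    events.append((n * spacing, parse_error_line(other, pattern_name)))
    return events


if __name__ == "__main__":
    for name in ("HTTPD24_ERRORLOG_ORIG", "HTTPD24_ERRORLOG_FIXED"):
        evt = parse_error_line(LINE, name)
        print(name, "client=%r errorcode=%r" % (evt["Parsed"]["client"], evt["Parsed"]["errorcode"]))
        print("   overflows, skipped =", run_scenario(build_events(name)))
```

With the POSINT pattern the script reproduces the debug output in the report: client is empty and errorcode is '[client 77.88.5.47:0] AH01215', so the scenario's equality filter never fires and, even with a looser filter, there would be no source_ip to group on. With INT the same line yields client 77.88.5.47, clientport 0 and errorcode AH01215, and the bucket for that IP overflows on the 27th event of the constructed stream (30 events at one per 2.5 s leak 0.25 tokens between events). On a live v1.4 install the equivalent check for a pattern change is `cscli explain --log '<line>' --type apache2`, which prints the Parsed fields for one log line.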

buixor commented 1 year ago

Sorry, this was fixed; I forgot to close the issue :)