Closed AdzerKI closed 1 year ago
Hello,
Those logs are emitted by PHP, not apache itself.
I'm not sure this is a good idea to take ban decisions on this kind of logs because they can be produced by a legitimate user (for example, a mistake in the website code could easily trigger these logs).
If we add support for PHP logs, it would likely only be for:
Please make a parser for PHP, I don't understand how it works (with normal client detection), I can make a scenario but can't make a parser. I have no choice. A DDoS with this error using a hard script makes 10 GB of logs in a day.
I updated the topic, changed apache2 to http
Found the bug, here is why this is happening :)
1) POSINT = 1-999999999.... not 0, but the port could be 0 if it is not detected, so I changed POSINT -> INT like this
HTTPDT24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{INT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
2) in apache2-logs.yaml I changed HTTPD_ERRORLOG -> HTTPD24_ERRORLOG (I have the apache24 version), dunno why, but it takes the default HTTPD20_ERRORLOG. In my example it is HTTPDT24_ERRORLOG because I made a pattern with this name in paragraph 1
pattern: '%{HTTPDT24_ERRORLOG}'
and if somebody has the same problem with ddos
1) add a file in /etc/crowdsec/scenarios called http-php-error-ah01215.yaml
nano /etc/crowdsec/scenarios/http-php-error-ah01215.yaml
2) put this text into the file
type: leaky
name: adzer/http-php-error-ah01215
description: "detect error PHP Warning: Missing argument"
debug: false
filter: "evt.Meta.log_type == 'http_error-log' && evt.Parsed.errorcode == 'AH01215'"
groupby: evt.Meta.source_ip
capacity: 20
leakspeed: "10s"
blackhole: 1m
labels:
  service: http
  # need type spam
  type: bruteforce
  remediation: true
3) add a file in /etc/crowdsec/patterns called httpd
nano /etc/crowdsec/patterns/httpd
4) put this text into the file
HTTPDT20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
HTTPDT24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{INT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
HTTPDT_ERRORLOG %{HTTPDT20_ERRORLOG}|%{HTTPDT24_ERRORLOG}
5) in the file /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml change pattern: '%{HTTPD_ERRORLOG}' to pattern: '%{HTTPDT24_ERRORLOG}'
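Why the client field came back empty, as an added example that is not part of the issue or of crowdsec's grok engine: a small Python grok-to-regex expander (with simplified sub-patterns, e.g. IPORHOST only accepts IPv4) runs the stock HTTPD24_ERRORLOG layout and the INT variant from the fix over one of the httpd lines quoted above. With POSINT, port 0 can never match, the whole optional `[client ...]` group is skipped and the address is swallowed by errorcode, so the scenario has no source_ip to group on; with INT the IP is captured.

```python
import re

# Added example: a minimal grok-to-regex expander, not crowdsec's grok engine.
# Only the sub-patterns the HTTPD24_ERRORLOG layout needs are defined, and some
# are simplified (IPORHOST only accepts IPv4 here, LOGLEVEL any word).
GROK = {
    "HTTPDERROR_DATE": r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}",
    "WORD": r"\w+",
    "LOGLEVEL": r"[A-Za-z]+",
    "POSINT": r"[1-9][0-9]*",     # stock definition: 1 and up, never 0
    "INT": r"[+-]?[0-9]+",        # the reporter's replacement: accepts 0
    "NUMBER": r"\d+(?:\.\d+)?",
    "IPORHOST": r"(?:\d{1,3}\.){3}\d{1,3}",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group."""
    def expand(m):
        body = grok_to_regex(GROK[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

def errorlog_pattern(port_type):
    """Apache 2.4 error-log layout from this issue; port_type is 'POSINT' or 'INT'."""
    return (
        r"\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] "
        r"\[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]"
        r"( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?"
        r"( \[client %{IPORHOST:client}:%{" + port_type + r":clientport}\])? "
        r"%{DATA:errorcode}: %{GREEDYDATA:message}"
    )

def parse(line, port_type):
    """Return captured fields (None for skipped optional groups), or None if no match."""
    m = re.match(grok_to_regex(errorlog_pattern(port_type)), line)
    return m.groupdict() if m else None

# Constructed from one of the httpd error lines quoted in the issue (path shortened).
SAMPLE = ("[Sun Jul 31 03:47:48.701590 2022] [cgi:error] [pid 2002187] "
          "[client 77.88.5.47:0] AH01215: PHP Warning: addslashes() expects parameter 1 "
          "to be string, object given in /var/www/.../functions.php on line 914: "
          "/var/www/php-bin-isp-php56/russiaws/php")

if __name__ == "__main__":
    for port_type in ("POSINT", "INT"):
        fields = parse(SAMPLE, port_type)
        # POSINT: client is None and the address sits inside errorcode; INT: client is set
        print(port_type, "client:", fields["client"], "errorcode:", fields["errorcode"])
```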
Sorry, it was fixed, I forgot to close the issue :)
What happened?
debug log:
time="31-07-2022 01:39:20" level=debug msg="+ Grok '%{HTT...' returned 13 entries to merge in Parsed" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['errormsg'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['proxy_errorcode'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['clientip'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['proxy_errormessage'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['loglevel'] = 'error'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=error msg="unable to collect sources from bucket: while extracting scope from bucket adzer/http-error_ah01215: scope is Ip but Meta[source_ip] doesn't exist"
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['module'] = 'cgi'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['client'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['tid'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['clientport'] = ''" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['message'] = 'PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/smi/data/www/materik.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/smi/data/www/materik.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/smi/php'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['pid'] = '1906764'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['timestamp'] = 'Sun Jul 31 01:39:19.858075 2022'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="\t.Parsed['errorcode'] = '[client 157.55.39.128:0] AH01215'" id=lively-snow name=child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="eval(evt.Parsed.module == 'auth_basic') = FALSE" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg="eval variables:" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse
time="31-07-2022 01:39:20" level=debug msg=" evt.Parsed.module = 'cgi'" id=silent-pond name=child-child-crowdsecurity/apache2-logs stage=s01-parse
What did you expect to happen?
I'm trying to ban by error AH01215
As you can see, the parser put the client into errorcode (Parsed['errorcode'] = '[client 157.55.39.128:0] AH01215') and can't ban using the IP. The IP is null (Parsed['client'] = '').
How can we reproduce it (as minimally and precisely as possible)?
this is a DDoS by PHP Warning: Missing argument
Anything else we need to know?
part of the error logfile (httpd service)
[Sun Jul 31 03:47:48.701590 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: addslashes() expects parameter 1 to be string, object given in /var/www/russiaws/data/www/russiaws.ru/wp-includes/functions.php on line 914: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.853696 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966047 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, function 'wp_shortlink_header' not found or invalid function name in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-hook.php on line 284: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966174 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php
[Sun Jul 31 03:47:48.966279 2022] [cgi:error] [pid 2002187] [client 77.88.5.47:0] AH01215: PHP Warning: Missing argument 2 for wpdb::prepare(), called in /var/www/russiaws/data/www/russiaws.ru/wp-includes/class-wp-post.php on line 248 and defined in /var/www/russiaws/data/www/russiaws.ru/wp-includes/wp-db.php on line 1222: /var/www/php-bin-isp-php56/russiaws/php