crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

Some bad-agents are not working due to the capital letter. #583

Open LucasGaleano opened 2 years ago

LucasGaleano commented 2 years ago

What happened?

I was doing some testing on my webpage protected by crowdsec and I realized that some bad agents are not working properly. For example, I ran Sqlmap against my page and the bad-agent scenario only parses logs with the "Sqlmap" agent, but the tool creates an agent like this: "sqlmap/1.6.7#stable (https://sqlmap.org)", and the regular expression doesn't match due to the capital letter.

What did you expect to happen?

The regular expression for bad agents should not be case-sensitive.

How can we reproduce it (as minimally and precisely as possible)?

I ran SQLmap v1.6.6 against the webpage, then I copied the logs and changed the agent to a capital letter, from this: "sqlmap/1.6.7#stable (https://sqlmap.org)" to this: "sqlmap/1.6.7#stable (https://Sqlmap.org)"

and it works.

Anything else we need to know?

No response

Crowdsec version

2022/10/27 16:03:53 version: v1.4.1-debian-pragmatic-e1954adc325baa9e3420c324caabd50b7074dd77
2022/10/27 16:03:53 Codename: alphaga
2022/10/27 16:03:53 BuildDate: 2022-07-25_09:20:06
2022/10/27 16:03:53 GoVersion: 1.17.5
2022/10/27 16:03:53 Platform: linux
2022/10/27 16:03:53 Constraint_parser: >= 1.0, <= 2.0
2022/10/27 16:03:53 Constraint_scenario: >= 1.0, < 3.0
2022/10/27 16:03:53 Constraint_api: v1
2022/10/27 16:03:53 Constraint_acquis: >= 1.0, < 2.0

OS version

Linux hostname 5.15.30-2-pve #1 SMP PVE 5.15.30-3 (Fri, 22 Apr 2022 18:08:27 +0200) x86_64 GNU/Linux

Enabled collections and parsers

crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,1.1,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.3,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,1.9,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.2,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.2,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios

Acquisition config

#Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/error.log /var/log/nginx/cp-prod-error.log /var/log/nginx/cp-prod-access.log /var/log/nginx/www-access.log
filenames:
  - /var/log/nginx/error.log
  - /var/log/nginx/cp-prod-error.log
  - /var/log/nginx/cp-prod-access.log
  - /var/log/nginx/www-access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/messages
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog
---

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

INFO[27-10-2022 04:06:39 PM] Buckets Metrics:
+--------------------------------------------+---------------+-----------+--------------+--------+---------+
| BUCKET                                     | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+--------------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-backdoors-attempts      | -             | -         | 1            | 1      | 1       |
| crowdsecurity/http-bad-user-agent          | -             | 8         | 9            | 17     | 1       |
| crowdsecurity/http-crawl-non_statics       | 3             | -         | 448          | 597    | 445     |
| crowdsecurity/http-path-traversal-probing  | -             | -         | 2            | 2      | 2       |
| crowdsecurity/http-probing                 | 2             | 2         | 43           | 72     | 39      |
| crowdsecurity/http-sensitive-files         | -             | -         | 1            | 1      | 1       |
| crowdsecurity/http-sqli-probbing-detection | -             | -         | 4            | 40     | 4       |
| crowdsecurity/http-xss-probbing            | -             | -         | 2            | 2      | 2       |
+--------------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[27-10-2022 04:06:39 PM] Acquisition Metrics:
+----------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE                                 | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log                 | 2          | -            | 2              | -                      |
| file:/var/log/nginx/cp-prod-access.log | 3.18k      | 3.18k        | -              | 700                    |
| file:/var/log/nginx/error.log          | 3          | 1            | 2              | 1                      |
| file:/var/log/nginx/www-access.log     | 39         | 39           | -              | 31                     |
| file:/var/log/syslog                   | 1          | -            | 1              | -                      |
+----------------------------------------+------------+--------------+----------------+------------------------+
INFO[27-10-2022 04:06:39 PM] Parser Metrics:
+---------------------------------+-------+--------+----------+
| PARSERS                         | HITS  | PARSED | UNPARSED |
+---------------------------------+-------+--------+----------+
| child-crowdsecurity/http-logs   | 9.66k | 7.24k  | 2.42k    |
| child-crowdsecurity/nginx-logs  | 3.22k | 3.22k  | 5        |
| child-crowdsecurity/syslog-logs | 3     | 3      | -        |
| crowdsecurity/dateparse-enrich  | 3.22k | 3.22k  | -        |
| crowdsecurity/geoip-enrich      | 3.22k | 3.22k  | -        |
| crowdsecurity/http-logs         | 3.22k | 2.77k  | 446      |
| crowdsecurity/nginx-logs        | 3.22k | 3.22k  | 2        |
| crowdsecurity/non-syslog        | 3.22k | 3.22k  | -        |
| crowdsecurity/syslog-logs       | 3     | 3      | -        |
| crowdsecurity/whitelists        | 3.22k | 3.22k  | -        |
| edgeuno/whitelists              | 3.22k | 3.22k  | -        |
+---------------------------------+-------+--------+----------+

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
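The mismatch described in the report, as an added example in Go (the language CrowdSec is written in), not code from the hub or from the reporter: a case-sensitive alternation built from an assumed pattern list containing the capitalised token "Sqlmap" misses the lower-case user-agent the tool actually sends, while the RE2 `(?i)` flag makes the same list catch it. The pattern list and the sample user-agents are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed user-agent strings modelled on the report above.
var sampleUserAgents = []string{
	"Sqlmap/1.0",                                  // capitalised, matches as-is
	"sqlmap/1.6.7#stable (https://sqlmap.org)",    // what the tool really sends
	"Mozilla/5.0 (X11; Linux x86_64) Firefox/105", // benign browser
}

// Assumed pattern list; the hub's real bad-agent data file is not reproduced here.
var badAgentPatterns = []string{"Sqlmap", "Nikto"}

// compile joins the patterns into one alternation. With ignoreCase=true the
// RE2 flag (?i) is prepended, which is the change the report asks for.
func compile(patterns []string, ignoreCase bool) *regexp.Regexp {
	quoted := make([]string, 0, len(patterns))
	for _, p := range patterns {
		quoted = append(quoted, regexp.QuoteMeta(p))
	}
	expr := "(" + strings.Join(quoted, "|") + ")"
	if ignoreCase {
		expr = "(?i)" + expr
	}
	return regexp.MustCompile(expr)
}

// flagged returns the user-agents in uas that the pattern set matches.
func flagged(uas []string, ignoreCase bool) []string {
	re := compile(badAgentPatterns, ignoreCase)
	var out []string
	for _, ua := range uas {
		if re.MatchString(ua) {
			out = append(out, ua)
		}
	}
	return out
}

func main() {
	fmt.Println("case-sensitive  :", flagged(sampleUserAgents, false))
	fmt.Println("case-insensitive:", flagged(sampleUserAgents, true))
}
```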

LaurenceJJones commented 2 years ago

Going to move this over to the hub as it's a more appropriate location for this issue.