crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

error with sigma/web_exchange_proxyshell #794

Open sabban opened 1 year ago

sabban commented 1 year ago

It seems that sigma/web_exchange_proxyshell is a bit buggy; I keep getting these:

```
time="03-08-2023 15:12:22" level=error msg="failed parsing : invalid operation: int() (1:33)\n | evt.Meta.service == 'http' && ((int(evt.Meta.http_status) == 401 && evt.Parsed.http_args contains \"/autodiscover.json\" && (evt.Parsed.http_args contains \"/powershell\" || evt.Parsed.http_args contains \"/mapi/nspi\" || evt.Parsed.http_args contains \"/EWS\" || evt.Parsed.http_args contains \"X-Rps-CAT\")) || (int(evt.Meta.http_status) == 401 && (Match(\"*autodiscover.json?@*\", evt.Parsed.http_args) || evt.Parsed.http_args contains \"autodiscover.json%3f@\" || evt.Parsed.http_args contains \"%3f@foo.com\" || evt.Parsed.http_args contains \"Email=autodiscover/autodiscover.json\" || Match(\"*json?@foo.com*\", evt.Parsed.http_args))))\n | ................................^" cfg=red-fire file=/etc/crowdsec/scenarios/web_exchange_proxyshell.yml name=sigma/web_exchange_proxyshell
time="03-08-2023 15:12:22" level=error msg="bucketify failed for: {0 0 false  s02-enrich {2023/08/03 15:12:22 [error] 232290#232290: *21 [lua] crowdsec.lua:459: Allow(): [Crowdsec] bouncer error: Http error 403 while talking to LAPI (http://127.0.0.1:8999/v1/decisions?ip=2a05:d018:aff:2f01:6eda:540d:ff39:af10), client: 2a05:d018:aff:2f01:6eda:540d:ff39:af10, server: monitoring.unique-redfish.hklmpt.com, request: \"GET /containers HTTP/1.1\", host: \"monitoring.unique-redfish.hklmpt.com:443\" /var/log/nginx/error.log 2023-08-03 15:12:22.630815861 +0000 UTC m=+504.902415153 map[type:nginx] true file} map[cid:21 file_dir:/ file_ext: file_frag:containers file_name:containers http_version:1.1 impact_completion:true loglevel:error message:[lua] crowdsec.lua:459: Allow(): [Crowdsec] bouncer error: Http error 403 while talking to LAPI (http://127.0.0.1:8999/v1/decisions?ip=2a05:d018:aff:2f01:6eda:540d:ff39:af10) pid:232290 program:nginx remote_addr:2a05:d018:aff:2f01:6eda:540d:ff39:af10 request:/containers static_ressource:false target_fqdn:monitoring.unique-redfish.hklmpt.com tid:232290 time:2023/08/03 15:12:22 verb:GET] map[ASNNumber:16509 ASNOrg:AMAZON-02 ASNumber:16509 IsInEU:true IsoCode:IE Latitude:53.337900 Longitude:-6.259100 MarshaledTime:2023-08-03T15:12:22Z SourceRange:2a05:d018::/35] map[] {  false false map[] <nil> []} 2023-08-03 15:12:22.630838164 +0000 UTC 2023/08/03 15:12:22  2023-08-03T15:12:22Z true {[] map[]} map[ASNNumber:16509 ASNOrg:AMAZON-02 IsInEU:true IsoCode:IE SourceRange:2a05:d018::/35 datasource_path:/var/log/nginx/error.log datasource_type:file http_args_len:0 http_path:/containers http_verb:GET log_type:http_error-log service:http source_ip:2a05:d018:aff:2f01:6eda:540d:ff39:af10 target_fqdn:monitoring.unique-redfish.hklmpt.com timestamp:2023-08-03T15:12:22Z]}"
```
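As an added triage helper (not part of this issue or of crowdsec itself), a small parser for the logfmt-style agent lines shown above: it extracts which scenario failed to compile and why, so a defender can spot hub items that are loaded but silently not running. The sample lines are constructed to mirror the format above; the error texts in them are illustrative.

```python
import re
from typing import Dict, List

# Constructed sample in the crowdsec agent log format from the report
# (not the report's own lines verbatim; the msg field is shortened).
SAMPLE_LOG = r'''
time="03-08-2023 15:12:22" level=error msg="failed parsing : invalid operation: int() (1:33)\n | evt.Meta.service == 'http' && int(evt.Meta.http_status) == 401 && evt.Parsed.http_args contains \"/autodiscover.json\"\n | ................................^" cfg=red-fire file=/etc/crowdsec/scenarios/web_exchange_proxyshell.yml name=sigma/web_exchange_proxyshell
time="03-08-2023 15:12:23" level=info msg="loaded scenarios" cfg=red-fire
time="03-08-2023 15:12:24" level=error msg="failed parsing : unknown name foo (1:5)" cfg=red-fire file=/etc/crowdsec/scenarios/other.yml name=crowdsecurity/other
'''

# key=value pairs: the value is either a bare token or a double-quoted string
# that may contain backslash escapes (the msg field above carries \" and \n).
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_ESCAPES = {'"': '"', "\\": "\\", "n": "\n", "t": "\t", "r": "\r"}


def _unescape(value: str) -> str:
    """Turn the backslash escapes of a quoted logfmt value back into characters."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_logfmt(line: str) -> Dict[str, str]:
    """Parse one logrus/logfmt style line into a dict of fields."""
    fields: Dict[str, str] = {}
    for key, raw in _PAIR_RE.findall(line):
        fields[key] = _unescape(raw[1:-1]) if raw.startswith('"') else raw
    return fields


def failed_scenarios(log_text: str) -> List[Dict[str, str]]:
    """Return one record per scenario whose filter expression failed to compile.

    The msg field looks like "failed parsing : <reason> (line:col)\n | <expr>...";
    only the first line (the reason) is kept, the expression dump is dropped.
    """
    records = []
    for line in log_text.strip().splitlines():
        f = parse_logfmt(line)
        if f.get("level") != "error" or not f.get("msg", "").startswith("failed parsing"):
            continue
        reason = f["msg"].split("\n", 1)[0].split(":", 1)[1].strip()
        records.append({"name": f.get("name", "?"), "file": f.get("file", "?"), "reason": reason})
    return records


if __name__ == "__main__":
    for r in failed_scenarios(SAMPLE_LOG):
        print(f'{r["name"]} ({r["file"]}): {r["reason"]}')
```

Run it over /var/log/crowdsec.log after a `cscli hub upgrade`; a non-empty result means some scenarios compiled nothing and will never alert.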
LaurenceJJones commented 1 year ago

Are the HPs on the latest version, as int() is included in the latest version of crowdsec?