Closed LaurenceJJones closed 2 years ago
A better way might be to have an in-memory queue which would act as a buffer before writing to the file.
Also, can you share how you test it? I may give it a try.
It would be better to handle it within the format string:
format: |
{{range . -}}
{ "time": "{{.StopAt}}", "alert": "{{. | toJson }}" }
{{ end -}}
custom_format: "%msg%"
That looks better actually.
I provided access to custom format but that should be rarely used
But now we have another issue: toJson by default prints unescaped.
{ "time": "2022-11-01T19:08:34.782577855Z", "alert": "{"capacity":1,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-bad-user-agent","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_path","value":"/"},{"key":"http_status","value":"200"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_path","value":"/"},{"key":"http_status","value":"200"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:getinfo)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"}],"events_count":2,"labels":null,"leakspeed":"1m0s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1.785346ms) at 2022-11-01 19:08:34.782577429 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-bad-user-agent","scenario_hash":"51360ad64c9672e5d3ba9c1786e6fc380c8752871a977a5dddac0d08551aa66a","scenario_version":"0.7","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:34.780792509Z","stop_at":"2022-11-01T19:08:34.782577855Z"}" }
{ "time": "2022-11-01T19:08:34.805951668Z", "alert": "{"capacity":10,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-probing","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.show"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.shtm"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.pwd"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) 
(Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.mediawiki"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.java"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.ee"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) 
(Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.db"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.back"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.aspx"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) 
(Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.epl"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.jsa"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"}],"events_count":11,"labels":null,"leakspeed":"10s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-probing' (11 events over 16.87435ms) at 2022-11-01 19:08:34.805951462 +0000 
UTC","remediation":true,"scenario":"crowdsecurity/http-probing","scenario_hash":"c8bb45b4fb8834ea1dc5cff6439dd272c87d7ee5af4a51e77341ec6edc5d7a25","scenario_version":"0.2","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:34.789077318Z","stop_at":"2022-11-01T19:08:34.805951668Z"}" }
{ "time": "2022-11-01T19:08:34.86591217Z", "alert": "{"capacity":40,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-crawl-non_statics","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.iso-ru"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.htaccess"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.asp+"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"
key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.lasso"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.dk"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.phtml"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"}],"events_count":41,"labels":null,"leakspeed":"500ms","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-crawl-non_statics' (41 events over 85.814816ms) at 2022-11-01 19:08:34.8659119 +0000 
UTC","remediation":true,"scenario":"crowdsecurity/http-crawl-non_statics","scenario_hash":"f0fa40870cdeea7b0da40b9f132e9c6de5e32d584334ec8a2d355faa35cde01c","scenario_version":"0.3","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:34.780097354Z","stop_at":"2022-11-01T19:08:34.86591217Z"}" }
{ "time": "2022-11-01T19:08:34.867717218Z", "alert": "{"capacity":4,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-sensitive-files","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.pwd"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.htpasswd"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.bak"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"
http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.htaccess"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/l7C33j4U.printer"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"}],"events_count":5,"labels":null,"leakspeed":"5s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-sensitive-files' (5 events over 83.943868ms) at 2022-11-01 19:08:34.867717007 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-sensitive-files","scenario_hash":"3f20d74ee5b040db30743ed189537e8c43e04f8954bb5a02251a3495e7a2a555","scenario_version":"0.2","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:34.78377335Z","stop_at":"2022-11-01T19:08:34.867717218Z"}" }
{ "time": "2022-11-01T19:08:35.603070151Z", "alert": "{"capacity":40,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-crawl-non_statics","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/127001.tgz"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/127.0.0.1.tar.bz2"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/backup.jks"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) 
(Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/127.0.0.cer"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/1270.tar.lzma"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"0"},{"key":"http_path","value":"/127.0.0.tar.lzma"},{"key":"http_status","value":"404"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) 
(Test:sitefiles)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:08:34Z"}],"timestamp":"2022-11-01T19:08:34Z"}],"events_count":42,"labels":null,"leakspeed":"500ms","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-crawl-non_statics' (42 events over 822.208479ms) at 2022-11-01 19:08:35.603069717 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-crawl-non_statics","scenario_hash":"f0fa40870cdeea7b0da40b9f132e9c6de5e32d584334ec8a2d355faa35cde01c","scenario_version":"0.3","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:34.780861672Z","stop_at":"2022-11-01T19:08:35.603070151Z"}" }
{ "time": "2022-11-01T19:08:36.495028431Z", "alert": "{"capacity":3,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-path-traversal-probing","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"32"},{"key":"http_path","value":"/newuser?Image=../../database/rbsserv.mdb"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"38"},{"key":"http_path","value":"/3rdparty/phpMyAdmin/db_details_importdocsql.php?submit_show=true\u0026do=import\u0026docpath=../"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"38"},{"key":"http_path","value":"/phpMyAdmin/db_details_importdocsql.php?submit_show=true\u0026do=import\u0026docpath=../"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:0
8:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"38"},{"key":"http_path","value":"/3rdparty/phpmyadmin/db_details_importdocsql.php?submit_show=true\u0026do=import\u0026docpath=../"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"}],"events_count":4,"labels":null,"leakspeed":"10s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-path-traversal-probing' (4 events over 280.828426ms) at 2022-11-01 19:08:36.495028114 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-path-traversal-probing","scenario_hash":"b02022230086b96c212913406376584cc431332bb5cd26078dffa44ff9454499","scenario_version":"0.2","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:36.214200005Z","stop_at":"2022-11-01T19:08:36.495028431Z"}" }
{ "time": "2022-11-01T19:08:36.681887319Z", "alert": "{"capacity":0,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-cve-2021-41773","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"53"},{"key":"http_path","value":"/typo3/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"}],"events_count":1,"labels":null,"leakspeed":"0s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-cve-2021-41773' (1 events over 39ns) at 2022-11-01 19:08:36.681887247 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-cve-2021-41773","scenario_hash":"297eff27011c942a75937838e09c60c80f9dfdbfcb18b358b666777b4d1e89aa","scenario_version":"0.1","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:36.68188728Z","stop_at":"2022-11-01T19:08:36.681887319Z"}" }
{ "time": "2022-11-01T19:08:36.86617301Z", "alert": "{"capacity":5,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-xss-probbing","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"75"},{"key":"http_path","value":"/themes/mambosimple.php?detection=detected\u0026sitename=\u003c/title\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"65"},{"key":"http_path","value":"/index.php?option=search\u0026searchword=\u003cscript\u003ealert(document.cookie);\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"40"},{"key":"http_path","value":"/index.php?dir=\u003cscript\u003ealert('Vulnerable')\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"tim
estamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"40"},{"key":"http_path","value":"/https-admserv/bin/index?/\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"47"},{"key":"http_path","value":"/clusterframe.jsp?cluster=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/error.log"},{"key":"datasource_type","value":"file"},{"key":"http_args_len","value":"45"},{"key":"http_path","value":"/article.cfm?id=1'\u003cscript\u003ealert(document.cookie);\u003c/script\u003e"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_error-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"target_fqdn","value":"_"},{"key":"timestamp","value":"2022-11-01T19:08:35Z"}],"timestamp":"2022-11-01T19:08:35Z"}],"events_count":6,"labels":null,"leakspeed":"1s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"
Ip 127.0.0.1 performed 'crowdsecurity/http-xss-probbing' (6 events over 28.439787ms) at 2022-11-01 19:08:36.866172883 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-xss-probbing","scenario_hash":"1c4d58e1a29cf806a92f67c981532f8a4656312abd05697dcc69b59b757f0076","scenario_version":"0.2","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:08:36.837733223Z","stop_at":"2022-11-01T19:08:36.86617301Z"}" }
Also, with the use of the current format, we should remove the custom_time_format, right?
True, it is only used in the logrus output, not within the crowdsec alert object. Plus, I found a fix for the nested object:
format: |
{{range . -}}
{ "time": "{{.StopAt}}", "alert": "{{. | toJson | replace "\"" "\\\""}}" }
{{ end -}}
Output is correctly JSON escaped:
{ "time": "2022-11-01T19:21:25.957229041Z", "alert": "{\"capacity\":1,\"decisions\":[{\"duration\":\"4h\",\"origin\":\"crowdsec\",\"scenario\":\"crowdsecurity/http-bad-user-agent\",\"scope\":\"Ip\",\"type\":\"ban\",\"value\":\"127.0.0.1\"}],\"events\":[{\"meta\":[{\"key\":\"ASNNumber\",\"value\":\"0\"},{\"key\":\"IsInEU\",\"value\":\"false\"},{\"key\":\"datasource_path\",\"value\":\"/var/log/nginx/access.log\"},{\"key\":\"datasource_type\",\"value\":\"file\"},{\"key\":\"http_path\",\"value\":\"/\"},{\"key\":\"http_status\",\"value\":\"200\"},{\"key\":\"http_user_agent\",\"value\":\"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)\"},{\"key\":\"http_verb\",\"value\":\"HEAD\"},{\"key\":\"log_type\",\"value\":\"http_access-log\"},{\"key\":\"service\",\"value\":\"http\"},{\"key\":\"source_ip\",\"value\":\"127.0.0.1\"},{\"key\":\"timestamp\",\"value\":\"2022-11-01T19:21:25Z\"}],\"timestamp\":\"2022-11-01T19:21:25Z\"},{\"meta\":[{\"key\":\"ASNNumber\",\"value\":\"0\"},{\"key\":\"IsInEU\",\"value\":\"false\"},{\"key\":\"datasource_path\",\"value\":\"/var/log/nginx/access.log\"},{\"key\":\"datasource_type\",\"value\":\"file\"},{\"key\":\"http_path\",\"value\":\"/\"},{\"key\":\"http_status\",\"value\":\"200\"},{\"key\":\"http_user_agent\",\"value\":\"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:getinfo)\"},{\"key\":\"http_verb\",\"value\":\"GET\"},{\"key\":\"log_type\",\"value\":\"http_access-log\"},{\"key\":\"service\",\"value\":\"http\"},{\"key\":\"source_ip\",\"value\":\"127.0.0.1\"},{\"key\":\"timestamp\",\"value\":\"2022-11-01T19:21:25Z\"}],\"timestamp\":\"2022-11-01T19:21:25Z\"}],\"events_count\":2,\"labels\":null,\"leakspeed\":\"1m0s\",\"machine_id\":\"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F\",\"message\":\"Ip 127.0.0.1 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1.984294ms) at 2022-11-01 19:21:25.957228841 +0000 
UTC\",\"remediation\":true,\"scenario\":\"crowdsecurity/http-bad-user-agent\",\"scenario_hash\":\"51360ad64c9672e5d3ba9c1786e6fc380c8752871a977a5dddac0d08551aa66a\",\"scenario_version\":\"0.7\",\"simulated\":false,\"source\":{\"as_number\":\"0\",\"ip\":\"127.0.0.1\",\"scope\":\"Ip\",\"value\":\"127.0.0.1\"},\"start_at\":\"2022-11-01T19:21:25.955244747Z\",\"stop_at\":\"2022-11-01T19:21:25.957229041Z\"}" }
Are you sure that's the expected result?
JQ output:
{
"time": "2022-11-01T19:21:25.957229041Z",
"alert": "{\"capacity\":1,\"decisions\":[{\"duration\":\"4h\",\"origin\":\"crowdsec\",\"scenario\":\"crowdsecurity/http-bad-user-agent\",\"scope\":\"Ip\",\"type\":\"ban\",\"value\":\"127.0.0.1\"}],\"events\":[{\"meta\":[{\"key\":\"ASNNumber\",\"value\":\"0\"},{\"key\":\"IsInEU\",\"value\":\"false\"},{\"key\":\"datasource_path\",\"value\":\"/var/log/nginx/access.log\"},{\"key\":\"datasource_type\",\"value\":\"file\"},{\"key\":\"http_path\",\"value\":\"/\"},{\"key\":\"http_status\",\"value\":\"200\"},{\"key\":\"http_user_agent\",\"value\":\"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)\"},{\"key\":\"http_verb\",\"value\":\"HEAD\"},{\"key\":\"log_type\",\"value\":\"http_access-log\"},{\"key\":\"service\",\"value\":\"http\"},{\"key\":\"source_ip\",\"value\":\"127.0.0.1\"},{\"key\":\"timestamp\",\"value\":\"2022-11-01T19:21:25Z\"}],\"timestamp\":\"2022-11-01T19:21:25Z\"},{\"meta\":[{\"key\":\"ASNNumber\",\"value\":\"0\"},{\"key\":\"IsInEU\",\"value\":\"false\"},{\"key\":\"datasource_path\",\"value\":\"/var/log/nginx/access.log\"},{\"key\":\"datasource_type\",\"value\":\"file\"},{\"key\":\"http_path\",\"value\":\"/\"},{\"key\":\"http_status\",\"value\":\"200\"},{\"key\":\"http_user_agent\",\"value\":\"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:getinfo)\"},{\"key\":\"http_verb\",\"value\":\"GET\"},{\"key\":\"log_type\",\"value\":\"http_access-log\"},{\"key\":\"service\",\"value\":\"http\"},{\"key\":\"source_ip\",\"value\":\"127.0.0.1\"},{\"key\":\"timestamp\",\"value\":\"2022-11-01T19:21:25Z\"}],\"timestamp\":\"2022-11-01T19:21:25Z\"}],\"events_count\":2,\"labels\":null,\"leakspeed\":\"1m0s\",\"machine_id\":\"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F\",\"message\":\"Ip 127.0.0.1 performed crowdsecurity/http-bad-user-agent (2 events over 1.984294ms) at 2022-11-01 19:21:25.957228841 +0000 UTC\",\"remediation\":true,\"scenario\":\"crowdsecurity/http-bad-user-agent\",\"scenario_hash\":\"51360ad64c9672e5d3ba9c1786e6fc380c8752871a977a5dddac0d08551aa66a\",\"scenario_version\":\"0.7\",\"simulated\":false,\"source\":{\"as_number\":\"0\",\"ip\":\"127.0.0.1\",\"scope\":\"Ip\",\"value\":\"127.0.0.1\"},\"start_at\":\"2022-11-01T19:21:25.955244747Z\",\"stop_at\":\"2022-11-01T19:21:25.957229041Z\"}"
}
I believe this would be a better format for the other tools to consume (JQ result):
{
"time": "2022-11-01T19:21:25.957229041Z",
"alert": {
"capacity": 1,
"decisions": [
{
"duration": "4h",
"origin": "crowdsec",
"scenario": "crowdsecurity/http-bad-user-agent",
"scope": "Ip",
"type": "ban",
"value": "127.0.0.1"
}
],
"events": [
{
"meta": [
{
"key": "ASNNumber",
"value": "0"
},
{
"key": "IsInEU",
"value": "false"
},
{
"key": "datasource_path",
"value": "/var/log/nginx/access.log"
},
{
"key": "datasource_type",
"value": "file"
},
{
"key": "http_path",
"value": "/"
},
{
"key": "http_status",
"value": "200"
},
{
"key": "http_user_agent",
"value": "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
},
{
"key": "http_verb",
"value": "HEAD"
},
{
"key": "log_type",
"value": "http_access-log"
},
{
"key": "service",
"value": "http"
},
{
"key": "source_ip",
"value": "127.0.0.1"
},
{
"key": "timestamp",
"value": "2022-11-01T19:21:25Z"
}
],
"timestamp": "2022-11-01T19:21:25Z"
},
{
"meta": [
{
"key": "ASNNumber",
"value": "0"
},
{
"key": "IsInEU",
"value": "false"
},
{
"key": "datasource_path",
"value": "/var/log/nginx/access.log"
},
{
"key": "datasource_type",
"value": "file"
},
{
"key": "http_path",
"value": "/"
},
{
"key": "http_status",
"value": "200"
},
{
"key": "http_user_agent",
"value": "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:getinfo)"
},
{
"key": "http_verb",
"value": "GET"
},
{
"key": "log_type",
"value": "http_access-log"
},
{
"key": "service",
"value": "http"
},
{
"key": "source_ip",
"value": "127.0.0.1"
},
{
"key": "timestamp",
"value": "2022-11-01T19:21:25Z"
}
],
"timestamp": "2022-11-01T19:21:25Z"
}
],
"events_count": 2,
"labels": null,
"leakspeed": "1m0s",
"machine_id": "203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F",
"message": "Ip 127.0.0.1 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1.984294ms) at 2022-11-01 19:21:25.957228841 +0000 UTC",
"remediation": true,
"scenario": "crowdsecurity/http-bad-user-agent",
"scenario_hash": "51360ad64c9672e5d3ba9c1786e6fc380c8752871a977a5dddac0d08551aa66a",
"scenario_version": "0.7",
"simulated": false,
"source": {
"as_number": "0",
"ip": "127.0.0.1",
"scope": "Ip",
"value": "127.0.0.1"
},
"start_at": "2022-11-01T19:21:25.955244747Z",
"stop_at": "2022-11-01T19:21:25.957229041Z"
}
}
Original result:
{ "time": "2022-11-01T19:21:25.957229041Z", "alert": {"capacity":1,"decisions":[{"duration":"4h","origin":"crowdsec","scenario":"crowdsecurity/http-bad-user-agent","scope":"Ip","type":"ban","value":"127.0.0.1"}],"events":[{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_path","value":"/"},{"key":"http_status","value":"200"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"},{"key":"http_verb","value":"HEAD"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:21:25Z"}],"timestamp":"2022-11-01T19:21:25Z"},{"meta":[{"key":"ASNNumber","value":"0"},{"key":"IsInEU","value":"false"},{"key":"datasource_path","value":"/var/log/nginx/access.log"},{"key":"datasource_type","value":"file"},{"key":"http_path","value":"/"},{"key":"http_status","value":"200"},{"key":"http_user_agent","value":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:getinfo)"},{"key":"http_verb","value":"GET"},{"key":"log_type","value":"http_access-log"},{"key":"service","value":"http"},{"key":"source_ip","value":"127.0.0.1"},{"key":"timestamp","value":"2022-11-01T19:21:25Z"}],"timestamp":"2022-11-01T19:21:25Z"}],"events_count":2,"labels":null,"leakspeed":"1m0s","machine_id":"203197ac930c45ec90ffda924404eaddXJqgU5aDwYu2pT4F","message":"Ip 127.0.0.1 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1.984294ms) at 2022-11-01 19:21:25.957228841 +0000 UTC","remediation":true,"scenario":"crowdsecurity/http-bad-user-agent","scenario_hash":"51360ad64c9672e5d3ba9c1786e6fc380c8752871a977a5dddac0d08551aa66a","scenario_version":"0.7","simulated":false,"source":{"as_number":"0","ip":"127.0.0.1","scope":"Ip","value":"127.0.0.1"},"start_at":"2022-11-01T19:21:25.955244747Z","stop_at":"2022-11-01T19:21:25.957229041Z"} }
Depends if the tool is expecting a string or an object as the alert type. Either can work as long as the tool is expecting it.
Added a comment to your PR, as currently it's a string, not an object.
Most of the time, they expect a plain text file, then they parse it based on the configuration. So, I believe, the format below would suffice. I just removed the quotation marks around it.
format: |
{{range . -}}
{ "time": "{{.StopAt}}", "alert": {{. | toJson }} }
{{ end -}}
Because it is ndjson, a whole line should be able to be interpreted as a single JSON object when parsed. That is my intention.
Exactly, you are right. I was expecting the tool to only be searching the alert key to parse out, but that wouldn't make sense now that I think about it.... time for some food and water! 😆
Maybe it makes sense to remove the custom_format from the yaml and by default we supply "%msg%", and only if somebody desperately needs it (or checks in code) they can override it.
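To make the difference between the two format strings concrete, here is an added example (not code from the notification-file plugin or from crowdsec) that renders both templates over a constructed batch of two alerts with Go's text/template and then parses the output line by line, the way an ndjson consumer would. The `Alert` struct is a trimmed-down stand-in for the real alert object, and `toJson` is an assumed helper that mirrors the sprig-style function used in the thread (marshal the argument to compact JSON, with no extra escaping).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Alert is a constructed, cut-down stand-in for the crowdsec alert object
// seen in the thread; only the fields needed to show the point are kept.
type Alert struct {
	Scenario string `json:"scenario"`
	Message  string `json:"message"`
	StopAt   string `json:"stop_at"`
}

// toJson is an assumption: it mirrors the sprig-style helper used in the
// plugin's format string by marshalling its argument to compact JSON.
func toJson(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return ""
	}
	return string(b)
}

// quotedFormat wraps the alert in quotes; the raw JSON's inner quotes end
// up unescaped, so every produced line is invalid JSON.
const quotedFormat = `{{range . -}}
{ "time": "{{.StopAt}}", "alert": "{{. | toJson }}" }
{{ end -}}`

// objectFormat embeds the alert as a nested object: one valid JSON object
// per line, which is what ndjson consumers expect.
const objectFormat = `{{range . -}}
{ "time": "{{.StopAt}}", "alert": {{. | toJson }} }
{{ end -}}`

// render executes a format string over a batch of alerts (the plugin can
// receive several at once) and returns the text that would be appended
// to the file.
func render(format string, alerts []Alert) (string, error) {
	t, err := template.New("file").Funcs(template.FuncMap{"toJson": toJson}).Parse(format)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// validLines parses the output line by line, as a log shipper would, and
// counts lines that are valid JSON whose "alert" key holds an object.
func validLines(ndjson string) (valid int, total int) {
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		if line == "" {
			continue
		}
		total++
		var rec struct {
			Time  string          `json:"time"`
			Alert json.RawMessage `json:"alert"`
		}
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			continue // whole line rejected: not usable as ndjson
		}
		if len(rec.Alert) > 0 && rec.Alert[0] == '{' {
			valid++
		}
	}
	return valid, total
}

// sampleAlerts is constructed input: two alerts, as when the channel is
// flushed with more than one alert at once.
func sampleAlerts() []Alert {
	return []Alert{
		{Scenario: "crowdsecurity/http-bad-user-agent", Message: "Ip 127.0.0.1 performed 'crowdsecurity/http-bad-user-agent'", StopAt: "2022-11-01T19:21:25.957229041Z"},
		{Scenario: "crowdsecurity/http-xss-probbing", Message: "Ip 127.0.0.1 performed 'crowdsecurity/http-xss-probbing'", StopAt: "2022-11-01T19:21:28.161015203Z"},
	}
}

func main() {
	for name, f := range map[string]string{"quoted": quotedFormat, "object": objectFormat} {
		out, err := render(f, sampleAlerts())
		if err != nil {
			panic(err)
		}
		v, n := validLines(out)
		fmt.Printf("%s form: %d of %d lines parse as ndjson with an object alert\n%s", name, v, n, out)
	}
}
```

With the constructed batch, the quoted form yields 0 of 2 usable lines and the object form 2 of 2, and each alert lands on its own line because `{{range . -}}` / `{{ end -}}` trim the template's own newlines while keeping the one after each record.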
I removed it already with latest commit https://github.com/zbalkan/notification-file/commit/a5480eb8df2779fdffb4b84ec82e3915ab4df84a. Should we add a comment for the custom_format?
Also, you have been working on this for last 8 hours. It is time to finish the shift.
https://github.com/zbalkan/notification-file/blob/d1cbec401dcc2bdc947e37a9857f2b048d60731e/file.yaml#L23
Sometimes, even though alerts can come in 1 by 1, when the alert channel gets rushed by 2 or more it may become more than one. Your object may look like this: