Set traefik to use evt.parsed.message to respect s00 stage (#821)

crowdsecurity · Sep 4, 2023 · 23ea379 · 23ea379
1 parent 456b651
commit 23ea379
Show file tree

Hide file tree

Showing 3 changed files with 403 additions and 331 deletions.
diff --git a/.tests/traefik_base-http-scenario/scenario.assert b/.tests/traefik_base-http-scenario/scenario.assert
@@ -9,89 +9,133 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/594VAEoi.dtd"
 results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[0].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/594VAEoi.vts"
 results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[1].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/594VAEoi.asp"
 results[0].Overflow.Alert.Events[2].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[2].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/594VAEoi.PRINT"
 results[0].Overflow.Alert.Events[3].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[3].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/594VAEoi.xtp"
 results[0].Overflow.Alert.Events[4].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[4].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/594VAEoi.php"
 results[0].Overflow.Alert.Events[5].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[5].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[6].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[6].GetMeta("http_path") == "/594VAEoi.pt-br"
 results[0].Overflow.Alert.Events[6].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[6].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[6].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[6].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[7].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[7].GetMeta("http_path") == "/594VAEoi.www_acl"
 results[0].Overflow.Alert.Events[7].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[7].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[7].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[7].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[8].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[8].GetMeta("http_path") == "/594VAEoi.orig"
 results[0].Overflow.Alert.Events[8].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[8].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[8].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[8].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[9].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[9].GetMeta("http_path") == "/594VAEoi.htw"
 results[0].Overflow.Alert.Events[9].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[9].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[9].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[9].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[10].GetMeta("http_args_len") == "0"
 results[0].Overflow.Alert.Events[10].GetMeta("http_path") == "/594VAEoi.json"
 results[0].Overflow.Alert.Events[10].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[10].GetMeta("http_user_agent") == "Nikto"
+results[0].Overflow.Alert.Events[10].GetMeta("http_verb") == "GET"
 results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "http_access-log"
 results[0].Overflow.Alert.Events[10].GetMeta("service") == "http"
 results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "172.17.0.1"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[0].Overflow.Alert.Events[10].GetMeta("traefik_router_name") == "test@docker"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-probing"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 11
@@ -105,33 +149,49 @@ results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[0].GetMeta("http_args_len") == "22"
 results[1].Overflow.Alert.Events[0].GetMeta("http_path") == "/toto?url=file:///etc/passwd"
 results[1].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Nikto"
+results[1].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
 results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[1].Overflow.Alert.Events[0].GetMeta("traefik_router_name") == "test@docker"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[1].GetMeta("http_args_len") == "21"
 results[1].Overflow.Alert.Events[1].GetMeta("http_path") == "/toto?url=file:///etc/group"
 results[1].Overflow.Alert.Events[1].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Nikto"
+results[1].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
 results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "http"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[1].Overflow.Alert.Events[1].GetMeta("traefik_router_name") == "test@docker"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[2].GetMeta("http_args_len") == "22"
 results[1].Overflow.Alert.Events[2].GetMeta("http_path") == "/toto?url=file:///etc/shadow"
 results[1].Overflow.Alert.Events[2].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Nikto"
+results[1].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET"
 results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "http"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.17.0.1"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[1].Overflow.Alert.Events[2].GetMeta("traefik_router_name") == "test@docker"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[1].Overflow.Alert.Events[3].GetMeta("http_args_len") == "27"
 results[1].Overflow.Alert.Events[3].GetMeta("http_path") == "/toto?azda=file//../../etc/passwd"
 results[1].Overflow.Alert.Events[3].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Nikto"
+results[1].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET"
 results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "http"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.17.0.1"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[1].Overflow.Alert.Events[3].GetMeta("traefik_router_name") == "test@docker"
 results[1].Overflow.Alert.GetScenario() == "crowdsecurity/http-path-traversal-probing"
 results[1].Overflow.Alert.Remediation == true
 results[1].Overflow.Alert.GetEventsCount() == 4
@@ -145,9 +205,13 @@ results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[2].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
 results[2].Overflow.Alert.Events[0].GetMeta("http_path") == "/594VAEoi.local"
 results[2].Overflow.Alert.Events[0].GetMeta("http_status") == "400"
+results[2].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Nikto"
+results[2].Overflow.Alert.Events[0].GetMeta("http_verb") == "CONNECT"
 results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[2].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[2].Overflow.Alert.Events[0].GetMeta("traefik_router_name") == "test@docker"
 results[2].Overflow.Alert.GetScenario() == "crowdsecurity/http-open-proxy"
 results[2].Overflow.Alert.Remediation == true
 results[2].Overflow.Alert.GetEventsCount() == 1
@@ -161,18 +225,25 @@ results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
 results[3].Overflow.Alert.Events[0].GetMeta("http_path") == "/594VAEoi.dtd"
 results[3].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[3].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Nikto"
+results[3].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
 results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
 results[3].Overflow.Alert.Events[0].GetMeta("service") == "http"
 results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.17.0.1"
+results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[3].Overflow.Alert.Events[0].GetMeta("traefik_router_name") == "test@docker"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_path") == "traefik_base-http-scenario.log"
 results[3].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[3].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
 results[3].Overflow.Alert.Events[1].GetMeta("http_path") == "/594VAEoi.vts"
 results[3].Overflow.Alert.Events[1].GetMeta("http_status") == "404"
+results[3].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Nikto"
+results[3].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
 results[3].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
 results[3].Overflow.Alert.Events[1].GetMeta("service") == "http"
 results[3].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.17.0.1"
+results[3].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-12-08T14:02:43Z"
+results[3].Overflow.Alert.Events[1].GetMeta("traefik_router_name") == "test@docker"
 results[3].Overflow.Alert.GetScenario() == "crowdsecurity/http-bad-user-agent"
 results[3].Overflow.Alert.Remediation == true
 results[3].Overflow.Alert.GetEventsCount() == 2
-