Merge branch 'master' into scenario_taxonomy
AlteredCoder committed Sep 18, 2023
2 parents 448714b + b68f575 commit 664806e
Showing 70 changed files with 4,986 additions and 3,635 deletions.
3,624 changes: 949 additions & 2,675 deletions .index.json

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions .tests/endlessh-logs/config.yaml
@@ -1,4 +1,5 @@
parsers:
- crowdsecurity/syslog-logs
- ./parsers/s01-parse/crowdsecurity/endlessh-logs.yaml
- crowdsecurity/dateparse-enrich
scenarios:
1,201 changes: 1,130 additions & 71 deletions .tests/endlessh-logs/parser.assert

Large diffs are not rendered by default.

12 changes: 12 additions & 0 deletions .tests/endlessh-logs/scenario.assert
Expand Up @@ -4,26 +4,38 @@ results[0].Overflow.Sources["49.88.112.72"].IP == "49.88.112.72"
results[0].Overflow.Sources["49.88.112.72"].Range == ""
results[0].Overflow.Sources["49.88.112.72"].GetScope() == "Ip"
results[0].Overflow.Sources["49.88.112.72"].GetValue() == "49.88.112.72"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "49.88.112.72"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-13T10:55:56.131Z"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[1].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "49.88.112.72"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-02-13T10:57:18.739Z"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "49.88.112.72"
results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-02-13T11:01:37.741Z"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[3].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "49.88.112.72"
results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-02-13T11:01:50.846Z"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[4].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "49.88.112.72"
results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-02-13T11:02:12.588Z"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "endlessh-logs.log"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "endlessh_accept"
results[0].Overflow.Alert.Events[5].GetMeta("service") == "endlessh"
results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "49.88.112.72"
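--- a/.tests/endlessh-syslogs/config.yaml
+++ b/.tests/endlessh-syslogs/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/crowdsecurity/endlessh-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/endlessh-bf.yaml
+postoverflows:
+- ""
+log_file: endlessh-logs.log
+log_type: syslog
+ignore_parsers: true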
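Review bot: `ignore_parsers: true` on the last line of the new config looks at odds with the 99-line parser.assert added in the same directory: if the harness treats that flag the way cscli hubtest does, as far as I recall, the parser-assertion step is skipped and only the scenario assertions are evaluated for this test, so the parser checks for syslog-formatted input would never run. If the intent is to verify that `crowdsecurity/endlessh-logs` parses the syslog variant, drop the line or set `ignore_parsers: false`; if skipping is deliberate, the parser.assert file should either not be committed or carry a comment saying why it is kept. Either way, a one-line comment above the flag stating what it disables would stop the next reader from having to look it up.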
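--- a/.tests/endlessh-syslogs/endlessh-logs.log
+++ b/.tests/endlessh-syslogs/endlessh-logs.log
@@ -0,0 +1,24 @@
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31
+2023-08-17T16:55:35.689651+02:00 mono endlessh[34256]: ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096
+2023-08-17T16:55:55.709713+02:00 mono endlessh[34256]: CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32
+2023-08-17T17:01:29.754473+02:00 mono endlessh[34256]: ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096
+2023-08-17T17:01:49.769219+02:00 mono endlessh[34256]: CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31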
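Review bot: The fixture is the same four syslog lines repeated six times with byte-identical timestamps, so every ACCEPT for `124.222.66.99` carries `2023-08-17T16:55:35.689651+02:00` and every ACCEPT for `65.49.1.109` carries `2023-08-17T17:01:29.754473+02:00`; the bruteforce scenario is therefore fed six events per IP at a single instant rather than a sequence spread over time, which is not how the bucket would fill in production and may hide timing-dependent behaviour. The parser.assert in the same directory expects `len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4`, which only agrees with this 24-line file if identical events are collapsed before the dump is written; please confirm that is the case, or trim the fixture to the four distinct lines so the file and the assertion visibly match. If the repetition is intentional to reach the scenario's threshold, a comment in config.yaml saying so would help the next reader.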
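--- a/.tests/endlessh-syslogs/parser.assert
+++ b/.tests/endlessh-syslogs/parser.assert
@@ -0,0 +1,99 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "34256"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "endlessh"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "mono"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "endlessh"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:55.709713+02:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "CLOSE host=::ffff:124.222.66.99 port=43202 fd=5 time=20.020 bytes=32"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "34256"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "mono"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "34256"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "endlessh"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "mono"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "CLOSE host=::ffff:65.49.1.109 port=39917 fd=5 time=20.014 bytes=31"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "34256"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "endlessh"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:49.769219+02:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "mono"
+len(results["s01-parse"]["crowdsecurity/endlessh-logs"]) == 4
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["pid"] == "34256"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["program"] == "endlessh"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["source_ip"] == "124.222.66.99"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["source_ip"] == "124.222.66.99"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["log_type"] == "endlessh_accept"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["machine"] == "mono"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][0].Evt.Meta["service"] == "endlessh"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][1].Success == false
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["pid"] == "34256"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["program"] == "endlessh"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["source_ip"] == "65.49.1.109"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["log_type"] == "endlessh_accept"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["machine"] == "mono"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["service"] == "endlessh"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["source_ip"] == "65.49.1.109"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][2].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s01-parse"]["crowdsecurity/endlessh-logs"][3].Success == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "endlessh"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2023-08-17T16:55:35.689651+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "ACCEPT host=::ffff:124.222.66.99 port=43202 fd=5 n=1/4096"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "34256"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "124.222.66.99"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-08-17T16:55:35.689651+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "endlessh-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "endlessh_accept"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "mono"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "endlessh"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "124.222.66.99"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-08-17T16:55:35.689651+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "ACCEPT host=::ffff:65.49.1.109 port=39917 fd=5 n=1/4096"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "34256"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "endlessh"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "65.49.1.109"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2023-08-17T17:01:29.754473+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "endlessh_accept"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "mono"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "endlessh"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "65.49.1.109"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-08-17T17:01:29.754473+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-08-17T17:01:29.754473+02:00"
+len(results["success"][""]) == 0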
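Review bot: Every `source_ip` assertion in the new file (`Evt.Parsed["source_ip"] == "124.222.66.99"` and `== "65.49.1.109"`) is derived from a `host=::ffff:...` input, so the test only proves that the IPv4-mapped IPv6 form is unwrapped; a native IPv6 client or an endlessh build that logs a plain IPv4 `host=` is not exercised, and if the parser failed to set `source_ip` for those the bruteforce scenario would presumably have nothing to scope its decision on. One log line of each form with matching s01-parse assertions would close that gap cheaply. The two `Success == false` results at s01-parse belong to the CLOSE lines and are consistent with the `log_type == "endlessh_accept"` meta, but nothing on the page says CLOSE lines are intentionally unparsed; a comment to that effect in config.yaml would stop a future reader from treating them as regressions.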