Fix the author's name in AudioBookShelf collection (#1162)
* Add Audiobookshelf collection

* enhance: Add tests and extend the parser to also support non-JSON output

* enhance: Since we are parsing the application logs we can be more restrictive on failed attempts

* chore: run index workflow manually

* Fix the author's name in AudioBookShelf collection

* enhance: complete the renaming scheme

---------

Co-authored-by: Laurence <[email protected]>
plague-doctor and LaurenceJJones authored Nov 15, 2024
1 parent 15a2c2c commit 834c39e
Showing 11 changed files with 162 additions and 162 deletions.
124 changes: 62 additions & 62 deletions .index.json
Expand Up @@ -2999,27 +2999,6 @@
"MariuszKociubinski/bitwarden-bf"
]
},
"PlagueDoctor/audiobookshelf": {
"path": "collections/PlagueDoctor/audiobookshelf.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "8b710f122d03ec1c714045c90bc76df4b23817d7ff5a55f364f6f3dc79ed021f",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKQSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBbQXVkaW9ib29rc2hlbGYgU2VsZiBIb3N0ZWRdKGh0dHBzOi8vZ2l0aHViLmNvbS9hZHZwbHlyL2F1ZGlvYm9va3NoZWxmKQpkZXBsb3ltZW50cyBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzOgoKLSBBdWRpb2Jvb2tzaGVsZiBwYXJzZXIKLSBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbjoKCmBgYHlhbWwKLS0tCmZpbGVuYW1lczoKICAtIC92YXIvbG9nL2F1ZGlvYm9va3NoZWxmLyoudHh0CmxhYmVsczoKICB0eXBlOiBhdWRpb2Jvb2tzaGVsZgpgYGAK",
"content": "cGFyc2VyczoKICAgIC0gUGxhZ3VlRG9jdG9yL2F1ZGlvYm9va3NoZWxmLWxvZ3MKc2NlbmFyaW9zOgogICAgLSBQbGFndWVEb2N0b3IvYXVkaW9ib29rc2hlbGYtYmYKZGVzY3JpcHRpb246ICJBdWRpb2Jvb2tzaGVsZjogcGFyc2VyIGFuZCBicnV0ZS1mb3JjZSBkZXRlY3Rpb24iCmF1dGhvcjogUGxhZ3VlRG9jdG9yCnRhZ3M6CiAgICAtIGxpbnV4CiAgICAtIGJydXRlLWZvcmNlCiAgICAtIGF1ZGlvYm9va3NoZWxmCg==",
"description": "Audiobookshelf: parser and brute-force detection",
"author": "PlagueDoctor",
"labels": null,
"parsers": [
"PlagueDoctor/audiobookshelf-logs"
],
"scenarios": [
"PlagueDoctor/audiobookshelf-bf"
]
},
"ZoeyVid/npmplus": {
"path": "collections/ZoeyVid/npmplus.yaml",
"version": "0.3",
Expand Down Expand Up @@ -6035,6 +6014,27 @@
"openappsec/openappsec-cross-site-redirect"
]
},
"plague-doctor/audiobookshelf": {
"path": "collections/plague-doctor/audiobookshelf.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "d2e2afd09a10c004b7dd9f1c5be07c1237fc5f1bd9ec339ae374521c6313661b",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKQSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBbQXVkaW9ib29rc2hlbGYgU2VsZiBIb3N0ZWRdKGh0dHBzOi8vZ2l0aHViLmNvbS9hZHZwbHlyL2F1ZGlvYm9va3NoZWxmKQpkZXBsb3ltZW50cyBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzOgoKLSBBdWRpb2Jvb2tzaGVsZiBwYXJzZXIKLSBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbjoKCmBgYHlhbWwKLS0tCmZpbGVuYW1lczoKICAtIC92YXIvbG9nL2F1ZGlvYm9va3NoZWxmLyoudHh0CmxhYmVsczoKICB0eXBlOiBhdWRpb2Jvb2tzaGVsZgpgYGAK",
"content": "cGFyc2VyczoKICAgIC0gcGxhZ3VlLWRvY3Rvci9hdWRpb2Jvb2tzaGVsZi1sb2dzCnNjZW5hcmlvczoKICAgIC0gcGxhZ3VlLWRvY3Rvci9hdWRpb2Jvb2tzaGVsZi1iZgpkZXNjcmlwdGlvbjogIkF1ZGlvYm9va3NoZWxmOiBwYXJzZXIgYW5kIGJydXRlLWZvcmNlIGRldGVjdGlvbiIKYXV0aG9yOiBwbGFndWUtZG9jdG9yCnRhZ3M6CiAgICAtIGxpbnV4CiAgICAtIGJydXRlLWZvcmNlCiAgICAtIGF1ZGlvYm9va3NoZWxmCg==",
"description": "Audiobookshelf: parser and brute-force detection",
"author": "plague-doctor",
"labels": null,
"parsers": [
"plague-doctor/audiobookshelf-logs"
],
"scenarios": [
"plague-doctor/audiobookshelf-bf"
]
},
"schiz0phr3ne/prowlarr": {
"path": "collections/schiz0phr3ne/prowlarr.yaml",
"version": "0.1",
Expand Down Expand Up @@ -6646,22 +6646,6 @@
"author": "MariuszKociubinski",
"labels": null
},
"PlagueDoctor/audiobookshelf-logs": {
"path": "parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml",
"stage": "s01-parse",
"version": "0.1",
"versions": {
"0.1": {
"digest": "6b086296359e15379dcfde0ebd430101088f8225601666959f03f93e9baf0442",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKQSBwYXJzZXIgdGhhdCB3aWxsIHNlYXJjaCBmb3IgdW5hdXRob3JpemVkIGFjY2VzcyB0byBBdWRpb2Jvb2tzaGVsZi4KCiMjIEFjcXVpc2l0aW9uIHRlbXBsYXRlCgpFeGFtcGxlIGFjcXVpc2l0aW9uIGZvciB0aGlzIGNvbGxlY3Rpb246CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAgLSAvdmFyL2xvZy9hdWRpb2Jvb2tzaGVsZi8qLnR4dApsYWJlbHM6CiAgdHlwZTogYXVkaW9ib29rc2hlbGYKYGBgCg==",
"content": "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",
"description": "Parse Audiobookshelf logs",
"author": "PlagueDoctor",
"labels": null
},
"Zaulao/aws-alb": {
"path": "parsers/s01-parse/Zaulao/aws-alb.yaml",
"stage": "s01-parse",
Expand Down Expand Up @@ -9397,6 +9381,22 @@
"author": "openappsec",
"labels": null
},
"plague-doctor/audiobookshelf-logs": {
"path": "parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml",
"stage": "s01-parse",
"version": "0.1",
"versions": {
"0.1": {
"digest": "0ddcd5786e0667d930a92080969958540cb93a9891e04cd5f9d0049c03eae252",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKQSBwYXJzZXIgdGhhdCB3aWxsIHNlYXJjaCBmb3IgdW5hdXRob3JpemVkIGFjY2VzcyB0byBBdWRpb2Jvb2tzaGVsZi4KCiMjIEFjcXVpc2l0aW9uIHRlbXBsYXRlCgpFeGFtcGxlIGFjcXVpc2l0aW9uIGZvciB0aGlzIGNvbGxlY3Rpb246CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAgLSAvdmFyL2xvZy9hdWRpb2Jvb2tzaGVsZi8qLnR4dApsYWJlbHM6CiAgdHlwZTogYXVkaW9ib29rc2hlbGYKYGBgCg==",
"content": "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",
"description": "Parse Audiobookshelf logs",
"author": "plague-doctor",
"labels": null
},
"schiz0phr3ne/prowlarr-logs": {
"path": "parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml",
"stage": "s01-parse",
Expand Down Expand Up @@ -10179,31 +10179,6 @@
"spoofable": 0
}
},
"PlagueDoctor/audiobookshelf-bf": {
"path": "scenarios/PlagueDoctor/audiobookshelf-bf.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "cce65b68389215d3f755b28d0ebe22a30da59e054e1abcb81209ae74dd4563cd",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKRGV0ZWN0IGZhaWxlZCBBdWRpb2Jvb2tzaGVsZiBhdXRoZW50aWNhdGlvbnM6CgotIDMgZmFpbGVkIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHRzIHdpdGhpbiAxIG1pbnV0ZSBsZWFrc3BlZWQK",
"content": "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",
"description": "Detect Audiobookshelf bruteforce attacks",
"author": "PlagueDoctor",
"labels": {
"behavior": "http:bruteforce",
"classification": [
"attack.T1110"
],
"confidence": 3,
"remediation": true,
"service": "audiobookshelf",
"spoofable": 0,
"type": "bruteforce"
}
},
"a1ad/meshcentral-bf": {
"path": "scenarios/a1ad/meshcentral-bf.yaml",
"version": "0.2",
Expand Down Expand Up @@ -16901,6 +16876,31 @@
"spoofable": 0
}
},
"plague-doctor/audiobookshelf-bf": {
"path": "scenarios/plague-doctor/audiobookshelf-bf.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "08ef8732de86ad3bb63236130482608dd1634b6fc2c28577ea87dd1aed9002b9",
"deprecated": false
}
},
"long_description": "IyBEZXNjcmlwdGlvbgoKRGV0ZWN0IGZhaWxlZCBBdWRpb2Jvb2tzaGVsZiBhdXRoZW50aWNhdGlvbnM6CgotIDMgZmFpbGVkIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHRzIHdpdGhpbiAxIG1pbnV0ZSBsZWFrc3BlZWQK",
"content": "IyBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlCnR5cGU6IGxlYWt5Cm5hbWU6IHBsYWd1ZS1kb2N0b3IvYXVkaW9ib29rc2hlbGYtYmYKZGVzY3JpcHRpb246ICJEZXRlY3QgQXVkaW9ib29rc2hlbGYgYnJ1dGVmb3JjZSBhdHRhY2tzIgpmaWx0ZXI6ICJldnQuTWV0YS5zZXJ2aWNlID09ICdhdWRpb2Jvb2tzaGVsZicgJiYgZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ2Fic19mYWlsZWRfYXV0aCciCmxlYWtzcGVlZDogMW0KY2FwYWNpdHk6IDMKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmJsYWNraG9sZTogNW0KcmVwcm9jZXNzOiB0cnVlCmxhYmVsczoKICAgIHNlcnZpY2U6IGF1ZGlvYm9va3NoZWxmCiAgICB0eXBlOiBicnV0ZWZvcmNlCiAgICBjbGFzc2lmaWNhdGlvbjoKICAgICAgICAtIGF0dGFjay5UMTExMAogICAgcmVtZWRpYXRpb246IHRydWUKICAgIGJlaGF2aW9yOiBodHRwOmJydXRlZm9yY2UKICAgIHNwb29mYWJsZTogMAogICAgY29uZmlkZW5jZTogMwo=",
"description": "Detect Audiobookshelf bruteforce attacks",
"author": "plague-doctor",
"labels": {
"behavior": "http:bruteforce",
"classification": [
"attack.T1110"
],
"confidence": 3,
"remediation": true,
"service": "audiobookshelf",
"spoofable": 0,
"type": "bruteforce"
}
},
"schiz0phr3ne/prowlarr-bf": {
"path": "scenarios/schiz0phr3ne/prowlarr-bf.yaml",
"version": "0.2",
4 changes: 2 additions & 2 deletions .tests/audiobookshelf-bf/config.yaml
@@ -1,9 +1,9 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- ./parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
- ./parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
scenarios:
- ./scenarios/PlagueDoctor/audiobookshelf-bf.yaml
- ./scenarios/plague-doctor/audiobookshelf-bf.yaml
postoverflows:
- ""
log_file: audiobookshelf.log
2 changes: 1 addition & 1 deletion .tests/audiobookshelf-bf/scenario.assert
Expand Up @@ -32,6 +32,6 @@ results[0].Overflow.Alert.Events[3].GetMeta("service") == "audiobookshelf"
results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1"
results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-11-13T09:07:10.784Z"
results[0].Overflow.Alert.Events[3].GetMeta("username") == "test"
results[0].Overflow.Alert.GetScenario() == "PlagueDoctor/audiobookshelf-bf"
results[0].Overflow.Alert.GetScenario() == "plague-doctor/audiobookshelf-bf"
results[0].Overflow.Alert.Remediation == true
results[0].Overflow.Alert.GetEventsCount() == 4
2 changes: 1 addition & 1 deletion .tests/audiobookshelf-logs/config.yaml
@@ -1,7 +1,7 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- ./parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
- ./parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
scenarios:
- ""
postoverflows:

0 comments on commit 834c39e
