From 834c39e4a14373096c0035771b86b3d7050f0a88 Mon Sep 17 00:00:00 2001
From: PlagueDoctor
Date: Fri, 15 Nov 2024 09:28:37 +0000
Subject: [PATCH] Fix the author's name in AudioBookShelf collection (#1162)

* Add Audiobookshelf collection
* enhance: Add tests and extend parser to support non json output also
* enhance: Since we are parsing the application logs we can be more restrictive on failed attempts
* chore: run index workflow manually
* Fix the author's name in AudioBookShelf collection
* enhance: complete the renaming scheme

---------

Co-authored-by: Laurence
---
.index.json | 124 ++++++------
.tests/audiobookshelf-bf/config.yaml | 4 +-
.tests/audiobookshelf-bf/scenario.assert | 2 +-
.tests/audiobookshelf-logs/config.yaml | 2 +-
.tests/audiobookshelf-logs/parser.assert | 182 +++++++++---------
.../audiobookshelf.md | 0
.../audiobookshelf.yaml | 6 +-
.../audiobookshelf-logs.md | 0
.../audiobookshelf-logs.yaml | 2 +-
.../audiobookshelf-bf.md | 0
.../audiobookshelf-bf.yaml | 2 +-
11 files changed, 162 insertions(+), 162 deletions(-)
rename collections/{PlagueDoctor => plague-doctor}/audiobookshelf.md (100%)
rename collections/{PlagueDoctor => plague-doctor}/audiobookshelf.yaml (58%)
rename parsers/s01-parse/{PlagueDoctor => plague-doctor}/audiobookshelf-logs.md (100%)
rename parsers/s01-parse/{PlagueDoctor => plague-doctor}/audiobookshelf-logs.yaml (96%)
rename scenarios/{PlagueDoctor => plague-doctor}/audiobookshelf-bf.md (100%)
rename scenarios/{PlagueDoctor => plague-doctor}/audiobookshelf-bf.yaml (92%)
diff --git a/.index.json b/.index.json
index c2c9f394b30..e3b13bcd0ea 100644
--- a/.index.json
+++ b/.index.json
@@ -2999,27 +2999,6 @@ "MariuszKociubinski/bitwarden-bf" ] }, - "PlagueDoctor/audiobookshelf": { - "path": "collections/PlagueDoctor/audiobookshelf.yaml", - "version": "0.1", - "versions": { - "0.1": { - "digest": "8b710f122d03ec1c714045c90bc76df4b23817d7ff5a55f364f6f3dc79ed021f", - "deprecated": false - } - }, - "long_description": "IyBEZXNjcmlwdGlvbgoKQSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBbQXVkaW9ib29rc2hlbGYgU2VsZiBIb3N0ZWRdKGh0dHBzOi8vZ2l0aHViLmNvbS9hZHZwbHlyL2F1ZGlvYm9va3NoZWxmKQpkZXBsb3ltZW50cyBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzOgoKLSBBdWRpb2Jvb2tzaGVsZiBwYXJzZXIKLSBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbjoKCmBgYHlhbWwKLS0tCmZpbGVuYW1lczoKICAtIC92YXIvbG9nL2F1ZGlvYm9va3NoZWxmLyoudHh0CmxhYmVsczoKICB0eXBlOiBhdWRpb2Jvb2tzaGVsZgpgYGAK", - "content": "cGFyc2VyczoKICAgIC0gUGxhZ3VlRG9jdG9yL2F1ZGlvYm9va3NoZWxmLWxvZ3MKc2NlbmFyaW9zOgogICAgLSBQbGFndWVEb2N0b3IvYXVkaW9ib29rc2hlbGYtYmYKZGVzY3JpcHRpb246ICJBdWRpb2Jvb2tzaGVsZjogcGFyc2VyIGFuZCBicnV0ZS1mb3JjZSBkZXRlY3Rpb24iCmF1dGhvcjogUGxhZ3VlRG9jdG9yCnRhZ3M6CiAgICAtIGxpbnV4CiAgICAtIGJydXRlLWZvcmNlCiAgICAtIGF1ZGlvYm9va3NoZWxmCg==", - "description": "Audiobookshelf: parser and brute-force detection", - "author": "PlagueDoctor", - "labels": null, - "parsers": [ - "PlagueDoctor/audiobookshelf-logs" - ], - "scenarios": [ - "PlagueDoctor/audiobookshelf-bf" - ] - }, "ZoeyVid/npmplus": { "path": "collections/ZoeyVid/npmplus.yaml", "version": "0.3", 
@@ -6035,6 +6014,27 @@ "openappsec/openappsec-cross-site-redirect" ] }, + "plague-doctor/audiobookshelf": { + "path": "collections/plague-doctor/audiobookshelf.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "d2e2afd09a10c004b7dd9f1c5be07c1237fc5f1bd9ec339ae374521c6313661b", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKQSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBbQXVkaW9ib29rc2hlbGYgU2VsZiBIb3N0ZWRdKGh0dHBzOi8vZ2l0aHViLmNvbS9hZHZwbHlyL2F1ZGlvYm9va3NoZWxmKQpkZXBsb3ltZW50cyBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzOgoKLSBBdWRpb2Jvb2tzaGVsZiBwYXJzZXIKLSBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbjoKCmBgYHlhbWwKLS0tCmZpbGVuYW1lczoKICAtIC92YXIvbG9nL2F1ZGlvYm9va3NoZWxmLyoudHh0CmxhYmVsczoKICB0eXBlOiBhdWRpb2Jvb2tzaGVsZgpgYGAK", + "content": "cGFyc2VyczoKICAgIC0gcGxhZ3VlLWRvY3Rvci9hdWRpb2Jvb2tzaGVsZi1sb2dzCnNjZW5hcmlvczoKICAgIC0gcGxhZ3VlLWRvY3Rvci9hdWRpb2Jvb2tzaGVsZi1iZgpkZXNjcmlwdGlvbjogIkF1ZGlvYm9va3NoZWxmOiBwYXJzZXIgYW5kIGJydXRlLWZvcmNlIGRldGVjdGlvbiIKYXV0aG9yOiBwbGFndWUtZG9jdG9yCnRhZ3M6CiAgICAtIGxpbnV4CiAgICAtIGJydXRlLWZvcmNlCiAgICAtIGF1ZGlvYm9va3NoZWxmCg==", + "description": "Audiobookshelf: parser and brute-force detection", + "author": "plague-doctor", + "labels": null, + "parsers": [ + "plague-doctor/audiobookshelf-logs" + ], + "scenarios": [ + "plague-doctor/audiobookshelf-bf" + ] + }, "schiz0phr3ne/prowlarr": { "path": "collections/schiz0phr3ne/prowlarr.yaml", "version": "0.1", 
@@ -6646,22 +6646,6 @@ "author": "MariuszKociubinski", "labels": null }, - "PlagueDoctor/audiobookshelf-logs": { - "path": "parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml", - "stage": "s01-parse", - "version": "0.1", - "versions": { - "0.1": { - "digest": "6b086296359e15379dcfde0ebd430101088f8225601666959f03f93e9baf0442", - "deprecated": false - } - }, - "long_description": "IyBEZXNjcmlwdGlvbgoKQSBwYXJzZXIgdGhhdCB3aWxsIHNlYXJjaCBmb3IgdW5hdXRob3JpemVkIGFjY2VzcyB0byBBdWRpb2Jvb2tzaGVsZi4KCiMjIEFjcXVpc2l0aW9uIHRlbXBsYXRlCgpFeGFtcGxlIGFjcXVpc2l0aW9uIGZvciB0aGlzIGNvbGxlY3Rpb246CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAgLSAvdmFyL2xvZy9hdWRpb2Jvb2tzaGVsZi8qLnR4dApsYWJlbHM6CiAgdHlwZTogYXVkaW9ib29rc2hlbGYKYGBgCg==", - "content": "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", - "description": "Parse Audiobookshelf logs", - "author": "PlagueDoctor", - "labels": null - }, "Zaulao/aws-alb": { "path": "parsers/s01-parse/Zaulao/aws-alb.yaml", "stage": "s01-parse", @@ -9397,6 +9381,22 @@ "author": "openappsec", "labels": null }, + "plague-doctor/audiobookshelf-logs": { + "path": "parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml", + "stage": "s01-parse", + "version": "0.1", + "versions": { + "0.1": { + "digest": "0ddcd5786e0667d930a92080969958540cb93a9891e04cd5f9d0049c03eae252", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKQSBwYXJzZXIgdGhhdCB3aWxsIHNlYXJjaCBmb3IgdW5hdXRob3JpemVkIGFjY2VzcyB0byBBdWRpb2Jvb2tzaGVsZi4KCiMjIEFjcXVpc2l0aW9uIHRlbXBsYXRlCgpFeGFtcGxlIGFjcXVpc2l0aW9uIGZvciB0aGlzIGNvbGxlY3Rpb246CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAgLSAvdmFyL2xvZy9hdWRpb2Jvb2tzaGVsZi8qLnR4dApsYWJlbHM6CiAgdHlwZTogYXVkaW9ib29rc2hlbGYKYGBgCg==", + "content": "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", + "description": "Parse Audiobookshelf logs", + "author": "plague-doctor", + "labels": null + }, "schiz0phr3ne/prowlarr-logs": { "path": "parsers/s01-parse/schiz0phr3ne/prowlarr-logs.yaml", "stage": "s01-parse", 
@@ -10179,31 +10179,6 @@ "spoofable": 0 } }, - "PlagueDoctor/audiobookshelf-bf": { - "path": "scenarios/PlagueDoctor/audiobookshelf-bf.yaml", - "version": "0.1", - "versions": { - "0.1": { - "digest": "cce65b68389215d3f755b28d0ebe22a30da59e054e1abcb81209ae74dd4563cd", - "deprecated": false - } - }, - "long_description": "IyBEZXNjcmlwdGlvbgoKRGV0ZWN0IGZhaWxlZCBBdWRpb2Jvb2tzaGVsZiBhdXRoZW50aWNhdGlvbnM6CgotIDMgZmFpbGVkIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHRzIHdpdGhpbiAxIG1pbnV0ZSBsZWFrc3BlZWQK", - "content": "IyBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlCnR5cGU6IGxlYWt5Cm5hbWU6IFBsYWd1ZURvY3Rvci9hdWRpb2Jvb2tzaGVsZi1iZgpkZXNjcmlwdGlvbjogIkRldGVjdCBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGF0dGFja3MiCmZpbHRlcjogImV2dC5NZXRhLnNlcnZpY2UgPT0gJ2F1ZGlvYm9va3NoZWxmJyAmJiBldnQuTWV0YS5sb2dfdHlwZSA9PSAnYWJzX2ZhaWxlZF9hdXRoJyIKbGVha3NwZWVkOiAxbQpjYXBhY2l0eTogMwpncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKYmxhY2tob2xlOiA1bQpyZXByb2Nlc3M6IHRydWUKbGFiZWxzOgogICAgc2VydmljZTogYXVkaW9ib29rc2hlbGYKICAgIHR5cGU6IGJydXRlZm9yY2UKICAgIGNsYXNzaWZpY2F0aW9uOgogICAgICAgIC0gYXR0YWNrLlQxMTEwCiAgICByZW1lZGlhdGlvbjogdHJ1ZQogICAgYmVoYXZpb3I6IGh0dHA6YnJ1dGVmb3JjZQogICAgc3Bvb2ZhYmxlOiAwCiAgICBjb25maWRlbmNlOiAzCg==", - "description": "Detect Audiobookshelf bruteforce attacks", - "author": "PlagueDoctor", - "labels": { - "behavior": "http:bruteforce", - "classification": [ - "attack.T1110" - ], - "confidence": 3, - "remediation": true, - "service": "audiobookshelf", - "spoofable": 0, - "type": "bruteforce" - } - }, "a1ad/meshcentral-bf": { "path": "scenarios/a1ad/meshcentral-bf.yaml", "version": "0.2", 
@@ -16901,6 +16876,31 @@ "spoofable": 0 } }, + "plague-doctor/audiobookshelf-bf": { + "path": "scenarios/plague-doctor/audiobookshelf-bf.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "08ef8732de86ad3bb63236130482608dd1634b6fc2c28577ea87dd1aed9002b9", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKRGV0ZWN0IGZhaWxlZCBBdWRpb2Jvb2tzaGVsZiBhdXRoZW50aWNhdGlvbnM6CgotIDMgZmFpbGVkIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHRzIHdpdGhpbiAxIG1pbnV0ZSBsZWFrc3BlZWQK", + "content": "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", + "description": "Detect Audiobookshelf bruteforce attacks", + "author": "plague-doctor", + "labels": { + "behavior": "http:bruteforce", + "classification": [ + "attack.T1110" + ], + "confidence": 3, + "remediation": true, + "service": "audiobookshelf", + "spoofable": 0, + "type": "bruteforce" + } + }, "schiz0phr3ne/prowlarr-bf": { "path": "scenarios/schiz0phr3ne/prowlarr-bf.yaml", "version": "0.2",
diff --git a/.tests/audiobookshelf-bf/config.yaml b/.tests/audiobookshelf-bf/config.yaml
index 8c58977e8d7..24f322043b2 100644
--- a/.tests/audiobookshelf-bf/config.yaml
+++ b/.tests/audiobookshelf-bf/config.yaml
@@ -1,9 +1,9 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- - ./parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
+ - ./parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
scenarios:
- - ./scenarios/PlagueDoctor/audiobookshelf-bf.yaml
+ - ./scenarios/plague-doctor/audiobookshelf-bf.yaml
postoverflows:
- ""
log_file: audiobookshelf.log
diff --git a/.tests/audiobookshelf-bf/scenario.assert b/.tests/audiobookshelf-bf/scenario.assert
index e7429a8ead3..224f284c11f 100644
--- a/.tests/audiobookshelf-bf/scenario.assert
+++ b/.tests/audiobookshelf-bf/scenario.assert
@@ -32,6 +32,6 @@ results[0].Overflow.Alert.Events[3].GetMeta("service") == "audiobookshelf" results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-11-13T09:07:10.784Z" results[0].Overflow.Alert.Events[3].GetMeta("username") == "test" -results[0].Overflow.Alert.GetScenario() == "PlagueDoctor/audiobookshelf-bf" +results[0].Overflow.Alert.GetScenario() == "plague-doctor/audiobookshelf-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/audiobookshelf-logs/config.yaml b/.tests/audiobookshelf-logs/config.yaml
index 48ac542de50..2eedc0e9bc1 100644
--- a/.tests/audiobookshelf-logs/config.yaml
+++ b/.tests/audiobookshelf-logs/config.yaml
@@ -1,7 +1,7 @@
parsers:
- crowdsecurity/syslog-logs
- crowdsecurity/dateparse-enrich
- - ./parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
+ - ./parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
scenarios:
- ""
postoverflows:
diff --git a/.tests/audiobookshelf-logs/parser.assert b/.tests/audiobookshelf-logs/parser.assert
index 88c9bb601a5..fb18b43d00e 100644
--- a/.tests/audiobookshelf-logs/parser.assert
+++ b/.tests/audiobookshelf-logs/parser.assert
@@ -50,95 +50,95 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false -len(results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"]) == 7 -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Success == true -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Parsed["program"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Parsed["reason"] == "Invalid password" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Parsed["username"] == "test" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["datasource_path"] == "audiobookshelf.log" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["log_type"] == "abs_failed_auth" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["service"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Meta["username"] == "test" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)" 
-results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["level"] == 4 -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][0].Evt.Whitelisted == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Success == true -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:05.896\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Parsed["program"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Parsed["reason"] == "User not found" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Parsed["username"] == "Hfhh" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["datasource_path"] == "audiobookshelf.log" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["log_type"] == "abs_failed_auth" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["service"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Meta["username"] == "Hfhh" 
-results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["level"] == 4 -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:05.896" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][1].Evt.Whitelisted == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Success == true -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:17.741\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Parsed["program"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Parsed["reason"] == "User not found" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Parsed["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Parsed["username"] == "Hfhh" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["datasource_path"] == "audiobookshelf.log" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["log_type"] == "abs_failed_auth" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["service"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["source_ip"] == 
"192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Meta["username"] == "Hfhh" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:17.741" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["level"] == 4 -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][2].Evt.Whitelisted == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Success == true -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Parsed["program"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Parsed["reason"] == "Invalid password" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Parsed["username"] == "test" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["datasource_path"] == "audiobookshelf.log" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["log_type"] == "abs_failed_auth" 
-results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["service"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Meta["username"] == "test" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["level"] == 4 -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][3].Evt.Whitelisted == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Success == true -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["message"] == "[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username \"fooobar\" from ip ::1 (User not found) (Auth.js:888)" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["program"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["reason"] == "User not found" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["source_ip"] == "::1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["timestamp"] == "2024-11-13 09:54:35.882" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Parsed["username"] == "fooobar" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["datasource_path"] == "audiobookshelf.log" 
-results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["log_type"] == "abs_failed_auth" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["service"] == "audiobookshelf" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["source_ip"] == "::1" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Meta["username"] == "fooobar" -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][4].Evt.Whitelisted == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][5].Success == false -results["s01-parse"]["PlagueDoctor/audiobookshelf-logs"][6].Success == false +len(results["s01-parse"]["plague-doctor/audiobookshelf-logs"]) == 7 +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Success == true +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["program"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["reason"] == "Invalid password" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Parsed["username"] == "test" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["datasource_path"] == "audiobookshelf.log" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["log_type"] == "abs_failed_auth" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["service"] == 
"audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Meta["username"] == "test" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Unmarshaled["abs"]["level"] == 4 +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Success == true +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:05.896\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["program"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["reason"] == "User not found" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Parsed["username"] == "Hfhh" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["datasource_path"] == "audiobookshelf.log" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["log_type"] == "abs_failed_auth" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["service"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Meta["username"] == "Hfhh" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["level"] == 4 +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:05.896" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Success == true +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:17.741\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["program"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["reason"] == "User not found" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Parsed["username"] == "Hfhh" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["datasource_path"] 
== "audiobookshelf.log" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["log_type"] == "abs_failed_auth" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["service"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Meta["username"] == "Hfhh" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 09:07:17.741" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["level"] == 4 +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"Hfhh\" from ip 192.168.1.1 (User not found)" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Success == true +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["program"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["reason"] == "Invalid password" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["source_ip"] == "192.168.1.1" 
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Parsed["username"] == "test" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["datasource_path"] == "audiobookshelf.log" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["log_type"] == "abs_failed_auth" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["service"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Meta["username"] == "test" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["level"] == 4 +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["levelName"] == "ERROR" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Success == true +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["message"] == "[2024-11-13 09:54:35.882] ERROR: [Auth] Failed login attempt for username \"fooobar\" from ip ::1 (User not found) (Auth.js:888)" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["program"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["reason"] == "User not found" 
+results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["source_ip"] == "::1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["timestamp"] == "2024-11-13 09:54:35.882" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Parsed["username"] == "fooobar" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["datasource_path"] == "audiobookshelf.log" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["log_type"] == "abs_failed_auth" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["service"] == "audiobookshelf" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["source_ip"] == "::1" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Meta["username"] == "fooobar" +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][5].Success == false +results["s01-parse"]["plague-doctor/audiobookshelf-logs"][6].Success == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 11:03:31.784\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"test\\\" from ip 192.168.1.1 (Invalid password)\",\"levelName\":\"ERROR\",\"level\":4}" 
@@ -154,11 +154,11 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-11-13T11:03:31.784Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["username"] == "test"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-11-13T11:03:31.784Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["level"] == 4
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["message"] == "[Auth] Failed login attempt for username \"test\" from ip 192.168.1.1 (Invalid password)"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["source"] == "Auth.js:888"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["timestamp"] == "2024-11-13 11:03:31.784"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["level"] == 4
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["abs"]["levelName"] == "ERROR"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"timestamp\":\"2024-11-13 09:07:05.896\",\"source\":\"Auth.js:888\",\"message\":\"[Auth] Failed login attempt for username \\\"Hfhh\\\" from ip 192.168.1.1 (User not found)\",\"levelName\":\"ERROR\",\"level\":4}"
diff --git a/collections/PlagueDoctor/audiobookshelf.md b/collections/plague-doctor/audiobookshelf.md
similarity index 100%
rename from collections/PlagueDoctor/audiobookshelf.md
rename to collections/plague-doctor/audiobookshelf.md
diff --git a/collections/PlagueDoctor/audiobookshelf.yaml b/collections/plague-doctor/audiobookshelf.yaml
similarity index 58%
rename from collections/PlagueDoctor/audiobookshelf.yaml
rename to collections/plague-doctor/audiobookshelf.yaml
index 3c48c5502bd..d66d4534434 100644
--- a/collections/PlagueDoctor/audiobookshelf.yaml
+++ b/collections/plague-doctor/audiobookshelf.yaml
@@ -1,9 +1,9 @@
 parsers:
-    - PlagueDoctor/audiobookshelf-logs
+    - plague-doctor/audiobookshelf-logs
 scenarios:
-    - PlagueDoctor/audiobookshelf-bf
+    - plague-doctor/audiobookshelf-bf
 description: "Audiobookshelf: parser and brute-force detection"
-author: PlagueDoctor
+author: plague-doctor
 tags:
     - linux
     - brute-force
diff --git a/parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.md b/parsers/s01-parse/plague-doctor/audiobookshelf-logs.md
similarity index 100%
rename from parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.md
rename to parsers/s01-parse/plague-doctor/audiobookshelf-logs.md
diff --git a/parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml b/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
similarity index 96%
rename from parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
rename to parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
index 91b4123973e..e77213063fd 100644
--- a/parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml
+++ b/parsers/s01-parse/plague-doctor/audiobookshelf-logs.yaml
@@ -1,7 +1,7 @@
 onsuccess: next_stage
 #debug: true
 filter: "Upper(evt.Parsed.program) == 'AUDIOBOOKSHELF'"
-name: PlagueDoctor/audiobookshelf-logs
+name: plague-doctor/audiobookshelf-logs
 description: "Parse Audiobookshelf logs"
 pattern_syntax:
   ABS_FAILED_AUTH: '\[Auth\] Failed login attempt for username \\?"%{USERNAME:username}\\?" from ip %{IP:source_ip} \(%{DATA:reason}\)'
diff --git a/scenarios/PlagueDoctor/audiobookshelf-bf.md b/scenarios/plague-doctor/audiobookshelf-bf.md
similarity index 100%
rename from scenarios/PlagueDoctor/audiobookshelf-bf.md
rename to scenarios/plague-doctor/audiobookshelf-bf.md
diff --git a/scenarios/PlagueDoctor/audiobookshelf-bf.yaml b/scenarios/plague-doctor/audiobookshelf-bf.yaml
similarity index 92%
rename from scenarios/PlagueDoctor/audiobookshelf-bf.yaml
rename to scenarios/plague-doctor/audiobookshelf-bf.yaml
index 9e0ead776bf..254eb391905 100644
--- a/scenarios/PlagueDoctor/audiobookshelf-bf.yaml
+++ b/scenarios/plague-doctor/audiobookshelf-bf.yaml
@@ -1,6 +1,6 @@
 # Audiobookshelf bruteforce
 type: leaky
-name: PlagueDoctor/audiobookshelf-bf
+name: plague-doctor/audiobookshelf-bf
 description: "Detect Audiobookshelf bruteforce attacks"
 filter: "evt.Meta.service == 'audiobookshelf' && evt.Meta.log_type == 'abs_failed_auth'"
 leakspeed: 1m