From cb5c7abd8bb27b11f4f41a260aea9db37dc6765b Mon Sep 17 00:00:00 2001 From: martyduniaud98 Date: Thu, 25 Apr 2024 14:50:43 +0200 Subject: [PATCH 1/5] add: owncloud logs parsers/scenarios --- collections/crowdsecurity/owncloud.md | 29 +++++++++ collections/crowdsecurity/owncloud.yaml | 12 ++++ .../s01-parse/crowdsecurity/owncloud-logs.md | 21 +++++++ .../crowdsecurity/owncloud-logs.yaml | 41 +++++++++++++ .../crowdsecurity/owncloud-whitelist.md | 24 ++++++++ .../crowdsecurity/owncloud-whitelist.yaml | 16 +++++ scenarios/crowdsecurity/owncloud-bf.md | 5 ++ scenarios/crowdsecurity/owncloud-bf.yaml | 61 +++++++++++++++++++ 8 files changed, 209 insertions(+) create mode 100644 collections/crowdsecurity/owncloud.md create mode 100644 collections/crowdsecurity/owncloud.yaml create mode 100644 parsers/s01-parse/crowdsecurity/owncloud-logs.md create mode 100644 parsers/s01-parse/crowdsecurity/owncloud-logs.yaml create mode 100644 parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md create mode 100644 parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml create mode 100644 scenarios/crowdsecurity/owncloud-bf.md create mode 100644 scenarios/crowdsecurity/owncloud-bf.yaml diff --git a/collections/crowdsecurity/owncloud.md b/collections/crowdsecurity/owncloud.md new file mode 100644 index 00000000000..eac278eea3b --- /dev/null +++ b/collections/crowdsecurity/owncloud.md 
@@ -0,0 +1,29 @@
+A collection to defend [Owncloud](https://owncloud.com) instance against common attacks :
+ - Owncloud parser
+ - Owncloud bruteforce, enumeration and trusted domain detection
+
+> Contributed by eShard - based on Nextcloud collection HÃ¥vard Moen and a1ad
+
+## Acquisition template
+
+
+ Example acquisition for this collection :
+
+```yaml
+---
+filenames:
+  - /var/www/owncloud/data/owncloud.log
+labels:
+  type: Owncloud
+```
+
+```yaml
+---
+source: journalctl
+journalctl_filter:
+  - "SYSLOG_IDENTIFIER=Owncloud"
+labels:
+  type: syslog
+```
+- Use the filename version if you have the default settings of logging to file
+- Use the journalctl version if you are sending logs to syslog or systemd and read the logs from journald
diff --git a/collections/crowdsecurity/owncloud.yaml b/collections/crowdsecurity/owncloud.yaml
new file mode 100644
index 00000000000..c1ab6a97dab
--- /dev/null
+++ b/collections/crowdsecurity/owncloud.yaml
@@ -0,0 +1,12 @@
+---
+parsers:
+  - crowdsecurity/owncloud-logs
+  - crowdsecurity/owncloud-whitelist
+scenarios:
+  - crowdsecurity/owncloud-bf
+description: "Owncloud support : parser and brute-force detection"
+author: crowdsecurity
+tags:
+  - linux
+  - bruteforce
+  - owncloud
diff --git a/parsers/s01-parse/crowdsecurity/owncloud-logs.md b/parsers/s01-parse/crowdsecurity/owncloud-logs.md
new file mode 100644
index 00000000000..33a6ad19cfc
--- /dev/null
+++ b/parsers/s01-parse/crowdsecurity/owncloud-logs.md
@@ -0,0 +1,21 @@
+Parser for [Owncloud](https://owncloud.com/) logs
+
+If you have the default settings of logging to file, you need to add in acquisition (change filename to your log file location):
+
+```yaml
+---
+filenames:
+  - /var/www/owncloud/data/owncloud.log
+labels:
+  type: Owncloud
+```
+
+If you are sending logs to syslog or systemd and read from journald, add:
+```yaml
+---
+source: journalctl
+journalctl_filter:
+  - "SYSLOG_IDENTIFIER=Owncloud"
+labels:
+  type: syslog
+```
diff --git a/parsers/s01-parse/crowdsecurity/owncloud-logs.yaml b/parsers/s01-parse/crowdsecurity/owncloud-logs.yaml
new file mode 100644
index 00000000000..b3ff8682112
--- /dev/null
+++ b/parsers/s01-parse/crowdsecurity/owncloud-logs.yaml
@@ -0,0 +1,41 @@
+---
+onsuccess: next_stage
+filter: "Upper(evt.Parsed.program) == 'OWNCLOUD'"
+name: owncloud-logs
+description: "Parse owncloud logs"
+pattern_syntax:
+  OWNCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_%]+'
+nodes:
+  - grok:
+      pattern: 'Login failed: ''%{OWNCLOUD_USER:target_user}'' \(Remote IP: ''%{IP:source_ip}''\)'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: target_user
+        expression: "evt.Parsed.target_user"
+      - meta: log_type
+        value: owncloud_failed_auth
+  - grok:
+      pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: action
+        expression: "evt.Parsed.action"
+      - meta: log_type
+        value: owncloud_bruteforce_attempt
+
+#{"reqId":"cdkLru24VO0QVWiuAqmy","level":2,"time":"2024-04-18T11:04:19+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"\/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.1.1')"}
+
+  - grok:
+      pattern: 'Trusted domain error. \\"%{IP:source_ip}\\".*'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: log_type
+        value: owncloud_domain_error
+
+statics:
+  - meta: service
+    value: owncloud
+  - meta: source_ip
+    expression: "evt.Parsed.source_ip"
+  - target: evt.StrTime
+    expression: JsonExtract(evt.Parsed.message, "time")
diff --git a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md
new file mode 100644
index 00000000000..586f93a22f1
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md
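Review bot: The trusted-domain grok pattern `'Trusted domain error. \\"%{IP:source_ip}\\".*'` requires a literal backslash before each quote, whereas the bruteforce node makes it optional with `\\?"`; if the `message` value ever reaches the pattern with the JSON escaping already removed (the journald path is the likely case, though that is inferred), trusted-domain events would silently never get `log_type: owncloud_domain_error`, so the two nodes should use the same form, `pattern: 'Trusted domain error. \\?"%{IP:source_ip}\\?".*'`. The sample log line comment (`#{"reqId":...}`) sits between the second and third entries of the `nodes:` sequence; placing it above `nodes:` under a short `# sample owncloud.log line:` label keeps the list contiguous and makes it obvious it is documentation, not a node. It is also worth a comment on the `source_ip` static that the address is taken from the message text, not the JSON `remoteAddr` field, since the two can differ when ownCloud sits behind a reverse proxy — worth confirming against the log format.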
@@ -0,0 +1,24 @@
+## Owncloud whitelist
+
+### Photos app
+On first load the photos app calls a preview endpoint, however, if it fails to load it will trigger http-probing
+
+When opening the photos app, multiple requests are made very quickly for images, since they are not marked as images (ending in png,jpg etc) it can trigger HTTP crawl non statics.
+
+---
+### Backup app
+When loading backups for a file if those backups have been modified or deleted by (OS/USER) it can easily trigger http-probing
+
+---
+### Files app
+The `/core/preview` endpoint returns 404 if a file has no thumbnail (including files which aren't meant to, like XMLs).
+This can trigger http-probing when using the file search bar.
+
+When previews are missing for files in the trash bin, a 404 error is returned which triggers http probing.
+
+In rare cases HTTP Probing will be triggered when opening multiple folders quickly, Owncloud checks for a ``readme.md`` file and if it doesn't exist a 404 error is thrown.
+
+---
+### Creating files via WebDAV
+When uploading files via WebDAV, a PROPFIND request is sent to the server, which returns 404 if the file does not
+exist. Then the file is created. Uploading more than 10 files at a time will trigger http-probing.
diff --git a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml
new file mode 100644
index 00000000000..45d84ebca14
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml
@@ -0,0 +1,16 @@
+name: owncloud-whitelist
+description: "Whitelist events from owncloud"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+  reason: "Owncloud Whitelist"
+  expression:
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.file_ext == '.vcf' && evt.Parsed.http_args contains "photo" #Contacts app .vcf missing photo
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_versions/preview' && evt.Parsed.http_args contains 'version' #Backup app missing file version
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains 'x' && evt.Parsed.http_args contains 'y' #Photo app loads all previews as small panes, but can 404
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/apps/mail/api/avatars/url/' #When loading mail contacts the avatars may get 404
+    - evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Owncloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Owncloud Files that don't contain a readme.md 404 error is thrown
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_trashbin/preview' && evt.Parsed.http_args contains 'fileId=' && evt.Parsed.http_args contains '&file=' # 404 error thrown when preview is missing for files in trash bin
+    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/apps\\/files\\/api\\/v1\\/thumbnail\\/(\\d+)/(\\d+)'
diff --git a/scenarios/crowdsecurity/owncloud-bf.md b/scenarios/crowdsecurity/owncloud-bf.md
new file mode 100644
index 00000000000..4eef275ed2b
--- /dev/null
+++ b/scenarios/crowdsecurity/owncloud-bf.md
@@ -0,0 +1,5 @@
+Detects bruteforce on [Owncloud](https://owncloud.com) instance.
+
+ - leakspeed of 1m, capacity of 5 on same target user
+ - leakspeed of 1m, capacity of 5 unique distinct users
+ - leakspeed of 1m, capacity of 5 on trust domain error
diff --git a/scenarios/crowdsecurity/owncloud-bf.yaml b/scenarios/crowdsecurity/owncloud-bf.yaml
new file mode 100644
index 00000000000..1f9e5fc7440
--- /dev/null
+++ b/scenarios/crowdsecurity/owncloud-bf.yaml
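Review bot: The WebDAV expression `evt.Meta.http_status == '404' && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/'` whitelists every 404 under the whole DAV tree, which also silences http-probing for path guessing against WebDAV from any client; the accompanying .md only describes the PROPFIND-before-upload case, so narrowing the verb list to `['PROPFIND']` would keep the stated intent without that blind spot (whether GET 404s are needed there is inferred, not shown). The last expression is the only one without a trailing comment; `#Files app thumbnail missing for a file id` would match the style of the others. Note that patch 2/5 of this series deletes the file again, so both points apply only if it is reintroduced.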
@@ -0,0 +1,61 @@
+---
+type: leaky
+name: owncloud-bf
+description: "Detect Owncloud bruteforce"
+filter: "evt.Meta.log_type in ['owncloud_failed_auth', 'owncloud_bruteforce_attempt']"
+leakspeed: "1m"
+capacity: 5
+# if we have bruteforce protection enabled in owncloud, the same login attempt
+# can log # both login failure and bruteforce attempt at the same time, so
+# keep them in seperate buckets
+groupby: evt.Meta.source_ip + '--' + evt.Meta.log_type
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud
+---
+type: leaky
+name: owncloud-bf_user_enum
+description: "Detect Owncloud user enum bruteforce"
+filter: "evt.Meta.log_type == 'owncloud_failed_auth'"
+leakspeed: "1m"
+capacity: 5
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud
+---
+type: leaky
+name: owncloud-bf_domain_error
+description: "Detect Owncloud domain error"
+filter: "evt.Meta.log_type == 'owncloud_domain_error'"
+leakspeed: "1m"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud
From c2654b086b762a0ad7132d28841386baf795253b Mon Sep 17 00:00:00 2001
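Review bot: All three documents reuse `label: "OwnCloud Bruteforce"`, `behavior: "http:bruteforce"` and `classification: [attack.T1110]`, but `owncloud-bf_domain_error` fires on `owncloud_domain_error` events, which are trusted-domain (host) mismatches rather than credential guessing; giving that scenario its own `label: "OwnCloud Trusted Domain Error"` and a matching behavior keeps alerts and the shared signal data meaningful, and the same applies to distinguishing `owncloud-bf_user_enum` from the plain bruteforce bucket. The owncloud-bf.md added earlier in this patch describes the first bucket as "capacity of 5 on same target user", while its `groupby` is `evt.Meta.source_ip + '--' + evt.Meta.log_type` and only the user-enum bucket uses `distinct: evt.Meta.target_user`, so the documentation and the scenarios disagree and one of them should be corrected. The comment above the first `groupby` also contains a stray `#` in `can log # both` and misspells `seperate`; `# can log both login failure and bruteforce attempt at the same time, so` / `# keep them in separate buckets` reads cleanly.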
From: martyd Date: Thu, 25 Apr 2024 17:45:42 +0200 Subject: [PATCH 2/5] remove: owncloud whitelist --- .../crowdsecurity/owncloud-whitelist.md | 24 ------------------- .../crowdsecurity/owncloud-whitelist.yaml | 16 ------------- 2 files changed, 40 deletions(-) delete mode 100644 parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md delete mode 100644 parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml diff --git a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md deleted file mode 100644 index 586f93a22f1..00000000000 --- a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.md +++ /dev/null @@ -1,24 +0,0 @@ -## Owncloud whitelist - -### Photos app -On first load the photos app calls a preview endpoint, however, if it fails to load it will trigger http-probing - -When opening the photos app, multiple requests are made very quickly for images, since they are not marked as images (ending in png,jpg etc) it can trigger HTTP crawl non statics. - ---- -### Backup app -When loading backups for a file if those backups have been modified or deleted by (OS/USER) it can easily trigger http-probing - ---- -### Files app -The `/core/preview` endpoint returns 404 if a file has no thumbnail (including files which aren't meant to, like XMLs). -This can trigger http-probing when using the file search bar. - -When previews are missing for files in the trash bin, a 404 error is returned which triggers http probing. - -In rare cases HTTP Probing will be triggered when opening multiple folders quickly, Owncloud checks for a ``readme.md`` file and if it doesn't exist a 404 error is thrown. - ---- -### Creating files via WebDAV -When uploading files via WebDAV, a PROPFIND request is sent to the server, which returns 404 if the file does not -exist. Then the file is created. Uploading more than 10 files at a time will trigger http-probing. 
diff --git a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml deleted file mode 100644 index 45d84ebca14..00000000000 --- a/parsers/s02-enrich/crowdsecurity/owncloud-whitelist.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: owncloud-whitelist -description: "Whitelist events from owncloud" -filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']" -whitelist: - reason: "Owncloud Whitelist" - expression: - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.file_ext == '.vcf' && evt.Parsed.http_args contains "photo" #Contacts app .vcf missing photo - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_versions/preview' && evt.Parsed.http_args contains 'version' #Backup app missing file version - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains 'x' && evt.Parsed.http_args contains 'y' #Photo app loads all previews as small panes, but can 404 - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching - - evt.Meta.http_status == '404' && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404 - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/apps/mail/api/avatars/url/' #When loading mail contacts the avatars may get 404 - - evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Owncloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets. 
- - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Owncloud Files that don't contain a readme.md 404 error is thrown - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_trashbin/preview' && evt.Parsed.http_args contains 'fileId=' && evt.Parsed.http_args contains '&file=' # 404 error thrown when preview is missing for files in trash bin - - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/apps\\/files\\/api\\/v1\\/thumbnail\\/(\\d+)/(\\d+)' From 814401d3b2217d5ad0a8470166c4e12960337cf6 Mon Sep 17 00:00:00 2001 From: martyduniaud98 <92717628+martyduniaud98@users.noreply.github.com> Date: Thu, 2 May 2024 16:00:42 +0200 Subject: [PATCH 3/5] Update owncloud.yaml --- collections/crowdsecurity/owncloud.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/collections/crowdsecurity/owncloud.yaml b/collections/crowdsecurity/owncloud.yaml index c1ab6a97dab..81d56d9fc65 100644 --- a/collections/crowdsecurity/owncloud.yaml +++ b/collections/crowdsecurity/owncloud.yaml @@ -1,4 +1,3 @@ ---- parsers: - crowdsecurity/owncloud-logs - crowdsecurity/owncloud-whitelist From 2e3c823dd7c97c05173f969a8b87691c7e137b75 Mon Sep 17 00:00:00 2001 From: martyduniaud98 <92717628+martyduniaud98@users.noreply.github.com> Date: Thu, 2 May 2024 16:01:13 +0200 Subject: [PATCH 4/5] Update owncloud.yaml --- collections/crowdsecurity/owncloud.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/collections/crowdsecurity/owncloud.yaml b/collections/crowdsecurity/owncloud.yaml index 81d56d9fc65..dda7e271727 100644 --- a/collections/crowdsecurity/owncloud.yaml +++ b/collections/crowdsecurity/owncloud.yaml 
@@ -1,6 +1,5 @@ parsers: - crowdsecurity/owncloud-logs - - crowdsecurity/owncloud-whitelist scenarios: - crowdsecurity/owncloud-bf description: "Owncloud support : parser and brute-force detection" From 499b646e776103f8d8ff8057bee851cf3f9dd94b Mon Sep 17 00:00:00 2001 From: Laurence Date: Tue, 11 Jun 2024 18:30:25 +0100 Subject: [PATCH 5/5] wip: manually run action on forked repo --- .index.json | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/.index.json b/.index.json index 1f0ec439a1e..e693edba899 100644 --- a/.index.json +++ b/.index.json @@ -4108,6 +4108,27 @@ "crowdsecurity/opnsense-gui-bf" ] }, + "crowdsecurity/owncloud": { + "path": "collections/crowdsecurity/owncloud.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "8fa74eed3cc1cdcc272c9557b3103c0fc5c5b6d6fff8215ad534a8460263be67", + "deprecated": false + } + }, + "long_description": "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", + "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvb3duY2xvdWQtbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L293bmNsb3VkLWJmCmRlc2NyaXB0aW9uOiAiT3duY2xvdWQgc3VwcG9ydCA6IHBhcnNlciBhbmQgYnJ1dGUtZm9yY2UgZGV0ZWN0aW9uIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4CiAgLSBicnV0ZWZvcmNlCiAgLSBvd25jbG91ZAo=", + "description": "Owncloud support : parser and brute-force detection", + "author": "crowdsecurity", + "labels": null, + "parsers": [ + "crowdsecurity/owncloud-logs" + ], + "scenarios": [ + "crowdsecurity/owncloud-bf" + ] + }, "crowdsecurity/palo-alto": { "path": "collections/crowdsecurity/palo-alto.yaml", "version": "0.2", 
@@ -7185,6 +7206,22 @@ "author": "crowdsecurity", "labels": null }, + "crowdsecurity/owncloud-logs": { + "path": "parsers/s01-parse/crowdsecurity/owncloud-logs.yaml", + "stage": "s01-parse", + "version": "0.1", + "versions": { + "0.1": { + "digest": "83973e365882ccac7942fd25a3357f54a9ca9d5dc4e428a8e05ca2491457473b", + "deprecated": false + } + }, + "long_description": "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", + "content": "LS0tCm9uc3VjY2VzczogbmV4dF9zdGFnZQpmaWx0ZXI6ICJVcHBlcihldnQuUGFyc2VkLnByb2dyYW0pID09ICdPV05DTE9VRCciCm5hbWU6IG93bmNsb3VkLWxvZ3MKZGVzY3JpcHRpb246ICJQYXJzZSBvd25jbG91ZCBsb2dzIgpwYXR0ZXJuX3N5bnRheDoKICBPV05DTE9VRF9VU0VSOiAnW2EtekEtWjAtOVwuXEBcLVwrXyVdKycKbm9kZXM6CiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAnTG9naW4gZmFpbGVkOiAnJyV7T1dOQ0xPVURfVVNFUjp0YXJnZXRfdXNlcn0nJyBcKFJlbW90ZSBJUDogJycle0lQOnNvdXJjZV9pcH0nJ1wpJwogICAgICBleHByZXNzaW9uOiBKc29uRXh0cmFjdChldnQuUGFyc2VkLm1lc3NhZ2UsICJtZXNzYWdlIikKICAgIHN0YXRpY3M6CiAgICAgIC0gbWV0YTogdGFyZ2V0X3VzZXIKICAgICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC50YXJnZXRfdXNlciIKICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgIHZhbHVlOiBvd25jbG91ZF9mYWlsZWRfYXV0aAogIC0gZ3JvazoKICAgICAgcGF0dGVybjogJ0JydXRlZm9yY2UgYXR0ZW1wdCBmcm9tIFxcPyIle0lQOnNvdXJjZV9pcH1cXD8iIGRldGVjdGVkIGZvciBhY3Rpb24gXFw/IiV7REFUQTphY3Rpb259XFw/IicKICAgICAgZXhwcmVzc2lvbjogSnNvbkV4dHJhY3QoZXZ0LlBhcnNlZC5tZXNzYWdlLCAibWVzc2FnZSIpCiAgICBzdGF0aWNzOgogICAgICAtIG1ldGE6IGFjdGlvbgogICAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmFjdGlvbiIKICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgIHZhbHVlOiBvd25jbG91ZF9icnV0ZWZvcmNlX2F0dGVtcHQKCiN7InJlcUlkIjoiY2RrTHJ1MjRWTzBRVldpdUFxbXkiLCJsZXZlbCI6MiwidGltZSI6IjIwMjQtMDQtMThUMTE6MDQ6MTkrMDA6MDAiLCJyZW1vdGVBZGRyIjoiMTAuMTAuMS4xIiwidXNlciI6Ii0tIiwiYXBwIjoiY29yZSIsIm1ldGhvZCI6IlBPU1QiLCJ1cmwiOiJcL2xvZ2luP3VzZXI9YWRtaW4iLCJtZXNzYWdlIjoiTG9naW4gZmFpbGVkOiAnYWRtaW4nIChSZW1vdGUgSVA6ICcxMC4xMC4xLjEnKSJ9CgogIC0gZ3JvazoKICAgICAgcGF0dGVybjogJ1RydXN0ZWQgZG9tYWluIGVycm9yLiBcXCIle0lQOnNvdXJjZV9pcH1cXCIuKicKICAgICAgZXhwcmVzc2lvbjogSnNvbkV4dHJhY3QoZXZ0Ll
BhcnNlZC5tZXNzYWdlLCAibWVzc2FnZSIpCiAgICBzdGF0aWNzOgogICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgdmFsdWU6IG93bmNsb3VkX2RvbWFpbl9lcnJvcgoKc3RhdGljczoKICAtIG1ldGE6IHNlcnZpY2UKICAgIHZhbHVlOiBvd25jbG91ZAogIC0gbWV0YTogc291cmNlX2lwCiAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC5zb3VyY2VfaXAiCiAgLSB0YXJnZXQ6IGV2dC5TdHJUaW1lCiAgICBleHByZXNzaW9uOiBKc29uRXh0cmFjdChldnQuUGFyc2VkLm1lc3NhZ2UsICJ0aW1lIikK", + "description": "Parse owncloud logs", + "author": "crowdsecurity", + "labels": null + }, "crowdsecurity/palo-alto-threat-log": { "path": "parsers/s01-parse/crowdsecurity/palo-alto-threat-log.yaml", "stage": "s01-parse", @@ -13524,6 +13561,31 @@ "spoofable": 0 } }, + "crowdsecurity/owncloud-bf": { + "path": "scenarios/crowdsecurity/owncloud-bf.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "dfadf7181a507834b8e1ae11481d9b1f60ad199fdac9c09f9eb6220bfb42772c", + "deprecated": false + } + }, + "long_description": "RGV0ZWN0cyBicnV0ZWZvcmNlIG9uIFtPd25jbG91ZF0oaHR0cHM6Ly9vd25jbG91ZC5jb20pIGluc3RhbmNlLgoKIC0gbGVha3NwZWVkIG9mIDFtLCBjYXBhY2l0eSBvZiA1IG9uIHNhbWUgdGFyZ2V0IHVzZXIKIC0gbGVha3NwZWVkIG9mIDFtLCBjYXBhY2l0eSBvZiA1IHVuaXF1ZSBkaXN0aW5jdCB1c2VycwogLSBsZWFrc3BlZWQgb2YgMW0sIGNhcGFjaXR5IG9mIDUgb24gdHJ1c3QgZG9tYWluIGVycm9yCg==", + "content": "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", + "description": "Detect Owncloud bruteforce", + "author": "crowdsecurity", + "labels": { + "behavior": "http:bruteforce", + "classification": [ + "attack.T1110" + ], + "confidence": 3, + "label": "OwnCloud Bruteforce", + "remediation": true, + "service": "owncloud", + "spoofable": 0 + } + }, "crowdsecurity/palo-alto-threat": { "path": "scenarios/crowdsecurity/palo-alto-threat.yaml", "version": "0.1",