owncloud feature

collections/crowdsecurity/owncloud.md

@@ -0,0 +1,29 @@
+A collection to defend [Owncloud](https://owncloud.com) instance against common attacks :
+ - Owncloud parser
+ - Owncloud bruteforce, enumeration and trusted domain detection
+
+> Contributed by eShard - based on Nextcloud collection Håvard Moen and a1ad
+
+## Acquisition template
+
+
+ Example acquisition for this collection :
+
+```yaml
+---
+filenames:
+ - /var/www/owncloud/data/owncloud.log
+labels:
+  type: Owncloud
+```
+
+```yaml
+---
+source: journalctl
+journalctl_filter:
+  - "SYSLOG_IDENTIFIER=Owncloud"
+labels:
+  type: syslog
+```
+- Use the filename version if you have the default settings of logging to file
+- Use the journalctl version if you are sending logs to syslog or systemd and read the logs from journald

collections/crowdsecurity/owncloud.yaml

@@ -0,0 +1,12 @@
+---
+parsers:
+  - crowdsecurity/owncloud-logs
+  - crowdsecurity/owncloud-whitelist
+scenarios:
+  - crowdsecurity/owncloud-bf
+description: "Owncloud support : parser and brute-force detection"
+author: crowdsecurity
+tags:
+  - linux
+  - bruteforce
+  - owncloud

parsers/s01-parse/crowdsecurity/owncloud-logs.md

@@ -0,0 +1,21 @@
+Parser for [Owncloud](https://owncloud.com/) logs
+
+If you have the default settings of logging to file, you need to add in acquisition (change filename to your log file location):
+
+```yaml
+---
+filenames:
+ - /var/www/owncloud/data/owncloud.log
+labels:
+  type: Owncloud
+```
+
+If you are sending logs to syslog or systemd and read from journald, add:
+```yaml
+---
+source: journalctl
+journalctl_filter:
+  - "SYSLOG_IDENTIFIER=Owncloud"
+labels:
+  type: syslog
+```

parsers/s01-parse/crowdsecurity/owncloud-logs.yaml

@@ -0,0 +1,41 @@
+---
+onsuccess: next_stage
+filter: "Upper(evt.Parsed.program) == 'OWNCLOUD'"
+name: owncloud-logs
+description: "Parse owncloud logs"
+pattern_syntax:
+  OWNCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_%]+'
+nodes:
+  - grok:
+      pattern: 'Login failed: ''%{OWNCLOUD_USER:target_user}'' \(Remote IP: ''%{IP:source_ip}''\)'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: target_user
+        expression: "evt.Parsed.target_user"
+      - meta: log_type
+        value: owncloud_failed_auth
+  - grok:
+      pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: action
+        expression: "evt.Parsed.action"
+      - meta: log_type
+        value: owncloud_bruteforce_attempt
+
+#{"reqId":"cdkLru24VO0QVWiuAqmy","level":2,"time":"2024-04-18T11:04:19+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"\/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.1.1')"}
+
+  - grok:
+      pattern: 'Trusted domain error. \\"%{IP:source_ip}\\".*'
+      expression: JsonExtract(evt.Parsed.message, "message")
+    statics:
+      - meta: log_type
+        value: owncloud_domain_error
+
+statics:
+  - meta: service
+    value: owncloud
+  - meta: source_ip
+    expression: "evt.Parsed.source_ip"
+  - target: evt.StrTime
+    expression: JsonExtract(evt.Parsed.message, "time")

scenarios/crowdsecurity/owncloud-bf.md

@@ -0,0 +1,5 @@
+Detects bruteforce on [Owncloud](https://owncloud.com) instance.
+
+ - leakspeed of 1m, capacity of 5 on same target user
+ - leakspeed of 1m, capacity of 5 unique distinct users
+ - leakspeed of 1m, capacity of 5 on trust domain error

scenarios/crowdsecurity/owncloud-bf.yaml

@@ -0,0 +1,61 @@
+---
+type: leaky
+name: owncloud-bf
+description: "Detect Owncloud bruteforce"
+filter: "evt.Meta.log_type in ['owncloud_failed_auth', 'owncloud_bruteforce_attempt']"
+leakspeed: "1m"
+capacity: 5
+# if we have bruteforce protection enabled in owncloud, the same login attempt
+# can log # both login failure and bruteforce attempt at the same time, so
+# keep them in seperate buckets
+groupby: evt.Meta.source_ip + '--' + evt.Meta.log_type
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud
+---
+type: leaky
+name: owncloud-bf_user_enum
+description: "Detect Owncloud user enum bruteforce"
+filter: "evt.Meta.log_type == 'owncloud_failed_auth'"
+leakspeed: "1m"
+capacity: 5
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.target_user
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud
+---
+type: leaky
+name: owncloud-bf_domain_error
+description: "Detect Owncloud domain error"
+filter: "evt.Meta.log_type == 'owncloud_domain_error'"
+leakspeed: "1m"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "OwnCloud Bruteforce"
+  service: owncloud