Collection for Dockge Docker Container. #1185

Open. Wants to merge 15 commits into base: master.
17 changes: 17 additions & 0 deletions collections/LearningSpot/dockge.md
@@ -0,0 +1,17 @@
A collection to defend Dockge instance against common attacks :
- Dockge parser
- Dockge bruteforce & enumeration detection

## Acquisition template

Example acquisition for this collection :

If dockge container name is dockge or change the container name accordingly :
```yaml
---
source: docker
container_name:
- dockge
labels:
type: dockge
```
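Review bot: the sentence "If dockge container name is dockge or change the container name accordingly" understates the coupling: the parser filter in parsers/s01-parse/LearningSpot/dockge-logs.yaml is `evt.Parsed.program == 'dockge'`, and the docker datasource fills `program` from the container name, so a container with any other name is silently never parsed even if the acquisition above lists it. Either state that the container must be named exactly `dockge`, or tell the reader to change the parser filter together with the `container_name` entry. Also "bruteforce & enumeration detection" is the one place that mentions enumeration; the collection description in dockge.yml only says "brute-force detection".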
10 changes: 10 additions & 0 deletions collections/LearningSpot/dockge.yml
@@ -0,0 +1,10 @@
parsers:
- LearningSpot/dockge-logs
scenarios:
- LearningSpot/dockge-bf
description: "Dockge parser and brute-force detection"
author: LearningSpot
tags:
- linux
- brute-force
- dockge
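Review bot: the scenario reference `LearningSpot/dockge-bf` does not match the `name:` fields in scenarios/LearningSpot/dockge-bf.yaml, which are `LearningSpot/dockge_bf` and `LearningSpot/dockge_bf_user_enum` (underscores). Hub items are addressed by `name`, and the convention is name = author/filename, so the scenario `name:` values should become `LearningSpot/dockge-bf` and, for the second document, something like `LearningSpot/dockge-bf_user-enum`; as written the collection cannot resolve the scenario it declares.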
17 changes: 17 additions & 0 deletions collections/LearningSpot/open-webui.md
@@ -0,0 +1,17 @@
A collection to defend Open WebUI Docker instance against common attacks :
- Open WebUI parser
- Open WebUI bruteforce detection

## Acquisition template

Example acquisition for this collection :

If Open WebUI container name is open-webui or change the container name accordingly :
```yaml
---
source: docker
container_name:
- open-webui
labels:
type: open-webui
```
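Review bot: "Open WebUI bruteforce detection" should say what is actually counted: the parser in open-webui-logs.yaml matches only `POST /api/v1/auths/signin` responses logged as `Bad Request`, and it extracts no username, so unlike the Dockge collection there is no user-enumeration scenario. Spelling that out here (and noting that the container must be named `open-webui` to satisfy the parser filter `evt.Parsed.program == 'open-webui'`) saves operators from wondering why a renamed container produces no alerts.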
10 changes: 10 additions & 0 deletions collections/LearningSpot/open-webui.yml
@@ -0,0 +1,10 @@
parsers:
- LearningSpot/open-webui-logs
scenarios:
- LearningSpot/open-webui-bf
description: "Open WebUI parser and brute-force detection"
author: LearningSpot
tags:
- linux
- brute-force
- open-webui
10 changes: 10 additions & 0 deletions parsers/s01-parse/LearningSpot/dockge-logs.md
@@ -0,0 +1,10 @@
Parser for Dockge Logs with Docker.

```yaml
---
source: docker
container_name:
- dockge
labels:
type: dockge
```
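Review bot: the parser doc only repeats the acquisition; it should show the log line the grok expects (`<ISO8601 timestamp> [AUTH] WARN: Incorrect username or password for user <user> IP=<ip>`) and the meta fields it sets (`log_type=dockge_failed_auth`, `source_ip`, `target_user`), so that someone can validate the parser against a real line with `cscli explain` before enabling the scenario.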
22 changes: 22 additions & 0 deletions parsers/s01-parse/LearningSpot/dockge-logs.yaml
@@ -0,0 +1,22 @@
name: LearningSpot/dockge-logs
description: "Parse Dockge Logs"
filter: "evt.Parsed.program == 'dockge'"
onsuccess: next_stage
nodes:
- grok:
pattern: '%{TIMESTAMP_ISO8601:timestamp} \[AUTH\] WARN: Incorrect username or password for user %{EMAILADDRESS:username} IP=%{IP:source_ip}'
apply_on: message
statics:
- meta: log_type
value: dockge_failed_auth
- target: evt.StrTime
expression: evt.Parsed.event_timestamp
- meta: target_user
expression: evt.Parsed.username
- meta: dockge_service
expression: evt.Parsed.dockge_service
statics:
- meta: service
value: dockge
- meta: source_ip
expression: evt.Parsed.source_ip
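Review bot: the static `- target: evt.StrTime` / `expression: evt.Parsed.event_timestamp` references a capture that does not exist; the grok names it `timestamp`, so `evt.StrTime` is never set and every event is stamped with ingestion time instead of the logged time (it should read `expression: evt.Parsed.timestamp`). Likewise `- meta: dockge_service` / `expression: evt.Parsed.dockge_service` points at a capture the pattern never produces and will always be empty; drop it, the top-level `service: dockge` static already covers that. Finally, `%{EMAILADDRESS:username}` only matches if the account name is an e-mail address; Dockge logins are plain usernames, so a failed login for `admin` would not match at all and the brute-force scenario would never see it. `%{NOTSPACE:username}` is the safer choice (check whether the real line has a trailing `.` after the username before `IP=`).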
10 changes: 10 additions & 0 deletions parsers/s01-parse/LearningSpot/open-webui-logs.md
@@ -0,0 +1,10 @@
Parser for Open WebUI Logs with Docker.

```yaml
---
source: docker
container_name:
- open-webui
labels:
type: open-webui
```
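Review bot: the doc should state the deployment assumption baked into the parser pattern in open-webui-logs.yaml, which hard-codes `%{IP:source_ip}:0`. Uvicorn logs the client as `ip:port`, and the port is `0` only when uvicorn has rewritten the client address from `X-Forwarded-For` (reverse proxy in front, forwarded headers trusted). Without that setup the real ephemeral port is logged, nothing matches, and the collection is inert. Document the requirement here, with an example access-log line, or relax the pattern.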
20 changes: 20 additions & 0 deletions parsers/s01-parse/LearningSpot/open-webui-logs.yaml
@@ -0,0 +1,20 @@
name: LearningSpot/open-webui-logs
description: "Parse Open Web UI logs"
filter: "evt.Parsed.program == 'open-webui'"
onsuccess: next_stage
nodes:
- grok:
pattern: '%{LOGLEVEL:log_level}:%{SPACE}%{IP:source_ip}:0 - "POST /api/v1/auths/signin HTTP/1.1" %{NUMBER:status} Bad Request'
apply_on: message
statics:
- meta: log_type
value: open-webui_failed_auth
- target: evt.StrTime
expression: evt.Parsed.event_timestamp
- meta: open-webui_service
expression: evt.Parsed.open-webui_service
statics:
- meta: service
value: open-webui
- meta: source_ip
expression: evt.Parsed.source_ip
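Review bot: `expression: evt.Parsed.open-webui_service` will not compile: expr reads the hyphen as subtraction (`evt.Parsed.open - webui_service`) and `webui_service` is an undefined identifier, so the parser fails to load and the whole collection is unusable. Remove that static (there is no such capture anyway, and the top-level `service: open-webui` covers it). Two more points in the same block: `evt.Parsed.event_timestamp` is never captured (uvicorn access lines carry no timestamp), so the `evt.StrTime` static is a no-op and should go; and the pattern's literal `:0` after the IP only matches when uvicorn has replaced the client address from `X-Forwarded-For`. Prefer `%{IP:source_ip}:%{NUMBER}` so both proxied and direct deployments parse, and mention in the doc that without a trusted proxy the IP seen is whatever connects to uvicorn.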
2 changes: 1 addition & 1 deletion parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
@@ -8,7 +8,7 @@ whitelist:
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_versions/preview' && evt.Parsed.http_args contains 'version' #Backup app missing file version
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains 'x' && evt.Parsed.http_args contains 'y' #Photo app loads all previews as small panes, but can 404
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching
- evt.Meta.http_status in ['404', '200'] && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
- evt.Meta.http_status in ['404', '200'] && evt.Meta.http_verb in ['PROPFIND', 'GET', 'HEAD'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/mail/api/avatars/url/' #When loading mail contacts the avatars may get 404
- evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Nextcloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Nextcloud Files that don't contain a readme.md 404 error is thrown
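Review bot: the trailing comment on the changed line still reads "Uploading new files via WebDAV always produces a 404", but `HEAD` is not part of an upload, so the comment no longer explains the rule; say which client behaviour produces the 200/404 `HEAD` requests under `^/remote.php/(web)?dav/` that this is meant to cover. Note also that the widened rule whitelists every `HEAD` returning 404 on the DAV tree, which is exactly what a path-probing scanner produces, so keep the verb list as narrow as the observed client traffic allows.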
4 changes: 4 additions & 0 deletions scenarios/LearningSpot/dockge-bf.md
@@ -0,0 +1,4 @@
Detect failed dockge authentications:

leakspeed of 1m, capacity of 3 on source ip
leakspeed of 1m, capacity of 3 on users
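Review bot: "capacity of 3 on users" does not describe the second scenario in dockge-bf.yaml, which is still grouped by `evt.Meta.source_ip` and uses `distinct: evt.Meta.target_user`, i.e. it fires when one source tries more than 3 different usernames, not when one user accumulates 3 failures. Reword to something like "capacity of 3 distinct usernames per source ip", and mention the 5m blackhole that both scenarios set.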
35 changes: 35 additions & 0 deletions scenarios/LearningSpot/dockge-bf.yaml
@@ -0,0 +1,35 @@
type: leaky
name: LearningSpot/dockge_bf
description: "Detect Dockge Bruteforce"
filter: evt.Meta.log_type == 'dockge_failed_auth'
groupby: evt.Meta.source_ip
leakspeed: 1m
capacity: 3
blackhole: 5m
reprocess: true
labels:
service: dockge
classification:
- attack.T1110
behavior: "http:bruteforce"
label: "Dockge Bruteforce"
remediation: true
---
type: leaky
name: LearningSpot/dockge_bf_user_enum
description: "Detect Dockge User Enumeration Bruteforce"
filter: evt.Meta.log_type == 'dockge_failed_auth'
distinct: evt.Meta.target_user
groupby: evt.Meta.source_ip
leakspeed: 1m
capacity: 3
blackhole: 5m
reprocess: true
labels:
service: dockge
classification:
- attack.T1589
- attack.T1110
behavior: "http:bruteforce"
label: "Dockge User Enumeration"
remediation: true
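Review bot: both documents share the same `filter`, `leakspeed: 1m` and `capacity: 3`, so an attacker rotating usernames overflows `dockge_bf_user_enum` on the very same event that overflows `dockge_bf`, yielding two alerts and two decisions for one burst. If that duplication is intended (the upstream ssh-bf pair behaves the same way) say so in the .md; otherwise give the enumeration scenario its own thresholds so it adds signal rather than a second copy of the same alert.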
3 changes: 3 additions & 0 deletions scenarios/LearningSpot/open-webui-bf.md
@@ -0,0 +1,3 @@
Detect failed authentications for Open WebUI:

leakspeed of 1m, capacity of 3 on source ip leakspeed of 1m, blackhole for 5m.
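Review bot: the sentence repeats "leakspeed of 1m" and runs the parameters together; rewrite as "leakspeed of 1m, capacity of 3 on source ip, blackhole for 5m", matching the values in open-webui-bf.yaml.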
16 changes: 16 additions & 0 deletions scenarios/LearningSpot/open-webui-bf.yaml
@@ -0,0 +1,16 @@
type: leaky
name: LearningSpot/open-webui-bf
description: "Detect open webui bruteforce"
filter: evt.Meta.log_type == 'open-webui_failed_auth'
groupby: evt.Meta.source_ip
leakspeed: 1m
capacity: 3
blackhole: 5m
reprocess: true
labels:
service: open-webui
classification:
- attack.T1110
behavior: "http:bruteforce"
label: "Open Web UI Bruteforce"
remediation: true
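Review bot: the product name is spelled three ways in this file (`open webui` in the description, `Open Web UI` in the label, `open-webui` in the service tag); use "Open WebUI" in the human-readable fields so alerts and the hub listing read consistently. Since the parser extracts no username from the uvicorn access line, there is deliberately no user-enumeration variant here; a one-line comment saying so would stop reviewers from asking why it differs from the Dockge pair.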