crowdsecurity · marat2509 · Apr 13, 2025 · May 2, 2025 · May 9, 2025
diff --git a/.tests/angie_http-logs/angie_http-logs.log b/.tests/angie_http-logs/angie_http-logs.log
@@ -0,0 +1,7 @@
+192.168.1.1 - - [04/Jan/2020:07:25:02 +0000] "GET /.well-known/acme-challenge/FMuukC2JOJ5HKmLBujjE_BkDo HTTP/1.1" 404 522 "-" "Go-http-client/1.1"
+192.168.1.1 - - [04/Jan/2020:08:41:43 +0000] "GET /index.php/nous-contacter/ HTTP/1.1" 500 550 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
+192.168.1.1 - - [08/Jun/2020:08:04:43 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 500 803 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+www.crowdsec.net 192.168.1.1 - - [08/Jun/2020:08:04:43 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 500 803 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+www.crowdsec11.net 192.168.1.1 - - [08/Jun/2020:08:04:43 +0000] "GET /test/uppercase/extensions.JPG HTTP/1.1" 500 803 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+www.crowdsec11.net:80 192.168.1.1 - - [08/Jun/2020:08:04:43 +0000] "GET /test/uppercase/extensions.JPG HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+2021/12/01 13:53:33 [error] 31#31: *46 "/usr/share/angie/html/market/index.html" is not found (2: No such file or directory), client: 172.17.0.1, server: localhost, request: "GET /market/ HTTP/1.1", host: "localhost"
diff --git a/.tests/angie_http-logs/config.yaml b/.tests/angie_http-logs/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+    - crowdsecurity/syslog-logs
+    - ./parsers/s01-parse/marat2509/angie-logs.yaml
+    - crowdsecurity/http-logs
+    - crowdsecurity/dateparse-enrich
+scenarios:
+    - ""
+postoverflows:
+    - ""
+log_file: angie_http-logs.log
+log_type: angie
diff --git a/.tests/angie_http-logs/parser.assert b/.tests/angie_http-logs/parser.assert
diff --git a/.tests/angie_http-logs/scenario.assert b/.tests/angie_http-logs/scenario.assert
diff --git a/collections/marat2509/angie.md b/collections/marat2509/angie.md
@@ -0,0 +1,22 @@
+## Angie collection
+
+A collection to defend angie against common attacks :
+ - angie parser
+ - base http scenarios (crawl, 404 scan, bf)
+
+## Acquisition template
+
+Example acquisition for this collection :
+
+```yaml
+filenames:
+  - /var/log/angie/*.log
+labels:
+  type: angie
+```
+
+
+notes :
+ -  If you are using `syslog`, set type to `syslog` instead
+ -  Depending on your distribution/OS, paths to log files might change
+ -  Only relevant if you are manually installing collection
diff --git a/collections/marat2509/angie.yaml b/collections/marat2509/angie.yaml
@@ -0,0 +1,16 @@
+parsers:
+#generic post-parsing of http stuff
+  - marat2509/angie-logs
+collections:
+  - crowdsecurity/base-http-scenarios
+scenarios:
+  - crowdsecurity/nginx-req-limit-exceeded
+description: "angie support: parser and generic http scenarios"
+author: marat2509
+tags:
+  - linux
+  - nginx
+  - crawl
+  - scan
+  - angie
+
diff --git a/parsers/s01-parse/marat2509/angie-logs.md b/parsers/s01-parse/marat2509/angie-logs.md
@@ -0,0 +1,10 @@
+Parser for [Angie](https://angie.software) Logs.
+
+```yaml
+---
+filenames:
+ - /var/log/angie/access.log
+ - /var/log/angie/error.log
+labels:
+  type: angie
+```
diff --git a/parsers/s01-parse/marat2509/angie-logs.yaml b/parsers/s01-parse/marat2509/angie-logs.yaml
@@ -0,0 +1,81 @@
+filter: "evt.Parsed.program startsWith 'angie'"
+onsuccess: next_stage
+name: marat2509/angie-logs
+description: "Parse Angie access and error logs"
+pattern_syntax:
+  NGCUSTOMUSER: '[a-zA-Z0-9\.\@\-\+_%]+'
+  NGCUSTOMURIPATH: "(?:/[A-Za-z0-9$.+!*'\\(\\)\\{\\},~:;=@\\#%&_\\-]*)+"
+  NGCUSTOMURIPATHPARAM: '%{NGCUSTOMURIPATH}(?:%{URIPARAM})?'
+  NGINXERRTIME: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}"
+  NGUSER: '[a-zA-Z\.\@\-\+_%]+'
+nodes:
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user}? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: http_access-log
+        - target: evt.StrTime
+          expression: evt.Parsed.time_local
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{NGCUSTOMURIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: http_error-log
+        - target: evt.StrTime
+          expression: evt.Parsed.time
+    pattern_syntax:
+      NO_DOUBLE_QUOTE: '[^"]+'
+    onsuccess: next_stage
+    nodes:
+      - filter: "evt.Parsed.message contains 'was not found in'"
+        pattern_syntax:
+          USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
+        grok:
+          pattern: '%{USER_NOT_FOUND}'
+          apply_on: message
+        statics:
+          - meta: sub_type
+            value: "auth_fail"
+          - meta: username
+            expression: evt.Parsed.username
+      - filter: "evt.Parsed.message contains 'password mismatch'"
+        pattern_syntax:
+          PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
+        grok:
+          pattern: '%{PASSWORD_MISMATCH}'
+          apply_on: message
+        statics:
+          - meta: sub_type
+            value: "auth_fail"
+          - meta: username
+            expression: evt.Parsed.username
+      - filter: "evt.Parsed.message contains 'limiting requests, excess'"
+        statics:
+          - meta: sub_type
+            value: "req_limit_exceeded"
+  - grok:
+      pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - (%{NGUSER:remote_user})? \[%{HTTPDATE:time_local}\] "%{DATA:request}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"( %{NUMBER:request_length} %{NUMBER:request_time} \[%{DATA:proxy_upstream_name}\] \[%{DATA:proxy_alternative_upstream_name}\])?'
+      apply_on: message
+    statics:
+      - meta: log_type
+        value: http_access-log
+      - target: evt.StrTime
+        expression: evt.Parsed.time_local
+
+statics:
+  - meta: service
+    value: http
+  - meta: source_ip
+    expression: "evt.Parsed.remote_addr"
+  - meta: http_status
+    expression: "evt.Parsed.status"
+  - meta: http_path
+    expression: "evt.Parsed.request"
+  - meta: http_verb
+    expression: "evt.Parsed.verb"
+  - meta: http_user_agent
+    expression: "evt.Parsed.http_user_agent"
+  - meta: target_fqdn
+    expression: "evt.Parsed.target_fqdn"