From d2e00828182940c35e408f786dd332c4fa8b3a31 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 20:25:56 -0400 Subject: [PATCH 01/27] Create mealie.md Created description --- collections/Jgigantino31/mealie.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 collections/Jgigantino31/mealie.md diff --git a/collections/Jgigantino31/mealie.md b/collections/Jgigantino31/mealie.md new file mode 100644 index 00000000000..483157ed86c --- /dev/null +++ b/collections/Jgigantino31/mealie.md @@ -0,0 +1,27 @@ +A collection to defend [Mealie](https://mealie.io/) instance against common attacks : + - Mealie parser + - Mealie bruteforce detection + +## Acquisition template + +Example acquisition for this collection : + +If using LOG_FILE environment variable: +```yaml +--- +filenames: + - /var/log/mealie.log +labels: + type: mealie +``` + +For Docker directly +```yaml +--- +source: docker +container_name: + - mealie +#container_id: +# - 843ee92d231b +labels: + type: mealie From f25c0d5406cc50b635cb6c6a7ea015842c8ec006 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 20:27:40 -0400 Subject: [PATCH 02/27] Create mealie.yaml --- collections/Jgigantino31/mealie.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 collections/Jgigantino31/mealie.yaml diff --git a/collections/Jgigantino31/mealie.yaml b/collections/Jgigantino31/mealie.yaml new file mode 100644 index 00000000000..05ac9ded279 --- /dev/null +++ b/collections/Jgigantino31/mealie.yaml @@ -0,0 +1,10 @@ +parsers: + - Jgigantino31/mealie-logs +scenarios: + - Jgigantino31/mealie-bf +description: "Mealie Support : parser and brute-force detection" +author: Jgigantino31 +tags: + - linux + - brute-force + - mealie From a227251a3343458786fa69323775f2ea53d41fb3 Mon Sep 17 00:00:00 2001 
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 20:37:21 -0400 Subject: [PATCH 03/27] Create mealie-logs.yaml --- .../s01-parse/Jgigantino31/mealie-logs.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 parsers/s01-parse/Jgigantino31/mealie-logs.yaml diff --git a/parsers/s01-parse/Jgigantino31/mealie-logs.yaml b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml new file mode 100644 index 00000000000..abfbaf8a403 --- /dev/null +++ b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml @@ -0,0 +1,26 @@ +onsuccess: next_stage +#debug: false +name: Jgigantino31/mealie-logs +description: "Parse mealie logs" +filter: "evt.Parsed.program == 'mealie'" +nodes: + - grok: + pattern: '.*%{RFC3339:timestamp} - Incorrect username or password from %{IP:source_ip}' # For logs collected directly from docker + apply_on: message + statics: + - meta: log_type + value: mealie_failed_auth + - grok: + pattern: '.*%{RFC3339:timestamp}: Incorrect username or password from %{IP:source_ip}' # For logs collected from log file + apply_on: message + statics: + - meta: log_type + value: mealie_failed_auth + +statics: + - meta: service + value: mealie + - meta: source_ip + expression: "evt.Parsed.source_ip" + - target: evt.StrTime + expression: evt.Parsed.timestamp From 182fde6ae75aa1f301a97de69220499add80a74e Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 20:40:11 -0400 Subject: [PATCH 04/27] Create mealie-logs.md --- parsers/s01-parse/Jgigantino31/mealie-logs.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 parsers/s01-parse/Jgigantino31/mealie-logs.md diff --git a/parsers/s01-parse/Jgigantino31/mealie-logs.md b/parsers/s01-parse/Jgigantino31/mealie-logs.md new file mode 100644 index 00000000000..4b95fd41055 --- /dev/null +++ b/parsers/s01-parse/Jgigantino31/mealie-logs.md 
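Review bot: The two grok nodes differ only in the separator between the timestamp and the message (` - ` for the docker stream, `: ` for the log file) and otherwise duplicate the pattern and the `log_type` static, so a change to one is easy to forget in the other. One node with `pattern: '.*%{RFC3339:timestamp}(?: -|:) Incorrect username or password from %{IP:source_ip}'` and a single statics block covers both, with the two inline comments folded into one comment above it explaining the alternation. Splitting again later is cheap if the two formats diverge further.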
@@ -0,0 +1,19 @@ +Parser for [Mealie](https://mealie.io/) Logs. + +```yaml +--- +filenames: + - /var/log/mealie.log +labels: + type: mealie +``` + +```yaml +--- +source: docker +container_name: + - mealie +#container_id: +# - 843ee92d231b +labels: + type: mealie From 4664c17848e738758651cb12f2decf6c6a4120b3 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 20:53:54 -0400 Subject: [PATCH 05/27] Update mealie-logs.yaml Update timestamp format --- parsers/s01-parse/Jgigantino31/mealie-logs.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/parsers/s01-parse/Jgigantino31/mealie-logs.yaml b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml index abfbaf8a403..2a28c90e470 100644 --- a/parsers/s01-parse/Jgigantino31/mealie-logs.yaml +++ b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml @@ -3,15 +3,17 @@ onsuccess: next_stage name: Jgigantino31/mealie-logs description: "Parse mealie logs" filter: "evt.Parsed.program == 'mealie'" +pattern_syntax: + MEALIE_CUSTOMDATE: "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}" nodes: - grok: - pattern: '.*%{RFC3339:timestamp} - Incorrect username or password from %{IP:source_ip}' # For logs collected directly from docker + pattern: '.*%{MEALIE_CUSTOMDATE:timestamp} - Incorrect username or password from %{IP:source_ip}' # For logs collected directly from docker apply_on: message statics: - meta: log_type value: mealie_failed_auth - grok: - pattern: '.*%{RFC3339:timestamp}: Incorrect username or password from %{IP:source_ip}' # For logs collected from log file + pattern: '.*%{MEALIE_CUSTOMDATE:timestamp}: Incorrect username or password from %{IP:source_ip}' # For logs collected from log file apply_on: message statics: - meta: log_type From 2dd75c7dad3845848787b811afb119480a438e57 Mon Sep 17 00:00:00 2001 
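Review bot: The greedy `.*` prefix in both node patterns lets `%{YEAR}` (which accepts two or four digits) match only the `25` of `2025`, so the captured `timestamp` is `25-07-16T19:42:45`, exactly what the parser.assert added in PATCH 20 pins (`Evt.Parsed["timestamp"] == "25-07-16T19:42:45"`); a value in that form is unlikely to be understood by dateparse-enrich, and the run-clock event timestamps in PATCH 18's scenario.assert look like the resulting fallback. Make the prefix non-greedy in both nodes, `pattern: '.*?%{MEALIE_CUSTOMDATE:timestamp} - Incorrect username or password from %{IP:source_ip}'` and `pattern: '.*?%{MEALIE_CUSTOMDATE:timestamp}: Incorrect username or password from %{IP:source_ip}'`, or pin the year to four digits inside `MEALIE_CUSTOMDATE` (`[0-9]{4}` in place of `%{YEAR}`). The same `.*` prefix is already present in the original patterns from PATCH 03, and both assert files will need regenerating once the capture is correct.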
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:01:37 -0400 Subject: [PATCH 06/27] Create mealie-bf.yaml --- scenarios/Jgigantino31/mealie-bf.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 scenarios/Jgigantino31/mealie-bf.yaml diff --git a/scenarios/Jgigantino31/mealie-bf.yaml b/scenarios/Jgigantino31/mealie-bf.yaml new file mode 100644 index 00000000000..db57fe668cd --- /dev/null +++ b/scenarios/Jgigantino31/mealie-bf.yaml @@ -0,0 +1,5 @@ +Detect failed mealie authentications: + + - leakspeed of 10s, capacity of 10 + + Note: Mealie prints each failed authentication to the log twice causing each failed log in to count twice! This means effective leakspeed is 20s and effective capacity is 5. From 92d66a34fe1872435ee89e8b13ce7b622936e6ac Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:01:51 -0400 Subject: [PATCH 07/27] Rename mealie-bf.yaml to mealie-bf.md --- scenarios/Jgigantino31/{mealie-bf.yaml => mealie-bf.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scenarios/Jgigantino31/{mealie-bf.yaml => mealie-bf.md} (100%) diff --git a/scenarios/Jgigantino31/mealie-bf.yaml b/scenarios/Jgigantino31/mealie-bf.md similarity index 100% rename from scenarios/Jgigantino31/mealie-bf.yaml rename to scenarios/Jgigantino31/mealie-bf.md From 7a33cc5c0a80e947a750c666c93474a75393edb0 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:02:29 -0400 Subject: [PATCH 08/27] Update mealie-bf.md --- scenarios/Jgigantino31/mealie-bf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scenarios/Jgigantino31/mealie-bf.md b/scenarios/Jgigantino31/mealie-bf.md index db57fe668cd..56845a9e7e0 100644 --- a/scenarios/Jgigantino31/mealie-bf.md +++ b/scenarios/Jgigantino31/mealie-bf.md 
@@ -2,4 +2,4 @@ Detect failed mealie authentications: - leakspeed of 10s, capacity of 10 - Note: Mealie prints each failed authentication to the log twice causing each failed log in to count twice! This means effective leakspeed is 20s and effective capacity is 5. + Note: Mealie prints each failed authentication to the log twice causing each failed log in to count as two failed attempts! This means effective leakspeed is 20s and effective capacity is 5. From 5a67bb044eb8a78981390efc9359e04fd9fc12ba Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:07:40 -0400 Subject: [PATCH 09/27] Create mealie-bf.yaml --- scenarios/Jgigantino31/mealie-bf.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 scenarios/Jgigantino31/mealie-bf.yaml diff --git a/scenarios/Jgigantino31/mealie-bf.yaml b/scenarios/Jgigantino31/mealie-bf.yaml new file mode 100644 index 00000000000..47f895566ad --- /dev/null +++ b/scenarios/Jgigantino31/mealie-bf.yaml @@ -0,0 +1,19 @@ +# mealie BF scan +name: Jgigantino31/mealie-bf +description: "Detect mealie bruteforce" +filter: "evt.Meta.log_type == 'mealie_failed_auth'" +#debug: true +type: leaky +groupby: evt.Meta.source_ip +leakspeed: 10s +capacity: 10 +blackhole: 1m +labels: + service: mealie + behavior: "http:bruteforce" + classification: + - attack.T1110 + spoofable: 0 + confidence: 3 + label: "Mealie Bruteforce" + remediation: true From 4f98c6fbf380eaa0a02c4b69e1f0a22c73686476 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:12:13 -0400 Subject: [PATCH 10/27] Create config.yaml --- .tests/mealie-bf/config.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .tests/mealie-bf/config.yaml diff --git a/.tests/mealie-bf/config.yaml b/.tests/mealie-bf/config.yaml new file mode 100644 index 00000000000..515430e447d --- /dev/null 
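Review bot: `capacity: 10` and `leakspeed: 10s` are tuned for Mealie writing each failed login to the log twice (the fixture in PATCH 11 and mealie-bf.md both show the doubled lines), but that is only explained in the markdown, not where the numbers live. Add a comment above the two keys: `# Mealie logs every failed login twice, so capacity 10 / leakspeed 10s is ~5 real attempts with a 20s leak (see mealie-bf.md)`. Anyone retuning the thresholds from the yaml alone would otherwise halve or double the intended sensitivity without noticing.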
+++ b/.tests/mealie-bf/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/Jgigantino31/mealie-logs.yaml
+scenarios:
+- ./scenarios/Jgigantino31/mealie-bf.yaml
+postoverflows:
+- ""
+log_file: mealie-bf.log
+log_type: mealie
+labels: {}
+ignore_parsers: true
+override_statics: []
From 6102e449d8e37b5cafc1a584707e88c022dc00bd Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:13:59 -0400
Subject: [PATCH 11/27] Create mealie-bf.log
---
 .tests/mealie-bf/mealie-bf.log | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .tests/mealie-bf/mealie-bf.log
diff --git a/.tests/mealie-bf/mealie-bf.log b/.tests/mealie-bf/mealie-bf.log
new file mode 100644
index 00000000000..e355ad3478b
--- /dev/null
+++ b/.tests/mealie-bf/mealie-bf.log
@@ -0,0 +1,24 @@
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+[ERROR|auth|L83] 2025-07-16T19:43:16: Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T20:12:38 - Incorrect username or password from 127.0.0.1
From 8dede2a031c228ccec8b8319bea7efc5f54ee501 Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:14:34 -0400
Subject: [PATCH 12/27] Create parser.assert
---
 .tests/mealie-bf/parser.assert | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .tests/mealie-bf/parser.assert
diff --git a/.tests/mealie-bf/parser.assert b/.tests/mealie-bf/parser.assert
new file mode 100644
index 00000000000..8b137891791
--- /dev/null
+++ b/.tests/mealie-bf/parser.assert
@@ -0,0 +1 @@
+
From 354481885b730a5cf04bfd76b1a3466669a94b1a Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:15:09 -0400
Subject: [PATCH 13/27] Create scenario.assert
---
 .tests/mealie-bf/scenario.assert | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .tests/mealie-bf/scenario.assert
diff --git a/.tests/mealie-bf/scenario.assert b/.tests/mealie-bf/scenario.assert
new file mode 100644
index 00000000000..8b137891791
--- /dev/null
+++ b/.tests/mealie-bf/scenario.assert
@@ -0,0 +1 @@
+
From bde7aeb4e10f9f44c194bd0904c7fec25500f58a Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:16:16 -0400
Subject: [PATCH 14/27] Create config.yaml
---
 .tests/mealie-logs/config.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .tests/mealie-logs/config.yaml
diff --git a/.tests/mealie-logs/config.yaml b/.tests/mealie-logs/config.yaml
new file mode 100644
index 00000000000..bb48f02c64b
--- /dev/null
+++ b/.tests/mealie-logs/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/Jgigantino31/mealie-logs.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: mealie-logs.log
+log_type: mealie
+labels: {}
+ignore_parsers: false
+override_statics: []
From b19e495bbbe28936e904c5fa4f2b88da3a007168 Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:19:14 -0400
Subject: [PATCH 15/27] Create mealie-logs.yaml
---
 .tests/mealie-logs/mealie-logs.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .tests/mealie-logs/mealie-logs.yaml
diff --git a/.tests/mealie-logs/mealie-logs.yaml b/.tests/mealie-logs/mealie-logs.yaml
new file mode 100644
index 00000000000..aa4830d0aea
--- /dev/null
+++ b/.tests/mealie-logs/mealie-logs.yaml
@@ -0,0 +1,18 @@
+INFO 2025-07-16T19:42:14 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
+INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 304 Not Modified "GET /login/?direct=1 HTTP/1.1"
+INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
+INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
+INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
+INFO 2025-07-16T19:42:39 - [127.0.0.1:32894] 200 OK "GET /sw.js HTTP/1.1"
+ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1
+ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1
+INFO 2025-07-16T19:42:45 - [127.0.0.1:32894] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
+INFO 2025-07-16T19:42:45 - [127.0.0.1:53864] 200 OK "GET /api/app/about HTTP/1.1"
+INFO 2025-07-16T19:43:15 - [127.0.0.1:42322] 200 OK "GET /api/app/about HTTP/1.1"
+WARNING 2025-07-16T19:43:16 - Found user but their auth method is not 'Mealie'. Unable to continue with credentials login
+ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1
+WARNING 2025-07-16T19:43:16 - Found user but their auth method is not 'Mealie'. Unable to continue with credentials login
+ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1
+INFO 2025-07-16T19:43:16 - [127.0.0.1:32894] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
+INFO 2025-07-16T19:43:45 - [127.0.0.1:58404] 200 OK "GET /api/app/about HTTP/1.1"
+INFO 2025-07-16T19:44:16 - [127.0.0.1:37558] 200 OK "GET /api/app/about HTTP/1.1"
From eaf698cf1abcc627aa79a3fe2f1730856ba53dad Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:19:32 -0400
Subject: [PATCH 16/27] Create parser.assert
---
 .tests/mealie-logs/parser.assert | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .tests/mealie-logs/parser.assert
diff --git a/.tests/mealie-logs/parser.assert b/.tests/mealie-logs/parser.assert
new file mode 100644
index 00000000000..8b137891791
--- /dev/null
+++ b/.tests/mealie-logs/parser.assert
@@ -0,0 +1 @@
+
From 707213a152ef206b848b4c4b566f7fa3f03fd93e Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Wed, 16 Jul 2025 21:19:44 -0400
Subject: [PATCH 17/27] Create scenario.assert
---
 .tests/mealie-logs/scenario.assert | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .tests/mealie-logs/scenario.assert
diff --git a/.tests/mealie-logs/scenario.assert b/.tests/mealie-logs/scenario.assert
new file mode 100644
index 00000000000..8b137891791
--- /dev/null
+++ b/.tests/mealie-logs/scenario.assert
@@ -0,0 +1 @@
+
From a9c864bf05b6c48ff4255ea94b9b08c36a97d042 Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Sun, 20 Jul 2025 18:13:54 -0400
Subject: [PATCH 18/27] Update scenario.assert
Run test for mealie-bf locally, added result
---
 .tests/mealie-bf/scenario.assert | 76 +++++++++++++++++++++++++++++++-
 1 file changed, 75 insertions(+), 1 deletion(-)
diff --git a/.tests/mealie-bf/scenario.assert b/.tests/mealie-bf/scenario.assert
index 8b137891791..c658fc502eb 100644
--- a/.tests/mealie-bf/scenario.assert
+++ b/.tests/mealie-bf/scenario.assert
@@ -1 +1,75 @@
-
+len(results) == 1
+"127.0.0.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
+results[0].Overflow.Sources["127.0.0.1"].Range == ""
+results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-20T22:12:26.720606156Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-20T22:12:26.720654027Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-20T22:12:26.720761842Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-20T22:12:26.720903695Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-20T22:12:26.720989741Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-20T22:12:26.721051736Z"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[6].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-07-20T22:12:26.721129812Z"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type") == 
"mealie_failed_auth"
+results[0].Overflow.Alert.Events[7].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-07-20T22:12:26.721189146Z"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[8].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-07-20T22:12:26.721253808Z"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[9].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-07-20T22:12:26.721312822Z"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "mealie-bf.log"
+results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "mealie_failed_auth"
+results[0].Overflow.Alert.Events[10].GetMeta("service") == "mealie"
+results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-07-20T22:12:26.721370643Z"
+results[0].Overflow.Alert.GetScenario() == "Jgigantino31/mealie-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 11
From 6f90eaa07b07ca5aef0f55912cc0e31c06b8db2b Mon Sep 17 00:00:00 2001
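Review bot: The `GetMeta("timestamp")` values pinned here (`2025-07-20T22:12:26.720606156Z` and the ten that follow) are dated the day this assert was generated, while every line of mealie-bf.log is dated 2025-07-16, so they appear to be the wall clock of the local run rather than the parsed log time; if so, this file will fail on any later run of the hub tests. That is what one would expect when the parser's captured timestamp cannot be used by dateparse-enrich (the parser.assert in PATCH 20 pins `Evt.Parsed["timestamp"]` as `25-07-16T19:42:45`, a two-digit year). Regenerate this file after the parser captures a full date and confirm the event timestamps then match the fixture's 2025-07-16 values.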
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Sun, 20 Jul 2025 18:34:52 -0400
Subject: [PATCH 19/27] Update and rename mealie-logs.yaml to mealie-logs.log
---
 .tests/mealie-logs/{mealie-logs.yaml => mealie-logs.log} | 8 --------
 1 file changed, 8 deletions(-)
 rename .tests/mealie-logs/{mealie-logs.yaml => mealie-logs.log} (56%)
diff --git a/.tests/mealie-logs/mealie-logs.yaml b/.tests/mealie-logs/mealie-logs.log
similarity index 56%
rename from .tests/mealie-logs/mealie-logs.yaml
rename to .tests/mealie-logs/mealie-logs.log
index aa4830d0aea..42dc61571bb 100644
--- a/.tests/mealie-logs/mealie-logs.yaml
+++ b/.tests/mealie-logs/mealie-logs.log
@@ -1,9 +1,3 @@
-INFO 2025-07-16T19:42:14 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
-INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 304 Not Modified "GET /login/?direct=1 HTTP/1.1"
-INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
-INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
-INFO 2025-07-16T19:42:38 - [127.0.0.1:32894] 200 OK "GET /api/app/about HTTP/1.1"
-INFO 2025-07-16T19:42:39 - [127.0.0.1:32894] 200 OK "GET /sw.js HTTP/1.1"
 ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1
 ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1
 INFO 2025-07-16T19:42:45 - [127.0.0.1:32894] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
@@ -14,5 +8,3 @@ ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1
 WARNING 2025-07-16T19:43:16 - Found user but their auth method is not 'Mealie'. Unable to continue with credentials login
 ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1
 INFO 2025-07-16T19:43:16 - [127.0.0.1:32894] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
-INFO 2025-07-16T19:43:45 - [127.0.0.1:58404] 200 OK "GET /api/app/about HTTP/1.1"
-INFO 2025-07-16T19:44:16 - [127.0.0.1:37558] 200 OK "GET /api/app/about HTTP/1.1"
From 789f3feac0c7b6b1ffd5001823ec93649036ed26 Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Sun, 20 Jul 2025 18:42:08 -0400
Subject: [PATCH 20/27] Update parser.assert
Add test result
---
 .tests/mealie-logs/parser.assert | 179 ++++++++++++++++++++++++++++++-
 1 file changed, 178 insertions(+), 1 deletion(-)
diff --git a/.tests/mealie-logs/parser.assert b/.tests/mealie-logs/parser.assert
index 8b137891791..da519e8a380 100644
--- a/.tests/mealie-logs/parser.assert
+++ b/.tests/mealie-logs/parser.assert
@@ -1 +1,178 @@
-
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 10
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "INFO 2025-07-16T19:42:45 - [127.0.0.1:32894] 401 Unauthorized \"POST /api/auth/token HTTP/1.1\""
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == 
"INFO 2025-07-16T19:42:45 - [127.0.0.1:53864] 200 OK \"GET /api/app/about HTTP/1.1\""
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "INFO 2025-07-16T19:43:15 - [127.0.0.1:42322] 200 OK \"GET /api/app/about HTTP/1.1\""
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "WARNING 2025-07-16T19:43:16 - Found user but their auth method is not 'Mealie'. 
Unable to continue with credentials login"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "WARNING 2025-07-16T19:43:16 - Found user but their auth method is not 'Mealie'. 
Unable to continue with credentials login"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["message"] == "INFO 2025-07-16T19:43:16 - [127.0.0.1:32894] 401 Unauthorized \"POST /api/auth/token HTTP/1.1\""
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Parsed["program"] == "mealie"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_path"]) == "mealie-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 10
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false +len(results["s01-parse"]["Jgigantino31/mealie-logs"]) == 10 +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Success == true +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["program"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["timestamp"] == "25-07-16T19:42:45" +basename(results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["service"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Success == true +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["program"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["timestamp"] == "25-07-16T19:42:45" 
+basename(results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["service"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["Jgigantino31/mealie-logs"][2].Success == false +results["s01-parse"]["Jgigantino31/mealie-logs"][3].Success == false +results["s01-parse"]["Jgigantino31/mealie-logs"][4].Success == false +results["s01-parse"]["Jgigantino31/mealie-logs"][5].Success == false +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Success == true +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["program"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["timestamp"] == "25-07-16T19:43:16" +basename(results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["service"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Whitelisted == false +results["s01-parse"]["Jgigantino31/mealie-logs"][7].Success == false 
+results["s01-parse"]["Jgigantino31/mealie-logs"][8].Success == true +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["program"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["timestamp"] == "25-07-16T19:43:16" +basename(results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["service"] == "mealie" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["source_ip"] == "127.0.0.1" +results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Whitelisted == false +results["s01-parse"]["Jgigantino31/mealie-logs"][9].Success == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "25-07-16T19:42:45" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555143764Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555143764Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "25-07-16T19:42:45" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555183696Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555183696Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "25-07-16T19:43:16" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555372279Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555372279Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "25-07-16T19:43:16" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "mealie-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "mealie_failed_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "mealie" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555431999Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555431999Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +len(results["success"][""]) == 0 From 90d60dbe49d1215fab32ca3afcd52e1cfa099d7e Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Sun, 20 Jul 2025 21:24:48 -0400 Subject: [PATCH 21/27] Update mealie-bf.yaml --- scenarios/Jgigantino31/mealie-bf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scenarios/Jgigantino31/mealie-bf.yaml b/scenarios/Jgigantino31/mealie-bf.yaml index 47f895566ad..8bd4adfc602 100644 --- a/scenarios/Jgigantino31/mealie-bf.yaml +++ b/scenarios/Jgigantino31/mealie-bf.yaml @@ -11,9 +11,9 @@ blackhole: 1m labels: service: mealie behavior: "http:bruteforce" - classification: - - attack.T1110 spoofable: 0 confidence: 3 + classification: + - attack.T1110 label: "Mealie Bruteforce" remediation: true From 755ae492b07a39e8154eab4d59983a958310edd0 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Fri, 25 Jul 2025 10:03:00 -0400 Subject: [PATCH 22/27] Update parser.assert --- .tests/mealie-logs/parser.assert | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/.tests/mealie-logs/parser.assert b/.tests/mealie-logs/parser.assert
index da519e8a380..9ce86966435 100644
--- a/.tests/mealie-logs/parser.assert
+++ b/.tests/mealie-logs/parser.assert
@@ -133,8 +133,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555143764Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555143764Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934381354Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934381354Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
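Review bot: The two `+` lines pin `Meta["timestamp"]` and `Enriched["MarshaledTime"]` to `2025-07-25T14:01:58.934381354Z`, a nanosecond-precision value dated to the test run rather than to the log line, whose `Parsed["message"]` says `2025-07-16T19:42:45`; this looks like the `25-07-16T19:42:45` string captured at s01-parse being rejected by dateparse-enrich, which then falls back to the current time. A wall-clock expectation will fail on the next regeneration and masks the parse problem instead of surfacing it. The same values appear in the three following hunks of this file and in the scenario.assert hunk of PATCH 23. PATCH 24 later changes the grok patterns, which appears to be the actual fix, so these assertion updates should probably be dropped and the `.assert` files regenerated once from that state.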
@@ -146,8 +146,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555183696Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555183696Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934420384Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934420384Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
@@ -159,8 +159,8 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555372279Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555372279Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934737945Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934737945Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
@@ -172,7 +172,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "mealie_failed_auth" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "mealie" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-20T22:39:52.555431999Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-20T22:39:52.555431999Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934855238Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934855238Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false len(results["success"][""]) == 0 From af0b58c18385701a2ebac48199cbf29ce394f17c Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Fri, 25 Jul 2025 10:04:22 -0400 Subject: [PATCH 23/27] Update scenario.assert --- .tests/mealie-bf/scenario.assert | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.tests/mealie-bf/scenario.assert b/.tests/mealie-bf/scenario.assert index c658fc502eb..c87595b3dec 100644 --- a/.tests/mealie-bf/scenario.assert +++ b/.tests/mealie-bf/scenario.assert 
@@ -9,67 +9,67 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-20T22:12:26.720606156Z"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-25T14:03:56.305600558Z"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-20T22:12:26.720654027Z"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-25T14:03:56.305645457Z"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-20T22:12:26.720761842Z"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-25T14:03:56.305746955Z"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-20T22:12:26.720903695Z"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-25T14:03:56.305800664Z"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-20T22:12:26.720989741Z"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-25T14:03:56.305840414Z"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-20T22:12:26.721051736Z"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-25T14:03:56.305903309Z"
 basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-07-20T22:12:26.721129812Z"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-07-25T14:03:56.305950261Z"
 basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-07-20T22:12:26.721189146Z"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-07-25T14:03:56.305986843Z"
 basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-07-20T22:12:26.721253808Z"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-07-25T14:03:56.306042895Z"
 basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-07-20T22:12:26.721312822Z"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-07-25T14:03:56.306078893Z"
 basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "mealie_failed_auth"
results[0].Overflow.Alert.Events[10].GetMeta("service") == "mealie" results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "127.0.0.1" -results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-07-20T22:12:26.721370643Z" +results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-07-25T14:03:56.306130721Z" results[0].Overflow.Alert.GetScenario() == "Jgigantino31/mealie-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 11 From 0084744d9fc0e9b4b5afeca254198e13f8038a87 Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Sun, 3 Aug 2025 12:51:15 -0400 Subject: [PATCH 24/27] Update mealie-logs.yaml Fix patterns to get correct time from logs --- parsers/s01-parse/Jgigantino31/mealie-logs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/parsers/s01-parse/Jgigantino31/mealie-logs.yaml b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml index 2a28c90e470..9ef2811fc8d 100644 --- a/parsers/s01-parse/Jgigantino31/mealie-logs.yaml +++ b/parsers/s01-parse/Jgigantino31/mealie-logs.yaml @@ -7,13 +7,13 @@ pattern_syntax: MEALIE_CUSTOMDATE: "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}" nodes: - grok: - pattern: '.*%{MEALIE_CUSTOMDATE:timestamp} - Incorrect username or password from %{IP:source_ip}' # For logs collected directly from docker + pattern: 'ERROR %{MEALIE_CUSTOMDATE:timestamp} - Incorrect username or password from %{IP:source_ip}' # For logs collected directly from docker apply_on: message statics: - meta: log_type value: mealie_failed_auth - grok: - pattern: '.*%{MEALIE_CUSTOMDATE:timestamp}: Incorrect username or password from %{IP:source_ip}' # For logs collected from log file + pattern: '[ERROR|auth|L83] %{MEALIE_CUSTOMDATE:timestamp}: Incorrect username or password from %{IP:source_ip}' # For logs collected from log file apply_on: message statics: - meta: log_type 
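Review bot: In the second `+pattern` line, `[ERROR|auth|L83]` is a regex character class, so the pattern matches a single character from that set followed by a space rather than the literal bracketed tag, and a line that really starts with `[ERROR|auth|L83] ` would not match because the `]` before the space is not in the class. If the literal tag is intended the brackets and pipes need escaping, e.g. `pattern: '\[ERROR\|auth\|L83\] %{MEALIE_CUSTOMDATE:timestamp}: Incorrect username or password from %{IP:source_ip}'`, and if `L83` is a source line number it will drift between Mealie releases, so `L\d+` may be safer. Nothing in the parser.assert fixture exercises this branch: every successful s01-parse event in the assertions carries a docker-style `ERROR <date> - Incorrect ...` message, so a log-file-format sample should be added to the test data to pin it. Separately, `MEALIE_CUSTOMDATE` carries no timezone and the scenario.assert values in PATCH 25 come out with a `Z` suffix, so log times appear to be treated as UTC; a comment on the pattern would help if Mealie writes local time. The second grok node's `statics` continue past the end of the hunk.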
From 916ffeb1ca2d400b68845570c2982fc05bfc0a7d Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Sun, 3 Aug 2025 12:55:10 -0400 Subject: [PATCH 25/27] Update scenario.assert --- .tests/mealie-bf/scenario.assert | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.tests/mealie-bf/scenario.assert b/.tests/mealie-bf/scenario.assert index c87595b3dec..c008637b6f3 100644 --- a/.tests/mealie-bf/scenario.assert +++ b/.tests/mealie-bf/scenario.assert 
@@ -9,67 +9,67 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-25T14:03:56.305600558Z"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-25T14:03:56.305645457Z"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-25T14:03:56.305746955Z"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-25T14:03:56.305800664Z"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-25T14:03:56.305840414Z"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-25T14:03:56.305903309Z"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-07-25T14:03:56.305950261Z"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-07-25T14:03:56.305986843Z"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-07-25T14:03:56.306042895Z"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-07-25T14:03:56.306078893Z"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-07-16T20:12:38Z"
 basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "mealie-bf.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "mealie_failed_auth"
 results[0].Overflow.Alert.Events[10].GetMeta("service") == "mealie"
 results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "127.0.0.1"
-results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-07-25T14:03:56.306130721Z" +results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-07-16T20:12:38Z" results[0].Overflow.Alert.GetScenario() == "Jgigantino31/mealie-bf" results[0].Overflow.Alert.Remediation == true results[0].Overflow.Alert.GetEventsCount() == 11 From 3022ebcfb0070f791d9566c0ba7a471a6ece290d Mon Sep 17 00:00:00 2001 From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com> Date: Sun, 3 Aug 2025 12:56:14 -0400 Subject: [PATCH 26/27] Update parser.assert --- .tests/mealie-logs/parser.assert | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.tests/mealie-logs/parser.assert b/.tests/mealie-logs/parser.assert index 9ce86966435..c8cf2dc747b 100644 --- a/.tests/mealie-logs/parser.assert +++ b/.tests/mealie-logs/parser.assert @@ -76,7 +76,7 @@ results["s01-parse"]["Jgigantino31/mealie-logs"][0].Success == true results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1" results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["program"] == "mealie" results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["source_ip"] == "127.0.0.1" -results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["timestamp"] == "25-07-16T19:42:45" +results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Parsed["timestamp"] == "2025-07-16T19:42:45" basename(results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["datasource_path"]) == "mealie-logs.log" results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["Jgigantino31/mealie-logs"][0].Evt.Meta["log_type"] == "mealie_failed_auth" 
@@ -87,7 +87,7 @@ results["s01-parse"]["Jgigantino31/mealie-logs"][1].Success == true
 results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
 results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["program"] == "mealie"
 results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["timestamp"] == "25-07-16T19:42:45"
+results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Parsed["timestamp"] == "2025-07-16T19:42:45"
 basename(results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Jgigantino31/mealie-logs"][1].Evt.Meta["log_type"] == "mealie_failed_auth"
@@ -102,7 +102,7 @@ results["s01-parse"]["Jgigantino31/mealie-logs"][6].Success == true
 results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
 results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["program"] == "mealie"
 results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["timestamp"] == "25-07-16T19:43:16"
+results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Parsed["timestamp"] == "2025-07-16T19:43:16"
 basename(results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Jgigantino31/mealie-logs"][6].Evt.Meta["log_type"] == "mealie_failed_auth"
@@ -114,7 +114,7 @@ results["s01-parse"]["Jgigantino31/mealie-logs"][8].Success == true
 results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
 results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["program"] == "mealie"
 results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["timestamp"] == "25-07-16T19:43:16"
+results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Parsed["timestamp"] == "2025-07-16T19:43:16"
 basename(results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["Jgigantino31/mealie-logs"][8].Evt.Meta["log_type"] == "mealie_failed_auth"
@@ -127,52 +127,52 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "25-07-16T19:42:45"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2025-07-16T19:42:45"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934381354Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934381354Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-07-16T19:42:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-07-16T19:42:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "ERROR 2025-07-16T19:42:45 - Incorrect username or password from 127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "25-07-16T19:42:45"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2025-07-16T19:42:45"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934420384Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934420384Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-07-16T19:42:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-07-16T19:42:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "25-07-16T19:43:16"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "2025-07-16T19:43:16"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934737945Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934737945Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-07-16T19:43:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-07-16T19:43:16Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "ERROR 2025-07-16T19:43:16 - Incorrect username or password from 127.0.0.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "25-07-16T19:43:16"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "2025-07-16T19:43:16"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "mealie-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "mealie_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "mealie"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "127.0.0.1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-25T14:01:58.934855238Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-25T14:01:58.934855238Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-07-16T19:43:16Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-07-16T19:43:16Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
 len(results["success"][""]) == 0
From 21c8d272836c8dc03aef928d5b1487b7d06730be Mon Sep 17 00:00:00 2001
From: Joseph Gigantino <128943406+Jgigantino31@users.noreply.github.com>
Date: Sun, 3 Aug 2025 14:23:12 -0400
Subject: [PATCH 27/27] Update mealie-bf.md
---
 scenarios/Jgigantino31/mealie-bf.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scenarios/Jgigantino31/mealie-bf.md b/scenarios/Jgigantino31/mealie-bf.md
index 56845a9e7e0..d70f584e2cb 100644
--- a/scenarios/Jgigantino31/mealie-bf.md
+++ b/scenarios/Jgigantino31/mealie-bf.md
@@ -2,4 +2,4 @@ Detect failed mealie authentications: - leakspeed of 10s, capacity of 10 - Note: Mealie prints each failed authentication to the log twice causing each failed log in to count as two failed attempts! This means effective leakspeed is 20s and effective capacity is 5.
+**Note:** Mealie prints each failed authentication to the log twice causing each failed log in to count as two failed attempts! This means effective leakspeed is 20s and effective capacity is 5.
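Review bot: The new `Evt.Meta["timestamp"]` and `Evt.Enriched["MarshaledTime"]` expectations are Mealie's zone-less log time with a `Z` appended (`2025-07-16T19:42:45` becomes `2025-07-16T19:42:45Z`), so dateparse-enrich is treating the parsed timestamp as UTC. If the Mealie container writes local time instead, every event time and the scenario's leak window (the mealie-bf.md hunk below states a 10s leakspeed) are shifted by that offset, and the shift will only be visible in alert timestamps, not in a failing test; I cannot tell from this hunk which zone Mealie logs in, so it is worth confirming against the container's timezone and recording it in the parser documentation, e.g. `Mealie log timestamps carry no timezone and are interpreted as UTC.` The replaced values (`2025-07-25T14:01:58…Z`, the time the hubtest was run) show that the old expectation was the enricher falling back to parse time because the two-digit year was not parseable, which this hunk rightly corrects; the same Parsed-timestamp correction is repeated in the @@ -76, -87, -102 and -114 hunks of this file.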