http-generic-bf doesn't work (((

Hi, I installed http-generic-bf but it doesn't work (I looked through cscli explain --file /var/log/nginx/test.server.test --type nginx and there is no script there).

Hi,

It depends on the log sample. If there is no log that matches the scenario filter, it will not display as a success in the explain command.

crowdsecurity/http-crawl-non_statics has this filter: filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']".

I wanted to use nginx authorization to protect against brute force. The logs are standard, as with nginx authorization errors; each site has its own log. This is script-like and was done under nginx auth.

Ah yes, I didn't see that you were talking about http-generic-bf because your cscli explain command output didn't display this scenario.
It means your log sample didn't have the behavior you're trying to detect. If you generate logs with bad basic authentication attempts you will be able to test this scenario.


Here is the basic nginx authorization log. Do I understand correctly that the log for http-generic-bf.yaml is located in /var/log/nginx/test.example.com?

filter: "evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'"
Is it looking for 'auth_fail' in the line???

And this filter says
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '401'"

Does it look in the http_access-log file for the POST method and the 401 error code?

The first scenario is trying to detect authentication failures on basic auth (see nginx-logs): when the nginx parser matches this pattern or this one, it will apply the meta evt.Meta.sub_type => auth_fail.

The second scenario needs a 401 and the POST HTTP method. Following the log sample you pasted, it seems you don't have those kinds of logs.

Could you please paste some log samples here so we can try to see if there is a behavior that we don't detect yet?

site.conf
#AUTH model
auth_basic "Secure Zone";
access log / error log split

access_log

8.8.8.8 - fsdgds [01/Jun/2022:00:07:22 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - dsfsdfs [01/Jun/2022:00:07:25 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - dsfdsfds [01/Jun/2022:00:07:27 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - dsfsd [01/Jun/2022:00:07:53 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - dsfsd [01/Jun/2022:00:07:53 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - asdas [01/Jun/2022:00:07:55 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - dfsdafasf [01/Jun/2022:00:07:57 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - adsfadsf [01/Jun/2022:00:08:03 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - sdfasdf [01/Jun/2022:00:08:05 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - asdfasdfasd [01/Jun/2022:00:08:06 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"
8.8.8.8 - adsfasdfasdf [01/Jun/2022:00:08:07 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"

error_log

2022/06/01 00:07:25 [error] 3723813#3723813: *271234 user "dsfsdfs" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:07:27 [error] 3723813#3723813: *271234 user "dsfdsfds" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:07:53 [error] 3723813#3723813: *271234 user "dsfsd" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:07:53 [error] 3723813#3723813: *271236 user "dsfsd" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:07:55 [error] 3723813#3723813: *271236 user "asdas" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:07:57 [error] 3723813#3723813: *271236 user "dfsdafasf" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:08:03 [error] 3723813#3723813: *271236 user "adsfadsf" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:08:05 [error] 3723813#3723813: *271236 user "sdfasdf" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:08:06 [error] 3723813#3723813: *271236 user "asdfasdfasd" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
2022/06/01 00:08:07 [error] 3723813#3723813: *271236 user "adsfasdfasdf" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"

/http-generic-bf works like error logs, and if you just log without a password, then /http-generic-bf does not work.

For some reason, the error logs were not added to the acquis.yaml file ((( I don't understand why.
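Added illustration, not part of this thread and not CrowdSec's own parser or scenario code: a small Python model of the two filters quoted above, run over constructed access-log and error-log lines shaped like the ones pasted here. The dictionary keys follow the evt.Meta/evt.Parsed names in the filters; the regexes are my own stand-ins for the crowdsecurity/nginx-logs patterns, not the real ones.

```python
import re
from collections import Counter

# Constructed samples (not the thread's exact lines) in the shape of the pasted logs.
ACCESS_LINES = [
    '8.8.8.8 - fsdgds [01/Jun/2022:00:07:22 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0"',
    '8.8.8.8 - dsfsdfs [01/Jun/2022:00:07:25 +0800] "GET / HTTP/1.1" 401 172 "-" "Mozilla/5.0"',
    '8.8.8.8 - admin [01/Jun/2022:00:07:30 +0800] "POST /login HTTP/1.1" 401 172 "-" "Mozilla/5.0"',
]
ERROR_LINES = [
    '2022/06/01 00:07:25 [error] 3723813#3723813: *271234 user "dsfsdfs" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com',
    '2022/06/01 00:07:27 [error] 3723813#3723813: *271234 user "dsfdsfds" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com',
]

# Assumed regexes standing in for the crowdsecurity/nginx-logs parser patterns.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>[A-Z]+) \S+ [^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\S+ \S+ \[error\] \S+ \S+ user "(?P<user>[^"]*)" was not found in .*, client: (?P<ip>[^,]+),')

def parse_access(line):  # evt.Meta/evt.Parsed fields an access-log line would carry
    m = ACCESS_RE.match(line)
    return m and {"log_type": "http_access-log", "service": "http", "source_ip": m["ip"],
                  "verb": m["verb"], "http_status": m["status"]}

def parse_error(line):  # a basic-auth error line gets sub_type=auth_fail, as the reply describes
    m = ERROR_RE.match(line)
    return m and {"log_type": "http_error-log", "service": "http", "source_ip": m["ip"],
                  "sub_type": "auth_fail", "user": m["user"]}

def auth_fail_filter(evt):
    # filter: evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'
    return evt.get("service") == "http" and evt.get("sub_type") == "auth_fail"

def post_401_filter(evt):
    # filter: evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '401'
    return (evt.get("log_type") == "http_access-log" and evt.get("verb") == "POST"
            and evt.get("http_status") == "401")

def count_bf_hits(access_lines, error_lines):
    """Per source IP, how many events would feed the two brute-force filters."""
    hits = Counter()
    for evt in filter(None, map(parse_access, access_lines)):
        if post_401_filter(evt):
            hits[evt["source_ip"]] += 1
    for evt in filter(None, map(parse_error, error_lines)):
        if auth_fail_filter(evt):
            hits[evt["source_ip"]] += 1
    return hits
```

With only the GET 401 access lines and no error log acquired, count_bf_hits returns an empty counter, which is the situation described in this post; adding the error lines is what produces auth_fail events.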

Hi, I just tested your logs with cscli explain and I was able to trigger the scenario:

line: 2022/06/01 00:08:07 [error] 3723813#3723813: *271236 user "adsfasdfasdf" was not found in "/etc/nginx/auth/example.conf", client: 8.8.8.8, server: test.example.com, request: "GET / HTTP/1.1", host: "test.example.com"
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (first_parser)
	|	└ 🔴 crowdsecurity/syslog-logs
	├ s01-parse
	|	└ 🟢 crowdsecurity/nginx-logs (+19 ~3)
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
	|	├ 🟢 crowdsecurity/geoip-enrich (+13)
	|	├ 🔴 crowdsecurity/http-logs
	|	└ 🟢 crowdsecurity/whitelists (+2)
	├-------- parser success 🟢
	├ Scenarios
		├ 🟢 crowdsecurity/http-crawl-non_statics
		└ 🟢 crowdsecurity/http-generic-bf

It also worked for me when I added the error logs.