Hello,
I am trying to set up parsers and decisions/scenarios for banning the real IP, since we are using HAProxy in front of our IIS. In the IIS logs I have everything logged (tested with a crawler):
```
2024-12-03 07:31:27 172.x.x.x. GET /blablabla/asd/ - 80 - 172.x.x.x colly+-+https://github.com/gocolly/colly/v2 - test.url 200 0 0 1218 363 2 89.111.111.111,+89.111.111.111 - off -
```
I changed my IIS parser to also parse the forwarded-for field (I tested this pattern with the crowdstrike playground page):
```yaml
  - filter: "evt.Parsed.datasource_type != 'wineventlog'"
    grok:
      pattern: "%{TIMESTAMP_ISO8601:date} %{IP:server_ip} %{WORD:http_method} %{DATA:http_path} %{DATA:http_args} %{INT} %{DATA:remote_user} %{IP:client_ip} %{DATA:user_agent} %{DATA:referer} %{INT:status} %{INT:substatus} %{INT:win32_status} %{INT:duration} %{INT:bytes_received} %{INT:time_taken} %{IPORHOST:forwarded_for}"
      apply_on: message
      statics:
        - target: evt.StrTime
          expression: evt.Parsed.date
        - meta: source_ip
          expression: evt.Parsed.client_ip
        - meta: http_status
          expression: evt.Parsed.status
        - meta: http_path
          expression: evt.Parsed.http_path
        - meta: http_user_agent
          expression: evt.Parsed.user_agent
        - meta: real_ip
          expression: evt.Parsed.forwarded_for
        # the grok pattern captures the verb as http_method, not method
        - meta: http_verb
          expression: evt.Parsed.http_method
        - parsed: verb
          expression: evt.Parsed.http_method
        - target: evt.Parsed.request
          expression: evt.Meta.http_path + '?' + evt.Parsed.http_args
```
and I also changed the default scenario http-probing to match real_ip instead of client_ip:
```yaml
# 404 scan
type: leaky
#debug: true
name: crowdsecurity/http-probing
description: "Detect site scanning/probing from a single ip"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
groupby: "evt.Meta.real_ip + '/' + evt.Parsed.target_fqdn"
distinct: "evt.Meta.http_path"
capacity: 10
reprocess: true
leakspeed: "10s"
blackhole: 5m
labels:
  remediation: true
  classification:
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP Probing"
  spoofable: 0
  service: http
  confidence: 1
```
If I test the parser via the CLI:
```
├ s01-parse
| └ 🟢 crowdsecurity/iis-logs ( +24 ~2)
| └ update evt.Stage : s01-parse -> s02-enrich
| └ create evt.Parsed.duration : 1454
| └ create evt.Parsed.time_taken : 1
| └ create evt.Parsed.client_ip : 172.x.x.x
| └ create evt.Parsed.http_path : /user/bob/details
| └ create evt.Parsed.remote_user : -
| └ create evt.Parsed.server_ip : 172.x.x.x
| └ create evt.Parsed.user_agent : Mozilla/5.0+(Windows+NT+10.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/55.0.2883.87+Safari/537.36
| └ create evt.Parsed.http_args : -
| └ create evt.Parsed.referer : test-rul
| └ create evt.Parsed.request : /user/bob/details?-
| └ create evt.Parsed.win32_status : 2
| └ create evt.Parsed.date : 2024-12-03 09:31:51
| └ create evt.Parsed.forwarded_for : 89.111.111.111
| └ create evt.Parsed.http_method : GET
| └ create evt.Parsed.status : 404
| └ create evt.Parsed.substatus : 0
| └ create evt.Parsed.bytes_received : 386
| └ update evt.StrTime : -> 2024-12-03 09:31:51
| └ create evt.Meta.log_type : http_access-log
| └ create evt.Meta.service : http
| └ create evt.Meta.source_ip : 172.x.x.x.
| └ create evt.Meta.http_path : /user/bob/details
| └ create evt.Meta.http_status : 404
| └ create evt.Meta.http_user_agent : Mozilla/5.0+(Windows+NT+10.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/55.0.2883.87+Safari/537.36
| └ create evt.Meta.real_ip : 89.111.111.111
```
But the decision still lists the client IP (the HAProxy server IP) under Scope:Value.
What am I missing?
Thanks
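The two things the post's parser has to get right are visible in the debug output above: the field CrowdSec builds the alert source (and so the decision's Scope:Value) from is evt.Meta.source_ip, not the scenario's groupby, and the X-Forwarded-For value IIS logs is a comma-separated list in which only the rightmost entry was appended by HAProxy. The Python below is an added example, not code from the post or from CrowdSec; it parses constructed IIS lines with a regex that mirrors the grok pattern, picks the forwarded address the way a defender should (walk the list from the right, skip the trusted proxy addresses, accept only a well-formed IP), and fills source_ip with that address. The sample addresses, the trusted-proxy set and the field name host are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample IIS W3C lines laid out like the one in the post (the
# addresses are made up). IIS writes the space in "a, b" as '+', which is why
# the X-Forwarded-For field shows a ",+" separator.
SAMPLE_LINES = [
    "2024-12-03 07:31:27 172.16.0.10 GET /blablabla/asd/ - 80 - 172.16.0.5 "
    "colly+-+https://github.com/gocolly/colly/v2 - test.url 200 0 0 1218 363 2 "
    "89.111.111.111,+89.111.111.111 - off -",
    # A request without an X-Forwarded-For header: the field is logged as "-".
    "2024-12-03 09:31:51 172.16.0.10 GET /user/bob/details - 80 - 172.16.0.5 "
    "Mozilla/5.0+(Windows+NT+10.0) - test.url 404 0 2 1454 386 1 - - off -",
]

# Mirrors the field order of the grok pattern in the post. Every W3C field is a
# single space-free token, so \S+ is enough; fields after forwarded_for are
# left unanchored and ignored.
IIS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<server_ip>\S+) (?P<http_method>\w+) (?P<http_path>\S+) (?P<http_args>\S+) "
    r"(?P<server_port>\d+) (?P<remote_user>\S+) (?P<client_ip>\S+) "
    r"(?P<user_agent>\S+) (?P<referer>\S+) (?P<host>\S+) "
    r"(?P<status>\d+) (?P<substatus>\d+) (?P<win32_status>\d+) "
    r"(?P<duration>\d+) (?P<bytes_received>\d+) (?P<time_taken>\d+) "
    r"(?P<forwarded_for>\S+)"
)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def trusted_forwarded_ip(xff_field: str, trusted_proxies: set) -> Optional[str]:
    """Return the client address to act on, or None if none can be trusted.

    The list grows left to right as the request crosses proxies, so the
    rightmost entry is the one HAProxy itself appended; anything further left
    was supplied by the client. Walk from the right, skip our own proxies, and
    accept the first remaining entry only if it is a well-formed address.
    """
    if xff_field in ("", "-"):
        return None
    hops = [hop.strip("+ ") for hop in xff_field.split(",")]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        return hop if _is_ip(hop) else None
    return None


def parse_iis_line(line: str, trusted_proxies: set) -> Optional[dict]:
    """Parse one line into the Parsed/Meta split a CrowdSec parser produces."""
    match = IIS_LINE.match(line)
    if match is None:
        return None
    parsed = match.groupdict()
    real_ip = trusted_forwarded_ip(parsed["forwarded_for"], trusted_proxies)
    meta = {
        "http_status": parsed["status"],
        "http_path": parsed["http_path"],
        "http_user_agent": parsed["user_agent"],
        "http_verb": parsed["http_method"],  # the grok field is http_method, not method
        "real_ip": real_ip,
        # The alert source, and therefore the decision's Scope:Value, comes from
        # source_ip, so the forwarded address has to land here; fall back to the
        # TCP peer (the proxy) only when there is nothing trustworthy to use.
        "source_ip": real_ip if real_ip is not None else parsed["client_ip"],
    }
    return {"parsed": parsed, "meta": meta}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        event = parse_iis_line(sample, {"172.16.0.5"})
        print(event["meta"]["source_ip"], event["meta"]["http_status"], event["meta"]["http_path"])
```

In CrowdSec terms this corresponds to pointing the `source_ip` static at the forwarded-for value (or at a parsed field that already holds the trusted hop) rather than at `client_ip`; grouping the scenario by `real_ip` alone changes which bucket an event lands in, not which address the resulting alert names.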