Whitelist User Agent

I’ve been reading various topics but haven’t seemed to find the right solution. We have occasional false positives related to the “http-bad-user-agent” scenario. I’m attempting to whitelist the specific UA that’s causing our issue but it does not appear to be working. Please see the config below. Any advice would be appreciated.

name: sdpbc/whitelists
description: "Whitelist UA"
whitelist:
  reason: "whitelist UA Agents"
  expression:
    - evt.Parsed.http_user_agent contains "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"

Hello @Bauer3139,

In which folder did you put the whitelist configuration file, please?

Currently it’s under /etc/crowdsec/parsers/s02-enrich/

As its own file separate from whitelist.yaml. I can confirm in the hub that it sees the file.

Thanks for the answer.

What parser do you use for your HTTP log? Do you have an example of a log line that contains this user agent?

Also, did you have a look at Whitelist user agent and regex expression? You might have the same issue?

Here’s an offending log. For possible further background, the server runs Nginx as a reverse proxy and it parses the access/error logs.

Client IP - - [22/Feb/2022:08:31:54 -0500] "GET /focuslanding/ HTTP/2.0" 200 6103 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "redacted" sn="redacted" rt=0.013 ua="redacted:443" us="200" ut="0.016" ul="18359" cs="-" shl="-" geo="US" city="redacted" uct="text/html; charset=UTF-8" bs="6332" rl="126"

Not sure if it also helps: we leave the default log format for Nginx but expand on it for our logs. See the format below.

log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$host" sn="$server_name" '
                    'rt=$request_time '
                    'ua="$upstream_addr" us="$upstream_status" '
                    'ut="$upstream_response_time" ul="$upstream_response_length" '
                    'cs="$upstream_cache_status" shl="$sent_http_location" '
                    'geo="$geoip2_data_country_code" city="$geoip2_data_city_name" '
                    'uct="$upstream_http_content_type" bs="$bytes_sent" rl="$request_length" ';

Hello @Bauer3139,

When I run cscli explain with the line you pasted, the log is being parsed correctly.

Can you paste the output of: cscli explain --log '<LOG_LINE>' --type nginx --verbose please?

If your log is being parsed correctly also, can you try to escape the \ in your whitelist expression?
evt.Parsed.http_user_agent contains '\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0'
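A stand-alone way to see why the escaping matters, as an added example that is not part of this thread or of CrowdSec's own code: it parses a constructed line in the thread's main_ext format, pulls out the user agent as nginx wrote it, and evaluates the `contains` needle written both ways. Python's unicode_escape codec stands in for expr's handling of backslash escapes in string literals (an assumption), and the IP, host and upstream address in the sample line are placeholders.

```python
import re

# Regex for the leading, "combined"-style part of the thread's nginx main_ext
# log_format; everything after $http_x_forwarded_for is captured as "tail".
NGINX_MAIN_EXT = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" (?P<tail>.*)$'
)

# Constructed sample line (IP, host and upstream are placeholders). nginx writes a
# double quote inside a variable as the four literal characters \x22, so the
# backslash really is in the file and ends up in evt.Parsed.http_user_agent.
SAMPLE_LINE = (
    '203.0.113.10 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" '
    '"\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 '
    '(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\\x22" "-" '
    '"www.example.org" sn="www.example.org" rt=0.004 ua="10.0.0.5:443" us="302"'
)


def parse_line(line):
    """Return the named fields of one main_ext line, or None if it does not match."""
    m = NGINX_MAIN_EXT.match(line)
    return m.groupdict() if m else None


def expr_string_literal(src):
    """Decode backslash escapes in a quoted string the way expr does for the
    whitelist expression (stand-in: Python's unicode_escape codec, ASCII input)."""
    return src.encode("ascii").decode("unicode_escape")


def whitelist_matches(ua_field, literal_src):
    """Emulate `evt.Parsed.http_user_agent contains <literal>` for one event."""
    return expr_string_literal(literal_src) in ua_field


def nginx_unescape(value):
    """Reverse nginx's \\xHH escaping to recover the user agent as the client sent it."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


if __name__ == "__main__":
    ua = parse_line(SAMPLE_LINE)["http_user_agent"]
    # Unescaped: \x22 decodes to a real quote, which is not in the field -> no match.
    print(whitelist_matches(ua, r"\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"))
    # Escaped: \\x22 stays as the four characters \x22 -> match, as in the thread.
    print(whitelist_matches(ua, r"\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"))
    print(nginx_unescape(ua))
```

Matching on the part after the escaped quote (`Mozilla/5.0 (iPhone; CPU iPhone OS 11_0`) would sidestep the escaping question entirely, but it also widens the whitelist to every client sending that prefix, so keep the needle as narrow as the false positive requires.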

Here’s the output from a log that was flagged and blocked this morning.

s00-raw:
  crowdsecurity/non-syslog:
    - evt:
        ExpectMode: 1
        Stage: s01-parse
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
        Time: 2022-02-23T14:07:28.34526061Z
        Meta:
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
      success: true
  crowdsecurity/syslog-logs:
    - evt:
        ExpectMode: 1
        Stage: s00-raw
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Time: 2022-02-23T14:07:28.34526061Z
      success: false
s01-parse:
  crowdsecurity/nginx-logs:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        Meta:
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
      success: true
s02-enrich:
  crowdsecurity/dateparse-enrich:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Enriched:
          MarshaledTime: "2022-02-23T07:12:34-05:00"
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        MarshaledTime: "2022-02-23T07:12:34-05:00"
        Meta:
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
          timestamp: "2022-02-23T07:12:34-05:00"
      success: true
  crowdsecurity/geoip-enrich:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Enriched:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          ASNumber: "7922"
          IsInEU: "false"
          IsoCode: US
          Latitude: "26.946700"
          Longitude: "-80.217000"
          MarshaledTime: "2022-02-23T07:12:34-05:00"
          SourceRange: 76.96.0.0/11
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        MarshaledTime: "2022-02-23T07:12:34-05:00"
        Meta:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          IsInEU: "false"
          IsoCode: US
          SourceRange: 76.96.0.0/11
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
          timestamp: "2022-02-23T07:12:34-05:00"
      success: true
  crowdsecurity/http-logs:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          file_dir: /sso/
          file_ext: ""
          file_frag: portal
          file_name: portal
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          impact_completion: "true"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          static_ressource: "false"
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Enriched:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          ASNumber: "7922"
          IsInEU: "false"
          IsoCode: US
          Latitude: "26.946700"
          Longitude: "-80.217000"
          MarshaledTime: "2022-02-23T07:12:34-05:00"
          SourceRange: 76.96.0.0/11
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        MarshaledTime: "2022-02-23T07:12:34-05:00"
        Meta:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          IsInEU: "false"
          IsoCode: US
          SourceRange: 76.96.0.0/11
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_args_len: "0"
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
          timestamp: "2022-02-23T07:12:34-05:00"
      success: true
  crowdsecurity/whitelists:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          file_dir: /sso/
          file_ext: ""
          file_frag: portal
          file_name: portal
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          impact_completion: "true"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          static_ressource: "false"
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Enriched:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          ASNumber: "7922"
          IsInEU: "false"
          IsoCode: US
          Latitude: "26.946700"
          Longitude: "-80.217000"
          MarshaledTime: "2022-02-23T07:12:34-05:00"
          SourceRange: 76.96.0.0/11
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        MarshaledTime: "2022-02-23T07:12:34-05:00"
        Meta:
          ASNNumber: "7922"
          ASNOrg: Comcast Cable Communications, LLC
          IsInEU: "false"
          IsoCode: US
          SourceRange: 76.96.0.0/11
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_args_len: "0"
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
          timestamp: "2022-02-23T07:12:34-05:00"
      success: true
  sdpbc/whitelists:
    - evt:
        ExpectMode: 1
        Stage: s02-enrich
        Line:
          Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          Src: /home/walshe/cscli_test_tmp.log
          time: 2022-02-23T14:07:28.345217581Z
          Labels:
            type: nginx
          process: true
          Module: file
        Parsed:
          body_bytes_sent: "0"
          http_referer: '-'
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_version: "2.0"
          message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004" ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter" uct="-" bs="276" rl="124"
          program: nginx
          proxy_alternative_upstream_name: ""
          proxy_upstream_name: ""
          remote_addr: 76.109.32.252
          remote_user: '-'
          request: /sso/portal
          request_length: ""
          request_time: ""
          status: "302"
          target_fqdn: ""
          time_local: 23/Feb/2022:07:12:34 -0500
          verb: GET
        Time: 2022-02-23T14:07:28.34526061Z
        StrTime: 23/Feb/2022:07:12:34 -0500
        Meta:
          datasource_path: /home/walshe/cscli_test_tmp.log
          datasource_type: file
          http_path: /sso/portal
          http_status: "302"
          http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
          http_verb: GET
          log_type: http_access-log
          service: http
          source_ip: 76.109.32.252
      success: true
success:
  "": []

I believe your suggestion on escaping the \ may have worked. I see a log later in the morning showing it Whitelisting a request because of my rule. I will continue to monitor the logs as more requests come in and see if it’s working properly.

Hello,

Ok thanks for your answer. Let me know if the problem was solved.