I’ve been reading various topics but haven’t seemed to find the right solution. We have occasional false positives related to the “http-bad-user-agent” scenario. I’m attempting to whitelist the specific UA that’s causing our issue but it does not appear to be working. Please see the config below. Any advice would be appreciated.
name: sdpbc/whitelists
description: "Whitelist UA"
whitelist:
  reason: "whitelist UA Agents"
  expression:
    - evt.Parsed.http_user_agent contains "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"
Hello @Bauer3139,
In which folder did you put the whitelist configuration file, please?
Currently it's under /etc/crowdsec/parsers/s02-enrich/, as its own file, separate from whitelist.yaml. I can confirm in the hub that it sees the file.
Thanks for the answer.
What parser do you use for your HTTP log? Do you have an example of a log line that contains this user agent?
Also, did you have a look at "Whitelist user agent and regex expression"? You might have the same issue?
Here’s an offending log. For possible further background, the server runs Nginx as a reverse proxy and it parses the access/error logs.
Client IP - - [22/Feb/2022:08:31:54 -0500] "GET /focuslanding/ HTTP/2.0" 200 6103 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "redacted" sn="redacted" rt=0.013 ua="redacted:443" us="200" ut="0.016" ul="18359" cs="-" shl="-" geo="US" city="redacted" uct="text/html; charset=UTF-8" bs="6332" rl="126"
Not sure if it also helps, we leave the default log format for Nginx, but expand on it for our logs. See the format below.
log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$host" sn="$server_name" '
                    'rt=$request_time '
                    'ua="$upstream_addr" us="$upstream_status" '
                    'ut="$upstream_response_time" ul="$upstream_response_length" '
                    'cs="$upstream_cache_status" shl="$sent_http_location" '
                    'geo="$geoip2_data_country_code" city="$geoip2_data_city_name" '
                    'uct="$upstream_http_content_type" bs="$bytes_sent" rl="$request_length" ';
Hello @Bauer3139,
When I run cscli explain with the line you pasted, the log is being parsed correctly.
Can you paste the output of: cscli explain --log '<LOG_LINE>' --type nginx --verbose
please?
If your log is also being parsed correctly, can you try to escape the \ in your whitelist expression?
evt.Parsed.http_user_agent contains '\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0'
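As an added illustration, not from this thread or from CrowdSec itself, of why escaping the backslash fixes the whitelist from the first post: the script below parses a constructed nginx line in the main_ext format (documentation IP and host values), then evaluates the `contains` check with the literal as first posted and as suggested above, decoding the expr string escapes the way a Go-style lexer does (a simplified emulation, not CrowdSec's expr engine).

```python
import re

# Constructed access-log line in the thread's main_ext format (documentation IP/host values).
# nginx has already escaped the stray quote inside the User-Agent as the four literal
# characters \x22, so the field itself holds no raw " character.
LOG_LINE = (
    '198.51.100.7 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0" 302 0 "-" '
    '"\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 '
    '(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\\x22" "-" "example.org" '
    'sn="example.org" rt=0.004 ua="10.0.0.1:443" us="302"'
)
# Leading combined-log part of main_ext; enough to recover http_user_agent.
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)"'
)

def parse_access_line(line):
    """Return the parsed fields, roughly what crowdsecurity/nginx-logs puts in evt.Parsed."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected access-log format")
    return m.groupdict()

def decode_expr_literal(body):
    """Decode a quoted expr literal body as a Go-style lexer would (\\\\ -> \\, \\xHH -> chr(HH))."""
    out, i = [], 0
    while i < len(body):
        if body[i] != "\\":
            out.append(body[i])
            i += 1
        elif body[i + 1:i + 2] == "\\":
            out.append("\\")
            i += 2
        elif body[i + 1:i + 2] == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", body[i + 2:i + 4]):
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        else:
            raise ValueError(f"unsupported escape at offset {i}")
    return "".join(out)

def whitelist_matches(parsed, literal_body):
    """Emulate `evt.Parsed.http_user_agent contains <literal>` from the whitelist file."""
    return decode_expr_literal(literal_body) in parsed["http_user_agent"]

# Literal bodies exactly as written in the two whitelist expressions in the thread.
ORIGINAL_NEEDLE = r"\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"  # \x22 decodes to a plain "
ESCAPED_NEEDLE = r"\\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0"  # \\ keeps the backslash
if __name__ == "__main__":
    parsed = parse_access_line(LOG_LINE)
    print("original expression matches:", whitelist_matches(parsed, ORIGINAL_NEEDLE))  # False
    print("escaped expression matches:", whitelist_matches(parsed, ESCAPED_NEEDLE))  # True
```

The unescaped literal decodes to a string starting with a real quote character, which never occurs in the parsed field, so the whitelist silently never fires; the escaped form searches for the literal backslash sequence nginx wrote.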
Here’s the output from a log that was flagged and blocked this morning.
s00-raw:
crowdsecurity/non-syslog:
- evt:
ExpectMode: 1
Stage: s01-parse
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
Time: 2022-02-23T14:07:28.34526061Z
Meta:
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
success: true
crowdsecurity/syslog-logs:
- evt:
ExpectMode: 1
Stage: s00-raw
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Time: 2022-02-23T14:07:28.34526061Z
success: false
s01-parse:
crowdsecurity/nginx-logs:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
Meta:
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
success: true
s02-enrich:
crowdsecurity/dateparse-enrich:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Enriched:
MarshaledTime: "2022-02-23T07:12:34-05:00"
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
MarshaledTime: "2022-02-23T07:12:34-05:00"
Meta:
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
timestamp: "2022-02-23T07:12:34-05:00"
success: true
crowdsecurity/geoip-enrich:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Enriched:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
ASNumber: "7922"
IsInEU: "false"
IsoCode: US
Latitude: "26.946700"
Longitude: "-80.217000"
MarshaledTime: "2022-02-23T07:12:34-05:00"
SourceRange: 76.96.0.0/11
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
MarshaledTime: "2022-02-23T07:12:34-05:00"
Meta:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
IsInEU: "false"
IsoCode: US
SourceRange: 76.96.0.0/11
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
timestamp: "2022-02-23T07:12:34-05:00"
success: true
crowdsecurity/http-logs:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
file_dir: /sso/
file_ext: ""
file_frag: portal
file_name: portal
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
impact_completion: "true"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
static_ressource: "false"
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Enriched:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
ASNumber: "7922"
IsInEU: "false"
IsoCode: US
Latitude: "26.946700"
Longitude: "-80.217000"
MarshaledTime: "2022-02-23T07:12:34-05:00"
SourceRange: 76.96.0.0/11
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
MarshaledTime: "2022-02-23T07:12:34-05:00"
Meta:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
IsInEU: "false"
IsoCode: US
SourceRange: 76.96.0.0/11
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_args_len: "0"
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
timestamp: "2022-02-23T07:12:34-05:00"
success: true
crowdsecurity/whitelists:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
file_dir: /sso/
file_ext: ""
file_frag: portal
file_name: portal
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
impact_completion: "true"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
static_ressource: "false"
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Enriched:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
ASNumber: "7922"
IsInEU: "false"
IsoCode: US
Latitude: "26.946700"
Longitude: "-80.217000"
MarshaledTime: "2022-02-23T07:12:34-05:00"
SourceRange: 76.96.0.0/11
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
MarshaledTime: "2022-02-23T07:12:34-05:00"
Meta:
ASNNumber: "7922"
ASNOrg: Comcast Cable Communications, LLC
IsInEU: "false"
IsoCode: US
SourceRange: 76.96.0.0/11
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_args_len: "0"
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
timestamp: "2022-02-23T07:12:34-05:00"
success: true
sdpbc/whitelists:
- evt:
ExpectMode: 1
Stage: s02-enrich
Line:
Raw: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
Src: /home/walshe/cscli_test_tmp.log
time: 2022-02-23T14:07:28.345217581Z
Labels:
type: nginx
process: true
Module: file
Parsed:
body_bytes_sent: "0"
http_referer: '-'
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_version: "2.0"
message: 76.109.32.252 - - [23/Feb/2022:07:12:34 -0500] "GET /sso/portal HTTP/2.0"
302 0 "-" "\x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22" "-" "www.mysdpbc.org"
sn="www.mysdpbc.org" rt=0.004 ua="10.254.165.74:443" us="302" ut="0.004"
ul="0" cs="-" shl="/_authn/Logon?ru=L3Nzby9wb3J0YWw=" geo="US" city="Jupiter"
uct="-" bs="276" rl="124"
program: nginx
proxy_alternative_upstream_name: ""
proxy_upstream_name: ""
remote_addr: 76.109.32.252
remote_user: '-'
request: /sso/portal
request_length: ""
request_time: ""
status: "302"
target_fqdn: ""
time_local: 23/Feb/2022:07:12:34 -0500
verb: GET
Time: 2022-02-23T14:07:28.34526061Z
StrTime: 23/Feb/2022:07:12:34 -0500
Meta:
datasource_path: /home/walshe/cscli_test_tmp.log
datasource_type: file
http_path: /sso/portal
http_status: "302"
http_user_agent: \x22Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\x22
http_verb: GET
log_type: http_access-log
service: http
source_ip: 76.109.32.252
success: true
success:
"": []
I believe your suggestion on escaping the \ may have worked. I see a log later in the morning showing it Whitelisting a request because of my rule. I will continue to monitor the logs as more requests come in and see if it’s working properly.
Hello,
OK, thanks for your answer. Let me know if the problem was solved.