owncloud feature

Open martyduniaud98 opened this issue 1 year ago • 7 comments

Add Owncloud logs collection with parsers and scenarios based on Nextcloud logs collection created by Håvard Moen and a1ad

martyduniaud98 avatar Apr 25 '24 13:04 martyduniaud98

Owncloud whitelist removed.

martyduniaud98 avatar May 02 '24 12:05 martyduniaud98

@LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?

martyduniaud98 avatar Jun 11 '24 15:06 martyduniaud98

> @LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?

Do you have any test logs that we can use to ensure the parser and scenarios are working?

You can paste them here and I can create the test suite for you.

LaurenceJJones avatar Jun 11 '24 17:06 LaurenceJJones

> > @LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?
>
> Do you have any test logs that we can use to ensure the parser and scenarios are working?
>
> You can paste them here and I can create the test suite for you.

Yes, I can paste logs here:

{"reqId":"Y9uiebTXtcbqy5btKCdv","level":2,"time":"2024-04-25T15:41:12+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}

{"reqId":"mDo8eCRjvLctHur3LtHr","level":2,"time":"2024-04-25T15:41:22+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login?redirect_url=%252Fsettings%252Fusers","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}

martyduniaud98 avatar Jun 12 '24 08:06 martyduniaud98

Hey, sorry for the lag @martyduniaud98!

Are you able to share some log samples that are enough for us to trigger each scenario individually, please?

It is needed for us to create tests for both the parsers and the scenarios, so that we can merge it and make it available to everyone.

Extra question: are you using some specific whitelists? We are thinking of importing the existing nextcloud whitelist(s) into the collection.

Thanks in advance and awesome work!

buixor avatar Jun 24 '24 14:06 buixor

> Hey, sorry for the lag @martyduniaud98!
>
> Are you able to share some log samples that are enough for us to trigger each scenario individually, please?
>
> It is needed for us to create tests for both the parsers and the scenarios, so that we can merge it and make it available to everyone.
>
> Extra question: are you using some specific whitelists? We are thinking of importing the existing nextcloud whitelist(s) into the collection.
>
> Thanks in advance and awesome work!

Hey @buixor! Thanks for your answer.

I am pasting the logs here:

grok value : owncloud_failed_auth -> scenarios owncloud-bf/owncloud-bf_user_enum

{"reqId":"aGFSFAUPlqEI0HXwdNdA","level":2,"time":"2024-06-25T09:15:04+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}

grok value : owncloud_bruteforce_attempt -> scenario owncloud-bf

{"reqId":"Wmx6aXgKqP8qpdTz02UA","level":3,"time":"2024-06-25T09:26:52+00:00","remoteAddr":"10.10.33.1","user":"--","app":"PHP","method":"GET","url":"/login?user=a","message":"Bruteforce attempt from "10.10.33.1" detected for action "login""}

grok value : owncloud_domain_error -> scenario owncloud-bf_domain_error

{"reqId":"3aeDzvo0rqQ6JZZzh04l","level":2,"time":"2024-06-25T11:03:35+00:00","remoteAddr":"192.168.123.30","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. "192.168.123.30" tried to access using "192.168.123.166:8000" as host."}

I have not tried to use specific whitelists.

I hope it's good now :D

martyduniaud98 avatar Jun 25 '24 13:06 martyduniaud98
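The three message shapes in the comment above, classified in Python as an added example that is not part of the thread or of the contributed parser. The label names are the "grok value" names from the comment; the regular expressions, the function names and the sample lines are assumptions made for this example.

```python
import json
import re
from collections import Counter

# Labels are the "grok value" names from the thread; the regexes are this
# example's assumptions, anchored on the whole message string.
PATTERNS = {
    "owncloud_failed_auth": re.compile(
        r"^Login failed: '(?P<user>.*)' \(Remote IP: '[^']*'\)$"),
    "owncloud_bruteforce_attempt": re.compile(
        r'^Bruteforce attempt from "[^"]*" detected for action "(?P<action>[^"]*)"$'),
    "owncloud_domain_error": re.compile(
        r'^Trusted domain error\. "[^"]*" tried to access using "(?P<host>.*)" as host\.$'),
}

def classify(line):
    """Return (label, source_ip, captures) for one JSON log line, else None."""
    try:
        entry = json.loads(line)
        message, ip = entry["message"], entry["remoteAddr"]
    except (ValueError, KeyError, TypeError):
        return None  # not JSON, not an object, or a required field is missing
    if not isinstance(message, str) or not isinstance(ip, str):
        return None
    for label, pattern in PATTERNS.items():
        match = pattern.match(message)
        if match:
            # Source IP is read from remoteAddr, not from the message text,
            # because the message embeds the submitted user name and Host.
            return label, ip, match.groupdict()
    return None

def count_by_source(lines):
    """Count matched events per (source_ip, label)."""
    results = filter(None, map(classify, lines))
    return Counter((ip, label) for label, ip, _ in results)

# Constructed lines modelled on the thread's samples (inner quotes escaped).
SAMPLE = [
    r'''{"level":2,"remoteAddr":"10.10.33.1","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}''',
    r'''{"level":2,"remoteAddr":"10.10.33.1","message":"Login failed: 'a' (Remote IP: '203.0.113.9')' (Remote IP: '10.10.33.1')"}''',
    r'''{"level":3,"remoteAddr":"10.10.33.1","message":"Bruteforce attempt from \"10.10.33.1\" detected for action \"login\""}''',
    r'''{"level":2,"remoteAddr":"192.168.123.30","message":"Trusted domain error. \"192.168.123.30\" tried to access using \"192.168.123.166:8000\" as host."}''',
    r'''{"level":1,"remoteAddr":"10.10.33.1","message":"Unrelated info line"}''',
    "not json at all",
]

if __name__ == "__main__":
    print(count_by_source(SAMPLE))
```

The second sample line has a user name that itself contains quote characters and an address; the event is still attributed to the `remoteAddr` value.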

Hey @buixor, is something wrong? :)

martyduniaud98 avatar Jul 11 '24 14:07 martyduniaud98