
fix(collection/sshd): change acquisition yaml #1109

Open. Wants to merge 1 commit into master.

Conversation

bk-debug commented Sep 3, 2024

Change the notes to instructions for the sshd parser

LaurenceJJones (Contributor) commented Sep 3, 2024

This is not correct, as if you have the syslog parser installed it should be able to parse the program name from the log line:

```
$ sudo cscli explain --log 'Feb 19 10:38:14 myhost sshd[3355]: Disconnected from authenticating user ftp 92.255.85.135 port 26138 [preauth]' --type syslog --only-successful-parsers -v
line: Feb 19 10:38:14 myhost sshd[3355]: Disconnected from authenticating user ftp 92.255.85.135 port 26138 [preauth]
├ s00-raw
|       └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
|               └ update evt.ExpectMode : %!s(int=0) -> 1
|               └ update evt.Stage :  -> s01-parse
|               └ update evt.Line.Raw :  -> Feb 19 10:38:14 myhost sshd[3355]: Disconnected from authenticating user ftp 92.255.85.135 port 26138 [preauth]
|               └ update evt.Line.Src :  -> /tmp/cscli_explain1310535647/cscli_test_tmp.log
|               └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2024-09-03 10:00:23.121648753 +0000 UTC
|               └ create evt.Line.Labels.type : syslog
|               └ update evt.Line.Process : %!s(bool=false) -> true
|               └ update evt.Line.Module :  -> file
|               └ create evt.Parsed.priority :
|               └ create evt.Parsed.program : sshd
|               └ create evt.Parsed.timestamp : Feb 19 10:38:14
|               └ create evt.Parsed.timestamp8601 :
|               └ create evt.Parsed.facility :
|               └ create evt.Parsed.logsource : syslog
|               └ create evt.Parsed.message : Disconnected from authenticating user ftp 92.255.85.135 port 26138 [preauth]
|               └ create evt.Parsed.pid : 3355
|               └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2024-09-03 10:00:23.121672153 +0000 UTC
|               └ update evt.StrTime :  -> Feb 19 10:38:14
|               └ create evt.Meta.datasource_path : /tmp/cscli_explain1310535647/cscli_test_tmp.log
|               └ create evt.Meta.datasource_type : file
|               └ create evt.Meta.machine : myhost
├ s01-parse
|       └ 🟢 crowdsecurity/sshd-logs (+6 ~1)
|               └ update evt.Stage : s01-parse -> s02-enrich
|               └ create evt.Parsed.sshd_client_ip : 92.255.85.135
|               └ create evt.Parsed.sshd_invalid_user : ftp
|               └ create evt.Meta.log_type : ssh_failed-auth
|               └ create evt.Meta.service : ssh
|               └ create evt.Meta.source_ip : 92.255.85.135
|               └ create evt.Meta.target_user : ftp
├ s02-enrich
|       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
|               ├ create evt.Enriched.MarshaledTime : 2024-02-19T10:38:14Z
|               ├ update evt.Time : 2024-09-03 10:00:23.121672153 +0000 UTC -> 2024-02-19 10:38:14 +0000 UTC
|               ├ update evt.MarshaledTime :  -> 2024-02-19T10:38:14Z
|               ├ create evt.Meta.timestamp : 2024-02-19T10:38:14Z
|       ├ 🟢 crowdsecurity/geoip-enrich (+13)
|               ├ create evt.Enriched.SourceRange : 92.255.85.0/24
|               ├ create evt.Enriched.Longitude : 114.165700
|               ├ create evt.Enriched.ASNOrg : Chang Way Technologies Co. Limited
|               ├ create evt.Enriched.ASNumber : 207566
|               ├ create evt.Enriched.IsInEU : false
|               ├ create evt.Enriched.IsoCode : HK
|               ├ create evt.Enriched.Latitude : 22.257800
|               ├ create evt.Enriched.ASNNumber : 207566
|               ├ create evt.Meta.ASNNumber : 207566
|               ├ create evt.Meta.IsInEU : false
|               ├ create evt.Meta.ASNOrg : Chang Way Technologies Co. Limited
|               ├ create evt.Meta.IsoCode : HK
|               ├ create evt.Meta.SourceRange : 92.255.85.0/24
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/ssh-bf
├ 🟢 crowdsecurity/ssh-bf_user-enum
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
```

bk-debug (Author) commented Sep 3, 2024

Thanks for the very fast response.

Then I would suggest updating this line with instructions on how to use the sshd parser, as the current wording is a bit confusing: https://github.com/crowdsecurity/hub/pull/1109/files#diff-05d748cef28bea4cbaf1e0e46322c1ce1417c1225f69f46393aeaa8ae80c4c1fL21.
If you agree, I’d be happy to make the change.

LaurenceJJones (Contributor) commented Sep 3, 2024

> Thanks for the very fast response.
>
> Then I would suggest updating this line with instructions on how to use the sshd parser, as the current wording is a bit confusing: https://github.com/crowdsecurity/hub/pull/1109/files#diff-05d748cef28bea4cbaf1e0e46322c1ce1417c1225f69f46393aeaa8ae80c4c1fL21. If you agree, I’d be happy to make the change.

IMO, since the example shown is a syslog file, the change should be reverted and then the line below should be updated to be something like:

if the defined file is not syslog format then the label should be updated to sshd

bk-debug (Author) commented Sep 3, 2024

Changed it.

bk-debug (Author) commented Sep 3, 2024

After having a look at other collections, I kind of disagree with you.
We normally make an example with the specific parser e.g. apache2 and write a note that syslog can also be used.

So for consistency I would prefer changing the example to the sshd parser instead of changing the notes.

What do you think?

The collections I checked:

LaurenceJJones (Contributor) commented

> After having a look at other collections, I kind of disagree with you. We normally make an example with the specific parser e.g. apache2 and write a note that syslog can also be used.
>
> So for consistency I would prefer changing the example to the sshd parser instead of changing the notes.
>
> What do you think?
>
> The collections I checked:
>
> * https://app.crowdsec.net/hub/author/crowdsecurity/collections/apache2
> * https://app.crowdsec.net/hub/author/crowdsecurity/collections/traefik
> * https://app.crowdsec.net/hub/author/crowdsecurity/collections/nginx

Well, that's because those applications handle their own logging to a different file by default and can opt in to using syslog. However, for ssh, 99% of the time the default is syslog, and rarely do you log to another file that is not in the syslog format.
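A simplified model of the two-stage pipeline visible in the cscli explain output earlier in the thread, added here as an example for this discussion (it is not CrowdSec's or the hub's code): it shows why a syslog-format file can keep the label type syslog, because the program name sshd is lifted from the line itself, while a file written without the syslog envelope needs the label set to sshd so the sshd stage knows which program it is looking at. The regexes and the stage functions are assumptions standing in for the hub's grok patterns; the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real host): the first is in the
# syslog layout shown in the thread, the second is the same sshd message as it
# would appear in a log file written without the syslog envelope.
SYSLOG_LINE = ("Feb 19 10:38:14 myhost sshd[3355]: Disconnected from "
               "authenticating user ftp 92.255.85.135 port 26138 [preauth]")
BARE_LINE = "Disconnected from authenticating user ftp 92.255.85.135 port 26138 [preauth]"

# Assumed stand-in for the syslog parser (stage s00-raw): it only understands the
# classic "<timestamp> <host> <program>[<pid>]: <message>" layout.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<machine>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Assumed stand-in for one sshd pattern (stage s01-parse).
SSHD_RE = re.compile(
    r"^Disconnected from authenticating user (?P<user>\S+) (?P<ip>[\d.]+) port \d+"
)

def s00_raw(line: str, label_type: str) -> dict:
    """Model of stage s00-raw: the syslog parser only runs when type is syslog."""
    parsed: dict = {}
    if label_type == "syslog":
        m = SYSLOG_RE.match(line)
        if m:
            parsed.update(m.groupdict())
            parsed["logsource"] = "syslog"
    else:
        # No syslog envelope to strip: the whole line is the message and the
        # acquisition label itself has to name the program.
        parsed["program"] = label_type
        parsed["message"] = line
    return parsed

def s01_parse(parsed: dict) -> Optional[dict]:
    """Model of the sshd parser: it only fires when evt.Parsed.program is sshd."""
    if parsed.get("program") != "sshd":
        return None
    m = SSHD_RE.match(parsed.get("message", ""))
    if not m:
        return None
    return {"log_type": "ssh_failed-auth", "service": "ssh",
            "source_ip": m.group("ip"), "target_user": m.group("user")}

def explain(line: str, label_type: str) -> Optional[dict]:
    """Run both stages for one line, the way the explain output walks the stages."""
    return s01_parse(s00_raw(line, label_type))
```

With type syslog the bare line never reaches the sshd stage, and with type sshd the bare line is parsed directly.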

bk-debug (Author) commented Sep 3, 2024

Ah I see. Thanks for clearing this up for me :)
