wip: update caddy to properly detect basic auth failures (#1015)
LaurenceJJones authored Apr 2, 2024
1 parent 71d3853 commit 08b4d35
Showing 7 changed files with 630 additions and 153 deletions.
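--- a/.tests/caddy-basic-auth-bf/caddy-logs.log
+++ b/.tests/caddy-basic-auth-bf/caddy-logs.log
@@ -0,0 +1,6 @@
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
+{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}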
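--- a/.tests/caddy-basic-auth-bf/config.yaml
+++ b/.tests/caddy-basic-auth-bf/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- "./parsers/s01-parse/crowdsecurity/caddy-logs.yaml"
+- crowdsecurity/http-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- "crowdsecurity/http-generic-bf"
+postoverflows:
+- ""
+collections: []
+log_file: caddy-logs.log
+log_type: caddy
+ignore_parsers: true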
1 change: 1 addition & 0 deletions .tests/caddy-basic-auth-bf/parser.assert
@@ -0,0 +1 @@

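--- a/.tests/caddy-basic-auth-bf/scenario.assert
+++ b/.tests/caddy-basic-auth-bf/scenario.assert
@@ -0,0 +1,87 @@
+len(results) == 1
+"127.0.0.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["127.0.0.1"].IP == "127.0.0.1"
+results[0].Overflow.Sources["127.0.0.1"].Range == ""
+results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[0].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[1].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[2].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[2].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[2].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[2].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[3].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[3].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[3].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[3].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[4].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[4].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[4].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[4].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "caddy-logs.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("http_args_len") == "0"
+results[0].Overflow.Alert.Events[5].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[5].GetMeta("http_status") == "401"
+results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "curl/7.88.1"
+results[0].Overflow.Alert.Events[5].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[5].GetMeta("target_fqdn") == "localhost:9080"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-03-29T19:50:27Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-generic-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6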
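Review bot: The `sub_type == "auth_fail"` and `Remediation == true` assertions are pinned for six events whose source records in this test's `caddy-logs.log` carry no `Authorization` header and are one record repeated (same `ts`, same `remote_port`), so the test locks in that 401 challenges to requests without credentials are enough to overflow `crowdsecurity/http-generic-bf`. The lines added to `.tests/caddy-logs/caddy-logs.log` show the two cases side by side: one 401 with an `Authorization` key present and a duration near 0.78 s, and one 401 without it that returns in microseconds. If the parser (not visible on this page) marks every 401 as `auth_fail`, a client that first requests the page without credentials contributes to the bucket on each visit. Consider building the brute-force fixture from records that include the `Authorization` key, with distinct timestamps and ports, and adding a negative case where header-less 401s are expected not to produce an overflow.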
5 changes: 4 additions & 1 deletion .tests/caddy-logs/caddy-logs.log
Expand Up @@ -4,4 +4,7 @@
{"level":"info","ts":1693840839.657635,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"42876","client_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"Accept":["*/*"],"User-Agent":["curl/7.74.0"]}},"bytes_read":0,"user_id":"","duration":0.000002689,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}
{"level":"info","ts":1693840840.2321608,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"42884","client_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"Accept":["*/*"],"User-Agent":["curl/7.74.0"]}},"bytes_read":0,"user_id":"","duration":0.000002693,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}
{"level":"info","ts":1693840840.5579731,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"42892","client_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"User-Agent":["curl/7.74.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000002928,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}
{"level":"info","ts":1693840840.896227,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"42894","client_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"User-Agent":["curl/7.74.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000002716,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}
{"level":"info","ts":1693840840.896227,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"42894","client_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"User-Agent":["curl/7.74.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000002716,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}
{"level":"error","ts":1711741798.0391326,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"46944","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"Authorization":[],"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.782670468,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
{"level":"error","ts":1711741827.9626286,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"54462","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000033987,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
{"level":"info","ts":1711741864.947103,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"43498","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:9080","uri":"/","headers":{"Authorization":[],"User-Agent":["curl/7.88.1"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"Bob","duration":0.794682124,"size":18630,"status":200,"resp_headers":{"Content-Type":["text/html; charset=utf-8"],"Last-Modified":["Fri, 08 Dec 2023 00:28:15 GMT"],"Accept-Ranges":["bytes"],"Content-Length":["18630"],"Server":["Caddy"],"Etag":["\"s5bnz3edi\""]}}