
enhance: Add stirling-pdf parser and scenario (#1142)
LaurenceJJones authored Oct 23, 2024
1 parent 8eced90 commit 15a1e5c
Showing 15 changed files with 547 additions and 0 deletions.
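--- a/.index.json
+++ b/.index.json
@@ -4963,6 +4963,27 @@
 "crowdsecurity/impossible-travel-user"
 ]
 },
+"crowdsecurity/stirling-pdf": {
+"path": "collections/crowdsecurity/stirling-pdf.yaml",
+"version": "0.1",
+"versions": {
+"0.1": {
+"digest": "3a53e0770c6173c3849f66aa83ccb474ca6e4d099798d41751bf6c02bec898d1",
+"deprecated": false
+}
+},
+"long_description": "IyMjIFN0aXJsaW5nLXBkZiBjb2xsZWN0aW9uCgpUaGlzIGNvbGxlY3Rpb24gY29udGFpbnMgYSBwYXJzZXIgYW5kIHNjZW5hcmlvIHRvIGRldGVjdCBhdXRoZW50aWNhdGlvbiBicnV0ZWZvcmNlIGF0dGFja3MgYWdhaW5zdCB0aGUgU3RpcmxpbmcgUERGIGxvZ2luIHBhbmVsLgoKRXhhbXBsZSBhY3F1aXNpdGlvbjoKCmBgYHlhbWwKZmlsZW5hbWVzOgogIC0gL3BhdGgvdG8vbG9ncy9pbnZhbGlkLWF1dGhzLmxvZwogIC0gL3BhdGgvdG8vbG9ncy9pbmZvLSoubG9nCmxhYmVsczoKICB0eXBlOiBzdGlybGluZy1wZGYKYGBgCg==",
+"content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3RpcmxpbmctcGRmLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9zdGlybGluZy1wZGYtYmYKZGVzY3JpcHRpb246ICJTdGlybGluZy1QREY6IHBhcnNlciBhbmQgYnJ1dGUtZm9yY2UgZGV0ZWN0aW9uIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4CiAgLSBzdGlybGluZy1wZGYKICAtIGJydXRlZm9yY2UKCgo=",
+"description": "Stirling-PDF: parser and brute-force detection",
+"author": "crowdsecurity",
+"labels": null,
+"parsers": [
+"crowdsecurity/stirling-pdf-logs"
+],
+"scenarios": [
+"crowdsecurity/stirling-pdf-bf"
+]
+},
 "crowdsecurity/supabase-compose": {
 "path": "collections/crowdsecurity/supabase-compose.yaml",
 "version": "0.2",
@@ -8328,6 +8349,22 @@
 "author": "crowdsecurity",
 "labels": null
 },
+"crowdsecurity/stirling-pdf-logs": {
+"path": "parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml",
+"stage": "s01-parse",
+"version": "0.1",
+"versions": {
+"0.1": {
+"digest": "1e37cb2637e0405936ec544a3958d052c13028d5980a5f404cce1b03d8fcc47f",
+"deprecated": false
+}
+},
+"long_description": "IyMjIFN0aXJsaW5nLXBkZiBwYXJzZXIKCkN1cnJlbnRseSB0aGlzIHBhcnNlciBvbmx5IHBhcnNlcyBhdXRoZW50aWNhdGlvbiBmYWlsdXJlIGxvZ3MKCkV4YW1wbGUgYWNxdWlzaXRpb246CgpgYGB5YW1sCmZpbGVuYW1lczoKICAtIC9wYXRoL3RvL2xvZ3MvaW52YWxpZC1hdXRocy5sb2cKICAtIC9wYXRoL3RvL2xvZ3MvaW5mby0qLmxvZwpsYWJlbHM6CiAgdHlwZTogc3RpcmxpbmctcGRmCmBgYAo=",
+"content": "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",
+"description": "Parse Stirling PDF logs",
+"author": "crowdsecurity",
+"labels": null
+},
 "crowdsecurity/supabase-docker-pgsql": {
 "path": "parsers/s01-parse/crowdsecurity/supabase-docker-pgsql.yaml",
 "stage": "s01-parse",
@@ -14829,6 +14866,31 @@
 "spoofable": 0
 }
 },
+"crowdsecurity/stirling-pdf-bf": {
+"path": "scenarios/crowdsecurity/stirling-pdf-bf.yaml",
+"version": "0.1",
+"versions": {
+"0.1": {
+"digest": "18bd06a7ba000717fdd3985954ab09b6191388d98bc6b977eae778c702c1fefb",
+"deprecated": false
+}
+},
+"long_description": "RGV0ZWN0cyBhdXRoZW50aWNhdGlvbiBicnV0ZWZvcmNlIG9uIHN0aXJsaW5nLXBkZiBsb2dpbiBwYW5lbCB3aXRoIGEgY2FwYWNpdHkgb2YgMyBhbmQgYSBsZWFrc3BlZWQgb2YgMTAgc2Vjb25kcyBwZXIgZXZlbnQ=",
+"content": "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",
+"description": "Detect stirling pdf bruteforce",
+"author": "crowdsecurity",
+"labels": {
+"behavior": "generic:bruteforce",
+"classification": [
+"attack.T1110"
+],
+"confidence": 3,
+"label": "Stirling PDF Bruteforce",
+"remediation": true,
+"service": "stirling-pdf",
+"spoofable": 0
+}
+},
 "crowdsecurity/suricata-alerts": {
 "path": "scenarios/crowdsecurity/suricata-alerts.yaml",
 "version": "0.4",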
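--- /dev/null
+++ b/.tests/stirling-pdf-bf/config.yaml
@@ -0,0 +1,12 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- "./scenarios/crowdsecurity/stirling-pdf-bf.yaml"
+postoverflows:
+- ""
+log_file: stirling-pdf.log
+log_type: stirling-pdf
+labels: {}
+ignore_parsers: true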
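Review bot: The scenario path under `scenarios:` is double-quoted while the parser path two lines above it and the equivalent entries in `.tests/stirling-pdf-logs/config.yaml` are bare, a needless inconsistency between two fixtures added in the same commit. `- ./scenarios/crowdsecurity/stirling-pdf-bf.yaml` reads the same as its neighbours and is what the sibling config uses for its parser entry.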
Empty file.
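--- /dev/null
+++ b/.tests/stirling-pdf-bf/scenario.assert
@@ -0,0 +1,33 @@
+len(results) == 1
+"::1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["::1"].IP == "::1"
+results[0].Overflow.Sources["::1"].Range == ""
+results[0].Overflow.Sources["::1"].GetScope() == "Ip"
+results[0].Overflow.Sources["::1"].GetValue() == "::1"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "failed_authentication"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stirling-pdf"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-10-10T12:59:53.237Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "failed_authentication"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "stirling-pdf"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-10-10T12:59:53.237Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "failed_authentication"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "stirling-pdf"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-10-10T12:59:58.543Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "stirling-pdf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "failed_authentication"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "stirling-pdf"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-10-10T12:59:58.543Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/stirling-pdf-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 4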
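Review bot: Every source asserted here is `::1`, and `Remediation == true` is asserted against it, so the test pins the behaviour that a decision is taken on whatever address Stirling-PDF writes after `Failed login attempt from IP:`. When the application runs behind a reverse proxy (a common Docker layout, and the likely reason the captured sample shows the loopback address) that field holds the proxy's address rather than the client's, and the scenario would then ban the proxy; I can't confirm from this view how the scenario or parser body handles that, since their content is not shown. Suggest stating in the collection's long_description that Stirling-PDF must be configured to log the forwarded client address, or that the proxy address be whitelisted, before remediation is enabled, and adding a fixture with a non-loopback source so the assertions cover the realistic case.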
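--- /dev/null
+++ b/.tests/stirling-pdf-bf/stirling-pdf.log
@@ -0,0 +1,6 @@
+2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]
+2024-10-10 12:59:53,237 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-102] Failed login attempt from IP: [::1]
+2024-10-10 12:59:58,543 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]
+2024-10-10 12:59:58,543 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]
+2024-10-10 12:59:58,543 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]
+2024-10-10 12:59:58,543 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1176] Failed login attempt from IP: [::1]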
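Review bot: All six fixture lines carry the bracketed IPv6 loopback `[::1]`, so the parser's address extraction is only exercised for one shape of input and an IPv4 address (or a non-loopback IPv6 address) is never seen by the test; the parser body is not visible in this view, so whether its pattern accepts IPv4 is unverified here. A constructed line such as `2024-10-10 13:00:01,001 ERROR s.s.S.c.s.CustomAuthenticationFailureHandler [qtp877788296-1180] Failed login attempt from IP: [198.51.100.7]` (documentation-range address) would cover it, with the matching `source_ip` assertion added to the parser test. The repeated identical timestamps are fine for the bucket logic but a distinct timestamp per line would also make the ordering assertions in scenario.assert less ambiguous.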
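--- /dev/null
+++ b/.tests/stirling-pdf-logs/config.yaml
@@ -0,0 +1,12 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/crowdsecurity/stirling-pdf-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: stirling-pdf.log
+log_type: stirling-pdf
+labels: {}
+ignore_parsers: false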

