Using the collection here: https://app.crowdsec.net/hub/author/ZoeyVid/collections/npmplus

The npmplus-logs parser fails to parse log lines, and I wanted to reach you before I waste too much time learning to fix it in case the issue is somewhere else. I force-upgraded the parser to restore the original state before reporting the issue. The explain parameter was used with the log and file options. The setup itself consists of the npmplus container installed with the proxmox helper scripts.
If I'm not mistaken, parser success is achieved only when the line is whitelisted or matches a scenario. It could explain the test results in cscli_explain_pt2.txt. Basically, lines with a local IP work well, or at least they are handled because of the whitelist. I cannot get safe or attack attempts to work when a public IP is used. There are many scenarios installed, such as http-sensitive-files.
I tested the access.log itself, and for some reason most, if not all, of it was whitelisted even with the public IPs. The whitelisted local IP, a real attack by someone, and the custom whitelist itself are attached in whitelist+access-log_lines.txt.
I also tried a lot of things by modifying the parser, such as changing the timestamp and other pattern-related parts extensively and moving the onsuccess. None of them gave any good results to share.
This is a bit of an unrelated topic of its own, but I would really like to understand it better. I expect openappsec to handle many attacks, but I still often see something logged by crowdsec, and mostly I'm worried about the security of the locally hosted, publicly accessible services. I'm a bit confused whether openappsec/crowdsec should only block when some scenario is fulfilled, or whether I should also put e.g. the openwrt router firewall to use with it to block the IPs (or just the server/container-side firewall). As far as I understand, currently no firewalls play any role in this topic. Also, openappsec log checking is missing on the Crowdsec side, and I'm not sure whether it's necessary.