Custom scenario and local RegexpInFile data

Hi, based on http-bad-user-agent, i've created a

local/http-bad-user-agent

local/http-bad-user-agent

type: trigger
format: 2.0
#debug: true
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
debug: false
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"

type: trigger
format: 2.0
#debug: true
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
debug: false
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"

file exists in data

-rw------- 1 root root 1,4K 16 sept. 20:18 /var/lib/crowdsec/data/local_bad_user_agents.regex.txt

-rw------- 1 root root 1,4K 16 sept. 20:18 /var/lib/crowdsec/data/local_bad_user_agents.regex.txt

# head /var/lib/crowdsec/data/local_bad_user_agents.regex.txt -n 3
\bAddSearchBot\b
\bAhrefsBot\b
\bAI2Bot\b

# head /var/lib/crowdsec/data/local_bad_user_agents.regex.txt -n 3
\bAddSearchBot\b
\bAhrefsBot\b
\bAI2Bot\b

But nothing match, it look like the regex file is not used.

Doc is not clear for local custom scenario and regexpInFile part.

Do you known how to solve this please ?

Thanks a lot

CrowdSec•5mo ago•

5 replies

Erwane

Custom scenario and local RegexpInFile data

Hi, based on http-bad-user-agent, i've created a

local/http-bad-user-agent

local/http-bad-user-agent

type: trigger
format: 2.0
#debug: true
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
debug: false
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"

type: trigger
format: 2.0
#debug: true
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
debug: false
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"

file exists in data

-rw------- 1 root root 1,4K 16 sept. 20:18 /var/lib/crowdsec/data/local_bad_user_agents.regex.txt

-rw------- 1 root root 1,4K 16 sept. 20:18 /var/lib/crowdsec/data/local_bad_user_agents.regex.txt

# head /var/lib/crowdsec/data/local_bad_user_agents.regex.txt -n 3
\bAddSearchBot\b
\bAhrefsBot\b
\bAI2Bot\b

# head /var/lib/crowdsec/data/local_bad_user_agents.regex.txt -n 3
\bAddSearchBot\b
\bAhrefsBot\b
\bAI2Bot\b

But nothing match, it look like the regex file is not used.

Doc is not clear for local custom scenario and regexpInFile part.

Do you known how to solve this please ?

Thanks a lot

Custom scenario and local RegexpInFile data

Similar Threads

Custom scenario and local RegexpInFile data

Similar Threads

Similar Threads

Similar Threads