secubox-openwrt/package/secubox/secubox-app-crowdsec-custom/files/parsers/s01-parse/secubox-webapp.yaml
CyberMind-FR 1fb2b11d4a feat(crowdsec+haproxy): Dashboard refactor, custom parsers & scenarios
CrowdSec Dashboard:
- Refactor all views (alerts, bouncers, decisions, overview, settings)
- Add soc.css for Security Operations Center styling
- Remove 3000+ lines of redundant code

CrowdSec Custom Parsers & Scenarios:
- Add secubox-gitea parser and bruteforce scenario
- Add secubox-haproxy parser and bruteforce scenario
- Add secubox-streamlit parser and bruteforce scenario
- Add secubox-webapp parser and bruteforce scenario
- Update Makefile for new parser/scenario files

HAProxy:
- Update api.js, backends.js view improvements
- Update luci.haproxy RPCD backend
- Update haproxyctl helper script

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 11:16:17 +01:00

42 lines
1.3 KiB
YAML

# CrowdSec parser for SecuBox Webapp logs
# Parses generic web application authentication events
onsuccess: next_stage
name: secubox/webapp-logs
description: "Parse SecuBox Webapp logs"
filter: "evt.Line.Labels.type == 'webapp'"
grok:
  pattern: '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}'
  apply_on: message
statics:
  - meta: log_type
    value: webapp
  - meta: service
    value: webapp
---
# Parse webapp authentication failures
# Depends on evt.Meta.log_type, which secubox/webapp-logs above sets; that node's
# "onsuccess: next_stage" moves a matching event on to the next stage.
onsuccess: next_stage
name: secubox/webapp-auth-failure
description: "Parse webapp authentication failures"
filter: "evt.Meta.log_type == 'webapp' && (evt.Parsed.message contains 'auth' || evt.Parsed.message contains 'login')"
grok:
  pattern: '.*%{IP:source_ip}.*(?:failed|denied|invalid|error)'
  apply_on: message
statics:
  - meta: auth_success
    value: "false"
---
# Parse Nginx access for webapp (401/403)
# The filter is evaluated before this node's grok runs, so evt.Parsed.http_status
# must already have been set by an earlier parser for the node to match.
onsuccess: next_stage
name: secubox/webapp-nginx-auth
description: "Parse Nginx auth failures for webapp"
filter: "evt.Line.Labels.type == 'nginx' && evt.Parsed.http_status in ['401', '403']"
grok:
  pattern: '%{IP:source_ip} - %{NOTSPACE:user} \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{INT:http_status}'
  apply_on: message
statics:
  - meta: auth_success
    value: "false"
  - meta: log_type
    value: webapp_nginx
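
The secubox/webapp-auth-failure grok puts a greedy `.*` in front of `%{IP:source_ip}` and expects the failure keyword after the address, and both choices affect what is captured. The Python check below is an added example, not code from the SecuBox repository; it expands the grok into plain regexes and compares captures, and the IPv4 expression, the `TIGHTENED` variant and the sample messages are assumptions constructed here.

```python
import re

# Stand-ins for the grok sub-patterns. Assumption: the IPv4 expression has no
# digit-boundary guards, which RE2-style engines cannot express as lookarounds.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"
FAIL = r"(?:failed|denied|invalid|error)"

# The auth-failure pattern as written in the parser, %{IP:source_ip} expanded.
AS_WRITTEN = [re.compile(rf".*(?P<source_ip>{IPV4}).*{FAIL}")]

# Hypothetical tightened variant (not from the repository): word boundaries
# around the address and keyword, and the keyword accepted on either side.
TIGHTENED = [
    re.compile(rf"\b{FAIL}\b.*?\b(?P<source_ip>{IPV4})\b"),
    re.compile(rf"\b(?P<source_ip>{IPV4})\b.*\b{FAIL}\b"),
]

# Constructed message fields; addresses come from documentation ranges.
SAMPLES = [
    "auth from 203.0.113.7 failed",
    "login failed for admin from 198.51.100.24",
    "login ok for admin from 192.0.2.10 errors=0",
]


def extract(line, patterns):
    """Return the source_ip captured by the first matching pattern, or None."""
    for rx in patterns:
        m = rx.search(line)
        if m:
            return m.group("source_ip")
    return None


def compare(lines):
    """Pair each line with (as-written capture, tightened capture)."""
    return [(extract(l, AS_WRITTEN), extract(l, TIGHTENED)) for l in lines]


if __name__ == "__main__":
    for line, (old, new) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{line!r}: as written={old} tightened={new}")
```

On a live install, `cscli explain --log '<line>' --type webapp` shows what the real grok engine captures for the same lines.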