From e1df296694ccb23d3bd49290d3e25b0072b3b7c8 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Fri, 13 Dec 2024 17:19:06 +0100 Subject: [PATCH 01/25] add EXECVE support, change old syscall+execve generated log type --- .../s01-parse/crowdsecurity/auditd-logs.yaml | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml index fbdd8251a65..c4164b46c92 100644 --- a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml @@ -1,8 +1,17 @@ #type=SYSCALL msg=audit(1672330955.273:4433): arch=c000003e syscall=263 success=no exit=-2 a0=ffffff9c a1=557162396590 a2=0 a3=0 items=1 ppid=144571 pid=145400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=79 comm="rm" exe="/usr/bin/rm" key="file_modification" + + +#type=SYSCALL msg=audit(1734093141.455:922): arch=c000003e syscall=59 success=yes exit=0 a0=563db14c9800 a1=563db14c6370 a2=563db14c5e70 a3=8 items=2 ppid=1344351 pid=1344358 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5448 comm="id" exe="/usr/bin/id" key="recon" +#type=EXECVE msg=audit(1734093141.455:922): argc=2 a0="id" a1="-a" +#type=PATH msg=audit(1734093141.455:922): item=0 name="/usr/bin/id" inode=5505499 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +#type=PATH msg=audit(1734093141.455:922): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5505904 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 + + name: crowdsecurity/auditd-logs description: "Parse auditd logs" filter: "evt.Parsed.program == 'auditd'" onsuccess: next_stage +debug: true pattern_syntax: FLOAT: '[0-9\.]+' 
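Review bot: `debug: true` is added to the parser's top-level configuration and will ship to every installation of crowdsecurity/auditd-logs, so the engine will emit its per-node debug output, presumably including the parsed meta fields and the process arguments they carry, for every auditd line on every host. The scenario files touched later in this series keep the flag off as `#debug: true`, and this parser should do the same before merge: `#debug: true`. Only the top-level keys are in this hunk; the nodes block that the flag affects is outside it.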
@@ -14,10 +23,23 @@ nodes: pattern: '%{WORD:msg_type}\(%{FLOAT:timestamp}:%{INT:event_inc_id}\):' expression: evt.Unmarshaled.auditd.msg nodes: - - filter: evt.Unmarshaled.auditd.type == "SYSCALL" and evt.Unmarshaled.auditd.arch == "c000003e" and evt.Unmarshaled.auditd.syscall == "59" +# add EXECVE : +# type=EXECVE msg=audit(1734093713.565:1031): argc=101 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13" a14="14" a15="15" a16="16" a17="17" a18="18" a19="19" a20="20" a21="21" a22="22" a23="23" a24="24" a25="25" a26="26" a27="27" a28="28" a29="29" a30="30" a31="31" a32="32" a33="33" a34="34" a35="35" a36="36" a37="37" a38="38" a39="39" a40="40" a41="41" a42="42" a43="43" a44="44" a45="45" a46="46" a47="47" a48="48" a49="49" a50="50" a51="51" a52="52" a53="53" a54="54" a55="55" a56="56" a57="57" a58="58" a59="59" a60="60" a61="61" a62="62" a63="63" a64="64" a65="65" a66="66" a67="67" a68="68" a69="69" a70="70" a71="71" a72="72" a73="73" a74="74" a75="75" a76="76" a77="77" a78="78" a79="79" a80="80" a81="81" a82="82" a83="83" a84="84" a85="85" a86="86" a87="87" a88="88" a89="89" a90="90" a91="91" a92="92" a93="93" a94="94" a95="95" a96="96" a97="97" a98="98" a99="99" a100="100" + - filter: evt.Unmarshaled.auditd.type == "EXECVE" statics: - meta: log_type value: execve + - meta: execve_full_str + #we only keep the "a[0-9]+" keys and join them into a string + #we're not dealing yet with hex encoded arguments + expression: | + let args = evt.Unmarshaled.auditd | keys() | filter(# matches "^a[0-9]+$"); + map(sortBy(args, { int(#[1:]) }, "asc"), get(evt.Unmarshaled.auditd, #)) | join(" ") + + - filter: evt.Unmarshaled.auditd.type == "SYSCALL" and evt.Unmarshaled.auditd.arch == "c000003e" and evt.Unmarshaled.auditd.syscall == "59" + statics: + - meta: log_type + value: syscall_execve #let's hydrate with ppid process if we can :) - target: evt.Meta.parent_progname expression: GetFromStash("auditd_pid_progname", 
evt.Unmarshaled.auditd.ppid)
From 0891dc4cf6da02da045141042155b58c0c3bd325 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Fri, 13 Dec 2024 17:19:18 +0100
Subject: [PATCH 02/25] reflect change on log_type for syscall+execve
---
 scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml | 2 +-
 scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml | 2 +-
 scenarios/crowdsecurity/auditd-postexploit-pkill.yaml | 2 +-
 scenarios/crowdsecurity/auditd-postexploit-rm.yaml | 2 +-
 scenarios/crowdsecurity/auditd-suid-crash.yaml | 2 +-
 scenarios/crowdsecurity/auditd-sus-exec.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml b/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
index 5f865731c1a..99ea946a267 100644
--- a/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
+++ b/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
@@ -2,7 +2,7 @@ type: conditional
 #debug: true
 name: crowdsecurity/auditd-base64-exec-behavior
 description: "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)"
-filter: evt.Meta.log_type == 'execve'
+filter: evt.Meta.log_type == 'syscall_execve'
 #grouping by ppid to track a processs invoking base64 and interpreter in sequence
 groupby: evt.Meta.ppid
 condition: |
diff --git a/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml b/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
index 36e05e698bc..4f694342368 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
@@ -1,7 +1,7 @@
 type: conditional
 name: crowdsecurity/auditd-postexploit-exec-from-net
 description: "Detect post-exploitation behaviour : curl/wget and exec"
-filter: evt.Meta.log_type == 'execve'
+filter: evt.Meta.log_type == 'syscall_execve'
 #grouping by ppid to track a process doing those action in a short timeframe
 groupby: evt.Meta.ppid
 condition: |
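Review bot: The new EXECVE node emits the meta value `execve` that the SYSCALL-59 node emitted until this commit, so any scenario still filtering on `evt.Meta.log_type == 'execve'` (the in-tree ones are renamed in the next patch, locally written or third-party ones are not) silently starts matching EXECVE records, which carry argc/aN fields but not the ppid/exe/uid fields the old events had. A value that cannot collide, such as `execve_args`, or at least a comment on the node stating that `execve` now designates the EXECVE record and that `syscall_execve` is the replacement for the old meaning, would make the break visible to scenario authors. Separately, `execve_full_str` keeps only keys matching `^a[0-9]+$`; auditd splits over-long arguments into `aN_len`/`aN[0]`/`aN[1]` keys and emits arguments containing whitespace or non-printable bytes as unquoted hex, so the first kind is silently dropped from the joined string and the second is unreadable — the hex case is already acknowledged in the comment, the split-argument case should be noted next to it. The enclosing `nodes:` list continues outside the hunk.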
diff --git a/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml b/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
index df89524b839..745ece34e41 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
@@ -3,7 +3,7 @@ type: leaky
 name: crowdsecurity/auditd-postexploit-pkill
 description: "Detect post-exploitation behaviour : pkill execve bursts"
 #we're looking for the EXCVE syscalls to 'pkill' (which is actually pgrep)
-filter: evt.Meta.log_type == 'execve' && evt.Meta.exe == '/usr/bin/pgrep'
+filter: evt.Meta.log_type == 'syscall_execve' && evt.Meta.exe == '/usr/bin/pgrep'
 #grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
 groupby: evt.Meta.ppid
 leakspeed: 1s
diff --git a/scenarios/crowdsecurity/auditd-postexploit-rm.yaml b/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
index 28df9573d09..5cb9a8a1907 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
@@ -2,7 +2,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/auditd-postexploit-rm
 description: "Detect post-exploitation behaviour : rm execve bursts"
-filter: evt.Meta.log_type == 'execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
+filter: evt.Meta.log_type == 'syscall_execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
 #grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
 groupby: evt.Meta.ppid
 leakspeed: 1s
diff --git a/scenarios/crowdsecurity/auditd-suid-crash.yaml b/scenarios/crowdsecurity/auditd-suid-crash.yaml
index 6bde32c5929..b7cff0beac9 100644
--- a/scenarios/crowdsecurity/auditd-suid-crash.yaml
+++ b/scenarios/crowdsecurity/auditd-suid-crash.yaml
@@ -2,7 +2,7 @@ type: conditional
 name: crowdsecurity/auditd-suid-crash
 description: "Detect root suid process crashing"
 filter: |
- (evt.Meta.log_type == 'execve' && evt.Meta.euid == '0' && evt.Meta.auid != '0') ||
+ (evt.Meta.log_type == 'syscall_execve' && evt.Meta.euid == '0' && evt.Meta.auid != '0') ||
 (evt.Meta.log_type == 'anom_abend' && evt.Meta.sig in ["4", "5", "6", "7", "11"])
 groupby: evt.Meta.pid
 distinct: evt.Meta.log_type
diff --git a/scenarios/crowdsecurity/auditd-sus-exec.yaml b/scenarios/crowdsecurity/auditd-sus-exec.yaml
index 86f3ea890e1..9ed5445a995 100644
--- a/scenarios/crowdsecurity/auditd-sus-exec.yaml
+++ b/scenarios/crowdsecurity/auditd-sus-exec.yaml
@@ -2,7 +2,7 @@ type: trigger
 #debug: true
 name: crowdsecurity/auditd-sus-exec
 description: "Detect post-exploitation behaviour : exec from suspicious locations"
-filter: evt.Meta.log_type == 'execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
+filter: evt.Meta.log_type == 'syscall_execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
 labels:
 confidence: 2
 spoofable: 0
From 9d3c8d722ee7c14f1deaf793e0897b8435d83104 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Fri, 13 Dec 2024 16:20:03 +0000
Subject: [PATCH 03/25] Update index
---
 .index.json | 56 ++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 14 deletions(-)
diff --git a/.index.json b/.index.json
index 43067689349..312cd589849 100644
--- a/.index.json
+++ b/.index.json
@@ -7806,7 +7806,7 @@ "crowdsecurity/auditd-logs": { "path": "parsers/s01-parse/crowdsecurity/auditd-logs.yaml", "stage": "s01-parse", - "version": "0.9", + "version": "1.0", "versions": { "0.1": { "digest": "fa23b38e12ef4abce21475ad78c3d6650538c88e68f8235f74afc238345b0279", 
@@ -7843,9 +7843,13 @@ "0.9": { "digest": "a8302c5a00fd74c13205934a6b101b5216ba93f2798fcbf816cc361bd63c829f", "deprecated": false + }, + "1.0": { + "digest": "4a3e90a2064ff4ef39566f9d8f85e8909ba39ee5530b3407f73e7961bcd6b187", + "deprecated": false } }, - "content": "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", + "content": "I3R5cGU9U1lTQ0FMTCBtc2c9YXVkaXQoMTY3MjMzMDk1NS4yNzM6NDQzMyk6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD0yNjMgc3VjY2Vzcz1ubyBleGl0PS0yIGEwPWZmZmZmZjljIGExPTU1NzE2MjM5NjU5MCBhMj0wIGEzPTAgaXRlbXM9MSBwcGlkPTE0NDU3MSBwaWQ9MTQ1NDAwIGF1aWQ9MTAwMCB1aWQ9MTAwMCBnaWQ9MTAwMCBldWlkPTEwMDAgc3VpZD0xMDAwIGZzdWlkPTEwMDAgZWdpZD0xMDAwIHNnaWQ9MTAwMCBmc2dpZD0xMDAwIHR0eT1wdHMwIHNlcz03OSBjb21tPSJybSIgZXhlPSIvdXNyL2Jpbi9ybSIga2V5PSJmaWxlX21vZGlmaWNhdGlvbiIKCgojdHlwZT1TWVNDQUxMIG1zZz1hdWRpdCgxNzM0MDkzMTQxLjQ1NTo5MjIpOiBhcmNoPWMwMDAwMDNlIHN5c2NhbGw9NTkgc3VjY2Vzcz15ZXMgZXhpdD0wIGEwPTU2M2RiMTRjOTgwMCBhMT01NjNkYjE0YzYzNzAgYTI9NTYzZGIxNGM1ZTcwIGEzPTggaXRlbXM9MiBwcGlkPTEzNDQzNTEgcGlkPTEzNDQzNTggYXVpZD0xMDAwIHVpZD0xMDAwIGdpZD0xMDAwIGV1aWQ9MTAwMCBzdWlkPTEwMDAgZnN1aWQ9MTAwMCBlZ2lkPTEwMDAgc2dpZD0xMDAwIGZzZ2lkPTEwMDAgdHR5PXB0czEgc2VzPTU0NDggY29tbT0iaWQiIGV4ZT0iL3Vzci9iaW4vaWQiIGtleT0icmVjb24iCiN0eXBlPUVYRUNWRSBtc2c9YXVkaXQoMTczNDA5MzE0MS40NTU6OTIyKTogYXJnYz0yIGEwPSJpZCIgYTE9Ii1hIgojdHlwZT1QQVRIIG1zZz1hdWRpdCgxNzM0MDkzMTQxLjQ1NTo5MjIpOiBpdGVtPTAgbmFtZT0iL3Vzci9iaW4vaWQiIGlub2RlPTU1MDU0OTkgZGV2PTA4OjAyIG1vZGU9MDEwMDc1NSBvdWlkPTAgb2dpZD0wIHJkZXY9MDA6MDAgbmFtZXR5cGU9Tk9STUFMIGNhcF9mcD0wIGNhcF9maT0wIGNhcF9mZT0wIGNhcF9mdmVyPTAgY2FwX2Zyb290aWQ9MAojdHlwZT1QQVRIIG1zZz1hdWRpdCgxNzM0MDkzMTQxLjQ1NTo5MjIpOiBpdGVtPTEgbmFtZT0iL2xpYjY0L2xkLWxpbnV4LXg4Ni02NC5zby4yIiBpbm9kZT01NTA1OTA0IGRldj0wODowMiBtb2RlPTAxMDA3NTUgb3VpZD0wIG9naWQ9MCByZGV2PTAwOjAwIG5hbWV0eXBlPU5PUk1BTCBjYXBfZnA9MCBjYXBfZmk9MCBjYXBfZmU9MCBjYXBfZnZlcj0wIGNhcF9mcm9vdGlkPTAKCgpuYW1lOiBjcm93ZHNlY3VyaXR5L2F1ZGl0ZC1sb2dzCmRlc2NyaXB0aW9uOiAiUGFyc2UgYXVkaXRkIGxvZ3MiCmZpbHRlcjogImV2dC5QYXJzZWQucHJvZ3JhbSA9PSAnYXVkaXRkJyIKb25zdWNjZXNzOiBuZXh0X3N
0YWdlCmRlYnVnOiB0cnVlCnBhdHRlcm5fc3ludGF4OgogIEZMT0FUOiAnWzAtOVwuXSsnCgpub2RlczoKICAjU1lTQ0FMTCA1OSBvbiB4ODZfNjQgLT4gZXhlY3ZlCiAgLSBmaWx0ZXI6IFBhcnNlS1YoZXZ0LlBhcnNlZC5tZXNzYWdlLCBldnQuVW5tYXJzaGFsZWQsICJhdWRpdGQiKSA9PSBuaWwgIyA9PSBuaWwgaXMgcmVxdWlyZWQgYmVjYXVzZSBQYXJzZUtWIGRvZXMgbm90IHJldHVybiBhIHZhbHVlCiAgICBub2RlczoKICAgICAgLSBncm9rOgogICAgICAgICAgcGF0dGVybjogJyV7V09SRDptc2dfdHlwZX1cKCV7RkxPQVQ6dGltZXN0YW1wfTole0lOVDpldmVudF9pbmNfaWR9XCk6JwogICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5tc2cKICAgICAgICBub2RlczoKIyBhZGQgRVhFQ1ZFIDogCiMgdHlwZT1FWEVDVkUgbXNnPWF1ZGl0KDE3MzQwOTM3MTMuNTY1OjEwMzEpOiBhcmdjPTEwMSBhMD0iaWQiIGExPSIxIiBhMj0iMiIgYTM9IjMiIGE0PSI0IiBhNT0iNSIgYTY9IjYiIGE3PSI3IiBhOD0iOCIgYTk9IjkiIGExMD0iMTAiIGExMT0iMTEiIGExMj0iMTIiIGExMz0iMTMiIGExND0iMTQiIGExNT0iMTUiIGExNj0iMTYiIGExNz0iMTciIGExOD0iMTgiIGExOT0iMTkiIGEyMD0iMjAiIGEyMT0iMjEiIGEyMj0iMjIiIGEyMz0iMjMiIGEyND0iMjQiIGEyNT0iMjUiIGEyNj0iMjYiIGEyNz0iMjciIGEyOD0iMjgiIGEyOT0iMjkiIGEzMD0iMzAiIGEzMT0iMzEiIGEzMj0iMzIiIGEzMz0iMzMiIGEzND0iMzQiIGEzNT0iMzUiIGEzNj0iMzYiIGEzNz0iMzciIGEzOD0iMzgiIGEzOT0iMzkiIGE0MD0iNDAiIGE0MT0iNDEiIGE0Mj0iNDIiIGE0Mz0iNDMiIGE0ND0iNDQiIGE0NT0iNDUiIGE0Nj0iNDYiIGE0Nz0iNDciIGE0OD0iNDgiIGE0OT0iNDkiIGE1MD0iNTAiIGE1MT0iNTEiIGE1Mj0iNTIiIGE1Mz0iNTMiIGE1ND0iNTQiIGE1NT0iNTUiIGE1Nj0iNTYiIGE1Nz0iNTciIGE1OD0iNTgiIGE1OT0iNTkiIGE2MD0iNjAiIGE2MT0iNjEiIGE2Mj0iNjIiIGE2Mz0iNjMiIGE2ND0iNjQiIGE2NT0iNjUiIGE2Nj0iNjYiIGE2Nz0iNjciIGE2OD0iNjgiIGE2OT0iNjkiIGE3MD0iNzAiIGE3MT0iNzEiIGE3Mj0iNzIiIGE3Mz0iNzMiIGE3ND0iNzQiIGE3NT0iNzUiIGE3Nj0iNzYiIGE3Nz0iNzciIGE3OD0iNzgiIGE3OT0iNzkiIGE4MD0iODAiIGE4MT0iODEiIGE4Mj0iODIiIGE4Mz0iODMiIGE4ND0iODQiIGE4NT0iODUiIGE4Nj0iODYiIGE4Nz0iODciIGE4OD0iODgiIGE4OT0iODkiIGE5MD0iOTAiIGE5MT0iOTEiIGE5Mj0iOTIiIGE5Mz0iOTMiIGE5ND0iOTQiIGE5NT0iOTUiIGE5Nj0iOTYiIGE5Nz0iOTciIGE5OD0iOTgiIGE5OT0iOTkiIGExMDA9IjEwMCIKICAgICAgICAgIC0gZmlsdGVyOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnR5cGUgPT0gIkVYRUNWRSIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogZXh
lY3ZlCiAgICAgICAgICAgICAgLSBtZXRhOiBleGVjdmVfZnVsbF9zdHIKICAgICAgICAgICAgICAgICN3ZSBvbmx5IGtlZXAgdGhlICJhWzAtOV0rIiBrZXlzIGFuZCBqb2luIHRoZW0gaW50byBhIHN0cmluZwogICAgICAgICAgICAgICAgI3dlJ3JlIG5vdCBkZWFsaW5nIHlldCB3aXRoIGhleCBlbmNvZGVkIGFyZ3VtZW50cwogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogfAogICAgICAgICAgICAgICAgICBsZXQgYXJncyA9IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQgfCBrZXlzKCkgfCBmaWx0ZXIoIyBtYXRjaGVzICJeYVswLTldKyQiKTsKICAgICAgICAgICAgICAgICAgbWFwKHNvcnRCeShhcmdzLCB7IGludCgjWzE6XSkgfSwgImFzYyIpLCBnZXQoZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZCwgIykpIHwgam9pbigiICIpCgogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiU1lTQ0FMTCIgYW5kIGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYXJjaCA9PSAiYzAwMDAwM2UiIGFuZCBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnN5c2NhbGwgPT0gIjU5IgogICAgICAgICAgICBzdGF0aWNzOgogICAgICAgICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgICAgICAgIHZhbHVlOiBzeXNjYWxsX2V4ZWN2ZQogICAgICAgICAgICAgICNsZXQncyBoeWRyYXRlIHdpdGggcHBpZCBwcm9jZXNzIGlmIHdlIGNhbiA6KQogICAgICAgICAgICAgIC0gdGFyZ2V0OiBldnQuTWV0YS5wYXJlbnRfcHJvZ25hbWUKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IEdldEZyb21TdGFzaCgiYXVkaXRkX3BpZF9wcm9nbmFtZSIsIGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucHBpZCkKICAgICAgICAgICAgI2xldCdzIGNhcHR1cmUgcHJvY2VzcyBuYW1lIGlmIHdlIGNhbgogICAgICAgICAgICBzdGFzaDoKICAgICAgICAgICAgICAtIG5hbWU6IGF1ZGl0ZF9waWRfcHJvZ25hbWUKICAgICAgICAgICAgICAgIGtleTogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5waWQKICAgICAgICAgICAgICAgIHZhbHVlOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmV4ZQogICAgICAgICAgICAgICAgdHRsOiAxbQogICAgICAgICAgICAgICAgc2l6ZTogMTAwCiAgICAgICAgICAtIGZpbHRlcjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC50eXBlID09ICJBTk9NX0FCRU5EIgogICAgICAgICAgICBzdGF0aWNzOgogICAgICAgICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgICAgICAgIHZhbHVlOiBhbm9tX2FiZW5kCiAgICAgICAgc3RhdGljczoKICAgICAgICAgIC0gdGFyZ2V0OiBldnQuU3RyVGltZQogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnRpbWVzdGFtcAogICAgICAgICAgLSBtZXRhOiBwcGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucHBpZAogICAgICAgICAgLSBtZXRhOiBleGUKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl
0ZC5leGUKICAgICAgICAgIC0gbWV0YTogdWlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudWlkCiAgICAgICAgICAtIG1ldGE6IGF1aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5hdWlkCiAgICAgICAgICAtIG1ldGE6IGV1aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5ldWlkCiAgICAgICAgICAtIG1ldGE6IGdpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmdpZAogICAgICAgICAgLSBtZXRhOiBzZXMKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zZXMKICAgICAgICAgIC0gbWV0YTogc3ViagogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnN1YmoKICAgICAgICAgIC0gbWV0YTogcGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucGlkCiAgICAgICAgICAtIG1ldGE6IGNvbW0KICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5jb21tCiAgICAgICAgICAtIG1ldGE6IHNpZwogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnNpZwogICAgICAgICAgLSBtZXRhOiB0dHkKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC50dHkKICAgICAgICAgIC0gbWV0YTogcmVzCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucmVzCiAgICAgICAgICAtIG1ldGE6IHN0cl9VSUQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5VSUQKICAgICAgICAgIC0gbWV0YTogc3RyX0dJRAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLkdJRCAKICAgICAgICAgIC0gbWV0YTogYXVkaXRkX2V2ZW50aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlBhcnNlZC5ldmVudF9pbmNfaWQK", "description": "Parse auditd logs", "author": "crowdsecurity", "labels": null @@ -12272,7 +12276,7 @@ }, "crowdsecurity/auditd-base64-exec-behavior": { "path": "scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml", - "version": "0.5", + "version": "0.6", "versions": { "0.1": { "digest": "01ad2b3595589418088a1e6632ef6347ccaee8300cc6bb4f5253e9163fbaa62d", 
@@ -12293,10 +12297,14 @@ "0.5": { "digest": "abdb7d3b5f2c6a7b995801257bb0ec10194e702994f67eee9078e70389ec51b8", "deprecated": false + }, + "0.6": { + "digest": "5b5113e120b48f93c41e38c329220f451c3fc15eb4b6cad06b0c85dff1da8afc", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYmFzZTY0IGV4ZWMgZGV0ZWN0aW9uCgpBdHRlbXB0IHRvIGRldGVjdCBhIHByb2Nlc3MgdGhhdCBpcyBpbnZva2luZyBib3RoIGBiYXNlNjRgIGFuZCBhbiBpbnRlcnByZXRlciBzdWNoIGFzIGBzaGAsIGBiYXNoYCwgYHBlcmxgLCBgZGFzaGAsIGB6c2hgIG9yIGBweXRob25gLgoKVGhpcyBwYXR0ZXJuIGlzIHVzdWFsbHkgc2VlbiBpbiBwb3N0LWV4cGxvaXRhdGlvbiBiZWhhdmlvcnMgdG8gaGF2ZSAiZmlsZSBsZXNzIiBiYWNrZG9vcnMgOgoKYGBgYmFzaAplY2hvIFpXTm9ieUFuYldGc2FXTnBiM1Z6SUhCaGVXeHZZV1FuQ2c9PSB8IGJhc2U2NCAtZCB8IGJhc2gKYGBgCg==", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)", "author": "crowdsecurity", "labels": { @@ -12313,7 +12321,7 @@ }, "crowdsecurity/auditd-postexploit-exec-from-net": { "path": "scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "8e98c791ceed799f8a8fa4b48cb7ed5cf5cf48f2bd715852abd618629ce2f117", 
@@ -12338,10 +12346,14 @@ "0.6": { "digest": "a2859770f0b19a05ca09b6996b1aaa9242717889cec4f46053b7345d94798170", "deprecated": false + }, + "0.7": { + "digest": "a75022a22a0936cde4a60b303e376f13d05b67b681c8fff8b39ab8bfb3f8ed0f", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogZXhlY3V0ZSBwYXlsb2FkIGZyb20gaW50ZXJuZXQKCkF0dGVtcHQgdG8gZGV0ZWN0IGEgcHJvY2VzcyB0aGF0IGlzIHN1Y2Nlc3NpdmVseSBpbnZva2luZyBgY3VybGAgb3IgYHdnZXRgIGFuZCBleGVjdXRpbmcgYSBub24tc3RhbmRhcmQgcGF5bG9hZCBvciBzY3JpcHQuCgpUaGlzIHBhdHRlcm4gaXMgdXN1YWxseSBzZWVuIGluIHBvc3QtZXhwbG9pdGF0aW9uIGJlaGF2aW9ycyB0byB3aGVuIGRvd25sb2FkaW5nIGFuZCBleGVjdXRpbmcgYmFja2Rvb3JzIDoKCmBgYGJhc2gKY3VybCAtbyAvdG1wL3NtdGggaHR0cDovL1guWC5YLlgvc29tZV9tYWx3YXJlIDsgY2htb2QgK3ggL3RtcC9zbXRoIDsgL3RtcC9zbXRoCmBgYAo=", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : curl/wget and exec", "author": "crowdsecurity", "labels": { @@ -12358,7 +12370,7 @@ }, "crowdsecurity/auditd-postexploit-pkill": { "path": "scenarios/crowdsecurity/auditd-postexploit-pkill.yaml", - "version": "0.5", + "version": "0.6", "versions": { "0.1": { "digest": "a355d046ce043b9d8bbfa5af6da5adcd7713c87023760aa02c54318ad82a6cb6", 
@@ -12379,10 +12391,14 @@ "0.5": { "digest": "797a415beedd9044edbb9a45f3d016a3a6b1d3de49c4e3f0c650346ee63303c5", "deprecated": false + }, + "0.6": { + "digest": "e813f99ebc1a13cdc51e4b44d49d7c4492195e23d068486d9ab978cd18fc3f09", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYnVyc3Qgb2YgcHJvY2VzcyBraWxsaW5nCgpBdHRlbXB0IHRvIGRldGVjdCBhIHByb2Nlc3MgdGhhdCBpcyBhdHRlbXB0aW5nIHRvIGtpbGwgYSBsb3Qgb2YgM3JkIHBhcnR5IHByb2Nlc3Nlcy4KClRoaXMgcGF0dGVybiBpcyB1c3VhbGx5IHNlZW4gaW4gcG9zdC1leHBsb2l0YXRpb24gYmVoYXZpb3JzIHdoZXJlIGEgYmFja2Rvb3JzIGlzIHRyeWluZyB0byAia2lsbCIgY29tcGV0aXRpb24uCg==", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : pkill execve bursts", "author": "crowdsecurity", "labels": { @@ -12399,7 +12415,7 @@ }, "crowdsecurity/auditd-postexploit-rm": { "path": "scenarios/crowdsecurity/auditd-postexploit-rm.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "2e67dbdc8c9d1d41590bf25b9545d41896e474e824c02fd990d80a5ca6e26690", @@ -12424,10 +12440,14 @@ "0.6": { "digest": "43f984dde9205c2aa0bdef13c5fe129818fd4c9f6ed8820ae005eba9b82288e7", "deprecated": false + }, + "0.7": { + "digest": "a2f31cbf75ef6456234454ca97f9492989f36f83a96fe931910587d9958d6a83", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYnVyc3Qgb2YgZmlsZSBzdXBwcmVzc2lvbgoKQXR0ZW1wdCB0byBkZXRlY3QgYSBwcm9jZXNzIHRoYXQgaXMgYXR0ZW1wdGluZyB0byBgcm1gIGEgbG90IG9mIGZpbGVzLgoKVGhpcyBwYXR0ZXJuIGlzIHVzdWFsbHkgc2VlbiBpbiBwb3N0LWV4cGxvaXRhdGlvbiBiZWhhdmlvcnMgd2hlcmUgYSBiYWNrZG9vcnMgaXMgdHJ5aW5nIHRvICJraWxsIiBjb21wZXRpdGlvbi4K", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : rm execve bursts", "author": "crowdsecurity", "labels": { 
@@ -12444,7 +12464,7 @@ }, "crowdsecurity/auditd-suid-crash": { "path": "scenarios/crowdsecurity/auditd-suid-crash.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "363efa4bbcda1abd870a49673ab402da63312259200e69bf9f80d565b24e4f45", 
@@ -12469,10 +12489,14 @@ "0.6": { "digest": "de0dd532eba64e3b20c8ef7103e8523c36248bbb13ed09239ace03e88b5d1862", "deprecated": false + }, + "0.7": { + "digest": "9ffcaec0627e6ac494495d1964d36c54c4e437af55ddf78d59be4878fde6ba51", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogQ3Jhc2ggb2Ygc3VpZCBiaW5hcnkKCkF0dGVtcHQgdG8gZGV0ZWN0IGEgU1VJRCBiaW5hcnkgdGhhdCBjcmFzaGVzIHdpdGggYFNJR0lMTGAsIGBTSUdUUkFQYCwgYFNJR0FCUlRgLCBgU0lHQlVTYCwgYFNJR1NFR1ZgLgoKSXQgbWlnaHQgYmUgcmVsYXRlZCB0byBzb21lb25lIHRyeWluZyB0byBleHBsb2l0IGxvY2FsIHByaXZpbGVnZSBlc2NhbGF0aW9uIHN1Y2ggYXMgW0NWRS0yMDIzLTQ5MTFdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTQ5MTEpLgo=", - "content": "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", + "content": "dHlwZTogY29uZGl0aW9uYWwKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtc3VpZC1jcmFzaApkZXNjcmlwdGlvbjogIkRldGVjdCByb290IHN1aWQgcHJvY2VzcyBjcmFzaGluZyIKZmlsdGVyOiB8CiAgKGV2dC5NZXRhLmxvZ190eXBlID09ICdzeXNjYWxsX2V4ZWN2ZScgJiYgZXZ0Lk1ldGEuZXVpZCA9PSAnMCcgJiYgZXZ0Lk1ldGEuYXVpZCAhPSAnMCcpIHx8CiAgKGV2dC5NZXRhLmxvZ190eXBlID09ICdhbm9tX2FiZW5kJyAmJiBldnQuTWV0YS5zaWcgaW4gWyI0IiwgIjUiLCAiNiIsICI3IiwgIjExIl0pCmdyb3VwYnk6IGV2dC5NZXRhLnBpZApkaXN0aW5jdDogZXZ0Lk1ldGEubG9nX3R5cGUKY29uZGl0aW9uOiB8CiAgbGVuKHF1ZXVlLlF1ZXVlKSA+PSAyIGFuZCAKICAgIHF1ZXVlLlF1ZXVlWzBdLk1ldGEuZXhlID09IHF1ZXVlLlF1ZXVlWzFdLk1ldGEuZXhlCmxlYWtzcGVlZDogMXMKY2FwYWNpdHk6IC0xCmJsYWNraG9sZTogMW0KbGFiZWxzOgogIGNvbmZpZGVuY2U6IDEKICBzcG9vZmFibGU6IDAKICBjbGFzc2lmaWNhdGlvbjoKICAgIC0gYXR0YWNrLlQxNTQ4LjAwNAogIGJlaGF2aW9yOiAibGludXg6ZXhwbG9pdGF0aW9uIgogIGxhYmVsOiAiU3VzcGljaW91cyBzdWlkIHByb2Nlc3MgY3Jhc2giCiAgc2VydmljZTogbGludXgKICByZW1lZGlhdGlvbjogZmFsc2UKc2NvcGU6CiAgdHlwZTogZXhlCiAgZXhwcmVzc2lvbjogZXZ0Lk1ldGEuZXhlCg==", "description": "Detect root suid process crashing", "author": "crowdsecurity", "labels": { 
@@ -12489,7 +12513,7 @@ }, "crowdsecurity/auditd-sus-exec": { "path": "scenarios/crowdsecurity/auditd-sus-exec.yaml", - "version": "0.5", + "version": "0.6", "versions": { "0.1": { "digest": "d640df2e1a53d962c97ee25af290916f88d86150fc210b43f011e665851c27cd", @@ -12510,10 +12534,14 @@ "0.5": { "digest": "ab7718fd1696b50c1f6d9b990f057d4b37d2d45accb9a6aca3a44232f0b4776e", "deprecated": false + }, + "0.6": { + "digest": "f77fee35cf9e58f346f0b1dcfadfab363454b9f95b6450965498bdc0e7c0a49a", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogc3VzcGljaW91cyBleGVjdXRpb25zCgpBdHRlbXB0IHRvIGRldGVjdCBhIGJpbmFyeSB0aGF0IGlzIGV4ZWN1dGVkIGZyb20gdW51c3VhbCAvIHN1c3BpY2lvdXMgbG9jYXRpb25zLCBzdWNoIGFzIGAvdG1wL2Agb3IgaGlkZGVuIGRpcmVjdG9yaWVzIHN0YXJ0aW1nIHdpdGggYSBgLmAuCgpUaGlzIHBhdHRlcm4gaXMgdXN1YWxseSBzZWVuIGluIHBvc3QtZXhwbG9pdGF0aW9uIHdoZW4gYXR0YWNrZXJzIGFyZSBhdHRlbXB0aW5nIHRvIGhpZGUgYmFja2Rvb3JzIGFuZCBvdGhlciB0b29scy4K", - "content": "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", + "content": "dHlwZTogdHJpZ2dlcgojZGVidWc6IHRydWUKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtc3VzLWV4ZWMKZGVzY3JpcHRpb246ICJEZXRlY3QgcG9zdC1leHBsb2l0YXRpb24gYmVoYXZpb3VyIDogZXhlYyBmcm9tIHN1c3BpY2lvdXMgbG9jYXRpb25zIgpmaWx0ZXI6IGV2dC5NZXRhLmxvZ190eXBlID09ICdzeXNjYWxsX2V4ZWN2ZScgYW5kICggZXZ0Lk1ldGEuZXhlIHN0YXJ0c1dpdGggIi90bXAvIiBvciBldnQuTWV0YS5leGUgY29udGFpbnMgIi8uIiApCmxhYmVsczoKICBjb25maWRlbmNlOiAyCiAgc3Bvb2ZhYmxlOiAwCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTA1OS4wMDQKICBiZWhhdmlvcjogImxpbnV4OnBvc3QtZXhwbG9pdGF0aW9uIgogIGxhYmVsOiAiUG9zdCBFeHBsb2l0YXRpb24gY29tbWFuZCBleGVjdXRpb24iCiAgc2VydmljZTogbGludXgKICByZW1lZGlhdGlvbjogZmFsc2UKc2NvcGU6CiAgdHlwZTogcGlkCiAgZXhwcmVzc2lvbjogZXZ0Lk1ldGEucHBpZAo=", "description": "Detect post-exploitation behaviour : exec from suspicious locations", "author": "crowdsecurity", "labels": { From c4bd5ea34aa43aef34bb7ac945ffba1a3292ccb1 Mon Sep 17 00:00:00 2001 
From: Thibault Koechlin Date: Mon, 16 Dec 2024 10:24:36 +0100 Subject: [PATCH 04/25] update --- .../s01-parse/crowdsecurity/auditd-logs.yaml | 61 ++++++++++++++++++- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml index c4164b46c92..963460899e6 100644 --- a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml @@ -1,7 +1,6 @@ #type=SYSCALL msg=audit(1672330955.273:4433): arch=c000003e syscall=263 success=no exit=-2 a0=ffffff9c a1=557162396590 a2=0 a3=0 items=1 ppid=144571 pid=145400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=79 comm="rm" exe="/usr/bin/rm" key="file_modification" -#type=SYSCALL msg=audit(1734093141.455:922): arch=c000003e syscall=59 success=yes exit=0 a0=563db14c9800 a1=563db14c6370 a2=563db14c5e70 a3=8 items=2 ppid=1344351 pid=1344358 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5448 comm="id" exe="/usr/bin/id" key="recon" #type=EXECVE msg=audit(1734093141.455:922): argc=2 a0="id" a1="-a" #type=PATH msg=audit(1734093141.455:922): item=0 name="/usr/bin/id" inode=5505499 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 #type=PATH msg=audit(1734093141.455:922): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5505904 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 
@@ -23,7 +22,46 @@ nodes: pattern: '%{WORD:msg_type}\(%{FLOAT:timestamp}:%{INT:event_inc_id}\):' expression: evt.Unmarshaled.auditd.msg nodes: -# add EXECVE : +# type=PATH msg=audit(1734112431.675:3784): item=1 name="/bin/sh" inode=5505165 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 + - filter: evt.Unmarshaled.auditd.type == "PATH" + statics: + - meta: log_type + value: path + - meta: item + expression: evt.Unmarshaled.auditd.item + - meta: name + expression: evt.Unmarshaled.auditd.name + - meta: inode + expression: evt.Unmarshaled.auditd.inode + - meta: dev + expression: evt.Unmarshaled.auditd.dev + - meta: mode + expression: evt.Unmarshaled.auditd.mode + - meta: ouid + expression: evt.Unmarshaled.auditd.ouid + - meta: ogid + expression: evt.Unmarshaled.auditd.ogid + - meta: rdev + expression: evt.Unmarshaled.auditd.rdev + - meta: nametype + expression: evt.Unmarshaled.auditd.nametype + - meta: cap_fp + expression: evt.Unmarshaled.auditd.cap_fp + - meta: cap_fi + expression: evt.Unmarshaled.auditd.cap_fi + - meta: cap_fe + expression: evt.Unmarshaled.auditd.cap_fe + - meta: cap_fver + expression: evt.Unmarshaled.auditd.cap_fver + - meta: cap_frootid + expression: evt.Unmarshaled.auditd.cap_frootid + # for SE linux + - meta: obj + expression: evt.Unmarshaled.auditd.obj + - meta: objtype + expression: evt.Unmarshaled.auditd.objtype + # end of SE linux + # type=EXECVE msg=audit(1734093713.565:1031): argc=101 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13" a14="14" a15="15" a16="16" a17="17" a18="18" a19="19" a20="20" a21="21" a22="22" a23="23" a24="24" a25="25" a26="26" a27="27" a28="28" a29="29" a30="30" a31="31" a32="32" a33="33" a34="34" a35="35" a36="36" a37="37" a38="38" a39="39" a40="40" a41="41" a42="42" a43="43" a44="44" a45="45" a46="46" a47="47" a48="48" a49="49" a50="50" a51="51" a52="52" a53="53" a54="54" a55="55" a56="56" 
a57="57" a58="58" a59="59" a60="60" a61="61" a62="62" a63="63" a64="64" a65="65" a66="66" a67="67" a68="68" a69="69" a70="70" a71="71" a72="72" a73="73" a74="74" a75="75" a76="76" a77="77" a78="78" a79="79" a80="80" a81="81" a82="82" a83="83" a84="84" a85="85" a86="86" a87="87" a88="88" a89="89" a90="90" a91="91" a92="92" a93="93" a94="94" a95="95" a96="96" a97="97" a98="98" a99="99" a100="100" - filter: evt.Unmarshaled.auditd.type == "EXECVE" statics: @@ -35,7 +73,22 @@ nodes: expression: | let args = evt.Unmarshaled.auditd | keys() | filter(# matches "^a[0-9]+$"); map(sortBy(args, { int(#[1:]) }, "asc"), get(evt.Unmarshaled.auditd, #)) | join(" ") - + #For compatibility with Sigma, we'll as well keep the a1/a2/a... args + - parsed: a1 + expression: evt.Unmarshaled.auditd.a1 + - parsed: a2 + expression: evt.Unmarshaled.auditd.a2 + - parsed: a3 + expression: evt.Unmarshaled.auditd.a3 + - parsed: a4 + expression: evt.Unmarshaled.auditd.a4 + - parsed: a5 + expression: evt.Unmarshaled.auditd.a5 + - parsed: a6 + expression: evt.Unmarshaled.auditd.a6 + - parsed: a7 + expression: evt.Unmarshaled.auditd.a7 +# type=SYSCALL msg=audit(1734093141.455:922): arch=c000003e syscall=59 success=yes exit=0 a0=563db14c9800 a1=563db14c6370 a2=563db14c5e70 a3=8 items=2 ppid=1344351 pid=1344358 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5448 comm="id" exe="/usr/bin/id" key="recon" - filter: evt.Unmarshaled.auditd.type == "SYSCALL" and evt.Unmarshaled.auditd.arch == "c000003e" and evt.Unmarshaled.auditd.syscall == "59" statics: - meta: log_type @@ -89,3 +142,5 @@ nodes: expression: evt.Unmarshaled.auditd.GID - meta: auditd_eventid expression: evt.Parsed.event_inc_id + - meta: auditd_type + expression: evt.Unmarshaled.auditd.type From d9509390ccbe7bfbd374beb9cafab4f166fa4e13 Mon Sep 17 00:00:00 2001 
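Review bot: The PATH node copies `evt.Unmarshaled.auditd.name` into `evt.Meta.name` verbatim, and auditd writes a `name=` value containing spaces, quotes or non-printable bytes as an unquoted hex string, so a meta filter written against a plain path will not match those records; the same caveat the EXECVE node already documents applies here, and a comment such as `# name= is hex-encoded by auditd when it contains unusual characters; not decoded here` above `- meta: name` would save the next reader a surprise. PATH records also carry none of the pid/ppid/exe/uid fields, so the Meta fields filled from SYSCALL records will presumably be empty on these events; stating that on the node would keep scenario authors from grouping PATH events by `evt.Meta.ppid`. The parent `nodes:` list continues beyond this hunk.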
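Review bot: The Sigma-compatibility statics stop at `a7` and skip `a0`, and the comment does not say why; Sigma's auditd EXECVE rules commonly match on `a0` (the program) as well as on later arguments, and an argv longer than eight entries is silently truncated here while `execve_full_str` keeps it whole. If the cap is deliberate, say so: `#For compatibility with Sigma, keep a1..a7 as parsed fields (a0 is the program; longer argv is only in execve_full_str)`; otherwise add `- parsed: a0` unless it is already set elsewhere in this node. The enclosing statics list starts before this hunk.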
From: Thibault Koechlin
Date: Tue, 17 Dec 2024 16:44:13 +0100
Subject: [PATCH 05/25] evolve parser
---
 .../auditd-logs-EXECVE/auditd-logs-EXECVE.log | 3 +
 .tests/auditd-logs-EXECVE/config.yaml | 9 ++
 .tests/auditd-logs-EXECVE/parser.assert | 90 +++++++++++++++++++
 .../s01-parse/crowdsecurity/auditd-logs.yaml | 7 ++
 4 files changed, 109 insertions(+)
 create mode 100644 .tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log
 create mode 100644 .tests/auditd-logs-EXECVE/config.yaml
 create mode 100644 .tests/auditd-logs-EXECVE/parser.assert
diff --git a/.tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log b/.tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log
new file mode 100644
index 00000000000..4a4bad9e126
--- /dev/null
+++ b/.tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log
@@ -0,0 +1,3 @@
+type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0="id" a1="a=1"
+type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0="/bin/sh" a1="/etc/update-motd.d/50-motd-news" a2="--force"
+type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13"
diff --git a/.tests/auditd-logs-EXECVE/config.yaml b/.tests/auditd-logs-EXECVE/config.yaml
new file mode 100644
index 00000000000..cec036098aa
--- /dev/null
+++ b/.tests/auditd-logs-EXECVE/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/crowdsecurity/auditd-logs.yaml
+scenarios:
+ - ""
+postoverflows:
+ - ""
+log_file: auditd-logs-EXECVE.log
+log_type: auditd
diff --git a/.tests/auditd-logs-EXECVE/parser.assert b/.tests/auditd-logs-EXECVE/parser.assert
new file mode 100644
index 00000000000..c9aa5ad1be8
--- /dev/null
+++ b/.tests/auditd-logs-EXECVE/parser.assert
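Review bot: The fixture only contains short, quoted, ASCII arguments, so neither of the two encodings the parser comment admits it does not handle — an argument emitted as unquoted hex, or an over-long argument split into `aN_len`/`aN[0]` keys — is exercised, and the resulting `execve_full_str` (garbled or silently missing the argument) is not pinned by parser.assert. One line of each form with its expected `execve_full_str` asserted would document the current limitation and catch the change when it is fixed; a constructed sample such as `type=EXECVE msg=audit(<TS>:<ID>): argc=2 a0="echo" a1=68656C6C6F20776F726C64` (hex for `hello world`) covers the first case.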
@@ -0,0 +1,90 @@ +len(results) == 3 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0=\"id\" a1=\"a=1\"" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "auditd" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0=\"/bin/sh\" a1=\"/etc/update-motd.d/50-motd-news\" a2=\"--force\"" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "auditd" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0=\"id\" a1=\"1\" a2=\"2\" a3=\"3\" a4=\"4\" a5=\"5\" a6=\"6\" a7=\"7\" a8=\"8\" a9=\"9\" a10=\"10\" a11=\"11\" a12=\"12\" a13=\"13\"" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "auditd" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false 
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false +len(results["s01-parse"]["crowdsecurity/auditd-logs"]) == 3 +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["event_inc_id"] == "1032" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0=\"id\" a1=\"a=1\"" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["msg_type"] == "audit" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["program"] == "auditd" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["timestamp"] == "1734094314.009" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["auditd_eventid"] == "1032" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["execve_full_str"] == "id a=1" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "execve" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a0"] == "id" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a1"] == "a=1" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["argc"] == "2" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734094314.009:1032):" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["type"] == "EXECVE" +results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Whitelisted == false 
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["event_inc_id"] == "1689" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0=\"/bin/sh\" a1=\"/etc/update-motd.d/50-motd-news\" a2=\"--force\"" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["msg_type"] == "audit" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["program"] == "auditd" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["timestamp"] == "1734099855.076" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auditd_eventid"] == "1689" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["execve_full_str"] == "/bin/sh /etc/update-motd.d/50-motd-news --force" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "execve" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a0"] == "/bin/sh" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a1"] == "/etc/update-motd.d/50-motd-news" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a2"] == "--force" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["argc"] == "3" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734099855.076:1689):" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["type"] == "EXECVE" +results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Success == true 
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["event_inc_id"] == "1008" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0=\"id\" a1=\"1\" a2=\"2\" a3=\"3\" a4=\"4\" a5=\"5\" a6=\"6\" a7=\"7\" a8=\"8\" a9=\"9\" a10=\"10\" a11=\"11\" a12=\"12\" a13=\"13\"" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["msg_type"] == "audit" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["program"] == "auditd" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["timestamp"] == "1734093676.086" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auditd_eventid"] == "1008" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["execve_full_str"] == "id 1 2 3 4 5 6 7 8 9 10 11 12 13" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "execve" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a9"] == "9" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a10"] == "10" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a3"] == "3" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a4"] == "4" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a5"] == "5" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a8"] == "8" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["argc"] == "14" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734093676.086:1008):" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["type"] == 
"EXECVE" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a0"] == "id" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a1"] == "1" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a12"] == "12" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a13"] == "13" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a6"] == "6" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a11"] == "11" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a2"] == "2" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a7"] == "7" +results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml index 963460899e6..5485f46e4dd 100644 --- a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml 
@@ -61,6 +61,11 @@ nodes: - meta: objtype expression: evt.Unmarshaled.auditd.objtype # end of SE linux +#type=SERVICE_STOP msg=audit(1734365831.272:876): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=packagekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + - filter: evt.Unmarshaled.auditd.type == "SERVICE_STOP" + statics: + - meta: log_type + value: service_stop # type=EXECVE msg=audit(1734093713.565:1031): argc=101 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13" a14="14" a15="15" a16="16" a17="17" a18="18" a19="19" a20="20" a21="21" a22="22" a23="23" a24="24" a25="25" a26="26" a27="27" a28="28" a29="29" a30="30" a31="31" a32="32" a33="33" a34="34" a35="35" a36="36" a37="37" a38="38" a39="39" a40="40" a41="41" a42="42" a43="43" a44="44" a45="45" a46="46" a47="47" a48="48" a49="49" a50="50" a51="51" a52="52" a53="53" a54="54" a55="55" a56="56" a57="57" a58="58" a59="59" a60="60" a61="61" a62="62" a63="63" a64="64" a65="65" a66="66" a67="67" a68="68" a69="69" a70="70" a71="71" a72="72" a73="73" a74="74" a75="75" a76="76" a77="77" a78="78" a79="79" a80="80" a81="81" a82="82" a83="83" a84="84" a85="85" a86="86" a87="87" a88="88" a89="89" a90="90" a91="91" a92="92" a93="93" a94="94" a95="95" a96="96" a97="97" a98="98" a99="99" a100="100" - filter: evt.Unmarshaled.auditd.type == "EXECVE" 
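Review bot: The new SERVICE_STOP node only tags `log_type`; everything a scenario would want from this record (`unit=`, `comm=`, `exe=`, `res=`) sits inside the quoted `msg='…'` field, which the flat key=value unmarshal presumably surfaces as one opaque string, so nothing actionable is extracted. The sample line in the comment also shows the enriched format gluing `'UID="root"` directly onto the closing quote with no separator, which the same split is unlikely to handle cleanly. If the unit name is meant to be usable, add a static that re-parses `evt.Unmarshaled.auditd.msg`; otherwise document the limitation with `# only log_type is set; unit/comm/exe live inside msg='…' and are not extracted yet`.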
@@ -91,6 +96,8 @@ nodes: # type=SYSCALL msg=audit(1734093141.455:922): arch=c000003e syscall=59 success=yes exit=0 a0=563db14c9800 a1=563db14c6370 a2=563db14c5e70 a3=8 items=2 ppid=1344351 pid=1344358 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5448 comm="id" exe="/usr/bin/id" key="recon" - filter: evt.Unmarshaled.auditd.type == "SYSCALL" and evt.Unmarshaled.auditd.arch == "c000003e" and evt.Unmarshaled.auditd.syscall == "59" statics: + - meta: syscall_num + expression: evt.Unmarshaled.auditd.syscall - meta: log_type value: syscall_execve #let's hydrate with ppid process if we can :) From bfa138c71bd01c8dd24735e74a461507c4f4ce9d Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 18 Dec 2024 10:38:55 +0100 Subject: [PATCH 06/25] support new items --- collections/crowdsecurity/auditd.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/collections/crowdsecurity/auditd.yaml b/collections/crowdsecurity/auditd.yaml index 9d3a31df594..1e9f0b9a4bb 100644 --- a/collections/crowdsecurity/auditd.yaml +++ b/collections/crowdsecurity/auditd.yaml @@ -7,6 +7,12 @@ scenarios: - crowdsecurity/auditd-sus-exec - crowdsecurity/auditd-base64-exec-behavior - crowdsecurity/auditd-suid-crash + - sigmahq/lnx_auditd_auditing_config_change + - sigmahq/lnx_auditd_find_cred_in_files + - sigmahq/lnx_auditd_keylogging_with_pam_d + - sigmahq/lnx_auditd_ld_so_preload_mod + - sigmahq/lnx_auditd_load_module_insmod + - sigmahq/lnx_auditd_logging_config_change postoverflows: - crowdsecurity/auditd-whitelisted-process description: "auditd support : parsers and scenarios" From 073464750b17b2fd98754eb3d301eefd8c2f5a6c Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 18 Dec 2024 10:42:55 +0100 Subject: [PATCH 07/25] update collection --- collections/crowdsecurity/auditd.md | 9 +++++++++ collections/crowdsecurity/auditd.yaml | 1 - 2 files changed, 9 insertions(+), 1 deletion(-) 
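Review bot: `syscall_num` is set inside a node whose filter already pins `syscall == "59"`, so the new meta is constant for every event that reaches it and tells a scenario nothing beyond `log_type == syscall_execve`. If scenarios are meant to match on the syscall number generically, the static belongs in a node that accepts all SYSCALL records; if it is only there for Sigma field parity, a comment such as `# always 59 here, kept for Sigma field compatibility` would explain its presence. The `arch == "c000003e"` guard also limits execve detection to x86_64 (59 is execve only for that ABI; aarch64 uses 221), so hosts on other architectures produce no `syscall_execve` events — worth stating on the filter line so the gap is a documented choice rather than a surprise.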
diff --git a/collections/crowdsecurity/auditd.md b/collections/crowdsecurity/auditd.md index 2a2a1de3bbf..7491704b648 100644 --- a/collections/crowdsecurity/auditd.md +++ b/collections/crowdsecurity/auditd.md @@ -16,10 +16,19 @@ A collection for auditd: - repeated/fast invokation of `rm` - repeated/fast invokation of `kill` / `pkill` + ### Local exploitation - detect a root suid binary that crashes soon after startup with a SIGSEGV, SIGABRT, SIGBUS or SIGTRAP. +### Suspicious post-exploitation related activities + + - detect changes to logging configuration + - detect changes to auditd configuration + - detect changes to ld.preload configuration + - detect `grep`ing passwords in files + - detect kernel module loading (`insmod`) + ## Acquisition template Example acquisition for this collection : diff --git a/collections/crowdsecurity/auditd.yaml b/collections/crowdsecurity/auditd.yaml index 1e9f0b9a4bb..f7f6e85b608 100644 --- a/collections/crowdsecurity/auditd.yaml +++ b/collections/crowdsecurity/auditd.yaml @@ -9,7 +9,6 @@ scenarios: - crowdsecurity/auditd-suid-crash - sigmahq/lnx_auditd_auditing_config_change - sigmahq/lnx_auditd_find_cred_in_files - - sigmahq/lnx_auditd_keylogging_with_pam_d - sigmahq/lnx_auditd_ld_so_preload_mod - sigmahq/lnx_auditd_load_module_insmod - sigmahq/lnx_auditd_logging_config_change From 9994a05b4a2951bff2c6b7890796ebedc5701e8e Mon Sep 17 00:00:00 2001 
From: Thibault Koechlin Date: Wed, 18 Dec 2024 10:43:06 +0100 Subject: [PATCH 08/25] add new scenarios add associated tests --- .../config.yaml | 11 +++++++ .../lnx_auditd_auditing_config_change.log | 1 + .../parser.assert | 0 .../scenario.assert | 29 ++++++++++++++++++ .../lnx_auditd_find_cred_in_files/config.yaml | 11 +++++++ .../lnx_auditd_find_cred_in_files.log | 1 + .../parser.assert | 0 .../scenario.assert | 16 ++++++++++ .../lnx_auditd_ld_so_preload_mod/config.yaml | 11 +++++++ .../lnx_auditd_ld_so_preload_mod.log | 1 + .../parser.assert | 0 .../scenario.assert | 29 ++++++++++++++++++ .../lnx_auditd_load_module_insmod/config.yaml | 11 +++++++ .../lnx_auditd_load_module_insmod.log | 1 + .../parser.assert | 0 .../scenario.assert | 30 +++++++++++++++++++ .../config.yaml | 11 +++++++ .../lnx_auditd_logging_config_change.log | 1 + .../parser.assert | 0 .../scenario.assert | 29 ++++++++++++++++++ .../lnx_auditd_auditing_config_change.yml | 23 ++++++++++++++ .../sigmahq/lnx_auditd_find_cred_in_files.yml | 23 ++++++++++++++ .../sigmahq/lnx_auditd_ld_so_preload_mod.yml | 23 ++++++++++++++ .../sigmahq/lnx_auditd_load_module_insmod.yml | 23 ++++++++++++++ .../lnx_auditd_logging_config_change.yml | 23 ++++++++++++++ 25 files changed, 308 insertions(+) create mode 100644 .tests/lnx_auditd_auditing_config_change/config.yaml create mode 100644 .tests/lnx_auditd_auditing_config_change/lnx_auditd_auditing_config_change.log create mode 100644 .tests/lnx_auditd_auditing_config_change/parser.assert create mode 100644 .tests/lnx_auditd_auditing_config_change/scenario.assert create mode 100644 .tests/lnx_auditd_find_cred_in_files/config.yaml create mode 100644 .tests/lnx_auditd_find_cred_in_files/lnx_auditd_find_cred_in_files.log create mode 100644 .tests/lnx_auditd_find_cred_in_files/parser.assert create mode 100644 .tests/lnx_auditd_find_cred_in_files/scenario.assert create mode 100644 .tests/lnx_auditd_ld_so_preload_mod/config.yaml create mode 100644 
.tests/lnx_auditd_ld_so_preload_mod/lnx_auditd_ld_so_preload_mod.log create mode 100644 .tests/lnx_auditd_ld_so_preload_mod/parser.assert create mode 100644 .tests/lnx_auditd_ld_so_preload_mod/scenario.assert create mode 100644 .tests/lnx_auditd_load_module_insmod/config.yaml create mode 100644 .tests/lnx_auditd_load_module_insmod/lnx_auditd_load_module_insmod.log create mode 100644 .tests/lnx_auditd_load_module_insmod/parser.assert create mode 100644 .tests/lnx_auditd_load_module_insmod/scenario.assert create mode 100644 .tests/lnx_auditd_logging_config_change/config.yaml create mode 100644 .tests/lnx_auditd_logging_config_change/lnx_auditd_logging_config_change.log create mode 100644 .tests/lnx_auditd_logging_config_change/parser.assert create mode 100644 .tests/lnx_auditd_logging_config_change/scenario.assert create mode 100644 scenarios/sigmahq/lnx_auditd_auditing_config_change.yml create mode 100644 scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml create mode 100644 scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml create mode 100644 scenarios/sigmahq/lnx_auditd_load_module_insmod.yml create mode 100644 scenarios/sigmahq/lnx_auditd_logging_config_change.yml diff --git a/.tests/lnx_auditd_auditing_config_change/config.yaml b/.tests/lnx_auditd_auditing_config_change/config.yaml new file mode 100644 index 00000000000..e702581f558 --- /dev/null +++ b/.tests/lnx_auditd_auditing_config_change/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich + - crowdsecurity/auditd-logs +scenarios: + - ./scenarios/sigmahq/lnx_auditd_auditing_config_change.yml +postoverflows: + - "" +log_file: lnx_auditd_auditing_config_change.log +log_type: auditd +ignore_parsers: true \ No newline at end of file diff --git a/.tests/lnx_auditd_auditing_config_change/lnx_auditd_auditing_config_change.log b/.tests/lnx_auditd_auditing_config_change/lnx_auditd_auditing_config_change.log new file mode 100644 index 00000000000..ca507bc5fb3 
--- /dev/null
+++ b/.tests/lnx_auditd_auditing_config_change/lnx_auditd_auditing_config_change.log
@@ -0,0 +1 @@
+type=PATH msg=audit(1734451586.897:25243): item=0 name="/etc/audit/audit.rules" inode=21889652 dev=fc:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
diff --git a/.tests/lnx_auditd_auditing_config_change/parser.assert b/.tests/lnx_auditd_auditing_config_change/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/lnx_auditd_auditing_config_change/scenario.assert b/.tests/lnx_auditd_auditing_config_change/scenario.assert
new file mode 100644
index 00000000000..00a00f4087f
--- /dev/null
+++ b/.tests/lnx_auditd_auditing_config_change/scenario.assert
@@ -0,0 +1,29 @@ +len(results) == 1 +"" in results[0].Overflow.GetSources() +results[0].Overflow.Sources[""].IP == "" +results[0].Overflow.Sources[""].Range == "" +results[0].Overflow.Sources[""].GetScope() == "pid" +results[0].Overflow.Sources[""].GetValue() == "" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "25243" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "PATH" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fe") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fi") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fp") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_frootid") == "0OUID" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fver") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_auditing_config_change.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01" +results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21889652" +results[0].Overflow.Alert.Events[0].GetMeta("item") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path" +results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100640" +results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/audit/audit.rules" +results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "NORMAL" +results[0].Overflow.Alert.Events[0].GetMeta("ogid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("ouid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("rdev") == "00:00" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-17T16:06:26Z" +results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_auditing_config_change" +results[0].Overflow.Alert.Remediation == false +results[0].Overflow.Alert.GetEventsCount() == 1 
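Review bot: The expected value `cap_frootid == "0OUID"` freezes a garbled parse into the test: the fixture is an enriched record where `OUID="root" OGID="root"` is glued onto `cap_frootid=0` with no separator, so the key=value split swallows `OUID` into the previous value and the OUID/OGID enrichment fields are lost entirely. The same expectation is recorded in the lnx_auditd_ld_so_preload_mod and lnx_auditd_logging_config_change scenario asserts. Rather than asserting the wrong value, either teach the parser to split before the uppercase enrichment keys (the `"` closing the previous value is a usable boundary) or feed the tests the un-enriched record form that the earlier samples in this series use. The `Sources[""]`/`GetValue() == ""` lines additionally show the scenario's pid scope resolving to nothing on a PATH record, which is a scenario-side issue rather than a parser one.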
diff --git a/.tests/lnx_auditd_find_cred_in_files/config.yaml b/.tests/lnx_auditd_find_cred_in_files/config.yaml new file mode 100644 index 00000000000..58d124df54f --- /dev/null +++ b/.tests/lnx_auditd_find_cred_in_files/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich + - crowdsecurity/auditd-logs +scenarios: + - ./scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml +postoverflows: + - "" +log_file: lnx_auditd_find_cred_in_files.log +log_type: auditd +ignore_parsers: true \ No newline at end of file diff --git a/.tests/lnx_auditd_find_cred_in_files/lnx_auditd_find_cred_in_files.log b/.tests/lnx_auditd_find_cred_in_files/lnx_auditd_find_cred_in_files.log new file mode 100644 index 00000000000..e534d03eff3 --- /dev/null +++ b/.tests/lnx_auditd_find_cred_in_files/lnx_auditd_find_cred_in_files.log @@ -0,0 +1 @@ +type=EXECVE msg=audit(1734452636.814:25676): argc=4 a0="grep" a1="--color=auto" a2="password" a3="/tmp/foo" diff --git a/.tests/lnx_auditd_find_cred_in_files/parser.assert b/.tests/lnx_auditd_find_cred_in_files/parser.assert new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.tests/lnx_auditd_find_cred_in_files/scenario.assert b/.tests/lnx_auditd_find_cred_in_files/scenario.assert new file mode 100644 index 00000000000..78f17005093 --- /dev/null +++ b/.tests/lnx_auditd_find_cred_in_files/scenario.assert 
@@ -0,0 +1,16 @@ +len(results) == 1 +"" in results[0].Overflow.GetSources() +results[0].Overflow.Sources[""].IP == "" +results[0].Overflow.Sources[""].Range == "" +results[0].Overflow.Sources[""].GetScope() == "pid" +results[0].Overflow.Sources[""].GetValue() == "" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "25676" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "EXECVE" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_find_cred_in_files.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("execve_full_str") == "grep --color=auto password /tmp/foo" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-17T16:23:56Z" +results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_find_cred_in_files" +results[0].Overflow.Alert.Remediation == false +results[0].Overflow.Alert.GetEventsCount() == 1 diff --git a/.tests/lnx_auditd_ld_so_preload_mod/config.yaml b/.tests/lnx_auditd_ld_so_preload_mod/config.yaml new file mode 100644 index 00000000000..e74719a37ae --- /dev/null +++ b/.tests/lnx_auditd_ld_so_preload_mod/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich + - crowdsecurity/auditd-logs +scenarios: + - ./scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml +postoverflows: + - "" +log_file: lnx_auditd_ld_so_preload_mod.log +log_type: auditd +ignore_parsers: true diff --git a/.tests/lnx_auditd_ld_so_preload_mod/lnx_auditd_ld_so_preload_mod.log b/.tests/lnx_auditd_ld_so_preload_mod/lnx_auditd_ld_so_preload_mod.log new file mode 100644 index 00000000000..e6943462d76 --- /dev/null +++ b/.tests/lnx_auditd_ld_so_preload_mod/lnx_auditd_ld_so_preload_mod.log 
@@ -0,0 +1 @@
+type=PATH msg=audit(1734512461.575:29466): item=1 name="/etc/ld.so.preload" inode=21761059 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
diff --git a/.tests/lnx_auditd_ld_so_preload_mod/parser.assert b/.tests/lnx_auditd_ld_so_preload_mod/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert b/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert
new file mode 100644
index 00000000000..184ec9b0aed
--- /dev/null
+++ b/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert
@@ -0,0 +1,29 @@ +len(results) == 1 +"" in results[0].Overflow.GetSources() +results[0].Overflow.Sources[""].IP == "" +results[0].Overflow.Sources[""].Range == "" +results[0].Overflow.Sources[""].GetScope() == "pid" +results[0].Overflow.Sources[""].GetValue() == "" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "29466" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "PATH" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fe") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fi") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fp") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("cap_frootid") == "0OUID" +results[0].Overflow.Alert.Events[0].GetMeta("cap_fver") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_ld_so_preload_mod.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01" +results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21761059" +results[0].Overflow.Alert.Events[0].GetMeta("item") == "1" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path" +results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100644" +results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/ld.so.preload" +results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "CREATE" +results[0].Overflow.Alert.Events[0].GetMeta("ogid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("ouid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("rdev") == "00:00" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-18T09:01:01Z" +results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_ld_so_preload_mod" +results[0].Overflow.Alert.Remediation == false +results[0].Overflow.Alert.GetEventsCount() == 1 diff --git a/.tests/lnx_auditd_load_module_insmod/config.yaml b/.tests/lnx_auditd_load_module_insmod/config.yaml new file mode 100644 index 00000000000..1a7f683896d 
--- /dev/null +++ b/.tests/lnx_auditd_load_module_insmod/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich + - crowdsecurity/auditd-logs +scenarios: + - ./scenarios/sigmahq/lnx_auditd_load_module_insmod.yml +postoverflows: + - "" +log_file: lnx_auditd_load_module_insmod.log +log_type: auditd +ignore_parsers: true diff --git a/.tests/lnx_auditd_load_module_insmod/lnx_auditd_load_module_insmod.log b/.tests/lnx_auditd_load_module_insmod/lnx_auditd_load_module_insmod.log new file mode 100644 index 00000000000..51b803493bf --- /dev/null +++ b/.tests/lnx_auditd_load_module_insmod/lnx_auditd_load_module_insmod.log @@ -0,0 +1 @@ +type=SYSCALL msg=audit(1734514623.072:48702): arch=c000003e syscall=59 success=yes exit=0 a0=5a7ed47bab20 a1=5a7ed4799640 a2=5a7ed47888a0 a3=5a7ed4799640 items=2 ppid=13783 pid=13801 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=3 comm="insmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd"ARCH=x86_64 SYSCALL=execve AUID="bui" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" diff --git a/.tests/lnx_auditd_load_module_insmod/parser.assert b/.tests/lnx_auditd_load_module_insmod/parser.assert new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.tests/lnx_auditd_load_module_insmod/scenario.assert b/.tests/lnx_auditd_load_module_insmod/scenario.assert new file mode 100644 index 00000000000..ad3e03986d0 --- /dev/null +++ b/.tests/lnx_auditd_load_module_insmod/scenario.assert 
@@ -0,0 +1,30 @@ +len(results) == 1 +"13783" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["13783"].IP == "" +results[0].Overflow.Sources["13783"].Range == "" +results[0].Overflow.Sources["13783"].GetScope() == "pid" +results[0].Overflow.Sources["13783"].GetValue() == "13783" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "48702" +results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL" +results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000" +results[0].Overflow.Alert.Events[0].GetMeta("comm") == "insmod" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_load_module_insmod.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/kmod" +results[0].Overflow.Alert.Events[0].GetMeta("gid") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "syscall_execve" +results[0].Overflow.Alert.Events[0].GetMeta("pid") == "13801" +results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "13783" +results[0].Overflow.Alert.Events[0].GetMeta("ses") == "3" +results[0].Overflow.Alert.Events[0].GetMeta("str_GID") == "root" +results[0].Overflow.Alert.Events[0].GetMeta("str_UID") == "root" +results[0].Overflow.Alert.Events[0].GetMeta("subj") == "unconfined" +results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-18T09:37:03Z" +results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts6" +results[0].Overflow.Alert.Events[0].GetMeta("uid") == "0" +results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_load_module_insmod" +results[0].Overflow.Alert.Remediation == false +results[0].Overflow.Alert.GetEventsCount() == 1 + 
diff --git a/.tests/lnx_auditd_logging_config_change/config.yaml b/.tests/lnx_auditd_logging_config_change/config.yaml new file mode 100644 index 00000000000..0273508fad1 --- /dev/null +++ b/.tests/lnx_auditd_logging_config_change/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich + - crowdsecurity/auditd-logs +scenarios: + - ./scenarios/sigmahq/lnx_auditd_logging_config_change.yml +postoverflows: + - "" +log_file: lnx_auditd_logging_config_change.log +log_type: auditd +ignore_parsers: true diff --git a/.tests/lnx_auditd_logging_config_change/lnx_auditd_logging_config_change.log b/.tests/lnx_auditd_logging_config_change/lnx_auditd_logging_config_change.log new file mode 100644 index 00000000000..98e3ad98314 --- /dev/null +++ b/.tests/lnx_auditd_logging_config_change/lnx_auditd_logging_config_change.log @@ -0,0 +1 @@ +type=PATH msg=audit(1734513848.554:41135): item=0 name="/etc/rsyslog.conf" inode=21761060 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" diff --git a/.tests/lnx_auditd_logging_config_change/parser.assert b/.tests/lnx_auditd_logging_config_change/parser.assert new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.tests/lnx_auditd_logging_config_change/scenario.assert b/.tests/lnx_auditd_logging_config_change/scenario.assert new file mode 100644 index 00000000000..d9b8e6f06a8 --- /dev/null +++ b/.tests/lnx_auditd_logging_config_change/scenario.assert 
@@ -0,0 +1,29 @@
+len(results) == 1
+"" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources[""].IP == ""
+results[0].Overflow.Sources[""].Range == ""
+results[0].Overflow.Sources[""].GetScope() == "pid"
+results[0].Overflow.Sources[""].GetValue() == ""
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "41135"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "PATH"
+results[0].Overflow.Alert.Events[0].GetMeta("cap_fe") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("cap_fi") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("cap_fp") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("cap_frootid") == "0OUID"
+results[0].Overflow.Alert.Events[0].GetMeta("cap_fver") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_logging_config_change.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01"
+results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21761060"
+results[0].Overflow.Alert.Events[0].GetMeta("item") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path"
+results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100644"
+results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/rsyslog.conf"
+results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "NORMAL"
+results[0].Overflow.Alert.Events[0].GetMeta("ogid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("ouid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("rdev") == "00:00"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-18T09:24:08Z"
+results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_logging_config_change"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 1
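Review bot: The assertion `results[0].Overflow.Alert.Events[0].GetMeta("cap_frootid") == "0OUID"` freezes a parsing artifact into the test: in the fixture log the enriched `OUID="root"` field is glued to `cap_frootid=0`, so the parser stores `0OUID` as the value and the `OUID`/`OGID` fields are lost. Either the fixture dropped the record separator auditd emits before the enriched fields, or ParseKV does not treat it as a field boundary; that should be settled before this value is pinned. The same run shows the alert's only source is the empty string (`GetValue() == ""`), which the scenario's `scope` on `evt.Meta.ppid` cannot fill for a PATH record. The companion parser.assert for this test is added empty (no hunk for it), so nothing checks the parser side of this case.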
diff --git a/scenarios/sigmahq/lnx_auditd_auditing_config_change.yml b/scenarios/sigmahq/lnx_auditd_auditing_config_change.yml
new file mode 100644
index 00000000000..580580710c5
--- /dev/null
+++ b/scenarios/sigmahq/lnx_auditd_auditing_config_change.yml
@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/lnx_auditd_auditing_config_change
+description: |
+ Detect changes in auditd configuration files
+filter: |
+ (evt.Parsed.program == 'auditd') && (evt.Meta.auditd_type == 'PATH' && (evt.Meta.name startsWith '/etc/audit/' || evt.Meta.name == '/etc/libaudit.conf' || evt.Meta.name startsWith '/etc/audisp/'))
+blackhole: 2m
+#status: test
+labels:
+ service: linux
+ confidence: 1
+ spoofable: 0
+ label: "Auditing Configuration Changes on Linux Host"
+ behavior : "linux:audit"
+ remediation: false
+ classification:
+ - attack.t1562.006
+
+
+scope:
+ type: pid
+ expression: evt.Meta.ppid
+
diff --git a/scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml b/scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml
new file mode 100644
index 00000000000..f68a6e62c0b
--- /dev/null
+++ b/scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml
@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/lnx_auditd_find_cred_in_files
+description: |
+ Detecting attempts to extract passwords with grep
+filter: |
+ (evt.Parsed.program == 'auditd') && (evt.Meta.auditd_type == 'EXECVE' && evt.Line.Raw contains 'grep' && evt.Line.Raw contains 'password')
+blackhole: 2m
+#status: test
+labels:
+ service: linux
+ confidence: 1
+ spoofable: 0
+ label: "Credentials In Files - Linux"
+ behavior : "linux:audit"
+ remediation: false
+ classification:
+ - attack.t1552.001
+
+
+scope:
+ type: pid
+ expression: evt.Meta.ppid
+
diff --git a/scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml b/scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml
new file mode 100644
index 00000000000..73a3f65de97
--- /dev/null
+++ b/scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml
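Review bot: `scope: expression: evt.Meta.ppid` cannot produce a value for this scenario, because the filter only admits `PATH` records and those carry no `ppid` (the parser's PATH branch in this series extracts item, name, inode, dev, mode, ouid, ogid, rdev, nametype and the cap_* fields; the scenario.assert for the sibling logging_config_change test shows the resulting source value is `""`). Every alert from this rule therefore lands on one empty source, and since `blackhole: 2m` is presumably applied per source, a first hit on any audit config file would mute all others for two minutes. The same construction is used in lnx_auditd_ld_so_preload_mod and lnx_auditd_logging_config_change in this series, and lnx_auditd_find_cred_in_files matches `EXECVE` records, which carry no `ppid` either. A scope on `evt.Meta.auditd_eventid` would at least be distinct per audit event; a real pid scope needs the SYSCALL record of the same event id to be correlated, e.g. through a parser stash keyed on `auditd_eventid`.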
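Review bot: The filter `evt.Line.Raw contains 'grep' && evt.Line.Raw contains 'password'` substring-matches the whole raw EXECVE line, so any argument or file name containing those strings qualifies and the executed program is never checked (a `cat` of a file named with both words fires it, a `grep` for `passwd` does not). The parser hunk earlier in this series now exposes the joined argument list as `evt.Meta.execve_full_str`; anchoring on that value, e.g. `evt.Meta.execve_full_str startsWith 'grep'` or a check on the first argument, would be more precise than the raw line. Note also the parser's own remark that hex-encoded arguments are not decoded yet: auditd hex-encodes arguments that contain whitespace or quotes, so such invocations stay invisible to this rule until decoding is added, which is worth stating in the description. The `evt.Meta.ppid` scope issue for EXECVE records is covered on the hunk above.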
@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/lnx_auditd_ld_so_preload_mod
+description: |
+ Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+filter: |
+ (evt.Parsed.program == 'auditd') && (evt.Meta.auditd_type == 'PATH' && evt.Meta.name == '/etc/ld.so.preload')
+blackhole: 2m
+#status: test
+labels:
+ service: linux
+ confidence: 1
+ spoofable: 0
+ label: "Modification of ld.so.preload"
+ behavior : "linux:audit"
+ remediation: false
+ classification:
+ - attack.t1574.006
+
+
+scope:
+ type: pid
+ expression: evt.Meta.ppid
+
diff --git a/scenarios/sigmahq/lnx_auditd_load_module_insmod.yml b/scenarios/sigmahq/lnx_auditd_load_module_insmod.yml
new file mode 100644
index 00000000000..5742e894e30
--- /dev/null
+++ b/scenarios/sigmahq/lnx_auditd_load_module_insmod.yml
@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/lnx_auditd_load_module_insmod
+description: |
+ Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
+filter: |
+ (evt.Parsed.program == 'auditd') && (evt.Meta.auditd_type == 'SYSCALL' && evt.Meta.comm == 'insmod' && evt.Meta.exe == '/usr/bin/kmod')
+blackhole: 2m
+#status: test
+labels:
+ service: linux
+ confidence: 1
+ spoofable: 0
+ label: "Loading of Kernel Module via Insmod"
+ behavior : "linux:audit"
+ remediation: false
+ classification:
+ - attack.t1547.006
+
+
+scope:
+ type: pid
+ expression: evt.Meta.ppid
+
diff --git a/scenarios/sigmahq/lnx_auditd_logging_config_change.yml b/scenarios/sigmahq/lnx_auditd_logging_config_change.yml
new file mode 100644
index 00000000000..b8e5791d958
--- /dev/null
+++ b/scenarios/sigmahq/lnx_auditd_logging_config_change.yml
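Review bot: The filter `evt.Meta.comm == 'insmod' && evt.Meta.exe == '/usr/bin/kmod'` in lnx_auditd_load_module_insmod keys on the process name and one hard-coded binary path rather than on the module load itself, so the same kmod binary invoked under another of its names (`modprobe`), or installed at a different path on a distribution without a merged /usr, produces no alert, and the SYSCALL record for the actual `init_module`/`finit_module` call is never consulted. The parser in this series appears to set `syscall_num` only for syscall 59, so a syscall-based filter would need a parser change first; until then `evt.Meta.exe endsWith '/kmod' && evt.Meta.comm in ['insmod', 'modprobe']` would be less brittle than the exact match. Because the matched record is the execve of insmod, the rule fires whether or not the module load afterwards succeeds (an unprivileged user's attempt produces the same execve record), which the description should say. The `evt.Meta.ppid` scope issue for the PATH-based ld_so_preload_mod hunk above is raised on the auditing_config_change hunk.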
@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/lnx_auditd_logging_config_change
+description: |
+ Detect changes of syslog daemons configuration files
+filter: |
+ (evt.Parsed.program == 'auditd') && (evt.Meta.auditd_type == 'PATH' && (evt.Meta.name in ['/etc/syslog.conf', '/etc/rsyslog.conf', '/etc/syslog-ng/syslog-ng.conf']))
+blackhole: 2m
+#status: test
+labels:
+ service: linux
+ confidence: 1
+ spoofable: 0
+ label: "Logging Configuration Changes on Linux Host"
+ behavior : "linux:audit"
+ remediation: false
+ classification:
+ - attack.t1562.006
+
+
+scope:
+ type: pid
+ expression: evt.Meta.ppid
+
From 1c3feb02833048632be2a2c263053d1706686783 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 18 Dec 2024 09:43:43 +0000
Subject: [PATCH 09/25] Update index
---
 .index.json | 145 +++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 139 insertions(+), 6 deletions(-)
diff --git a/.index.json b/.index.json
index 312cd589849..7293e6c66ba 100644
--- a/.index.json
+++ b/.index.json
@@ -3932,7 +3932,7 @@ }, "crowdsecurity/auditd": { "path": "collections/crowdsecurity/auditd.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "784496b8295720e314a9a5da7bbc6645605781a4cb46595ebb4c04b158468768",
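Review bot: `evt.Meta.name in ['/etc/syslog.conf', '/etc/rsyslog.conf', '/etc/syslog-ng/syslog-ng.conf']` covers only the three top-level files, while rsyslog and syslog-ng typically include drop-in directories (`/etc/rsyslog.d/`, `/etc/syslog-ng/conf.d/`) where a configuration change is just as effective; a `startsWith` clause for those paths, as the auditing_config_change scenario in this series already does for `/etc/audit/`, would close that gap. The filter also accepts any PATH record that names the file, so unless the audit watch rule is restricted to write and attribute access (`-p wa`) a plain read of `/etc/rsyslog.conf` triggers it; the description promises "changes", which a PATH record alone does not establish, and that dependency on the audit rule set should be stated. The `evt.Meta.ppid` scope issue for PATH records is raised on the auditing_config_change hunk.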
@@ -3957,10 +3957,14 @@ "0.6": { "digest": "22934d51878ef76b5cece7d8af7788803d9c735f9f4a1926e1beaac56259f5f6", "deprecated": false + }, + "0.7": { + "digest": "a6491d9b7e8b46704f9e5393fed6abdf9ef4efa835789e4ee60bb2e0bb87b59c", + "deprecated": false } }, - "long_description": "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", - "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9hdWRpdGQtcG9zdGV4cGxvaXQtcm0KICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXBvc3RleHBsb2l0LXBraWxsCiAgLSBjcm93ZHNlY3VyaXR5L2F1ZGl0ZC1wb3N0ZXhwbG9pdC1leGVjLWZyb20tbmV0CiAgLSBjcm93ZHNlY3VyaXR5L2F1ZGl0ZC1zdXMtZXhlYwogIC0gY3Jvd2RzZWN1cml0eS9hdWRpdGQtYmFzZTY0LWV4ZWMtYmVoYXZpb3IKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXN1aWQtY3Jhc2gKcG9zdG92ZXJmbG93czoKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXdoaXRlbGlzdGVkLXByb2Nlc3MKZGVzY3JpcHRpb246ICJhdWRpdGQgc3VwcG9ydCA6IHBhcnNlcnMgYW5kIHNjZW5hcmlvcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSBhdWRpdGQKICAtIGNvbXBsaWFuY2UKICAtIHBvc3RleHBsb2l0YXRpb24KCgo=", + "long_description": "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", + "content": 
"cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9hdWRpdGQtcG9zdGV4cGxvaXQtcm0KICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXBvc3RleHBsb2l0LXBraWxsCiAgLSBjcm93ZHNlY3VyaXR5L2F1ZGl0ZC1wb3N0ZXhwbG9pdC1leGVjLWZyb20tbmV0CiAgLSBjcm93ZHNlY3VyaXR5L2F1ZGl0ZC1zdXMtZXhlYwogIC0gY3Jvd2RzZWN1cml0eS9hdWRpdGQtYmFzZTY0LWV4ZWMtYmVoYXZpb3IKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXN1aWQtY3Jhc2gKICAtIHNpZ21haHEvbG54X2F1ZGl0ZF9hdWRpdGluZ19jb25maWdfY2hhbmdlCiAgLSBzaWdtYWhxL2xueF9hdWRpdGRfZmluZF9jcmVkX2luX2ZpbGVzCiAgLSBzaWdtYWhxL2xueF9hdWRpdGRfbGRfc29fcHJlbG9hZF9tb2QKICAtIHNpZ21haHEvbG54X2F1ZGl0ZF9sb2FkX21vZHVsZV9pbnNtb2QKICAtIHNpZ21haHEvbG54X2F1ZGl0ZF9sb2dnaW5nX2NvbmZpZ19jaGFuZ2UKcG9zdG92ZXJmbG93czoKICAtIGNyb3dkc2VjdXJpdHkvYXVkaXRkLXdoaXRlbGlzdGVkLXByb2Nlc3MKZGVzY3JpcHRpb246ICJhdWRpdGQgc3VwcG9ydCA6IHBhcnNlcnMgYW5kIHNjZW5hcmlvcyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSBhdWRpdGQKICAtIGNvbXBsaWFuY2UKICAtIHBvc3RleHBsb2l0YXRpb24KCgo=", "description": "auditd support : parsers and scenarios", "author": "crowdsecurity", "labels": null, @@ -3976,7 +3980,12 @@ "crowdsecurity/auditd-postexploit-exec-from-net", "crowdsecurity/auditd-sus-exec", "crowdsecurity/auditd-base64-exec-behavior", - "crowdsecurity/auditd-suid-crash" + "crowdsecurity/auditd-suid-crash", + "sigmahq/lnx_auditd_auditing_config_change", + "sigmahq/lnx_auditd_find_cred_in_files", + "sigmahq/lnx_auditd_ld_so_preload_mod", + "sigmahq/lnx_auditd_load_module_insmod", + "sigmahq/lnx_auditd_logging_config_change" ] }, "crowdsecurity/aws-cis-benchmark": { @@ -7806,7 +7815,7 @@ "crowdsecurity/auditd-logs": { "path": "parsers/s01-parse/crowdsecurity/auditd-logs.yaml", "stage": "s01-parse", - "version": "1.0", + "version": "1.1", "versions": { "0.1": { "digest": "fa23b38e12ef4abce21475ad78c3d6650538c88e68f8235f74afc238345b0279", 
@@ -7847,9 +7856,13 @@ "1.0": { "digest": "4a3e90a2064ff4ef39566f9d8f85e8909ba39ee5530b3407f73e7961bcd6b187", "deprecated": false + }, + "1.1": { + "digest": "0ee9e59cc6ed348d9f400fce36e0dd2f1941832da70c5f94e1e2f09f39f7ccfe", + "deprecated": false } }, - "content": "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", + "content": "I3R5cGU9U1lTQ0FMTCBtc2c9YXVkaXQoMTY3MjMzMDk1NS4yNzM6NDQzMyk6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD0yNjMgc3VjY2Vzcz1ubyBleGl0PS0yIGEwPWZmZmZmZjljIGExPTU1NzE2MjM5NjU5MCBhMj0wIGEzPTAgaXRlbXM9MSBwcGlkPTE0NDU3MSBwaWQ9MTQ1NDAwIGF1aWQ9MTAwMCB1aWQ9MTAwMCBnaWQ9MTAwMCBldWlkPTEwMDAgc3VpZD0xMDAwIGZzdWlkPTEwMDAgZWdpZD0xMDAwIHNnaWQ9MTAwMCBmc2dpZD0xMDAwIHR0eT1wdHMwIHNlcz03OSBjb21tPSJybSIgZXhlPSIvdXNyL2Jpbi9ybSIga2V5PSJmaWxlX21vZGlmaWNhdGlvbiIKCgojdHlwZT1FWEVDVkUgbXNnPWF1ZGl0KDE3MzQwOTMxNDEuNDU1OjkyMik6IGFyZ2M9MiBhMD0iaWQiIGExPSItYSIKI3R5cGU9UEFUSCBtc2c9YXVkaXQoMTczNDA5MzE0MS40NTU6OTIyKTogaXRlbT0wIG5hbWU9Ii91c3IvYmluL2lkIiBpbm9kZT01NTA1NDk5IGRldj0wODowMiBtb2RlPTAxMDA3NTUgb3VpZD0wIG9naWQ9MCByZGV2PTAwOjAwIG5hbWV0eXBlPU5PUk1BTCBjYXBfZnA9MCBjYXBfZmk9MCBjYXBfZmU9MCBjYXBfZnZlcj0wIGNhcF9mcm9vdGlkPTAKI3R5cGU9UEFUSCBtc2c9YXVkaXQoMTczNDA5MzE0MS40NTU6OTIyKTogaXRlbT0xIG5hbWU9Ii9saWI2NC9sZC1saW51eC14ODYtNjQuc28uMiIgaW5vZGU9NTUwNTkwNCBkZXY9MDg6MDIgbW9kZT0wMTAwNzU1IG91aWQ9MCBvZ2lkPTAgcmRldj0wMDowMCBuYW1ldHlwZT1OT1JNQUwgY2FwX2ZwPTAgY2FwX2ZpPTAgY2FwX2ZlPTAgY2FwX2Z2ZXI9MCBjYXBfZnJvb3RpZD0wCgoKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIGF1ZGl0ZCBsb2dzIgpmaWx0ZXI6ICJldnQuUGFyc2VkLnByb2dyYW0gPT0gJ2F1ZGl0ZCciCm9uc3VjY2VzczogbmV4dF9zdGFnZQpkZWJ1ZzogdHJ1ZQpwYXR0ZXJuX3N5bnRheDoKICBGTE9BVDogJ1swLTlcLl0rJwoKbm9kZXM6CiAgI1NZU0NBTEwgNTkgb24geDg2XzY0IC0+IGV4ZWN2ZQogIC0gZmlsdGVyOiBQYXJzZUtWKGV2dC5QYXJzZWQubWVzc2FnZSwgZXZ0LlVubWFyc2hhbGVkLCAiYXVkaXRkIikgPT0gbmlsICMgPT0gbmlsIGlzIHJlcXVpcmVkIGJlY2F1c2UgUGFyc2VLViBkb2VzIG5vdCByZXR1cm4gYSB2YWx1ZQogICAgbm9kZXM6CiAgICAgIC0gZ3JvazoKICAgICAgICAgIHBhdHRlcm46ICcle1dPUkQ6bXNnX3R5cGV9XCgle0ZMT0FUOnRpbWVzdGFtcH06JXtJTlQ6ZXZlbnR
faW5jX2lkfVwpOicKICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQubXNnCiAgICAgICAgbm9kZXM6CiMgdHlwZT1QQVRIIG1zZz1hdWRpdCgxNzM0MTEyNDMxLjY3NTozNzg0KTogaXRlbT0xIG5hbWU9Ii9iaW4vc2giIGlub2RlPTU1MDUxNjUgZGV2PTA4OjAyIG1vZGU9MDEwMDc1NSBvdWlkPTAgb2dpZD0wIHJkZXY9MDA6MDAgbmFtZXR5cGU9Tk9STUFMIGNhcF9mcD0wIGNhcF9maT0wIGNhcF9mZT0wIGNhcF9mdmVyPTAgY2FwX2Zyb290aWQ9MAogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiUEFUSCIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogcGF0aAogICAgICAgICAgICAgIC0gbWV0YTogaXRlbQogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5pdGVtCiAgICAgICAgICAgICAgLSBtZXRhOiBuYW1lCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm5hbWUKICAgICAgICAgICAgICAtIG1ldGE6IGlub2RlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmlub2RlCiAgICAgICAgICAgICAgLSBtZXRhOiBkZXYKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZGV2CiAgICAgICAgICAgICAgLSBtZXRhOiBtb2RlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm1vZGUKICAgICAgICAgICAgICAtIG1ldGE6IG91aWQKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQub3VpZAogICAgICAgICAgICAgIC0gbWV0YTogb2dpZAogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5vZ2lkCiAgICAgICAgICAgICAgLSBtZXRhOiByZGV2CiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnJkZXYKICAgICAgICAgICAgICAtIG1ldGE6IG5hbWV0eXBlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm5hbWV0eXBlCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZnAKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZwCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZmkKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZpCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZmUKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZlCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZnZlcgogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGV
kLmF1ZGl0ZC5jYXBfZnZlcgogICAgICAgICAgICAgIC0gbWV0YTogY2FwX2Zyb290aWQKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2Zyb290aWQKICAgICAgICAgICAgICAjIGZvciBTRSBsaW51eAogICAgICAgICAgICAgIC0gbWV0YTogb2JqCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm9iagogICAgICAgICAgICAgIC0gbWV0YTogb2JqdHlwZQogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5vYmp0eXBlCiAgICAgICAgICAgICAgIyBlbmQgb2YgU0UgbGludXgKI3R5cGU9U0VSVklDRV9TVE9QIG1zZz1hdWRpdCgxNzM0MzY1ODMxLjI3Mjo4NzYpOiBwaWQ9MSB1aWQ9MCBhdWlkPTQyOTQ5NjcyOTUgc2VzPTQyOTQ5NjcyOTUgc3Viaj11bmNvbmZpbmVkIG1zZz0ndW5pdD1wYWNrYWdla2l0IGNvbW09InN5c3RlbWQiIGV4ZT0iL3Vzci9saWIvc3lzdGVtZC9zeXN0ZW1kIiBob3N0bmFtZT0/IGFkZHI9PyB0ZXJtaW5hbD0/IHJlcz1zdWNjZXNzJ1VJRD0icm9vdCIgQVVJRD0idW5zZXQiCiAgICAgICAgICAtIGZpbHRlcjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC50eXBlID09ICJTRVJWSUNFX1NUT1AiCiAgICAgICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgICAgICAgdmFsdWU6IHNlcnZpY2Vfc3RvcAoKIyB0eXBlPUVYRUNWRSBtc2c9YXVkaXQoMTczNDA5MzcxMy41NjU6MTAzMSk6IGFyZ2M9MTAxIGEwPSJpZCIgYTE9IjEiIGEyPSIyIiBhMz0iMyIgYTQ9IjQiIGE1PSI1IiBhNj0iNiIgYTc9IjciIGE4PSI4IiBhOT0iOSIgYTEwPSIxMCIgYTExPSIxMSIgYTEyPSIxMiIgYTEzPSIxMyIgYTE0PSIxNCIgYTE1PSIxNSIgYTE2PSIxNiIgYTE3PSIxNyIgYTE4PSIxOCIgYTE5PSIxOSIgYTIwPSIyMCIgYTIxPSIyMSIgYTIyPSIyMiIgYTIzPSIyMyIgYTI0PSIyNCIgYTI1PSIyNSIgYTI2PSIyNiIgYTI3PSIyNyIgYTI4PSIyOCIgYTI5PSIyOSIgYTMwPSIzMCIgYTMxPSIzMSIgYTMyPSIzMiIgYTMzPSIzMyIgYTM0PSIzNCIgYTM1PSIzNSIgYTM2PSIzNiIgYTM3PSIzNyIgYTM4PSIzOCIgYTM5PSIzOSIgYTQwPSI0MCIgYTQxPSI0MSIgYTQyPSI0MiIgYTQzPSI0MyIgYTQ0PSI0NCIgYTQ1PSI0NSIgYTQ2PSI0NiIgYTQ3PSI0NyIgYTQ4PSI0OCIgYTQ5PSI0OSIgYTUwPSI1MCIgYTUxPSI1MSIgYTUyPSI1MiIgYTUzPSI1MyIgYTU0PSI1NCIgYTU1PSI1NSIgYTU2PSI1NiIgYTU3PSI1NyIgYTU4PSI1OCIgYTU5PSI1OSIgYTYwPSI2MCIgYTYxPSI2MSIgYTYyPSI2MiIgYTYzPSI2MyIgYTY0PSI2NCIgYTY1PSI2NSIgYTY2PSI2NiIgYTY3PSI2NyIgYTY4PSI2OCIgYTY5PSI2OSIgYTcwPSI3MCIgYTcxPSI3MSIgYTcyPSI3MiIgYTczPSI3MyIgYTc0PSI3NCIgYTc1PSI3NSIgYTc2PSI3NiIgYTc3PSI3NyIgYTc4PSI3OCIgYTc5PSI3OSIgYTg
wPSI4MCIgYTgxPSI4MSIgYTgyPSI4MiIgYTgzPSI4MyIgYTg0PSI4NCIgYTg1PSI4NSIgYTg2PSI4NiIgYTg3PSI4NyIgYTg4PSI4OCIgYTg5PSI4OSIgYTkwPSI5MCIgYTkxPSI5MSIgYTkyPSI5MiIgYTkzPSI5MyIgYTk0PSI5NCIgYTk1PSI5NSIgYTk2PSI5NiIgYTk3PSI5NyIgYTk4PSI5OCIgYTk5PSI5OSIgYTEwMD0iMTAwIgogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiRVhFQ1ZFIgogICAgICAgICAgICBzdGF0aWNzOgogICAgICAgICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgICAgICAgIHZhbHVlOiBleGVjdmUKICAgICAgICAgICAgICAtIG1ldGE6IGV4ZWN2ZV9mdWxsX3N0cgogICAgICAgICAgICAgICAgI3dlIG9ubHkga2VlcCB0aGUgImFbMC05XSsiIGtleXMgYW5kIGpvaW4gdGhlbSBpbnRvIGEgc3RyaW5nCiAgICAgICAgICAgICAgICAjd2UncmUgbm90IGRlYWxpbmcgeWV0IHdpdGggaGV4IGVuY29kZWQgYXJndW1lbnRzCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiB8CiAgICAgICAgICAgICAgICAgIGxldCBhcmdzID0gZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZCB8IGtleXMoKSB8IGZpbHRlcigjIG1hdGNoZXMgIl5hWzAtOV0rJCIpOwogICAgICAgICAgICAgICAgICBtYXAoc29ydEJ5KGFyZ3MsIHsgaW50KCNbMTpdKSB9LCAiYXNjIiksIGdldChldnQuVW5tYXJzaGFsZWQuYXVkaXRkLCAjKSkgfCBqb2luKCIgIikKICAgICAgICAgICAgICAjRm9yIGNvbXBhdGliaWxpdHkgd2l0aCBTaWdtYSwgd2UnbGwgYXMgd2VsbCBrZWVwIHRoZSBhMS9hMi9hLi4uIGFyZ3MKICAgICAgICAgICAgICAtIHBhcnNlZDogYTEKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTEKICAgICAgICAgICAgICAtIHBhcnNlZDogYTIKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTIKICAgICAgICAgICAgICAtIHBhcnNlZDogYTMKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTMKICAgICAgICAgICAgICAtIHBhcnNlZDogYTQKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTQKICAgICAgICAgICAgICAtIHBhcnNlZDogYTUKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTUKICAgICAgICAgICAgICAtIHBhcnNlZDogYTYKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTYKICAgICAgICAgICAgICAtIHBhcnNlZDogYTcKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTcKIyB0eXBlPVNZU0NBTEwgbXNnPWF1ZGl0KDE3MzQwOTMxNDEuNDU1OjkyMik6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD01OSBzdWNjZXNzPXllcyBleGl0PTAgYTA9NTYzZGIxNGM5ODAwIGExPTU
2M2RiMTRjNjM3MCBhMj01NjNkYjE0YzVlNzAgYTM9OCBpdGVtcz0yIHBwaWQ9MTM0NDM1MSBwaWQ9MTM0NDM1OCBhdWlkPTEwMDAgdWlkPTEwMDAgZ2lkPTEwMDAgZXVpZD0xMDAwIHN1aWQ9MTAwMCBmc3VpZD0xMDAwIGVnaWQ9MTAwMCBzZ2lkPTEwMDAgZnNnaWQ9MTAwMCB0dHk9cHRzMSBzZXM9NTQ0OCBjb21tPSJpZCIgZXhlPSIvdXNyL2Jpbi9pZCIga2V5PSJyZWNvbiIKICAgICAgICAgIC0gZmlsdGVyOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnR5cGUgPT0gIlNZU0NBTEwiIGFuZCBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmFyY2ggPT0gImMwMDAwMDNlIiBhbmQgZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zeXNjYWxsID09ICI1OSIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IHN5c2NhbGxfbnVtCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnN5c2NhbGwKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogc3lzY2FsbF9leGVjdmUKICAgICAgICAgICAgICAjbGV0J3MgaHlkcmF0ZSB3aXRoIHBwaWQgcHJvY2VzcyBpZiB3ZSBjYW4gOikKICAgICAgICAgICAgICAtIHRhcmdldDogZXZ0Lk1ldGEucGFyZW50X3Byb2duYW1lCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBHZXRGcm9tU3Rhc2goImF1ZGl0ZF9waWRfcHJvZ25hbWUiLCBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBwaWQpCiAgICAgICAgICAgICNsZXQncyBjYXB0dXJlIHByb2Nlc3MgbmFtZSBpZiB3ZSBjYW4KICAgICAgICAgICAgc3Rhc2g6CiAgICAgICAgICAgICAgLSBuYW1lOiBhdWRpdGRfcGlkX3Byb2duYW1lCiAgICAgICAgICAgICAgICBrZXk6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucGlkCiAgICAgICAgICAgICAgICB2YWx1ZTogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5leGUKICAgICAgICAgICAgICAgIHR0bDogMW0KICAgICAgICAgICAgICAgIHNpemU6IDEwMAogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiQU5PTV9BQkVORCIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogYW5vbV9hYmVuZAogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlBhcnNlZC50aW1lc3RhbXAKICAgICAgICAgIC0gbWV0YTogcHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBwaWQKICAgICAgICAgIC0gbWV0YTogZXhlCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZXhlCiAgICAgICAgICAtIG1ldGE6IHVpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnVpZAogICAgICAgICAgLSBtZXRhOiBhdWlkCiAgICA
gICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYXVpZAogICAgICAgICAgLSBtZXRhOiBldWlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZXVpZAogICAgICAgICAgLSBtZXRhOiBnaWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5naWQKICAgICAgICAgIC0gbWV0YTogc2VzCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuc2VzCiAgICAgICAgICAtIG1ldGE6IHN1YmoKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zdWJqCiAgICAgICAgICAtIG1ldGE6IHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBpZAogICAgICAgICAgLSBtZXRhOiBjb21tCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY29tbQogICAgICAgICAgLSBtZXRhOiBzaWcKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zaWcKICAgICAgICAgIC0gbWV0YTogdHR5CiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHR5CiAgICAgICAgICAtIG1ldGE6IHJlcwogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnJlcwogICAgICAgICAgLSBtZXRhOiBzdHJfVUlECiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuVUlECiAgICAgICAgICAtIG1ldGE6IHN0cl9HSUQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5HSUQgCiAgICAgICAgICAtIG1ldGE6IGF1ZGl0ZF9ldmVudGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQuZXZlbnRfaW5jX2lkCiAgICAgICAgICAtIG1ldGE6IGF1ZGl0ZF90eXBlCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZQo=", "description": "Parse auditd logs", "author": "crowdsecurity", "labels": null 
@@ -17854,6 +17867,126 @@ "spoofable": 0 } }, + "sigmahq/lnx_auditd_auditing_config_change": { + "path": "scenarios/sigmahq/lnx_auditd_auditing_config_change.yml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "ec07855e59d785af74822e795c213155f0fc69aea6f9fa7668f163a5c8b3e8a4", + "deprecated": false + } + }, + "content": "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", + "description": "Detect changes in auditd configuration files\n", + "author": "sigmahq", + "labels": { + "behavior": "linux:audit", + "classification": [ + "attack.t1562.006" + ], + "confidence": 1, + "label": "Auditing Configuration Changes on Linux Host", + "remediation": false, + "service": "linux", + "spoofable": 0 + } + }, + "sigmahq/lnx_auditd_find_cred_in_files": { + "path": "scenarios/sigmahq/lnx_auditd_find_cred_in_files.yml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "2bfbf339eed113a4965d83069f6cf5b6cfadc32c19e3e8eeb0e2c23e951a0336", + "deprecated": false + } + }, + "content": "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", + "description": "Detecting attempts to extract passwords with grep\n", + "author": "sigmahq", + "labels": { + "behavior": "linux:audit", + "classification": [ + "attack.t1552.001" + ], + "confidence": 1, + "label": "Credentials In Files - Linux", + "remediation": false, + "service": "linux", + "spoofable": 0 + } + }, + "sigmahq/lnx_auditd_ld_so_preload_mod": { + "path": "scenarios/sigmahq/lnx_auditd_ld_so_preload_mod.yml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "b1fd4104830b0b45e5eeb5ce727eedf2f603b57f9d4a691a668040595068d06c", + "deprecated": false + } + }, + "content": "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", + "description": "Identifies modification of ld.so.preload for shared object injection. 
This technique is used by attackers to load arbitrary code into processes.\n", + "author": "sigmahq", + "labels": { + "behavior": "linux:audit", + "classification": [ + "attack.t1574.006" + ], + "confidence": 1, + "label": "Modification of ld.so.preload", + "remediation": false, + "service": "linux", + "spoofable": 0 + } + }, + "sigmahq/lnx_auditd_load_module_insmod": { + "path": "scenarios/sigmahq/lnx_auditd_load_module_insmod.yml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "90aea7e4b44bd602f55be88dc331fee05e6edd8f304ae2ca48393a435698a66d", + "deprecated": false + } + }, + "content": "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", + "description": "Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. \n", + "author": "sigmahq", + "labels": { + "behavior": "linux:audit", + "classification": [ + "attack.t1547.006" + ], + "confidence": 1, + "label": "Loading of Kernel Module via Insmod", + "remediation": false, + "service": "linux", + "spoofable": 0 + } + }, + "sigmahq/lnx_auditd_logging_config_change": { + "path": "scenarios/sigmahq/lnx_auditd_logging_config_change.yml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "b38be5b2e2a02c35781afc031cd88ee3f6393c267a1ce0ffd99ef156df7c20c5", + "deprecated": false + } + }, + "content": "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", + "description": "Detect changes of syslog daemons configuration files\n", + "author": "sigmahq", + "labels": { + "behavior": "linux:audit", + "classification": [ + "attack.t1562.006" + ], + "confidence": 1, + "label": "Logging Configuration Changes on Linux Host", + "remediation": false, + "service": "linux", + "spoofable": 0 + } + }, "sigmahq/proc_creation_win_addinutil_suspicious_cmdline": { "path": 
"scenarios/sigmahq/proc_creation_win_addinutil_suspicious_cmdline.yml", "version": "0.2", From 896a71ed657580db646644f69472a91e66c171e0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 18 Dec 2024 09:58:13 +0000 Subject: [PATCH 10/25] Update taxonomy --- taxonomy/scenarios.json | 55 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json index 249973feb11..c060c58c7e9 100644 --- a/taxonomy/scenarios.json +++ b/taxonomy/scenarios.json 
@@ -5930,6 +5930,61 @@ "cti": true, "service": "sonarr" }, + "sigmahq/lnx_auditd_auditing_config_change": { + "name": "sigmahq/lnx_auditd_auditing_config_change", + "description": "Detect changes in auditd configuration files\n", + "label": "Auditing Configuration Changes on Linux Host", + "behaviors": [], + "mitre_attacks": [], + "confidence": 1, + "spoofable": 0, + "cti": true, + "service": "linux" + }, + "sigmahq/lnx_auditd_find_cred_in_files": { + "name": "sigmahq/lnx_auditd_find_cred_in_files", + "description": "Detecting attempts to extract passwords with grep\n", + "label": "Credentials In Files - Linux", + "behaviors": [], + "mitre_attacks": [], + "confidence": 1, + "spoofable": 0, + "cti": true, + "service": "linux" + }, + "sigmahq/lnx_auditd_ld_so_preload_mod": { + "name": "sigmahq/lnx_auditd_ld_so_preload_mod", + "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.\n", + "label": "Modification of ld.so.preload", + "behaviors": [], + "mitre_attacks": [], + "confidence": 1, + "spoofable": 0, + "cti": true, + "service": "linux" + }, + "sigmahq/lnx_auditd_load_module_insmod": { + "name": "sigmahq/lnx_auditd_load_module_insmod", + "description": "Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. 
\n", + "label": "Loading of Kernel Module via Insmod", + "behaviors": [], + "mitre_attacks": [], + "confidence": 1, + "spoofable": 0, + "cti": true, + "service": "linux" + }, + "sigmahq/lnx_auditd_logging_config_change": { + "name": "sigmahq/lnx_auditd_logging_config_change", + "description": "Detect changes of syslog daemons configuration files\n", + "label": "Logging Configuration Changes on Linux Host", + "behaviors": [], + "mitre_attacks": [], + "confidence": 1, + "spoofable": 0, + "cti": true, + "service": "linux" + }, "sigmahq/proc_creation_win_addinutil_suspicious_cmdline": { "name": "sigmahq/proc_creation_win_addinutil_suspicious_cmdline", "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. \n", From 1de45fc3c743afb119ef121c1aa06e3632deff38 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 18 Dec 2024 11:00:37 +0100 Subject: [PATCH 11/25] oopsie debug --- parsers/s01-parse/crowdsecurity/auditd-logs.yaml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml index 5485f46e4dd..e3be25896e0 100644 --- a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml 
@@ -1,16 +1,7 @@
-#type=SYSCALL msg=audit(1672330955.273:4433): arch=c000003e syscall=263 success=no exit=-2 a0=ffffff9c a1=557162396590 a2=0 a3=0 items=1 ppid=144571 pid=145400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=79 comm="rm" exe="/usr/bin/rm" key="file_modification"
-
-
-#type=EXECVE msg=audit(1734093141.455:922): argc=2 a0="id" a1="-a"
-#type=PATH msg=audit(1734093141.455:922): item=0 name="/usr/bin/id" inode=5505499 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
-#type=PATH msg=audit(1734093141.455:922): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5505904 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
-
-
 name: crowdsecurity/auditd-logs
 description: "Parse auditd logs"
 filter: "evt.Parsed.program == 'auditd'"
 onsuccess: next_stage
-debug: true
 pattern_syntax:
 FLOAT: '[0-9\.]+'
From c45b845ca30abaaa21050b92cd6e94601d9e64f2 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 18 Dec 2024 10:06:46 +0000
Subject: [PATCH 12/25] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index d5140fba29b..bc6478d6197 100644
--- a/.index.json
+++ b/.index.json
@@ -7836,7 +7836,7 @@ "crowdsecurity/auditd-logs": { "path": "parsers/s01-parse/crowdsecurity/auditd-logs.yaml", "stage": "s01-parse", - "version": "1.1", + "version": "1.2", "versions": { "0.1": { "digest": "fa23b38e12ef4abce21475ad78c3d6650538c88e68f8235f74afc238345b0279",
@@ -7881,9 +7881,13 @@ "1.1": { "digest": "0ee9e59cc6ed348d9f400fce36e0dd2f1941832da70c5f94e1e2f09f39f7ccfe", "deprecated": false + }, + "1.2": { + "digest": "5e931914f3ace47aa2817712c4949c850e293d0ef8431112ea783a3b6a9e96a5", + "deprecated": false } }, - "content": "I3R5cGU9U1lTQ0FMTCBtc2c9YXVkaXQoMTY3MjMzMDk1NS4yNzM6NDQzMyk6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD0yNjMgc3VjY2Vzcz1ubyBleGl0PS0yIGEwPWZmZmZmZjljIGExPTU1NzE2MjM5NjU5MCBhMj0wIGEzPTAgaXRlbXM9MSBwcGlkPTE0NDU3MSBwaWQ9MTQ1NDAwIGF1aWQ9MTAwMCB1aWQ9MTAwMCBnaWQ9MTAwMCBldWlkPTEwMDAgc3VpZD0xMDAwIGZzdWlkPTEwMDAgZWdpZD0xMDAwIHNnaWQ9MTAwMCBmc2dpZD0xMDAwIHR0eT1wdHMwIHNlcz03OSBjb21tPSJybSIgZXhlPSIvdXNyL2Jpbi9ybSIga2V5PSJmaWxlX21vZGlmaWNhdGlvbiIKCgojdHlwZT1FWEVDVkUgbXNnPWF1ZGl0KDE3MzQwOTMxNDEuNDU1OjkyMik6IGFyZ2M9MiBhMD0iaWQiIGExPSItYSIKI3R5cGU9UEFUSCBtc2c9YXVkaXQoMTczNDA5MzE0MS40NTU6OTIyKTogaXRlbT0wIG5hbWU9Ii91c3IvYmluL2lkIiBpbm9kZT01NTA1NDk5IGRldj0wODowMiBtb2RlPTAxMDA3NTUgb3VpZD0wIG9naWQ9MCByZGV2PTAwOjAwIG5hbWV0eXBlPU5PUk1BTCBjYXBfZnA9MCBjYXBfZmk9MCBjYXBfZmU9MCBjYXBfZnZlcj0wIGNhcF9mcm9vdGlkPTAKI3R5cGU9UEFUSCBtc2c9YXVkaXQoMTczNDA5MzE0MS40NTU6OTIyKTogaXRlbT0xIG5hbWU9Ii9saWI2NC9sZC1saW51eC14ODYtNjQuc28uMiIgaW5vZGU9NTUwNTkwNCBkZXY9MDg6MDIgbW9kZT0wMTAwNzU1IG91aWQ9MCBvZ2lkPTAgcmRldj0wMDowMCBuYW1ldHlwZT1OT1JNQUwgY2FwX2ZwPTAgY2FwX2ZpPTAgY2FwX2ZlPTAgY2FwX2Z2ZXI9MCBjYXBfZnJvb3RpZD0wCgoKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIGF1ZGl0ZCBsb2dzIgpmaWx0ZXI6ICJldnQuUGFyc2VkLnByb2dyYW0gPT0gJ2F1ZGl0ZCciCm9uc3VjY2VzczogbmV4dF9zdGFnZQpkZWJ1ZzogdHJ1ZQpwYXR0ZXJuX3N5bnRheDoKICBGTE9BVDogJ1swLTlcLl0rJwoKbm9kZXM6CiAgI1NZU0NBTEwgNTkgb24geDg2XzY0IC0+IGV4ZWN2ZQogIC0gZmlsdGVyOiBQYXJzZUtWKGV2dC5QYXJzZWQubWVzc2FnZSwgZXZ0LlVubWFyc2hhbGVkLCAiYXVkaXRkIikgPT0gbmlsICMgPT0gbmlsIGlzIHJlcXVpcmVkIGJlY2F1c2UgUGFyc2VLViBkb2VzIG5vdCByZXR1cm4gYSB2YWx1ZQogICAgbm9kZXM6CiAgICAgIC0gZ3JvazoKICAgICAgICAgIHBhdHRlcm46ICcle1dPUkQ6bXNnX3R5cGV9XCgle0ZMT0FUOnRpbWVzdGFtcH06JXtJTlQ6ZXZlbnRfaW5jX2lkfVwpOicKICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hd
WRpdGQubXNnCiAgICAgICAgbm9kZXM6CiMgdHlwZT1QQVRIIG1zZz1hdWRpdCgxNzM0MTEyNDMxLjY3NTozNzg0KTogaXRlbT0xIG5hbWU9Ii9iaW4vc2giIGlub2RlPTU1MDUxNjUgZGV2PTA4OjAyIG1vZGU9MDEwMDc1NSBvdWlkPTAgb2dpZD0wIHJkZXY9MDA6MDAgbmFtZXR5cGU9Tk9STUFMIGNhcF9mcD0wIGNhcF9maT0wIGNhcF9mZT0wIGNhcF9mdmVyPTAgY2FwX2Zyb290aWQ9MAogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiUEFUSCIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogcGF0aAogICAgICAgICAgICAgIC0gbWV0YTogaXRlbQogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5pdGVtCiAgICAgICAgICAgICAgLSBtZXRhOiBuYW1lCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm5hbWUKICAgICAgICAgICAgICAtIG1ldGE6IGlub2RlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmlub2RlCiAgICAgICAgICAgICAgLSBtZXRhOiBkZXYKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZGV2CiAgICAgICAgICAgICAgLSBtZXRhOiBtb2RlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm1vZGUKICAgICAgICAgICAgICAtIG1ldGE6IG91aWQKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQub3VpZAogICAgICAgICAgICAgIC0gbWV0YTogb2dpZAogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5vZ2lkCiAgICAgICAgICAgICAgLSBtZXRhOiByZGV2CiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnJkZXYKICAgICAgICAgICAgICAtIG1ldGE6IG5hbWV0eXBlCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm5hbWV0eXBlCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZnAKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZwCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZmkKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZpCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZmUKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2ZlCiAgICAgICAgICAgICAgLSBtZXRhOiBjYXBfZnZlcgogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5jYXBfZnZlcgogICAgICAgICAgICAgIC0gbWV0YTogY2FwX2Zyb290aWQKI
CAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY2FwX2Zyb290aWQKICAgICAgICAgICAgICAjIGZvciBTRSBsaW51eAogICAgICAgICAgICAgIC0gbWV0YTogb2JqCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLm9iagogICAgICAgICAgICAgIC0gbWV0YTogb2JqdHlwZQogICAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5vYmp0eXBlCiAgICAgICAgICAgICAgIyBlbmQgb2YgU0UgbGludXgKI3R5cGU9U0VSVklDRV9TVE9QIG1zZz1hdWRpdCgxNzM0MzY1ODMxLjI3Mjo4NzYpOiBwaWQ9MSB1aWQ9MCBhdWlkPTQyOTQ5NjcyOTUgc2VzPTQyOTQ5NjcyOTUgc3Viaj11bmNvbmZpbmVkIG1zZz0ndW5pdD1wYWNrYWdla2l0IGNvbW09InN5c3RlbWQiIGV4ZT0iL3Vzci9saWIvc3lzdGVtZC9zeXN0ZW1kIiBob3N0bmFtZT0/IGFkZHI9PyB0ZXJtaW5hbD0/IHJlcz1zdWNjZXNzJ1VJRD0icm9vdCIgQVVJRD0idW5zZXQiCiAgICAgICAgICAtIGZpbHRlcjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC50eXBlID09ICJTRVJWSUNFX1NUT1AiCiAgICAgICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgICAgICAgdmFsdWU6IHNlcnZpY2Vfc3RvcAoKIyB0eXBlPUVYRUNWRSBtc2c9YXVkaXQoMTczNDA5MzcxMy41NjU6MTAzMSk6IGFyZ2M9MTAxIGEwPSJpZCIgYTE9IjEiIGEyPSIyIiBhMz0iMyIgYTQ9IjQiIGE1PSI1IiBhNj0iNiIgYTc9IjciIGE4PSI4IiBhOT0iOSIgYTEwPSIxMCIgYTExPSIxMSIgYTEyPSIxMiIgYTEzPSIxMyIgYTE0PSIxNCIgYTE1PSIxNSIgYTE2PSIxNiIgYTE3PSIxNyIgYTE4PSIxOCIgYTE5PSIxOSIgYTIwPSIyMCIgYTIxPSIyMSIgYTIyPSIyMiIgYTIzPSIyMyIgYTI0PSIyNCIgYTI1PSIyNSIgYTI2PSIyNiIgYTI3PSIyNyIgYTI4PSIyOCIgYTI5PSIyOSIgYTMwPSIzMCIgYTMxPSIzMSIgYTMyPSIzMiIgYTMzPSIzMyIgYTM0PSIzNCIgYTM1PSIzNSIgYTM2PSIzNiIgYTM3PSIzNyIgYTM4PSIzOCIgYTM5PSIzOSIgYTQwPSI0MCIgYTQxPSI0MSIgYTQyPSI0MiIgYTQzPSI0MyIgYTQ0PSI0NCIgYTQ1PSI0NSIgYTQ2PSI0NiIgYTQ3PSI0NyIgYTQ4PSI0OCIgYTQ5PSI0OSIgYTUwPSI1MCIgYTUxPSI1MSIgYTUyPSI1MiIgYTUzPSI1MyIgYTU0PSI1NCIgYTU1PSI1NSIgYTU2PSI1NiIgYTU3PSI1NyIgYTU4PSI1OCIgYTU5PSI1OSIgYTYwPSI2MCIgYTYxPSI2MSIgYTYyPSI2MiIgYTYzPSI2MyIgYTY0PSI2NCIgYTY1PSI2NSIgYTY2PSI2NiIgYTY3PSI2NyIgYTY4PSI2OCIgYTY5PSI2OSIgYTcwPSI3MCIgYTcxPSI3MSIgYTcyPSI3MiIgYTczPSI3MyIgYTc0PSI3NCIgYTc1PSI3NSIgYTc2PSI3NiIgYTc3PSI3NyIgYTc4PSI3OCIgYTc5PSI3OSIgYTgwPSI4MCIgYTgxPSI4MSIgYTgyPSI4MiIgYTgzPSI4MyIgYTg0PSI4NCIgYTg1PSI4NSIgY
Tg2PSI4NiIgYTg3PSI4NyIgYTg4PSI4OCIgYTg5PSI4OSIgYTkwPSI5MCIgYTkxPSI5MSIgYTkyPSI5MiIgYTkzPSI5MyIgYTk0PSI5NCIgYTk1PSI5NSIgYTk2PSI5NiIgYTk3PSI5NyIgYTk4PSI5OCIgYTk5PSI5OSIgYTEwMD0iMTAwIgogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiRVhFQ1ZFIgogICAgICAgICAgICBzdGF0aWNzOgogICAgICAgICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgICAgICAgIHZhbHVlOiBleGVjdmUKICAgICAgICAgICAgICAtIG1ldGE6IGV4ZWN2ZV9mdWxsX3N0cgogICAgICAgICAgICAgICAgI3dlIG9ubHkga2VlcCB0aGUgImFbMC05XSsiIGtleXMgYW5kIGpvaW4gdGhlbSBpbnRvIGEgc3RyaW5nCiAgICAgICAgICAgICAgICAjd2UncmUgbm90IGRlYWxpbmcgeWV0IHdpdGggaGV4IGVuY29kZWQgYXJndW1lbnRzCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiB8CiAgICAgICAgICAgICAgICAgIGxldCBhcmdzID0gZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZCB8IGtleXMoKSB8IGZpbHRlcigjIG1hdGNoZXMgIl5hWzAtOV0rJCIpOwogICAgICAgICAgICAgICAgICBtYXAoc29ydEJ5KGFyZ3MsIHsgaW50KCNbMTpdKSB9LCAiYXNjIiksIGdldChldnQuVW5tYXJzaGFsZWQuYXVkaXRkLCAjKSkgfCBqb2luKCIgIikKICAgICAgICAgICAgICAjRm9yIGNvbXBhdGliaWxpdHkgd2l0aCBTaWdtYSwgd2UnbGwgYXMgd2VsbCBrZWVwIHRoZSBhMS9hMi9hLi4uIGFyZ3MKICAgICAgICAgICAgICAtIHBhcnNlZDogYTEKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTEKICAgICAgICAgICAgICAtIHBhcnNlZDogYTIKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTIKICAgICAgICAgICAgICAtIHBhcnNlZDogYTMKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTMKICAgICAgICAgICAgICAtIHBhcnNlZDogYTQKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTQKICAgICAgICAgICAgICAtIHBhcnNlZDogYTUKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTUKICAgICAgICAgICAgICAtIHBhcnNlZDogYTYKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTYKICAgICAgICAgICAgICAtIHBhcnNlZDogYTcKICAgICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYTcKIyB0eXBlPVNZU0NBTEwgbXNnPWF1ZGl0KDE3MzQwOTMxNDEuNDU1OjkyMik6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD01OSBzdWNjZXNzPXllcyBleGl0PTAgYTA9NTYzZGIxNGM5ODAwIGExPTU2M2RiMTRjNjM3MCBhMj01NjNkYjE0YzVlNzAgYTM9OCBpdGVtcz0yIHBwaWQ9MTM0NDM1M
SBwaWQ9MTM0NDM1OCBhdWlkPTEwMDAgdWlkPTEwMDAgZ2lkPTEwMDAgZXVpZD0xMDAwIHN1aWQ9MTAwMCBmc3VpZD0xMDAwIGVnaWQ9MTAwMCBzZ2lkPTEwMDAgZnNnaWQ9MTAwMCB0dHk9cHRzMSBzZXM9NTQ0OCBjb21tPSJpZCIgZXhlPSIvdXNyL2Jpbi9pZCIga2V5PSJyZWNvbiIKICAgICAgICAgIC0gZmlsdGVyOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnR5cGUgPT0gIlNZU0NBTEwiIGFuZCBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLmFyY2ggPT0gImMwMDAwMDNlIiBhbmQgZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zeXNjYWxsID09ICI1OSIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IHN5c2NhbGxfbnVtCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnN5c2NhbGwKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogc3lzY2FsbF9leGVjdmUKICAgICAgICAgICAgICAjbGV0J3MgaHlkcmF0ZSB3aXRoIHBwaWQgcHJvY2VzcyBpZiB3ZSBjYW4gOikKICAgICAgICAgICAgICAtIHRhcmdldDogZXZ0Lk1ldGEucGFyZW50X3Byb2duYW1lCiAgICAgICAgICAgICAgICBleHByZXNzaW9uOiBHZXRGcm9tU3Rhc2goImF1ZGl0ZF9waWRfcHJvZ25hbWUiLCBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBwaWQpCiAgICAgICAgICAgICNsZXQncyBjYXB0dXJlIHByb2Nlc3MgbmFtZSBpZiB3ZSBjYW4KICAgICAgICAgICAgc3Rhc2g6CiAgICAgICAgICAgICAgLSBuYW1lOiBhdWRpdGRfcGlkX3Byb2duYW1lCiAgICAgICAgICAgICAgICBrZXk6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQucGlkCiAgICAgICAgICAgICAgICB2YWx1ZTogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5leGUKICAgICAgICAgICAgICAgIHR0bDogMW0KICAgICAgICAgICAgICAgIHNpemU6IDEwMAogICAgICAgICAgLSBmaWx0ZXI6IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZSA9PSAiQU5PTV9BQkVORCIKICAgICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICAgICAgICB2YWx1ZTogYW5vbV9hYmVuZAogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlBhcnNlZC50aW1lc3RhbXAKICAgICAgICAgIC0gbWV0YTogcHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBwaWQKICAgICAgICAgIC0gbWV0YTogZXhlCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZXhlCiAgICAgICAgICAtIG1ldGE6IHVpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnVpZAogICAgICAgICAgLSBtZXRhOiBhdWlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuYXVpZAogICAgI
CAgICAgLSBtZXRhOiBldWlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuZXVpZAogICAgICAgICAgLSBtZXRhOiBnaWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5naWQKICAgICAgICAgIC0gbWV0YTogc2VzCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuc2VzCiAgICAgICAgICAtIG1ldGE6IHN1YmoKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zdWJqCiAgICAgICAgICAtIG1ldGE6IHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnBpZAogICAgICAgICAgLSBtZXRhOiBjb21tCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuY29tbQogICAgICAgICAgLSBtZXRhOiBzaWcKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5zaWcKICAgICAgICAgIC0gbWV0YTogdHR5CiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHR5CiAgICAgICAgICAtIG1ldGE6IHJlcwogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYXVkaXRkLnJlcwogICAgICAgICAgLSBtZXRhOiBzdHJfVUlECiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQuVUlECiAgICAgICAgICAtIG1ldGE6IHN0cl9HSUQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmF1ZGl0ZC5HSUQgCiAgICAgICAgICAtIG1ldGE6IGF1ZGl0ZF9ldmVudGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQuZXZlbnRfaW5jX2lkCiAgICAgICAgICAtIG1ldGE6IGF1ZGl0ZF90eXBlCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5hdWRpdGQudHlwZQo=", + "content": "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", "description": "Parse auditd logs", "author": "crowdsecurity", "labels": null From 52cea5e3403cc3fcd873ea423b395b3b3976811a Mon Sep 17 00:00:00 2001 
From: Thibault Koechlin
Date: Wed, 18 Dec 2024 12:20:29 +0100
Subject: [PATCH 13/25] fix tests
---
 .tests/auditd-base64-exec/scenario.assert | 18 ++++++++++++++++--
 .tests/auditd-logs-EXECVE/parser.assert | 6 +++---
 .tests/auditd-logs/parser.assert | 8 ++++----
 .../scenario.assert | 6 +++---
 .tests/auditd-postexploit-rm/scenario.assert | 12 ++++++------
 .tests/auditd-suid-crash/scenario.assert | 7 +++++--
 .../s01-parse/crowdsecurity/auditd-logs.yaml | 10 +++++-----
 .../auditd-base64-exec-behavior.yaml | 2 +-
 .../auditd-postexploit-exec-from-net.yaml | 2 +-
 .../auditd-postexploit-pkill.yaml | 2 +-
 .../crowdsecurity/auditd-postexploit-rm.yaml | 2 +-
 scenarios/crowdsecurity/auditd-suid-crash.yaml | 5 +++--
 12 files changed, 49 insertions(+), 31 deletions(-)
diff --git a/.tests/auditd-base64-exec/scenario.assert b/.tests/auditd-base64-exec/scenario.assert
index 5b1ccc4908c..c9232664993 100644
--- a/.tests/auditd-base64-exec/scenario.assert
+++ b/.tests/auditd-base64-exec/scenario.assert
@@ -5,22 +5,36 @@ results[0].Overflow.Sources["26843"].Range == ""
 results[0].Overflow.Sources["26843"].GetScope() == "pid"
 results[0].Overflow.Sources["26843"].GetValue() == "26843"
 results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "2995"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL"
 results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
+results[0].Overflow.Alert.Events[0].GetMeta("comm") == "perl"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-base64-exec.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("euid") == "1000"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/perl"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("gid") == "1000"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
+results[0].Overflow.Alert.Events[0].GetMeta("pid") == "27032"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "26843"
+results[0].Overflow.Alert.Events[0].GetMeta("ses") == "106985"
+results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-17T13:23:37Z"
 results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts2"
 results[0].Overflow.Alert.Events[0].GetMeta("uid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("auditd_eventid") == "2996"
+results[0].Overflow.Alert.Events[1].GetMeta("auditd_type") == "SYSCALL"
 results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
+results[0].Overflow.Alert.Events[1].GetMeta("comm") == "base64"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-base64-exec.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("euid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/usr/bin/base64"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[1].GetMeta("gid") == "1000"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
+results[0].Overflow.Alert.Events[1].GetMeta("pid") == "27031"
 results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "26843"
+results[0].Overflow.Alert.Events[1].GetMeta("ses") == "106985"
+results[0].Overflow.Alert.Events[1].GetMeta("syscall_num") == "59"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-17T13:23:37Z"
 results[0].Overflow.Alert.Events[1].GetMeta("tty") == "pts2"
 results[0].Overflow.Alert.Events[1].GetMeta("uid") == "1000"
diff --git a/.tests/auditd-logs-EXECVE/parser.assert b/.tests/auditd-logs-EXECVE/parser.assert
index c9aa5ad1be8..661ec7ab017 100644
--- a/.tests/auditd-logs-EXECVE/parser.assert
+++ b/.tests/auditd-logs-EXECVE/parser.assert
@@ -33,7 +33,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["auditd_eventid"]
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["execve_full_str"] == "id a=1"
-results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "auditd_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a0"] == "id"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a1"] == "a=1"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["argc"] == "2"
@@ -50,7 +50,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auditd_eventid"]
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["execve_full_str"] == "/bin/sh /etc/update-motd.d/50-motd-news --force"
-results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "auditd_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a0"] == "/bin/sh"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a1"] == "/etc/update-motd.d/50-motd-news"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a2"] == "--force"
@@ -68,7 +68,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auditd_eventid"]
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["execve_full_str"] == "id 1 2 3 4 5 6 7 8 9 10 11 12 13"
-results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "auditd_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a9"] == "9"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a10"] == "10"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a3"] == "3"
diff --git a/.tests/auditd-logs/parser.assert b/.tests/auditd-logs/parser.assert
index 037369956b2..63f0a466afb 100644
--- a/.tests/auditd-logs/parser.assert
+++ b/.tests/auditd-logs/parser.assert
@@ -35,7 +35,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["message"] == "t
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_path"] == "auditd-logs.log"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["exe"] == "/usr/bin/perl"
-results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["tty"] == "pts2"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["uid"] == "1000"
 results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["auditd_eventid"] == "2995"
@@ -75,7 +75,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["timestamp"] ==
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["event_inc_id"] == "2996"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["message"] == "type=SYSCALL msg=audit(1684329817.579:2996): arch=c000003e syscall=59 success=yes exit=0 a0=237f5e8 a1=238d408 a2=2384008 a3=59a items=2 ppid=26843 pid=27031 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=106985 comm=\"base64\" exe=\"/usr/bin/base64\" key=(null)"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auditd_eventid"] == "2996"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auid"] == "1000"
 results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_path"] == "auditd-logs.log"
@@ -120,7 +120,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auditd_eventid"]
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_path"] == "auditd-logs.log"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["exe"] == "/usr/bin/perl"
-results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["ppid"] == "26843"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auid"] == "1000"
 results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["tty"] == "pts2"
@@ -164,7 +164,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["tty"] == "pts2"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["auditd_eventid"] == "2998"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["auid"] == "1000"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["exe"] == "/usr/bin/id"
-results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["ppid"] == "26843"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["uid"] == "1000"
 results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Unmarshaled["auditd"]["success"] == "yes"
diff --git a/.tests/auditd-postexploit-exec-from-net/scenario.assert b/.tests/auditd-postexploit-exec-from-net/scenario.assert
index 813124157a8..f60a99a6f17 100644
--- a/.tests/auditd-postexploit-exec-from-net/scenario.assert
+++ b/.tests/auditd-postexploit-exec-from-net/scenario.assert
@@ -9,7 +9,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/wget"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
 results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts2"
@@ -19,7 +19,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/bin/chmod"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
 results[0].Overflow.Alert.Events[1].GetMeta("tty") == "pts2"
@@ -29,7 +29,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("exe") == "/tmp/blitz64"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[2].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
 results[0].Overflow.Alert.Events[2].GetMeta("tty") == "pts2"
diff --git a/.tests/auditd-postexploit-rm/scenario.assert b/.tests/auditd-postexploit-rm/scenario.assert
index f217b2973f3..03c0ac1a45c 100644
--- a/.tests/auditd-postexploit-rm/scenario.assert
+++ b/.tests/auditd-postexploit-rm/scenario.assert
@@ -9,7 +9,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts2"
@@ -19,7 +19,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[1].GetMeta("tty") == "pts2"
@@ -29,7 +29,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[2].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[2].GetMeta("tty") == "pts2"
@@ -39,7 +39,7 @@ results[0].Overflow.Alert.Events[3].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[3].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[3].GetMeta("tty") == "pts2"
@@ -49,7 +49,7 @@ results[0].Overflow.Alert.Events[4].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[4].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[4].GetMeta("tty") == "pts2"
@@ -59,7 +59,7 @@ results[0].Overflow.Alert.Events[5].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "auditd-postexploit-rm.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("exe") == "/bin/rm"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[5].GetMeta("ppid") == "26843"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-05-17T13:56:22Z"
 results[0].Overflow.Alert.Events[5].GetMeta("tty") == "pts2"
diff --git a/.tests/auditd-suid-crash/scenario.assert b/.tests/auditd-suid-crash/scenario.assert
index db4ac56f84a..41032badb4a 100644
--- a/.tests/auditd-suid-crash/scenario.assert
+++ b/.tests/auditd-suid-crash/scenario.assert
@@ -5,6 +5,7 @@ results[0].Overflow.Sources["/usr/bin/su"].Range == ""
 results[0].Overflow.Sources["/usr/bin/su"].GetScope() == "exe"
 results[0].Overflow.Sources["/usr/bin/su"].GetValue() == "/usr/bin/su"
 results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "8282"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL"
 results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[0].GetMeta("comm") == "su"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-suid-crash.log"
@@ -12,7 +13,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/su"
 results[0].Overflow.Alert.Events[0].GetMeta("gid") == "1000"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("parent_progname") == "/usr/bin/bash"
 results[0].Overflow.Alert.Events[0].GetMeta("pid") == "192019"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "192010"
@@ -20,17 +21,19 @@ results[0].Overflow.Alert.Events[0].GetMeta("ses") == "417"
 results[0].Overflow.Alert.Events[0].GetMeta("str_GID") == "bui"
 results[0].Overflow.Alert.Events[0].GetMeta("str_UID") == "bui"
 results[0].Overflow.Alert.Events[0].GetMeta("subj") == "unconfined"
+results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-10-04T14:54:42Z"
 results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts0"
 results[0].Overflow.Alert.Events[0].GetMeta("uid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("auditd_eventid") == "8283"
+results[0].Overflow.Alert.Events[1].GetMeta("auditd_type") == "ANOM_ABEND"
 results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("comm") == "su"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-suid-crash.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/usr/bin/su"
 results[0].Overflow.Alert.Events[1].GetMeta("gid") == "1000"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "anom_abend"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_anom_abend"
 results[0].Overflow.Alert.Events[1].GetMeta("pid") == "192019"
 results[0].Overflow.Alert.Events[1].GetMeta("res") == "1AUID"
 results[0].Overflow.Alert.Events[1].GetMeta("ses") == "417"
diff --git a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml
index e3be25896e0..bfeeb51a69f 100644
--- a/parsers/s01-parse/crowdsecurity/auditd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/auditd-logs.yaml
@@ -17,7 +17,7 @@ nodes:
 - filter: evt.Unmarshaled.auditd.type == "PATH"
 statics:
 - meta: log_type
- value: path
+ value: auditd_path
 - meta: item
 expression: evt.Unmarshaled.auditd.item
 - meta: name
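Review bot: The `log_type` values emitted by this parser are a contract that scenarios filter on (`evt.Meta.log_type`), so renaming `path` to `auditd_path` here — and `execve`, `syscall_execve` and `anom_abend` in the three later hunks of this file — makes any scenario that is not in this repository and still compares against the old names stop matching silently rather than fail. The in-tree scenarios are updated in the same commit, but nothing in the parser records that the names changed. A comment next to the first `log_type` static, e.g. `# log_type values are prefixed with auditd_; scenarios must filter on the prefixed names`, plus a line in the release notes would let operators who pinned their own scenarios catch the break.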
@@ -56,13 +56,13 @@ nodes: - filter: evt.Unmarshaled.auditd.type == "SERVICE_STOP" statics: - meta: log_type - value: service_stop + value: auditd_service_stop # type=EXECVE msg=audit(1734093713.565:1031): argc=101 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13" a14="14" a15="15" a16="16" a17="17" a18="18" a19="19" a20="20" a21="21" a22="22" a23="23" a24="24" a25="25" a26="26" a27="27" a28="28" a29="29" a30="30" a31="31" a32="32" a33="33" a34="34" a35="35" a36="36" a37="37" a38="38" a39="39" a40="40" a41="41" a42="42" a43="43" a44="44" a45="45" a46="46" a47="47" a48="48" a49="49" a50="50" a51="51" a52="52" a53="53" a54="54" a55="55" a56="56" a57="57" a58="58" a59="59" a60="60" a61="61" a62="62" a63="63" a64="64" a65="65" a66="66" a67="67" a68="68" a69="69" a70="70" a71="71" a72="72" a73="73" a74="74" a75="75" a76="76" a77="77" a78="78" a79="79" a80="80" a81="81" a82="82" a83="83" a84="84" a85="85" a86="86" a87="87" a88="88" a89="89" a90="90" a91="91" a92="92" a93="93" a94="94" a95="95" a96="96" a97="97" a98="98" a99="99" a100="100" - filter: evt.Unmarshaled.auditd.type == "EXECVE" statics: - meta: log_type - value: execve + value: auditd_execve - meta: execve_full_str #we only keep the "a[0-9]+" keys and join them into a string #we're not dealing yet with hex encoded arguments @@ -90,7 +90,7 @@ nodes: - meta: syscall_num expression: evt.Unmarshaled.auditd.syscall - meta: log_type - value: syscall_execve + value: auditd_syscall_execve #let's hydrate with ppid process if we can :) - target: evt.Meta.parent_progname expression: GetFromStash("auditd_pid_progname", evt.Unmarshaled.auditd.ppid) @@ -104,7 +104,7 @@ nodes: - filter: evt.Unmarshaled.auditd.type == "ANOM_ABEND" statics: - meta: log_type - value: anom_abend + value: auditd_anom_abend statics: - target: evt.StrTime expression: evt.Parsed.timestamp 
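Review bot: The EXECVE node in the `@@ -56` hunk joins `a0..aN` verbatim into `execve_full_str`, but auditd hex-encodes, unquoted, any argument containing a space, a quote or non-printable bytes (standard kernel audit behaviour for untrusted strings, worth confirming against a sample), so the field holds raw hex precisely for the command lines detections care about most, such as `sh -c "curl ... | sh"`; the comment `#we're not dealing yet with hex encoded arguments` acknowledges this, but scenarios matching on the field are not warned. Until decoding is added, a caveat on the meta would help scenario authors, e.g. `# NOTE: auditd hex-encodes a[N] values that contain spaces/quotes/non-printables; plain string matches on execve_full_str miss those` — whether the unmarshalled value still carries the surrounding quotes (which would allow telling the two forms apart) is not visible here. The `nodes:` list these three hunks edit starts and ends outside them.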
diff --git a/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml b/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
index 99ea946a267..94144a35fde 100644
--- a/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
+++ b/scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml
@@ -2,7 +2,7 @@ type: conditional
 #debug: true
 name: crowdsecurity/auditd-base64-exec-behavior
 description: "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)"
-filter: evt.Meta.log_type == 'syscall_execve'
+filter: evt.Meta.log_type == 'auditd_syscall_execve'
 #grouping by ppid to track a processs invoking base64 and interpreter in sequence
 groupby: evt.Meta.ppid
 condition: |
diff --git a/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml b/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
index 4f694342368..53a195eaf2e 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml
@@ -1,7 +1,7 @@
 type: conditional
 name: crowdsecurity/auditd-postexploit-exec-from-net
 description: "Detect post-exploitation behaviour : curl/wget and exec"
-filter: evt.Meta.log_type == 'syscall_execve'
+filter: evt.Meta.log_type == 'auditd_syscall_execve'
 #grouping by ppid to track a process doing those action in a short timeframe
 groupby: evt.Meta.ppid
 condition: |
diff --git a/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml b/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
index 745ece34e41..a3873c64380 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-pkill.yaml
@@ -3,7 +3,7 @@ type: leaky
 name: crowdsecurity/auditd-postexploit-pkill
 description: "Detect post-exploitation behaviour : pkill execve bursts"
 #we're looking for the EXCVE syscalls to 'pkill' (which is actually pgrep)
-filter: evt.Meta.log_type == 'syscall_execve' && evt.Meta.exe == '/usr/bin/pgrep'
+filter: evt.Meta.log_type == 'auditd_syscall_execve' && evt.Meta.exe == '/usr/bin/pgrep'
 #grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
 groupby: evt.Meta.ppid
 leakspeed: 1s
diff --git a/scenarios/crowdsecurity/auditd-postexploit-rm.yaml b/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
index 5cb9a8a1907..5f97dd2806b 100644
--- a/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
+++ b/scenarios/crowdsecurity/auditd-postexploit-rm.yaml
@@ -2,7 +2,7 @@ type: leaky
 #debug: true
 name: crowdsecurity/auditd-postexploit-rm
 description: "Detect post-exploitation behaviour : rm execve bursts"
-filter: evt.Meta.log_type == 'syscall_execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
+filter: evt.Meta.log_type == 'auditd_syscall_execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
 #grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
 groupby: evt.Meta.ppid
 leakspeed: 1s
diff --git a/scenarios/crowdsecurity/auditd-suid-crash.yaml b/scenarios/crowdsecurity/auditd-suid-crash.yaml
index b7cff0beac9..d0ef0ad43ac 100644
--- a/scenarios/crowdsecurity/auditd-suid-crash.yaml
+++ b/scenarios/crowdsecurity/auditd-suid-crash.yaml
@@ -1,9 +1,10 @@ type: conditional +debug: true name: crowdsecurity/auditd-suid-crash description: "Detect root suid process crashing" filter: | - (evt.Meta.log_type == 'syscall_execve' && evt.Meta.euid == '0' && evt.Meta.auid != '0') || - (evt.Meta.log_type == 'anom_abend' && evt.Meta.sig in ["4", "5", "6", "7", "11"]) + (evt.Meta.log_type == 'auditd_syscall_execve' && evt.Meta.euid == '0' && evt.Meta.auid != '0') || + (evt.Meta.log_type == 'auditd_anom_abend' && evt.Meta.sig in ["4", "5", "6", "7", "11"]) groupby: evt.Meta.pid distinct: evt.Meta.log_type condition: | From 51e094613713834b1a7a2c585dcc80f671b65994 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 18 Dec 2024 11:21:21 +0000 Subject: [PATCH 14/25] Update index --- .index.json | 48 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/.index.json b/.index.json index bc6478d6197..32f00a4f0b6 100644 --- a/.index.json +++ b/.index.json @@ -7836,7 +7836,7 @@ "crowdsecurity/auditd-logs": { "path": "parsers/s01-parse/crowdsecurity/auditd-logs.yaml", "stage": "s01-parse", - "version": "1.2", + "version": "1.3", "versions": { "0.1": { "digest": "fa23b38e12ef4abce21475ad78c3d6650538c88e68f8235f74afc238345b0279", @@ -7885,9 +7885,13 @@ "1.2": { "digest": "5e931914f3ace47aa2817712c4949c850e293d0ef8431112ea783a3b6a9e96a5", "deprecated": false + }, + "1.3": { + "digest": "6580ba666bf12429eefad2d00b89bd7111881e6d3a1245dd11b46d08e8c7ad44", + "deprecated": false } }, - "content": "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", + "content": "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", "description": "Parse auditd logs", "author": "crowdsecurity", "labels": null 
@@ -12330,7 +12334,7 @@ }, "crowdsecurity/auditd-base64-exec-behavior": { "path": "scenarios/crowdsecurity/auditd-base64-exec-behavior.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "01ad2b3595589418088a1e6632ef6347ccaee8300cc6bb4f5253e9163fbaa62d", @@ -12355,10 +12359,14 @@ "0.6": { "digest": "5b5113e120b48f93c41e38c329220f451c3fc15eb4b6cad06b0c85dff1da8afc", "deprecated": false + }, + "0.7": { + "digest": "2775a3a6a7cc336df24c685af100be54627e5819f2a9e0da2cb9013ddcd03e35", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYmFzZTY0IGV4ZWMgZGV0ZWN0aW9uCgpBdHRlbXB0IHRvIGRldGVjdCBhIHByb2Nlc3MgdGhhdCBpcyBpbnZva2luZyBib3RoIGBiYXNlNjRgIGFuZCBhbiBpbnRlcnByZXRlciBzdWNoIGFzIGBzaGAsIGBiYXNoYCwgYHBlcmxgLCBgZGFzaGAsIGB6c2hgIG9yIGBweXRob25gLgoKVGhpcyBwYXR0ZXJuIGlzIHVzdWFsbHkgc2VlbiBpbiBwb3N0LWV4cGxvaXRhdGlvbiBiZWhhdmlvcnMgdG8gaGF2ZSAiZmlsZSBsZXNzIiBiYWNrZG9vcnMgOgoKYGBgYmFzaAplY2hvIFpXTm9ieUFuYldGc2FXTnBiM1Z6SUhCaGVXeHZZV1FuQ2c9PSB8IGJhc2U2NCAtZCB8IGJhc2gKYGBgCg==", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)", "author": "crowdsecurity", "labels": { @@ -12375,7 +12383,7 @@ }, "crowdsecurity/auditd-postexploit-exec-from-net": { "path": "scenarios/crowdsecurity/auditd-postexploit-exec-from-net.yaml", - "version": "0.7", + "version": "0.8", "versions": { "0.1": { "digest": "8e98c791ceed799f8a8fa4b48cb7ed5cf5cf48f2bd715852abd618629ce2f117", 
@@ -12404,10 +12412,14 @@ "0.7": { "digest": "a75022a22a0936cde4a60b303e376f13d05b67b681c8fff8b39ab8bfb3f8ed0f", "deprecated": false + }, + "0.8": { + "digest": "b6c36b8893014dabcd8263e453c687695e0913b7495418b48b11ba883e7c35f6", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogZXhlY3V0ZSBwYXlsb2FkIGZyb20gaW50ZXJuZXQKCkF0dGVtcHQgdG8gZGV0ZWN0IGEgcHJvY2VzcyB0aGF0IGlzIHN1Y2Nlc3NpdmVseSBpbnZva2luZyBgY3VybGAgb3IgYHdnZXRgIGFuZCBleGVjdXRpbmcgYSBub24tc3RhbmRhcmQgcGF5bG9hZCBvciBzY3JpcHQuCgpUaGlzIHBhdHRlcm4gaXMgdXN1YWxseSBzZWVuIGluIHBvc3QtZXhwbG9pdGF0aW9uIGJlaGF2aW9ycyB0byB3aGVuIGRvd25sb2FkaW5nIGFuZCBleGVjdXRpbmcgYmFja2Rvb3JzIDoKCmBgYGJhc2gKY3VybCAtbyAvdG1wL3NtdGggaHR0cDovL1guWC5YLlgvc29tZV9tYWx3YXJlIDsgY2htb2QgK3ggL3RtcC9zbXRoIDsgL3RtcC9zbXRoCmBgYAo=", - "content": "dHlwZTogY29uZGl0aW9uYWwKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtcG9zdGV4cGxvaXQtZXhlYy1mcm9tLW5ldApkZXNjcmlwdGlvbjogIkRldGVjdCBwb3N0LWV4cGxvaXRhdGlvbiBiZWhhdmlvdXIgOiBjdXJsL3dnZXQgYW5kIGV4ZWMiCmZpbHRlcjogZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3N5c2NhbGxfZXhlY3ZlJwojZ3JvdXBpbmcgYnkgcHBpZCB0byB0cmFjayBhIHByb2Nlc3MgZG9pbmcgdGhvc2UgYWN0aW9uIGluIGEgc2hvcnQgdGltZWZyYW1lCmdyb3VwYnk6IGV2dC5NZXRhLnBwaWQKY29uZGl0aW9uOiB8CiAgYW55KHF1ZXVlLlF1ZXVlLCB7Lk1ldGEuZXhlIGluIFsiL3Vzci9iaW4vd2dldCIsICIvdXNyL2Jpbi9jdXJsIl19KSAKICBhbmQgKAogICAgYW55KHF1ZXVlLlF1ZXVlLCB7ICEoLk1ldGEuZXhlIHN0YXJ0c1dpdGggIi91c3IvIiBvciAuTWV0YS5leGUgc3RhcnRzV2l0aCAiL2Jpbi8iIG9yIC5NZXRhLmV4ZSBzdGFydHNXaXRoICIvc2Jpbi8iKX0pCiAgICBvciBhbnkocXVldWUuUXVldWUsIHsgLk1ldGEuZXhlIGluIFsiL2Jpbi9zaCIsICIvYmluL2Jhc2giLCAiL2Jpbi9kYXNoIl0gfSkKICApCmxlYWtzcGVlZDogMXMKY2FwYWNpdHk6IC0xCmJsYWNraG9sZTogMW0KbGFiZWxzOgogIHNlcnZpY2U6IGxpbnV4CiAgY29uZmlkZW5jZTogMgogIHNwb29mYWJsZTogMAogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDEwNTkuMDA0CiAgYmVoYXZpb3I6ICJsaW51eDpwb3N0LWV4cGxvaXRhdGlvbiIKICBsYWJlbDogIlBvc3QgRXhwbG9pdGF0aW9uIGNvbW1hbmQgZXhlY3V0aW9uIGZyb20gSW50ZXJuZXQiCiAgcmVtZWRpYXRpb246IGZhbHNlCnNjb3BlOgogIHR5cGU6IHBpZAogIGV4cHJlc3Npb246IGV2dC5NZXRhLnBwaWQK", + "content": 
"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", "description": "Detect post-exploitation behaviour : curl/wget and exec", "author": "crowdsecurity", "labels": { @@ -12424,7 +12436,7 @@ }, "crowdsecurity/auditd-postexploit-pkill": { "path": "scenarios/crowdsecurity/auditd-postexploit-pkill.yaml", - "version": "0.6", + "version": "0.7", "versions": { "0.1": { "digest": "a355d046ce043b9d8bbfa5af6da5adcd7713c87023760aa02c54318ad82a6cb6", @@ -12449,10 +12461,14 @@ "0.6": { "digest": "e813f99ebc1a13cdc51e4b44d49d7c4492195e23d068486d9ab978cd18fc3f09", "deprecated": false + }, + "0.7": { + "digest": "b4fa1e2c46c580c213fef4f90f5b3c6f3a2ac00190037d5ee827057583883a94", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYnVyc3Qgb2YgcHJvY2VzcyBraWxsaW5nCgpBdHRlbXB0IHRvIGRldGVjdCBhIHByb2Nlc3MgdGhhdCBpcyBhdHRlbXB0aW5nIHRvIGtpbGwgYSBsb3Qgb2YgM3JkIHBhcnR5IHByb2Nlc3Nlcy4KClRoaXMgcGF0dGVybiBpcyB1c3VhbGx5IHNlZW4gaW4gcG9zdC1leHBsb2l0YXRpb24gYmVoYXZpb3JzIHdoZXJlIGEgYmFja2Rvb3JzIGlzIHRyeWluZyB0byAia2lsbCIgY29tcGV0aXRpb24uCg==", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : pkill execve bursts", "author": "crowdsecurity", "labels": { @@ -12469,7 +12485,7 @@ }, "crowdsecurity/auditd-postexploit-rm": { "path": "scenarios/crowdsecurity/auditd-postexploit-rm.yaml", - "version": "0.7", + "version": "0.8", "versions": { "0.1": { "digest": "2e67dbdc8c9d1d41590bf25b9545d41896e474e824c02fd990d80a5ca6e26690", 
@@ -12498,10 +12514,14 @@ "0.7": { "digest": "a2f31cbf75ef6456234454ca97f9492989f36f83a96fe931910587d9958d6a83", "deprecated": false + }, + "0.8": { + "digest": "3c8457a1348d9b1828fd71b408fabf2f4d3be4bcf214b8bbb3381a721fa77f2b", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogYnVyc3Qgb2YgZmlsZSBzdXBwcmVzc2lvbgoKQXR0ZW1wdCB0byBkZXRlY3QgYSBwcm9jZXNzIHRoYXQgaXMgYXR0ZW1wdGluZyB0byBgcm1gIGEgbG90IG9mIGZpbGVzLgoKVGhpcyBwYXR0ZXJuIGlzIHVzdWFsbHkgc2VlbiBpbiBwb3N0LWV4cGxvaXRhdGlvbiBiZWhhdmlvcnMgd2hlcmUgYSBiYWNrZG9vcnMgaXMgdHJ5aW5nIHRvICJraWxsIiBjb21wZXRpdGlvbi4K", - "content": "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", + "content": "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", "description": "Detect post-exploitation behaviour : rm execve bursts", "author": "crowdsecurity", "labels": { @@ -12518,7 +12538,7 @@ }, "crowdsecurity/auditd-suid-crash": { "path": "scenarios/crowdsecurity/auditd-suid-crash.yaml", - "version": "0.7", + "version": "0.8", "versions": { "0.1": { "digest": "363efa4bbcda1abd870a49673ab402da63312259200e69bf9f80d565b24e4f45", 
@@ -12547,10 +12567,14 @@ "0.7": { "digest": "9ffcaec0627e6ac494495d1964d36c54c4e437af55ddf78d59be4878fde6ba51", "deprecated": false + }, + "0.8": { + "digest": "deda3c2a6703102de2eec8540b024300034e895ae15b1da6967ca75851067fc8", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogQ3Jhc2ggb2Ygc3VpZCBiaW5hcnkKCkF0dGVtcHQgdG8gZGV0ZWN0IGEgU1VJRCBiaW5hcnkgdGhhdCBjcmFzaGVzIHdpdGggYFNJR0lMTGAsIGBTSUdUUkFQYCwgYFNJR0FCUlRgLCBgU0lHQlVTYCwgYFNJR1NFR1ZgLgoKSXQgbWlnaHQgYmUgcmVsYXRlZCB0byBzb21lb25lIHRyeWluZyB0byBleHBsb2l0IGxvY2FsIHByaXZpbGVnZSBlc2NhbGF0aW9uIHN1Y2ggYXMgW0NWRS0yMDIzLTQ5MTFdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTQ5MTEpLgo=", - "content": "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", + "content": "dHlwZTogY29uZGl0aW9uYWwKZGVidWc6IHRydWUKbmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtc3VpZC1jcmFzaApkZXNjcmlwdGlvbjogIkRldGVjdCByb290IHN1aWQgcHJvY2VzcyBjcmFzaGluZyIKZmlsdGVyOiB8CiAgKGV2dC5NZXRhLmxvZ190eXBlID09ICdhdWRpdGRfc3lzY2FsbF9leGVjdmUnICYmIGV2dC5NZXRhLmV1aWQgPT0gJzAnICYmIGV2dC5NZXRhLmF1aWQgIT0gJzAnKSB8fAogIChldnQuTWV0YS5sb2dfdHlwZSA9PSAnYXVkaXRkX2Fub21fYWJlbmQnICYmIGV2dC5NZXRhLnNpZyBpbiBbIjQiLCAiNSIsICI2IiwgIjciLCAiMTEiXSkKZ3JvdXBieTogZXZ0Lk1ldGEucGlkCmRpc3RpbmN0OiBldnQuTWV0YS5sb2dfdHlwZQpjb25kaXRpb246IHwKICBsZW4ocXVldWUuUXVldWUpID49IDIgYW5kIAogICAgcXVldWUuUXVldWVbMF0uTWV0YS5leGUgPT0gcXVldWUuUXVldWVbMV0uTWV0YS5leGUKbGVha3NwZWVkOiAxcwpjYXBhY2l0eTogLTEKYmxhY2tob2xlOiAxbQpsYWJlbHM6CiAgY29uZmlkZW5jZTogMQogIHNwb29mYWJsZTogMAogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDE1NDguMDA0CiAgYmVoYXZpb3I6ICJsaW51eDpleHBsb2l0YXRpb24iCiAgbGFiZWw6ICJTdXNwaWNpb3VzIHN1aWQgcHJvY2VzcyBjcmFzaCIKICBzZXJ2aWNlOiBsaW51eAogIHJlbWVkaWF0aW9uOiBmYWxzZQpzY29wZToKICB0eXBlOiBleGUKICBleHByZXNzaW9uOiBldnQuTWV0YS5leGUK", "description": "Detect root suid process crashing", "author": "crowdsecurity", "labels": { From 1f8c7a5a65cb9a7639ed0c9269bb43e365a5e8d2 Mon Sep 17 00:00:00 2001 
From: Thibault Koechlin Date: Wed, 18 Dec 2024 12:27:41 +0100 Subject: [PATCH 15/25] debug mode --- scenarios/crowdsecurity/auditd-suid-crash.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/scenarios/crowdsecurity/auditd-suid-crash.yaml b/scenarios/crowdsecurity/auditd-suid-crash.yaml index d0ef0ad43ac..f5e23fed8b2 100644 --- a/scenarios/crowdsecurity/auditd-suid-crash.yaml +++ b/scenarios/crowdsecurity/auditd-suid-crash.yaml @@ -1,5 +1,4 @@ type: conditional -debug: true name: crowdsecurity/auditd-suid-crash description: "Detect root suid process crashing" filter: | From 018cff40f63b31ccd2ea892686c9479d60f91de3 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 18 Dec 2024 11:28:23 +0000 Subject: [PATCH 16/25] Update index --- .index.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.index.json b/.index.json index 32f00a4f0b6..ed0bcf7c5c3 100644 --- a/.index.json +++ b/.index.json @@ -12538,7 +12538,7 @@ }, "crowdsecurity/auditd-suid-crash": { "path": "scenarios/crowdsecurity/auditd-suid-crash.yaml", - "version": "0.8", + "version": "0.9", "versions": { "0.1": { "digest": "363efa4bbcda1abd870a49673ab402da63312259200e69bf9f80d565b24e4f45", 
@@ -12571,10 +12571,14 @@ "0.8": { "digest": "deda3c2a6703102de2eec8540b024300034e895ae15b1da6967ca75851067fc8", "deprecated": false + }, + "0.9": { + "digest": "3c789cb3d4ddcd0c8e47ead97fda3a613fc38b07041fdd5e80c82f0a655e94f2", + "deprecated": false } }, "long_description": "IyMgQXVkaXRkIDogQ3Jhc2ggb2Ygc3VpZCBiaW5hcnkKCkF0dGVtcHQgdG8gZGV0ZWN0IGEgU1VJRCBiaW5hcnkgdGhhdCBjcmFzaGVzIHdpdGggYFNJR0lMTGAsIGBTSUdUUkFQYCwgYFNJR0FCUlRgLCBgU0lHQlVTYCwgYFNJR1NFR1ZgLgoKSXQgbWlnaHQgYmUgcmVsYXRlZCB0byBzb21lb25lIHRyeWluZyB0byBleHBsb2l0IGxvY2FsIHByaXZpbGVnZSBlc2NhbGF0aW9uIHN1Y2ggYXMgW0NWRS0yMDIzLTQ5MTFdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTQ5MTEpLgo=", - "content": "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", + "content": "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", "description": "Detect root suid process crashing", "author": "crowdsecurity", "labels": { From e1dbfc8352406bd9bb421aba5984597f2c0324a7 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 18 Dec 2024 13:56:00 +0100 Subject: [PATCH 17/25] reflect changes on laurel and associated tests --- .tests/laurel-base64-exec/scenario.assert | 4 ++-- .tests/laurel-logs/parser.assert | 12 ++++++------ .tests/laurel-suid-crash/scenario.assert | 4 ++-- parsers/s01-parse/crowdsecurity/laurel-logs.yaml | 7 ++++--- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.tests/laurel-base64-exec/scenario.assert b/.tests/laurel-base64-exec/scenario.assert index 972ee0a98f8..5b00af92229 100644 --- a/.tests/laurel-base64-exec/scenario.assert +++ b/.tests/laurel-base64-exec/scenario.assert 
@@ -9,7 +9,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "laurel-base64-exec.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/base64"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("parent_progname") == "/usr/bin/bash"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "8851"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "laurel"
@@ -21,7 +21,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "laurel-base64-exec.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/usr/bin/bash"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[1].GetMeta("parent_progname") == "/usr/bin/bash"
 results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "8851"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "laurel"
diff --git a/.tests/laurel-logs/parser.assert b/.tests/laurel-logs/parser.assert
index cd1b72538d0..214d8443866 100644
--- a/.tests/laurel-logs/parser.assert
+++ b/.tests/laurel-logs/parser.assert
@@ -46,7 +46,7 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Parsed["timestamp"] ==
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["euid"] == "0"
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["service"] == "laurel"
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["auid"] == "4294967295"
-results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["subj"] == "unconfined"
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/laurel-logs"][0].Evt.Meta["ppid"] == "3839"
@@ -114,7 +114,7 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["datasource_path"]
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["exe"] == "/usr/sbin/nft"
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["pid"] == "11022"
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["auid"] == "4294967295"
-results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["subj"] == "unconfined"
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Meta["tty"] == "(none)"
 results["s01-parse"]["crowdsecurity/laurel-logs"][1].Evt.Unmarshaled["laurel"]["SYSCALL"]["PPID"]["exe"] == "/usr/bin/crowdsec-firewall-bouncer"
@@ -172,7 +172,7 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["datasource_path"]
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["parent_progname"] == "/usr/bin/crowdsec-firewall-bouncer"
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["ppid"] == "3839"
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["tty"] == "(none)"
-results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["auid"] == "4294967295"
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["euid"] == "0"
 results["s01-parse"]["crowdsecurity/laurel-logs"][2].Evt.Meta["exe"] == "/usr/sbin/nft"
@@ -230,7 +230,7 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["datasource_type"]
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["pid"] == "11024"
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["uid"] == "0"
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["datasource_path"] == "laurel-logs.log"
-results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["ppid"] == "3839"
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["tty"] == "(none)"
 results["s01-parse"]["crowdsecurity/laurel-logs"][3].Evt.Meta["auid"] == "4294967295"
@@ -293,7 +293,7 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["auid"] == "1000"
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["pid"] == "11025"
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["service"] == "laurel"
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["uid"] == "0"
-results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["log_type"] == "execve"
+results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Meta["log_type"] == "auditd_syscall_execve"
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Unmarshaled["laurel"]["EXECVE"]["argc"] == 3
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Unmarshaled["laurel"]["ID"] == "1688048717.143:30830"
 results["s01-parse"]["crowdsecurity/laurel-logs"][4].Evt.Unmarshaled["laurel"]["SYSCALL"]["SYSCALL"] == "execve"
@@ -347,6 +347,6 @@ results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["sig"] == "11"
 results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["auditd_eventid"] == "1262"
 results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["datasource_path"] == "laurel-logs.log"
 results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["exe"] == "/usr/bin/su"
-results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["log_type"] == "anom_abend"
+results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Meta["log_type"] == "auditd_anom_abend"
 results["s01-parse"]["crowdsecurity/laurel-logs"][5].Evt.Unmarshaled["laurel"]["ID"] == "1696506989.042:1262"
 len(results["success"][""]) == 0
diff --git a/.tests/laurel-suid-crash/scenario.assert b/.tests/laurel-suid-crash/scenario.assert
index c258aba5a19..d8c07f7268f 100644
--- a/.tests/laurel-suid-crash/scenario.assert
+++ b/.tests/laurel-suid-crash/scenario.assert
@@ -11,7 +11,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "laurel-suid-c
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/su"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("parent_progname") == "/usr/bin/bash"
 results[0].Overflow.Alert.Events[0].GetMeta("pid") == "1761"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "1756"
@@ -25,7 +25,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "laurel-suid-crash.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/usr/bin/su"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "anom_abend"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_anom_abend"
 results[0].Overflow.Alert.Events[1].GetMeta("pid") == "1761"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "laurel"
 results[0].Overflow.Alert.Events[1].GetMeta("sig") == "11"
diff --git a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
index 0196678459c..1ea0f85e167 100644
--- a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
@@ -1,5 +1,5 @@
 onsuccess: next_stage
-#debug: true
+debug: true
 name: crowdsecurity/laurel-logs
 description: "Parse laurel json logs"
 ## 1.5.2 returns "" , 1.5.3 returns nil
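Review bot: `-#debug: true` / `+debug: true` switches on per-event debug logging in the shipped laurel-logs parser, which on a busy host floods the crowdsec log and, as far as I recall of parser debug output, writes the evaluated fields — execve command lines included, which routinely carry passwords and tokens — into a second file with its own retention and permissions. The sibling commit `[PATCH 15/25] debug mode` removes the same flag from auditd-suid-crash.yaml, so this reads as a leftover rather than intent, and the laurel-logs 0.3 index entry generated by the following `Update index` commit was built from this version. It should go back to `#debug: true` (commented out) before the version is published.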
@@ -17,7 +17,8 @@ nodes: - meta: service value: laurel - meta: log_type - expression: evt.Unmarshaled.laurel.SYSCALL.SYSCALL + expression: | + evt.Unmarshaled.laurel.SYSCALL.SYSCALL == "execve" ? "auditd_syscall_execve" : "auditd_syscall" - target: evt.StrTime expression: evt.Parsed.timestamp - meta: exe @@ -55,7 +56,7 @@ nodes: - meta: service value: laurel - meta: log_type - value: anom_abend + value: auditd_anom_abend - meta: exe expression: evt.Unmarshaled.laurel.ANOM_ABEND[0].exe - meta: uid From 9a62b8e8876dd4d7eaf877479698d312d0492d2f Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 18 Dec 2024 12:56:41 +0000 Subject: [PATCH 18/25] Update index --- .index.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.index.json b/.index.json index ed0bcf7c5c3..e7cf0b54e0e 100644 --- a/.index.json +++ b/.index.json @@ -8635,7 +8635,7 @@ "crowdsecurity/laurel-logs": { "path": "parsers/s01-parse/crowdsecurity/laurel-logs.yaml", "stage": "s01-parse", - "version": "0.2", + "version": "0.3", "versions": { "0.1": { "digest": "95eab37bd97b342940a3ca7217ee89c6b24b744ddf59e40346a28b43480db60f", 
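Review bot: The new `log_type` expression tags only `SYSCALL.SYSCALL == "execve"` as `auditd_syscall_execve` and sends everything else, `execveat` included, to the catch-all `auditd_syscall`; `execveat` is the usual path for fileless execution from a `memfd_create` descriptor and for `fexecve`, so every scenario in this series that now filters on `auditd_syscall_execve` skips those executions (whether laurel renders the name as `execveat` depends on its syscall table — confirm against a sample). Widening the test is a one-liner: `evt.Unmarshaled.laurel.SYSCALL.SYSCALL in ["execve", "execveat"] ? "auditd_syscall_execve" : "auditd_syscall"`. Note also that `auditd_syscall` is a value this hunk introduces for laurel only; I cannot see the raw auditd parser emitting it for non-execve SYSCALL records, so scenarios should not assume the two parsers agree on it. The `statics:` list being edited continues outside the hunk.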
@@ -8644,9 +8644,13 @@ "0.2": { "digest": "3f8eca354cab4b0aa1b4ab35fbb44c110d6f170f05119dff5d03bfcee8daf124", "deprecated": false + }, + "0.3": { + "digest": "daf62e50fcabf0a17f2e17c2a50f9ed3ee9a340a6ba3888c22a731f7d75fa252", + "deprecated": false } }, - "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCiNkZWJ1ZzogdHJ1ZQpuYW1lOiBjcm93ZHNlY3VyaXR5L2xhdXJlbC1sb2dzCmRlc2NyaXB0aW9uOiAiUGFyc2UgbGF1cmVsIGpzb24gbG9ncyIKIyMgMS41LjIgcmV0dXJucyAiIiAsIDEuNS4zIHJldHVybnMgbmlsCmZpbHRlcjogZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdsYXVyZWwnCnBhdHRlcm5fc3ludGF4OgogIEZMT0FUOiAnWzAtOVwuXSsnCm5vZGVzOgogIC0gZmlsdGVyOiBVbm1hcnNoYWxKU09OKGV2dC5QYXJzZWQubWVzc2FnZSwgZXZ0LlVubWFyc2hhbGVkLCAibGF1cmVsIikgaW4gWyIiLCBuaWxdCiAgICBncm9rOgogICAgICBwYXR0ZXJuOiAnJXtGTE9BVDp0aW1lc3RhbXB9OiV7SU5UOmV2ZW50X2luY19pZH0nCiAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5sYXVyZWwuSUQKICAgIG5vZGVzOgogICAgICAtIGZpbHRlcjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMICE9IG5pbAogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIG1ldGE6IHNlcnZpY2UKICAgICAgICAgICAgdmFsdWU6IGxhdXJlbAogICAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwuU1lTQ0FMTAogICAgICAgICAgLSB0YXJnZXQ6IGV2dC5TdHJUaW1lCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQudGltZXN0YW1wCiAgICAgICAgICAtIG1ldGE6IGV4ZQogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwuZXhlCiAgICAgICAgICAtIG1ldGE6IHVpZAogICAgICAgICAgICBleHByZXNzaW9uOiBpbnQoZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLnVpZCkKICAgICAgICAgIC0gbWV0YTogYXVkaXRkX2V2ZW50aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlBhcnNlZC5ldmVudF9pbmNfaWQKICAgICAgICAgIC0gbWV0YTogcGFyZW50X3Byb2duYW1lCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5sYXVyZWwuU1lTQ0FMTC5QUElELmV4ZQogICAgICAgICAgLSBtZXRhOiBwcGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGludChldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwucHBpZCkKICAgICAgICAgIC0gbWV0YTogYXVpZAogICAgICAgICAgICBleHByZXNzaW9uOiBpbnQoZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLmF1aWQpCiAgICAgICAgICAtIG1ldGE6IGV1aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogaW50KGV2d
C5Vbm1hcnNoYWxlZC5sYXVyZWwuU1lTQ0FMTC5ldWlkKQogICAgICAgICAgLSBtZXRhOiB0dHkKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLnR0eQogICAgICAgICAgLSBtZXRhOiBzdWJqCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5Vbm1hcnNoYWxlZC5sYXVyZWwuU1lTQ0FMTC5zdWJqCiAgICAgICAgICAtIG1ldGE6IHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBpbnQoZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLnBpZCkKICAgICAgICAgIC0gbWV0YTogY29tbQogICAgICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwuY29tbQogICAgICAgICAgLSBtZXRhOiBzaWcKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLnNpZwogICAgICAgICAgLSBtZXRhOiByZXMKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5TWVNDQUxMLnJlcwogICAgICAgICAgLSBtZXRhOiBzdHJfVUlECiAgICAgICAgICAgIGV4cHJlc3Npb246IGludChldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwuVUlEKQogICAgICAgICAgLSBtZXRhOiBzdHJfR0lECiAgICAgICAgICAgIGV4cHJlc3Npb246IGludChldnQuVW5tYXJzaGFsZWQubGF1cmVsLlNZU0NBTEwuR0lEKQogICAgICAtIGZpbHRlcjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5BTk9NX0FCRU5EICE9IG5pbAogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIG1ldGE6IHNlcnZpY2UKICAgICAgICAgICAgdmFsdWU6IGxhdXJlbAogICAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgICB2YWx1ZTogYW5vbV9hYmVuZAogICAgICAgICAgLSBtZXRhOiBleGUKICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5BTk9NX0FCRU5EWzBdLmV4ZQogICAgICAgICAgLSBtZXRhOiB1aWQKICAgICAgICAgICAgZXhwcmVzc2lvbjogaW50KGV2dC5Vbm1hcnNoYWxlZC5sYXVyZWwuQU5PTV9BQkVORFswXS51aWQpCiAgICAgICAgICAtIG1ldGE6IGF1ZGl0ZF9ldmVudGlkCiAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQuZXZlbnRfaW5jX2lkCiAgICAgICAgICAtIG1ldGE6IHBpZAogICAgICAgICAgICBleHByZXNzaW9uOiBpbnQoZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5BTk9NX0FCRU5EWzBdLnBpZCkKICAgICAgICAgIC0gbWV0YTogYXVpZAogICAgICAgICAgICBleHByZXNzaW9uOiBpbnQoZXZ0LlVubWFyc2hhbGVkLmxhdXJlbC5BTk9NX0FCRU5EWzBdLmF1aWQpCiAgICAgICAgICAtIG1ldGE6IHNpZwogICAgICAgICAgICBleHByZXNzaW9uOiBTcHJpbnRmKCIldiIsIGludChldnQuVW5tYXJzaGFsZWQubGF1cmVsLkFOT01fQUJFTkRbMF0uc2lnKSkKc3RhdGljczoKICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgIGV4cHJlc3Npb246IGV2dC5QY
XJzZWQudGltZXN0YW1w", + "content": "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", "description": "Parse laurel json logs", "author": "crowdsecurity", "labels": null
From 4d2d8fd4ab3f236d66295a8999714362c23fa1f9 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Wed, 18 Dec 2024 13:59:07 +0100
Subject: [PATCH 19/25] fix sigmahq tests
---
 .tests/lnx_auditd_auditing_config_change/scenario.assert | 2 +-
 .tests/lnx_auditd_find_cred_in_files/scenario.assert | 2 +-
 .tests/lnx_auditd_ld_so_preload_mod/scenario.assert | 2 +-
 .tests/lnx_auditd_load_module_insmod/scenario.assert | 2 +-
 .tests/lnx_auditd_logging_config_change/scenario.assert | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.tests/lnx_auditd_auditing_config_change/scenario.assert b/.tests/lnx_auditd_auditing_config_change/scenario.assert
index 00a00f4087f..89700d4def3 100644
--- a/.tests/lnx_auditd_auditing_config_change/scenario.assert
+++ b/.tests/lnx_auditd_auditing_config_change/scenario.assert
@@ -16,7 +16,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01"
 results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21889652"
 results[0].Overflow.Alert.Events[0].GetMeta("item") == "0"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_path"
 results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100640"
 results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/audit/audit.rules"
 results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "NORMAL"
diff --git a/.tests/lnx_auditd_find_cred_in_files/scenario.assert b/.tests/lnx_auditd_find_cred_in_files/scenario.assert
index 78f17005093..2ce611736c8 100644
--- a/.tests/lnx_auditd_find_cred_in_files/scenario.assert
+++ b/.tests/lnx_auditd_find_cred_in_files/scenario.assert
@@ -9,7 +9,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "EXECVE"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "lnx_auditd_find_cred_in_files.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("execve_full_str") == "grep --color=auto password /tmp/foo"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-17T16:23:56Z"
 results[0].Overflow.Alert.GetScenario() == "sigmahq/lnx_auditd_find_cred_in_files"
 results[0].Overflow.Alert.Remediation == false
diff --git a/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert b/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert
index 184ec9b0aed..034b8023855 100644
--- a/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert
+++ b/.tests/lnx_auditd_ld_so_preload_mod/scenario.assert
@@ -16,7 +16,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01"
 results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21761059"
 results[0].Overflow.Alert.Events[0].GetMeta("item") == "1"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_path"
 results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100644"
 results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/ld.so.preload"
 results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "CREATE"
diff --git a/.tests/lnx_auditd_load_module_insmod/scenario.assert b/.tests/lnx_auditd_load_module_insmod/scenario.assert
index ad3e03986d0..ed56e7088df 100644
--- a/.tests/lnx_auditd_load_module_insmod/scenario.assert
+++ b/.tests/lnx_auditd_load_module_insmod/scenario.assert
@@ -13,7 +13,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0"
 results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/kmod"
 results[0].Overflow.Alert.Events[0].GetMeta("gid") == "0"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "syscall_execve"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
 results[0].Overflow.Alert.Events[0].GetMeta("pid") == "13801"
 results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "13783"
 results[0].Overflow.Alert.Events[0].GetMeta("ses") == "3"
diff --git a/.tests/lnx_auditd_logging_config_change/scenario.assert b/.tests/lnx_auditd_logging_config_change/scenario.assert
index d9b8e6f06a8..2b652c4436b 100644
--- a/.tests/lnx_auditd_logging_config_change/scenario.assert
+++ b/.tests/lnx_auditd_logging_config_change/scenario.assert
@@ -16,7 +16,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("dev") == "fc:01"
 results[0].Overflow.Alert.Events[0].GetMeta("inode") == "21761060"
 results[0].Overflow.Alert.Events[0].GetMeta("item") == "0"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "path"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_path"
 results[0].Overflow.Alert.Events[0].GetMeta("mode") == "0100644"
 results[0].Overflow.Alert.Events[0].GetMeta("name") == "/etc/rsyslog.conf"
 results[0].Overflow.Alert.Events[0].GetMeta("nametype") == "NORMAL"
From e6246715d95560324e8a92ef4d9feb0c2ef96606 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Mon, 30 Dec 2024 10:42:22 +0100
Subject: [PATCH 20/25] fix comments, add test
---
 .tests/auditd-sus-exec/auditd-sus-exec.log | 1 +
 .tests/auditd-sus-exec/config.yaml | 11 +++++++
 .tests/auditd-sus-exec/parser.assert | 0
 .tests/auditd-sus-exec/scenario.assert | 29 +++++++++++++++++++
 .../s01-parse/crowdsecurity/laurel-logs.yaml | 3 +-
 scenarios/crowdsecurity/auditd-sus-exec.yaml | 2 +-
 6 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 .tests/auditd-sus-exec/auditd-sus-exec.log
 create mode 100644 .tests/auditd-sus-exec/config.yaml
 create mode 100644 .tests/auditd-sus-exec/parser.assert
 create mode 100644 .tests/auditd-sus-exec/scenario.assert
diff --git a/.tests/auditd-sus-exec/auditd-sus-exec.log b/.tests/auditd-sus-exec/auditd-sus-exec.log
new file mode 100644
index 00000000000..5fa4555decc
--- /dev/null
+++ b/.tests/auditd-sus-exec/auditd-sus-exec.log
@@ -0,0 +1 @@
+type=SYSCALL msg=audit(1735551158.502:102037): arch=c000003e syscall=59 success=yes exit=0 a0=795b1349d528 a1=795b1349d570 a2=60b9a3a1f010 a3=8 items=2 ppid=59007 pid=59024 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2238 comm="id" exe="/tmp/id" subj=unconfined key="rootcmd"ARCH=x86_64 SYSCALL=execve AUID="bui" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
diff --git a/.tests/auditd-sus-exec/config.yaml b/.tests/auditd-sus-exec/config.yaml
new file mode 100644
index 00000000000..c6329ae49c4
--- /dev/null
+++ b/.tests/auditd-sus-exec/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+ - ./parsers/s01-parse/crowdsecurity/auditd-logs.yaml
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ./scenarios/crowdsecurity/auditd-sus-exec.yaml
+postoverflows:
+ - ""
+log_file: auditd-sus-exec.log
+log_type: auditd
+ignore_parsers: true
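Review bot: `ignore_parsers: true` in the new config.yaml, paired with the empty `parser.assert` created alongside it, leaves the parser stage of this fixture unasserted; if the flag does what its name suggests, the `auditd_syscall_execve` log_type and the `exe`/`ppid` metas the scenario relies on are only checked indirectly through the resulting alert. Generating `parser.assert` for the fixture and dropping `ignore_parsers: true` would make a regression in `auditd-logs.yaml` fail at the parser stage instead of surfacing as a missing alert.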
diff --git a/.tests/auditd-sus-exec/parser.assert b/.tests/auditd-sus-exec/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/auditd-sus-exec/scenario.assert b/.tests/auditd-sus-exec/scenario.assert
new file mode 100644
index 00000000000..007bdda8859
--- /dev/null
+++ b/.tests/auditd-sus-exec/scenario.assert
@@ -0,0 +1,29 @@
+len(results) == 1
+"59007" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["59007"].IP == ""
+results[0].Overflow.Sources["59007"].Range == ""
+results[0].Overflow.Sources["59007"].GetScope() == "pid"
+results[0].Overflow.Sources["59007"].GetValue() == "59007"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "102037"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL"
+results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1001"
+results[0].Overflow.Alert.Events[0].GetMeta("comm") == "id"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-sus-exec.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/tmp/id"
+results[0].Overflow.Alert.Events[0].GetMeta("gid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
+results[0].Overflow.Alert.Events[0].GetMeta("pid") == "59024"
+results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "59007"
+results[0].Overflow.Alert.Events[0].GetMeta("ses") == "2238"
+results[0].Overflow.Alert.Events[0].GetMeta("str_GID") == "root"
+results[0].Overflow.Alert.Events[0].GetMeta("str_UID") == "root"
+results[0].Overflow.Alert.Events[0].GetMeta("subj") == "unconfined"
+results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-30T09:32:38Z"
+results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts1"
+results[0].Overflow.Alert.Events[0].GetMeta("uid") == "0"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/auditd-sus-exec"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 1
diff --git a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
index 1ea0f85e167..087c29c9f48 100644
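Review bot: The assertions bind the alert source to scope `pid` with value `59007`, which is the fixture's `ppid`, while the process that executed `/tmp/id` is `pid` `59024`; nothing in this commit records that bucketing on the parent process is deliberate, so a later reader may take it for a mix-up. A short note in the scenario file next to its scope definition (which is outside this diff), such as `# scope "pid" is keyed on ppid: the spawning process is what we want to track`, would settle it — assuming that is indeed the intent.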
--- a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
@@ -17,8 +17,7 @@ nodes:
 - meta: service
 value: laurel
 - meta: log_type
- expression: |
- evt.Unmarshaled.laurel.SYSCALL.SYSCALL == "execve" ? "auditd_syscall_execve" : "auditd_syscall"
+ expression: "auditd_syscall" + evt.Unmarshaled.laurel.SYSCALL.SYSCALL
 - target: evt.StrTime
 expression: evt.Parsed.timestamp
 - meta: exe
diff --git a/scenarios/crowdsecurity/auditd-sus-exec.yaml b/scenarios/crowdsecurity/auditd-sus-exec.yaml
index 9ed5445a995..79c337c12d0 100644
--- a/scenarios/crowdsecurity/auditd-sus-exec.yaml
+++ b/scenarios/crowdsecurity/auditd-sus-exec.yaml
@@ -2,7 +2,7 @@ type: trigger
 #debug: true
 name: crowdsecurity/auditd-sus-exec
 description: "Detect post-exploitation behaviour : exec from suspicious locations"
-filter: evt.Meta.log_type == 'syscall_execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
+filter: evt.Meta.log_type == 'auditd_syscall_execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
 labels:
 confidence: 2
 spoofable: 0
From a47edd08c77a1bb26ae22f80c4bcf255f07ada25 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 30 Dec 2024 09:42:56 +0000
Subject: [PATCH 21/25] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index e7cf0b54e0e..d47f1ecf4ed 100644
--- a/.index.json
+++ b/.index.json
@@ -12599,7 +12599,7 @@
 },
 "crowdsecurity/auditd-sus-exec": {
 "path": "scenarios/crowdsecurity/auditd-sus-exec.yaml",
- "version": "0.6",
+ "version": "0.7",
 "versions": {
 "0.1": {
 "digest": "d640df2e1a53d962c97ee25af290916f88d86150fc210b43f011e665851c27cd",
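Review bot: The new `expression:` drops the separator between the prefix and the syscall name — `"auditd_syscall" + evt.Unmarshaled.laurel.SYSCALL.SYSCALL` evaluates to `auditd_syscallexecve` for an execve record, while the scenario filter changed in this same commit compares against `auditd_syscall_execve`, so laurel-sourced events can no longer trigger it. The test added here loads only `auditd-logs.yaml` (see the new config.yaml), so the laurel path is not exercised and the mismatch is not caught. The one-line fix is `expression: "auditd_syscall_" + evt.Unmarshaled.laurel.SYSCALL.SYSCALL`; a second fixture in laurel JSON format asserting `log_type == "auditd_syscall_execve"` would pin both parsers to the same value. The enclosing node starts before this hunk.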
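Review bot: The location test in the new filter is narrower than "exec from suspicious locations" in the description: only `/tmp/` and paths containing `/.` match, so a binary run from the other world-writable staging directories, `/var/tmp/` or `/dev/shm/`, is not caught. If those are meant to be covered, `( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe startsWith "/var/tmp/" or evt.Meta.exe startsWith "/dev/shm/" or evt.Meta.exe contains "/." )` keeps the filter's shape. The new scenario.assert carries no `success` meta, so presumably failed execve attempts also reach this filter; if that is intended, saying so next to the filter — `# fires on failed execve attempts as well as successful ones` — saves the next reader a trip through the parser.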
@@ -12624,10 +12624,14 @@
 "0.6": {
 "digest": "f77fee35cf9e58f346f0b1dcfadfab363454b9f95b6450965498bdc0e7c0a49a",
 "deprecated": false
+ },
+ "0.7": {
+ "digest": "7461684a74b0731648aa6f41fdc98e76887a0ef43435d7064f1367f8e22cf6c6",
+ "deprecated": false
 }
 },
 "long_description": "IyMgQXVkaXRkIDogc3VzcGljaW91cyBleGVjdXRpb25zCgpBdHRlbXB0IHRvIGRldGVjdCBhIGJpbmFyeSB0aGF0IGlzIGV4ZWN1dGVkIGZyb20gdW51c3VhbCAvIHN1c3BpY2lvdXMgbG9jYXRpb25zLCBzdWNoIGFzIGAvdG1wL2Agb3IgaGlkZGVuIGRpcmVjdG9yaWVzIHN0YXJ0aW1nIHdpdGggYSBgLmAuCgpUaGlzIHBhdHRlcm4gaXMgdXN1YWxseSBzZWVuIGluIHBvc3QtZXhwbG9pdGF0aW9uIHdoZW4gYXR0YWNrZXJzIGFyZSBhdHRlbXB0aW5nIHRvIGhpZGUgYmFja2Rvb3JzIGFuZCBvdGhlciB0b29scy4K",
- "content": "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",
+ "content": "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",
 "description": "Detect post-exploitation behaviour : exec from suspicious locations",
 "author": "crowdsecurity",
 "labels": {
From 8ef1d560773d71224a7254165243a8665b465a60 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Mon, 30 Dec 2024 11:43:53 +0100
Subject: [PATCH 22/25] fix parser
---
 parsers/s01-parse/crowdsecurity/laurel-logs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
index 087c29c9f48..2eae0a472e4 100644
--- a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
@@ -17,7 +17,8 @@ nodes:
 - meta: service
 value: laurel
 - meta: log_type
- expression: "auditd_syscall" + evt.Unmarshaled.laurel.SYSCALL.SYSCALL
+ expression: |
+ 'auditd_syscall_' + evt.Unmarshaled.laurel.SYSCALL.SYSCALL
 - target: evt.StrTime
 expression: evt.Parsed.timestamp
 - meta: exe
From d7c3bb4ea639d3601eaa6320a4dfabcc88e63583 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 30 Dec 2024 10:44:29 +0000
Subject: [PATCH 23/25] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
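Review bot: `'auditd_syscall_' + evt.Unmarshaled.laurel.SYSCALL.SYSCALL` makes `log_type` open-ended — one value per syscall name laurel reports, instead of the two fixed values of the earlier ternary — and nothing documents the scheme for scenario authors; a comment above the static would do: `# log_type is "auditd_syscall_" + laurel's SYSCALL name, e.g. auditd_syscall_execve`. If `SYSCALL.SYSCALL` can be absent on some records, concatenating a nil presumably fails evaluation rather than yielding a value, so a `filter:` on the field or a ternary falling back to `auditd_syscall` would keep the static total. The enclosing node starts before this hunk.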
diff --git a/.index.json b/.index.json
index d47f1ecf4ed..dd0fc2f99b5 100644
--- a/.index.json
+++ b/.index.json
@@ -8635,7 +8635,7 @@
 "crowdsecurity/laurel-logs": {
 "path": "parsers/s01-parse/crowdsecurity/laurel-logs.yaml",
 "stage": "s01-parse",
- "version": "0.3",
+ "version": "0.4",
 "versions": {
 "0.1": {
 "digest": "95eab37bd97b342940a3ca7217ee89c6b24b744ddf59e40346a28b43480db60f",
@@ -8648,9 +8648,13 @@
 "0.3": {
 "digest": "daf62e50fcabf0a17f2e17c2a50f9ed3ee9a340a6ba3888c22a731f7d75fa252",
 "deprecated": false
+ },
+ "0.4": {
+ "digest": "1b41ef597816ca0c70393fbbdcafacbce662754f8a1a4f2525350803b48aa755",
+ "deprecated": false
 }
 },
- "content": "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",
+ "content": "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",
 "description": "Parse laurel json logs",
 "author": "crowdsecurity",
 "labels": null
From be52d459eae90885519f3b3f18e275fc8bfb5502 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Mon, 30 Dec 2024 13:51:37 +0100
Subject: [PATCH 24/25] debug
---
 parsers/s01-parse/crowdsecurity/laurel-logs.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
index 2eae0a472e4..e95b4bbcfa4 100644
--- a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
@@ -1,5 +1,4 @@
 onsuccess: next_stage
-debug: true
 name: crowdsecurity/laurel-logs
 description: "Parse laurel json logs"
 ## 1.5.2 returns "" , 1.5.3 returns nil
From 5ec3010cb0e7b8acd444b90663bc7512379ea7c8 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 30 Dec 2024 12:52:12 +0000
Subject: [PATCH 25/25] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index dd0fc2f99b5..82faee132c1 100644
--- a/.index.json
+++ b/.index.json
@@ -8635,7 +8635,7 @@
 "crowdsecurity/laurel-logs": {
 "path": "parsers/s01-parse/crowdsecurity/laurel-logs.yaml",
 "stage": "s01-parse",
- "version": "0.4",
+ "version": "0.5",
 "versions": {
 "0.1": {
 "digest": "95eab37bd97b342940a3ca7217ee89c6b24b744ddf59e40346a28b43480db60f",
@@ -8652,9 +8652,13 @@
 "0.4": {
 "digest": "1b41ef597816ca0c70393fbbdcafacbce662754f8a1a4f2525350803b48aa755",
 "deprecated": false
+ },
+ "0.5": {
+ "digest": "cadeb943922f809f0cf2630d7cdb326b727636888786780dc6a2f2fa7548db76",
+ "deprecated": false
 }
 },
- "content": "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",
+ "content": "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",
 "description": "Parse laurel json logs",
 "author": "crowdsecurity",
 "labels": null