Laurence Jones LaurenceJJones

🦙
View GitHub Profile
@LaurenceJJones
LaurenceJJones / unixcommands.txt
Last active September 20, 2021 21:00
List of commands on unix for testing in command injection
&
alias
apt
apt-get
aptitude
aspell
at
awk
basename
base32
@LaurenceJJones
LaurenceJJones / docker-compose.yml
Created September 23, 2021 18:53
Nginx WAF Lab
# This docker-compose file starts owasp/modsecurity-crs
#
# ATTENTION!
# Some of the environment variables at the bottom of this
# docker-compose.yaml file and TLS are only available
# for self-built images based on Dockerfile-2.9-apache,
# and only if build args SETTLS and SETPROXY were set during
# the build of the parent owasp/modsecurity:2.9-apache image.
# Disclaimer! Only expose any ports if you are in a controlled environment (virtual machine on a computer or server not exposed to the internet)
@LaurenceJJones
LaurenceJJones / e_twint_fix.sh
Created January 16, 2022 13:55
twint elasticsearch fix
#!/bin/bash
#Replace with hostname / ip without port
ELASTIC_URL="localhost"
#Uncomment if twinttweets index exists in elastic
#DISCLAIMER it will delete all indexed tweets
#curl -XDELETE "$ELASTIC_URL:9200/twinttweets?pretty" -H 'Content-Type: application/json'
curl -XPUT "$ELASTIC_URL:9200/twinttweets?pretty" -H 'Content-Type: application/json' -d '
{
@LaurenceJJones
LaurenceJJones / mongo.log
Last active June 1, 2022 19:59
Mongodb > 4.4 crowdsec parser WIP
filter: "evt.Parsed.program == 'mongo'"
onsuccess: next_stage
name: crowdsecurity/myservice-logs
description: "Mongodb4.4"
debug: true
nodes:
  - grok:
      pattern: '%{IPORHOST:remote_addr}:%{NUMBER}'
      expression: JsonExtract(evt.Line.Raw, "attr.remote")
  - grok:
{{ $myDict := dict "crowdsecurity/ssh-slow-bf" "22,18" }}
##Url params
{{range . -}}
?category={{ get $myDict .Scenario }}&comment={{"[Crowdsec]: Detected via: %s"| replace "%s" .Scenario | urlquery }}&ip={{ .Source.Value | urlquery }}
{{end}}
## CSV
{{range . -}}
@LaurenceJJones
LaurenceJJones / rocketchat.js
Created September 2, 2022 12:57
Rocketchat custom hook into crowdsec to ban ip from channel idea
const str = 'ban 1.1.1.1 duration 6h source capi'
const [verb, ip, ...args] = str.split(' ')
const splitToChunks = (arr, chunkSize, acc = []) => (
arr.length > chunkSize ?
splitToChunks(
arr.slice(chunkSize),
chunkSize,
[...acc, arr.slice(0, chunkSize)]
) :
[...acc, arr]
tmp_d=$(mktemp -d)
tmp_f="$tmp_d/crowdsec.csv"
# Current decisions with a non-expired duration (durations already past have a leading "-")
curr_dec=$(cscli -ojson decisions list -a | jq '.[].decisions |.[] | select(.duration | contains("-") | not) | .value')
echo "duration,scope,value" > "$tmp_f"
# Read one IP per line from stdin; add a 24h decision only if it is not already present
while read -r -s i;
do
echo "$curr_dec" | grep -qw "$i"
if [ "$?" -ne 0 ]; then
echo "24h,ip,$i" >> "$tmp_f"
fi
@LaurenceJJones
LaurenceJJones / nextcloud.txt
Created October 11, 2022 07:36
Nextcloud route prefixes for whitelist testing
/apps
/custom_apps
/ocs
/ocs-provider
/public.php
/remote.php
/settings
@LaurenceJJones
LaurenceJJones / ipstocrowdseclib.sh
Created October 13, 2022 14:57
Cron script to fetch ip lists then store within /var/lib/crowdsec/data/
dir=/var/lib/crowdsec/data/
# Each entry is "url,filename"; the file is written into $dir
declare -a URLS=("https://quic.cloud/ips?ln,quiccloud_ips.txt" "https://monitoring.platform360.io/whitelist?v4,monitoring360_ips.txt" "https://monitoring.platform360.io/whitelist?v6,monitoring360_ip6s.txt" )
for i in "${URLS[@]}"; do
IFS=, read -r url name <<< "$i"
/usr/bin/wget -q -O "$dir$name" "$url"
done
# Restart so crowdsec reloads the updated lists
/usr/bin/systemctl restart crowdsec.service
{{ $list := dict "crowdsecurity/apache_log4j2_cve-2021-44228" "15,21" "jusabatier/apereo-cas-bf" "15,18" "jusabatier/apereo-cas-slow-bf" "15,18" "crowdsecurity/asterisk_bf" "15,18" "crowdsecurity/asterisk_user_enum" "15,18" "lepresidente/authelia-bf" "15,18" "crowdsecurity/ban-defcon-drop_range" "15,18" "jusabatier/cas-slow-bf" "15,18" "crowdsecurity/cpanel-bf" "15,18" "crowdsecurity/cpanel-bf-attempt" "15,18" "crowdsecurity/CVE-2021-4034" "15" "crowdsecurity/CVE-2022-37042" "15,21" "crowdsecurity/dovecot-spam" "11" "lepresidente/emby-bf" "15,18" "crowdsecurity/endlessh-bf" "15,18,22" "crowdsecurity/exchange-bf" "15,18" "crowdsecurity/f5-big-ip-cve-2020-5902" "15,21" "crowdsecurity/fortinet-cve-2018-13379" "15,21" "lepresidente/gitea-bf" "15,18" "timokoessler/gitlab-bf" "15,18" "baudneo/gotify-bf" "15,18" "crowdsecurity/grafana-cve-2021-43798" "15,21" "crowdsecurity/home-assistant-bf" "15,18" "crowdsecurity/http-apiscp-bf" "15,18" "crowdsecurity/http-backdoors-attempts" "15,21" "crowdsecurity/http-bad-user-ag