This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
&
alias
apt
apt-get
aptitude
aspell
at
awk
basename
base32

# This docker-compose file starts owasp/modsecurity-crs
#
# ATTENTION!
# Some of the environment variables at the bottom of this
# docker-compose.yaml file and TLS are only available
# for self-built images based on Dockerfile-2.9-apache,
# and only if build args SETTLS and SETPROXY were set during
# the build of the parent owasp/modsecurity:2.9-apache image.
# Disclaimer! Only expose ports if you are in a controlled environment (a virtual machine on your computer, or a server not exposed to the internet).

#!/bin/bash
# Replace with the Elasticsearch hostname / IP, without port
ELASTIC_URL="localhost"
# Uncomment if the twinttweets index already exists in Elasticsearch
# DISCLAIMER: this deletes all indexed tweets
#curl -XDELETE "$ELASTIC_URL:9200/twinttweets?pretty" -H 'Content-Type: application/json'
# Create the index with an explicit mapping (body continues below)
curl -XPUT "$ELASTIC_URL:9200/twinttweets?pretty" -H 'Content-Type: application/json' -d '
{

filter: "evt.Parsed.program == 'mongo'"
onsuccess: next_stage
name: crowdsecurity/myservice-logs
description: "Mongodb4.4"
debug: true
nodes:
  - grok:
      pattern: '%{IPORHOST:remote_addr}:%{NUMBER}'
      expression: JsonExtract(evt.Line.Raw, "attr.remote")
  - grok:
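An added Python equivalent of the parser's first node, written for this page rather than taken from the gist or from CrowdSec: JsonExtract of attr.remote followed by the grok-style split into host and port, run over constructed lines shaped like mongod 4.4 JSON logs (they are not real captures, and the helper only approximates CrowdSec's JsonExtract). It goes one step further than the grok pattern by accepting bracketed IPv6 remotes such as "[::1]:40000", which the IPORHOST pattern as written is not designed for.

```python
import json
import re

# Constructed sample lines in the shape of mongod 4.4 structured (JSON) logging.
# Not real captures; only the fields the parser keys on matter here.
SAMPLE_LINES = [
    '{"t":{"$date":"2023-01-01T10:00:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,'
    '"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:52210","connectionId":7}}',
    '{"t":{"$date":"2023-01-01T10:00:01.000+00:00"},"s":"I","c":"ACCESS","id":20249,'
    '"ctx":"conn7","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256",'
    '"principalName":"admin","authenticationDatabase":"admin","remote":"10.0.0.5:52210",'
    '"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
    '{"t":{"$date":"2023-01-01T10:00:02.000+00:00"},"s":"I","c":"NETWORK","id":22944,'
    '"ctx":"conn7","msg":"Connection ended","attr":{"remote":"[::1]:40000","connectionId":7}}',
    'not json at all',
    '{"t":{"$date":"2023-01-01T10:00:03.000+00:00"},"s":"I","c":"CONTROL","id":23403,'
    '"ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"4.4.0"}}}',
]

# Equivalent of grok '%{IPORHOST:remote_addr}:%{NUMBER}', anchored to the whole value:
# either a bracketed IPv6 literal or a host/IPv4 token, then ':' and a port.
REMOTE_RE = re.compile(
    r'^(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<host>[^\s:\[\]]+)):(?P<port>\d+)$'
)


def json_extract(raw, path):
    """Approximation of CrowdSec's JsonExtract(raw, "a.b"): walk the dotted path,
    return '' when the line is not JSON, the path is missing, or the leaf is not a string."""
    try:
        node = json.loads(raw)
    except json.JSONDecodeError:
        return ''
    for key in path.split('.'):
        if not isinstance(node, dict) or key not in node:
            return ''
        node = node[key]
    return node if isinstance(node, str) else ''


def parse_line(raw):
    """Fields the parser would set for one line, or None when there is no usable remote."""
    remote = json_extract(raw, 'attr.remote')
    m = REMOTE_RE.match(remote)
    if not m:
        return None
    return {
        'remote_addr': m.group('v6') or m.group('host'),
        'remote_port': int(m.group('port')),
        'msg': json_extract(raw, 'msg'),
    }


def parse_lines(lines):
    """Parse a batch of raw lines, dropping the ones that carry no remote address."""
    return [p for p in (parse_line(line) for line in lines) if p]


if __name__ == '__main__':
    for parsed in parse_lines(SAMPLE_LINES):
        print(parsed)
```

The non-JSON line and the startup line (no attr.remote) are dropped instead of producing an empty remote_addr, which is what the real parser's failed grok does for the bucket stage downstream.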

{{ $myDict := dict "crowdsecurity/ssh-slow-bf" "22,18" }}
##Url params
{{range . -}}
?category={{ get $myDict .Scenario }}&comment={{"[Crowdsec]: Detected via: %s"| replace "%s" .Scenario | urlquery }}&ip={{ .Source.Value | urlquery }}
{{end}}
## CSV
{{range . -}}

const str = 'ban 1.1.1.1 duration 6h source capi'
// verb and target first; the remaining "key value" words are collected in args
const [verb, ip, ...args] = str.split(' ')
// Recursively cut an array into chunks of chunkSize (the last chunk may be shorter)
const splitToChunks = (arr, chunkSize, acc = []) => (
  arr.length > chunkSize ?
    splitToChunks(
      arr.slice(chunkSize),
      chunkSize,
      [...acc, arr.slice(0, chunkSize)]
    ) :
    [...acc, arr]
)

#!/bin/bash
# Build a CSV for `cscli decisions import` from a list of IPs, skipping any IP
# that already has an active decision.
tmp_d=$(mktemp -d)
tmp_f="$tmp_d/crowdsec.csv"
# Values of all non-expired decisions (an expired decision shows a negative remaining duration)
curr_dec=$(cscli -ojson decisions list -a | jq -r '.[].decisions | .[] | select(.duration | contains("-") | not) | .value')
echo "duration,scope,value" > "$tmp_f"
# Assumes one IP per line on stdin
while read -r i; do
  # literal, whole-line match: the dots in an IP get no regex meaning
  if ! printf '%s\n' "$curr_dec" | grep -qxF -- "$i"; then
    echo "24h,ip,$i" >> "$tmp_f"
  fi
done
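The same diff as an added Python check, not the gist's own code, run offline against a constructed stand-in for `cscli -ojson decisions list -a` output in which only the fields the script uses are filled in. It goes one step beyond the shell version: a candidate that already falls inside an active Range decision is not re-added as a separate ip decision, and anything that is not an IP at all is left out of the import file.

```python
import csv
import io
import ipaddress
import json

# Constructed stand-in for `cscli -ojson decisions list -a`: a list of alerts, each with
# its decisions. Values and scenarios are made up for the example.
CSCLI_JSON = json.dumps([
    {"scenario": "crowdsecurity/ssh-bf", "decisions": [
        {"duration": "3h12m4s", "scope": "Ip", "type": "ban", "value": "203.0.113.9"}]},
    {"scenario": "crowdsecurity/http-probing", "decisions": [
        {"duration": "-45m10s", "scope": "Ip", "type": "ban", "value": "198.51.100.7"}]},
    {"scenario": "crowdsecurity/ban-defcon-drop_range", "decisions": [
        {"duration": "23h59m", "scope": "Range", "type": "ban", "value": "192.0.2.0/24"}]},
])


def active_values(cscli_json):
    """Values with a live decision: the same filter as the jq above, a '-' in the
    duration marks a decision that has already expired."""
    out = set()
    for alert in json.loads(cscli_json):
        for d in alert.get("decisions", []):
            if "-" not in d["duration"]:
                out.add(d["value"])
    return out


def covered(active, ip):
    """True when ip is already under an active decision, including Range decisions
    (a string comparison would re-ban 192.0.2.5 although 192.0.2.0/24 is banned)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not an IP: never write it into the import file
    for value in active:
        try:
            if addr in ipaddress.ip_network(value, strict=False):
                return True
        except ValueError:
            continue  # non-IP scopes (country, username, ...) cannot cover an IP
    return False


def import_csv(candidates, cscli_json, duration="24h"):
    """The CSV `cscli decisions import` reads: one row per candidate without an
    active decision, same header as the shell script."""
    active = active_values(cscli_json)
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["duration", "scope", "value"])
    for line in candidates:
        ip = line.strip()
        if ip and not covered(active, ip):
            w.writerow([duration, "ip", ip])
    return buf.getvalue()


if __name__ == "__main__":
    print(import_csv(["203.0.113.9", "192.0.2.5", "198.51.100.7"], CSCLI_JSON), end="")
```

An expired decision (negative duration) is treated as absent, so its IP is banned again, which matches what the jq filter in the script does.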

/apps
/custom_apps
/ocs
/ocs-provider
/public.php
/remote.php
/settings

#!/bin/bash
# Refresh the IP allow-lists that CrowdSec whitelist parsers read from the data directory.
dir=/var/lib/crowdsec/data/
declare -a URLS=("https://quic.cloud/ips?ln,quiccloud_ips.txt" "https://monitoring.platform360.io/whitelist?v4,monitoring360_ips.txt" "https://monitoring.platform360.io/whitelist?v6,monitoring360_ip6s.txt" )
for i in "${URLS[@]}"; do
  IFS=, read -r url name <<< "$i"
  tmp=$(mktemp "${dir}${name}.XXXXXX")
  # Fetch into a temp file and swap it in only if the download succeeded and is non-empty,
  # so a failed fetch never replaces a good list with an empty one (wget -O truncates on failure)
  if /usr/bin/wget -q -O "$tmp" "$url" && [ -s "$tmp" ]; then mv -f "$tmp" "$dir$name"; else echo "fetch failed: $url" >&2; rm -f "$tmp"; fi
done
/usr/bin/systemctl restart crowdsec.service

{{ $list := dict "crowdsecurity/apache_log4j2_cve-2021-44228" "15,21" "jusabatier/apereo-cas-bf" "15,18" "jusabatier/apereo-cas-slow-bf" "15,18" "crowdsecurity/asterisk_bf" "15,18" "crowdsecurity/asterisk_user_enum" "15,18" "lepresidente/authelia-bf" "15,18" "crowdsecurity/ban-defcon-drop_range" "15,18" "jusabatier/cas-slow-bf" "15,18" "crowdsecurity/cpanel-bf" "15,18" "crowdsecurity/cpanel-bf-attempt" "15,18" "crowdsecurity/CVE-2021-4034" "15" "crowdsecurity/CVE-2022-37042" "15,21" "crowdsecurity/dovecot-spam" "11" "lepresidente/emby-bf" "15,18" "crowdsecurity/endlessh-bf" "15,18,22" "crowdsecurity/exchange-bf" "15,18" "crowdsecurity/f5-big-ip-cve-2020-5902" "15,21" "crowdsecurity/fortinet-cve-2018-13379" "15,21" "lepresidente/gitea-bf" "15,18" "timokoessler/gitlab-bf" "15,18" "baudneo/gotify-bf" "15,18" "crowdsecurity/grafana-cve-2021-43798" "15,21" "crowdsecurity/home-assistant-bf" "15,18" "crowdsecurity/http-apiscp-bf" "15,18" "crowdsecurity/http-backdoors-attempts" "15,21" "crowdsecurity/http-bad-user-ag
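An added Python rendering of what the two notification templates above produce (the short one with the ssh-slow-bf map and the URL-params/CSV sections, and this longer scenario-to-category map). It is not the gist's or CrowdSec's code; it exists so the output of `get`, `replace` and `urlquery` can be checked offline. The category numbers are taken from the templates and look like AbuseIPDB report categories (15 hacking, 18 brute-force, 21 web app attack, 22 SSH, 11 email spam); that reading, the DEFAULT_CATEGORY fallback and the CSV column order are assumptions, since the page never names the receiving service and its CSV section is cut off. The alerts are constructed.

```python
import csv
import io
from urllib.parse import quote_plus

# Scenario -> category string, copied from the templates on this page (assumed to be
# AbuseIPDB category IDs). Only a handful of entries are needed for the example.
CATEGORY_MAP = {
    "crowdsecurity/ssh-slow-bf": "22,18",
    "crowdsecurity/apache_log4j2_cve-2021-44228": "15,21",
    "crowdsecurity/dovecot-spam": "11",
    "crowdsecurity/endlessh-bf": "15,18,22",
}
# Assumed fallback: the templates' bare `get $dict .Scenario` renders "" for a scenario
# that is not in the map, which would send a report with no category at all.
DEFAULT_CATEGORY = "15"

# Constructed alerts in the shape the templates range over (.Scenario, .Source.Value)
ALERTS = [
    {"Scenario": "crowdsecurity/ssh-slow-bf", "Source": {"Value": "203.0.113.9"}},
    {"Scenario": "crowdsecurity/endlessh-bf", "Source": {"Value": "198.51.100.7"}},
    {"Scenario": "crowdsecurity/not-in-the-map", "Source": {"Value": "2001:db8::1"}},
]

COMMENT = "[Crowdsec]: Detected via: %s"


def categories_for(scenario):
    """`get $dict .Scenario`, with a fallback instead of an empty string."""
    return CATEGORY_MAP.get(scenario, DEFAULT_CATEGORY)


def url_params(alert):
    """Same shape as the template's '?category=..&comment=..&ip=..' line. quote_plus
    matches Go's urlquery (url.QueryEscape): space -> '+', everything outside
    [A-Za-z0-9-_.~] percent-encoded, so a scenario name or an IPv6 address cannot
    smuggle an extra '&key=' pair into the query. The category string is emitted raw,
    as the template does, because it comes from our own map, not from the alert."""
    return "?category=%s&comment=%s&ip=%s" % (
        categories_for(alert["Scenario"]),
        quote_plus(COMMENT % alert["Scenario"]),
        quote_plus(alert["Source"]["Value"]),
    )


def csv_rows(alerts):
    """The '## CSV' variant (column order ip,categories,comment is an assumption).
    csv.writer quotes any field containing a comma or a quote, so the "22,18"
    category list and an odd scenario name stay inside one cell."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ip", "categories", "comment"])
    for a in alerts:
        w.writerow([a["Source"]["Value"], categories_for(a["Scenario"]), COMMENT % a["Scenario"]])
    return buf.getvalue()


if __name__ == "__main__":
    for a in ALERTS:
        print(url_params(a))
    print(csv_rows(ALERTS), end="")
```

The point of running this locally is the encoding: the scenario name is attacker-independent, but the comment and the IP are built per alert, and the template only stays safe because both pass through urlquery before landing in the query string.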