From: Cyril Brulebois <cyril@debamax.com>
Date: Fri, 22 Jan 2021 14:35:42 +0000
Subject: Disable geoip-enrich in the hub files
It would download GeoLite2*.mmdb files from the network. Let users
enable the hub by themselves if they want to use it.
When refreshing this patch, don't forget to update both digest and
content fields, using:
- digest: sha256sum hub1/collections/crowdsecurity/linux.yaml
- content: base64 -w 0 /etc/crowdsec/collections/linux.yaml
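An added consistency check for the refresh recipe above (not part of the Debian patch or of crowdsec): it reproduces `sha256sum` for the digest and `base64 -w 0` for the content, and compares an `.index.json` entry against the collection file, including the denormalized `parsers` list. The sample YAML is the post-patch linux collection, and the flat-YAML parser is an assumption written for this layout only.

```python
import base64
import hashlib
import itertools

# Constructed sample: the linux collection file as it reads after the patch.
LINUX_YAML = (
    "parsers:\n"
    "  - crowdsecurity/syslog-logs\n"
    "  - crowdsecurity/dateparse-enrich\n"
    "collections:\n"
    "  - crowdsecurity/sshd\n"
    'description: "core linux support : syslog+ssh"\n'
    "author: crowdsecurity\n"
    "tags:\n"
    "  - linux\n\n"
).encode()

def digest_of(data: bytes) -> str:
    """Same value as `sha256sum <file>` prints (hex digest only)."""
    return hashlib.sha256(data).hexdigest()

def content_of(data: bytes) -> str:
    """Same value as `base64 -w 0 <file>`: one unwrapped base64 line."""
    return base64.b64encode(data).decode("ascii")

def parsers_in(data: bytes) -> list:
    """Extract the `parsers:` list from a collection file (flat YAML only, assumed layout)."""
    lines = data.decode().splitlines()
    rest = lines[lines.index("parsers:") + 1:]
    items = itertools.takewhile(lambda l: l.startswith("  - "), rest)
    return [l[4:].strip() for l in items]

def index_entry(data: bytes, version: str = "0.2") -> dict:
    """Build the file-derived fields of a hub .index.json entry."""
    return {
        "version": version,
        "versions": {version: {"digest": digest_of(data), "deprecated": False}},
        "content": content_of(data),
        "parsers": parsers_in(data),
    }

def check_entry(entry: dict, data: bytes) -> list:
    """Index fields that disagree with the file; an empty list means consistent."""
    decoded = base64.b64decode(entry["content"])
    checks = {
        "content": decoded == data,
        "digest": entry["versions"][entry["version"]]["digest"] == digest_of(data),
        "parsers": entry.get("parsers") == parsers_in(decoded),
    }
    return [name for name, ok in checks.items() if not ok]
```

Run it over each collection entry touched by a refresh; a non-empty list names exactly the fields that still have to be regenerated.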
--- a/hub1/.index.json
+++ b/hub1/.index.json
@@ -585,12 +585,11 @@
},
"long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGZyZWVic2QqKgoKY29udGFpbnMgc3VwcG9ydCBmb3Igc3lzbG9nLCBkbyBub3QgcmVtb3ZlLgo=",
"content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGZyZWVic2Qgc3VwcG9ydCA6IHN5c2xvZytnZW9pcCtzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gZnJlZWJzZCAKCg==",
- "description": "core freebsd support : syslog+geoip+ssh",
+ "description": "core freebsd support : syslog+ssh",
"author": "crowdsecurity",
"labels": null,
"parsers": [
"crowdsecurity/syslog-logs",
- "crowdsecurity/geoip-enrich",
"crowdsecurity/dateparse-enrich"
],
"collections": [
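Review bot: this hunk leaves the freebsd collection entry internally inconsistent: the description and the parsers list drop geoip-enrich, but the unchanged "content" line above still decodes to a parsers list containing `  - crowdsecurity/geoip-enrich`, and no change to hub1/collections/crowdsecurity/freebsd.yaml or to its digest appears in the patch. Either regenerate content and digest from an updated file, as the next hunk does for linux, or leave the freebsd entry untouched.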
@@ -819,18 +818,17 @@
"deprecated": false
},
"0.2": {
- "digest": "baaa37b12b4d734fab81ae01ff81c58ceb7a99304f21e6bb6ff86b871ed6d5eb",
+ "digest": "21ac34a4e2146ac8cd42f8377e1af5ead7eef5447bf3d6b0bf4e8ca456a7c16d",
"deprecated": false
}
},
"long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGxpbnV4KioKCmNvbnRhaW5zIHN1cHBvcnQgZm9yIHN5c2xvZywgZG8gbm90IHJlbW92ZS4K",
- "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGxpbnV4IHN1cHBvcnQgOiBzeXNsb2crZ2VvaXArc3NoIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4Cgo=",
- "description": "core linux support : syslog+geoip+ssh",
+ "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZGF0ZXBhcnNlLWVucmljaApjb2xsZWN0aW9uczoKICAtIGNyb3dkc2VjdXJpdHkvc3NoZApkZXNjcmlwdGlvbjogImNvcmUgbGludXggc3VwcG9ydCA6IHN5c2xvZytzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gbGludXgKCg==",
+ "description": "core linux support : syslog+ssh",
"author": "crowdsecurity",
"labels": null,
"parsers": [
"crowdsecurity/syslog-logs",
- "crowdsecurity/geoip-enrich",
"crowdsecurity/dateparse-enrich"
],
"collections": [
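Review bot: the digest and content for version "0.2" are regenerated here, but the header recipe derives them from two different files (sha256sum of hub1/collections/crowdsecurity/linux.yaml, base64 of /etc/crowdsec/collections/linux.yaml), so a stale installed copy would silently yield a content/digest mismatch. Suggest taking both from the hub1 copy, e.g. `base64 -w 0 hub1/collections/crowdsecurity/linux.yaml`, and noting in the header that version 0.2 now carries a digest different from the same version string in the upstream hub index.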
@@ -902,8 +900,7 @@
"parsers": [
"crowdsecurity/syslog-logs",
"crowdsecurity/magento-extension-logs",
- "crowdsecurity/dateparse-enrich",
- "crowdsecurity/geoip-enrich"
+ "crowdsecurity/dateparse-enrich"
],
"scenarios": [
"crowdsecurity/http-magento-bf",
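Review bot: only the denormalized parsers list is edited here; the magento collection's content, digest and description fields sit outside this hunk and its collection file is not in the patch, so index and file will disagree in the same way as the freebsd entry. The windows-logs hunk below has the same gap. Either regenerate those entries too, or state in the header that only the linux collection is fully refreshed.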
@@ -1473,7 +1470,6 @@
"parsers": [
"crowdsecurity/windows-logs",
"crowdsecurity/windows-auth",
- "crowdsecurity/geoip-enrich",
"crowdsecurity/dateparse-enrich"
],
"scenarios": [
@@ -2532,26 +2528,6 @@
"author": "crowdsecurity",
"labels": null
},
- "crowdsecurity/geoip-enrich": {
- "path": "parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml",
- "stage": "s02-enrich",
- "version": "0.2",
- "versions": {
- "0.1": {
- "digest": "c0718adfc71ad462ad90485ad5c490e5de0e54d8af425bff552994e114443ab6",
- "deprecated": false
- },
- "0.2": {
- "digest": "ab327e6044a32de7d2f3780cbc8e0c4af0c11716f353023d2dc7b986571bb765",
- "deprecated": false
- }
- },
- "long_description": "VGhlIEdlb0lQIG1vZHVsZSByZWxpZXMgb24gZ2VvbGl0ZSBkYXRhYmFzZSB0byBwcm92aWRlIGVucmljaG1lbnQgb24gc291cmNlIGlwLgoKVGhlIGZvbGxvd2luZyBpbmZvcm1hdGlvbnMgd2lsbCBiZSBhZGRlZCB0byB0aGUgZXZlbnQgOgogLSBgTWV0YS5Jc29Db2RlYCA6IHR3by1sZXR0ZXJzIGNvdW50cnkgY29kZQogLSBgTWV0YS5Jc0luRVVgIDogYSBib29sZWFuIGluZGljYXRpbmcgaWYgSVAgaXMgaW4gRVUKIC0gYE1ldGEuR2VvQ29vcmRzYCA6IGxhdGl0dWRlICYgbG9uZ2l0dWRlIG9mIElQCiAtIGBNZXRhLkFTTk51bWJlcmAgOiBBdXRvbm9tb3VzIFN5c3RlbSBOdW1iZXIKIC0gYE1ldGEuQVNOT3JnYCA6IEF1dG9ub21vdXMgU3lzdGVtIE5hbWUKIC0gYE1ldGEuU291cmNlUmFuZ2VgIDogVGhlIHB1YmxpYyByYW5nZSB0byB3aGljaCB0aGUgSVAgYmVsb25ncwoKClRoaXMgY29uZmlndXJhdGlvbiBpbmNsdWRlcyBHZW9MaXRlMiBkYXRhIGNyZWF0ZWQgYnkgTWF4TWluZCBhdmFpbGFibGUgZnJvbSBbaHR0cHM6Ly93d3cubWF4bWluZC5jb21dKGh0dHBzOi8vd3d3Lm1heG1pbmQuY29tKSwgaXQgaW5jbHVkZXMgdHdvIGRhdGEgZmlsZXM6IAoqIFtHZW9MaXRlMi1DaXR5Lm1tZGJdKGh0dHBzOi8vY3Jvd2RzZWMtc3RhdGljcy1hc3NldHMuczMtZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vR2VvTGl0ZTItQ2l0eS5tbWRiKQoqIFtHZW9MaXRlMi1BU04ubW1kYl0oaHR0cHM6Ly9jcm93ZHNlYy1zdGF0aWNzLWFzc2V0cy5zMy1ldS13ZXN0LTEuYW1hem9uYXdzLmNvbS9HZW9MaXRlMi1BU04ubW1kYikKCg==",
- "content": "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",
- "description": "Populate event with geoloc info : as, country, coords, source range.",
- "author": "crowdsecurity",
- "labels": null
- },
"crowdsecurity/haproxy-logs": {
"path": "parsers/s01-parse/crowdsecurity/haproxy-logs.yaml",
"stage": "s01-parse",
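Review bot: dropping the whole crowdsecurity/geoip-enrich entry goes beyond disabling its download: after this hunk the packaged index no longer knows the parser at all, so it cannot be installed from the local hub, and any remaining reference to it in a collection (see the unchanged freebsd content above) points at an item that does not exist. State in the header that re-enabling GeoIP requires switching to the upstream hub, which is what "Let users enable the hub by themselves" implies.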
@@ -6375,4 +6351,4 @@
}
}
}
-}
\ No newline at end of file
+}
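Review bot: this last hunk only adds the missing newline at end of file, an unrelated whitespace change that makes the patch harder to refresh against upstream; drop it or mention it in the header.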
--- a/hub1/collections/crowdsecurity/linux.yaml
+++ b/hub1/collections/crowdsecurity/linux.yaml
@@ -1,10 +1,9 @@
parsers:
- crowdsecurity/syslog-logs
- - crowdsecurity/geoip-enrich
- crowdsecurity/dateparse-enrich
collections:
- crowdsecurity/sshd
-description: "core linux support : syslog+geoip+ssh"
+description: "core linux support : syslog+ssh"
author: crowdsecurity
tags:
- linux
--- a/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-filter: "'source_ip' in evt.Meta"
-name: crowdsecurity/geoip-enrich
-description: "Populate event with geoloc info : as, country, coords, source range."
-data:
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
- dest_file: GeoLite2-City.mmdb
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
- dest_file: GeoLite2-ASN.mmdb
-statics:
- - method: GeoIpCity
- expression: evt.Meta.source_ip
- - meta: IsoCode
- expression: evt.Enriched.IsoCode
- - meta: IsInEU
- expression: evt.Enriched.IsInEU
- - meta: GeoCoords
- expression: evt.Enriched.GeoCoords
- - method: GeoIpASN
- expression: evt.Meta.source_ip
- - meta: ASNNumber
- expression: evt.Enriched.ASNNumber
- - meta: ASNOrg
- expression: evt.Enriched.ASNOrg
- - method: IpToRange
- expression: evt.Meta.source_ip
- - meta: SourceRange
- expression: evt.Enriched.SourceRange
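Review bot: the only lines that reach the network are the two `source_url:` entries in the `data:` block; the filter and the statics that follow are local enrichment. Deleting the whole file is a larger change than "Disable geoip-enrich" suggests, so the header should say the parser is removed, not merely its downloads disabled. If a middle ground is wanted, keeping the parser with only the `data:` block removed would let an administrator supply GeoLite2-City.mmdb and GeoLite2-ASN.mmdb themselves, but that needs checking against how crowdsec locates data files before being adopted.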