crowdsec issue - Vobar gist

alert.json · 4.5 KiB · JSON Raw

{ "capacity": 1, "created_at": "2026-01-14T11:26:08Z", "decisions": null, "events": [ { "meta": [ { "key": "rule_name", "value": "native_rule:901340" }, { "key": "message", "value": "Enabling body inspection" }, { "key": "uri", "value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX" }, { "key": "matched_zones", "value": "REQBODY_PROCESSOR" }, { "key": "data" }, { "key": "target_fqdn", "value": "temp-ns.vobar.eu" } ], "timestamp": "2026-01-14 11:26:08 +0000 UTC" }, { "meta": [ { "key": "rule_name", "value": "native_rule:920420" }, { "key": "message", "value": "Request content type is not allowed by policy" }, { "key": "uri", "value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX" }, { "key": "matched_zones", "value": "REQUEST_HEADERS.Content-Type,TX.content_type" }, { "key": "data", "value": "|text/plain|" }, { "key": "target_fqdn", "value": "temp-ns.vobar.eu" } ], "timestamp": "2026-01-14 11:26:08 +0000 UTC" }, { "meta": [ { "key": "rule_name", "value": "native_rule:949110" }, { "key": "message", "value": "Inbound Anomaly Score Exceeded (Total Score: 5)" }, { "key": "uri", "value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX" }, { "key": "matched_zones", "value": "TX.blocking_inbound_anomaly_score" }, { "key": "data" }, { "key": "target_fqdn", "value": "temp-ns.vobar.eu" } ], "timestamp": "2026-01-14 11:26:08 +0000 UTC" }, { "meta": [ { "key": "rule_name", "value": "native_rule:980170" }, { "key": "message", "value": "Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)" }, { "key": "uri", "value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX" }, { "key": "matched_zones", "value": "UNKNOWN" }, { "key": "data" }, { "key": "target_fqdn", "value": "temp-ns.vobar.eu" } ], "timestamp": "2026-01-14 11:26:08 +0000 UTC" } ], "events_count": 4, "id": 49953, "labels": null, "leakspeed": "", "machine_id": "localhost", "message": "WAF out-of-band match: anomaly score out-of-band: anomaly: 5, from redacted (172.20.0.6)", "meta": [ { "key": "user_agent", "value": "[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15\"]" }, { "key": "name", "value": "[\"native_rule:920420\"]" }, { "key": "matched_zones", "value": "[\"REQUEST_HEADERS.Content-Type\",\"TX.content_type\"]" }, { "key": "method", "value": "[\"POST\"]" }, { "key": "ja4h", "value": "[\"po11nn15enus_536e520efc37_000000000000_000000000000\"]" }, { "key": "msg", "value": "[\"Request content type is not allowed by policy\"]" }, { "key": "target_uri", "value": "[\"/socket.io/?EIO=4\\u0026transport=polling\\u0026t=PkyGN_O\\u0026sid=BYSeZOBcMq3Mo6yYAAJX\"]" } ], "scenario": "anomaly score out-of-band: anomaly: 5, ", "scenario_hash": "", "scenario_version": "", "simulated": false, "source": { "as_name": "ATT-INTERNET4", "as_number": "7018", "cn": "US", "ip": "redacted", "latitude": 34.0544, "longitude": -118.244, "range": "redacted", "scope": "Ip", "value": "redacted" }, "start_at": "2026-01-14T11:26:08Z", "stop_at": "2026-01-14T11:26:08Z", "uuid": "ff490c91-3c84-46f5-8ffc-a054ce565f64" }

1	{
2	"capacity": 1,
3	"created_at": "2026-01-14T11:26:08Z",
4	"decisions": null,
5	"events": [
6	{
7	"meta": [
8	{
9	"key": "rule_name",
10	"value": "native_rule:901340"
11	},
12	{
13	"key": "message",
14	"value": "Enabling body inspection"
15	},
16	{
17	"key": "uri",
18	"value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX"
19	},
20	{
21	"key": "matched_zones",
22	"value": "REQBODY_PROCESSOR"
23	},
24	{
25	"key": "data"
26	},
27	{
28	"key": "target_fqdn",
29	"value": "temp-ns.vobar.eu"
30	}
31	],
32	"timestamp": "2026-01-14 11:26:08 +0000 UTC"
33	},
34	{
35	"meta": [
36	{
37	"key": "rule_name",
38	"value": "native_rule:920420"
39	},
40	{
41	"key": "message",
42	"value": "Request content type is not allowed by policy"
43	},
44	{
45	"key": "uri",
46	"value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX"
47	},
48	{
49	"key": "matched_zones",
50	"value": "REQUEST_HEADERS.Content-Type,TX.content_type"
51	},
52	{
53	"key": "data",
54	"value": "\|text/plain\|"
55	},
56	{
57	"key": "target_fqdn",
58	"value": "temp-ns.vobar.eu"
59	}
60	],
61	"timestamp": "2026-01-14 11:26:08 +0000 UTC"
62	},
63	{
64	"meta": [
65	{
66	"key": "rule_name",
67	"value": "native_rule:949110"
68	},
69	{
70	"key": "message",
71	"value": "Inbound Anomaly Score Exceeded (Total Score: 5)"
72	},
73	{
74	"key": "uri",
75	"value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX"
76	},
77	{
78	"key": "matched_zones",
79	"value": "TX.blocking_inbound_anomaly_score"
80	},
81	{
82	"key": "data"
83	},
84	{
85	"key": "target_fqdn",
86	"value": "temp-ns.vobar.eu"
87	}
88	],
89	"timestamp": "2026-01-14 11:26:08 +0000 UTC"
90	},
91	{
92	"meta": [
93	{
94	"key": "rule_name",
95	"value": "native_rule:980170"
96	},
97	{
98	"key": "message",
99	"value": "Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)"
100	},
101	{
102	"key": "uri",
103	"value": "/socket.io/?EIO=4\u0026transport=polling\u0026t=PkyGN_O\u0026sid=BYSeZOBcMq3Mo6yYAAJX"
104	},
105	{
106	"key": "matched_zones",
107	"value": "UNKNOWN"
108	},
109	{
110	"key": "data"
111	},
112	{
113	"key": "target_fqdn",
114	"value": "temp-ns.vobar.eu"
115	}
116	],
117	"timestamp": "2026-01-14 11:26:08 +0000 UTC"
118	}
119	],
120	"events_count": 4,
121	"id": 49953,
122	"labels": null,
123	"leakspeed": "",
124	"machine_id": "localhost",
125	"message": "WAF out-of-band match: anomaly score out-of-band: anomaly: 5, from redacted (172.20.0.6)",
126	"meta": [
127	{
128	"key": "user_agent",
129	"value": "[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15\"]"
130	},
131	{
132	"key": "name",
133	"value": "[\"native_rule:920420\"]"
134	},
135	{
136	"key": "matched_zones",
137	"value": "[\"REQUEST_HEADERS.Content-Type\",\"TX.content_type\"]"
138	},
139	{
140	"key": "method",
141	"value": "[\"POST\"]"
142	},
143	{
144	"key": "ja4h",
145	"value": "[\"po11nn15enus_536e520efc37_000000000000_000000000000\"]"
146	},
147	{
148	"key": "msg",
149	"value": "[\"Request content type is not allowed by policy\"]"
150	},
151	{
152	"key": "target_uri",
153	"value": "[\"/socket.io/?EIO=4\\u0026transport=polling\\u0026t=PkyGN_O\\u0026sid=BYSeZOBcMq3Mo6yYAAJX\"]"
154	}
155	],
156	"scenario": "anomaly score out-of-band: anomaly: 5, ",
157	"scenario_hash": "",
158	"scenario_version": "",
159	"simulated": false,
160	"source": {
161	"as_name": "ATT-INTERNET4",
162	"as_number": "7018",
163	"cn": "US",
164	"ip": "redacted",
165	"latitude": 34.0544,
166	"longitude": -118.244,
167	"range": "redacted",
168	"scope": "Ip",
169	"value": "redacted"
170	},
171	"start_at": "2026-01-14T11:26:08Z",
172	"stop_at": "2026-01-14T11:26:08Z",
173	"uuid": "ff490c91-3c84-46f5-8ffc-a054ce565f64"
174	}
175

nightscout-socketio-whitelist.yaml · 468 B · YAML Raw

1	# /etc/crowdsec/parsers/s02-enrich/nightscout-socketio-whitelist.yaml
2	name: nightscout/socketio-whitelist
3	description: "Whitelist Nightscout Socket.IO connections to prevent false positives"
4	filter: >-
5	evt.Meta.datasource_type == 'appsec'
6	&& evt.Meta.log_type == 'appsec-info'
7	&& evt.Meta.target_host in ['redacted', 'temp-ns.vobar.eu']
8	whitelist:
9	reason: "Nightscout Socket.IO traffic"
10	expression:
11	- "evt.Meta.target_uri startsWith '/socket.io/?EIO='"
12

nightscout_outofband.yaml · 764 B · YAML Raw

1	# /etc/crowdsec/appsec-configs/nightscout-outofband.yaml
2	name: nightscout-outofband
3	description: "Out-of-band AppSec config with Socket.IO exclusions"
4
5	default_remediation: ban
6	default_pass_action: allow
7
8	# Load generic rules but with exclusions
9	rules:
10	- crowdsecurity/appsec-generic-rules
11
12	# Out-of-band specific configuration
13	outofband_rules:
14	- crowdsecurity/appsec-generic-rules
15
16	# Rule exclusions - prevent these rules from firing on socket.io paths
17	rule_exclusions:
18	- rule_id: 920420
19	zones: [URI]
20	match:
21	type: regex
22	value: "^/socket\\.io/"
23	- rule_id: 901340
24	zones: [URI]
25	match:
26	type: regex
27	value: "^/socket\\.io/"
28	- rule_id: 949110
29	zones: [URI]
30	match:
31	type: regex
32	value: "^/socket\\.io/"