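# Generate an nginx real_ip configuration from Cloudflare's published edge
# ranges so nginx restores the visitor address from CF-Connecting-IP.
#
# Things a deployer should know:
#  - The range list is fetched over the network and written straight into
#    nginx config. Every entry is therefore validated as a CIDR, and a failed
#    or empty fetch aborts before the existing file is touched, instead of
#    leaving nginx with no trusted proxies or a config that fails `nginx -t`.
#  - `set_real_ip_from` alone does nothing; `real_ip_header $REAL_HEADER;`
#    must also be written to the file (REAL_HEADER is defined for that).
#  - Cloudflare's ranges change; re-run this periodically. Clients that reach
#    the origin directly are outside these ranges, so their header is
#    ignored, but they also bypass Cloudflare entirely — firewall the origin.
TARGET_FILE=/etc/nginx/conf.d/cloudflare.conf
REAL_HEADER=CF-Connecting-IP

# fetch_ranges URL: print the body of URL, or fail on an HTTP error
# (curl -f turns 4xx/5xx into a non-zero exit) or an empty response.
fetch_ranges() {
  fetched=$(curl -fsS --max-time 30 "$1") || { printf 'failed to fetch %s\n' "$1" >&2; return 1; }
  if [ -z "$fetched" ]; then
    printf 'empty range list from %s\n' "$1" >&2
    return 1
  fi
  printf '%s\n' "$fetched"
}

# is_cidr ENTRY: accept only something shaped like an IPv4/IPv6 prefix
# (hex digits, dots, colons and a slash). An HTML error page or captive
# portal response must never be echoed into the nginx config.
is_cidr() {
  case "$1" in
    ""|*[!0-9a-fA-F:./]*) return 1 ;;
    */*) return 0 ;;
  esac
  return 1
}

# Fetch first, truncate second: a network failure leaves the old config intact.
v4_ranges=$(fetch_ranges https://www.cloudflare.com/ips-v4) || exit 1

echo "# AUTOGENERATED FILE" > "$TARGET_FILE"
# Word-splitting on $v4_ranges is intended: one range per line.
for i in $v4_ranges; do
  if ! is_cidr "$i"; then
    printf 'unexpected entry in ips-v4: %s\n' "$i" >&2
    exit 1
  fi
  echo "set_real_ip_from $i;" >> "$TARGET_FILE"
done
# TODO: apply fetch_ranges/is_cidr to the ips-v6 list as well.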
for i in `curl -s https://www.cloudflare.com/ips-v6`;
do
echo "set_real_ip_from $i;" >> $TARGET_FILE
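# CrowdSec parser for Windows Firewall drop lines.
# The filter narrows input to inbound ("RECEIVE") TCP drops before the grok
# runs, so a line that reaches the grok and fails to match indicates a log
# format difference rather than an uninteresting event.
onsuccess: next_stage
filter: "evt.Parsed.program == 'windows-firewall' and evt.Parsed.message contains ' DROP TCP ' and evt.Parsed.message contains ' RECEIVE'"
name: crowdsecurity/windows-firewall-logs
description: "Parse windows firewall drop logs"
grok:
  # Columns, left to right: timestamp, "DROP TCP", src/dst IP, src/dst port,
  # size, TCP flags, tcpsyn, tcpack, window, three "-" placeholders (empty
  # for TCP; presumably the ICMP/info columns), "RECEIVE" and an optional pid.
  pattern: "%{TIMESTAMP_ISO8601:date} DROP TCP %{IP:src_ip} %{IP:dst_ip} %{INT:src_port} %{INT:dst_port} %{INT:size} %{WORD:flags} %{INT:tcpsyn} %{INT:tcpack} %{INT:window} - - - RECEIVE( %{INT:pid})?"
  apply_on: message
# NOTE(review): nothing shown here sets evt.Meta.source_ip from src_ip;
# scenarios group and ban on that meta, so confirm a later static sets it.
statics:
  - meta: service
    value: tcp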
LaurenceJJones / crowdsec_heartbeat.sh
Last active November 13, 2024 12:22
Bash script to detect whether a CrowdSec agent hasn't sent a heartbeat to LAPI in over 2 minutes (the threshold coded in the script is 180 s)
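# Take "now" once so every machine is compared against the same instant.
current="$(/usr/bin/date '+%s')"
# Resolve cscli via PATH and abort if it is missing: the original `which`
# result was used unchecked, so an absent binary silently ran "-ojson" as
# the command. Cron PATHs are often minimal, which makes this a real case.
cscli=$(command -v cscli) || { printf 'cscli not found in PATH\n' >&2; exit 1; }
# One LAPI call for the whole machine list; jq extracts heartbeat/machineId below.
machinesJson=$("$cscli" -ojson machines list) || { printf 'cscli machines list failed\n' >&2; exit 1; }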
echo $machinesJson | /usr/bin/jq -r '.[]| select(.last_heartbeat != null) | [.last_heartbeat, .machineId] | @tsv' |
while IFS=$'\t' read -r hb mid; do
last_hb="$(/usr/bin/date -u -d "$hb" '+%s')"
diff=$((current - last_hb))
if [ "$diff" -gt "180" ]; then
echo "$mid has not contacted LAPI for more than 2 minutes"
LaurenceJJones / security.txt
Last active January 2, 2023 13:04
nginx security.txt
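# security.txt (RFC 9116)
#
# Both locations are exact matches so only the two canonical paths are
# served; the legacy root path redirects to /.well-known/.
#
# `default_type` sets the Content-Type of the `return` body. The previous
# `add_header Content-Type text/plain;` appended a second Content-Type
# header next to nginx's default one instead of replacing it.
#
# Expires is mandatory and must lie in the future (RFC 9116 recommends
# less than a year out); the value below is fixed text and has to be
# refreshed by hand or the file stops being valid. Serve over HTTPS only.
# Each field line ends with a newline, including the last one.
location = /security.txt {
    return 301 /.well-known/security.txt;
}
location = /.well-known/security.txt {
    default_type text/plain;
    return 200 'Contact: mailto:[email protected]\nExpires: 2024-01-01T00:00:00.000Z\n';
}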
LaurenceJJones / apache2-logs.yaml
Last active January 2, 2023 15:49
nextcloud apache2
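# CrowdSec parser for Apache2 access/error logs in a reverse-proxied
# (Nextcloud) layout: the access line carries an extra forwarded-IP column
# right after the peer address.
#debug: true
filter: "evt.Parsed.program startsWith 'apache2'"
onsuccess: next_stage
name: crowdsecurity/apache2-logs
description: "Parse Apache2 access and error logs"
# log line can be prefixed by a target_fqdn
pattern_syntax:
  # clientip is the TCP peer (the proxy); forwardedip is whatever the proxy
  # put in its forwarded header (presumably X-Forwarded-For). Only promote
  # forwardedip to the source IP when the proxy is the sole way to reach
  # Apache — a client that connects directly can set that header to anything.
  NC_APACHE2: '%{IPORHOST:clientip} %{DATA:forwardedip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
nodes: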
LaurenceJJones / 00-cri-syslogs.yaml
Created March 15, 2023 12:50
A cri-log s00 for syslog events
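# CrowdSec s00 parser for syslog lines wrapped in the containerd/CRI log
# envelope ("<timestamp> <stream> <tag> <message>"), selected by the
# acquisition labels type=containerd and program=syslog.
filter: "evt.Line.Labels.type == 'containerd' && evt.Line.Labels.program == 'syslog'"
name: crowdsecurity/cri-syslogs
description: CRI logging format parser for syslogs
#debug: true
pattern_syntax:
  # "<N>N" prefix (presumably RFC 5424 PRI and VERSION), then the standard
  # syslog base (timestamp/host), program name and pid.
  RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}'
  # Optional structured-data block carrying the message sequence id.
  RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]'
nodes:
  # Strip the CRI envelope first; the remaining syslog text lands in
  # `message` for the grok nodes that follow.
  - grok:
      pattern: "^%{TIMESTAMP_ISO8601:cri_timestamp} %{WORD:stream} %{WORD:logtag} %{GREEDYDATA:message}"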
LaurenceJJones / crowdsec_tar.sh
Created March 16, 2023 11:46
Install CrowdSec from the GitHub release tarball
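# Static CrowdSec release fetched from GitHub. The version is pinned so the
# install is reproducible; bumping it is a deliberate change.
CROWDSEC_GITHUB_RELEASE="github.com/crowdsecurity/crowdsec/releases/download"
CROWDSEC_VERSION="1.4.6"
CROWDSEC_FILE="crowdsec-release-static.tgz"
# Remember the starting directory so the script can cd back after working
# in the scratch dir.
OLD_DIR=$(pwd)
# Abort if mktemp fails rather than carrying on with an empty TMP_DIR, and
# remove the scratch dir on every exit path (`:?` refuses to expand to "").
TMP_DIR=$(mktemp -d) || { printf 'mktemp -d failed\n' >&2; exit 1; }
trap 'rm -rf -- "${TMP_DIR:?}"' EXIT
# NOTE(review): the tarball is presumably extracted without checking a
# sha256/signature against the release — add that before unattended use.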
download() {
if command -v curl >/dev/null; then
cd "$2" || (echo "Could not cd to $2" && exit 1)
# older versions of curl don't support --output-dir
LaurenceJJones / collection.txt
Last active March 28, 2023 19:40
All collections currently
Dominic-Wagner/vaultwarden `
LePresidente/adguardhome `
LePresidente/authelia `
LePresidente/emby `
LePresidente/gitea `
LePresidente/jellyfin `
LePresidente/jellyseerr `
LePresidente/ombi `
LePresidente/redmine `
a1ad/meshcentral `
LaurenceJJones / chrome-ua-lt-100.yaml
Created April 11, 2023 22:12
CrowdSec scenario: detect Chrome user-agents reporting a major version below 100
# Leaky-bucket scenario keyed on source IP: requests whose User-Agent says
# Chrome with a one- or two-digit major version (i.e. below 100).
type: leaky
format: 2.0
#debug: true
name: example/chrome-under-100
description: "Detect bad user-agents of chrome under version 100"
# Matches only the digits directly after "Chrome/" up to the first dot, on
# both access and error log events. A User-Agent is client-supplied, so
# this is a heuristic for outdated or forged clients, not proof of anything.
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_user_agent matches "Chrome\\/[0-9][0-9]?\\."'
# Bucket of size 1 leaking one event per minute: more than one matching
# request from the same IP inside that window overflows it; blackhole
# suppresses further overflows for the same IP for 2 minutes.
capacity: 1
leakspeed: 1m
groupby: "evt.Meta.source_ip"
blackhole: 2m
LaurenceJJones / init-script.sh
Last active January 16, 2025 12:06
crowdsec init script
#!/bin/bash
##########
## Maintained by Laurence from CrowdSec
## Discord: https://discord.gg/crowdsec
## Website: https://www.crowdsec.net/
## Docs: https://docs.crowdsec.net/
##########
# Linode users can change these variables from the UI
# DigitalOcean users: uncomment and change these variables