diff --git a/tests/scenario/01ssh/file.log b/tests/scenario/01ssh/file.log
deleted file mode 100644
index 1b8af76cd..000000000
--- a/tests/scenario/01ssh/file.log
+++ /dev/null
@@ -1,32 +0,0 @@
-2018-02-07T18:00:06+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:09+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:12+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:12+01:00 eqx10863 sshd[13934]: Disconnecting: Too many authentication failures for root from 192.168.13.38 port 39596 ssh2 [preauth]
-2018-02-07T18:00:21+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:23+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:26+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:29+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Disconnecting: Too many authentication failures for root from 192.168.13.38 port 2377 ssh2 [preauth]
-2018-02-07T18:00:06+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:09+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:12+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:12+01:00 eqx10863 sshd[13934]: Disconnecting: Too many authentication failures for root from 192.168.13.38 port 39596 ssh2 [preauth]
-2018-02-07T18:00:21+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:23+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:26+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:29+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Disconnecting: Too many authentication failures for root from 192.168.13.38 port 2377 ssh2 [preauth]
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.38 user=root
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:31+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:32+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:32+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:33+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
-2018-02-07T18:00:34+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.37 port 2377 ssh2
diff --git a/tests/scenario/01ssh/labels b/tests/scenario/01ssh/labels
deleted file mode 100644
index 9bf921c4b..000000000
--- a/tests/scenario/01ssh/labels
+++ /dev/null
@@ -1,2 +0,0 @@
-type: syslog
-
diff --git a/tests/scenario/01ssh/parsers.yaml b/tests/scenario/01ssh/parsers.yaml
deleted file mode 100644
index 0f84306dc..000000000
--- a/tests/scenario/01ssh/parsers.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
diff --git a/tests/scenario/01ssh/scenarios.yaml b/tests/scenario/01ssh/scenarios.yaml
deleted file mode 100644
index c38132371..000000000
--- a/tests/scenario/01ssh/scenarios.yaml
+++ /dev/null
@@ -1 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/ssh-bf.yaml
diff --git a/tests/scenario/01ssh/success.sqlite b/tests/scenario/01ssh/success.sqlite
deleted file mode 100644
index 503dd9470..000000000
--- a/tests/scenario/01ssh/success.sqlite
+++ /dev/null
@@ -1,3 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "192.168.13.38" and scenario = "crowdsecurity/ssh-bf"
-select count(*) == 1 from signal_occurences where source_ip = "192.168.13.37" and scenario = "crowdsecurity/ssh-bf"
-
diff --git a/tests/scenario/02naxsi/file.log b/tests/scenario/02naxsi/file.log
deleted file mode 100644
index d8f610aae..000000000
--- a/tests/scenario/02naxsi/file.log
+++ /dev/null
@@ -1 +0,0 @@ -2018-04-27T15:46:50+02:00 rp-ch-01 nginx: 2018/04/27 15:46:50 [error] 20329#0: *81170632 NAXSI_EXLOG: ip=191.154.37.115&server=cogedis.trustelem.com&uri=/app/55773/sso&id=10091&zone=ARGS&var_name=signature&content=gTyxddzKMBjOQ6iiNXsauWKyznrWzgzobNS5L226v23%2BSvh0z8uKrZbErckzPs7sF1Yif/T9P1O2Fmm05mSu1%2BL/TBAt1G2JsDv2%2B0zp2blECZFMMTfpgcyIeITDgh8HGM5GR9K2diB6/d1g5yShZs6Vm9%2BMCtXVO4gfpFwH4sSM7jbjU5xbShmiKkYNn3O8f3ZAdnZpk3%2BELVcODIGWwhRuN9Hy6agMirzx4PMTUWcDmdnB9W4iDcV/k28xnxuBE0vNw1JAL9sOSqrBnzqKk%2BUx9kt9hfEofvDYPvLfWiU56oEd8yzT1fEn21dzA6BcOCetzYoNjSdYDreKQm4O%2BVAgn90WKjvcORK%2BO3CkPR5%2B9N4d1hMLc10ZrKps4iHiJMG%2BRHvzBxL3yeYGdmdjX%2Bf6ZKjPkI3dTwP9379Wong0/DZ4BQ8ZC6SozID68PXybKynOGauaUxKCt3y3fAXSLH1Qtcl70kVQ9eQa1q%2B%2BZxujCGJ33sVl6ps10iLn2lYoJ85CAXCk%2B7p%2BMKOQzwGaFUBuVMgVbxATRQPnCN%2BHPymQ23LwWtKQbvRtJpahyPR9Yb6mUbf7JO1H2XF6%2BsPp4pcIZqv/SwJlgxSkPT5ehnJjLUhVIFu6SGlau1C0B/LUgHoZ8c%2Bkoy%2BfzzPqQPO2I1Y5SXFWwFPU6dbBgz1p%2BQ=, client: 77.136.47.223, server: www.trustelem.com, request: "GET 
/app/55773/sso?SAMLRequest=fZJbc6owFIX%2FCpN3NCJUZIqdtHihglfU2hcmjRGwQDAJaPvrD%2Bpxpuc8dM%2FkIbP3WiuX7%2FHpnKVKRblIWG6DVgMCheaE7ZI8ssEqGKgmeOo9CpylhYVKGecLeiypkEqty4V1bdig5LnFsEiEleOMCksSa4l8z9Ia0Co4k4ywFChICMplHfTCclFmlC8prxJCVwvPBrGUhbCazWRHsSopiXOWsiihopF9NQROqdgzTmiDsOxJMBtCxzDhtWbaNgKKUx8qybG83uNuRlhEd4loSF4KSVOaXeRNXBRNw%2Bh02k0hGFBcxwah9oLq2kzf1PMG%2BX3zNAmik%2B%2Bgy4Lz7094abe8aDMIk%2B3gIYz7zmrGzYU26n8Rrnn7c3beIndjurm63Q2HqTg%2Ff3M1LeHSgL67LraTKD6ij5ggPVjrHwjiKqlN8cP3J0F9nfnF4ICNlbtIzdepF3jxpDIO%2BxF3dv336t1cqN0Xz5fz1f4Ai7QfszOVejUMsoOero9V130bw8ioxsjcxQe9%2B6qy6tBpif0Yh1lZlGietsnpzRkQj0WOxK%2BeHh4jDTPzxMQUr8LhKFTna6KNfX5oLRblftyuw4elQMOQH1MXn7OsTVD9WkKU1M2FxLm0gQZbpgp1VesELcPSHyy929DbnXegzP5%2B%2B3OS32D6jZGP25CwRkEwU2fTZQCU9R3KegDcELSu4fwHe7%2Fb4jtwoHcn4iL6D6fH5g%2Fv3m33L%2By9Pw%3D%3D&RelayState=%2Fa085800002amsSg&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=gTyxddzKMBjOQ6iiNXsauWKyznrWzgzobNS5L226v23%2BSvh0z8uKrZbErckzPs7sF1Yif%2FT9P1O2Fmm05mSu1%2BL%2FTBAt1G2JsDv2%2B0zp2blECZFMMTfpgcyIeITDgh8HGM5GR9K2diB6%2Fd1g5yShZs6Vm9%2BMCt
diff --git a/tests/scenario/02naxsi/labels b/tests/scenario/02naxsi/labels
deleted file mode 100644
index c2988205b..000000000
--- a/tests/scenario/02naxsi/labels
+++ /dev/null
@@ -1 +0,0 @@
-type: syslog
diff --git a/tests/scenario/02naxsi/parsers.yaml b/tests/scenario/02naxsi/parsers.yaml
deleted file mode 100644
index 595b67745..000000000
--- a/tests/scenario/02naxsi/parsers.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml
- stage: s01-parse
-#it's a bit nasty : naxsi is in enrich phase because it parses nginx error log parser output
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/naxsi-logs.yaml
- stage: s02-enrich
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
diff --git a/tests/scenario/02naxsi/scenarios.yaml b/tests/scenario/02naxsi/scenarios.yaml
deleted file mode 100644
index 9c2d18972..000000000
--- a/tests/scenario/02naxsi/scenarios.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/naxsi-exploit-vpatch.yaml
-
diff --git a/tests/scenario/02naxsi/success.sqlite b/tests/scenario/02naxsi/success.sqlite
deleted file mode 100644
index 7a0ed44f9..000000000
--- a/tests/scenario/02naxsi/success.sqlite
+++ /dev/null
@@ -1 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "191.154.37.115" and scenario = "crowdsecurity/naxsi-exploit-vpatch"
diff --git a/tests/scenario/03wpbf/file.log b/tests/scenario/03wpbf/file.log
deleted file mode 100644
index 7f1752ac4..000000000
--- a/tests/scenario/03wpbf/file.log
+++ /dev/null
@@ -1,6 +0,0 @@
-2017-12-01T14:47:42+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:42 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:43+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:43 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:45+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:45 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:46+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:46 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:48+01:00 rp-ch-01 nginx: 192.168.13.38 - - [01/Dec/2017:14:47:48 +0000] "POST /lh-magazine/wp-login.php HTTP/1.1" 200 4249 "http://www.lahalle.com/lh-magazine/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
diff --git a/tests/scenario/03wpbf/labels b/tests/scenario/03wpbf/labels
deleted file mode 100644
index 3a15bed50..000000000
--- a/tests/scenario/03wpbf/labels
+++ /dev/null
@@ -1 +0,0 @@
-type: nginx
diff --git a/tests/scenario/03wpbf/parsers.yaml b/tests/scenario/03wpbf/parsers.yaml
deleted file mode 100644
index 887543e30..000000000
--- a/tests/scenario/03wpbf/parsers.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml
- stage: s02-enrich
-
\ No newline at end of file
diff --git a/tests/scenario/03wpbf/scenarios.yaml b/tests/scenario/03wpbf/scenarios.yaml
deleted file mode 100644
index 33b628ee8..000000000
--- a/tests/scenario/03wpbf/scenarios.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/http-bf-wordpress_bf.yaml
-
-
diff --git a/tests/scenario/03wpbf/success.sqlite b/tests/scenario/03wpbf/success.sqlite
deleted file mode 100644
index b94884ab7..000000000
--- a/tests/scenario/03wpbf/success.sqlite
+++ /dev/null
@@ -1 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "192.168.13.38" and scenario = "crowdsecurity/http-bf-wordpress_bf"
diff --git a/tests/scenario/04smb/file.log b/tests/scenario/04smb/file.log
deleted file mode 100644
index 90555ac0d..000000000
--- a/tests/scenario/04smb/file.log
+++ /dev/null
@@ -1,7 +0,0 @@
-Dec 13 00:31:12 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:12.487033 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:65132] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:13 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:13.294397 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:1391] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:14 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:14.108036 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:2154] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:14 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:14.883233 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:2893] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:15 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:13.294397 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:1391] mapped to [domainname]\[Administrator]. 
local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:16 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:14.108036 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:2154] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
-Dec 13 00:31:17 ip-172-31-11-1.us-west-1.compute.internal smb[2762]: Auth: [SMB2,(null)] user [domainname]\[Administrator] at [Fri, 13 Dec 2019 00:31:14.883233 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [LOCALPCNAME] remote host [ipv4:61.6.206.22:2893] mapped to [domainname]\[Administrator]. local host [ipv4:172.18.0.3:445] #015
diff --git a/tests/scenario/04smb/labels b/tests/scenario/04smb/labels
deleted file mode 100644
index c2988205b..000000000
--- a/tests/scenario/04smb/labels
+++ /dev/null
@@ -1 +0,0 @@
-type: syslog
diff --git a/tests/scenario/04smb/parsers.yaml b/tests/scenario/04smb/parsers.yaml
deleted file mode 100644
index 6cdf52263..000000000
--- a/tests/scenario/04smb/parsers.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/smb-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
diff --git a/tests/scenario/04smb/scenarios.yaml b/tests/scenario/04smb/scenarios.yaml
deleted file mode 100644
index fe3a6166c..000000000
--- a/tests/scenario/04smb/scenarios.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/smb-bf.yaml
-
-
-
diff --git a/tests/scenario/04smb/success.sqlite b/tests/scenario/04smb/success.sqlite
deleted file mode 100644
index c3edc79ae..000000000
--- a/tests/scenario/04smb/success.sqlite
+++ /dev/null
@@ -1 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "61.6.206.22" and scenario = "crowdsecurity/smb-bf"
diff --git a/tests/scenario/05mysql/file.log b/tests/scenario/05mysql/file.log
deleted file mode 100644
index 54fb7e0b8..000000000
--- a/tests/scenario/05mysql/file.log
+++ /dev/null
@@ -1,5 +0,0 @@
-Dec 12 22:43:09 ip-172-31-11-1.us-west-1.compute.internal mysql[2762]: 2019-12-12T22:43:09.600659Z 120 [Note] Access denied for user 'root'@'106.3.44.207' (using password: YES)
-Dec 12 22:43:10 ip-172-31-11-1.us-west-1.compute.internal mysql[2762]: 2019-12-12T22:43:10.408842Z 121 [Note] Access denied for user 'root'@'106.3.44.207' (using password: YES)
-Dec 12 22:43:11 ip-172-31-11-1.us-west-1.compute.internal mysql[2762]: 2019-12-12T22:43:11.218794Z 122 [Note] Access denied for user 'root'@'106.3.44.207' (using password: YES)
-Dec 12 22:43:12 ip-172-31-11-1.us-west-1.compute.internal mysql[2762]: 2019-12-12T22:43:12.027695Z 123 [Note] Access denied for user 'root'@'106.3.44.207' (using password: YES)
-Dec 12 22:43:12 ip-172-31-11-1.us-west-1.compute.internal mysql[2762]: 2019-12-12T22:43:12.841040Z 124 [Note] Access denied for user 'root'@'106.3.44.207' (using password: YES)
\ No newline at end of file
diff --git a/tests/scenario/05mysql/labels b/tests/scenario/05mysql/labels
deleted file mode 100644
index c2988205b..000000000
--- a/tests/scenario/05mysql/labels
+++ /dev/null
@@ -1 +0,0 @@
-type: syslog
diff --git a/tests/scenario/05mysql/parsers.yaml b/tests/scenario/05mysql/parsers.yaml
deleted file mode 100644
index 524ed815b..000000000
--- a/tests/scenario/05mysql/parsers.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
diff --git a/tests/scenario/05mysql/scenarios.yaml b/tests/scenario/05mysql/scenarios.yaml
deleted file mode 100644
index dcfb2c79b..000000000
--- a/tests/scenario/05mysql/scenarios.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/mysql-bf.yaml
-
-
-
-
diff --git a/tests/scenario/05mysql/success.sqlite b/tests/scenario/05mysql/success.sqlite
deleted file mode 100644
index 9d62fbc34..000000000
--- a/tests/scenario/05mysql/success.sqlite
+++ /dev/null
@@ -1 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "106.3.44.207" and scenario = "crowdsecurity/mysql-bf"
diff --git a/tests/scenario/06ssh_timemachine_blackhole/file.log b/tests/scenario/06ssh_timemachine_blackhole/file.log
deleted file mode 100644
index 381fe21b9..000000000
--- a/tests/scenario/06ssh_timemachine_blackhole/file.log
+++ /dev/null
@@ -1,23 +0,0 @@
-2018-02-07T18:00:00+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:00+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:00+01:00 eqx10863 sshd[13934]: Failed password for root from 192.168.13.38 port 39596 ssh2
-2018-02-07T18:00:00+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:00+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-#this one will overflow
-2018-02-07T18:00:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-#these ones will be blackholed
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:00:02+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-#these ones won't
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password 
for root from 192.168.13.38 port 2377 ssh2
-2018-02-07T18:02:01+01:00 eqx10863 sshd[13952]: Failed password for root from 192.168.13.38 port 2377 ssh2
-
diff --git a/tests/scenario/06ssh_timemachine_blackhole/labels b/tests/scenario/06ssh_timemachine_blackhole/labels
deleted file mode 100644
index c2988205b..000000000
--- a/tests/scenario/06ssh_timemachine_blackhole/labels
+++ /dev/null
@@ -1 +0,0 @@
-type: syslog
diff --git a/tests/scenario/06ssh_timemachine_blackhole/parsers.yaml b/tests/scenario/06ssh_timemachine_blackhole/parsers.yaml
deleted file mode 100644
index 0f84306dc..000000000
--- a/tests/scenario/06ssh_timemachine_blackhole/parsers.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
- stage: s02-enrich
diff --git a/tests/scenario/06ssh_timemachine_blackhole/scenarios.yaml b/tests/scenario/06ssh_timemachine_blackhole/scenarios.yaml
deleted file mode 100644
index 313977578..000000000
--- a/tests/scenario/06ssh_timemachine_blackhole/scenarios.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/ssh-bf.yaml
-
-
-
-
-
diff --git a/tests/scenario/06ssh_timemachine_blackhole/success.sqlite b/tests/scenario/06ssh_timemachine_blackhole/success.sqlite
deleted file mode 100644
index 690dd400c..000000000
--- a/tests/scenario/06ssh_timemachine_blackhole/success.sqlite
+++ /dev/null
@@ -1 +0,0 @@
-select count(*) == 2 from signal_occurences where source_ip = "192.168.13.38" and scenario = "crowdsecurity/ssh-bf"
diff --git a/tests/scenario/07crawling/file.log b/tests/scenario/07crawling/file.log
deleted file mode 100644
index 71de236d1..000000000
--- a/tests/scenario/07crawling/file.log
+++ /dev/null
@@ -1,84 +0,0 @@
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page1 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page2 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page2" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page3 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page3" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page4 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page4" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page5 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page5" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page6 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page6" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page7 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page7" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 
192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page8 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page8" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page9 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page9" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page10 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page10" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page11 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page11" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page12 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page12" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page13 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page13" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page14 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page14" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET 
/crawl_page15 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page15" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page16 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page16" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page17 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page17" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page18 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page18" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page19 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page19" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page20 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page21 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page22 HTTP/1.1" 200 4249 
"http://www.cs.com/crawl_page2" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page23 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page3" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page24 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page4" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page25 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page5" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page26 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page6" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page27 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page7" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page28 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page8" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page29 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page9" "Mozilla/5.0 (Windows NT 10.0; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page30 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page10" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page31 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page11" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page32 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page12" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page33 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page13" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page34 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page14" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page35 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page15" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
-2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page36 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page16" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page37 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page17" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page38 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page18" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page39 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page19" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page40 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.38 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page41 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - -## Those logs should not make an overflow -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page1 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page2 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page2" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page3 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page3" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page4 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page4" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page5 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page5" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page6 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page6" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page7 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page7" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page8 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page8" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:47:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:47:44 +0000] "GET /crawl_page9 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page9" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver 
nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page10 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page10" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page11 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page11" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page12 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page12" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page13 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page13" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page14 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page14" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page15 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page15" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:49:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:49:44 +0000] "GET /crawl_page16 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page16" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET 
/crawl_page17 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page17" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page18 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page18" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page19 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page19" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page20 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page21 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page22 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page2" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:50:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:50:44 +0000] "GET /crawl_page23 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page3" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page24 HTTP/1.1" 200 4249 
"http://www.cs.com/crawl_page4" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page25 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page5" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page26 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page6" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page27 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page7" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page28 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page8" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page29 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page9" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page30 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page10" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page31 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page11" "Mozilla/5.0 (Windows NT 10.0; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:51:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:51:44 +0000] "GET /crawl_page32 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page12" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:52:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:52:44 +0000] "GET /crawl_page33 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page13" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:52:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:52:44 +0000] "GET /crawl_page34 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page14" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:52:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:52:44 +0000] "GET /crawl_page35 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page15" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:52:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:52:44 +0000] "GET /crawl_page36 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page16" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:52:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:52:44 +0000] "GET /crawl_page37 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page17" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:53:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:53:44 +0000] "GET /crawl_page38 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page18" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:53:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:53:44 +0000] "GET /crawl_page39 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page19" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:53:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:53:44 +0000] "GET /crawl_page40 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -2017-12-01T14:53:44+01:00 mywebserver nginx: 192.168.13.40 - - [01/Dec/2017:14:53:44 +0000] "GET /crawl_page41 HTTP/1.1" 200 4249 "http://www.cs.com/crawl_page20" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" diff --git a/tests/scenario/07crawling/labels b/tests/scenario/07crawling/labels deleted file mode 100644 index 3a15bed50..000000000 --- a/tests/scenario/07crawling/labels +++ /dev/null @@ -1 +0,0 @@ -type: nginx diff --git a/tests/scenario/07crawling/parsers.yaml b/tests/scenario/07crawling/parsers.yaml deleted file mode 100644 index 887543e30..000000000 --- a/tests/scenario/07crawling/parsers.yaml +++ /dev/null @@ -1,9 +0,0 @@ - - filename: ./hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml - stage: s00-raw - - filename: ./hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml - stage: s01-parse - - filename: ./hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml - stage: s02-enrich - - filename: ./hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml - stage: s02-enrich - \ No newline at end of file diff --git a/tests/scenario/07crawling/scenarios.yaml b/tests/scenario/07crawling/scenarios.yaml deleted file mode 100644 index 371c741ad..000000000 --- a/tests/scenario/07crawling/scenarios.yaml +++ /dev/null @@ -1,7 +0,0 @@ - - filename: ./hub/scenarios/crowdsecurity/http-crawl-non_statics.yaml - - - - - - 
diff --git a/tests/scenario/07crawling/success.sqlite b/tests/scenario/07crawling/success.sqlite deleted file mode 100644 index bb68aa884..000000000 --- a/tests/scenario/07crawling/success.sqlite +++ /dev/null @@ -1 +0,0 @@ -select count(*) == 1 from signal_occurences where source_ip = "192.168.13.38" and scenario = "crowdsecurity/http-crawl-non_statics" diff --git a/tests/scenario/08consensus_base/1/file.log b/tests/scenario/08consensus_base/1/file.log deleted file mode 100755 index 8fdf40d19..000000000 --- a/tests/scenario/08consensus_base/1/file.log +++ /dev/null 
@@ -1,1701 +0,0 @@ - -{ - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "7e159c83f45e4cabfe4c2d8653a24ac79506a703", - "scenario": "http_404-scan", - "bucket_id": "morning-sea", - "alert_message": "106.54.3.52 performed 'http_404-scan' (6 events over 2s) at 2020-01-02 15:31:32 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-02T15:31:30Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-02T19:31:32Z", - "StartIp": 1781924660, - "EndIp": 1781924660, - "IpText": "106.54.3.52", - "Reason": "ban on ip 106.54.3.52", - "Scenario": "", - "SignalOccurenceID": 985 - } - ], - "stop_at": "2020-01-02T15:31:32Z", - "Source_ip": "106.54.3.52", - "Source_range": "\u003cnil\u003e", - "Source_AutonomousSystemNumber": "0", - "Source_AutonomousSystemOrganization": "", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "106.54.3.52": { - "Ip": "106.54.3.52", - "Range": { - "IP": "", - "Mask": null - }, - "AutonomousSystemNumber": "0", - "AutonomousSystemOrganization": "", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "6cb069c62a51317feca844ed141e5f1cb61ed1c9", - "scenario": "http_404-scan", - "bucket_id": "purple-star", - "alert_message": 
"139.199.192.143 performed 'http_404-scan' (6 events over 3s) at 2020-01-01 18:27:32 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-01T18:27:29Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:27:32Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 986 - } - ], - "stop_at": "2020-01-01T18:27:32Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "restless-tree", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (101 events over 30s) at 2020-01-01 18:27:59 +0000 UTC", - "events_count": 101, - "start_at": "2020-01-01T18:27:29Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - 
"Until": "2020-01-01T22:27:59Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 987 - } - ], - "stop_at": "2020-01-01T18:27:59Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "divine-rain", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (195 events over 1m17s) at 2020-01-01 18:29:35 +0000 UTC", - "events_count": 195, - "start_at": "2020-01-01T18:28:18Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:29:35Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 988 - } - ], - "stop_at": 
"2020-01-01T18:29:35Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "twilight-mountain", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (89 events over 24s) at 2020-01-01 18:30:56 +0000 UTC", - "events_count": 89, - "start_at": "2020-01-01T18:30:32Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:30:56Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 989 - } - ], - "stop_at": "2020-01-01T18:30:56Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company 
Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "holy-violet", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (181 events over 1m10s) at 2020-01-01 18:32:07 +0000 UTC", - "events_count": 181, - "start_at": "2020-01-01T18:30:57Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:32:07Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 990 - } - ], - "stop_at": "2020-01-01T18:32:07Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": 
"//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "6aedd2bf688e9a4315f3a0852e23d6257af56a6d", - "scenario": "http_404-scan", - "bucket_id": "delicate-wind", - "alert_message": "118.25.109.174 performed 'http_404-scan' (6 events over 3s) at 2020-01-02 06:20:42 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-02T06:20:39Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-02T10:20:42Z", - "StartIp": 1981377966, - "EndIp": 1981377966, - "IpText": "118.25.109.174", - "Reason": "ban on ip 118.25.109.174", - "Scenario": "", - "SignalOccurenceID": 991 - } - ], - "stop_at": "2020-01-02T06:20:42Z", - "Source_ip": "118.25.109.174", - "Source_range": "118.24.0.0/15", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "118.25.109.174": { - "Ip": "118.25.109.174", - "Range": { - "IP": "118.24.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } 
- }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "d55d24200351af8d4831cd7e88087b7bc5e02aca", - "scenario": "http_404-scan", - "bucket_id": "misty-waterfall", - "alert_message": "207.38.89.99 performed 'http_404-scan' (6 events over 1s) at 2019-12-31 07:48:07 +0000 UTC", - "events_count": 6, - "start_at": "2019-12-31T07:48:06Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:48:07Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 992 - } - ], - "stop_at": "2019-12-31T07:48:07Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - 
"Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "38523b23fb81133eaf1c2b21083175c942e76883", - "scenario": "aggresive_crawl", - "bucket_id": "restless-haze", - "alert_message": "207.38.89.99 performed 'aggresive_crawl' (53 events over 6s) at 2019-12-31 07:48:12 +0000 UTC", - "events_count": 53, - "start_at": "2019-12-31T07:48:06Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:48:12Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 993 - } - ], - "stop_at": "2019-12-31T07:48:12Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "38523b23fb81133eaf1c2b21083175c942e76883", - "scenario": "aggresive_crawl", - "bucket_id": "ancient-forest", - "alert_message": "207.38.89.99 performed 'aggresive_crawl' (51 
events over 5s) at 2019-12-31 07:49:16 +0000 UTC", - "events_count": 51, - "start_at": "2019-12-31T07:49:11Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:49:16Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 994 - } - ], - "stop_at": "2019-12-31T07:49:16Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "57097e2f13de9a441098679dd1ba632d75bc5726", - "scenario": "http_404-scan", - "bucket_id": "hidden-cherry", - "alert_message": "51.159.56.89 performed 'http_404-scan' (6 events over 0s) at 2020-01-12 20:12:33 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-12T20:12:33Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-13T00:12:33Z", - "StartIp": 866072665, - "EndIp": 866072665, - "IpText": "51.159.56.89", - "Reason": "ban on ip 51.159.56.89", - 
"Scenario": "", - "SignalOccurenceID": 995 - } - ], - "stop_at": "2020-01-12T20:12:33Z", - "Source_ip": "51.159.56.89", - "Source_range": "51.158.0.0/15", - "Source_AutonomousSystemNumber": "12876", - "Source_AutonomousSystemOrganization": "Online S.a.s.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - "Source_Longitude": 2.3333001136779785, - "sources": { - "51.159.56.89": { - "Ip": "51.159.56.89", - "Range": { - "IP": "51.158.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "12876", - "AutonomousSystemOrganization": "Online S.a.s.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "8329d169b66b77c1ffb1476ee6be6157df0fb01c", - "scenario": "aggresive_crawl", - "bucket_id": "summer-voice", - "alert_message": "51.159.56.89 performed 'aggresive_crawl' (57 events over 8s) at 2020-01-12 20:12:41 +0000 UTC", - "events_count": 57, - "start_at": "2020-01-12T20:12:33Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-13T00:12:41Z", - "StartIp": 866072665, - "EndIp": 866072665, - "IpText": "51.159.56.89", - "Reason": "ban on ip 51.159.56.89", - "Scenario": "", - "SignalOccurenceID": 996 - } - ], - "stop_at": "2020-01-12T20:12:41Z", - "Source_ip": "51.159.56.89", - "Source_range": "51.158.0.0/15", - "Source_AutonomousSystemNumber": "12876", - "Source_AutonomousSystemOrganization": "Online S.a.s.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - 
"Source_Longitude": 2.3333001136779785, - "sources": { - "51.159.56.89": { - "Ip": "51.159.56.89", - "Range": { - "IP": "51.158.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "12876", - "AutonomousSystemOrganization": "Online S.a.s.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "e3670eedea41bad31bd62d4bcc3b11e0c0a26373", - "scenario": "http_404-scan", - "bucket_id": "quiet-sunset", - "alert_message": "167.172.50.134 performed 'http_404-scan' (6 events over 1s) at 2020-01-11 06:46:02 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-11T06:46:01Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-11T10:46:02Z", - "StartIp": 2813080198, - "EndIp": 2813080198, - "IpText": "167.172.50.134", - "Reason": "ban on ip 167.172.50.134", - "Scenario": "", - "SignalOccurenceID": 997 - } - ], - "stop_at": "2020-01-11T06:46:02Z", - "Source_ip": "167.172.50.134", - "Source_range": "\u003cnil\u003e", - "Source_AutonomousSystemNumber": "0", - "Source_AutonomousSystemOrganization": "", - "Source_Country": "GB", - "Source_Latitude": 51.91669845581055, - "Source_Longitude": -0.2167000025510788, - "sources": { - "167.172.50.134": { - "Ip": "167.172.50.134", - "Range": { - "IP": "", - "Mask": null - }, - "AutonomousSystemNumber": "0", - "AutonomousSystemOrganization": "", - "Country": "GB", - "Latitude": 51.91669845581055, - "Longitude": -0.2167000025510788, - "Flags": null - } - }, - 
"capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "fe7c4addc743ea4a3fbbf8abc4768c38a815fb04", - "scenario": "http_404-scan", - "bucket_id": "divine-butterfly", - "alert_message": "103.212.97.45 performed 'http_404-scan' (6 events over 5s) at 2020-01-08 16:22:09 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-08T16:22:04Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:22:09Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 998 - } - ], - "stop_at": "2020-01-08T16:22:09Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - 
"Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "old-dawn", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (232 events over 1m46s) at 2020-01-08 16:23:50 +0000 UTC", - "events_count": 232, - "start_at": "2020-01-08T16:22:04Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:23:50Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 999 - } - ], - "stop_at": "2020-01-08T16:23:50Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "weathered-wood", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (76 
events over 18s) at 2020-01-08 16:24:50 +0000 UTC", - "events_count": 76, - "start_at": "2020-01-08T16:24:32Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:24:50Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1000 - } - ], - "stop_at": "2020-01-08T16:24:50Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "wandering-dawn", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (175 events over 1m7s) at 2020-01-08 16:26:21 +0000 UTC", - "events_count": 175, - "start_at": "2020-01-08T16:25:14Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:26:21Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 
103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1001 - } - ], - "stop_at": "2020-01-08T16:26:21Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "fe7c4addc743ea4a3fbbf8abc4768c38a815fb04", - "scenario": "http_404-scan", - "bucket_id": "wispy-frog", - "alert_message": "103.212.97.45 performed 'http_404-scan' (6 events over 3s) at 2020-01-08 16:27:12 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-08T16:27:09Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:27:12Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1002 - } - ], - "stop_at": "2020-01-08T16:27:12Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 
22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "0a2b19cb243f6607e4d95c45eb979424efa1f838", - "scenario": "http_404-scan", - "bucket_id": "restless-dream", - "alert_message": "35.180.132.238 performed 'http_404-scan' (6 events over 0s) at 2020-01-06 15:36:09 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-06T15:36:09Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-06T19:36:09Z", - "StartIp": 599033070, - "EndIp": 599033070, - "IpText": "35.180.132.238", - "Reason": "ban on ip 35.180.132.238", - "Scenario": "", - "SignalOccurenceID": 1003 - } - ], - "stop_at": "2020-01-06T15:36:09Z", - "Source_ip": "35.180.132.238", - "Source_range": "35.180.0.0/16", - "Source_AutonomousSystemNumber": "16509", - "Source_AutonomousSystemOrganization": "Amazon.com, Inc.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - "Source_Longitude": 2.3333001136779785, - "sources": { - "35.180.132.238": { - "Ip": "35.180.132.238", - "Range": { - "IP": "35.180.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "16509", - "AutonomousSystemOrganization": "Amazon.com, Inc.", - "Country": "FR", - "Latitude": 48.86669921875, - 
"Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "76779a7c22da5b031227d205fdc53a1d5c2e0940", - "scenario": "aggresive_crawl", - "bucket_id": "delicate-dust", - "alert_message": "35.180.132.238 performed 'aggresive_crawl' (47 events over 3s) at 2020-01-06 15:36:12 +0000 UTC", - "events_count": 47, - "start_at": "2020-01-06T15:36:09Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-06T19:36:12Z", - "StartIp": 599033070, - "EndIp": 599033070, - "IpText": "35.180.132.238", - "Reason": "ban on ip 35.180.132.238", - "Scenario": "", - "SignalOccurenceID": 1004 - } - ], - "stop_at": "2020-01-06T15:36:12Z", - "Source_ip": "35.180.132.238", - "Source_range": "35.180.0.0/16", - "Source_AutonomousSystemNumber": "16509", - "Source_AutonomousSystemOrganization": "Amazon.com, Inc.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - "Source_Longitude": 2.3333001136779785, - "sources": { - "35.180.132.238": { - "Ip": "35.180.132.238", - "Range": { - "IP": "35.180.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "16509", - "AutonomousSystemOrganization": "Amazon.com, Inc.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - 
"Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "a0c56f23985d1f8fcb844afd95b40c79b6a95d84", - "scenario": "http_404-scan", - "bucket_id": "small-sky", - "alert_message": "129.211.41.26 performed 'http_404-scan' (6 events over 2s) at 2020-01-06 18:34:21 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-06T18:34:19Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-06T22:34:21Z", - "StartIp": 2178099482, - "EndIp": 2178099482, - "IpText": "129.211.41.26", - "Reason": "ban on ip 129.211.41.26", - "Scenario": "", - "SignalOccurenceID": 1005 - } - ], - "stop_at": "2020-01-06T18:34:21Z", - "Source_ip": "129.211.41.26", - "Source_range": "129.211.0.0/16", - "Source_AutonomousSystemNumber": "7091", - "Source_AutonomousSystemOrganization": "ViaNet Communications", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "129.211.41.26": { - "Ip": "129.211.41.26", - "Range": { - "IP": "129.211.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "7091", - "AutonomousSystemOrganization": "ViaNet Communications", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "0a2b19cb243f6607e4d95c45eb979424efa1f838", - "scenario": "http_404-scan", - "bucket_id": 
"cool-rain", - "alert_message": "35.180.132.238 performed 'http_404-scan' (10 events over 2h58m14s) at 2020-01-06 18:34:25 +0000 UTC", - "events_count": 10, - "start_at": "2020-01-06T15:36:11Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-06T22:34:25Z", - "StartIp": 599033070, - "EndIp": 599033070, - "IpText": "35.180.132.238", - "Reason": "ban on ip 35.180.132.238", - "Scenario": "", - "SignalOccurenceID": 1006 - } - ], - "stop_at": "2020-01-06T18:34:25Z", - "Source_ip": "35.180.132.238", - "Source_range": "35.180.0.0/16", - "Source_AutonomousSystemNumber": "16509", - "Source_AutonomousSystemOrganization": "Amazon.com, Inc.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - "Source_Longitude": 2.3333001136779785, - "sources": { - "35.180.132.238": { - "Ip": "35.180.132.238", - "Range": { - "IP": "35.180.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "16509", - "AutonomousSystemOrganization": "Amazon.com, Inc.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "ca3945158c65616ddf95a814778f47da10c6cb6b", - "scenario": "http_404-scan", - "bucket_id": "long-wildflower", - "alert_message": "180.96.14.25 performed 'http_404-scan' (9 events over 72h37m58s) at 2020-01-07 04:11:11 +0000 UTC", - "events_count": 9, - "start_at": "2020-01-04T03:33:13Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-07T08:11:11Z", - 
"StartIp": 3026193945, - "EndIp": 3026193945, - "IpText": "180.96.14.25", - "Reason": "ban on ip 180.96.14.25", - "Scenario": "", - "SignalOccurenceID": 1007 - } - ], - "stop_at": "2020-01-07T04:11:11Z", - "Source_ip": "180.96.14.25", - "Source_range": "180.96.8.0/21", - "Source_AutonomousSystemNumber": "23650", - "Source_AutonomousSystemOrganization": "AS Number for CHINANET jiangsu province backbone", - "Source_Country": "CN", - "Source_Latitude": 32.06169891357422, - "Source_Longitude": 118.77780151367188, - "sources": { - "180.96.14.25": { - "Ip": "180.96.14.25", - "Range": { - "IP": "180.96.8.0", - "Mask": "///4AA==" - }, - "AutonomousSystemNumber": "23650", - "AutonomousSystemOrganization": "AS Number for CHINANET jiangsu province backbone", - "Country": "CN", - "Latitude": 32.06169891357422, - "Longitude": 118.77780151367188, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "574814d8651d7500a6325c696067497d4d051274", - "scenario": "http_404-scan", - "bucket_id": "black-shadow", - "alert_message": "176.122.121.249 performed 'http_404-scan' (6 events over 3s) at 2020-01-05 19:15:57 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-05T19:15:54Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-05T23:15:57Z", - "StartIp": 2960816633, - "EndIp": 2960816633, - "IpText": "176.122.121.249", - "Reason": "ban on ip 176.122.121.249", - "Scenario": "", - "SignalOccurenceID": 1008 - } - ], - "stop_at": "2020-01-05T19:15:57Z", - "Source_ip": "176.122.121.249", - 
"Source_range": "176.122.120.0/21", - "Source_AutonomousSystemNumber": "50581", - "Source_AutonomousSystemOrganization": "Ukraine telecommunication group Ltd.", - "Source_Country": "UA", - "Source_Latitude": 48.4630012512207, - "Source_Longitude": 35.03900146484375, - "sources": { - "176.122.121.249": { - "Ip": "176.122.121.249", - "Range": { - "IP": "176.122.120.0", - "Mask": "///4AA==" - }, - "AutonomousSystemNumber": "50581", - "AutonomousSystemOrganization": "Ukraine telecommunication group Ltd.", - "Country": "UA", - "Latitude": 48.4630012512207, - "Longitude": 35.03900146484375, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "94f52cd832ed322d3bd788565170d5bdabed0f71", - "scenario": "http_404-scan", - "bucket_id": "lively-breeze", - "alert_message": "31.222.187.197 performed 'http_404-scan' (6 events over 0s) at 2020-01-14 00:44:14 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-14T00:44:14Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-14T04:44:14Z", - "StartIp": 534690757, - "EndIp": 534690757, - "IpText": "31.222.187.197", - "Reason": "ban on ip 31.222.187.197", - "Scenario": "", - "SignalOccurenceID": 1009 - } - ], - "stop_at": "2020-01-14T00:44:14Z", - "Source_ip": "31.222.187.197", - "Source_range": "31.222.128.0/18", - "Source_AutonomousSystemNumber": "15395", - "Source_AutonomousSystemOrganization": "Rackspace Ltd.", - "Source_Country": "GB", - "Source_Latitude": 51.49639892578125, - "Source_Longitude": -0.12240000069141388, - "sources": { - 
"31.222.187.197": { - "Ip": "31.222.187.197", - "Range": { - "IP": "31.222.128.0", - "Mask": "///AAA==" - }, - "AutonomousSystemNumber": "15395", - "AutonomousSystemOrganization": "Rackspace Ltd.", - "Country": "GB", - "Latitude": 51.49639892578125, - "Longitude": -0.12240000069141388, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": false - } diff --git a/tests/scenario/08consensus_base/1/parsers.yaml b/tests/scenario/08consensus_base/1/parsers.yaml deleted file mode 100644 index 6e1549cdd..000000000 --- a/tests/scenario/08consensus_base/1/parsers.yaml +++ /dev/null @@ -1,2 +0,0 @@ - - filename: ./hub/parsers/s00-raw/crowdsecurity/enrich.yaml - stage: s00-raw diff --git a/tests/scenario/08consensus_base/1/scenarios.yaml b/tests/scenario/08consensus_base/1/scenarios.yaml deleted file mode 100644 index 9eb8f2d70..000000000 --- a/tests/scenario/08consensus_base/1/scenarios.yaml +++ /dev/null @@ -1,6 +0,0 @@ - - filename: ./hub/scenarios/crowdsecurity/basic-consensus.yaml - - - - - diff --git a/tests/scenario/08consensus_base/1/success.sqlite b/tests/scenario/08consensus_base/1/success.sqlite deleted file mode 100644 index 72d5f4b97..000000000 --- a/tests/scenario/08consensus_base/1/success.sqlite +++ /dev/null 
@@ -1,12 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "139.199.192.143" and scenario = "specialized_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "139.199.192.143" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "207.38.89.99" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "207.38.89.99" and scenario = "specialized_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "51.159.56.89" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "103.212.97.45" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "103.212.97.45" and scenario = "specialized_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "35.180.132.238" and scenario = "specialized_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "35.180.132.238" and scenario = "base_consensus"
-
-
-
diff --git a/tests/scenario/08consensus_base/2/file.log b/tests/scenario/08consensus_base/2/file.log
deleted file mode 100755
index cca46fb77..000000000
--- a/tests/scenario/08consensus_base/2/file.log
+++ /dev/null
@@ -1,70 +0,0 @@ - -{ - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "7e159c83f45e4cabfe4c2d8653a24ac79506a703", - "scenario": "http_404-scan", - "bucket_id": "morning-sea", - "alert_message": "31.222.187.197 performed 'http_404-scan' (6 events over 2s) at 2020-01-02 15:31:32 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-02T15:31:30Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-02T19:31:32Z", - "StartIp": 1781924660, - "EndIp": 1781924660, - "IpText": "31.222.187.197", - "Reason": "ban on ip 31.222.187.197", - "Scenario": "", - "SignalOccurenceID": 985 - } - ], - "stop_at": "2020-01-14T06:44:14Z", - "Source_ip": "31.222.187.197", - "Source_range": "\u003cnil\u003e", - "Source_AutonomousSystemNumber": "0", - "Source_AutonomousSystemOrganization": "", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "31.222.187.197": { - "Ip": "31.222.187.197", - "Range": { - "IP": "", - "Mask": null - }, - "AutonomousSystemNumber": "0", - "AutonomousSystemOrganization": "", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - \ No newline at end of file diff --git a/tests/scenario/08consensus_base/2/parsers.yaml b/tests/scenario/08consensus_base/2/parsers.yaml deleted file mode 100644 index 6e1549cdd..000000000 --- a/tests/scenario/08consensus_base/2/parsers.yaml +++ /dev/null @@ -1,2 +0,0 @@ - - filename: ./hub/parsers/s00-raw/crowdsecurity/enrich.yaml - stage: s00-raw 
diff --git a/tests/scenario/08consensus_base/2/scenarios.yaml b/tests/scenario/08consensus_base/2/scenarios.yaml
deleted file mode 100644
index 9eb8f2d70..000000000
--- a/tests/scenario/08consensus_base/2/scenarios.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/basic-consensus.yaml
-
-
-
-
-
diff --git a/tests/scenario/08consensus_base/2/success.sqlite b/tests/scenario/08consensus_base/2/success.sqlite
deleted file mode 100644
index 10da3a573..000000000
--- a/tests/scenario/08consensus_base/2/success.sqlite
+++ /dev/null
@@ -1,7 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "31.222.187.197" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "31.222.187.197" and scenario = "specialized_consensus"
-
-
-
-
-
diff --git a/tests/scenario/09consensus_trust/1/file.log b/tests/scenario/09consensus_trust/1/file.log
deleted file mode 100755
index c8ae05234..000000000
--- a/tests/scenario/09consensus_trust/1/file.log
+++ /dev/null
@@ -1,1701 +0,0 @@ - -{ - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "7e159c83f45e4cabfe4c2d8653a24ac79506a703", - "scenario": "http_404-scan", - "bucket_id": "morning-sea", - "alert_message": "106.54.3.52 performed 'http_404-scan' (6 events over 2s) at 2020-01-02 15:31:32 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-02T15:31:30Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-02T19:31:32Z", - "StartIp": 1781924660, - "EndIp": 1781924660, - "IpText": "106.54.3.52", - "Reason": "ban on ip 106.54.3.52", - "Scenario": "", - "SignalOccurenceID": 985 - } - ], - "stop_at": "2020-01-02T15:31:32Z", - "Source_ip": "106.54.3.52", - "Source_range": "\u003cnil\u003e", - "Source_AutonomousSystemNumber": "0", - "Source_AutonomousSystemOrganization": "", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "106.54.3.52": { - "Ip": "106.54.3.52", - "Range": { - "IP": "", - "Mask": null - }, - "AutonomousSystemNumber": "0", - "AutonomousSystemOrganization": "", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "6cb069c62a51317feca844ed141e5f1cb61ed1c9", - "scenario": "http_404-scan", - "bucket_id": "purple-star", - "alert_message": 
"139.199.192.143 performed 'http_404-scan' (6 events over 3s) at 2020-01-01 18:27:32 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-01T18:27:29Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:27:32Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 986 - } - ], - "stop_at": "2020-01-01T18:27:32Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "restless-tree", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (101 events over 30s) at 2020-01-01 18:27:59 +0000 UTC", - "events_count": 101, - "start_at": "2020-01-01T18:27:29Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - 
"Until": "2020-01-01T22:27:59Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 987 - } - ], - "stop_at": "2020-01-01T18:27:59Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "divine-rain", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (195 events over 1m17s) at 2020-01-01 18:29:35 +0000 UTC", - "events_count": 195, - "start_at": "2020-01-01T18:28:18Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:29:35Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 988 - } - ], - "stop_at": 
"2020-01-01T18:29:35Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "twilight-mountain", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (89 events over 24s) at 2020-01-01 18:30:56 +0000 UTC", - "events_count": 89, - "start_at": "2020-01-01T18:30:32Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:30:56Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 989 - } - ], - "stop_at": "2020-01-01T18:30:56Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company 
Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": "//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "04cd7cbe460be2f36d193041c486da7fdffc9056", - "scenario": "aggresive_crawl", - "bucket_id": "holy-violet", - "alert_message": "139.199.192.143 performed 'aggresive_crawl' (181 events over 1m10s) at 2020-01-01 18:32:07 +0000 UTC", - "events_count": 181, - "start_at": "2020-01-01T18:30:57Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-01T22:32:07Z", - "StartIp": 2345123983, - "EndIp": 2345123983, - "IpText": "139.199.192.143", - "Reason": "ban on ip 139.199.192.143", - "Scenario": "", - "SignalOccurenceID": 990 - } - ], - "stop_at": "2020-01-01T18:32:07Z", - "Source_ip": "139.199.192.143", - "Source_range": "139.199.0.0/16", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "139.199.192.143": { - "Ip": "139.199.192.143", - "Range": { - "IP": "139.199.0.0", - "Mask": 
"//8AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "6aedd2bf688e9a4315f3a0852e23d6257af56a6d", - "scenario": "http_404-scan", - "bucket_id": "delicate-wind", - "alert_message": "118.25.109.174 performed 'http_404-scan' (6 events over 3s) at 2020-01-02 06:20:42 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-02T06:20:39Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-02T10:20:42Z", - "StartIp": 1981377966, - "EndIp": 1981377966, - "IpText": "118.25.109.174", - "Reason": "ban on ip 118.25.109.174", - "Scenario": "", - "SignalOccurenceID": 991 - } - ], - "stop_at": "2020-01-02T06:20:42Z", - "Source_ip": "118.25.109.174", - "Source_range": "118.24.0.0/15", - "Source_AutonomousSystemNumber": "45090", - "Source_AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Source_Country": "CN", - "Source_Latitude": 39.92890167236328, - "Source_Longitude": 116.38829803466797, - "sources": { - "118.25.109.174": { - "Ip": "118.25.109.174", - "Range": { - "IP": "118.24.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "45090", - "AutonomousSystemOrganization": "Shenzhen Tencent Computer Systems Company Limited", - "Country": "CN", - "Latitude": 39.92890167236328, - "Longitude": 116.38829803466797, - "Flags": null - } 
- }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "d55d24200351af8d4831cd7e88087b7bc5e02aca", - "scenario": "http_404-scan", - "bucket_id": "misty-waterfall", - "alert_message": "207.38.89.99 performed 'http_404-scan' (6 events over 1s) at 2019-12-31 07:48:07 +0000 UTC", - "events_count": 6, - "start_at": "2019-12-31T07:48:06Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:48:07Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 992 - } - ], - "stop_at": "2019-12-31T07:48:07Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - 
"Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "38523b23fb81133eaf1c2b21083175c942e76883", - "scenario": "aggresive_crawl", - "bucket_id": "restless-haze", - "alert_message": "207.38.89.99 performed 'aggresive_crawl' (53 events over 6s) at 2019-12-31 07:48:12 +0000 UTC", - "events_count": 53, - "start_at": "2019-12-31T07:48:06Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:48:12Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 993 - } - ], - "stop_at": "2019-12-31T07:48:12Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "38523b23fb81133eaf1c2b21083175c942e76883", - "scenario": "aggresive_crawl", - "bucket_id": "ancient-forest", - "alert_message": "207.38.89.99 performed 'aggresive_crawl' (51 
events over 5s) at 2019-12-31 07:49:16 +0000 UTC", - "events_count": 51, - "start_at": "2019-12-31T07:49:11Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2019-12-31T11:49:16Z", - "StartIp": 3475396963, - "EndIp": 3475396963, - "IpText": "207.38.89.99", - "Reason": "ban on ip 207.38.89.99", - "Scenario": "", - "SignalOccurenceID": 994 - } - ], - "stop_at": "2019-12-31T07:49:16Z", - "Source_ip": "207.38.89.99", - "Source_range": "207.38.80.0/20", - "Source_AutonomousSystemNumber": "30083", - "Source_AutonomousSystemOrganization": "HEG US Inc.", - "Source_Country": "US", - "Source_Latitude": 38.63119888305664, - "Source_Longitude": -90.19219970703125, - "sources": { - "207.38.89.99": { - "Ip": "207.38.89.99", - "Range": { - "IP": "207.38.80.0", - "Mask": "///wAA==" - }, - "AutonomousSystemNumber": "30083", - "AutonomousSystemOrganization": "HEG US Inc.", - "Country": "US", - "Latitude": 38.63119888305664, - "Longitude": -90.19219970703125, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "57097e2f13de9a441098679dd1ba632d75bc5726", - "scenario": "http_404-scan", - "bucket_id": "hidden-cherry", - "alert_message": "51.159.56.89 performed 'http_404-scan' (6 events over 0s) at 2020-01-12 20:12:33 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-12T20:12:33Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-13T00:12:33Z", - "StartIp": 866072665, - "EndIp": 866072665, - "IpText": "51.159.56.89", - "Reason": "ban on ip 51.159.56.89", - 
"Scenario": "", - "SignalOccurenceID": 995 - } - ], - "stop_at": "2020-01-12T20:12:33Z", - "Source_ip": "51.159.56.89", - "Source_range": "51.158.0.0/15", - "Source_AutonomousSystemNumber": "12876", - "Source_AutonomousSystemOrganization": "Online S.a.s.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - "Source_Longitude": 2.3333001136779785, - "sources": { - "51.159.56.89": { - "Ip": "51.159.56.89", - "Range": { - "IP": "51.158.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "12876", - "AutonomousSystemOrganization": "Online S.a.s.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "8329d169b66b77c1ffb1476ee6be6157df0fb01c", - "scenario": "aggresive_crawl", - "bucket_id": "summer-voice", - "alert_message": "51.159.56.89 performed 'aggresive_crawl' (57 events over 8s) at 2020-01-12 20:12:41 +0000 UTC", - "events_count": 57, - "start_at": "2020-01-12T20:12:33Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-13T00:12:41Z", - "StartIp": 866072665, - "EndIp": 866072665, - "IpText": "51.159.56.89", - "Reason": "ban on ip 51.159.56.89", - "Scenario": "", - "SignalOccurenceID": 996 - } - ], - "stop_at": "2020-01-12T20:12:41Z", - "Source_ip": "51.159.56.89", - "Source_range": "51.158.0.0/15", - "Source_AutonomousSystemNumber": "12876", - "Source_AutonomousSystemOrganization": "Online S.a.s.", - "Source_Country": "FR", - "Source_Latitude": 48.86669921875, - 
"Source_Longitude": 2.3333001136779785, - "sources": { - "51.159.56.89": { - "Ip": "51.159.56.89", - "Range": { - "IP": "51.158.0.0", - "Mask": "//4AAA==" - }, - "AutonomousSystemNumber": "12876", - "AutonomousSystemOrganization": "Online S.a.s.", - "Country": "FR", - "Latitude": 48.86669921875, - "Longitude": 2.3333001136779785, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "e3670eedea41bad31bd62d4bcc3b11e0c0a26373", - "scenario": "http_404-scan", - "bucket_id": "quiet-sunset", - "alert_message": "167.172.50.134 performed 'http_404-scan' (6 events over 1s) at 2020-01-11 06:46:02 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-11T06:46:01Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-11T10:46:02Z", - "StartIp": 2813080198, - "EndIp": 2813080198, - "IpText": "167.172.50.134", - "Reason": "ban on ip 167.172.50.134", - "Scenario": "", - "SignalOccurenceID": 997 - } - ], - "stop_at": "2020-01-11T06:46:02Z", - "Source_ip": "167.172.50.134", - "Source_range": "\u003cnil\u003e", - "Source_AutonomousSystemNumber": "0", - "Source_AutonomousSystemOrganization": "", - "Source_Country": "GB", - "Source_Latitude": 51.91669845581055, - "Source_Longitude": -0.2167000025510788, - "sources": { - "167.172.50.134": { - "Ip": "167.172.50.134", - "Range": { - "IP": "", - "Mask": null - }, - "AutonomousSystemNumber": "0", - "AutonomousSystemOrganization": "", - "Country": "GB", - "Latitude": 51.91669845581055, - "Longitude": -0.2167000025510788, - "Flags": null - } - }, - 
"capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "fe7c4addc743ea4a3fbbf8abc4768c38a815fb04", - "scenario": "http_404-scan", - "bucket_id": "divine-butterfly", - "alert_message": "103.212.97.45 performed 'http_404-scan' (6 events over 5s) at 2020-01-08 16:22:09 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-08T16:22:04Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:22:09Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 998 - } - ], - "stop_at": "2020-01-08T16:22:09Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 5, - "leak_speed": 10000000000, - "Reprocess": true, - "Labels": { - "remediation": "true", - "service": "http", - "type": "scan" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - 
"Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "old-dawn", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (232 events over 1m46s) at 2020-01-08 16:23:50 +0000 UTC", - "events_count": 232, - "start_at": "2020-01-08T16:22:04Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:23:50Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 999 - } - ], - "stop_at": "2020-01-08T16:23:50Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "weathered-wood", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (76 
events over 18s) at 2020-01-08 16:24:50 +0000 UTC", - "events_count": 76, - "start_at": "2020-01-08T16:24:32Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:24:50Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1000 - } - ], - "stop_at": "2020-01-08T16:24:50Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine2", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "5a6ac7d4e195547d2b404da4a0d9b6f9cd50b4a9", - "scenario": "aggresive_crawl", - "bucket_id": "wandering-dawn", - "alert_message": "103.212.97.45 performed 'aggresive_crawl' (175 events over 1m7s) at 2020-01-08 16:26:21 +0000 UTC", - "events_count": 175, - "start_at": "2020-01-08T16:25:14Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:26:21Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 
103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1001 - } - ], - "stop_at": "2020-01-08T16:26:21Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 22.283300399780273, - "Source_Longitude": 114.1500015258789, - "sources": { - "103.212.97.45": { - "Ip": "103.212.97.45", - "Range": { - "IP": "103.212.96.0", - "Mask": "///8AA==" - }, - "AutonomousSystemNumber": "45753", - "AutonomousSystemOrganization": "NETSEC", - "Country": "HK", - "Latitude": 22.283300399780273, - "Longitude": 114.1500015258789, - "Flags": null - } - }, - "capacity": 40, - "leak_speed": 500000000, - "Reprocess": false, - "Labels": { - "remediation": "true", - "service": "http", - "type": "crawl" - } - }, - "Time": "0001-01-01T00:00:00Z", - "StrTime": "", - "MarshaledTime": "", - "Process": true - } - { - "Type": 0, - "ExpectMode": 0, - "Whitelisted": false, - "Stage": "", - "Enriched": { - "machine_uuid": "user1_machine1", - "trust_factor": "4", - "user_uuid": "1", - "watcher_ip": "1.2.3.4" - }, - "Overflow": { - "MapKey": "fe7c4addc743ea4a3fbbf8abc4768c38a815fb04", - "scenario": "http_404-scan", - "bucket_id": "wispy-frog", - "alert_message": "103.212.97.45 performed 'http_404-scan' (6 events over 3s) at 2020-01-08 16:27:12 +0000 UTC", - "events_count": 6, - "start_at": "2020-01-08T16:27:09Z", - "ban_applications": [ - { - "MeasureType": "ban", - "MeasureExtra": "", - "Until": "2020-01-08T20:27:12Z", - "StartIp": 1741971757, - "EndIp": 1741971757, - "IpText": "103.212.97.45", - "Reason": "ban on ip 103.212.97.45", - "Scenario": "", - "SignalOccurenceID": 1002 - } - ], - "stop_at": "2020-01-08T16:27:12Z", - "Source_ip": "103.212.97.45", - "Source_range": "103.212.96.0/22", - "Source_AutonomousSystemNumber": "45753", - "Source_AutonomousSystemOrganization": "NETSEC", - "Source_Country": "HK", - "Source_Latitude": 
22.283300399780273,
- "Source_Longitude": 114.1500015258789,
- "sources": {
- "103.212.97.45": {
- "Ip": "103.212.97.45",
- "Range": {
- "IP": "103.212.96.0",
- "Mask": "///8AA=="
- },
- "AutonomousSystemNumber": "45753",
- "AutonomousSystemOrganization": "NETSEC",
- "Country": "HK",
- "Latitude": 22.283300399780273,
- "Longitude": 114.1500015258789,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine2",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "0a2b19cb243f6607e4d95c45eb979424efa1f838",
- "scenario": "http_404-scan",
- "bucket_id": "restless-dream",
- "alert_message": "35.180.132.238 performed 'http_404-scan' (6 events over 0s) at 2020-01-06 15:36:09 +0000 UTC",
- "events_count": 6,
- "start_at": "2020-01-06T15:36:09Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-06T19:36:09Z",
- "StartIp": 599033070,
- "EndIp": 599033070,
- "IpText": "35.180.132.238",
- "Reason": "ban on ip 35.180.132.238",
- "Scenario": "",
- "SignalOccurenceID": 1003
- }
- ],
- "stop_at": "2020-01-06T15:36:09Z",
- "Source_ip": "35.180.132.238",
- "Source_range": "35.180.0.0/16",
- "Source_AutonomousSystemNumber": "16509",
- "Source_AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Source_Country": "FR",
- "Source_Latitude": 48.86669921875,
- "Source_Longitude": 2.3333001136779785,
- "sources": {
- "35.180.132.238": {
- "Ip": "35.180.132.238",
- "Range": {
- "IP": "35.180.0.0",
- "Mask": "//8AAA=="
- },
- "AutonomousSystemNumber": "16509",
- "AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Country": "FR",
- "Latitude": 48.86669921875,
- "Longitude": 2.3333001136779785,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine1",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "76779a7c22da5b031227d205fdc53a1d5c2e0940",
- "scenario": "aggresive_crawl",
- "bucket_id": "delicate-dust",
- "alert_message": "35.180.132.238 performed 'aggresive_crawl' (47 events over 3s) at 2020-01-06 15:36:12 +0000 UTC",
- "events_count": 47,
- "start_at": "2020-01-06T15:36:09Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-06T19:36:12Z",
- "StartIp": 599033070,
- "EndIp": 599033070,
- "IpText": "35.180.132.238",
- "Reason": "ban on ip 35.180.132.238",
- "Scenario": "",
- "SignalOccurenceID": 1004
- }
- ],
- "stop_at": "2020-01-06T15:36:12Z",
- "Source_ip": "35.180.132.238",
- "Source_range": "35.180.0.0/16",
- "Source_AutonomousSystemNumber": "16509",
- "Source_AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Source_Country": "FR",
- "Source_Latitude": 48.86669921875,
- "Source_Longitude": 2.3333001136779785,
- "sources": {
- "35.180.132.238": {
- "Ip": "35.180.132.238",
- "Range": {
- "IP": "35.180.0.0",
- "Mask": "//8AAA=="
- },
- "AutonomousSystemNumber": "16509",
- "AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Country": "FR",
- "Latitude": 48.86669921875,
- "Longitude": 2.3333001136779785,
- "Flags": null
- }
- },
- "capacity": 40,
- "leak_speed": 500000000,
- "Reprocess": false,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "crawl"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine2",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "a0c56f23985d1f8fcb844afd95b40c79b6a95d84",
- "scenario": "http_404-scan",
- "bucket_id": "small-sky",
- "alert_message": "129.211.41.26 performed 'http_404-scan' (6 events over 2s) at 2020-01-06 18:34:21 +0000 UTC",
- "events_count": 6,
- "start_at": "2020-01-06T18:34:19Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-06T22:34:21Z",
- "StartIp": 2178099482,
- "EndIp": 2178099482,
- "IpText": "129.211.41.26",
- "Reason": "ban on ip 129.211.41.26",
- "Scenario": "",
- "SignalOccurenceID": 1005
- }
- ],
- "stop_at": "2020-01-06T18:34:21Z",
- "Source_ip": "129.211.41.26",
- "Source_range": "129.211.0.0/16",
- "Source_AutonomousSystemNumber": "7091",
- "Source_AutonomousSystemOrganization": "ViaNet Communications",
- "Source_Country": "CN",
- "Source_Latitude": 39.92890167236328,
- "Source_Longitude": 116.38829803466797,
- "sources": {
- "129.211.41.26": {
- "Ip": "129.211.41.26",
- "Range": {
- "IP": "129.211.0.0",
- "Mask": "//8AAA=="
- },
- "AutonomousSystemNumber": "7091",
- "AutonomousSystemOrganization": "ViaNet Communications",
- "Country": "CN",
- "Latitude": 39.92890167236328,
- "Longitude": 116.38829803466797,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine1",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "0a2b19cb243f6607e4d95c45eb979424efa1f838",
- "scenario": "http_404-scan",
- "bucket_id": "cool-rain",
- "alert_message": "35.180.132.238 performed 'http_404-scan' (10 events over 2h58m14s) at 2020-01-06 18:34:25 +0000 UTC",
- "events_count": 10,
- "start_at": "2020-01-06T15:36:11Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-06T22:34:25Z",
- "StartIp": 599033070,
- "EndIp": 599033070,
- "IpText": "35.180.132.238",
- "Reason": "ban on ip 35.180.132.238",
- "Scenario": "",
- "SignalOccurenceID": 1006
- }
- ],
- "stop_at": "2020-01-06T18:34:25Z",
- "Source_ip": "35.180.132.238",
- "Source_range": "35.180.0.0/16",
- "Source_AutonomousSystemNumber": "16509",
- "Source_AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Source_Country": "FR",
- "Source_Latitude": 48.86669921875,
- "Source_Longitude": 2.3333001136779785,
- "sources": {
- "35.180.132.238": {
- "Ip": "35.180.132.238",
- "Range": {
- "IP": "35.180.0.0",
- "Mask": "//8AAA=="
- },
- "AutonomousSystemNumber": "16509",
- "AutonomousSystemOrganization": "Amazon.com, Inc.",
- "Country": "FR",
- "Latitude": 48.86669921875,
- "Longitude": 2.3333001136779785,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine2",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "ca3945158c65616ddf95a814778f47da10c6cb6b",
- "scenario": "http_404-scan",
- "bucket_id": "long-wildflower",
- "alert_message": "180.96.14.25 performed 'http_404-scan' (9 events over 72h37m58s) at 2020-01-07 04:11:11 +0000 UTC",
- "events_count": 9,
- "start_at": "2020-01-04T03:33:13Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-07T08:11:11Z",
- "StartIp": 3026193945,
- "EndIp": 3026193945,
- "IpText": "180.96.14.25",
- "Reason": "ban on ip 180.96.14.25",
- "Scenario": "",
- "SignalOccurenceID": 1007
- }
- ],
- "stop_at": "2020-01-07T04:11:11Z",
- "Source_ip": "180.96.14.25",
- "Source_range": "180.96.8.0/21",
- "Source_AutonomousSystemNumber": "23650",
- "Source_AutonomousSystemOrganization": "AS Number for CHINANET jiangsu province backbone",
- "Source_Country": "CN",
- "Source_Latitude": 32.06169891357422,
- "Source_Longitude": 118.77780151367188,
- "sources": {
- "180.96.14.25": {
- "Ip": "180.96.14.25",
- "Range": {
- "IP": "180.96.8.0",
- "Mask": "///4AA=="
- },
- "AutonomousSystemNumber": "23650",
- "AutonomousSystemOrganization": "AS Number for CHINANET jiangsu province backbone",
- "Country": "CN",
- "Latitude": 32.06169891357422,
- "Longitude": 118.77780151367188,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine1",
- "trust_factor": "4",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "574814d8651d7500a6325c696067497d4d051274",
- "scenario": "http_404-scan",
- "bucket_id": "black-shadow",
- "alert_message": "176.122.121.249 performed 'http_404-scan' (6 events over 3s) at 2020-01-05 19:15:57 +0000 UTC",
- "events_count": 6,
- "start_at": "2020-01-05T19:15:54Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-05T23:15:57Z",
- "StartIp": 2960816633,
- "EndIp": 2960816633,
- "IpText": "176.122.121.249",
- "Reason": "ban on ip 176.122.121.249",
- "Scenario": "",
- "SignalOccurenceID": 1008
- }
- ],
- "stop_at": "2020-01-05T19:15:57Z",
- "Source_ip": "176.122.121.249",
- "Source_range": "176.122.120.0/21",
- "Source_AutonomousSystemNumber": "50581",
- "Source_AutonomousSystemOrganization": "Ukraine telecommunication group Ltd.",
- "Source_Country": "UA",
- "Source_Latitude": 48.4630012512207,
- "Source_Longitude": 35.03900146484375,
- "sources": {
- "176.122.121.249": {
- "Ip": "176.122.121.249",
- "Range": {
- "IP": "176.122.120.0",
- "Mask": "///4AA=="
- },
- "AutonomousSystemNumber": "50581",
- "AutonomousSystemOrganization": "Ukraine telecommunication group Ltd.",
- "Country": "UA",
- "Latitude": 48.4630012512207,
- "Longitude": 35.03900146484375,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
- {
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine2",
- "trust_factor": "2",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "94f52cd832ed322d3bd788565170d5bdabed0f71",
- "scenario": "http_404-scan",
- "bucket_id": "lively-breeze",
- "alert_message": "31.222.187.197 performed 'http_404-scan' (6 events over 0s) at 2020-01-14 00:44:14 +0000 UTC",
- "events_count": 6,
- "start_at": "2020-01-14T00:44:14Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-14T04:44:14Z",
- "StartIp": 534690757,
- "EndIp": 534690757,
- "IpText": "31.222.187.197",
- "Reason": "ban on ip 31.222.187.197",
- "Scenario": "",
- "SignalOccurenceID": 1009
- }
- ],
- "stop_at": "2020-01-14T00:44:14Z",
- "Source_ip": "31.222.187.197",
- "Source_range": "31.222.128.0/18",
- "Source_AutonomousSystemNumber": "15395",
- "Source_AutonomousSystemOrganization": "Rackspace Ltd.",
- "Source_Country": "GB",
- "Source_Latitude": 51.49639892578125,
- "Source_Longitude": -0.12240000069141388,
- "sources": {
- "31.222.187.197": {
- "Ip": "31.222.187.197",
- "Range": {
- "IP": "31.222.128.0",
- "Mask": "///AAA=="
- },
- "AutonomousSystemNumber": "15395",
- "AutonomousSystemOrganization": "Rackspace Ltd.",
- "Country": "GB",
- "Latitude": 51.49639892578125,
- "Longitude": -0.12240000069141388,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": false
- }
diff --git a/tests/scenario/09consensus_trust/1/parsers.yaml b/tests/scenario/09consensus_trust/1/parsers.yaml
deleted file mode 100644
index 6e1549cdd..000000000
--- a/tests/scenario/09consensus_trust/1/parsers.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/enrich.yaml
- stage: s00-raw
diff --git a/tests/scenario/09consensus_trust/1/scenarios.yaml b/tests/scenario/09consensus_trust/1/scenarios.yaml
deleted file mode 100644
index b97099b94..000000000
--- a/tests/scenario/09consensus_trust/1/scenarios.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/consensus-trust-factor.yaml
-
-
-
-
-
diff --git a/tests/scenario/09consensus_trust/1/success.sqlite b/tests/scenario/09consensus_trust/1/success.sqlite
deleted file mode 100644
index 138120855..000000000
--- a/tests/scenario/09consensus_trust/1/success.sqlite
+++ /dev/null
@@ -1,11 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "139.199.192.143" and scenario = "consensus/strong_trust+diff_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "139.199.192.143" and scenario = "consensus/strong_trust+same_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "207.38.89.99" and scenario = "consensus/strong_trust+diff_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "207.38.89.99" and scenario = "consensus/strong_trust+same_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "51.159.56.89" and scenario = "consensus/strong_trust+diff_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "103.212.97.45" and scenario = "consensus/strong_trust+diff_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "103.212.97.45" and scenario = "consensus/strong_trust+same_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "35.180.132.238" and scenario = "consensus/strong_trust+diff_scenario"
-select count(*) == 1 from signal_occurences where source_ip = "35.180.132.238" and scenario = "consensus/strong_trust+same_scenario"
-
-
diff --git a/tests/scenario/09consensus_trust/2/file.log b/tests/scenario/09consensus_trust/2/file.log
deleted file mode 100755
index 706e381c3..000000000
--- a/tests/scenario/09consensus_trust/2/file.log
+++ /dev/null
@@ -1,70 +0,0 @@
-
-{
- "Type": 0,
- "ExpectMode": 0,
- "Whitelisted": false,
- "Stage": "",
- "Enriched": {
- "machine_uuid": "user1_machine1",
- "trust_factor": "1",
- "user_uuid": "1",
- "watcher_ip": "1.2.3.4"
- },
- "Overflow": {
- "MapKey": "7e159c83f45e4cabfe4c2d8653a24ac79506a703",
- "scenario": "http_404-scan",
- "bucket_id": "morning-sea",
- "alert_message": "31.222.187.197 performed 'http_404-scan' (6 events over 2s) at 2020-01-02 15:31:32 +0000 UTC",
- "events_count": 6,
- "start_at": "2020-01-02T15:31:30Z",
- "ban_applications": [
- {
- "MeasureType": "ban",
- "MeasureExtra": "",
- "Until": "2020-01-02T19:31:32Z",
- "StartIp": 1781924660,
- "EndIp": 1781924660,
- "IpText": "31.222.187.197",
- "Reason": "ban on ip 31.222.187.197",
- "Scenario": "",
- "SignalOccurenceID": 985
- }
- ],
- "stop_at": "2020-01-14T06:44:14Z",
- "Source_ip": "31.222.187.197",
- "Source_range": "\u003cnil\u003e",
- "Source_AutonomousSystemNumber": "0",
- "Source_AutonomousSystemOrganization": "",
- "Source_Country": "CN",
- "Source_Latitude": 39.92890167236328,
- "Source_Longitude": 116.38829803466797,
- "sources": {
- "31.222.187.197": {
- "Ip": "31.222.187.197",
- "Range": {
- "IP": "",
- "Mask": null
- },
- "AutonomousSystemNumber": "0",
- "AutonomousSystemOrganization": "",
- "Country": "CN",
- "Latitude": 39.92890167236328,
- "Longitude": 116.38829803466797,
- "Flags": null
- }
- },
- "capacity": 5,
- "leak_speed": 10000000000,
- "Reprocess": true,
- "Labels": {
- "remediation": "true",
- "service": "http",
- "type": "scan"
- }
- },
- "Time": "0001-01-01T00:00:00Z",
- "StrTime": "",
- "MarshaledTime": "",
- "Process": true
- }
-
\ No newline at end of file
diff --git a/tests/scenario/09consensus_trust/2/parsers.yaml b/tests/scenario/09consensus_trust/2/parsers.yaml
deleted file mode 100644
index 6e1549cdd..000000000
--- a/tests/scenario/09consensus_trust/2/parsers.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
- - filename: ./hub/parsers/s00-raw/crowdsecurity/enrich.yaml
- stage: s00-raw
diff --git a/tests/scenario/09consensus_trust/2/scenarios.yaml b/tests/scenario/09consensus_trust/2/scenarios.yaml
deleted file mode 100644
index b97099b94..000000000
--- a/tests/scenario/09consensus_trust/2/scenarios.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
- - filename: ./hub/scenarios/crowdsecurity/consensus-trust-factor.yaml
-
-
-
-
-
diff --git a/tests/scenario/09consensus_trust/2/success.sqlite b/tests/scenario/09consensus_trust/2/success.sqlite
deleted file mode 100644
index 10da3a573..000000000
--- a/tests/scenario/09consensus_trust/2/success.sqlite
+++ /dev/null
@@ -1,7 +0,0 @@
-select count(*) == 1 from signal_occurences where source_ip = "31.222.187.197" and scenario = "base_consensus"
-select count(*) == 1 from signal_occurences where source_ip = "31.222.187.197" and scenario = "specialized_consensus"
-
-
-
-
-
diff --git a/tests/scenario/README.md b/tests/scenario/README.md
deleted file mode 100644
index b34530df9..000000000
--- a/tests/scenario/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# scenario tests
-
-```
-$ make build
-$ cd tests/.../
-$ git clone git@github.com:JohnDoeCrowdSec/hub.git hub
-$ ./cracra.sh -all
-```
-
-For the tests to run :
- - crowdsec must be built
- - ./hub/ must be a valid hub directory (ie `git clone git@github.com:JohnDoeCrowdSec/hub.git hub`)
-
-Each test is a directory starting by `0` containing :
- - a logfile `file.log`
- - a list of enabled parsers `parsers.yaml`
- - a list of enabled scenarios `scenarios.yaml`
- - a `success.sqlite` file that is a list of sqlite commands that must run successfuly
- - a `label` file containing the label of the input file (ie. `type:syslog` or `prog_name:nginx`)
-
-A test is successfull when the agent, started with said parsers.yaml,scenarios.yaml,postoverflows.yaml produces a sqlite database conform to success.sqlite after being injected with the `file.log` in time-machine mode.
-
-## parsers.yaml
-
-As tests are run using time-machine mode, the `timemachine.yaml` parsers is mandatory or you will be getting errors.
-
-```
-$ cat 01ssh/parsers.yaml
- - filename: ./hub/parsers/s00-raw/crowdsec/syslog-parse.yaml
- stage: s00-raw
- - filename: ./hub/parsers/s01-parse/crowdsec/sshd-logs.yaml
- stage: s01-parse
- - filename: ./hub/parsers/s02-enrich/crowdsec/timemachine.yaml
- stage: s02-enrich
-```
-
-postoverflows and scenarios follows the same logic.
diff --git a/tests/scenario/backend/sqlite.yaml b/tests/scenario/backend/sqlite.yaml
deleted file mode 100644
index 6c1821be5..000000000
--- a/tests/scenario/backend/sqlite.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: sqlite
-path: ./plugins/backend/sqlite.so
-config:
- db_path: ./test.db
- flush: true
\ No newline at end of file
diff --git a/tests/scenario/cracra.sh b/tests/scenario/cracra.sh
deleted file mode 100755
index cb3be8f6e..000000000
--- a/tests/scenario/cracra.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/bin/bash
-
-CWCMD="../../cmd/crowdsec/crowdsec"
-PLUGINS_FOLDER="../../plugins"
-PLUGINS_FOLDER_BACKEND="./plugins/backend/"
-
-dostuff() {
-
- STEP=${1}
-
-
- if [[ "${STEP}" == *consensus_* ]] ; then
- cat > ./acquis.yaml << EOF
-mode: cat
-type: bin
-filename: ${STEP}/file.log
-labels:
- type: consensus
-EOF
-
-EXTRA=""
-if [ -f "./buckets_state.json" ] ; then
- echo "Reusing existing bucket state"
- EXTRA="-restore-state ./buckets_state.json"
-else
- echo "Creating new bucket state"
-fi;
-
-${CWCMD} -c ./dev.yaml -acquis ./acquis.yaml ${EXTRA} -custom-config "parser:${STEP}/parsers.yaml,scenario:${STEP}/scenarios.yaml" -dump-state
-
- else
-
-
-SCENAR=${1}
-FILE_LABELS=$(cat ${SCENAR}"/labels" 2>/dev/null)
-
-rm "./test.db"
-cat > ./acquis.yaml << EOF
-mode: cat
-filename: ${SCENAR}/file.log
-labels:
- ${FILE_LABELS}
-EOF
-
-${CWCMD} -c ./dev.yaml -acquis ./acquis.yaml -custom-config "parser:${SCENAR}/parsers.yaml,scenario:${SCENAR}/scenarios.yaml"
-fi;
-
-success=0
-echo "Checking results"
-# check results
-while read sqq ; do
- if [ -z "${sqq}" ] ; then
- continue
- fi;
- success=$((${success}+1))
-
- if [ `echo ${sqq} | sqlite3 ./test.db` -eq "1" ] ; then
- echo "OK : ${sqq}" ;
- else
- echo "FAILED : ${1} ${sqq}";
- echo "IN logs : ${1}/file.log"
- echo "Expected : ${1}/success.sqlite"
- echo "Failed sql query : ${sqq}"
- echo "Full log : out.log"
- exit
- fi
-done < ${1}/success.sqlite
-
-
-echo "Done testing ${success} tests runned"
-
-}
-
-# Still cracra, but build the plugins and move them in ./plugins
-CWD=$(pwd)
-cd ../..
-bash ./scripts/build_plugins.sh
-cd $CWD
-mkdir -p "$PLUGINS_FOLDER_BACKEND"
-cp -r ../../plugins/backend/*.so "$PLUGINS_FOLDER_BACKEND"
-# Cracra finished
-
-###
-
-if [ -z ${1} ] ; then
- echo "${0} [-all|/path/to/test]"
- echo " /path/to/test : path to test directory (ie. ./01ssh/)"
- echo " -all : run all tests"
- echo " **./hub/** must be up-to-date hub directory/symlink (ie. hub clone)"
- exit;
-fi;
-
-case ${1} in
- "-all")
- for i in `find . -mindepth 1 -type d -iname "0*"` ;
- do
- echo "Testing ${i}";
- dostuff $i ;
- done
- ;;
- *)
- echo "Testing ${1}";
- dostuff $1 ;
- ;;
-esac
-
diff --git a/tests/scenario/dev.yaml b/tests/scenario/dev.yaml
deleted file mode 100644
index 7e78ab7dd..000000000
--- a/tests/scenario/dev.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-working_dir: "."
-data_dir: "../../data/"
-config_dir: "../../config/"
-pid_dir: "./"
-log_dir: "./"
-log_mode: "stdout"
-log_level: info
-profiling: false
-sqlite_path: "./test.db"
-apimode: false
-plugin:
- backend: "./backend/"
diff --git a/tests/scenario/test.db b/tests/scenario/test.db
deleted file mode 100644
index 1cea4bf09..000000000
Binary files a/tests/scenario/test.db and /dev/null differ