Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HAProxy] SSL handshake fail to parse #1262

Open
LaurenceJJones opened this issue Mar 6, 2025 · 3 comments
Open

[HAProxy] SSL handshake fail to parse #1262

LaurenceJJones opened this issue Mar 6, 2025 · 3 comments
Labels
good first issue Good for newcomers

Comments

@LaurenceJJones
Copy link
Contributor

LaurenceJJones commented Mar 6, 2025
edited
Loading

Currently the HAProxy parser only parses successful proxied requests, however, a user may also want to create a custom scenario if SSL handshake fails

192.168.1.1:33283 [28/Feb/2025:02:07:51.623] 1_HTTPS_frontend/192.168.5.100:443: SSL handshake failure (error:0A0000C1:SSL routines::no shared cipher)

We wouldnt provide a scenario for this as we wouldnt know if a user wants to act on these types of requests, but a parser that can set a log_type to act on would be good enough for now.

line: 192.168.1.1:33283 [28/Feb/2025:02:07:51.623] 1_HTTPS_frontend/192.168.5.100:443: SSL handshake failure (error:0A0000C1:SSL routines::no shared cipher)
    ├ s00-raw
    |    ├ 🔴 crowdsecurity/syslog-logs
    |    └ 🟢 crowdsecurity/non-syslog (+5 ~8)
    ├ s01-parse
    |    ├ 🔴 crowdsecurity/haproxy-logs
    |    ├ 🔴 crowdsecurity/opnsense-gui-logs
    |    ├ 🔴 firewallservices/pf-logs
    |    ├ 🔴 firewallservices/pf-logs-drop
    |    └ 🔴 crowdsecurity/sshd-logs
    └-------- parser failure 🔴
@LaurenceJJones LaurenceJJones added the good first issue Good for newcomers label Mar 6, 2025
@cookiemonsteruk
Copy link

Subscribed now to the issue, Thank you @LaurenceJJones for raising this on behalf of haproxy users like me.
I will be very happy to provide any additional information or data that could be required,

@cookiemonsteruk
Copy link

Hi. From my message on Discord https://discord.com/channels/921520481163673640/1342642325226000404 I'd like to have a go at learning to modify the parser. I fail to start the test hub and I quote:

additionally in an attempt to see if I can diagnose the parser, I followed the docs https://docs.crowdsec.net/docs/next/log_processor/parsers/create to install a testing environment. It failed. ~/applications/crowdsec-v1.6.4/tests/hub$ ../cscli -c ../dev.yaml hubtest run --all
FATA unable to load hubtest: path to crowdsec binary 'crowdsec' doesn't exist or is not in $PATH, can't run 
[Creating parsers | CrowdSec](https://docs.crowdsec.net/docs/next/log_processor/parsers/create)
Foreword
Creating parsers | CrowdSec
~/applications/crowdsec-v1.6.4/tests$ ../cscli -c ../dev.yaml hubtest run --all
bash: ../cscli: No such file or directory
~/applications/crowdsec-v1.6.4/tests$ ./cscli -c ./dev.yaml hubtest run --all
FATA unable to load hubtest: failed to load hub index: unable to read index file: open /home/penguin/applications/crowdsec-v1.6.4/tests/.index.json: no such file or directory
I couldn't find a way to tell where the .index.json is explicitly so whether from tests or hub directories, in both cases I can tell it the relative path to cscli and the yaml file no problem, but it is looking for the .index.json in the current directory but then fails with the binary not in the $PATH. Is the documentation correct?

Could I have a hand fixing this?

@cookiemonsteruk
Copy link

@LaurenceJJones @blotus @LePresidente - give me a hand please ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cookiemonsteruk @LaurenceJJones