owncloud feature #1032

Open
wants to merge 7 commits into
base: master

Conversation

martyduniaud98

Add an Owncloud log collection with parsers and scenarios, based on the Nextcloud log collection created by Håvard Moen and a1ad.

Contributor

Does this file actually differ from the nextcloud whitelist?

Author


It's an error, I didn't want to push this file.

@martyduniaud98
Author

Owncloud whitelist removed.

@martyduniaud98
Author

@LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?

@LaurenceJJones
Contributor

> @LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?

Do you have any test logs so we can ensure the parser and scenarios are working?

You can paste them here and I can create the test suite for you.

@martyduniaud98
Author

> @LaurenceJJones Hey Laurence, is everything going well, or is there anything missing?
>
> Do you have any test logs so we can ensure the parser and scenarios are working?
>
> You can paste them here and I can create the test suite for you.

Yes, I can paste logs here:

```json
{"reqId":"Y9uiebTXtcbqy5btKCdv","level":2,"time":"2024-04-25T15:41:12+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}
{"reqId":"mDo8eCRjvLctHur3LtHr","level":2,"time":"2024-04-25T15:41:22+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login?redirect_url=%252Fsettings%252Fusers","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}
```

@buixor
Contributor

buixor commented Jun 24, 2024

Hey, sorry for the lag @martyduniaud98!

Are you able to share some log samples that are enough for us to trigger each scenario individually, please?

It is needed for us to create tests for both the parsers and the scenarios, so that we can merge it and make it available to everyone.

Extra question: Are you using some specific whitelists? We are thinking of importing the existing nextcloud whitelist(s) into the collection.

Thanks in advance and awesome work!

@martyduniaud98
Author

> Hey, sorry for the lag @martyduniaud98!
>
> Are you able to share some log samples that are enough for us to trigger each scenario individually, please?
>
> It is needed for us to create tests for both the parsers and the scenarios, so that we can merge it and make it available to everyone.
>
> Extra question: Are you using some specific whitelists? We are thinking of importing the existing nextcloud whitelist(s) into the collection.
>
> Thanks in advance and awesome work!

Hey @buixor! Thanks for your answer.

I'm pasting the logs here:

grok value: owncloud_failed_auth -> scenarios owncloud-bf / owncloud-bf_user_enum

```json
{"reqId":"aGFSFAUPlqEI0HXwdNdA","level":2,"time":"2024-06-25T09:15:04+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}
```

grok value: owncloud_bruteforce_attempt -> scenario owncloud-bf

```json
{"reqId":"Wmx6aXgKqP8qpdTz02UA","level":3,"time":"2024-06-25T09:26:52+00:00","remoteAddr":"10.10.33.1","user":"--","app":"PHP","method":"GET","url":"/login?user=a","message":"Bruteforce attempt from \"10.10.33.1\" detected for action \"login\""}
```

grok value: owncloud_domain_error -> scenario owncloud-bf_domain_error

```json
{"reqId":"3aeDzvo0rqQ6JZZzh04l","level":2,"time":"2024-06-25T11:03:35+00:00","remoteAddr":"192.168.123.30","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"192.168.123.30\" tried to access using \"192.168.123.166:8000\" as host."}
```

I haven't tried to use specific whitelists.

I hope it's good now :D
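The mapping above (one grok branch per message shape, each feeding a scenario) is what a reviewer would want to replay against the sample lines before writing the test suite. The following is an added example for this thread, not code from the PR or from CrowdSec: a small Python parser whose regexes are hand-written stand-ins for the three grok values named above, followed by a sliding-window re-implementation of the bruteforce, user-enumeration and trusted-domain scenarios. The sample log is constructed to resemble the lines pasted in the thread, and the thresholds and window are assumptions, not values taken from the PR.

```python
"""Parse ownCloud JSON log lines and replay simple bruteforce scenarios.

Added example for the PR thread; not the PR's or CrowdSec's own code. The
regexes stand in for the grok values owncloud_failed_auth,
owncloud_bruteforce_attempt and owncloud_domain_error. Thresholds are assumed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per parser branch, applied to the "message" field. Group names are
# the fields a scenario keys on: source IP, tried username, action, Host header.
PATTERNS = {
    "owncloud_failed_auth": re.compile(
        r"^Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)$"),
    "owncloud_bruteforce_attempt": re.compile(
        r'^Bruteforce attempt from "(?P<ip>[^"]+)" detected for action "(?P<action>[^"]+)"$'),
    "owncloud_domain_error": re.compile(
        r'^Trusted domain error\. "(?P<ip>[^"]+)" tried to access using "(?P<host>[^"]+)" as host\.$'),
}

# Constructed sample log modelled on the format quoted in the thread (not real
# traffic). Quotes inside "message" are JSON-escaped, as written on disk.
SAMPLE_LOGS = r"""
{"reqId":"a1","level":2,"time":"2024-06-25T09:15:04+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}
{"reqId":"a2","level":2,"time":"2024-06-25T09:15:09+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=root","message":"Login failed: 'root' (Remote IP: '10.10.33.1')"}
{"reqId":"a3","level":2,"time":"2024-06-25T09:15:13+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=test","message":"Login failed: 'test' (Remote IP: '10.10.33.1')"}
{"reqId":"a4","level":2,"time":"2024-06-25T09:15:20+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}
{"reqId":"a5","level":2,"time":"2024-06-25T09:15:27+00:00","remoteAddr":"10.10.33.1","user":"--","app":"core","method":"POST","url":"/login?user=admin","message":"Login failed: 'admin' (Remote IP: '10.10.33.1')"}
{"reqId":"b1","level":2,"time":"2024-06-25T09:20:00+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}
{"reqId":"b2","level":2,"time":"2024-06-25T09:20:05+00:00","remoteAddr":"10.10.1.1","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'test' (Remote IP: '10.10.1.1')"}
{"reqId":"c1","level":2,"time":"2024-06-25T11:03:35+00:00","remoteAddr":"192.168.123.30","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"192.168.123.30\" tried to access using \"192.168.123.166:8000\" as host."}
{"reqId":"d1","level":3,"time":"2024-06-25T09:26:52+00:00","remoteAddr":"10.10.44.9","user":"--","app":"PHP","method":"GET","url":"/login?user=a","message":"Bruteforce attempt from \"10.10.44.9\" detected for action \"login\""}
this line is not JSON at all
{"reqId":"z9","level":1,"time":"2024-06-25T09:30:00+00:00","remoteAddr":"10.10.1.1","user":"alice","app":"core","method":"GET","url":"/","message":"Login successful: 'alice'"}
""".strip().splitlines()


def parse_line(line):
    """Return an event dict for a recognised line, or None.

    Bad JSON and unknown messages yield None rather than raising, so one odd
    line cannot stall the stream (the equivalent of a grok miss).
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "time" not in rec:
        return None
    for name, pat in PATTERNS.items():
        m = pat.match(rec.get("message", ""))
        if m:
            ev = {"type": name, "time": datetime.fromisoformat(rec["time"]),
                  "app": rec.get("app"), "url": rec.get("url"),
                  "remote_addr": rec.get("remoteAddr")}
            ev.update(m.groupdict())  # adds ip, plus user / action / host
            return ev
    return None


def parse_all(lines):
    """Parse a whole log, silently dropping lines no branch matched."""
    return [ev for ev in (parse_line(l) for l in lines) if ev]


def run_scenarios(events, window=timedelta(minutes=1), bf_threshold=5, enum_threshold=3):
    """Sliding-window stand-ins for the three scenarios named in the thread.

    owncloud-bf: >= bf_threshold failed logins from one IP inside the window,
      or ownCloud's own "Bruteforce attempt" message (it has already counted).
    owncloud-bf_user_enum: >= enum_threshold distinct usernames from one IP.
    owncloud-bf_domain_error: a single trusted-domain error (Host header probe).
    Returns sorted (scenario, ip) pairs, each at most once.
    """
    fails = defaultdict(list)  # ip -> [(time, user)] within the window
    alerts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["type"] == "owncloud_domain_error":
            alerts.add(("owncloud-bf_domain_error", ip))
        elif ev["type"] == "owncloud_bruteforce_attempt":
            alerts.add(("owncloud-bf", ip))
        elif ev["type"] == "owncloud_failed_auth":
            bucket = fails[ip]
            bucket.append((ev["time"], ev["user"]))
            # Leaky-bucket style decay: forget attempts older than the window.
            bucket[:] = [(t, u) for t, u in bucket if ev["time"] - t <= window]
            if len(bucket) >= bf_threshold:
                alerts.add(("owncloud-bf", ip))
            if len({u for _, u in bucket}) >= enum_threshold:
                alerts.add(("owncloud-bf_user_enum", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for scenario, ip in run_scenarios(parse_all(SAMPLE_LOGS)):
        print(f"{scenario}: {ip}")
```

Running the block prints one alert per (scenario, source IP) pair: the host that rotated through three usernames in under a minute trips both owncloud-bf and owncloud-bf_user_enum, the two-attempt host trips nothing, and the PHP-level "Bruteforce attempt" message feeds owncloud-bf directly, as the mapping above states. Raising the bruteforce threshold or shortening the window changes which alerts fire, which is the kind of edge the eventual test suite should pin down.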

@martyduniaud98
Author

Hey @buixor,
Is something wrong? :)

3 participants