Update whitelist expression to include 404s on images when using Jell…

…yfin Roku client (and Swiftfin client?) (#1099) * add additional expressions to Jellyfin whitelist * enhance: change 2 expression to one since it uses matches we can use regex or inline, generated some jellyfin test cases based on user submitted lines --------- Co-authored-by: Laurence <[email protected]>
crowdsecurity · Aug 28, 2024 · d219ff7 · d219ff7
1 parent c9c4fd0
commit d219ff7
Show file tree

Hide file tree

Showing 7 changed files with 360 additions and 3 deletions.
diff --git a/.index.json b/.index.json
@@ -7084,15 +7084,19 @@
   "crowdsecurity/jellyfin-whitelist": {
    "path": "parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml",
    "stage": "s02-enrich",
-   "version": "0.1",
+   "version": "0.2",
    "versions": {
     "0.1": {
      "digest": "aa1cf7cfac48914a41ca95fea4d1aa3b885b27d5359b2ecd39c9a22d21d65c47",
      "deprecated": false
+    },
+    "0.2": {
+     "digest": "a403cc45906ec71a8c287a642218605fc45a44c0a1afe3d00c96a9aa728409b7",
+     "deprecated": false
     }
    },
-   "long_description": "IyMgSmVsbHlmaW4gV2hpdGVsaXN0CgojIyMgUGxheWluZyB2aWRlb3MKV2hlbiBwbGF5aW5nIHZpZGVvcyBhIFBPU1QgcmVxdWVzdCBpcyBtYWRlIHRvIGBgL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3NgYCwgSmVsbHlmaW4gd2lsbCByZXR1cm4gYSA0MDMuCg==",
-   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9qZWxseWZpbi13aGl0ZWxpc3QKZGVzY3JpcHRpb246ICJXaGl0ZWxpc3QgZXZlbnRzIGZyb20gamVsbHlmaW4iCmZpbHRlcjogImV2dC5NZXRhLnNlcnZpY2UgPT0gJ2h0dHAnICYmIGV2dC5NZXRhLmxvZ190eXBlIGluIFsnaHR0cF9hY2Nlc3MtbG9nJywgJ2h0dHBfZXJyb3ItbG9nJ10iCndoaXRlbGlzdDoKICByZWFzb246ICJKZWxseWZpbiB3aGl0ZWxpc3QiCiAgZXhwcmVzc2lvbjoKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDAzJyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ1BPU1QnICYmIGV2dC5NZXRhLmh0dHBfcGF0aCBjb250YWlucyAiL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3MiICMgV2hlbiBwbGF5aW5nIHZpZGVvcwo=",
+   "long_description": "IyMgSmVsbHlmaW4gV2hpdGVsaXN0CgojIyMgUGxheWluZyB2aWRlb3MKV2hlbiBwbGF5aW5nIHZpZGVvcyBhIFBPU1QgcmVxdWVzdCBpcyBtYWRlIHRvIGBgL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3NgYCwgSmVsbHlmaW4gd2lsbCByZXR1cm4gYSA0MDMuCgojIyMgQnJvd3NpbmcgSmVsbHlmaW4gKFN3aWZ0ZmluIGFuZCBSb2t1KQpXaGVuIGJyb3dzaW5nIEplbGx5ZmluIG9uIFJva3UgYW5kIFN3aWZ0ZmluLCBhIEdFVCByZXF1ZXN0IGlzIG1hZGUgZm9yIG5vbi1leGlzdGVudCBpbWFnZXMgYW5kIEplbGx5ZmluIHdpbGwgcmV0dXJuIGEgNDA0Lgo=",
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9qZWxseWZpbi13aGl0ZWxpc3QKZGVzY3JpcHRpb246ICJXaGl0ZWxpc3QgZXZlbnRzIGZyb20gamVsbHlmaW4iCmZpbHRlcjogImV2dC5NZXRhLnNlcnZpY2UgPT0gJ2h0dHAnICYmIGV2dC5NZXRhLmxvZ190eXBlIGluIFsnaHR0cF9hY2Nlc3MtbG9nJywgJ2h0dHBfZXJyb3ItbG9nJ10iCndoaXRlbGlzdDoKICByZWFzb246ICJKZWxseWZpbiB3aGl0ZWxpc3QiCiAgZXhwcmVzc2lvbjoKICAgLSBldnQuTWV0YS5odHRwX3N0YXR1cyA9PSAnNDAzJyAmJiBldnQuTWV0YS5odHRwX3ZlcmIgPT0gJ1BPU1QnICYmIGV2dC5NZXRhLmh0dHBfcGF0aCBjb250YWlucyAiL1Nlc3Npb25zL1BsYXlpbmcvUHJvZ3Jlc3MiICMgV2hlbiBwbGF5aW5nIHZpZGVvcwogICAtIGV2dC5NZXRhLmh0dHBfc3RhdHVzID09ICc0MDQnICYmIGV2dC5NZXRhLmh0dHBfdmVyYiA9PSAnR0VUJyAmJiBldnQuTWV0YS5odHRwX3BhdGggbWF0Y2hlcyAnKD9pKV4vaXRlbXMvLis/L2ltYWdlcy8odGh1bWJ8cHJpbWFyeSknICMgd2hlbiBicm93c2luZyBvbiBSb2t1IG9yIFN3aWZ0ZmluIENsaWVudHMK",
    "description": "Whitelist events from jellyfin",
    "author": "crowdsecurity",
    "labels": null

diff --git a/.tests/jellyfin-whitelist/config.yaml b/.tests/jellyfin-whitelist/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/nginx-logs
+- ./parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: jellyfin-logs.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/jellyfin-whitelist/jellyfin-logs.log b/.tests/jellyfin-whitelist/jellyfin-logs.log
@@ -0,0 +1,4 @@
+192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] "GET /Items/5203a7e70b667d2cfaee2cd2eb3de082/Images/Primary?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0" 404 57 "-" "Roku/DVP-13.1 (13.1.4.01510-30)"
+192.168.1.1 - - [24/Aug/2024:22:32:18 +0000] "GET /Items/fbef2493eb1b8191acf97cd81af4992f/Images/Thumb?MaxHeight=330&MaxWidth=234&quality=90&Tags=null HTTP/2.0" 404 52 "-" "Roku/DVP-13.1 (13.1.4.01510-30)"
+192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] "GET /Items/77c40737e58d0f8d03c5047ee17c4185/Images/primary?maxWidth=400 HTTP/2.0" 404 52 "-" "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"
+192.168.1.1 - - [13/Jan/2024:23:17:58 +0100] "GET /Items/4851eba90426dea053284919c7a53e40/Images/thumb?maxWidth=400 HTTP/2.0" 404 52 "-" "Swiftfin%20tvOS/70 CFNetwork/1490.0.4>"