Update whitelist expression to include 404s on images when using Jellyfin Roku client (and Swiftfin client?) #1099
Update whitelist expression to include 404s on images when using Roku (and Swiftfin?)
…regex or inline, generated some jellyfin test cases based on user submitted lines
Hey 👋🏻 Thank you for opening a pull request! I have refactored the expression slightly to only need one expression for both cases, since the only change between the two was the end string and since you're using This means when parsing for whitelist we can cater for both within one. Since you provided us with some log lines I took the time to create a test case and added your example to it, thank you! 🦙 I will wait for these test cases to pass, then merge so everyone can enjoy!
Reviewed and added test cases, will wait for test cases to pass before merging!
* Update blockers meta (repeated)
* fixed Extend sshd parser to log messages regarding AllowUsers #874 #1018 (#1021)
  * fixed Extend sshd parser to log messages regarding AllowUsers #874 #1018
  * add two invalid user test cases and update grok to support both
  * change IP to the workaround
  * enhance: run action workflow manually
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* fix: change sshd to focus on allow users only to prevent FP, add FP tests to ensure it should return false for those connections (#1065)
* Detect SSH authentication timeouts (CVE-2024-6387) (#1067)
* Update taxonomy
* Update blockers meta (repeated)
* better description (#1070)
* Update blockers meta
* Handle Nextcloud configurations where all urls start with '/index.php' (#1066)
  * Replaced startsWith by contains for '/apps/mail/api/avatars/url/' url
    In my Nextcloud configuration, all urls start with '/index.php', so the url to get the avatars in the Nextcloud Mail app is '/index.php/apps/mail/api/avatars/url/'
  * enhance: add tests and update index.json
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* support for ssh_dispatch_fatal (#1068)
  * support for ssh_dispatch_fatal raised by the public poc for cve-2024-6387
  Co-authored-by: GitHub Action <[email protected]>
* improve the doc of crowdsecurity/ban-defcon-drop_range (#1071)
  * explain things
  Co-authored-by: GitHub Action <[email protected]>
* Update blockers meta (repeated)
* Fix CloudFront logs parsing where Content-Length is provided as "-" (#1076)
  * Fix CloudFront logs parsing where Content-Length is provided as "-"
    The "sc-content-len" field in the CloudFront logs format provides the value of the "Content-Length" response header, as sent by the server. This header is not a required header, and in cases where it is not provided, CloudFront instead provides the default value of "-" in the log files. That does, however, not parse with the CloudFront parser, as it expects the field to always have a number in this column. This change fixes that by changing the column to be parsed via the "DATA" grok pattern instead of "NUMBER". An extra test line was added to check this case.
  * enhance: run index workflow manually because forked repo
  Co-authored-by: Laurence <[email protected]>
* enhance: Allow nginx error log to handle all character chars (#1074)
  * enhance: Allow nginx error log to handle all character chars
  * enhance: fix scenario assert
* enhance: Make date optional for syslog logs (#1075)
* Update blockers meta (repeated)
* New rules: CVE-2023-47218 and git-config (#1078)
  * add rules to collec
  Co-authored-by: GitHub Action <[email protected]>
* Update blockers meta (repeated)
* fix debug for rule `crowdsecurity/vpatch-CVE-2023-47218` (#1079)
  * fix debug
  Co-authored-by: GitHub Action <[email protected]>
* CVE-2024-3272 (#1080)
  * CVE-2024-3272
  * CVE-2024-32113
  * fix CVE and title
  Co-authored-by: GitHub Action <[email protected]>
* Update blockers meta (repeated)
* enhance: add sabnzbd collection (#1083)
  * enhance: add sabnzbd collection
  * enhance: add ipv6 forwarded test
* Update taxonomy
* Update blockers meta (repeated)
* Add additional fields to pf-logs.yaml parser (#1084)
  * Add additional fields to pf-logs.yaml parser
  * enhance: Manually run index update
  * enhance: Update test file to include new meta fields
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* Add CVE-2024-28255 (#1082)
  * Add CVE-2024-28255
  Co-authored-by: GitHub Action <[email protected]>
* add crowdsecurity/appsec-generic-rules collection to NPMplus collection (#1085)
  * Update npmplus.yaml
  * fix: manually run update workflow cause of fork
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* Fix Nextcloud-Whitelist: false-positive when opening the trashbin #1086 (#1087)
  * Update nextcloud-whitelist.yaml
    Fix #1086
  * enhance: Add new test case based on whitelist changes
  * enhance: manually run index workflow cause fork
  Co-authored-by: Laurence <[email protected]>
* Fix Nextcloud-Whitelist: missing expressions for Nextcloud Bookmarks #1089 (#1090)
  * Fix Nextcloud-Whitelist: missing expressions for Nextcloud Bookmarks #1089
    Fix missing expressions for Nextcloud Bookmarks #1089
  * enhance: Update whitelist to concat two of the similar types, keep public token the same and add some tests
  Co-authored-by: Laurence Jones <[email protected]>
* enhance: Update webdav expression to include 200's (#1094)
  * enhance: Update webdav expression to include 200's
  * enhance: Update markdown
* Update blockers meta (repeated)
* CVE-2024-38475 (#1095)
  * CVE-2024-38475
  Co-authored-by: GitHub Action <[email protected]>
* Add CVE-2024-27348 & CVE-2024-29824 (#1091)
  * Add CVE-2024-27348 & CVE-2024-29824
  * Update taxonomy
  * Update index
  Co-authored-by: GitHub Action <[email protected]>
* Update blockers meta (repeated)
* Update pterodactyl-wings-logs parser (#1096)
  * Update pterodactyl-wings-logs parser
    Update the parser to make sure it works with the latest version of the pterodactyl-wings software
  * Update pterodactyl collection
    - Update parser to ensure it works with all versions of pterodactyl wings
    - Update scenario configuration to make it more reliable and correct incorrect behavior values (the pterodactyl wings logs covered by this scenario concern the SFTP service)
  * enhance: Fix parser, split tests and update logs to account for scenario changes
  * enhance: Add newer log line test to see if it parses
  Co-authored-by: Lucas GETREAU <[email protected]>
  Co-authored-by: Laurence Jones <[email protected]>
* Update taxonomy
* Update blockers meta (repeated)
* Update pterodactyl-wings-logs parser (#1098)
  * Update pterodactyl-wings-logs.yaml
    whitespace can appear before WARN
  * Update pterodactyl-wings-bf.log
  * Update pterodactyl-wings-bf.log
  * Update parser.assert
  * Update index
* Update parser to look at both sshd and sshd-session log lines (#1093)
  * Update parser to look at both sshd and sshd-session log lines
  * Add parser assertions to ensure that sshd-session & sshd are parsed correctly. Both are set to 'ssh' as the service name
  * enhance: Move log line to parser assert file instead of bf file, remove changes to bf test config
  * enhance: run index workflow manually cause of fork; prepped for merge
  Co-authored-by: Laurence <[email protected]>
* Update whitelist expression to include 404s on images when using Jellyfin Roku client (and Swiftfin client?) (#1099)
  * add additional expressions to Jellyfin whitelist
  * enhance: change 2 expressions to one since it uses matches we can use regex or inline, generated some jellyfin test cases based on user submitted lines
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* enhance: parse more data out of postfix log lines (#1104)
  * enhance: parse more data out of postfix rejection commands to allow more scenarios
  * enhance: fix so parser supports just basic Service unavailable
  * enhance: rename key to codes instead of code since there could be 2
  * enhance: Add new scenarios based on helo and relay rejections to create a more specific filter, add tests and update parser to set a meta attribute for reason
  * enhance: Add to collections and update index manually cause of fork
* Update taxonomy
* Update npmplus.md (#1107)
  * Update npmplus.md
  * enhance: Run workflow manually cause of fork
  Co-authored-by: Laurence <[email protected]>
* Update blockers meta (repeated)
* Fix duplicate behaviors in taxonomy (#1110)
* Update blockers meta (repeated)
* Add iCloud Private Relay (#1112)
  * Add iCloud Private Relay
  * Fix
  * Update blockers meta
  * Update blockers meta

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Pfostenberg <[email protected]>
Co-authored-by: Laurence <[email protected]>
Co-authored-by: blotus <[email protected]>
Co-authored-by: Emanuel Seemann <[email protected]>
Co-authored-by: napnap75 <[email protected]>
Co-authored-by: Thibault "bui" Koechlin <[email protected]>
Co-authored-by: Jeppe Fihl-Pearson <[email protected]>
Co-authored-by: Steven Haigh <[email protected]>
Co-authored-by: AlteredCoder <[email protected]>
Co-authored-by: Zoey <[email protected]>
Co-authored-by: Florian Wagner <[email protected]>
Co-authored-by: Lourys <[email protected]>
Co-authored-by: Lucas GETREAU <[email protected]>
Co-authored-by: Zarklord <[email protected]>
Co-authored-by: Daniel Hobe <[email protected]>
Co-authored-by: Rae <[email protected]>
Basically just a fix for jellyfin/jellyfin-roku#1911 (and potentially jellyfin/Swiftfin#690 // jellyfin/Swiftfin#884 ??) until the Jellyfin devs can potentially try to fix it on their end.
The regex was primarily created by Nabeora over on the CrowdSec Discord; they just mentioned how to make it fully case insensitive, and I tweaked it to match. This was originally just for the Jellyfin-Roku app; however, I saw the issue in the Swiftfin GitHub and saw we basically had the same logs/errors.
My initial thread over on the Discord about this: https://discord.com/channels/921520481163673640/1277040020758200391
Sample logs you can use:
Logs from the Swiftfin issue (I tested them on my end and it looked like the filter worked. I'm not 100% sure if Swiftfin is still having this issue; however, I did see that the original poster did mention earlier this year that it started doing it again).
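The refactor the maintainer describes above (two expressions that differed only in their trailing string, replaced by a single case-insensitive regex via `matches`) and the author's note that the regex was made fully case insensitive, modelled as an added Python example. This is not the crowdsec hub's whitelist, not the PR's regex, and the PR's submitted log lines are not on this page; everything below is constructed for illustration. Assumed, and not taken from the page: an nginx "combined" access log in front of Jellyfin (Jellyfin's own log format differs), 32-hex-digit item ids in image URLs, and the two trailing strings (`/Images/Primary`, `/Images/Backdrop/0`) that the original pair of expressions is taken to have differed by.

```python
"""Model of a whitelist decision for Jellyfin image 404s (added example).

Not code from the crowdsec hub or from this PR. Log format, item-id shape and
the two original trailing strings are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (nginx "combined" format assumed); not the PR's logs.
SAMPLE_LINES = [
    # Roku client, image missing: the case the PR wants whitelisted
    '10.0.0.5 - - [25/Aug/2024:12:00:01 +0000] "GET /Items/3fa1b2c4d5e6f7a8b9c0d1e2f3a4b5c6/Images/Primary?tag=abc HTTP/1.1" 404 0 "-" "Roku/DVP-12.5"',
    # same kind of request with a lowercased path: only the case-insensitive form catches it
    '10.0.0.5 - - [25/Aug/2024:12:00:02 +0000] "GET /items/3fa1b2c4d5e6f7a8b9c0d1e2f3a4b5c6/images/backdrop/0 HTTP/1.1" 404 0 "-" "Swiftfin/1.2"',
    # successful image fetch: nothing to whitelist
    '10.0.0.5 - - [25/Aug/2024:12:00:03 +0000] "GET /Items/3fa1b2c4d5e6f7a8b9c0d1e2f3a4b5c6/Images/Primary HTTP/1.1" 200 8192 "-" "Roku/DVP-12.5"',
    # generic probe: must stay visible to http-probing scenarios
    '203.0.113.9 - - [25/Aug/2024:12:00:04 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    # traversal attempt under /Items/: neither form may whitelist it
    '203.0.113.9 - - [25/Aug/2024:12:00:05 +0000] "GET /Items/../../etc/passwd HTTP/1.1" 404 0 "-" "Roku/DVP-12.5"',
]


@dataclass
class HttpEvent:
    src_ip: str
    method: str
    path: str
    status: str
    user_agent: str


# nginx "combined" line: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[HttpEvent]:
    """Parse one access-log line; None when the line does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return HttpEvent(m["ip"], m["method"], m["path"], m["status"], m["ua"])


def _path_only(path: str) -> str:
    """Drop the query string so trailing-string checks see only the path."""
    return path.split("?", 1)[0]


def whitelisted_two_exprs(evt: HttpEvent) -> bool:
    """'Before' form: two exact, case-sensitive checks differing only in the ending.

    The two endings are assumed for illustration."""
    if evt.status != "404":
        return False
    p = _path_only(evt.path)
    expr_a = p.startswith("/Items/") and p.endswith("/Images/Primary")
    expr_b = p.startswith("/Items/") and p.endswith("/Images/Backdrop/0")
    return expr_a or expr_b


# 'After' form: one case-insensitive regex with the two endings as alternatives.
# The 32-hex-digit item id (assumed shape) keeps the match tight, so a 404 for a
# probe or traversal path under /Items/ is still counted by detection scenarios.
IMAGE_404_RE = re.compile(r"(?i)^/items/[0-9a-f]{32}/images/(?:primary|backdrop/\d+)$")


def whitelisted_one_expr(evt: HttpEvent) -> bool:
    return evt.status == "404" and IMAGE_404_RE.match(_path_only(evt.path)) is not None


def evaluate(lines):
    """Return (path, status, two_exprs_result, one_regex_result) per parsable line."""
    rows = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        rows.append((evt.path, evt.status, whitelisted_two_exprs(evt), whitelisted_one_expr(evt)))
    return rows


if __name__ == "__main__":
    for path, status, two, one in evaluate(SAMPLE_LINES):
        print(f"{status} {path:<62} two_exprs={two!s:<5} one_regex={one}")
```

The two forms agree on the original-case Roku line and on everything that must not be whitelisted; they differ only on the lowercased path, which is exactly what the case-insensitive rewrite was for. The tight item-id pattern is the part worth keeping an eye on in any real whitelist: a whitelist that matched every 404 under `/Items/` would also hide probing of that prefix from the http scenarios the whitelist sits in front of.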