Describe the bug
Reading Apache logs from crowdsec with installed NextCloud brings up a false positive alert/decision
Reason: the filenames in backdoors.txt are used as regular expressions (at least I think so) and therefore also match different filenames/URIs
To Reproduce
- Put a file /dummy/v1.php on a PHP-enabled web server
- Request http://.../dummy/v1.php from the web server twice
Expected behavior
- Do NOT detect/block this request
- Search for /<FILENAME> (prefixed with a slash) in the http_(access|error)-log instead of <FILENAME>
Screenshots
Not a screenshot, but part of the alert detail:
+---------------+--------------------------------------------+
| Key | Value |
+---------------+--------------------------------------------+
| http_args_len | 11 |
| http_path | /ocs/v1.php/cloud/capabilities?format=json |
| http_status | 200 |
| log_type | http_access-log |
| service | http |
+---------------+--------------------------------------------+
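As an added illustration (not part of the report and not crowdsec's own scenario code): the difference between using each backdoors.txt filename as an unanchored regular expression and requiring the request path to be exactly /<FILENAME>, which is how the expected behaviour above is read here. The filename list and the http_path values are constructed; only the Nextcloud path is taken from the alert detail.

```python
import re

# Constructed sample of backdoor filenames, standing in for entries in backdoors.txt
BACKDOOR_FILENAMES = ["v1.php", "c99.php", "shell.php"]

# Constructed http_path values; the first one is the path from the alert detail
SAMPLE_PATHS = [
    "/ocs/v1.php/cloud/capabilities?format=json",  # Nextcloud, the false positive
    "/dummy/v1.php",                               # reproduction request from the report
    "/v1.php",                                     # path is exactly the backdoor filename
    "/v1.php?format=json",                         # same, with a query string
    "/v1xphp",                                     # shows the unescaped '.' acting as a wildcard
]


def naive_match(http_path):
    """Use each filename as an unanchored regex, as the report suspects happens.

    The '.' matches any character and the pattern may match anywhere in the path,
    so '/ocs/v1.php/cloud/capabilities' is flagged because it contains 'v1.php'."""
    return [f for f in BACKDOOR_FILENAMES if re.search(f, http_path)]


def anchored_match(http_path):
    """Flag only when the path is exactly /<FILENAME>, optionally followed by '?...'.

    re.escape() makes the '.' literal; '^/' and '(\\?|$)' anchor both ends, so the
    filename appearing as one segment of a longer path is no longer enough."""
    return [f for f in BACKDOOR_FILENAMES
            if re.match(r"^/" + re.escape(f) + r"(\?|$)", http_path)]


def compare(paths=SAMPLE_PATHS):
    """Return {path: (naive_hits, anchored_hits)} so the two behaviours can be compared."""
    return {p: (naive_match(p), anchored_match(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, anchored) in compare().items():
        print(f"{path:45} naive={naive} anchored={anchored}")
```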