diff --git a/.tests/iptables-scan-multi-port/iptables-scan-multi-port.log b/.tests/iptables-scan-multi-port/iptables-scan-multi-port.log
index 62b3a5b0ca4..396195934bc 100644
--- a/.tests/iptables-scan-multi-port/iptables-scan-multi-port.log
+++ b/.tests/iptables-scan-multi-port/iptables-scan-multi-port.log
@@ -15,3 +15,35 @@ Sep 30 10:09:23 scw-d95986 kernel: [19955416.499523] IN=ens2 OUT= MAC=de:1c:88:6
 Sep 30 10:09:23 scw-d95986 kernel: [19955416.499523] IN=ens2 OUT= MAC=de:1c:88:64:10:19:5e:e1:a4:3b:cf:f0:08:00 SRC=62.34.17.168 DST=10.73.140.49 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=56552 PROTO=TCP SPT=52220 DPT=8081 WINDOW=1024 RES=0x00 SYN URGP=0
 Sep 30 10:09:23 scw-d95986 kernel: [19955416.501968] IN=ens2 OUT= MAC=de:1c:88:64:10:19:5e:e1:a4:3b:cf:f0:08:00 SRC=62.34.17.168 DST=10.73.140.49 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=6603 PROTO=TCP SPT=52220 DPT=8082 WINDOW=1024 RES=0x00 SYN URGP=0
 Sep 30 10:09:23 scw-d95986 kernel: [19955416.501968] IN=ens2 OUT= MAC=de:1c:88:64:10:19:5e:e1:a4:3b:cf:f0:08:00 SRC=62.34.17.168 DST=10.73.140.49 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=6603 PROTO=TCP SPT=52220 DPT=8083 WINDOW=1024 RES=0x00 SYN URGP=0
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=53 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=54 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=55 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=56 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=57 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=58 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=59 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=60 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=61 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=62 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=63 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=64 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=65 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=66 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=67 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=68 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=53 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=54 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=55 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=56 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=57 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=58 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=59 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=60 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=61 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=62 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=63 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=64 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=65 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=66 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=67 LEN=84
+Oct 30 10:09:23 vm-1 kernel: [UFW BLOCK] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.2 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=TCP SPT=50616 DPT=68 LEN=84
diff --git a/.tests/iptables-scan-multi-port/scenario.assert b/.tests/iptables-scan-multi-port/scenario.assert
index 4aae53d2957..7401cbc1ac2 100644
--- a/.tests/iptables-scan-multi-port/scenario.assert
+++ b/.tests/iptables-scan-multi-port/scenario.assert
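Review bot: The 16 `[UFW AUDIT]` lines differ from the 16 `[UFW BLOCK]` lines only in the prefix and the source address (127.0.0.1 vs 127.0.0.2), so the fixture pins exactly one behaviour: AUDIT lines must not feed the scan bucket, since a third source would otherwise show up in `results`. If the goal is UFW coverage in general, a line with UFW's accept prefix (`[UFW ALLOW]`, if I remember the prefix correctly) from a third loopback source would also catch a regression where allowed traffic is parsed as a drop — the parser's `contains 'ACCEPT'` test would not match such a line. All 32 added packets reuse one `ID=16820`/`SPT=50616`, which the parser does not care about but which makes the fixture look less like a real scan than the `scw-d95986` lines above it; not a blocker.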
@@ -1,90 +1,241 @@
-len(results) == 1
+len(results) == 2
 "62.34.17.168" in results[0].Overflow.GetSources()
 results[0].Overflow.Sources["62.34.17.168"].IP == "62.34.17.168"
 results[0].Overflow.Sources["62.34.17.168"].Range == ""
 results[0].Overflow.Sources["62.34.17.168"].GetScope() == "Ip"
 results[0].Overflow.Sources["62.34.17.168"].GetValue() == "62.34.17.168"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[6].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[6].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[6].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[7].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[7].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[7].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[8].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[8].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[8].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[9].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[9].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[9].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[10].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[10].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[10].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[11].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[11].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[11].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[11].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[11].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[11].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[11].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[12].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[11].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[12].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[12].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[12].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[12].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[12].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[12].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[13].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[12].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[13].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[13].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[13].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[13].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[13].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[13].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[14].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[13].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[14].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[14].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[14].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[14].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[14].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[14].GetMeta("source_ip") == "62.34.17.168"
-results[0].Overflow.Alert.Events[15].GetMeta("datasource_path") == "iptables-scan-multi-port.log"
+results[0].Overflow.Alert.Events[14].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
+basename(results[0].Overflow.Alert.Events[15].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
 results[0].Overflow.Alert.Events[15].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[15].GetMeta("log_type") == "iptables_drop"
+results[0].Overflow.Alert.Events[15].GetMeta("machine") == "scw-d95986"
 results[0].Overflow.Alert.Events[15].GetMeta("service") == "tcp"
 results[0].Overflow.Alert.Events[15].GetMeta("source_ip") == "62.34.17.168"
+results[0].Overflow.Alert.Events[15].GetMeta("timestamp") == "2026-09-30T10:09:23Z"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/iptables-scan-multi_ports"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 16
-
+"127.0.0.2" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["127.0.0.2"].IP == "127.0.0.2"
+results[1].Overflow.Sources["127.0.0.2"].Range == ""
+results[1].Overflow.Sources["127.0.0.2"].GetScope() == "Ip"
+results[1].Overflow.Sources["127.0.0.2"].GetValue() == "127.0.0.2"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[0].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[1].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[2].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[3].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[4].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[4].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[5].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[5].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[6].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[6].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[6].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[6].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[6].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[7].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[7].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[7].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[7].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[7].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[8].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[8].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[8].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[8].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[8].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[9].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[9].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[9].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[9].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[9].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[10].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[10].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[10].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[10].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[10].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[11].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[11].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[11].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[11].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[11].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[11].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[11].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[12].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[12].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[12].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[12].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[12].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[12].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[12].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[13].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[13].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[13].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[13].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[13].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[13].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[13].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[14].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[14].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[14].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[14].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[14].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[14].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[14].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+basename(results[1].Overflow.Alert.Events[15].GetMeta("datasource_path")) == "iptables-scan-multi-port.log"
+results[1].Overflow.Alert.Events[15].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[15].GetMeta("log_type") == "iptables_drop"
+results[1].Overflow.Alert.Events[15].GetMeta("machine") == "vm-1"
+results[1].Overflow.Alert.Events[15].GetMeta("service") == "tcp"
+results[1].Overflow.Alert.Events[15].GetMeta("source_ip") == "127.0.0.2"
+results[1].Overflow.Alert.Events[15].GetMeta("timestamp") == "2026-10-30T10:09:23Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/iptables-scan-multi_ports"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 16
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/iptables-logs.yaml b/parsers/s01-parse/crowdsecurity/iptables-logs.yaml
index 7b7eda28bdb..e0a50075382 100644
--- a/parsers/s01-parse/crowdsecurity/iptables-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/iptables-logs.yaml
@@ -1,6 +1,6 @@
 onsuccess: next_stage
 #debug: true
-filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT')"
+filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT') and not (evt.Parsed.message contains '[UFW AUDIT]' )"
 name: crowdsecurity/iptables-logs
 description: "Parse iptables drop logs"
 statics:
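Review bot: The new `timestamp` assertions hard-code a year (`2026-09-30T10:09:23Z`, `2026-10-30T10:09:23Z`) even though the syslog lines in the fixture carry no year, so that value has to come from whatever clock the test harness runs with; unless the hub test runner pins the date, these 32 lines start failing at the next year rollover. If the harness does pin it, a one-line note in the test's config saying so would spare the next person the investigation; if it does not, asserting only the month/day/time part or leaving the `timestamp` lines out is the safer choice. Separately, `results[1]` asserts `Remediation == true` for a loopback source (127.0.0.2): that is what the scenario produces, but it is a reminder that this scenario is only safe to deploy together with a private-range whitelist, which this test, as far as the diff shows, does not load.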
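Review bot: The new exclusion matches only the literal `[UFW AUDIT]` prefix, so other non-drop UFW prefixes — `[UFW ALLOW]` for accepted packets and, if I remember correctly, `[UFW AUDIT INVALID]` at higher log levels — still pass the filter and are tagged `iptables_drop`, because `contains 'ACCEPT'` does not match them either. Since the filter now encodes a list of prefixes to ignore, fold them into one negated group and drop the stray space before `)`, e.g. `filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT' or evt.Parsed.message contains '[UFW AUDIT]' or evt.Parsed.message contains '[UFW ALLOW]')"`. A `#` comment above the filter naming what is excluded and why (`# skip accepted traffic and UFW's audit-only logging: neither is a block`) would make the next addition easier to review. The parser file continues past this hunk (`statics:` is cut off).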