15 lines
1.2 KiB
Plaintext
15 lines
1.2 KiB
Plaintext
[Definition]
|
|
# JSON logs with ISO-8601 timestamps
|
|
datepattern = {^LN-BEG}%%Y-%%m-%%dT%%H:%%M:%%S(?:[.,]\\d+)?(?:Z|[+\\-]\\d{2}:\\d{2})?
|
|
|
|
# Define a custom IP regex for <HOST>
|
|
hostname = (?:\d{1,3}\.){3}\d{1,3}
|
|
|
|
# Detect scanners in user-agent
|
|
failregex = (?i)^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
|
|
(?i)^.*"remote_addr":"<HOST>".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
|
|
|
|
# Ignore internal/harmless endpoints and broken IPs
|
|
ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$
|
|
^.*"x_forwarded_for":"\:?".*$
|
|
^.*"remote_addr":"\:?".*$ |