feat: add NethVoice-specific CrowdSec detection scenarios #181

Open

gsanchietti wants to merge 5 commits into feature/alerts-collections from nethvoice_integration

Conversation

@gsanchietti gsanchietti (Member) commented Jul 2, 2026

Summary

  • Add a parser (nethvoice-middleware-logs.yaml) for nethcti-middleware's Gin access/auth logs
  • Add nethvoice-middleware-bf.yaml: detects low-and-slow brute-force/token-guessing against the middleware API (10m leaky window, since existing generic scenarios use a 10s window and miss this pace)
  • Add nethvoice-http-exploit-scan.yaml: detects scans against known FreePBX exploit paths (/admin/config.php) regardless of pace, since existing http-probing requires a faster hit rate than observed real scans
  • Add kamailio-logs.yaml + kamailio-bf.yaml: parses the new SECURITY-AUTHFAIL line kamailio now emits (nethvoice-proxy PR #193) and detects SIP login bruteforce (10s leaky window, capacity 5)
  • Wire all new tainted files into expand-configuration, following the existing pattern used for nethvoice-whitelist-http-probing.yaml
  • Add nethvoice-admin-login-bf.yaml: detects brute force against the NethVoice admin API login (/freepbx/rest/login)
  • Add nethvoice-reports-logs.yaml + nethvoice-reports-bf.yaml: parses reports-api Gin logs and detects brute force against the reports app login
  • Expose all of the above as a single fake collection nethesis/nethvoice in list-collections/toggle-collection, backed by NETHVOICE_COLLECTION_ENABLED, so it can be toggled from the Collections UI like a real collection
  • Align kamailio-bf.yaml labels (confidence/classification/behavior) with the other brute-force scenarios for consistent alert display

Issue:

For the SIP part, this also requires: nethesis/ns8-nethvoice-proxy#193

Testing

Install: add-module ghcr.io/nethserver/crowdsec:nethvoice_integration
Update: api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/crowdsec:nethvoice_integration","instances": "crowdsec1", "force": true}'
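The leaky-bucket behaviour the summary relies on (a 10-minute leak that keeps accumulating low-and-slow failures, a 10-second leak that drains between them, and a first-hit trigger for the FreePBX exploit path), shown as an added Python example. This is not code from the PR, from CrowdSec or from the YAML scenarios, which are not reproduced on this page. It assumes Gin's default access-log layout for the middleware and reports-api logs, reads "10m leaky window" as a CrowdSec-style leakspeed of 10 minutes with capacity 5, models the pace-independent scan detection as a capacity-0 bucket, and runs over constructed log lines using RFC 5737 addresses. The SIP scenario would reuse the same bucket keyed on the Kamailio parser's source IP; that log format is not shown here, so it is left out.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Gin's default access-log layout without ANSI colours, e.g.
# [GIN] 2026/07/02 - 10:00:00 | 401 |      1.2ms |     203.0.113.5 | POST     "/api/authenticate"
GIN_RE = re.compile(
    r'^\[GIN\] (?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2}) \|\s*(?P<status>\d{3})\s*\|'
    r'\s*(?P<latency>\S+)\s*\|\s*(?P<ip>\S+)\s*\|\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)


def parse_gin(line: str) -> Optional[dict]:
    """Parse one Gin access-log line into the fields a scenario filters on."""
    m = GIN_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d - %H:%M:%S"),
        "status": int(m["status"]),
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"],
    }


@dataclass
class LeakyBucket:
    """CrowdSec-style leaky bucket (assumed semantics): every event adds one token,
    tokens drain at one per leakspeed, and the bucket overflows when it holds
    more than `capacity` tokens."""
    capacity: int
    leakspeed: timedelta
    tokens: float = 0.0
    last: Optional[datetime] = None

    def push(self, ts: datetime) -> bool:
        if self.last is not None:
            drained = (ts - self.last).total_seconds() / self.leakspeed.total_seconds()
            self.tokens = max(0.0, self.tokens - drained)
        self.last = ts
        self.tokens += 1
        if self.tokens > self.capacity:
            self.tokens, self.last = 0.0, None  # overflow: alert and start over
            return True
        return False


@dataclass
class Scenario:
    name: str
    match: Callable[[dict], bool]
    capacity: int
    leakspeed: timedelta
    buckets: Dict[str, LeakyBucket] = field(default_factory=dict)  # one bucket per source IP

    def feed(self, ev: dict) -> Optional[Tuple[str, str, datetime]]:
        if not self.match(ev):
            return None
        bucket = self.buckets.setdefault(ev["ip"], LeakyBucket(self.capacity, self.leakspeed))
        return (self.name, ev["ip"], ev["ts"]) if bucket.push(ev["ts"]) else None


def auth_failure(ev: dict) -> bool:
    return ev["status"] in (401, 403) and ev["path"].startswith("/api/")


def build_scenarios() -> List[Scenario]:
    return [
        # 10-minute leak: one failure every 2.5 minutes still accumulates.
        Scenario("nethvoice-middleware-bf", auth_failure, capacity=5, leakspeed=timedelta(minutes=10)),
        # 10-second leak (the generic scenarios' pace): fully drained between slow attempts.
        Scenario("generic-http-bf-10s", auth_failure, capacity=5, leakspeed=timedelta(seconds=10)),
        # capacity 0 overflows on the very first matching hit, whatever the pace.
        Scenario("nethvoice-http-exploit-scan", lambda ev: ev["path"] == "/admin/config.php",
                 capacity=0, leakspeed=timedelta(minutes=10)),
    ]


def detect(lines: List[str], scenarios: List[Scenario]) -> List[Tuple[str, str, datetime]]:
    alerts = []
    for line in lines:
        ev = parse_gin(line)
        if ev is None:
            continue  # not an access line (e.g. a Go stack trace), skip it
        alerts.extend(a for a in (s.feed(ev) for s in scenarios) if a)
    return alerts


# Constructed sample log (RFC 5737 addresses); not captured from a real system.
def _gin(ts: str, status: int, ip: str, method: str, path: str) -> str:
    return f'[GIN] {ts} | {status} |      1.2ms | {ip:>15} | {method:<7} "{path}"'


SAMPLE_LOG = [
    _gin("2026/07/02 - 10:00:00", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:01:00", 401, "198.51.100.7", "POST", "/api/authenticate"),  # typo, then success
    _gin("2026/07/02 - 10:01:05", 200, "198.51.100.7", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:02:30", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:03:00", 404, "192.0.2.9", "GET", "/admin/config.php"),  # single scan hit
    _gin("2026/07/02 - 10:05:00", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:07:30", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:10:00", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:12:30", 401, "203.0.113.5", "POST", "/api/authenticate"),
    _gin("2026/07/02 - 10:15:00", 401, "203.0.113.5", "POST", "/api/authenticate"),
]

if __name__ == "__main__":
    for name, ip, ts in detect(SAMPLE_LOG, build_scenarios()):
        print(f"{ts:%H:%M:%S} {name} overflowed for {ip}")
```

With these inputs the 10-minute bucket for 203.0.113.5 reaches 5.5 tokens on the seventh failure and overflows, the 10-second bucket never gets past one token, the legitimate user with a single 401 stays under capacity, and the lone /admin/config.php probe fires immediately. The 2.5-minute spacing is chosen so the drain fractions are exact in binary floating point; a real engine would use the event timestamps as they come.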

Add parsers and scenarios to block

- HTTP brute force attacks on nethcti-middleware
- SIP brute force attacks on Kamailio
- FreePBX scan
@gsanchietti gsanchietti force-pushed the nethvoice_integration branch 3 times, most recently from 94db65b to 87bbd5f (July 3, 2026 12:56)
List and toggle-collection actions now surface nethesis/nethvoice and
nethesis/kamailio as fake collections, backed by a single
NETHVOICE_COLLECTION_ENABLED flag, so the always-installed custom
parsers/scenarios can be seen and toggled from the Collections UI even
though they are not real CrowdSec hub collections.

Assisted-By: Claude:Sonnet5
Add nethvoice-admin-login-bf scenario to catch repeated 401/403 hits
on /freepbx/rest/login, keyed off the existing crowdsecurity/traefik
http meta fields. Bundled into the nethesis/nethvoice fake collection
alongside the other NethVoice/Kamailio detections.

Assisted-By: Claude:Sonnet5
Add nethvoice-reports-logs parser (Gin access log format, same as the
middleware parser) and nethvoice-reports-bf scenario to catch repeated
401/403 on reports-api login. Bundled into the nethesis/nethvoice fake
collection.

Assisted-By: Claude:Sonnet5
@gsanchietti gsanchietti force-pushed the nethvoice_integration branch from 87bbd5f to f8aa23a (July 3, 2026 13:03)
@gsanchietti gsanchietti changed the title from "feat: Add NethVoice-specific CrowdSec detection scenarios" to "feat: add NethVoice-specific CrowdSec detection scenarios" Jul 3, 2026
kamailio-bf.yaml was missing the confidence, spoofable,
classification, behavior, and label keys used by every other
brute-force scenario in this module, and used a non-standard
"type" label instead. Alerts for SIP brute force showed up
without MITRE classification or a readable label in cscli/console
while every other scenario was fully annotated.

Align its labels block to the same schema as the nethvoice-*-bf
scenarios; capacity/leakspeed/blackhole are left unchanged as they
are intentionally tighter for a fast-retry protocol like SIP.

Assisted-by: Claude:claude-sonnet-5
@gsanchietti gsanchietti marked this pull request as ready for review July 3, 2026 13:39
@gsanchietti gsanchietti requested review from Stell0 and stephdl July 3, 2026 13:42

@stephdl stephdl (Collaborator) left a comment

Let's see it in action.

2 participants