feat: add NethVoice-specific CrowdSec detection scenarios#181
Open
gsanchietti wants to merge 5 commits into
Conversation
This was referenced Jul 3, 2026
fbc7f0b to 9ca28f1
Add parsers and scenarios to block:
- HTTP brute force attacks on nethcti-middleware
- SIP brute force attacks on Kamailio
- FreePBX scan
94db65b to 87bbd5f
List and toggle-collection actions now surface nethesis/nethvoice and nethesis/kamailio as fake collections, backed by a single NETHVOICE_COLLECTION_ENABLED flag, so the always-installed custom parsers/scenarios can be seen and toggled from the Collections UI even though they are not real CrowdSec hub collections. Assisted-By: Claude:Sonnet5
Add nethvoice-admin-login-bf scenario to catch repeated 401/403 hits on /freepbx/rest/login, keyed off the existing crowdsecurity/traefik http meta fields. Bundled into the nethesis/nethvoice fake collection alongside the other NethVoice/Kamailio detections. Assisted-By: Claude:Sonnet5
Add nethvoice-reports-logs parser (Gin access log format, same as the middleware parser) and nethvoice-reports-bf scenario to catch repeated 401/403 on reports-api login. Bundled into the nethesis/nethvoice fake collection. Assisted-By: Claude:Sonnet5
87bbd5f to f8aa23a
kamailio-bf.yaml was missing the confidence, spoofable, classification, behavior, and label keys used by every other brute-force scenario in this module, and used a non-standard "type" label instead. Alerts for SIP brute force showed up without MITRE classification or a readable label in cscli/console while every other scenario was fully annotated. Align its labels block to the same schema as the nethvoice-*-bf scenarios; capacity/leakspeed/blackhole are left unchanged as they are intentionally tighter for a fast-retry protocol like SIP. Assisted-by: Claude:claude-sonnet-5
Summary
- Parser (nethvoice-middleware-logs.yaml) for nethcti-middleware's Gin access/auth logs
- nethvoice-middleware-bf.yaml: detects low-and-slow brute-force/token-guessing against the middleware API (10m leaky window, since existing generic scenarios use a 10s window and miss this pace)
- nethvoice-http-exploit-scan.yaml: detects scans against known FreePBX exploit paths (/admin/config.php) regardless of pace, since the existing http-probing requires a faster hit rate than observed real scans
- kamailio-logs.yaml + kamailio-bf.yaml: parses the new SECURITY-AUTHFAIL line kamailio now emits (nethvoice-proxy PR #193) and detects SIP login brute force (10s leaky window, capacity 5)
- expand-configuration, following the existing pattern used for nethvoice-whitelist-http-probing.yaml
- nethvoice-admin-login-bf.yaml: detects brute force against the NethVoice admin API login (/freepbx/rest/login)
- nethvoice-reports-logs.yaml + nethvoice-reports-bf.yaml: parses reports-api Gin logs and detects brute force against the reports app login
- nethesis/nethvoice in list-collections/toggle-collection, backed by NETHVOICE_COLLECTION_ENABLED, so it can be toggled from the Collections UI like a real collection
- kamailio-bf.yaml labels (confidence/classification/behavior) with the other brute-force scenarios for consistent alert display

Issue:
For the SIP part, this also requires: nethesis/ns8-nethvoice-proxy#193
Testing
Install:
add-module ghcr.io/nethserver/crowdsec:nethvoice_integration
Update:
api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/crowdsec:nethvoice_integration","instances": "crowdsec1", "force": true}'
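As an added example (not code from this PR or from CrowdSec), the leaky-bucket behaviour the summary relies on: a parser for Gin access-log lines plus a CrowdSec-style per-IP leaky bucket, run over constructed log lines, shows a one-failure-every-45s login brute force slipping through a 10s leak speed and tripping a 10m one. Capacity 5 for both buckets, the 45s pace, the sample IPs and the use of /freepbx/rest/login as the filtered path are assumptions.

```python
import re
from collections import defaultdict

GIN_RE = re.compile(r'\[GIN\] (?P<date>\S+) - (?P<time>\S+) \| (?P<status>\d{3}) \|\s+\S+ \|'
                    r'\s+(?P<ip>[\d.]+) \| (?P<method>[A-Z]+)\s+"(?P<path>[^"]+)"')

def parse_gin(line):
    """Parse Gin's default access-log line; return (ip, status, path, seconds_since_midnight)
    or None for non-matching lines. Dates are ignored: samples stay within one day."""
    m = GIN_RE.search(line)
    if not m:
        return None
    h, mi, s = map(int, m["time"].split(":"))
    return m["ip"], int(m["status"]), m["path"], h * 3600 + mi * 60 + s

def failed_login_events(lines, login_path="/freepbx/rest/login"):
    """Scenario filter: keep only 401/403 responses on the login path, as (ip, ts) pairs."""
    events = []
    for p in map(parse_gin, lines):
        if p and p[1] in (401, 403) and p[2] == login_path:
            events.append((p[0], p[3]))
    return events

def leaky_bucket_alerts(events, capacity, leakspeed_s):
    """CrowdSec 'leaky' semantics per source IP: one token per event, one token
    leaks every leakspeed_s seconds, overflowing capacity raises an alert."""
    level = defaultdict(float)   # ip -> current bucket level
    last_ts = {}                 # ip -> timestamp of the previous event
    alerts = set()
    for ip, ts in events:
        if ip in last_ts:
            level[ip] = max(0.0, level[ip] - (ts - last_ts[ip]) / leakspeed_s)
        level[ip] += 1
        last_ts[ip] = ts
        if level[ip] > capacity:
            alerts.add(ip)
            level[ip] = 0.0      # bucket emptied after the alert (blackhole period omitted)
    return alerts

def make_sample_log(ip, count, every_s, status=401, start=36000):
    """Constructed log: `count` login responses from `ip`, `every_s` seconds apart, from 10:00:00."""
    lines = []
    for i in range(count):
        t = start + i * every_s
        lines.append(f'[GIN] 2026/07/03 - {t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d} | '
                     f'{status} |     1.2ms |   {ip} | POST     "/freepbx/rest/login"')
    return lines

def compare_windows():
    """Slow attacker (one failure every 45s) plus a legitimate user, against 10s vs 10m leak speed."""
    log = make_sample_log("203.0.113.5", 12, 45) + make_sample_log("198.51.100.7", 2, 1, 200)
    events = failed_login_events(log)
    return {"10s": leaky_bucket_alerts(events, 5, 10), "10m": leaky_bucket_alerts(events, 5, 600)}
```

Running compare_windows() yields no alert for the 10s bucket and an alert for 203.0.113.5 from the 10m bucket, which is the gap the nethvoice-middleware-bf scenario closes.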