Skip to content

add xray-logs parser and xray-brute-force scenario new features to global repository#1837

Open
xulianh wants to merge 2 commits into
crowdsecurity:masterfrom
xulianh:feat/xray-detection
Open

add xray-logs parser and xray-brute-force scenario new features to global repository#1837
xulianh wants to merge 2 commits into
crowdsecurity:masterfrom
xulianh:feat/xray-detection

Conversation

@xulianh

@xulianh xulianh commented Jul 1, 2026

Copy link
Copy Markdown

Description

This Pull Request introduces a complete detection suite for X-ray proxy services, consisting of a dedicated log parser and a brute-force correlation scenario.

The parser (xulianh/xray-logs) extracts connection metadata—specifically isolating the source IP, ephemeral source port, and action states—from raw X-ray access logs. It incorporates precise chronological synchronization via dateparse-enrich to allow accurate historical log analysis and forensic replays.

The scenario (xulianh/xray-brute-force) implements a leaky bucket algorithm to monitor authentication failures or network scanning attempts targeting the proxy. It tracks rejected connection states per source IP address using a capacity of 5 events and a 20-second leak speed. Following security best practices, the detection logic is fully resilient against mixed traffic noise; concurrent legitimate connections (accepted) from the same source IP do not clear or reset the malicious failure counter, neutralizing basic evasion techniques.

A comprehensive hubtest suite is provided to validate the entire pipeline. The test vector utilizes strictly anonymized log entries with documentation IP ranges, achieving a total of 613 successful assertions under isolated conditions.

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • [Gemini] AI was used to generate any/all content of this PR

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new CrowdSec Hub detection suite for X-ray proxy logs: a dedicated s01 parser (xulianh/xray-logs) plus a leaky-bucket scenario (xulianh/xray-brute-force), along with a hubtest pipeline covering parsing, date enrichment, and scenario triggering.

Changes:

  • Add xulianh/xray-logs parser to extract source_ip, source_port, and action, and to provide evt.StrTime for dateparse-enrich.
  • Add xulianh/xray-brute-force leaky-bucket scenario grouping on source_ip and triggering on action == rejected.
  • Add .tests/xray-brute-force/ hubtest suite (sample log, config, and frozen assertions).

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 13 comments.

Show a summary per file
File Description
scenarios/xulianh/xray-brute-force.yaml New leaky-bucket scenario to detect repeated rejected events by source IP.
scenarios/xulianh/xray-brute-force.md Scenario documentation for the X-ray brute-force detection.
parsers/s01-parse/xulianh/xray-logs.yaml New parser for X-ray access logs; sets metadata and event time for enrichment.
parsers/s01-parse/xulianh/xray-logs.md Parser documentation and acquisition guidance.
.tests/xray-brute-force/config.yaml Hubtest configuration wiring non-syslog ingestion, parser, and date enrichment to the scenario.
.tests/xray-brute-force/xray_sample.log Test log input used by hubtest.
.tests/xray-brute-force/parser.assert Frozen hubtest assertions for s00/s01/s02 stages.
.tests/xray-brute-force/scenario.assert Frozen hubtest assertions for scenario overflows.

Comment on lines +15 to +16
- target: evt.StrTime
expression: "evt.Parsed.year + '-' + evt.Parsed.month + '-' + evt.Parsed.day + 'T' + evt.Parsed.hour + ':' + evt.Parsed.minute + ':' + evt.Parsed.second + 'Z'"
blackhole: 1m
labels:
service: xray
type: brute-force
Comment on lines +1 to +12
---

author: xulianh
classification:

* AppSec
* Proxy
tags:
* xray
* brute-force

---

## 📝 Description

This parser is designed to extract relevant security events from X-ray proxy service logs. It targets incoming log strings to identify connection outcomes and safely isolate structural metadata such as source IP addresses and destination ports.

## 🔍 Extraction Logic

The component utilizes optimized Grok patterns to process the `message` field of raw incoming lines matching the `xray` program identifier.
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["action"] == "accepted"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["day"] == "30"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["hour"] == "16"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["message"] == "2026/06/30 16:43:03.500000 from 192.0.2.10:62264 accepted tcp:1.1.1.1:443 [direct]"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["micro"] == "500000"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["minute"] == "43"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["month"] == "06"
results["s01-parse"]["xulianh/xray-logs"][5].Evt.Parsed["reason"] == "tcp:1.1.1.1:443 [direct]"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["action"] == "accepted"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["day"] == "30"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["hour"] == "16"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "2026/06/30 16:43:03.500000 from 192.0.2.10:62264 accepted tcp:1.1.1.1:443 [direct]"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["micro"] == "500000"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["minute"] == "43"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["month"] == "06"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["reason"] == "tcp:1.1.1.1:443 [direct]"
Comment on lines +24 to +28
filenames:

* /var/log/xray/access.log
labels:
type: xray
@sabban sabban self-assigned this Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants