[crowdsecurity/http-bad-user-agent] false-positive
Hello, I would like to report a false-positive alert by crowdsecurity/http-bad-user-agent.
Incident details
################################################################################################
- ID : 1604
- Date : 2023-05-21T17:21:44Z
- Machine : bc9630b07f7c3d6fb32ffb5164071c81knwaPq7bxOLQLmLq
- Simulation : false
- Reason : crowdsecurity/http-bad-user-agent
- Events Count : 2
- Scope:Value : Ip:147.182.141.124
- Country : US
- AS : DIGITALOCEAN-ASN
- Begin : 2023-05-21 17:21:43.182412539 +0000 UTC
- End : 2023-05-21 17:21:43.657494946 +0000 UTC
- UUID : ee12c4f3-a635-4445-bc34-e4a234d1f927
- Events :
- Date: 2023-05-21 20:21:43 +0300 +0300
+-----------------+---------------------------------------------------------+
| Key | Value |
+-----------------+---------------------------------------------------------+
| ASNNumber | 14061 |
+-----------------+---------------------------------------------------------+
| ASNOrg | DIGITALOCEAN-ASN |
+-----------------+---------------------------------------------------------+
| IsInEU | false |
+-----------------+---------------------------------------------------------+
| IsoCode | US |
+-----------------+---------------------------------------------------------+
| SourceRange | 147.182.128.0/17 |
+-----------------+---------------------------------------------------------+
| datasource_path | /var/log/nginx/access_log |
+-----------------+---------------------------------------------------------+
| datasource_type | file |
+-----------------+---------------------------------------------------------+
| http_args_len | 0 |
+-----------------+---------------------------------------------------------+
| http_path | /blog/index.xml |
+-----------------+---------------------------------------------------------+
| http_status | 304 |
+-----------------+---------------------------------------------------------+
| http_user_agent | NewsBlur Feed Fetcher - 2 subscribers - |
| | https://www.newsblur.com/site/8305924/encrypch |
| | (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) |
| | AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 |
| | Safari/605.1.15\x22) |
+-----------------+---------------------------------------------------------+
| http_verb | GET |
+-----------------+---------------------------------------------------------+
| log_type | http_access-log |
+-----------------+---------------------------------------------------------+
| service | http |
+-----------------+---------------------------------------------------------+
| source_ip | 147.182.141.124 |
+-----------------+---------------------------------------------------------+
| target_fqdn | encryp.ch |
+-----------------+---------------------------------------------------------+
| timestamp | 2023-05-21T20:21:43+03:00 |
+-----------------+---------------------------------------------------------+
- Date: 2023-05-21 20:21:43 +0300 +0300
+-----------------+---------------------------------------------------------+
| Key | Value |
+-----------------+---------------------------------------------------------+
| ASNNumber | 14061 |
+-----------------+---------------------------------------------------------+
| ASNOrg | DIGITALOCEAN-ASN |
+-----------------+---------------------------------------------------------+
| IsInEU | false |
+-----------------+---------------------------------------------------------+
| IsoCode | US |
+-----------------+---------------------------------------------------------+
| SourceRange | 147.182.128.0/17 |
+-----------------+---------------------------------------------------------+
| datasource_path | /var/log/nginx/access_log |
+-----------------+---------------------------------------------------------+
| datasource_type | file |
+-----------------+---------------------------------------------------------+
| http_args_len | 0 |
+-----------------+---------------------------------------------------------+
| http_path | /blog/ |
+-----------------+---------------------------------------------------------+
| http_status | 200 |
+-----------------+---------------------------------------------------------+
| http_user_agent | NewsBlur Page Fetcher - 2 subscribers - |
| | https://www.newsblur.com/site/8305924/encrypch |
| | (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) |
| | AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 |
| | Safari/605.1.15\x22) |
+-----------------+---------------------------------------------------------+
| http_verb | GET |
+-----------------+---------------------------------------------------------+
| log_type | http_access-log |
+-----------------+---------------------------------------------------------+
| service | http |
+-----------------+---------------------------------------------------------+
| source_ip | 147.182.141.124 |
+-----------------+---------------------------------------------------------+
| target_fqdn | encryp.ch |
+-----------------+---------------------------------------------------------+
| timestamp | 2023-05-21T20:21:43+03:00 |
+-----------------+---------------------------------------------------------+
Why do I believe this is FP?
Because they don't do anything malicious; they only access a few pages on my blog:
Nginx logs
admin@flopster ~ $ sudo grep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230521
encryp.ch 147.182.164.60 - - [15/May/2023:02:31:29 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.168.106 - - [16/May/2023:00:56:04 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 198.199.69.95 - - [16/May/2023:22:28:28 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 167.71.26.200 - - [19/May/2023:22:52:09 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zstdgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230514.zst
encryp.ch 147.182.164.50 - - [07/May/2023:09:04:21 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.160.157 - - [07/May/2023:17:51:00 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.174 - - [08/May/2023:16:12:34 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 137.184.65.48 - - [08/May/2023:20:44:07 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.164.62 - - [09/May/2023:06:10:04 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.168.103 - - [09/May/2023:15:53:23 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zstdgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230507.zst
encryp.ch 157.230.14.164 - - [30/Apr/2023:07:54:18 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 64.227.8.69 - - [30/Apr/2023:19:51:05 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 165.22.177.185 - - [30/Apr/2023:23:06:41 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.164.50 - - [01/May/2023:01:16:45 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.177 - - [01/May/2023:07:57:52 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 165.22.177.185 - - [01/May/2023:18:14:45 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 64.227.8.69 - - [01/May/2023:19:26:41 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 64.227.8.69 - - [03/May/2023:16:59:15 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 157.230.182.237 - - [03/May/2023:18:09:19 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.164.76 - - [04/May/2023:12:54:59 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zstdgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230430.zst
encryp.ch 143.198.114.142 - - [24/Apr/2023:22:04:50 +0300] "GET /blog/ HTTP/1.1" 200 3674 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 167.71.22.5 - - [25/Apr/2023:16:08:41 +0300] "GET /blog/ HTTP/1.1" 200 3674 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 157.245.136.93 - - [28/Apr/2023:16:24:41 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.168.178 - - [28/Apr/2023:21:58:50 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.177.224 - - [29/Apr/2023:04:32:06 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 157.230.228.128 - - [29/Apr/2023:06:43:09 +0300] "GET /blog/ HTTP/1.1" 200 3719 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230326.gz
encryp.ch 67.205.151.52 - - [20/Mar/2023:02:53:20 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.164.79 - - [20/Mar/2023:21:17:22 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.177 - - [21/Mar/2023:23:34:20 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 157.230.14.164 - - [22/Mar/2023:13:44:04 +0200] "GET /blog/ HTTP/1.1" 200 2700 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.165 - - [23/Mar/2023:21:03:10 +0200] "GET /blog/ HTTP/1.1" 200 2700 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.165 - - [24/Mar/2023:11:05:40 +0200] "GET /blog/ HTTP/1.1" 200 2700 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230319.gz
encryp.ch 143.244.160.247 - - [12/Mar/2023:12:15:08 +0200] "GET /blog/ HTTP/1.1" 200 2670 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.164.152 - - [14/Mar/2023:04:29:22 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.160.74 - - [14/Mar/2023:08:57:28 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 147.182.172.176 - - [18/Mar/2023:20:32:02 +0200] "GET /blog/ HTTP/1.1" 200 2763 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
admin@flopster ~ $ sudo zgrep -e "NewsBlur Page Fetcher" /var/log/nginx/access_log-20230312.gz
encryp.ch 147.182.172.175 - - [06/Mar/2023:07:09:28 +0200] "GET /blog/ HTTP/1.1" 200 2608 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 68.183.139.59 - - [08/Mar/2023:12:49:01 +0200] "GET /blog/ HTTP/1.1" 200 2608 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 64.227.15.93 - - [09/Mar/2023:07:37:41 +0200] "GET /blog/ HTTP/1.1" 200 2608 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"
encryp.ch 157.230.14.164 - - [11/Mar/2023:22:33:35 +0200] "GET /blog/ HTTP/1.1" 200 2670 "-" "NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8305924/encrypch (\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\x22)" "-"