fix: reduce false positives in security log detection #2

Merged
jimmy merged 1 commits from dev into main 2026-03-01 10:32:06 +08:00
Showing only changes of commit cb1028ebb6 - Show all commits
+15 -4
View File
@@ -13,8 +13,15 @@ _tz_cst = timezone(timedelta(hours=8))
# Suspicious path patterns (scanners, exploits, etc.) # Suspicious path patterns (scanners, exploits, etc.)
_SUSPICIOUS_PATHS = re.compile( _SUSPICIOUS_PATHS = re.compile(
r"(\.env|\.git|wp-login|wp-admin|phpmy|/admin|/cgi-bin|/shell|/eval|" r"(\.env|\.git/|wp-login|wp-admin|phpmy|/cgi-bin|/shell|/eval|"
r"\.php|\.asp|/etc/passwd|/proc/self|\.sql|/actuator|/debug|/config\.json)", r"\.asp|/etc/passwd|/proc/self|\.sql|/actuator|/debug|/config\.json|"
r"xmlrpc\.php|wp-cron\.php|wp-includes|/\.well-known/security)",
re.IGNORECASE,
)
# Known internal API paths that should not be flagged
_INTERNAL_PATHS = re.compile(
r"^/(api/|rest/|backend/|_next/|static/|assets/|favicon)",
re.IGNORECASE, re.IGNORECASE,
) )
@@ -71,8 +78,12 @@ def _parse_caddy_logs(lines: str, limit: int) -> list[dict]:
uri = obj.get("uri", obj.get("request", {}).get("uri", "")) uri = obj.get("uri", obj.get("request", {}).get("uri", ""))
remote_ip = obj.get("remote_ip", obj.get("request", {}).get("remote_ip", "")) remote_ip = obj.get("remote_ip", obj.get("request", {}).get("remote_ip", ""))
# Flag: 4xx/5xx or suspicious path # Flag: suspicious path (skip known internal paths), or 4xx on unknown paths
is_suspicious = status >= 400 or _SUSPICIOUS_PATHS.search(uri) is_suspicious = False
if _SUSPICIOUS_PATHS.search(uri):
is_suspicious = not _INTERNAL_PATHS.match(uri)
elif status >= 400 and not _INTERNAL_PATHS.match(uri):
is_suspicious = True
if not is_suspicious: if not is_suspicious:
continue continue