Feat/sharry support #1685

Open
plague-doctor wants to merge 6 commits into crowdsecurity:master from plague-doctor:feat/sharry-support

@plague-doctor
Contributor

Summary

This PR adds CrowdSec support for Sharry, a self-hosted file sharing platform.

Description

  • Add sharry-logs parser for authentication failures
  • Add sharry-bf scenario (5 failures in 20s -> 1m ban)
  • Add collection, parser, and scenario documentation
  • Add test log samples
  • Detects: Authentication attempt failure for username X from ip Y

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR (for tests)

plague-doctor and others added 5 commits February 12, 2026 13:11
- Add sharry-logs parser for authentication failures
- Add sharry-bf scenario (5 failures in 20s -> 1m ban)
- Add collection, parser, and scenario documentation
- Add test log samples
- Detects: Authentication attempt failure for username X from ip Y
- Add sharry-logs parser tests with assertions
- Add sharry-bf scenario tests with 5 authentication failures
- Tests verify correct field extraction and scenario triggering
- Add timezone support to parser (UTC+11 for Sharry logs)
- Add StrTimeFormat with timezone offset handling
- Reduce scenario capacity from 5 to 4 (5 events need capacity 4 to overflow)
- Update test assertions to expect +11:00 timezone format

Fixes test failures where:
1. Timestamps weren't being parsed correctly (was defaulting to 1970)
2. Scenario wasn't triggering (needed 6 events with capacity 5, only had 5)
Contributor

@sabban sabban left a comment

It's great work; there's only one minor requested change before merging.

Thank you for your contribution.

- target: evt.StrTimeFormat
value: "2006.01.02 15:04:05:0000 -0700"
- target: evt.StrTime
expression: evt.Parsed.timestamp + " +1100"
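
Review bot: In the evt.StrTimeFormat value, the ":0000" after "15:04:05" is not a fractional-seconds placeholder if this string is consumed as a Go time layout (which the 2006.01.02 reference date indicates). Go only recognizes fractional seconds after a "." or ",", so ":0000" is matched as literal text and a timestamp whose sub-second field is anything other than 0000 will fail to parse. Please confirm the test samples include a line with a non-zero sub-second field, or drop that field from the captured timestamp before building evt.StrTime and remove ":0000" from the layout.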
Contributor

Can you replace +1100 by +0000 or Z? It's not better because it sets the timezone to UTC, but for now it's the most common way it's done when the log format doesn't give any information on the timezone.

Replace hardcoded +1100 timezone offset with +0000 (UTC) since Sharry logs don't include timezone information. This follows the standard approach for logs without explicit timezone data.
@plague-doctor plague-doctor requested a review from sabban March 16, 2026 21:47