diff --git a/web-log-monitor.py b/web-log-monitor.py index dc15e63..c30bc15 100644 --- a/web-log-monitor.py +++ b/web-log-monitor.py @@ -56,7 +56,7 @@ IMMEDIATE_ALERT_PATTERNS = [ (r"(?:;\s*(?:ls|cat|wget|curl|bash|sh|nc)\s)", "Command Injection"), (r"(?:wp-login|wp-admin|xmlrpc\.php).*(?:POST|HEAD)", "WordPress Scan"), (r"(?:phpmyadmin|pma|mysqladmin)", "DB Admin Scan"), - (r"(?:\.env|\.git/|\.aws/|\.ssh/)", "Sensitive File Probe"), + (r"(?:\.env|/\.git/|\.aws/|\.ssh/)", "Sensitive File Probe"), ] SYSTEM_PROMPT = """/no_think @@ -89,6 +89,19 @@ After your analysis (and any tool calls), respond with JSON only (no markdown, n If nothing suspicious, return: {"suspicious": false, "findings": [], "summary": "No suspicious activity detected"} +IMPORTANT CONTEXT about the infrastructure behind this reverse proxy (Traefik): +- Gitea (git server): Expect git clone/push/pull traffic with URLs like /user/repo.git/info/refs, /user/repo.git/git-upload-pack, etc. This is NORMAL git protocol traffic, not sensitive file probing. Gitea also serves web UI pages for browsing repositories. +- Nextcloud (cloud storage): Expect heavy API traffic including WebDAV, OCS API calls, app-specific endpoints (bookmarks, calendar, contacts sync). Burst of requests from a single IP to Nextcloud is normal client sync behavior, NOT reconnaissance. +- Immich (photo management): Expect API calls for photo sync and uploads from mobile/desktop clients. +- Gotify (push notifications): Expect WebSocket connections and message API calls. +- Other self-hosted services behind this proxy generate legitimate automated traffic patterns. + +Do NOT flag the following as suspicious: +- Git protocol operations to Gitea repositories (even with 401 responses — git auth negotiation starts with a 401) +- Nextcloud sync bursts (many rapid requests from one IP to Nextcloud endpoints) +- Authenticated API traffic to any of the above services +- Standard browser navigation patterns to any hosted service + Be conservative - normal traffic like health checks, static assets, and authenticated user activity is not suspicious.""" # Tool definitions for the LLM (OpenAI function-calling format)