feat: add PumbaLP/adguardhome-dot collection for DoT scanner detection#1797
Open
PumbaLP wants to merge 5 commits into
Parser: PumbaLP/adguardhome-dot-errors
- Extracts remote IP from AdGuard Home DoT connection reset errors
- Detects port 853 scanners that fail TLS handshake

Scenario: PumbaLP/adguardhome-dot-scan
- Bans after 5 resets within 10 minutes from same IP
- Tested against AdGuard Home v0.107.x in production

Closes: crowdsecurity#1753
buixor (Contributor) reviewed on Jun 2, 2026
Pull request overview
Adds a new PumbaLP/adguardhome-dot collection (parser + scenario) that detects port scanners probing AdGuard Home's DNS-over-TLS port 853 by aggregating repeated connection reset by peer errors per source IP.
Changes:
- New s01 parser `PumbaLP/adguardhome-dot-errors` extracting `source_ip`, `service` and `log_type` from AdGuard Home DoT reset errors.
- New leaky scenario `PumbaLP/adguardhome-dot-scan` (capacity 5 / leakspeed 10m / blackhole 5m) plus the bundling collection.
- Two hubtests under `.tests/adguardhome-dot-errors` and `.tests/adguardhome-dot-scan`, but the scenario assert does not actually validate the overflow.
Reviewed changes
Copilot reviewed 11 out of 13 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| collections/PumbaLP/adguardhome-dot.yaml | New collection bundling the parser and scenario. |
| parsers/s01-parse/PumbaLP/adguardhome-dot-errors.yaml | New grok parser on Line.Raw extracting remote IP from DoT reset errors. |
| parsers/s01-parse/PumbaLP/adguardhome-dot-errors.md | Parser documentation; has an unterminated YAML code fence. |
| scenarios/PumbaLP/adguardhome-dot-scan.yaml | New leaky scenario on source_ip triggering after 5 resets in 10m. |
| scenarios/PumbaLP/adguardhome-dot-scan.md | Scenario documentation; starts with a stray ```markdown fence. |
| .tests/adguardhome-dot-errors/* | Hubtest validating parser extraction; log fixture uses a real public IP. |
| .tests/adguardhome-dot-scan/* | Hubtest meant to validate the scenario, but scenario.assert asserts zero results. |
Adds a parser and scenario to detect port 853 (DNS-over-TLS) scanners targeting AdGuard Home instances.
Port scanners that probe DoT without completing a proper TLS handshake cause repeated "connection reset by peer" errors in AdGuard Home logs. This collection extracts the remote IP from these errors and bans IPs that trigger 5+ resets within 10 minutes.
Components
- PumbaLP/adguardhome-dot-errors: extracts remote_ip, log_type and service from AdGuard Home DoT error logs
- PumbaLP/adguardhome-dot-scan: leaky bucket, capacity 5, leakspeed 10m, grouped by source_ip
- PumbaLP/adguardhome-dot: bundles both components

What it detects
Port scanners and probers that connect to port 853 (DoT) without completing a proper TLS handshake. These appear as repeated "connection reset by peer" errors in AdGuard Home logs.

What it does NOT detect
crowdsecurity/nginx-logs instead

Testing
Two hubtests are included:
- adguardhome-dot-errors: validates parser extracts source_ip, log_type and service correctly
- adguardhome-dot-scan: validates scenario coverage with 6 events from same IP

Tested in production against AdGuard Home v0.107.x running in Docker.
Closes #1753
Checklist
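As an added illustration of the detection logic described above (not code from this PR or from CrowdSec), the following Python models the parser and the leaky bucket end to end: it extracts the remote IP from reset errors and flags a source on the sixth reset inside the 10m leakspeed window, honouring the 5m blackhole, while sources whose resets are spread out never overflow. The AdGuard Home log line shape, the IPs and the bucket arithmetic are simplified assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Matches "connection reset by peer" read errors on the DoT listener (port 853). The line
# shape is a constructed assumption modelled on Go-style AdGuard Home logs; adjust it to yours.
RESET_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?:853->"
                      r"(?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3}):\d+: read: connection reset by peer$")

def parse_reset(line):
    """Return (timestamp, remote_ip) for a DoT reset error line, None for anything else."""
    m = RESET_RE.search(line)
    return (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["remote_ip"]) if m else None

class LeakyBucket:
    """Simplified per-source_ip leaky bucket: capacity 5, leakspeed 10m, blackhole 5m."""
    def __init__(self, capacity=5, leakspeed=timedelta(minutes=10), blackhole=timedelta(minutes=5)):
        self.capacity, self.leakspeed, self.blackhole = capacity, leakspeed, blackhole
        self.level = {}       # source_ip -> (fill level, time of last event)
        self.blackholed = {}  # source_ip -> time until which new overflows are suppressed
    def push(self, ts, ip):
        """Account one event; return True when the bucket for ip overflows (ban decision)."""
        if ts < self.blackholed.get(ip, ts):
            return False
        level, last = self.level.get(ip, (0.0, ts))
        level = max(0.0, level - (ts - last) / self.leakspeed) + 1  # one unit leaks per leakspeed
        if level > self.capacity:
            self.level.pop(ip, None)  # bucket is emptied on overflow
            self.blackholed[ip] = ts + self.blackhole
            return True
        self.level[ip] = (level, ts)
        return False

def reset_line(ts, ip):
    """Build a constructed reset-error line for the sample log below."""
    return f"{ts} [error] dnsproxy: handling tls conn: read tcp 10.0.0.2:853->{ip}:50012: read: connection reset by peer"

# Constructed sample log: six resets in five minutes from one scanner, one stray reset, one info line.
SAMPLE_LOG = [reset_line(f"2026/06/01 10:0{i}:00", "198.51.100.7") for i in range(6)]
SAMPLE_LOG += [reset_line("2026/06/01 10:02:30", "203.0.113.9"),
               "2026/06/01 10:03:00 [info] dnsproxy: starting dns proxy server"]

def banned_ips(lines):
    """Run lines through parser and scenario; return the IPs whose bucket overflowed."""
    bucket, banned = LeakyBucket(), []
    for line in lines:
        parsed = parse_reset(line)
        if parsed and bucket.push(*parsed):
            banned.append(parsed[1])
    return banned
```

A hubtest for the real scenario should assert exactly this kind of overflow on the 6-event fixture rather than zero results, which is the gap the review above points out.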