crowdsecurity/iptables, iptables-scan-multi_ports never alerts on scan #1081
Comments
Uncommented debug flag in /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml and got this:
Is the parser choking on my iptables entries in kern.log?
Never mind
Still fails to alert or act, but I don't know why.
Hello @Mist-Hunter! Would you mind sharing some sample logs so I can see if the parser / scenario is failing? Thanks,
Thank you for the quick reply :) Which log would you like a sample of? Also, do I need any debug flags on?
Hello @Mist-Hunter, a sample of your iptables logs please :)
Logs attached, and also here: https://transfer.sh/gR6nhP/iptables.log.tar.gz
Dashboard after test:
Installed parsers, bouncers, scenarios:
root@crowdsecDev 09:15:13 /var/log → cscli hub list
INFO[14-12-2021 09:16:02 AM] Loaded 26 collecs, 32 parsers, 47 scenarios, 3 post-overflow parsers
INFO[14-12-2021 09:16:02 AM] unmanaged items : 2 local, 0 tainted
INFO[14-12-2021 09:16:02 AM] PARSERS:
-------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.7 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.1 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/whitelists ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/iptables-logs ✔️ enabled 0.2 /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 1.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
-------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------------
crowdsecurity/ssh-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf ✔️ enabled 0.2 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
trigger-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/trigger-example.yaml
leaky-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/leaky-example.yaml
crowdsecurity/iptables-scan-multi_ports ✔️ enabled 0.1 /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
-----------------------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] COLLECTIONS:
--------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------
crowdsecurity/iptables ✔️ enabled 0.1 /etc/crowdsec/collections/iptables.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
--------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------
Though this edit has made no impact on my results, I have edited the bouncer config as I have disabled IPv6 on my system.
How I'm installing in the Debian 11.1 VM that I'm testing in:
iptables -A INPUT -m state --state NEW -m comment --comment "Apt, crowdsec, up.sh: Log new connections" -j LOG
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install crowdsec -y
apt install crowdsec-firewall-bouncer-iptables -y
cscli collections install crowdsecurity/iptables
systemctl reload crowdsec
As above, the nmap command that generated the ~130k packets in a scan:
The 'leaky-example.yaml' listed in the hub list. I added this to have something that leaked more slowly than the default scenario, though I don't think that is the problem.
cat << EOT > /etc/crowdsec/scenarios/leaky-example.yaml
type: leaky
debug: true
name: demo/leaky-example
description: "detect cool stuff"
filter: "evt.Meta.log_type == 'iptables_drop' and evt.Parsed.proto == 'TCP'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 1m
blackhole: 1m
labels:
  type: scan
EOT
From the logs that you sent, it seems that you run the nmap from a private IP (which are whitelisted by default by the
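A runnable model of what this thread works through, added here as an illustration and not code from crowdsec or from the thread: it parses the iptables LOG lines that the rule above writes to kern.log, replays them through one bucket per source IP using the leaky-example.yaml parameters (groupby source IP, distinct destination port, capacity 15, leakspeed 1m), and applies the private-range whitelist the maintainer points to. The bucket is a simplified model of crowdsec's leaky bucket, the RFC1918 list assumes that is what the default whitelists parser covers, and the log lines, hostname crowdsecDev and source addresses are constructed; with the whitelist on, the LAN scanner from the issue never reaches a bucket, while the same scan from a public address alerts.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fields the iptables LOG target writes to kern.log (the user's rule adds no "DROP:" prefix).
KERN_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?")
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed default whitelist

def parse_kern_line(line):
    """Extract what the scenario filters on (source_ip, proto, dst_port) plus the timestamp."""
    return (m := KERN_RE.search(line)) and {"source_ip": m["src"], "proto": m["proto"],
            "dst_port": m["dpt"], "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}

class DistinctLeakyBucket:  # simplified model (an assumption), not crowdsec's own implementation
    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed, self.tokens, self.last_leak = capacity, leakspeed, [], None
    def feed(self, distinct, ts):
        self.last_leak = self.last_leak or ts
        leaked = int((ts - self.last_leak) / self.leakspeed)   # one token drains per leakspeed
        del self.tokens[:leaked]
        self.last_leak += leaked * self.leakspeed
        if distinct not in self.tokens:                        # a repeated port adds nothing
            self.tokens.append(distinct)
        if len(self.tokens) <= self.capacity:
            return False
        self.tokens.clear()                                    # overflow: alert once, then reset
        return True

def scan_alerts(lines, capacity=15, leakspeed=timedelta(minutes=1), whitelist_private=True):
    """Replay kern.log lines through one bucket per source IP; return the IPs that overflowed."""
    buckets, alerts = {}, []
    for line in lines:
        evt = parse_kern_line(line)
        if not evt or evt["proto"] != "TCP" or evt["dst_port"] is None:
            continue                                           # filter: logged TCP packets only
        if whitelist_private and any(ip_address(evt["source_ip"]) in n for n in PRIVATE_NETS):
            continue                                           # LAN sources never reach a bucket
        bucket = buckets.setdefault(evt["source_ip"], DistinctLeakyBucket(capacity, leakspeed))
        if bucket.feed(evt["dst_port"], evt["ts"]):
            alerts.append(evt["source_ip"])
    return alerts

def _lines(src, step, ports, start=datetime(2021, 12, 14, 9, 30)):  # constructed kern.log lines
    return [f"{start + i * step:%b %d %H:%M:%S} crowdsecDev kernel: [12.3] IN=eth0 OUT= SRC={src} "
            f"DST=172.27.0.10 LEN=44 TTL=48 PROTO=TCP SPT=40000 DPT={p} WINDOW=1024 SYN"
            for i, p in enumerate(ports)]
SAMPLE_LOG = (_lines("172.27.0.192", timedelta(seconds=1), range(1, 21))    # LAN nmap, as in the issue
              + _lines("203.0.113.7", timedelta(seconds=1), range(1, 21))   # same scan, public source
              + _lines("198.51.100.9", timedelta(seconds=61), range(1, 21)))  # one port a minute: drains
```

Calling scan_alerts(SAMPLE_LOG) returns only the public scanner; passing whitelist_private=False makes the 172.27.0.192 scan alert too, which is the behaviour the reporter saw once scanning from a non-whitelisted address.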
Awesome, thanks for the help. Will report back shortly.
It immediately worked! Sorry I missed that. Thank you so much for your help, I'm very excited to use this :)
root@crowdsecDev 09:38:09 ~ → cscli alerts list
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| ID | VALUE | REASON | COUNTRY | AS | DECISIONS | CREATED AT |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| 4 | Ip:172.27.0.192 | crowdsecurity/iptables-scan-multi_ports | | 0 | ban:1 | 2021-12-14 09:38:34.390419721 |
| | | | | | | -0800 -0800 |
| 3 | Ip:172.27.0.192 | demo/leaky-example | | 0 | | 2021-12-14 09:38:34.390916277 |
| | | | | | | -0800 -0800 |
| 2 | Ip:172.27.0.192 | demo/trigger-example | | 0 | ban:1 | 2021-12-14 09:38:35.406821133 |
| | | | | | | -0800 -0800 |
| 1 | crowdsec/community-blocklist | update : +1279/-0 IPs | | | ban:1279 | 2021-12-14 08:41:07 -0800 |
| | | | | | | -0800 |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
root@crowdsecDev 09:40:56 ~ → ipset list crowdsec-blacklists | grep 172.27.0.192
172.27.0.192 timeout 14245
I spent many hours prior to posting this due to being a brand new user and feeling quite sure I'm doing something wrong. But I can't figure out what.
Debian 11.1, Ubuntu 20.04.3 LTS
I'm scanning the crowdsec machine with Kali / nmap and tail -f kern.log, watching the packets pour into the log. I have tried on Debian and Ubuntu. I must be missing something basic. Posting here as a plea for help, or in case this is a legit issue. So excited to use this great tool, thank you!
example nmap command
In your tutorial: https://docs.crowdsec.net/docs/scenarios/create
You show kernel output:
My rule, below, which is modeled off the recommended rule here: https://hub.crowdsec.net/author/crowdsecurity/configurations/iptables-logs , does not prepend the log entry with "DROP:", but is otherwise identical.
Iptables rule
The only alert I ever see is: