crowdsecurity/iptables, iptables-scan-multi_ports never alerts on scan #1081
Labels
kind/bug
Something isn't working
Comments
|
ucommented debug flag in /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml and got this: Is the parser choking on my iptable entries in kern.log? |
|
Nevermind |
|
Still fails to alert or act, but I don't know why. |
|
Hello @Mist-Hunter ! Would you mind sharing a sample logs so I can see if the parser / scenario is failing ? Thanks, |
|
Thank you for the quick reply :) Which log would you like a sample of? Also, do I need any debug flags on? |
|
Hello @Mist-Hunter, A sample of your iptables logs please :) |
|
Logs attached, and also here: https://transfer.sh/gR6nhP/iptables.log.tar.gz Dashboard after test: Installed parsers, bouncers, scenarios: root@crowdsecDev 09:15:13 /var/log → cscli hub list
INFO[14-12-2021 09:16:02 AM] Loaded 26 collecs, 32 parsers, 47 scenarios, 3 post-overflow parsers
INFO[14-12-2021 09:16:02 AM] unmanaged items : 2 local, 0 tainted
INFO[14-12-2021 09:16:02 AM] PARSERS:
-------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.7 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.1 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/whitelists ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/iptables-logs ✔️ enabled 0.2 /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 1.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
-------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------------
crowdsecurity/ssh-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf ✔️ enabled 0.2 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
trigger-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/trigger-example.yaml
leaky-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/leaky-example.yaml
crowdsecurity/iptables-scan-multi_ports ✔️ enabled 0.1 /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
-----------------------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] COLLECTIONS:
--------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------
crowdsecurity/iptables ✔️ enabled 0.1 /etc/crowdsec/collections/iptables.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
--------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------Though this edit has made no impact on my results, I have edited the bouncer config as I have disabled IPv6 on my system. How I'm installing in Debian 11.1 VM that I'm testing in: iptables -A INPUT -m state --state NEW -m comment --comment "Apt, crowdsec, up.sh: Log new connections" -j LOG
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install crowdsec -y
apt install crowdsec-firewall-bouncer-iptables -y
cscli collections install crowdsecurity/iptables
systemctl reload crowdsecAs above, the NMAP command that generated the 130k~ packets in a scan: The 'leaky-example.yaml' listed in the hub list. I added this to have something that leaked more slowly than the default scenario, though I don't think that is the problem. cat << EOT > /etc/crowdsec/scenarios/leaky-example.yaml
type: leaky
debug: true
name: demo/leaky-example
description: "detect cool stuff"
filter: "evt.Meta.log_type == 'iptables_drop' and evt.Parsed.proto == 'TCP'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 1m
blackhole: 1m
labels:
type: scan
EOT |
|
From the logs that you sent, it seems that you run the nmap from a private IP (which are whitelisted by default by the |
|
Awesome, thanks for the help. Will report back shortly. |
|
It immediately worked! Sorry I missed that. Thank you so much for your help, I'm very excited to use this :) root@crowdsecDev 09:38:09 ~ → cscli alerts list
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| ID | VALUE | REASON | COUNTRY | AS | DECISIONS | CREATED AT |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| 4 | Ip:172.27.0.192 | crowdsecurity/iptables-scan-multi_ports | | 0 | ban:1 | 2021-12-14 09:38:34.390419721 |
| | | | | | | -0800 -0800 |
| 3 | Ip:172.27.0.192 | demo/leaky-example | | 0 | | 2021-12-14 09:38:34.390916277 |
| | | | | | | -0800 -0800 |
| 2 | Ip:172.27.0.192 | demo/trigger-example | | 0 | ban:1 | 2021-12-14 09:38:35.406821133 |
| | | | | | | -0800 -0800 |
| 1 | crowdsec/community-blocklist | update : +1279/-0 IPs | | | ban:1279 | 2021-12-14 08:41:07 -0800 |
| | | | | | | -0800 |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+root@crowdsecDev 09:40:56 ~ → ipset list crowdsec-blacklists | grep 172.27.0.192
172.27.0.192 timeout 14245 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I spent many hours prior to posting this due to being a brand new user and feeling quite sure I'm doing something wrong. But I can't figure out what.
Debian 11.1, Ubuntu 20.04.3 LTS
I'm scanning the crowdsec machine with kali / nmap and tail -f kern.log, watching the packets pour in to the log. I have tried on debian and ubuntu. I must be missing something basic. Posting here as a plea for help, or incase this is a legit issue. So excited to use this great tool, thank you!
example nmap command
In your tutorial: https://docs.crowdsec.net/docs/scenarios/create
You show kernel output:
My rule, below, which is modeled off the recommended rule here: https://hub.crowdsec.net/author/crowdsecurity/configurations/iptables-logs , does not prepend the log entry with "DROP:", but is otherwise identical.Iptables rule
The only alert I ever see is:
The text was updated successfully, but these errors were encountered: