Whitelist user agent from file
Hi,
I'm trying to write a whitelist parser to whitelist user agents from a file (stored in parsers/s02-enrich).
This is the parser that I wrote:
```
name: si/si_wl_useragent_ai...
```
Scenarios that have hit whitelist still showing up as alerts?
I have the following whitelist enabled, as I'm on NixOS: https://github.com/crowdsecurity/hub/blob/master/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml
It should be whitelisting all binaries that follow the form of `/nix/store/*/.<binary name>-wrapped`, but it still seems to be generating alerts, like in this case:
https://gist.github.com/poperigby/97fd29e297c9843ff677d98eeef90f8e...
git-dumper requests not being blocked despite sensitive-files scenario
Hi all,
I'm having the CrowdSec + nginx bouncer setup on a server with a publicly accessible `.git/` directory. I'm using git-dumper to simulate exploitation, but CrowdSec isn't blocking the requests.
The nginx logs are correctly parsed and enriched (cscli explain confirms this)...
Diagnosing what causes "Http error 400 while talking to LAPI"
Hi everyone. We have CrowdSec deployed in production (with OpenResty bouncer if this is relevant) and even though it works properly, "Http error 400 while talking to LAPI" are regularly being thrown in the logs. These seem to happen only for certain types of requests (origin and paths)
I couldn't find any relevant information on why error 400 happens. How can we look deeper into what causes these errors, like seeing the exact contents of LAPI request that caused the error?
Thank you in advance!...
Caddy Crowdsec no metrics
Hey, I have set up caddy with my lapi server,
but I get no metrics on my local caddy server.
Is there any way I can trigger some data on my caddy server?
...
Stuck sending event
Hi there!
Yesterday our wordpress systems were under a denial of service attack from quite a large botnet. Not blocking this automatically was probably due to us not having CrowdSec properly configured, but this is something we will figure out.
However, upon looking through the logs I've found that quite often we get logs like this (a few dozen lines of the sort each time):
```
...
```
Check if decision has been successfully taken?
I'm really unsure if I've configured crowdsec to be fully functional now or not.
So `journalctl -u sshd -e` contains messages like this:
```
Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
```
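Before any decision can exist, the scenario has to extract the source IP from lines exactly like the one quoted above. The following is an added example written for this page, not the poster's configuration and not CrowdSec's own sshd parser or scenario: a small Go parser for that journalctl format, run over constructed sample lines, that counts pre-auth connection resets per source address and reports the ones that reach a threshold. The sample lines, the threshold of 3 and the acceptance of both `sshd` and `sshd-session` process names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// SSHReset holds the fields of one "Connection reset by authenticating user" line.
type SSHReset struct {
	Timestamp string
	Host      string
	PID       int
	User      string
	SourceIP  string
	Port      int
}

// resetRe matches the journalctl short format from the post; it accepts both the
// "sshd" and the newer "sshd-session" process names (assumed to be equivalent here).
var resetRe = regexp.MustCompile(
	`^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) sshd(?:-session)?\[(\d+)\]: ` +
		`Connection reset by authenticating user (\S+) (\S+) port (\d+) \[preauth\]$`)

// ParseReset parses one journal line. ok is false for any line that is not a
// pre-auth connection reset, so unrelated sshd messages are ignored rather than
// mis-attributed to a source IP.
func ParseReset(line string) (r SSHReset, ok bool) {
	m := resetRe.FindStringSubmatch(line)
	if m == nil {
		return SSHReset{}, false
	}
	pid, err := strconv.Atoi(m[3])
	if err != nil {
		return SSHReset{}, false
	}
	port, err := strconv.Atoi(m[6])
	if err != nil {
		return SSHReset{}, false
	}
	return SSHReset{Timestamp: m[1], Host: m[2], PID: pid, User: m[4], SourceIP: m[5], Port: port}, true
}

// OffendersOver counts matching lines per source IP and returns the addresses that
// reached threshold. This is a plain count for illustration, not CrowdSec's
// time-windowed leaky-bucket logic.
func OffendersOver(lines []string, threshold int) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if r, ok := ParseReset(l); ok {
			counts[r.SourceIP]++
		}
	}
	hits := map[string]int{}
	for ip, n := range counts {
		if n >= threshold {
			hits[ip] = n
		}
	}
	return hits
}

// SampleLines is constructed input modelled on the post's journal excerpt: three
// resets from one address, one from another, and one unrelated sshd message.
var SampleLines = []string{
	"Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]",
	"Jun 03 02:47:03 server sshd-session[1760291]: Connection reset by authenticating user root 45.140.17.124 port 33510 [preauth]",
	"Jun 03 02:47:06 server sshd-session[1760298]: Connection reset by authenticating user admin 45.140.17.124 port 33544 [preauth]",
	"Jun 03 02:48:10 server sshd[1760305]: Connection reset by authenticating user root 203.0.113.7 port 41002 [preauth]",
	"Jun 03 02:48:12 server sshd[1760310]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2: ED25519 SHA256:...",
}

func main() {
	for ip, n := range OffendersOver(SampleLines, 3) {
		fmt.Printf("%s: %d pre-auth resets\n", ip, n)
	}
}
```

If a line like the one in the post does not produce a match here, the regular expression is the first thing to compare against the raw journal text (process name, timestamp format, trailing `[preauth]`); the same kind of mismatch is what makes a real parser silently drop lines.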
Find out which type for acquisition?
You have to provide the `type` of an acquisition but how do I know which are available and which is the correct one?
Discord Notification Formatting Help
I found a custom discord.yaml template online that is almost perfect for me, however, it didn't have the `target_fqdn` in it. I've been trying to figure out how to add it with the same style as the rest of the notification. As you see in the image everything is printing correctly but I can't get each `target_fqdn` to be surrounded with backticks. Any help is appreciated.
Below is part of the fields section of my discord.yaml...
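CrowdSec notification `format` strings are Go text/template templates, so wrapping every value in backticks is a `range` over the list with a literal backtick written on each side of the element. The following is an added example written for this page, not code from the poster's discord.yaml or from CrowdSec: the `Alert` struct and its `Targets` field are an assumed, simplified stand-in for the real template context (the field that carries target_fqdn is not shown in the excerpt), and the sample alert is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Alert is an assumed, simplified shape of the data handed to the template; the real
// CrowdSec notification context has more fields and different names.
type Alert struct {
	SourceIP string
	Scenario string
	Targets  []string // hypothetical list of target_fqdn values for the alert
}

// fieldTmpl renders one field value the way the post wants it: every FQDN in
// backticks, comma-separated, with a fallback when the list is empty. A backtick
// cannot appear inside a Go raw string, so the template uses the "\x60" escape.
const fieldTmpl = "{{.Scenario}} from {{.SourceIP}} on " +
	"{{if .Targets}}{{range $i, $t := .Targets}}{{if $i}}, {{end}}\x60{{$t}}\x60{{end}}{{else}}(no target_fqdn){{end}}"

var tmpl = template.Must(template.New("field").Parse(fieldTmpl))

// RenderField executes the template for one alert and returns the rendered text.
func RenderField(a Alert) (string, error) {
	var sb strings.Builder
	if err := tmpl.Execute(&sb, a); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample alert; the values are illustrative, not from a real LAPI.
	a := Alert{
		SourceIP: "203.0.113.7",
		Scenario: "crowdsecurity/http-probing",
		Targets:  []string{"www.example.com", "api.example.com"},
	}
	out, err := RenderField(a)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The `{{if $i}}, {{end}}` inside the range emits the separator only from the second element on, which is what keeps the rendered field free of a leading or trailing comma; inside a YAML `format:` value the same template text applies, with the backticks typed literally.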
Need a help for Post "https://api.crowdsec.net/v3/watchers": net/http: TLS handshake timeout
Hi, CrowdSec,
I got this problem after restarting my crowdsec container last week.
And then, I tried to reconstruct the container like a new installation with the following steps:...
auth.log seems to not get parsed
It seems my crowdsec instance is not parsing auth.log file from ubuntu linux.
I am running the crowdsec container, I have my auth.log mounted in the docker container.
Here is the metrics output:
```
(metrics table truncated)
```
apache bouncer
hello, I can't install the apache bouncer on this page https://app.crowdsec.net/alerts...
`runtime stderr: creating `/etc/crowdsec/acquis.d`: openat2 `etc/crowdsec/acquis.d`: No such file or
Hi! I'm trying to set up through docker but I'm getting the following error message:
```
Error: crun: creating `/etc/crowdsec/acquis.d`: openat2 `etc/crowdsec/acquis.d`: No such file or directory: OCI runtime attempted to invoke a command that was not found
```
I'm using NixOS so the config is written in `nix` but I hope it's fine:...
How to confirm if blocking?
Hi all, possibly a silly question. I have CrowdSec protecting a Caddy reverse proxy. Also getting stats through to cloud CrowdSec dashboard. I can see it is detecting and alerting, does the screenshot also confirm it would be blocking these? I do have the firewall bouncer installed on the Caddy server as well.

Migrating LAPI
Hi there!
We are in the midst of migrating a lot of our VMs between Proxmox servers and CrowdSec is up next. I couldn't find any documentation on how one could migrate the LAPI.
We have a ton of bouncers connected to it, and I would like to migrate all the data without having to revalidate machines or do anything with the bouncers, all with minimal downtime. (I will be transferring the old machine's IP address to the new one)
Is there a recommended way to do this?...
private blocklist for development
I'm doing some development of the CrowdSec integration with mikrotik, and I'd like to test some edge cases with specific addresses being blocked permanently.
How can I create a blocklist, add a specific IP address to it (from a class C CIDR) without a TTL, and subscribe to it to test it on my device (and no one else)?
Assuming the cheapest option...