CrowdSec•8mo ago

Suricata scenario and slow scan

I just install crowdsec on my homelab. I just run some service for the family with traefik I don't send many alert to crowdsec because I have some geoip protection, oisd unboud protection etc. My goal is to send some alert to crowdsec. I want participate 🙂 I just install crowdsec on my opnsense firewall. I enable suricata on the wan I see some alert on my opnsense log like that :

    WAN        2025-02-12T09:12:02    194.180.49.220:43138    MY.WAN.IP:26724    tcp    Default deny / state violation rule    
    WAN        2025-02-12T09:06:24    194.180.49.220:43138    MY.WAN.IP:27173    tcp    Default deny / state violation rule    
    WAN        2025-02-12T09:04:45    194.180.49.220:43138    MY.WAN.IP:27777    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:55:42    194.180.49.220:43138    MY.WAN.IP:27202    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:52:43    194.180.49.220:43138    MY.WAN.IP:26075    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:52:16    194.180.49.220:43138    MY.WAN.IP:26735    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:47:25    194.180.49.220:43138    MY.WAN.IP:27035    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:42:49    194.180.49.220:43138    MY.WAN.IP:27848    tcp    Default deny / state violation rule

    WAN        2025-02-12T09:12:02    194.180.49.220:43138    MY.WAN.IP:26724    tcp    Default deny / state violation rule    
    WAN        2025-02-12T09:06:24    194.180.49.220:43138    MY.WAN.IP:27173    tcp    Default deny / state violation rule    
    WAN        2025-02-12T09:04:45    194.180.49.220:43138    MY.WAN.IP:27777    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:55:42    194.180.49.220:43138    MY.WAN.IP:27202    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:52:43    194.180.49.220:43138    MY.WAN.IP:26075    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:52:16    194.180.49.220:43138    MY.WAN.IP:26735    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:47:25    194.180.49.220:43138    MY.WAN.IP:27035    tcp    Default deny / state violation rule    
    WAN        2025-02-12T08:42:49    194.180.49.220:43138    MY.WAN.IP:27848    tcp    Default deny / state violation rule

I think I understand that this scan is too slow for the suricata scenario to work. The source ip is 100% on AbuseIPDB. I know I'm protected against that but it's just to help other. what can I do ? I'm here to learn 🙂

1 Reply

CrowdSec•8mo ago

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

Gaming

Programming

Suricata scenario and slow scan

Did you find this page helpful?