Pocket-Id Scenario

RNab · 2025-05-08T00:47:43.769Z

Hey, I’d like to create a scenarios for Pocket Id that would ban a user trying to access a ressource that is forbidden. Problem is I see the logs are multi-line. Something like : [GIN] 2025/05/08 - 00:44:41 | 403 | 1.583982ms | a.b.c.d | POST "/api/oidc/authorize" Error #01: You're not allowed to access this service So abcd isn’t allowed to access the service and therefore should be banned. Is that possible ?

C

CrowdSec•5/8/25, 12:47 AM

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command

/resolve

/resolve

or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

•

5/8/25, 12:47 AM

B

blotus•5/8/25, 12:25 PM

We do support multiline logs, but they need to have a common thing between them, which is not the case here.

Looking at your example, I don't think parsing multiple lines is required ? Just matching on the

on the 1st line would be enough no ?

If so, you can refer to this doc to create a new parser, and to this one to create a new scenario

Creating parsers | CrowdSec

Foreword

Creating scenarios | CrowdSec

All the examples assume that you have read the Creating parsers documentation.

R

RNabOP•5/9/25, 1:41 AM

You’re absolutely right

R

RNabOP•5/9/25, 1:41 AM

Let me look into it then

D

DJKatastrof•6/5/25, 6:30 PM

Hey, I just did parsers and scenarios for pocket-id.
I did get it to read my logs, but every time I tried to use a login code or wrong passkey it didn't read the 401, 400 or 429 error code as different attempts.
did you get any further?

D

DJKatastrof•6/6/25, 11:43 AM

I think i manged to solve it,

scenario

type: leaky
name: crowdsecurity/pocketid-error-limit
description: "Ban IPs that generate multiple 400/403/429 errors in Pocket-ID"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['429','400']"
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: "4h"
blackhole: "4h"
labels:
  service: http
  type: bruteforce
  remediation: true

type: leaky
name: crowdsecurity/pocketid-error-limit
description: "Ban IPs that generate multiple 400/403/429 errors in Pocket-ID"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['429','400']"
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: "4h"
blackhole: "4h"
labels:
  service: http
  type: bruteforce
  remediation: true

type: leaky
name: crowdsecurity/pocketid-error-limit
description: "Ban IPs that generate multiple 400/403/429 errors in Pocket-ID"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['429','400']"
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: "4h"
blackhole: "4h"
labels:
  service: http
  type: bruteforce
  remediation: true

type: leaky
name: crowdsecurity/pocketid-error-limit
description: "Ban IPs that generate multiple 400/403/429 errors in Pocket-ID"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['429','400']"
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: "4h"
blackhole: "4h"
labels:
  service: http
  type: bruteforce
  remediation: true

parser

onsuccess: next_stage
debug: false
filter: "evt.Parsed.program == 'pocket-id'"
name: crowdsecurity/pocketid-logs
description: "Parse Pocket-ID logs from journald"
nodes:
  - grok:
      apply_on: message
      pattern: '\[GIN\] %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} - %{TIME:time} \| %{INT:http_status} \| %{DATA:duration} \|>
      statics:
        - meta: service
          value: http
        - meta: source_ip
          expression: evt.Parsed.client_ip
        - meta: http_status
          expression: evt.Parsed.http_status
        - meta: log_type
          value: pocketid_access

onsuccess: next_stage
debug: false
filter: "evt.Parsed.program == 'pocket-id'"
name: crowdsecurity/pocketid-logs
description: "Parse Pocket-ID logs from journald"
nodes:
  - grok:
      apply_on: message
      pattern: '\[GIN\] %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} - %{TIME:time} \| %{INT:http_status} \| %{DATA:duration} \|>
      statics:
        - meta: service
          value: http
        - meta: source_ip
          expression: evt.Parsed.client_ip
        - meta: http_status
          expression: evt.Parsed.http_status
        - meta: log_type
          value: pocketid_access

onsuccess: next_stage
debug: false
filter: "evt.Parsed.program == 'pocket-id'"
name: crowdsecurity/pocketid-logs
description: "Parse Pocket-ID logs from journald"
nodes:
  - grok:
      apply_on: message
      pattern: '\[GIN\] %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} - %{TIME:time} \| %{INT:http_status} \| %{DATA:duration} \|>
      statics:
        - meta: service
          value: http
        - meta: source_ip
          expression: evt.Parsed.client_ip
        - meta: http_status
          expression: evt.Parsed.http_status
        - meta: log_type
          value: pocketid_access

onsuccess: next_stage
debug: false
filter: "evt.Parsed.program == 'pocket-id'"
name: crowdsecurity/pocketid-logs
description: "Parse Pocket-ID logs from journald"
nodes:
  - grok:
      apply_on: message
      pattern: '\[GIN\] %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} - %{TIME:time} \| %{INT:http_status} \| %{DATA:duration} \|>
      statics:
        - meta: service
          value: http
        - meta: source_ip
          expression: evt.Parsed.client_ip
        - meta: http_status
          expression: evt.Parsed.http_status
        - meta: log_type
          value: pocketid_access

D

DJKatastrof•6/6/25, 11:44 AM

aquis.yaml

# SSH service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

# PocketID service acquisition  
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=pocketid.service"
labels:
  type: syslog

# Traditional file-based logs
---
source: file
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog

# SSH service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

# PocketID service acquisition  
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=pocketid.service"
labels:
  type: syslog

# Traditional file-based logs
---
source: file
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog

# SSH service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

# PocketID service acquisition  
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=pocketid.service"
labels:
  type: syslog

# Traditional file-based logs
---
source: file
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog

# SSH service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

# PocketID service acquisition  
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=pocketid.service"
labels:
  type: syslog

# Traditional file-based logs
---
source: file
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog

D

DJKatastrof•6/6/25, 12:49 PM

@blotus , sorry if I ping you, but does my scenario look good? im not completly sure about leakspeed and blackhole

B

blotus•6/6/25, 2:07 PM

they do seem a bit high

Leakspeed is the speed at which events will be removed from the bucket: here you are removing 1 event every 4h, so this means that triggering more than 2 400 or 429 in a 4h window will lead to a ban, which I find a bit aggressive.
Typically, you want something in the order of seconds or minutes.

Blackhole tells crowdsec to not create an alert if the same IP triggers the scenarios again during this period.
1 or 2 minutes is often enough to avoid issues with alert spamming

D

DJKatastrof•6/6/25, 3:52 PM

Oh thank you. Any recommendations?

D

DJKatastrof•6/6/25, 3:57 PM

10s leakspeed, blackhole 1m?

D

DJKatastrof•6/6/25, 6:28 PM

I changed to,
capacity: 2
leakspeed: "5m"
blackhole: "1h"

R

RNabOP•6/10/25, 2:41 PM

Hey. Will you make them available in crowdsec hub ?

D

DJKatastrof•6/10/25, 3:22 PM

I can try, but I don't know how to do that

is there a guide somewhere?

B

blotus•6/10/25, 4:02 PM

We have some basic documentation here: https://docs.crowdsec.net/docs/next/contributing/contributing_hub

Hub | CrowdSec

Parsers, Scenarios, Collections allow the Security Engine to detect and block malevolent behavior.

Pocket-Id Scenario

Similar Threads

Similar Threads

Similar Threads