CrowdSec4mo ago
RNab

Pocket-Id Scenario

Hey, I’d like to create a scenario for Pocket-ID that would ban a user trying to access a resource that is forbidden. Problem is I see the logs are multi-line. Something like:

[GIN] 2025/05/08 - 00:44:41 | 403 | 1.583982ms | a.b.c.d | POST "/api/oidc/authorize"
Error #01: You're not allowed to access this service

So a.b.c.d isn’t allowed to access the service and therefore should be banned. Is that possible?
9 Replies
CrowdSec
CrowdSec4mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
blotus
blotus4mo ago
We do support multiline logs, but they need to have a common thing between them, which is not the case here. Looking at your example, I don't think parsing multiple lines is required? Just matching on the 403 on the 1st line would be enough, no? If so, you can refer to this doc to create a new parser, and to this one to create a new scenario.
Creating scenarios | CrowdSec
All the examples assume that you have read the Creating parsers documentation.
RNab
RNabOP4mo ago
You’re absolutely right. Let me look into it then.
DJKatastrof
DJKatastrof3mo ago
Hey, I just did parsers and scenarios for pocket-id. I did get it to read my logs, but every time I tried to use a login code or wrong passkey it didn't read the 401, 400 or 429 error code as different attempts. Did you get any further? I think I managed to solve it.

Scenario:
type: leaky
name: crowdsecurity/pocketid-error-limit
description: "Ban IPs that generate multiple 400/403/429 errors in Pocket-ID"
# the description mentions 403, but this filter only matches 400 and 429
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['429','400']"
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: "4h"
blackhole: "4h"
labels:
  service: http
  type: bruteforce
  remediation: true
Parser:
onsuccess: next_stage
debug: false
filter: "evt.Parsed.program == 'pocket-id'"
name: crowdsecurity/pocketid-logs
description: "Parse Pocket-ID logs from journald"
nodes:
  - grok:
      apply_on: message
      # pattern is cut off after the duration field in the paste
      pattern: '\[GIN\] %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} - %{TIME:time} \| %{INT:http_status} \| %{DATA:duration} \|>
    statics:
      - meta: service
        value: http
      - meta: source_ip
        expression: evt.Parsed.client_ip
      - meta: http_status
        expression: evt.Parsed.http_status
      - meta: log_type
        value: pocketid_access
acquis.yaml:
# SSH service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

# PocketID service acquisition
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=pocketid.service"
labels:
  type: syslog

# Traditional file-based logs
---
source: file
filenames:
  - /var/log/syslog
  - /var/log/messages
labels:
  type: syslog
@blotus, sorry if I ping you, but does my scenario look good? I'm not completely sure about leakspeed and blackhole.
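An added example (not code from the thread or from the CrowdSec or Pocket-ID projects) that replays the parser and scenario filter above in plain Python, and also illustrates blotus's earlier point that only the first line of the gin output needs matching. The regex mirrors the posted grok pattern; its tail after the duration field (client IP, HTTP method, quoted path) is an assumption taken from the access line quoted in the opening post, and the padding spaces are tolerated because gin pads those columns. The sample lines are constructed; every path other than /api/oidc/authorize is made up. Only the message part is parsed, i.e. what the syslog stage would leave in evt.Parsed.message.

```python
import re
from typing import Optional

# Regex twin of the posted grok pattern. Everything after the duration column
# (client IP, method, quoted path) is assumed from the line in the opening post.
GIN_ACCESS = re.compile(
    r'^\[GIN\] (?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2}) - (?P<time>\d{2}:\d{2}:\d{2})'
    r' \|\s*(?P<http_status>\d{3})\s*\|\s*(?P<duration>[^|]*?)\s*\|\s*(?P<client_ip>[^|\s]+)\s*\|'
    r'\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the evt.Meta fields the parser's statics would set, or None when the
    line is not a gin access line (e.g. the "Error #01: ..." continuation line)."""
    m = GIN_ACCESS.match(line)
    if m is None:
        return None
    return {
        "service": "http",
        "source_ip": m["client_ip"],
        "http_status": m["http_status"],  # kept as a string, as the scenario compares strings
        "log_type": "pocketid_access",
        "path": m["path"],
    }


def scenario_events(lines, statuses=("429", "400")):
    """Apply the scenario filter (service == 'http' && http_status in statuses) to each
    parsed line and return the (source_ip, http_status) pairs that would be poured
    into the per-IP bucket. The default statuses match the posted filter."""
    hits = []
    for line in lines:
        meta = parse_line(line)
        if meta and meta["service"] == "http" and meta["http_status"] in statuses:
            hits.append((meta["source_ip"], meta["http_status"]))
    return hits


# Constructed sample: the opening post's 403 plus its continuation line, a harmless
# 200, and a 429 and 400 from a second address. Addresses are documentation ranges.
SAMPLE_LINES = [
    '[GIN] 2025/05/08 - 00:44:41 | 403 |    1.583982ms |   203.0.113.7 | POST     "/api/oidc/authorize"',
    "Error #01: You're not allowed to access this service",
    '[GIN] 2025/05/08 - 00:44:45 | 200 |     0.8124ms |   203.0.113.7 | GET      "/api/example"',
    '[GIN] 2025/05/08 - 00:45:02 | 429 |      1.02ms |  198.51.100.9 | POST     "/api/example"',
    '[GIN] 2025/05/08 - 00:45:03 | 400 |      0.97ms |  198.51.100.9 | POST     "/api/example"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("posted filter (400/429):", scenario_events(SAMPLE_LINES))
    print("with 403 as well:       ", scenario_events(SAMPLE_LINES, ("400", "403", "429")))
```

The continuation line never matches, so it simply falls through the parser; the 403 that the opening post wants to act on is parsed fine but is dropped by the posted filter until '403' is added to the status list.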
blotus
blotus3mo ago
They do seem a bit high 🙂 Leakspeed is the speed at which events will be removed from the bucket: here you are removing 1 event every 4h, so this means that triggering more than 2 400s or 429s in a 4h window will lead to a ban, which I find a bit aggressive. Typically, you want something in the order of seconds or minutes. Blackhole tells crowdsec to not create an alert if the same IP triggers the scenario again during this period. 1 or 2 minutes is often enough to avoid issues with alert spamming.
DJKatastrof
DJKatastrof3mo ago
Oh thank you. Any recommendations? 10s leakspeed, blackhole 1m? I changed to:
capacity: 2
leakspeed: "5m"
blackhole: "1h"
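An added simulation (not code from the thread or from CrowdSec) of the leaky-bucket semantics blotus describes, run over the posted 4h/4h values and the 5m/1h values chosen above. The bucket model is a simplification: it drains continuously at one event per leakspeed, an event that pushes the level above capacity is an overflow, the bucket is emptied on overflow, and further overflows for the same key within the blackhole window raise no alert. The event timeline is constructed (times are seconds from an arbitrary origin, addresses are documentation ranges).

```python
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(text: str) -> float:
    """Parse a CrowdSec-style duration such as "4h", "5m", "10s" or "1h30m" into seconds."""
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return float(sum(int(n) * UNITS[u] for n, u in parts))


@dataclass
class LeakyBucket:
    """Simplified model of one leaky bucket for one groupby key (here: one source IP)."""
    capacity: int
    leakspeed: float          # seconds per leaked event
    blackhole: float          # seconds during which repeat overflows are silenced
    level: float = 0.0
    last_seen: float = 0.0
    blackholed_until: float = -1.0

    def pour(self, now: float) -> bool:
        """Add one event at time `now` (seconds). Returns True if an alert fires."""
        # drain whatever has leaked since the previous event, then add this one
        self.level = max(0.0, self.level - (now - self.last_seen) / self.leakspeed)
        self.last_seen = now
        self.level += 1.0
        if self.level <= self.capacity:
            return False
        self.level = 0.0                  # overflow: the bucket is torn down
        if now < self.blackholed_until:
            return False                  # overflow silenced by the blackhole
        self.blackholed_until = now + self.blackhole
        return True


def run_scenario(events, capacity: int, leakspeed: str, blackhole: str):
    """Replay (time, source_ip) events through per-IP buckets; return the alerts fired."""
    leak, hole = parse_duration(leakspeed), parse_duration(blackhole)
    buckets: dict = {}
    alerts = []
    for when, ip in sorted(events):
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leak, hole))
        if bucket.pour(when):
            alerts.append((when, ip))
    return alerts


# Constructed timeline of filtered events (400/429 responses):
EVENTS = [
    # a legitimate user mistypes a login code three times over half an hour
    (0, "203.0.113.7"), (600, "203.0.113.7"), (1800, "203.0.113.7"),
    # a scripted client hammers the endpoint: two bursts of three, 30 s apart
    (5000, "198.51.100.9"), (5002, "198.51.100.9"), (5004, "198.51.100.9"),
    (5030, "198.51.100.9"), (5032, "198.51.100.9"), (5034, "198.51.100.9"),
]

if __name__ == "__main__":
    print("posted 4h/4h :", run_scenario(EVENTS, 2, "4h", "4h"))
    print("chosen 5m/1h :", run_scenario(EVENTS, 2, "5m", "1h"))
    print("5m, no hole  :", run_scenario(EVENTS, 2, "5m", "0s"))
```

With leakspeed 4h the slow, human-paced user overflows on the third mistake; with 5m each mistake has leaked away before the next arrives and only the burst from the second address trips the bucket. The blackhole then decides whether the second burst 30 s later produces a second alert (no hole) or is swallowed (1h).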
RNab
RNabOP3mo ago
Hey. Will you make them available in the CrowdSec hub?
DJKatastrof
DJKatastrof3mo ago
I can try, but I don't know how to do that 😅 Is there a guide somewhere?
blotus
blotus3mo ago
Hub | CrowdSec
Parsers, Scenarios, Collections allow the Security Engine to detect and block malevolent behavior.