CrowdSec•3mo ago

Scenarios that have hit whitelist still showing up as alerts?

I have the following whitelist enabled, as I'm on NixOS: https://github.com/crowdsecurity/hub/blob/master/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml It should be whitelisting all binaries that start follow the form of /nix/store/*/.<binary name>-wrapped, but it still seems to be generating alerts, like in this case: https://gist.github.com/poperigby/97fd29e297c9843ff677d98eeef90f8e Why is this happening?

GitHub

hub/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-w...

Main repository for crowdsec scenarios/parsers. Contribute to crowdsecurity/hub development by creating an account on GitHub.

Gist

gist:97fd29e297c9843ff677d98eeef90f8e

GitHub Gist: instantly share code, notes, and snippets.

6 Replies

CrowdSec•3mo ago

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

PopeRigbyOP•3mo ago

My whitelist metrics are showing that the whitelist is getting hits:

╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                                         │
├─────────────────────────────────────────────────────┬─────────────────────────────┬─────────┬─────────────┤
│ Whitelist                                           │ Reason                      │ Hits    │ Whitelisted │
├─────────────────────────────────────────────────────┼─────────────────────────────┼─────────┼─────────────┤
│ crowdsecurity/auditd-nix-wrappers-whitelist-process │ Nix wrapped binaries        │ 20      │ 4           │
│ crowdsecurity/auditd-whitelisted-process            │ package managers            │ 20      │ -           │
│ crowdsecurity/whitelists                            │ private ipv4/ipv6 ip/ranges │ 1887595 │ -           │
╰─────────────────────────────────────────────────────┴─────────────────────────────┴─────────┴─────────────╯

╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                                         │
├─────────────────────────────────────────────────────┬─────────────────────────────┬─────────┬─────────────┤
│ Whitelist                                           │ Reason                      │ Hits    │ Whitelisted │
├─────────────────────────────────────────────────────┼─────────────────────────────┼─────────┼─────────────┤
│ crowdsecurity/auditd-nix-wrappers-whitelist-process │ Nix wrapped binaries        │ 20      │ 4           │
│ crowdsecurity/auditd-whitelisted-process            │ package managers            │ 20      │ -           │
│ crowdsecurity/whitelists                            │ private ipv4/ipv6 ip/ranges │ 1887595 │ -           │
╰─────────────────────────────────────────────────────┴─────────────────────────────┴─────────┴─────────────╯

iiamloz•3mo ago

The reason is the whitelist looks for exe which is /.runc-wrapped from your alerts which seems to be invoked from "parent_progname" which I guess is a symlink?

PopeRigbyOP•3mo ago

parent_progname is considered this:

/nix/store/m6hfmlrj4hw45j8j88zvvl0j7qchbck9-docker-runc-27.5.1/bin/.runc-wrapped: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /nix/store/cg9s562sa33k78m63njfn1rw47dp9z0i-glibc-2.40-66/lib/ld-linux-x86-64.so.2, BuildID[sha1]=0ef6bd7ee7b5b03e9f9e1fd13182d337f3a53020, for GNU/Linux 3.10.0, not stripped

/nix/store/m6hfmlrj4hw45j8j88zvvl0j7qchbck9-docker-runc-27.5.1/bin/.runc-wrapped: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /nix/store/cg9s562sa33k78m63njfn1rw47dp9z0i-glibc-2.40-66/lib/ld-linux-x86-64.so.2, BuildID[sha1]=0ef6bd7ee7b5b03e9f9e1fd13182d337f3a53020, for GNU/Linux 3.10.0, not stripped

iiamloz•3mo ago

Yes but the whitelist looks for exe not parent name, so either we update it with an or case or create one for runc

PopeRigbyOP•3mo ago

Ohhh, I guess I messed it up when I made it. How can I make it look for parent name? I wouldn't want to create a special case for runc because it's going to be a similar case with every other exe.

we update it with an or case

How can I do that?

Gaming

Programming

Scenarios that have hit whitelist still showing up as alerts?

Did you find this page helpful?