mb
mbOP3mo ago

Scenario is not banning IP

I am trying to get a ban decision with the following parser and scenario.

Scenario:
type: leaky
name: mqtt-new-connection-attempt
description: "Detect excessive MQTT connection attempts"
filter: "evt.Meta.log_type == 'mqtt_new_connection'"
leakspeed: 10s
capacity: 5
groupby: evt.Parsed.source_ip
blackhole: 1m
labels:
  remediation: true
Parser:
onsuccess: next_stage
#debug: true
filter: "evt.Parsed.program == 'mqtt'"
name: crowdsecurity/mqtt-successful
description: "Parse Mosquitto MQTT broker logs"

pattern_syntax:
  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})

nodes:
  - grok:
      #name: mosquitto-new-connection
      pattern: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{TIME:timestamp}: New connection from %{IP_WORKAROUND:source_ip}:%{NUMBER:source_port} on port %{NUMBER:port}\.'
      apply_on: message
      statics:
        - meta: log_type
          value: mqtt_new_connection

statics:
  - parsed: StrTime
    expression: evt.Parsed.timestamp
  - parsed: source_ip
    expression: evt.Parsed.source_ip
I don't know where I did something wrong in the configuration.
11 Replies
mb
mbOP3mo ago
These are the outputs of the cscli metrics command:
Acquisition Metrics │
├──────────────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/lib/docker/volumes/mosquitto_mosquitto-log/_data/mosquitto.log │ 33 │ 16 │ 17 │ 16 │ - │
│ file:/var/log/auth.log │ 53 │ - │ 53 │ - │ - │
│ file:/var/log/syslog │ 10 │ - │ 10 │ - │ -


Scenario Metrics │
├─────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├─────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ mqtt-new-connection-attempt │ 1 │ 1 │ 3 │ 16 │ 1
iiamloz
iiamloz3mo ago
It's most likely an issue with your parser: at the bottom of your statics you are setting the parsed IP to the same value. Change parsed: to meta:, because we expect that meta value in the s02 stage. Oh wait, scrap that, the metrics state it overflows. Do you see anything in the crowdsec log file?
mb
mbOP3mo ago
I see this line:
time="2025-06-19T17:21:52Z" level=error msg="unable to collect sources from bucket: while extracting scope from bucket mqtt-new-connection-attempt: scope is Ip but Meta[source_ip] doesn't exist"
iiamloz
iiamloz3mo ago
Ah, then it goes back to what I said: you need to change your bottom static to set meta instead of parsed.
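To make the fix concrete, here is an added Python simulation of what the parser statics and the bucket's Ip scope do with one Mosquitto log line. It is example code written for this thread, not CrowdSec's code and not anything posted by mb or iiamloz; the sample log lines are constructed, the IPv6 alternative in the regex is a loose stand-in for grok's %{IPV6}, and the "scope is Ip" lookup mirrors the error message from the crowdsec log above.

```python
import re

# Constructed sample log lines (not from the thread): one Mosquitto "New connection"
# line in the format the grok pattern expects, and one unrelated line.
SAMPLE_LINE = "2025-06-19T17:21:50: New connection from 203.0.113.7:51234 on port 8883."
OTHER_LINE = "2025-06-19T17:21:51: Client auto-1 disconnected."

# Python-regex rendering of the parser's grok pattern. The IPv4 part is the
# IPv4_WORKAROUND pattern verbatim; the IPv6 alternative is a loose stand-in for
# grok's %{IPV6} (an assumption made for this example, not grok's real pattern).
IPV4 = r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
NEW_CONN_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<timestamp>\d{2}:\d{2}:\d{2}): New connection from "
    r"(?P<source_ip>" + IPV4 + r"|[0-9a-fA-F:]+):(?P<source_port>\d+) on port (?P<port>\d+)\.$"
)


def grok_node(line):
    """Emulate the grok node: on a match, fill evt.Parsed from the named captures and
    apply the node's own static (meta log_type). Returns None when the line does not match."""
    m = NEW_CONN_RE.match(line)
    if m is None:
        return None
    evt = {"Parsed": dict(m.groupdict()), "Meta": {}}
    evt["Meta"]["log_type"] = "mqtt_new_connection"
    return evt


def apply_statics(evt, statics):
    """Emulate the top-level statics list. Each entry is (target, key, expression):
    target 'parsed' writes evt.Parsed[key], target 'meta' writes evt.Meta[key]."""
    for target, key, expression in statics:
        target_map = evt["Parsed"] if target == "parsed" else evt["Meta"]
        target_map[key] = expression(evt)
    return evt


# The statics as posted in the thread: both write into Parsed, so Meta never gets source_ip.
ORIGINAL_STATICS = [
    ("parsed", "StrTime", lambda e: e["Parsed"]["timestamp"]),
    ("parsed", "source_ip", lambda e: e["Parsed"]["source_ip"]),
]

# The fix described above: the source_ip static writes into Meta instead.
FIXED_STATICS = [
    ("parsed", "StrTime", lambda e: e["Parsed"]["timestamp"]),
    ("meta", "source_ip", lambda e: e["Parsed"]["source_ip"]),
]


def collect_source(line, statics):
    """Emulate the bucket's source collection for scope Ip: it reads Meta['source_ip'].
    Returns (ip, None) on success or (None, error_message) on failure."""
    evt = grok_node(line)
    if evt is None:
        return None, "line not parsed by the mqtt parser"
    apply_statics(evt, statics)
    ip = evt["Meta"].get("source_ip")
    if ip is None:
        return None, "scope is Ip but Meta[source_ip] doesn't exist"
    return ip, None


if __name__ == "__main__":
    for label, statics in (("original", ORIGINAL_STATICS), ("fixed", FIXED_STATICS)):
        print(label, collect_source(SAMPLE_LINE, statics))
    print("other", collect_source(OTHER_LINE, FIXED_STATICS))
```

Running it shows why the metrics looked healthy while no ban appeared: the line parses and the bucket overflows either way, but only the meta: static leaves a value where the Ip scope looks for it, so the original config reproduces the "Meta[source_ip] doesn't exist" error at decision time.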
mb
mbOP3mo ago
Thank you, it now creates a ban decision. How did you know I had to change the value? Trying to understand where I was wrong in my thinking. But is it normal that, if I still continue to attempt the login, the mosquitto logs show me more connection attempts? Shouldn't the packets from that IP be blocked at this point by the firewall through the bouncer, so they wouldn't reach the application anymore?
iiamloz
iiamloz3mo ago
It depends: where does mqtt operate? Like within a container?
mb
mbOP3mo ago
Yes, it is running inside a container and the container port 8883 is mapped to the host port 8883. But my crowdsec security engine and my bouncer are running on the host. So when an IP gets banned, shouldn't it be at host level, not allowing any packets to pass through to the docker container?
services:
  mosquitto:
    image: eclipse-mosquitto
    container_name: mosquitto
    ports:
      - "8883:8883"
    volumes:
      - mosquitto-data:/mosquitto/data
      - mosquitto-log:/mosquitto/log
      - ./config:/mosquitto/config
    restart: unless-stopped

volumes:
  mosquitto-data:
  mosquitto-log:
Do I have to uncomment the DOCKER-USER in the .yaml config of the bouncer?
iptables_chains:
  - INPUT
  # - FORWARD
  # - DOCKER-USER
iiamloz
iiamloz3mo ago
Yes. Just remember that if you get blocked you will lose all connections, so make sure you have a way to access the host if you lose SSH.
mb
mbOP3mo ago
I am using a VPN for testing with different IP addresses for this purpose 😄 OK great, this works now 😄 Thanks a lot 😄
CrowdSec
CrowdSec3mo ago
Resolving "Scenario is not banning IP": this has now been resolved. If you think this is a mistake please run /unresolve