Scenario is not banning IP
I am trying to get a ban decision with the following parser and scenario
Scenario:
Parser:
I don't know where I did something wrong in the configuration.
Scenario:
type: leaky
name: mqtt-new-connection-attempt
description: "Detect excessive MQTT connection attempts"
filter: "evt.Meta.log_type == 'mqtt_new_connection'"
leakspeed: 10s
capacity: 5
groupby: evt.Parsed.source_ip
blackhole: 1m
labels:
remediation: truetype: leaky
name: mqtt-new-connection-attempt
description: "Detect excessive MQTT connection attempts"
filter: "evt.Meta.log_type == 'mqtt_new_connection'"
leakspeed: 10s
capacity: 5
groupby: evt.Parsed.source_ip
blackhole: 1m
labels:
remediation: trueParser:
onsuccess: next_stage
#debug: true
filter: "evt.Parsed.program == 'mqtt'"
name: crowdsecurity/mqtt-successful
description: "Parse Mosquitto MQTT broker logs"
pattern_syntax:
IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
nodes:
- grok:
#name: mosquitto-new-connection
pattern: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{TIME:timestamp}: New connection from %{IP_WORKAROUND:source_ip}:%{NUMBER:source_port} on port %{NUMBER:port}\.'
apply_on: message
statics:
- meta: log_type
value: mqtt_new_connection
statics:
- parsed: StrTime
expression: evt.Parsed.timestamp
- parsed: source_ip
expression: evt.Parsed.source_iponsuccess: next_stage
#debug: true
filter: "evt.Parsed.program == 'mqtt'"
name: crowdsecurity/mqtt-successful
description: "Parse Mosquitto MQTT broker logs"
pattern_syntax:
IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
nodes:
- grok:
#name: mosquitto-new-connection
pattern: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{TIME:timestamp}: New connection from %{IP_WORKAROUND:source_ip}:%{NUMBER:source_port} on port %{NUMBER:port}\.'
apply_on: message
statics:
- meta: log_type
value: mqtt_new_connection
statics:
- parsed: StrTime
expression: evt.Parsed.timestamp
- parsed: source_ip
expression: evt.Parsed.source_ipI don't know where I did something wrong in the configuration.
