Get alerts linked to a fqdn

Hi everyone, I use CrowdSec on an NginX reverse proxy hosting around 2000 vhosts, and it works like a charm, thank you! The question I often get from customers is "my website blahblah.com is not online", with no IP address. To track false positives, I'm looking for a way to get CrowdSec's decisions related to this blahblah.com website. If there is only one IP I'm sure this is the customer's IP; otherwise I'm often able to tell which IP is the right one with the AS number. I added the following context so I get the fqdn when I use "cscli alert inspect":

context:
  target_fqdn:
    - evt.Meta.target_fqdn

The closest attempt I did is listing all decisions, extracting the alert ID, then running "cscli alert inspect" and looking for the right target_fqdn, but it is far from optimal. I would like to search all alerts/decisions with blahblah.com in their context.
8 Replies
iiamloz (4w ago)
Yeah, this is difficult via cscli since it's just direct API requests to the local API. Unless you are sending notifications to an external system like Elastic where you can filter down this context, then it would be the console, since we allow filtering alerts by alert context there; we don't expose a way to filter via the local API as it would be a pain, since the data is held as a string in the database.
privinc (OP, 4w ago)
Hmm I see... Thanks for your answer! I will dig the elastic topic
iiamloz (4w ago)
Elasticsearch | CrowdSec
CrowdSec can forward Alerts to Elasticsearch using the HTTP plugin. This guide will show you how to configure the plugin to send alerts to your Elasticsearch instance.
Streilinger (4w ago)
Would it be possible to write notification logfiles via the file plugin and set log_path to something like {{GetMeta $alert "target_fqdn"}}?
iiamloz (4w ago)
Yeah, but at that point you might as well do cscli alerts list -ojson | grep blahblah.com or just use something like jq to filter. Here's an example bash script:
#!/usr/bin/env bash
# Usage: cscli alerts list -ojson | ./test.sh <target_fqdn>
#    or: ./test.sh <target_fqdn> alerts.json
set -euo pipefail
FQDN="${1:?Usage: $(basename "$0") <target_fqdn> [input.json|-]}"
IN="${2:-/dev/stdin}"   # read the cscli JSON from a file, or stdin by default

# Keep every alert where some event's meta has target_fqdn == $fqdn,
# collect the alert source IPs and de-duplicate them.
jq -r --arg fqdn "$FQDN" '
[ .[]
| select(any(.events[]?.meta[]?; .key=="target_fqdn" and .value==$fqdn))
| .source.ip
] | unique[]' "$IN" \
| tee /dev/stderr \
| awk -v now="$(date -u +%FT%TZ)" '{ print now "\t" $0 }' >> source_ips.log   # echo to the terminal, append timestamped lines to a log
then you can use it like:
cscli alerts list -ojson | ./test.sh blog.laurencejones.dev
Then it will list all IPs that matched the target fqdn (from my example):
172.190.142.176
20.240.88.1
4.230.34.225
52.173.130.12
You can expand it to log the alert ID or decision ID, the world is your oyster. Just remember there's a limitation that cscli alert list only returns the last 100 alerts, hence why Elastic or the console is better 😄
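Building on the jq approach above, the following is an added example (editor's code, not CrowdSec's and not a script posted in this thread) that does the same search in Python and also reports what the original question asked for: the alert ID, the decision IDs, and the source IP with its AS number, so the right customer IP can be picked out when several match. It assumes the JSON shape of `cscli alerts list -o json` (alert-level `meta` holding the configured context, per-event `meta`, `source`, `decisions`) and that alert-context values are stored as JSON-encoded arrays of strings while event meta values are plain strings; it searches both places. The sample alerts are constructed, not real data.

```python
"""Find CrowdSec alerts whose context (or event meta) carries a given key/value,
e.g. target_fqdn == blahblah.com, and summarise them for false-positive triage."""
import json
import sys

# Constructed sample in the shape of `cscli alerts list -o json`. Assumption: alert-level
# `meta` values are JSON-encoded arrays (how CrowdSec serialises alert context), while
# per-event `meta` values are plain strings. IPs are documentation ranges, not real traffic.
SAMPLE_ALERTS = [
    {
        "id": 1201,
        "scenario": "crowdsecurity/http-probing",
        "source": {"ip": "203.0.113.10", "as_number": "64496", "as_name": "EXAMPLE-AS", "cn": "FR"},
        "meta": [{"key": "target_fqdn", "value": '["blahblah.com", "www.blahblah.com"]'}],
        "events": [{"meta": [{"key": "source_ip", "value": "203.0.113.10"},
                             {"key": "target_fqdn", "value": "www.blahblah.com"}]}],
        "decisions": [{"id": 9001, "type": "ban", "value": "203.0.113.10", "duration": "3h59m"}],
    },
    {
        "id": 1202,
        "scenario": "crowdsecurity/http-bad-user-agent",
        "source": {"ip": "198.51.100.7", "as_number": "64497", "as_name": "OTHER-AS", "cn": "DE"},
        "meta": [{"key": "target_fqdn", "value": '["other.example"]'}],
        "events": [{"meta": [{"key": "target_fqdn", "value": "other.example"}]}],
        "decisions": [{"id": 9002, "type": "ban", "value": "198.51.100.7", "duration": "3h59m"}],
    },
    {
        # Alert raised before the context was configured: no alert-level meta, so only the
        # event meta carries the FQDN (mixed case on purpose, to exercise the comparison).
        "id": 1203,
        "scenario": "crowdsecurity/http-crawl-non_statics",
        "source": {"ip": "192.0.2.44", "as_number": "64500", "as_name": "CUSTOMER-AS", "cn": "FR"},
        "meta": [],
        "events": [{"meta": [{"key": "target_fqdn", "value": "BlahBlah.com"}]}],
        "decisions": [{"id": 9003, "type": "ban", "value": "192.0.2.44", "duration": "3h59m"},
                      {"id": 9004, "type": "captcha", "value": "192.0.2.44", "duration": "1h"}],
    },
]


def meta_values(meta_items):
    """Yield (key, value) pairs from a cscli meta list, expanding JSON-array-encoded values."""
    for item in meta_items or []:
        key, raw = item.get("key"), item.get("value", "")
        try:
            parsed = json.loads(raw)        # '["a.example", "b.example"]' -> list
        except (TypeError, ValueError):
            parsed = raw                    # plain string such as "blahblah.com"
        values = parsed if isinstance(parsed, list) else [parsed]
        for value in values:
            yield key, str(value)


def alert_matches(alert, key, wanted):
    """True if the alert context or any event's meta has key == wanted (case-insensitive, as FQDNs are)."""
    wanted = wanted.lower()
    meta_lists = [alert.get("meta")] + [e.get("meta") for e in alert.get("events") or []]
    return any(k == key and v.lower() == wanted
               for meta in meta_lists for k, v in meta_values(meta))


def find_by_context(alerts, key, wanted):
    """Return one summary dict per matching alert: alert id, scenario, source IP/AS, decision ids."""
    hits = []
    for alert in alerts:
        if not alert_matches(alert, key, wanted):
            continue
        src = alert.get("source") or {}
        hits.append({
            "alert_id": alert.get("id"),
            "scenario": alert.get("scenario"),
            "ip": src.get("ip"),
            "as": f"AS{src.get('as_number', '?')} {src.get('as_name', '')}".strip(),
            "cn": src.get("cn"),
            "decision_ids": [d.get("id") for d in alert.get("decisions") or []],
        })
    return hits


def distinct_ips(hits):
    """Sorted unique source IPs across the hits (one IP means it is almost surely the customer's)."""
    return sorted({h["ip"] for h in hits if h["ip"]})


if __name__ == "__main__":
    # Usage: cscli alerts list -o json | python3 find_fqdn.py blahblah.com
    # With no piped input it runs against the constructed sample above.
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "blahblah.com"
    alerts = SAMPLE_ALERTS if sys.stdin.isatty() else json.load(sys.stdin)
    for h in find_by_context(alerts, "target_fqdn", fqdn):
        print(f"alert {h['alert_id']}  {h['ip'] or '?':<16} {h['as']:<22} "
              f"{h['scenario']}  decisions={h['decision_ids']}")
```

`cscli decisions list -o json` returns the same alert objects (with their decisions embedded), so the script takes that as input too. Because it checks the alert-level context as well as event meta, it still finds alerts on a LAPI where events were not kept but the context was, and the case-insensitive compare avoids missing a vhost logged with different capitalisation.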
privinc (OP, 4w ago)
Also works with cscli decision list -a -ojson for input 🥳. This is more than enough for my problem! Many thanks!
CrowdSec (4w ago)
Resolving "Get alerts linked to a fqdn": this has now been resolved. If you think this is a mistake please run /unresolve