Custom scenario and local RegexpInFile data

Hi, based on http-bad-user-agent, I've created a local/http-bad-user-agent:

type: trigger
format: 2.0
#debug: true
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
debug: false
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"
The file exists in the data directory:
-rw------- 1 root root 1,4K 16 sept. 20:18 /var/lib/crowdsec/data/local_bad_user_agents.regex.txt
# head /var/lib/crowdsec/data/local_bad_user_agents.regex.txt -n 3
\bAddSearchBot\b
\bAhrefsBot\b
\bAI2Bot\b
But nothing matches; it looks like the regex file is not used. The doc is not clear on local custom scenarios and the RegexpInFile part. Do you know how to solve this, please? Thanks a lot.
4 Replies
CrowdSec
CrowdSec 3w ago
Resolving "Custom scenario and local RegexpInFile data": this has now been resolved. If you think this is a mistake, please run /unresolve
Erwane
Erwane (OP) 3w ago
It's working; it was a problem with my apache log (not combined) and maybe the missing "remediation: true" in the config.
iiamloz
iiamloz 3w ago
Most likely the remediation: true, as that is what informs CrowdSec to take action on the scenario; otherwise it doesn't match the default profiles.yaml.
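For reference, the scenario from the original post with the missing label added. This is an added example, not code from the thread or from the CrowdSec hub; it keeps the OP's fields and only adds `remediation: true`, which is the label the default profiles.yaml filters on before applying a decision (assumed default profile behaviour, as described in the reply above).

```yaml
# local/http-bad-user-agent, corrected: same scenario as posted above,
# with the remediation label added so the default profile acts on the alert.
type: trigger
format: 2.0
name: local/http-bad-user-agent
description: "Detect usage of bad User Agent"
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "local_bad_user_agents.regex.txt")'
data:
  # File is already present in /var/lib/crowdsec/data; "type: regexp"
  # makes CrowdSec compile each line of the file as a pattern for RegexpInFile.
  - dest_file: local_bad_user_agents.regex.txt
    type: regexp
groupby: "evt.Meta.source_ip"
blackhole: 1m
labels:
  service: http
  label: "Bad User Agent"
  # Without this label the alert is raised but does not match the
  # default profiles.yaml, so no ban decision is produced.
  remediation: true
```

After editing the file, restart crowdsec and check that the scenario is loaded with `cscli scenarios list`; the log must also be parsed far enough to populate evt.Parsed.http_user_agent (the OP's non-combined Apache format did not).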
