crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

crowdsecurity/iptables, iptables-scan-multi_ports never alerts on scan #1081

Closed Mist-Hunter closed 2 years ago

Mist-Hunter commented 2 years ago

I spent many hours prior to posting this due to being a brand new user and feeling quite sure I'm doing something wrong. But I can't figure out what.

Debian 11.1, Ubuntu 20.04.3 LTS

I'm scanning the crowdsec machine with kali / nmap and tail -f kern.log, watching the packets pour in to the log. I have tried on debian and ubuntu. I must be missing something basic. Posting here as a plea for help, or in case this is a legit issue. So excited to use this great tool, thank you!

example nmap command

nmap -p 1-65535 -T4 -A -v 192.168.1.2

In your tutorial: https://docs.crowdsec.net/docs/scenarios/create

You show kernel output:

Aug 20 16:20:09 mantis kernel: [887475.435839] DROP: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.23 DST=192.168.1.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29037 DF PROTO=TCP SPT=39158 DPT=3389 WINDOW=65495 RES=0x00 SYN URGP=0 

My rule, below, which is modeled off the recommended rule here: https://hub.crowdsec.net/author/crowdsecurity/configurations/iptables-logs , does not prepend the log entry with "DROP:", but is otherwise identical.

Iptables rule

iptables -A INPUT -m state --state NEW -m comment --comment "Log new connections" -j LOG

The only alert I ever see is:

cscli alerts list
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
| ID |            VALUE             |        REASON         | COUNTRY | AS | DECISIONS |          CREATED AT           |
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
|  1 | crowdsec/community-blocklist | update : +1287/-1 IPs |         |    | ban:1287  | 2021-12-12 21:54:14 +0000 UTC |
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+

cscli parsers list
-------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS   VERSION  LOCAL PATH                                             
-------------------------------------------------------------------------------------------------------------
 crowdsecurity/sshd-logs         ✔️  enabled  1.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         
 crowdsecurity/iptables-logs     ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml   
 crowdsecurity/syslog-logs       ✔️  enabled  0.7      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         
 crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml 
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     
-------------------------------------------------------------------------------------------------------------

cscli scenarios list
----------------------------------------------------------------------------------------------------------------------
 NAME                                     📦 STATUS   VERSION  LOCAL PATH                                             
----------------------------------------------------------------------------------------------------------------------
 crowdsecurity/ssh-bf                     ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml                    
 crowdsecurity/ssh-slow-bf                ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml               
 crowdsecurity/iptables-scan-multi_ports  ✔️  enabled  0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
----------------------------------------------------------------------------------------------------------------------

cscli metrics
INFO[12-12-2021 10:24:15 PM] Acquisition Metrics:                         
+------------------------+------------+--------------+----------------+------------------------+
|         SOURCE         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/kern.log |       2041 |         2024 |             17 | -                      |
| file:/var/log/syslog   |       2116 |         2024 |             92 | -                      |
+------------------------+------------+--------------+----------------+------------------------+
INFO[12-12-2021 10:24:15 PM] Parser Metrics:                              
+--------------------------------+------+--------+----------+
|            PARSERS             | HITS | PARSED | UNPARSED |
+--------------------------------+------+--------+----------+
| crowdsecurity/dateparse-enrich | 4048 |   4048 | -        |
| crowdsecurity/geoip-enrich     | 4048 |   4048 | -        |
| crowdsecurity/iptables-logs    | 4080 |   4048 |       32 |
| crowdsecurity/syslog-logs      | 4157 |   4157 | -        |
| crowdsecurity/whitelists       | 4048 |   4048 | -        |
+--------------------------------+------+--------+----------+
INFO[12-12-2021 10:24:15 PM] Local Api Metrics:                           
+--------------------+--------+------+
|       ROUTE        | METHOD | HITS |
+--------------------+--------+------+
| /v1/alerts         | GET    |    1 |
| /v1/watchers/login | POST   |    5 |
+--------------------+--------+------+
INFO[12-12-2021 10:24:15 PM] Local Api Machines Metrics: 

Mist-Hunter commented 2 years ago

Uncommented the debug flag in /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml and got this:

time="12-12-2021 16:33:07" level=debug msg="eval variables:" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.program = 'kernel'" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.message = '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.message = '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="+ Grok 'IN=%{...' didn't return data on '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="Event leaving node : ko" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="eval(evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT')) = TRUE" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="eval variables:" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.program = 'kernel'" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.message = '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="       evt.Parsed.message = '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="+ Grok 'IN=%{...' didn't return data on '[  511.815368] IN=ens<REDACTED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="Event leaving node : ko" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse

Is the parser choking on my iptable entries in kern.log?

Mist-Hunter commented 2 years ago

Nevermind

time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse

Mist-Hunter commented 2 years ago

Still fails to alert or act, but I don't know why.

buixor commented 2 years ago

Hello @Mist-Hunter !

Would you mind sharing some sample logs so I can see if the parser / scenario is failing?

Thanks,

Mist-Hunter commented 2 years ago

Thank you for the quick reply :) Which log would you like a sample of? Also, do I need any debug flags on?

AlteredCoder commented 2 years ago

Hello @Mist-Hunter,

A sample of your iptables logs please :)

Mist-Hunter commented 2 years ago

Logs attached, and also here: https://transfer.sh/gR6nhP/iptables.log.tar.gz

Dashboard after test:

root@crowdsecDev 09:14:21 /var/log →  cscli metrics
INFO[14-12-2021 09:15:13 AM] Acquisition Metrics:                         
+------------------------+------------+--------------+----------------+------------------------+
|         SOURCE         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log |          3 | -            |              3 | -                      |
| file:/var/log/kern.log |     131510 |       131494 |             16 | -                      |
| file:/var/log/messages |     131656 |       131494 |            162 | -                      |
| file:/var/log/syslog   |     131665 |       131494 |            171 | -                      |
+------------------------+------------+--------------+----------------+------------------------+
INFO[14-12-2021 09:15:13 AM] Parser Metrics:                              
+--------------------------------+--------+--------+----------+
|            PARSERS             |  HITS  | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| crowdsecurity/dateparse-enrich | 394482 | 394482 | -        |
| crowdsecurity/geoip-enrich     | 394482 | 394482 | -        |
| crowdsecurity/iptables-logs    | 394530 | 394482 |       48 |
| crowdsecurity/syslog-logs      | 394834 | 394834 | -        |
| crowdsecurity/whitelists       | 394482 | 394482 | -        |
+--------------------------------+--------+--------+----------+
INFO[14-12-2021 09:15:13 AM] Local Api Metrics:                           
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET    |  206 |
| /v1/watchers/login   | POST   |    4 |
+----------------------+--------+------+
INFO[14-12-2021 09:15:13 AM] Local Api Bouncers Metrics:                  
+----------------------------+----------------------+--------+------+
|          BOUNCER           |        ROUTE         | METHOD | HITS |
+----------------------------+----------------------+--------+------+
| FirewallBouncer-1639500060 | /v1/decisions/stream | GET    |  206 |
+----------------------------+----------------------+--------+------+

Installed parsers, bouncers, scenarios:

root@crowdsecDev 09:15:13 /var/log →  cscli hub list
INFO[14-12-2021 09:16:02 AM] Loaded 26 collecs, 32 parsers, 47 scenarios, 3 post-overflow parsers 
INFO[14-12-2021 09:16:02 AM] unmanaged items : 2 local, 0 tainted         
INFO[14-12-2021 09:16:02 AM] PARSERS:                                     
-------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS   VERSION  LOCAL PATH                                             
-------------------------------------------------------------------------------------------------------------
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsecurity/syslog-logs       ✔️  enabled  0.7      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml 
 crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       
 crowdsecurity/iptables-logs     ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml     
 crowdsecurity/sshd-logs         ✔️  enabled  1.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         
-------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] SCENARIOS:                                   
-----------------------------------------------------------------------------------------------------------------------------
 NAME                                     📦 STATUS          VERSION  LOCAL PATH                                             
-----------------------------------------------------------------------------------------------------------------------------
 crowdsecurity/ssh-bf                     ✔️  enabled         0.1      /etc/crowdsec/scenarios/ssh-bf.yaml                    
 crowdsecurity/ssh-slow-bf                ✔️  enabled         0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml               
 trigger-example.yaml                     🏠  enabled,local           /etc/crowdsec/scenarios/trigger-example.yaml           
 leaky-example.yaml                       🏠  enabled,local           /etc/crowdsec/scenarios/leaky-example.yaml             
 crowdsecurity/iptables-scan-multi_ports  ✔️  enabled         0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml 
-----------------------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] COLLECTIONS:                                 
--------------------------------------------------------------------------------------
 NAME                    📦 STATUS   VERSION  LOCAL PATH                              
--------------------------------------------------------------------------------------
 crowdsecurity/iptables  ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml 
 crowdsecurity/linux     ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml    
 crowdsecurity/sshd      ✔️  enabled  0.2      /etc/crowdsec/collections/sshd.yaml     
--------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] POSTOVERFLOWS:                               
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH 
--------------------------------------
--------------------------------------

Though this edit has made no impact on my results, I have edited the bouncer config as I have disabled IPv6 on my system.

sed -i 's/disable_ipv6: false/disable_ipv6: true/g' /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

How I'm installing in Debian 11.1 VM that I'm testing in:

iptables -A INPUT -m state --state NEW -m comment --comment "Apt, crowdsec, up.sh: Log new connections" -j LOG
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install crowdsec -y
apt install crowdsec-firewall-bouncer-iptables -y
cscli collections install crowdsecurity/iptables
systemctl reload crowdsec

As above, the NMAP command that generated the 130k~ packets in a scan:

nmap -p 1-65535 -T4 -A -v 172.27.0.200

The 'leaky-example.yaml' listed in the hub list: I added this to have something that leaked more slowly than the default scenario, though I don't think that is the problem.

cat << EOT > /etc/crowdsec/scenarios/leaky-example.yaml
type: leaky
debug: true
name: demo/leaky-example
description: "detect cool stuff"
filter: "evt.Meta.log_type == 'iptables_drop' and evt.Parsed.proto == 'TCP'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 1m
blackhole: 1m
labels:
  type: scan
EOT

iptables.log.tar.gz

AlteredCoder commented 2 years ago

From the logs that you sent, it seems that you run the nmap from a private IP (which are whitelisted by default by the crowdsecurity/whitelists parser). Can you try to test the scenario from a public IP or by removing the crowdsecurity/whitelists parser please (sudo cscli parsers remove crowdsecurity/whitelists)?
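To make the diagnosis above reproducible offline, here is an added example (not CrowdSec's own code, and not from anyone in this thread) that re-implements the three stages the issue walks through in miniature: a key=value parser for iptables LOG lines in kern.log, the private-IP drop that the crowdsecurity/whitelists parser performs by default, and a per-source leaky bucket over distinct destination ports with the capacity/leakspeed/blackhole of the leaky-example scenario posted earlier. The log lines are constructed in the format shown in the issue; the host name, interface, MAC and the public source 203.0.113.7 (TEST-NET-3) are assumptions. Running it shows that the scanning 172.27.0.192 never reaches the bucket while the whitelist is on, and alerts as soon as it is off.

```python
"""Miniature CrowdSec-style pipeline: parse -> whitelist -> leaky bucket.
Added example, not CrowdSec code. Function and field names are descriptive only."""
import ipaddress
import re
from datetime import datetime, timedelta

# Syslog-style prefix as written by rsyslog into kern.log (assumed format, as in the issue).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)(\[\d+\])?: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # IN=ens18 OUT= SRC=... DST=... PROTO=TCP DPT=22 ...
# Ranges the default crowdsecurity/whitelists parser treats as trusted (RFC 1918 + loopback).
PRIVATE_NETS = [ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """s00/s01 stages: split the syslog envelope, keep kernel lines that carry
    'IN=' and are not ACCEPT, and pull the netfilter key=value fields.
    Returns None when the line is not an iptables LOG entry."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "kernel":
        return None
    msg = m["msg"]
    if "IN=" not in msg or "ACCEPT" in msg:
        return None
    kv = dict(KV_RE.findall(msg[msg.index("IN="):]))
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2021)  # year assumed
    return {"ts": ts, "source_ip": kv["SRC"], "proto": kv["PROTO"], "dst_port": kv.get("DPT")}


def is_whitelisted(evt):
    """s02 stage: the default whitelist drops events whose source is private/loopback."""
    addr = ipaddress.ip_address(evt["source_ip"])
    return any(addr in net for net in PRIVATE_NETS)


class PortScanBucket:
    """Leaky bucket per source IP counting distinct TCP destination ports.
    Overflow (level > capacity) raises an alert; the source is then blackholed."""

    def __init__(self, capacity=15, leakspeed=timedelta(minutes=1), blackhole=timedelta(minutes=1)):
        self.capacity, self.leakspeed, self.blackhole = capacity, leakspeed, blackhole
        self.buckets, self.blackholed, self.alerts = {}, {}, []

    def pour(self, evt):
        if evt["proto"] != "TCP" or not evt["dst_port"]:
            return  # scenario filter: TCP with a destination port only
        ip, ts = evt["source_ip"], evt["ts"]
        if ip in self.blackholed and ts < self.blackholed[ip]:
            return  # still inside the blackhole window: no duplicate alerts
        b = self.buckets.setdefault(ip, {"level": 0.0, "ports": set(), "last": ts})
        b["level"] = max(0.0, b["level"] - (ts - b["last"]) / self.leakspeed)  # leak 1 per leakspeed
        b["last"] = ts
        if b["level"] == 0.0:
            b["ports"].clear()  # bucket fully drained: forget the distinct-port history
        if evt["dst_port"] in b["ports"]:
            return  # 'distinct': a repeated port does not fill the bucket
        b["ports"].add(evt["dst_port"])
        b["level"] += 1
        if b["level"] > self.capacity:
            self.alerts.append((ip, ts))
            self.blackholed[ip] = ts + self.blackhole
            del self.buckets[ip]


def run_pipeline(lines, whitelist_private=True):
    """Feed raw kern.log lines through the stages; return counters and alerted IPs."""
    stats = {"parsed": 0, "whitelisted": 0, "poured": 0}
    scan = PortScanBucket()
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        stats["parsed"] += 1
        if whitelist_private and is_whitelisted(evt):
            stats["whitelisted"] += 1
            continue
        stats["poured"] += 1
        scan.pour(evt)
    stats["alerts"] = [ip for ip, _ in scan.alerts]
    return stats


def make_sample_lines():
    """Constructed kern.log lines (not real captures): one IGMP line like the one in the
    debug output, then a 20-port SYN sweep from a private and from a public source."""
    mac = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
    lines = [f"Dec 14 09:38:30 crowdsecDev kernel: [  511.815368] IN=ens18 OUT= MAC={mac} "
             "SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 "]
    for i, src in enumerate(("172.27.0.192", "203.0.113.7")):
        for port in range(1, 21):
            lines.append(f"Dec 14 09:38:3{i} crowdsecDev kernel: [  512.000000] IN=ens18 OUT= "
                         f"MAC={mac} SRC={src} DST=172.27.0.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
                         f"ID={1000 + port} DF PROTO=TCP SPT=4{port:04d} DPT={port} "
                         "WINDOW=65495 RES=0x00 SYN URGP=0 ")
    return lines


if __name__ == "__main__":
    sample = make_sample_lines()
    for wl in (True, False):
        print(f"whitelist_private={wl}: {run_pipeline(sample, wl)}")
```

With the whitelist on, the 21 events from 172.27.0.192 are counted as parsed but never poured, which matches the "LINES PARSED" counters rising while "LINES POURED TO BUCKET" stays empty in the metrics above; only the public source alerts. With it off, both sources alert once each (the 16th distinct port overflows a capacity of 15, and the blackhole suppresses the rest of the sweep).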

Mist-Hunter commented 2 years ago

Awesome, thanks for the help. Will report back shortly.

Mist-Hunter commented 2 years ago

It immediately worked! Sorry I missed that. Thank you so much for your help, I'm very excited to use this :)

root@crowdsecDev 09:38:09 ~ →  cscli alerts list
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| ID |            VALUE             |                 REASON                  | COUNTRY | AS | DECISIONS |           CREATED AT           |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
|  4 | Ip:172.27.0.192              | crowdsecurity/iptables-scan-multi_ports |         | 0  | ban:1     | 2021-12-14 09:38:34.390419721  |
|    |                              |                                         |         |    |           | -0800 -0800                    |
|  3 | Ip:172.27.0.192              | demo/leaky-example                      |         | 0  |           | 2021-12-14 09:38:34.390916277  |
|    |                              |                                         |         |    |           | -0800 -0800                    |
|  2 | Ip:172.27.0.192              | demo/trigger-example                    |         | 0  | ban:1     | 2021-12-14 09:38:35.406821133  |
|    |                              |                                         |         |    |           | -0800 -0800                    |
|  1 | crowdsec/community-blocklist | update : +1279/-0 IPs                   |         |    | ban:1279  | 2021-12-14 08:41:07 -0800      |
|    |                              |                                         |         |    |           |                          -0800 |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
root@crowdsecDev 09:40:56 ~ →  ipset list crowdsec-blacklists | grep 172.27.0.192
172.27.0.192 timeout 14245