Closed Mist-Hunter closed 2 years ago
Uncommented the debug flag in /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml and got this:
time="12-12-2021 16:33:07" level=debug msg="eval variables:" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.program = 'kernel'" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.message = '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.message = '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="+ Grok 'IN=%{...' didn't return data on '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="Event leaving node : ko" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="eval(evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT')) = TRUE" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="eval variables:" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.program = 'kernel'" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.message = '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg=" evt.Parsed.message = '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="+ Grok 'IN=%{...' didn't return data on '[ 511.815368] IN=ens<REDCATED> OUT= MAC=<REDACTED> SRC=172.27.0.192 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=60792 PROTO=2 '" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
time="12-12-2021 16:33:07" level=debug msg="Event leaving node : ko" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
Is the parser choking on my iptables entries in kern.log?
Never mind.
time="12-12-2021 16:53:22" level=debug msg="+ Grok 'IN=%{...' returned 7 entries to merge in Parsed" id=wild-waterfall name=crowdsecurity/iptables-logs stage=s01-parse
Still fails to alert or act, but I don't know why.
Hello @Mist-Hunter !
Would you mind sharing sample logs so I can see if the parser / scenario is failing?
Thanks,
Thank you for the quick reply :) Which log would you like a sample of? Also, do I need any debug flags on?
Hello @Mist-Hunter,
A sample of your iptables logs please :)
Logs attached, and also here: https://transfer.sh/gR6nhP/iptables.log.tar.gz
Dashboard after test:
root@crowdsecDev 09:14:21 /var/log → cscli metrics
INFO[14-12-2021 09:15:13 AM] Acquisition Metrics:
+------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log | 3 | - | 3 | - |
| file:/var/log/kern.log | 131510 | 131494 | 16 | - |
| file:/var/log/messages | 131656 | 131494 | 162 | - |
| file:/var/log/syslog | 131665 | 131494 | 171 | - |
+------------------------+------------+--------------+----------------+------------------------+
INFO[14-12-2021 09:15:13 AM] Parser Metrics:
+--------------------------------+--------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| crowdsecurity/dateparse-enrich | 394482 | 394482 | - |
| crowdsecurity/geoip-enrich | 394482 | 394482 | - |
| crowdsecurity/iptables-logs | 394530 | 394482 | 48 |
| crowdsecurity/syslog-logs | 394834 | 394834 | - |
| crowdsecurity/whitelists | 394482 | 394482 | - |
+--------------------------------+--------+--------+----------+
INFO[14-12-2021 09:15:13 AM] Local Api Metrics:
+----------------------+--------+------+
| ROUTE | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET | 206 |
| /v1/watchers/login | POST | 4 |
+----------------------+--------+------+
INFO[14-12-2021 09:15:13 AM] Local Api Bouncers Metrics:
+----------------------------+----------------------+--------+------+
| BOUNCER | ROUTE | METHOD | HITS |
+----------------------------+----------------------+--------+------+
| FirewallBouncer-1639500060 | /v1/decisions/stream | GET | 206 |
+----------------------------+----------------------+--------+------+
Installed parsers, bouncers, scenarios:
root@crowdsecDev 09:15:13 /var/log → cscli hub list
INFO[14-12-2021 09:16:02 AM] Loaded 26 collecs, 32 parsers, 47 scenarios, 3 post-overflow parsers
INFO[14-12-2021 09:16:02 AM] unmanaged items : 2 local, 0 tainted
INFO[14-12-2021 09:16:02 AM] PARSERS:
-------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.7 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.1 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/whitelists ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/iptables-logs ✔️ enabled 0.2 /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 1.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
-------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------------
crowdsecurity/ssh-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf ✔️ enabled 0.2 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
trigger-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/trigger-example.yaml
leaky-example.yaml 🏠 enabled,local /etc/crowdsec/scenarios/leaky-example.yaml
crowdsecurity/iptables-scan-multi_ports ✔️ enabled 0.1 /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
-----------------------------------------------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] COLLECTIONS:
--------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------
crowdsecurity/iptables ✔️ enabled 0.1 /etc/crowdsec/collections/iptables.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
--------------------------------------------------------------------------------------
INFO[14-12-2021 09:16:02 AM] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------
Though this edit has made no impact on my results, I have edited the bouncer config as I have disabled IPv6 on my system.
sed -i 's/disable_ipv6: false/disable_ipv6: true/g' /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
How I'm installing in the Debian 11.1 VM that I'm testing in:
iptables -A INPUT -m state --state NEW -m comment --comment "Apt, crowdsec, up.sh: Log new connections" -j LOG
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install crowdsec -y
apt install crowdsec-firewall-bouncer-iptables -y
cscli collections install crowdsecurity/iptables
systemctl reload crowdsec
As above, the nmap command that generated the ~130k packets in a scan:
nmap -p 1-65535 -T4 -A -v 172.27.0.200
The 'leaky-example.yaml' listed in the hub list: I added this to have something that leaked more slowly than the default scenario, though I don't think that is the problem.
cat << EOT > /etc/crowdsec/scenarios/leaky-example.yaml
type: leaky
debug: true
name: demo/leaky-example
description: "detect cool stuff"
filter: "evt.Meta.log_type == 'iptables_drop' and evt.Parsed.proto == 'TCP'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 1m
blackhole: 1m
labels:
  type: scan
EOT
From the logs that you sent, it seems that you run the nmap from a private IP (which are whitelisted by default by the crowdsecurity/whitelists parser). Can you try to test the scenario from a public IP or by removing the crowdsecurity/whitelists parser please (sudo cscli parsers remove crowdsecurity/whitelists).
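An added illustration (not CrowdSec's code and not part of this thread) of why the scan never produced an alert: a private source address is dropped at the whitelist stage, so the distinct-port bucket of the demo/leaky-example scenario above is never poured into. It assumes the default whitelist covers the RFC1918 and loopback ranges, and it simplifies the leaky bucket to a distinct-port count with leak speed and blackhole ignored; the sample lines are constructed in the shape of the kern.log entries quoted in the issue.

```python
import ipaddress
import re
from collections import defaultdict

# Private/loopback ranges; assumed to match what the default crowdsecurity/whitelists parser drops.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; OUT= yields an empty value

def parse_iptables_line(line):
    """Mimic the s01-parse filter: a kernel line containing IN= and no ACCEPT -> fields, else None."""
    if "kernel:" not in line or "IN=" not in line or "ACCEPT" in line:
        return None
    fields = dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))
    if "SRC" not in fields:
        return None
    return {"source_ip": fields["SRC"], "proto": fields.get("PROTO", ""),
            "dst_port": fields.get("DPT", "")}

def is_whitelisted(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def run_scan_scenario(lines, capacity=15, apply_whitelist=True):
    """Simplified demo/leaky-example: distinct TCP dst_port per source_ip, overflow once
    more than `capacity` distinct ports are seen (no leak, no blackhole)."""
    ports, alerts = defaultdict(set), []
    for line in lines:
        evt = parse_iptables_line(line)
        if evt is None or evt["proto"] != "TCP":
            continue  # scenario filter: iptables event and proto == 'TCP'
        if apply_whitelist and is_whitelisted(evt["source_ip"]):
            continue  # whitelisted event never reaches the bucket
        ports[evt["source_ip"]].add(evt["dst_port"])
        if len(ports[evt["source_ip"]]) > capacity and evt["source_ip"] not in alerts:
            alerts.append(evt["source_ip"])
    return alerts

# Constructed sample lines in the shape shown in the issue (not real captures).
TEMPLATE = ("Dec 14 09:30:01 crowdsecDev kernel: [ 511.8{n:05d}] IN=ens18 OUT= MAC=00:11:22:33:44:55 "
            "SRC={src} DST=172.27.0.200 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID={n} PROTO={proto} "
            "SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
SAMPLE_LINES = [TEMPLATE.format(n=i, src="172.27.0.192", proto="TCP", dpt=i) for i in range(1, 17)]
SAMPLE_LINES.append(TEMPLATE.format(n=99, src="172.27.0.192", proto="UDP", dpt=53))  # not TCP: filtered
SAMPLE_LINES.append("Dec 14 09:30:02 crowdsecDev kernel: [ 512.000000] usb 1-1: new device")  # no IN=

if __name__ == "__main__":
    print("with whitelist:", run_scan_scenario(SAMPLE_LINES))                            # []
    print("without whitelist:", run_scan_scenario(SAMPLE_LINES, apply_whitelist=False))  # ['172.27.0.192']
```

Removing the whitelist (or scanning from a public address, as the maintainer suggests) is what lets the 16th distinct port tip the bucket over.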
Awesome, thanks for the help. Will report back shortly.
It immediately worked! Sorry I missed that. Thank you so much for your help, I'm very excited to use this :)
root@crowdsecDev 09:38:09 ~ → cscli alerts list
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| ID | VALUE | REASON | COUNTRY | AS | DECISIONS | CREATED AT |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
| 4 | Ip:172.27.0.192 | crowdsecurity/iptables-scan-multi_ports | | 0 | ban:1 | 2021-12-14 09:38:34.390419721 |
| | | | | | | -0800 -0800 |
| 3 | Ip:172.27.0.192 | demo/leaky-example | | 0 | | 2021-12-14 09:38:34.390916277 |
| | | | | | | -0800 -0800 |
| 2 | Ip:172.27.0.192 | demo/trigger-example | | 0 | ban:1 | 2021-12-14 09:38:35.406821133 |
| | | | | | | -0800 -0800 |
| 1 | crowdsec/community-blocklist | update : +1279/-0 IPs | | | ban:1279 | 2021-12-14 08:41:07 -0800 |
| | | | | | | -0800 |
+----+------------------------------+-----------------------------------------+---------+----+-----------+--------------------------------+
root@crowdsecDev 09:40:56 ~ → ipset list crowdsec-blacklists | grep 172.27.0.192
172.27.0.192 timeout 14245
I spent many hours prior to posting this due to being a brand new user and feeling quite sure I'm doing something wrong. But I can't figure out what.
Debian 11.1, Ubuntu 20.04.3 LTS
I'm scanning the crowdsec machine with kali / nmap and tail -f kern.log, watching the packets pour in to the log. I have tried on Debian and Ubuntu. I must be missing something basic. Posting here as a plea for help, or in case this is a legit issue. So excited to use this great tool, thank you!
(screenshot: example nmap command)
In your tutorial: https://docs.crowdsec.net/docs/scenarios/create
You show kernel output:
My rule, below, which is modeled off the recommended rule here: https://hub.crowdsec.net/author/crowdsecurity/configurations/iptables-logs , does not prepend the log entry with "DROP:", but is otherwise identical.
(screenshot: iptables rule)
The only alert I ever see is: