crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Crowdsec not blocking portscans to IIS #1871

Closed war3zlod3r closed 1 year ago

war3zlod3r commented 1 year ago

What happened?

Not blocking nikto attacks against IIS

What did you expect to happen?

For IIS to block the external IP I was attacking from.

How can we reproduce it (as minimally and precisely as possible)?

My acquis.yaml

```yaml
source: wineventlog
event_channel: Security
event_ids:
  - 4625
  - 4623
event_level: information
labels:
  type: eventlog
---
source: wineventlog
event_channel: Microsoft-IIS-Logging/Logs
event_ids:
  - 6200
event_level: information
labels:
  type: iis
---
filenames:
  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
labels:
  type: windows-firewall
```

Anything else we need to know?


Crowdsec version

```console
$ cscli version
2022/11/16 13:13:49 version: v1.4.2-3beb84bcfe05885fdd9a00f3124b4a949e45ce82
2022/11/16 13:13:49 Codename: alphaga
2022/11/16 13:13:49 BuildDate: 2022-11-15_11:20:29
2022/11/16 13:13:49 GoVersion: 1.19
2022/11/16 13:13:49 Platform: windows
2022/11/16 13:13:49 Constraint_parser: >= 1.0, <= 2.0
2022/11/16 13:13:49 Constraint_scenario: >= 1.0, < 3.0
2022/11/16 13:13:49 Constraint_api: v1
2022/11/16 13:13:49 Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
BuildNumber  Caption                                 OSArchitecture  Version
17763        Microsoft Windows Server 2019 Standard  64-bit          10.0.17763
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
crowdsecurity/base-http-scenarios,"enabled,update-available",0.6,http common : scanners detection,collections
crowdsecurity/http-cve,"enabled,update-available",1.1,,collections
crowdsecurity/iis,"enabled,update-available",0.1,IIS support : parser and generic http scenarios ,collections
crowdsecurity/windows,enabled,0.1,core windows support : windows event log + bf detection,collections
crowdsecurity/windows-firewall,enabled,0.1,windows firewall support : logs and port-scans detection scenarios,collections
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iis-logs,"enabled,update-available",0.3,Parse IIS access logs,parsers
crowdsecurity/windows-auth,enabled,0.2,Parse windows authentication failure events (id 4625),parsers
crowdsecurity/windows-firewall-logs,enabled,0.2,Parse windows firewall drop logs,parsers
crowdsecurity/windows-logs,enabled,0.4,,parsers
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,"enabled,update-available",0.2,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,"enabled,update-available",0.2,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
crowdsecurity/windows-bf,enabled,0.1,Detect windows auth bruteforce,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
```
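The hub listing above is the first thing worth triaging in a "scanner not blocked" report: several of the items the IIS detection chain depends on (`crowdsecurity/iis`, `crowdsecurity/iis-logs`, `crowdsecurity/base-http-scenarios`) are flagged `update-available`. The `-o raw` format is CSV in which the status column is itself a comma-separated list, so it needs a real CSV parser rather than `split(",")`. The following script is an added example, not part of the issue or of CrowdSec's code base; it parses a constructed subset of the rows quoted above and reports which enabled items are outdated, grouped by hub type, plus a helper that checks a named set of items (here the IIS chain) before anyone starts reading acquisition metrics.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a subset of the `cscli hub list -o raw` rows quoted in
# the issue. Columns are: name, status, installed version, description, type.
SAMPLE_HUB_LIST = """\
crowdsecurity/base-http-scenarios,"enabled,update-available",0.6,http common : scanners detection,collections
crowdsecurity/iis,"enabled,update-available",0.1,IIS support : parser and generic http scenarios ,collections
crowdsecurity/windows,enabled,0.1,core windows support : windows event log + bf detection,collections
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/iis-logs,"enabled,update-available",0.3,Parse IIS access logs,parsers
crowdsecurity/windows-auth,enabled,0.2,Parse windows authentication failure events (id 4625),parsers
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-open-proxy,"enabled,update-available",0.2,Detect scan for open proxy,scenarios
"""

# Hub items the IIS detection chain in this issue relies on (assumption for
# the example; the issue lists them as installed but does not name them as a set).
IIS_CHAIN = ["crowdsecurity/iis", "crowdsecurity/iis-logs", "crowdsecurity/base-http-scenarios"]


def parse_hub_list(raw):
    """Parse `cscli hub list -o raw` output into a list of dicts.

    The status field may read "enabled,update-available" and is therefore
    quoted in the CSV; csv.reader handles that, a naive split would not.
    """
    items = []
    for row in csv.reader(io.StringIO(raw)):
        if len(row) != 5:
            continue  # blank line or a row we do not understand
        name, status, version, description, kind = row
        flags = {f.strip() for f in status.split(",")}
        items.append({
            "name": name,
            "enabled": "enabled" in flags,
            "update_available": "update-available" in flags,
            "version": version,
            "description": description.strip(),
            "type": kind,
        })
    return items


def outdated_by_type(items):
    """Map hub type -> sorted names of enabled items with an update pending."""
    out = defaultdict(list)
    for it in items:
        if it["enabled"] and it["update_available"]:
            out[it["type"]].append(it["name"])
    return {kind: sorted(names) for kind, names in out.items()}


def chain_status(items, chain):
    """For each name in `chain`, report 'missing', 'outdated' or 'current'."""
    by_name = {it["name"]: it for it in items}
    status = {}
    for name in chain:
        it = by_name.get(name)
        if it is None or not it["enabled"]:
            status[name] = "missing"
        elif it["update_available"]:
            status[name] = "outdated"
        else:
            status[name] = "current"
    return status


if __name__ == "__main__":
    parsed = parse_hub_list(SAMPLE_HUB_LIST)
    for kind, names in sorted(outdated_by_type(parsed).items()):
        print(f"{kind}: update available for {', '.join(names)}")
    for name, state in chain_status(parsed, IIS_CHAIN).items():
        print(f"{name}: {state}")
```

Run it against the real output with `cscli hub list -o raw > hub.csv` and `parse_hub_list(open("hub.csv").read())`; anything reported as `outdated` or `missing` in the chain is the first thing to fix (`cscli hub upgrade`) before debugging why a parser sees no lines.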

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
source: wineventlog
event_channel: Security
event_ids:
  - 4625
  - 4623
event_level: information
labels:
  type: eventlog
---
source: wineventlog
event_channel: Microsoft-IIS-Logging/Logs
event_ids:
  - 6200
event_level: information
labels:
  type: iis
---
filenames:
  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
labels:
  type: windows-firewall
```

Config show

```console
$ cscli config show
Global:
   - Configuration Folder   : C:\ProgramData\CrowdSec\config
   - Data Folder            : C:\ProgramData\CrowdSec\data
   - Hub Folder             : C:\ProgramData\CrowdSec\hub
   - Simulation File        : C:\ProgramData\CrowdSec\config\simulation.yaml
   - Log Folder             : C:\ProgramData\CrowdSec\log\
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : C:\ProgramData\CrowdSec\config\acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : C:\ProgramData\CrowdSec\hub
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : C:\ProgramData\Crowdsec\config\profiles.yaml
  - Trusted IPs:
  - Database:
      - Type                : sqlite
      - Path                : C:\ProgramData\CrowdSec\data\crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

```console
$ cscli metrics
Acquisition Metrics:
╭──────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│ Source       │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├──────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ wineventlog: │            │              │                │                        │
╰──────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭──────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Bucket                   │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/windows-bf │ -             │ -         │ 1            │ 1      │ 1       │
╰──────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                        │ Hits │ Parsed │ Unparsed │
├────────────────────────────────┼──────┼────────┼──────────┤
│ crowdsecurity/dateparse-enrich │ 1    │ 1      │ -        │
│ crowdsecurity/geoip-enrich     │ 1    │ 1      │ -        │
│ crowdsecurity/windows-auth     │ 1    │ 1      │ -        │
│ crowdsecurity/windows-eventlog │ 1    │ 1      │ -        │
╰────────────────────────────────┴──────┴────────┴──────────╯

Local Api Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/decisions/stream │ GET    │ 131  │
│ /v1/heartbeat        │ GET    │ 21   │
│ /v1/watchers/login   │ POST   │ 2    │
╰──────────────────────┴────────┴──────╯

Local Api Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ aedba0df6c40493b907d4084f59f830bMTTcuk4ffb3qopDf │ /v1/heartbeat │ GET    │ 21   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Local Api Bouncers Metrics:
╭─────────────────────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer                                     │ Route                │ Method │ Hits │
├─────────────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ windows-firewall-bouncer-202211161217563065 │ /v1/decisions/stream │ GET    │ 131  │
╰─────────────────────────────────────────────┴──────────────────────┴────────┴──────╯

Local Api Decisions:
╭──────────────────────────┬────────┬────────┬───────╮
│ Reason                   │ Origin │ Action │ Count │
├──────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/windows-bf │ CAPI   │ ban    │ 1426  │
╰──────────────────────────┴────────┴────────┴───────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

LaurenceJJones commented 1 year ago

@war3zlod3r This is resolved now?

LaurenceJJones commented 1 year ago

Closing due to resolution via Discord; if I am incorrect, please reopen the issue or ping me via the Discord thread.

war3zlod3r commented 1 year ago

Thanks so much!