crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
9.15k stars 472 forks source link

Docker image marks crowdsecurity/linux as tainted on first start #2202

Closed AlexisPPLIN closed 1 year ago

AlexisPPLIN commented 1 year ago

What happened?

Hi !

With the last version of the crowdsec docker image (crowdsecurity/crowdsec:v1.4.6). By default the collection crowdsecurity/linux and crowdsecurity/sshd are tainted.

So the parsers do no work out of the box.

Did I miss something ?

What did you expect to happen?

On a new container, using COLLECTION environnement variable. Every collections should be working without others commands.

Workaround

After the first start, we have to reinstall the crowdsecurity/linux collection.

$ cscli collections list
COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                  📦 Status           Version   Local Path                                           
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2                 ✔️ enabled           0.1       /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/base-http-scenarios     ✔️ enabled           0.6       /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/http-cve                ✔️ enabled           2.0       /etc/crowdsec/collections/http-cve.yaml              
 crowdsecurity/linux                   ⚠️ enabled,tainted   0.2       /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/mariadb                 ✔️ enabled           0.1       /etc/crowdsec/collections/mariadb.yaml               
 crowdsecurity/sshd                    ⚠️ enabled,tainted   0.2       /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/traefik                 ✔️ enabled           0.1       /etc/crowdsec/collections/traefik.yaml               
 crowdsecurity/whitelist-good-actors   ✔️ enabled           0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

$ cscli collection remove crowdsecurity/linux --force
...
$ cscli collection install crowdsecurity/linux
...

$ cscli collections list
COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                  📦 Status   Version   Local Path                                           
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2                 ✔️ enabled   0.1       /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/base-http-scenarios     ✔️ enabled   0.6       /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/http-cve                ✔️ enabled   2.0       /etc/crowdsec/collections/http-cve.yaml              
 crowdsecurity/linux                   ✔️ enabled   0.2       /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/mariadb                 ✔️ enabled   0.1       /etc/crowdsec/collections/mariadb.yaml               
 crowdsecurity/sshd                    ✔️ enabled   0.2       /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/traefik                 ✔️ enabled   0.1       /etc/crowdsec/collections/traefik.yaml               
 crowdsecurity/whitelist-good-actors   ✔️ enabled   0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────

How can we reproduce it (as minimally and precisely as possible)?

1. Start fresh new crowdsecurity/crowdsec docker container :

2. Attach with bash on newly started container :

$ docker exec -it <container_id> bash

3. Check installed collections :

$ cscli collections list
COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                  📦 Status           Version   Local Path                                           
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2                 ✔️ enabled           0.1       /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/base-http-scenarios     ✔️ enabled           0.6       /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/http-cve                ✔️ enabled           2.0       /etc/crowdsec/collections/http-cve.yaml              
 crowdsecurity/linux                   ⚠️ enabled,tainted   0.2       /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/mariadb                 ✔️ enabled           0.1       /etc/crowdsec/collections/mariadb.yaml               
 crowdsecurity/sshd                    ⚠️ enabled,tainted   0.2       /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/traefik                 ✔️ enabled           0.1       /etc/crowdsec/collections/traefik.yaml               
 crowdsecurity/whitelist-good-actors   ✔️ enabled           0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

As you see above, crowdsecurity/linux and crowdsecurity/sshd is marked as ⚠️ enabled,tainted

Anything else we need to know?

Crowdsec logs :

```console Populating configuration directory... Regenerate local agent credentials time="16-05-2023 16:02:21" level=info msg="push and pull to Central API disabled" time="16-05-2023 16:02:21" level=info msg="Machine 'localhost' successfully added to the local API" time="16-05-2023 16:02:21" level=info msg="API credentials dumped to '/etc/crowdsec/local_api_credentials.yaml'" Check if lapi needs to register an additional agent time="16-05-2023 16:02:21" level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing field)" time="16-05-2023 16:02:21" level=info msg="push and pull to Central API disabled" time="16-05-2023 16:02:22" level=info msg="Successfully registered to Central API (CAPI)" time="16-05-2023 16:02:22" level=info msg="Central API credentials dumped to '/etc/crowdsec//online_api_credentials.yaml'" time="16-05-2023 16:02:22" level=warning msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." Registration to online API done time="16-05-2023 16:02:22" level=info msg="Wrote new 666063 bytes index to /etc/crowdsec/hub/.index.json" time="16-05-2023 16:02:22" level=info msg="dependency of crowdsecurity/linux : missing parsers crowdsecurity/syslog-logs, tainted." time="16-05-2023 16:02:22" level=info msg="dependency of crowdsecurity/sshd : missing parsers crowdsecurity/sshd-logs, tainted." Object collections/crowdsecurity/linux is tainted, skipping time="16-05-2023 16:02:22" level=error msg="Item 'crowdsecurity/whitelists' not found in hub" time="16-05-2023 16:02:22" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:23" level=info msg="crowdsecurity/docker-logs : OK" time="16-05-2023 16:02:23" level=info msg="/etc/crowdsec/parsers/s00-raw doesn't exist, create" time="16-05-2023 16:02:23" level=info msg="Enabled parsers : crowdsecurity/docker-logs" time="16-05-2023 16:02:23" level=info msg="Enabled crowdsecurity/docker-logs" time="16-05-2023 16:02:23" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:23" level=info msg="crowdsecurity/traefik-logs : OK" time="16-05-2023 16:02:23" level=info msg="/etc/crowdsec/parsers/s01-parse doesn't exist, create" time="16-05-2023 16:02:23" level=info msg="Enabled parsers : crowdsecurity/traefik-logs" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-logs : OK" time="16-05-2023 16:02:23" level=info msg="Enabled parsers : crowdsecurity/http-logs" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-crawl-non_statics : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-crawl-non_statics" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-probing : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-probing" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-bad-user-agent : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt' in '/var/lib/crowdsec/data/bad_user_agents.regex.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-bad-user-agent" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-path-traversal-probing : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt' in '/var/lib/crowdsec/data/http_path_traversal.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-path-traversal-probing" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-sensitive-files : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt' in '/var/lib/crowdsec/data/sensitive_data.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-sensitive-files" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-sqli-probing : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt' in '/var/lib/crowdsec/data/sqli_probe_patterns.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-sqli-probing" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-xss-probing : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt' in '/var/lib/crowdsec/data/xss_probe_patterns.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-xss-probing" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-backdoors-attempts : OK" time="16-05-2023 16:02:23" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt' in '/var/lib/crowdsec/data/backdoors.txt'" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-backdoors-attempts" time="16-05-2023 16:02:23" level=info msg="ltsich/http-w00tw00t : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : ltsich/http-w00tw00t" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-generic-bf : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-generic-bf" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-open-proxy : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-open-proxy" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-cve-2021-41773 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-cve-2021-41773" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/http-cve-2021-42013 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/http-cve-2021-42013" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/grafana-cve-2021-43798 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/grafana-cve-2021-43798" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/vmware-vcenter-vmsa-2021-0027 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/vmware-vcenter-vmsa-2021-0027" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/fortinet-cve-2018-13379 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/fortinet-cve-2018-13379" time="16-05-2023 16:02:23" level=info msg="crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 : OK" time="16-05-2023 16:02:23" level=info msg="Enabled scenarios : crowdsecurity/pulse-secure-sslvpn-cve-2019-11510" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/f5-big-ip-cve-2020-5902 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/f5-big-ip-cve-2020-5902" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/thinkphp-cve-2018-20062 : OK" time="16-05-2023 16:02:24" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/thinkphp_cve_2018-20062.txt' in '/var/lib/crowdsec/data/thinkphp_cve_2018-20062.txt'" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/thinkphp-cve-2018-20062" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/apache_log4j2_cve-2021-44228 : OK" time="16-05-2023 16:02:24" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt' in '/var/lib/crowdsec/data/log4j2_cve_2021_44228.txt'" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/apache_log4j2_cve-2021-44228" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/jira_cve-2021-26086 : OK" time="16-05-2023 16:02:24" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt' in '/var/lib/crowdsec/data/jira_cve_2021-26086.txt'" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/jira_cve-2021-26086" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/spring4shell_cve-2022-22965 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/spring4shell_cve-2022-22965" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/vmware-cve-2022-22954 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/vmware-cve-2022-22954" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-37042 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-37042" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-41082 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-41082" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-35914 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-35914" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-40684 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-40684" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-26134 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-26134" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-42889 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-42889" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-41697 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-41697" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-46169 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-46169" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2022-44877 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2022-44877" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/CVE-2019-18935 : OK" time="16-05-2023 16:02:24" level=info msg="Enabled scenarios : crowdsecurity/CVE-2019-18935" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/http-cve : OK" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-cve : overwrite" time="16-05-2023 16:02:24" level=info msg="Enabled collections : crowdsecurity/http-cve" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/base-http-scenarios : OK" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/base-http-scenarios : overwrite" time="16-05-2023 16:02:24" level=info msg="/etc/crowdsec/collections/http-cve.yaml already exists." time="16-05-2023 16:02:24" level=info msg="Enabled collections : crowdsecurity/base-http-scenarios" time="16-05-2023 16:02:24" level=info msg="crowdsecurity/traefik : OK" time="16-05-2023 16:02:24" level=info msg="/etc/crowdsec/collections/http-cve.yaml already exists." time="16-05-2023 16:02:24" level=info msg="/etc/crowdsec/collections/base-http-scenarios.yaml already exists." time="16-05-2023 16:02:24" level=info msg="Enabled collections : crowdsecurity/traefik" time="16-05-2023 16:02:24" level=info msg="Enabled crowdsecurity/traefik" time="16-05-2023 16:02:24" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:24" level=info msg="crowdsecurity/apache2-logs : OK" time="16-05-2023 16:02:24" level=info msg="Enabled parsers : crowdsecurity/apache2-logs" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-logs : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-crawl-non_statics : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-probing : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-bad-user-agent : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-path-traversal-probing : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-sensitive-files : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-sqli-probing : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-xss-probing : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-backdoors-attempts : overwrite" time="16-05-2023 16:02:24" level=warning msg="ltsich/http-w00tw00t : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-generic-bf : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-open-proxy : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-cve-2021-41773 : overwrite" time="16-05-2023 16:02:24" level=warning msg="crowdsecurity/http-cve-2021-42013 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/grafana-cve-2021-43798 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/vmware-vcenter-vmsa-2021-0027 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/fortinet-cve-2018-13379 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/f5-big-ip-cve-2020-5902 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/thinkphp-cve-2018-20062 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/apache_log4j2_cve-2021-44228 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/jira_cve-2021-26086 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/spring4shell_cve-2022-22965 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/vmware-cve-2022-22954 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-37042 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-41082 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-35914 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-40684 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-26134 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-42889 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-41697 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-46169 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2022-44877 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/CVE-2019-18935 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-cve : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-cve : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/base-http-scenarios : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/base-http-scenarios : overwrite" time="16-05-2023 16:02:25" level=info msg="crowdsecurity/apache2 : OK" time="16-05-2023 16:02:25" level=info msg="/etc/crowdsec/collections/http-cve.yaml already exists." time="16-05-2023 16:02:25" level=info msg="/etc/crowdsec/collections/base-http-scenarios.yaml already exists." time="16-05-2023 16:02:25" level=info msg="Enabled collections : crowdsecurity/apache2" time="16-05-2023 16:02:25" level=info msg="Enabled crowdsecurity/apache2" time="16-05-2023 16:02:25" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-logs : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-crawl-non_statics : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-probing : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-bad-user-agent : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-path-traversal-probing : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-sensitive-files : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-sqli-probing : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-xss-probing : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-backdoors-attempts : overwrite" time="16-05-2023 16:02:25" level=warning msg="ltsich/http-w00tw00t : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-generic-bf : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-open-proxy : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-cve-2021-41773 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/http-cve-2021-42013 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/grafana-cve-2021-43798 : overwrite" time="16-05-2023 16:02:25" level=warning msg="crowdsecurity/vmware-vcenter-vmsa-2021-0027 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/fortinet-cve-2018-13379 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/f5-big-ip-cve-2020-5902 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/thinkphp-cve-2018-20062 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/apache_log4j2_cve-2021-44228 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/jira_cve-2021-26086 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/spring4shell_cve-2022-22965 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/vmware-cve-2022-22954 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-37042 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-41082 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-35914 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-40684 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-26134 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-42889 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-41697 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-46169 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2022-44877 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/CVE-2019-18935 : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/http-cve : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/http-cve : overwrite" time="16-05-2023 16:02:26" level=warning msg="crowdsecurity/base-http-scenarios : overwrite" time="16-05-2023 16:02:26" level=info msg="/etc/crowdsec/collections/http-cve.yaml already exists." time="16-05-2023 16:02:26" level=info msg="/etc/crowdsec/collections/base-http-scenarios.yaml already exists." time="16-05-2023 16:02:26" level=info msg="Enabled crowdsecurity/base-http-scenarios" time="16-05-2023 16:02:26" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:26" level=info msg="crowdsecurity/mariadb-logs : OK" time="16-05-2023 16:02:26" level=info msg="Enabled parsers : crowdsecurity/mariadb-logs" time="16-05-2023 16:02:26" level=info msg="crowdsecurity/mariadb-bf : OK" time="16-05-2023 16:02:26" level=info msg="Enabled scenarios : crowdsecurity/mariadb-bf" time="16-05-2023 16:02:26" level=info msg="crowdsecurity/mariadb : OK" time="16-05-2023 16:02:26" level=info msg="Enabled collections : crowdsecurity/mariadb" time="16-05-2023 16:02:26" level=info msg="Enabled crowdsecurity/mariadb" time="16-05-2023 16:02:26" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." time="16-05-2023 16:02:27" level=info msg="crowdsecurity/seo-bots-whitelist : OK" time="16-05-2023 16:02:27" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt' in '/var/lib/crowdsec/data/rdns_seo_bots.txt'" time="16-05-2023 16:02:27" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex' in '/var/lib/crowdsec/data/rdns_seo_bots.regex'" time="16-05-2023 16:02:27" level=info msg="downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt' in '/var/lib/crowdsec/data/ip_seo_bots.txt'" time="16-05-2023 16:02:27" level=info msg="/etc/crowdsec/postoverflows/s01-whitelist doesn't exist, create" time="16-05-2023 16:02:27" level=info msg="Enabled postoverflows : crowdsecurity/seo-bots-whitelist" time="16-05-2023 16:02:27" level=info msg="crowdsecurity/cdn-whitelist : OK" time="16-05-2023 16:02:27" level=info msg="downloading data 'https://www.cloudflare.com/ips-v4' in '/var/lib/crowdsec/data/cloudflare_ips.txt'" time="16-05-2023 16:02:27" level=info msg="downloading data 'https://www.cloudflare.com/ips-v6' in '/var/lib/crowdsec/data/cloudflare_ip6s.txt'" time="16-05-2023 16:02:27" level=info msg="Enabled postoverflows : crowdsecurity/cdn-whitelist" time="16-05-2023 16:02:27" level=info msg="crowdsecurity/rdns : OK" time="16-05-2023 16:02:27" level=info msg="/etc/crowdsec/postoverflows/s00-enrich doesn't exist, create" time="16-05-2023 16:02:27" level=info msg="Enabled postoverflows : crowdsecurity/rdns" time="16-05-2023 16:02:27" level=info msg="crowdsecurity/whitelist-good-actors : OK" time="16-05-2023 16:02:27" level=info msg="Enabled collections : crowdsecurity/whitelist-good-actors" time="16-05-2023 16:02:27" level=info msg="Enabled crowdsecurity/whitelist-good-actors" time="16-05-2023 16:02:27" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective." Registered bouncer for key_firewall time="2023-05-16T16:02:27+02:00" level=warning msg="Deprecation warning: the pid_dir config can be safely removed and is not required" time="16-05-2023 16:02:27" level=info msg="Crowdsec v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140" time="16-05-2023 16:02:27" level=info msg="Loading prometheus collectors" time="16-05-2023 16:02:27" level=info msg="Loading CAPI pusher" time="16-05-2023 16:02:27" level=info msg="CrowdSec Local API listening on 0.0.0.0:8080" time="16-05-2023 16:02:27" level=info msg="Start send metrics to CrowdSec Central API (interval: 42m10s once, then 30m0s)" time="16-05-2023 16:02:27" level=info msg="Start push to CrowdSec Central API (interval: 28s once, then 30s)" time="16-05-2023 16:02:27" level=warning msg="scenario list is empty, will not pull yet" time="16-05-2023 16:02:27" level=info msg="Loading grok library /etc/crowdsec/patterns" time="16-05-2023 16:02:28" level=info msg="capi metrics: metrics sent successfully" time="16-05-2023 16:02:28" level=info msg="Loading enrich plugins" time="16-05-2023 16:02:28" level=info msg="Successfully registered enricher 'GeoIpCity'" time="16-05-2023 16:02:28" level=info msg="Successfully registered enricher 'GeoIpASN'" time="16-05-2023 16:02:28" level=info msg="Successfully registered enricher 'IpToRange'" time="16-05-2023 16:02:28" level=info msg="Successfully registered enricher 'reverse_dns'" time="16-05-2023 16:02:28" level=info msg="Successfully registered enricher 'ParseDate'" time="16-05-2023 16:02:28" level=info msg="Loading parsers from 6 files" time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml stage=s01-parse time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/mariadb-logs.yaml stage=s01-parse time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/traefik-logs.yaml stage=s01-parse time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelist.yaml stage=s02-enrich time="16-05-2023 16:02:28" level=info msg="Loaded 6 nodes from 3 stages" time="16-05-2023 16:02:28" level=info msg="Loading postoverflow parsers" time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s00-enrich/rdns.yaml stage=s00-enrich time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelist/cdn-whitelist.yaml stage=s01-whitelist time="16-05-2023 16:02:28" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelist/seo-bots-whitelist.yaml stage=s01-whitelist time="16-05-2023 16:02:28" level=info msg="Loaded 3 nodes from 2 stages" time="16-05-2023 16:02:28" level=info msg="Loading 36 scenario files" time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=holy-snow file=/etc/crowdsec/scenarios/CVE-2022-44877.yaml name=crowdsecurity/CVE-2022-44877 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=little-dawn file=/etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml name=crowdsecurity/vmware-cve-2022-22954 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=snowy-shape file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=autumn-thunder file=/etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml name=crowdsecurity/f5-big-ip-cve-2020-5902 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=billowing-snowflake file=/etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml name=crowdsecurity/fortinet-cve-2018-13379 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=bitter-wildflower file=/etc/crowdsec/scenarios/http-cve-2021-41773.yaml name=crowdsecurity/http-cve-2021-41773 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=broken-wood file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=withered-dust file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=restless-smoke file=/etc/crowdsec/scenarios/CVE-2022-40684.yaml name=crowdsecurity/fortinet-cve-2022-40684 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=weathered-bird file=/etc/crowdsec/scenarios/CVE-2022-46169.yaml name=crowdsecurity/CVE-2022-46169-bf time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=hidden-dream file=/etc/crowdsec/scenarios/CVE-2022-46169.yaml name=crowdsecurity/CVE-2022-46169-cmd time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=floral-field file=/etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml name=crowdsecurity/grafana-cve-2021-43798 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=billowing-dawn file=/etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml name=crowdsecurity/vmware-vcenter-vmsa-2021-0027 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=crimson-wood file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=crowdsecurity/http-generic-bf time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=broken-hill file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-401-bf time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=snowy-wave file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-403-bf time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=proud-river file=/etc/crowdsec/scenarios/http-cve-2021-42013.yaml name=crowdsecurity/http-cve-2021-42013 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=proud-frog file=/etc/crowdsec/scenarios/CVE-2022-35914.yaml name=crowdsecurity/CVE-2022-35914 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=frosty-firefly file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=broken-dust file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=late-pine file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=red-shadow file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=long-bush file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=dry-bird file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=sparkling-sun file=/etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=silent-moon file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=falling-butterfly file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=divine-hill file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=floral-surf file=/etc/crowdsec/scenarios/CVE-2019-18935.yaml name=crowdsecurity/CVE-2019-18935 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=icy-leaf file=/etc/crowdsec/scenarios/jira_cve-2021-26086.yaml name=crowdsecurity/jira_cve-2021-26086 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=silent-thunder file=/etc/crowdsec/scenarios/mariadb-bf.yaml name=crowdsecurity/mariadb-bf time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=dry-lake file=/etc/crowdsec/scenarios/CVE-2022-26134.yaml name=crowdsecurity/CVE-2022-26134 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=lively-bird file=/etc/crowdsec/scenarios/http-open-proxy.yaml name=crowdsecurity/http-open-proxy time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=purple-star file=/etc/crowdsec/scenarios/CVE-2022-41697.yaml name=crowdsecurity/CVE-2022-41697 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=green-sky file=/etc/crowdsec/scenarios/CVE-2022-42889.yaml name=crowdsecurity/CVE-2022-42889 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=small-paper file=/etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml name=crowdsecurity/spring4shell_cve-2022-22965 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=white-fire file=/etc/crowdsec/scenarios/CVE-2022-41082.yaml name=crowdsecurity/CVE-2022-41082 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=spring-shape file=/etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml name=crowdsecurity/apache_log4j2_cve-2021-44228 time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=restless-dawn file=/etc/crowdsec/scenarios/CVE-2022-37042.yaml name=crowdsecurity/CVE-2022-37042 time="16-05-2023 16:02:28" level=info msg="Adding leaky bucket" cfg=purple-snowflake file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing time="16-05-2023 16:02:28" level=info msg="Adding trigger bucket" cfg=frosty-cherry file=/etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml name=crowdsecurity/thinkphp-cve-2018-20062 time="16-05-2023 16:02:28" level=warning msg="Loaded 41 scenarios" time="16-05-2023 16:02:28" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml" time="16-05-2023 16:02:28" level=warning msg="No matching files for pattern /logs/auth.log" type=file time="16-05-2023 16:02:28" level=info msg="Starting processing data" time="16-05-2023 16:02:28" level=info msg="Starting docker acquisition" type=docker time="16-05-2023 16:02:28" level=info msg="Container watcher started, interval: 1s" type=docker time="16-05-2023 16:02:28" level=info msg="Starting docker acquisition" type=docker time="16-05-2023 16:02:28" level=info msg="Starting docker acquisition" type=docker time="16-05-2023 16:02:28" level=info msg="DockerSource Manager started" type=docker time="16-05-2023 16:02:28" level=info msg="Container watcher started, interval: 1s" type=docker time="16-05-2023 16:02:28" level=info msg="Container watcher started, interval: 1s" type=docker time="16-05-2023 16:02:28" level=info msg="Starting docker acquisition" type=docker time="16-05-2023 16:02:28" level=info msg="DockerSource Manager started" type=docker time="16-05-2023 16:02:28" level=info msg="DockerSource Manager started" type=docker time="16-05-2023 16:02:28" level=info msg="Container watcher started, interval: 1s" type=docker time="16-05-2023 16:02:28" level=info msg="DockerSource Manager started" type=docker time="16-05-2023 16:02:28" level=info msg="127.0.0.1 - [Tue, 16 May 2023 16:02:28 CEST] \"POST /v1/watchers/login HTTP/1.1 200 135.831184ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \"" time="16-05-2023 16:02:28" level=info msg="127.0.0.1 - [Tue, 16 May 2023 16:02:28 CEST] \"POST /v1/watchers/login HTTP/1.1 200 135.136707ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \"" time="16-05-2023 16:02:29" level=info msg="Starting community-blocklist update" time="16-05-2023 16:02:29" level=info msg="capi/community-blocklist : 0 explicit deletions" time="16-05-2023 16:02:29" level=info msg="capi/community-blocklist : received 0 new entries (expected if you just installed crowdsec)" time="16-05-2023 16:02:29" level=info msg="Start pull from CrowdSec Central API (interval: 2h4m30s once, then 2h0m0s)" ```

Crowdsec version

```console $ cscli version 2023/05/16 15:11:50 version: v1.4.6-5f71037b40c498045e1b59923504469e2b8d0140 2023/05/16 15:11:50 Codename: alphaga 2023/05/16 15:11:50 BuildDate: 2023-02-09_14:37:12 2023/05/16 15:11:50 GoVersion: 1.19.5 2023/05/16 15:11:50 Platform: linux 2023/05/16 15:11:50 Constraint_parser: >= 1.0, <= 2.0 2023/05/16 15:11:50 Constraint_scenario: >= 1.0, < 3.0 2023/05/16 15:11:50 Constraint_api: v1 2023/05/16 15:11:50 Constraint_acquis: >= 1.0, < 2.0 ```

OS version

```console # On Linux: $ cat /etc/os-release ID=alpine VERSION_ID=3.17.1 PRETTY_NAME="Alpine Linux v3.17" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues" $ uname -a Linux 4d3dacc55f94 6.2.15-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 17:37:39 UTC 2023 x86_64 Linux ```

Enabled collections and parsers

```console $ cscli hub list -o raw crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios ,collections crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections crowdsecurity/http-cve,enabled,2.0,,collections crowdsecurity/linux,"enabled,tainted",0.2,core linux support : syslog+geoip+ssh,collections crowdsecurity/mariadb,enabled,0.1,mariadb support : logs and brute-force scenarios,collections crowdsecurity/sshd,"enabled,tainted",0.2,sshd support : parser and brute-force detection,collections crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections crowdsecurity/apache2-logs,enabled,1.3,Parse Apache2 access and error logs,parsers crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers crowdsecurity/http-logs,enabled,1.1,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers crowdsecurity/mariadb-logs,enabled,0.4,Parse MariaDB logs,parsers crowdsecurity/traefik-logs,enabled,0.6,Parse Traefik access logs,parsers whitelist.yaml,"enabled,local",n/a,,parsers crowdsecurity/CVE-2019-18935,enabled,0.1,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios crowdsecurity/mariadb-bf,enabled,0.1,Detect mariadb bruteforce,scenarios crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows crowdsecurity/rdns,enabled,0.2,Lookup the DNS associated to the source IP only for overflows,postoverflows crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows ```

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* source: docker container_name_regexp: - '^.*-web-.*$' labels: type: apache2 --- source: docker container_name_regexp: - '^.*-phpmyadmin-.*$' labels: type: apache2 --- source: file filenames: - /logs/auth.log labels: type: sshd --- source: docker container_name_regexp: - '^.*-db-.*$' labels: type: mariadb --- source: docker container_name_regexp: - '^.*-proxy-.*$' labels: type: traefik

Config show

```console $ cscli config show Global: - Configuration Folder : /etc/crowdsec - Data Folder : /var/lib/crowdsec/data - Hub Folder : /etc/crowdsec/hub - Simulation File : /etc/crowdsec/simulation.yaml - Log Folder : /var/log/ - Log level : info - Log Media : stdout Crowdsec: - Acquisition File : /etc/crowdsec/acquis.yaml - Parsers routines : 1 cscli: - Output : human - Hub Branch : - Hub Folder : /etc/crowdsec/hub Local API Server: - Listen URL : 0.0.0.0:8080 - Profile File : /etc/crowdsec/profiles.yaml - Trusted IPs: - 127.0.0.1 - ::1 - Database: - Type : sqlite - Path : /var/lib/crowdsec/data/crowdsec.db - Flush age : 7d - Flush size : 5000 ```

Prometheus metrics

```console $ cscli metrics Acquisition Metrics: ╭─────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮ │ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ ├─────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤ │ docker:/node-phpmyadmin-1 │ 514 │ - │ 514 │ - │ │ docker:/node-proxy-1 │ 514 │ - │ 514 │ - │ ╰─────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯ Local Api Metrics: ╭────────────────────┬────────┬──────╮ │ Route │ Method │ Hits │ ├────────────────────┼────────┼──────┤ │ /v1/heartbeat │ GET │ 43 │ │ /v1/watchers/login │ POST │ 2 │ ╰────────────────────┴────────┴──────╯ Local Api Machines Metrics: ╭───────────┬───────────────┬────────┬──────╮ │ Machine │ Route │ Method │ Hits │ ├───────────┼───────────────┼────────┼──────┤ │ localhost │ /v1/heartbeat │ GET │ 43 │ ╰───────────┴───────────────┴────────┴──────╯ Local Api Decisions: ╭────────────────────────────────────────────┬────────┬────────┬───────╮ │ Reason │ Origin │ Action │ Count │ ├────────────────────────────────────────────┼────────┼────────┼───────┤ │ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 20 │ │ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 35 │ │ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 1 │ │ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 74 │ │ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 85 │ │ crowdsecurity/CVE-2022-26134 │ CAPI │ ban │ 1 │ │ crowdsecurity/CVE-2022-41082 │ CAPI │ ban │ 29 │ │ crowdsecurity/mariadb-bf │ CAPI │ ban │ 3 │ │ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 3 │ │ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 40 │ │ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 17 │ │ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 3632 │ │ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 371 │ │ crowdsecurity/http-generic-bf │ CAPI │ ban │ 4 │ │ crowdsecurity/http-probing │ CAPI │ ban │ 1955 │ │ crowdsecurity/spring4shell_cve-2022-22965 │ CAPI │ ban │ 1 │ │ crowdsecurity/CVE-2019-18935 │ CAPI │ ban │ 6 │ │ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 5 │ │ crowdsecurity/vmware-cve-2022-22954 │ CAPI │ ban │ 1 │ │ crowdsecurity/ssh-bf │ CAPI │ ban │ 8547 │ │ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 3354 │ │ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 39 │ │ crowdsecurity/http-open-proxy │ CAPI │ ban │ 181 │ │ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 173 │ ╰────────────────────────────────────────────┴────────┴────────┴───────╯ ```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 1 year ago

@AlexisPPLIN: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
LaurenceJJones commented 1 year ago

Hey thank you for opening an issue:

The mount point you provided wouldn't make a direct difference because all parsers/scenarios are held under /etc/crowdsec/ rather than the data directory.

So the parsers do no work out of the box.

This is not the case, the term tainted means the local copy you have is not the same as the copy we have within the hub repo.

Tried to replicate but to no success maybe you have /etc/crowdsec/ mounted and it was removed on host?

vagrant@bullseye:/opt/cs-firewall-bouncer$ sudo docker run -d -e COLLECTIONS="crowdsecurity/traefik crowdsecurity/apache2 crowdsecurity/base-http-scenarios crowdsecurity/mariadb crowdsecurity/whitelist-good-actors" crowdsecurity/crowdsec:v1.4.6
9cb6872a18d78cf9608732a7c6d1cbb162cdbf4e4b31cbc0c837468c7fb62ab9
vagrant@bullseye:/opt/cs-firewall-bouncer$ sudo docker exec -it 9cb6872a18d78cf9608732a7c6d1cbb162cdbf4e4b31cbc0c837468c7fb62ab9 cscli collections list

COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name                                  📦 Status   Version   Local Path                                  
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/apache2                 ✔ enabled   0.1       /etc/crowdsec/collections/apache2.yaml      
crowdsecurity/base-http-scenarios     ✔ enabled   0.6       /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/http-cve                ✔ enabled   2.0       /etc/crowdsec/collections/http-cve.yaml     
crowdsecurity/linux                   ✔ enabled   0.2       /etc/crowdsec/collections/linux.yaml        
crowdsecurity/mariadb                 ✔ enabled   0.1       /etc/crowdsec/collections/mariadb.yaml      
crowdsecurity/sshd                    ✔ enabled   0.2       /etc/crowdsec/collections/sshd.yaml         
crowdsecurity/traefik                 ✔ enabled   0.1       /etc/crowdsec/collections/traefik.yaml      
crowdsecurity/whitelist-good-actors   ✔ enabled   0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
vagrant@bullseye:/opt/cs-firewall-bouncer$
LaurenceJJones commented 1 year ago

Incase the mounting made a difference here a full reproduce:

vagrant@bullseye:~$ sudo docker run -d -v "$PWD/empty:/var/lib/crowdsec/data" -e COLLECTIONS="crowdsecurity/traefik crowdsecurity/apache2 crowdsecurity/base-http-scenarios crowdsecurity/mariadb crowdsecurity/whitelist-good-actors" crowdsecurity/crowdsec:v1.4.6
1e8c3b94c531cfb1a2b8c4cb1cbf4b2df6b9c2caa696c0599d98e1b538e2d748
vagrant@bullseye:~$ ll
-bash: ll: command not found
vagrant@bullseye:~$ cd empty
vagrant@bullseye:~/empty$ ls -la
total 128
drwxr-xr-x 2 vagrant vagrant  4096 May 16 14:35 .
drwxr-xr-x 6 vagrant vagrant  4096 May 16 14:34 ..
lrwxrwxrwx 1 root    root       48 May 16 14:35 GeoLite2-ASN.mmdb -> /staging/var/lib/crowdsec/data/GeoLite2-ASN.mmdb
lrwxrwxrwx 1 root    root       49 May 16 14:35 GeoLite2-City.mmdb -> /staging/var/lib/crowdsec/data/GeoLite2-City.mmdb
-rw-r--r-- 1 root    root     2593 May 16 14:35 backdoors.txt
-rw-r--r-- 1 root    root     9824 May 16 14:35 bad_user_agents.regex.txt
-rw-r--r-- 1 root    root      104 May 16 14:35 cloudflare_ip6s.txt
-rw-r--r-- 1 root    root      230 May 16 14:35 cloudflare_ips.txt
-rw-r----- 1 root    root    57344 May 16 14:35 crowdsec.db
-rw-r--r-- 1 root    root      448 May 16 14:35 http_path_traversal.txt
-rw-r--r-- 1 root    root      401 May 16 14:35 ip_seo_bots.txt
-rw-r--r-- 1 root    root      749 May 16 14:35 jira_cve_2021-26086.txt
-rw-r--r-- 1 root    root     1432 May 16 14:35 log4j2_cve_2021_44228.txt
-rw-r--r-- 1 root    root      245 May 16 14:35 rdns_seo_bots.regex
-rw-r--r-- 1 root    root      154 May 16 14:35 rdns_seo_bots.txt
-rw-r--r-- 1 root    root     1021 May 16 14:35 sensitive_data.txt
-rw-r--r-- 1 root    root      249 May 16 14:35 sqli_probe_patterns.txt
-rw-r--r-- 1 root    root      935 May 16 14:35 thinkphp_cve_2018-20062.txt
-rw-r--r-- 1 root    root      274 May 16 14:35 xss_probe_patterns.txt
vagrant@bullseye:~/empty$ sudo docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED          STATUS          PORTS     NAMES
1e8c3b94c531   crowdsecurity/crowdsec:v1.4.6   "/bin/sh -c '/bin/ba…"   20 seconds ago   Up 19 seconds   nifty_dubinsky
vagrant@bullseye:~/empty$ sudo docker exec -it 1e8c3b94c531 cscli collections list

COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name                                  📦 Status   Version   Local Path                                  
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/apache2                 ✔ enabled   0.1       /etc/crowdsec/collections/apache2.yaml      
crowdsecurity/base-http-scenarios     ✔ enabled   0.6       /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/http-cve                ✔ enabled   2.0       /etc/crowdsec/collections/http-cve.yaml     
crowdsecurity/linux                   ✔ enabled   0.2       /etc/crowdsec/collections/linux.yaml        
crowdsecurity/mariadb                 ✔ enabled   0.1       /etc/crowdsec/collections/mariadb.yaml      
crowdsecurity/sshd                    ✔ enabled   0.2       /etc/crowdsec/collections/sshd.yaml         
crowdsecurity/traefik                 ✔ enabled   0.1       /etc/crowdsec/collections/traefik.yaml      
crowdsecurity/whitelist-good-actors   ✔ enabled   0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
vagrant@bullseye:~/empty$
AlexisPPLIN commented 1 year ago

Thanks for your reply !

This is not the case, the term tainted means the local copy you have is not the same as the copy we have within the hub repo.

My bad, thanks for the clarification.

Tried to replicate but to no success maybe you have /etc/crowdsec/ mounted and it was removed on host?

I only have two mount on this container : .docker_data/crowdsec:/var/lib/crowdsec/data and /var/run/docker.sock:/var/run/docker.sock

$ ls -l .docker_data/crowdsec
-rw-r--r--. 1 root root  2593 16 mai   16:02 backdoors.txt
-rw-r--r--. 1 root root  9824 16 mai   16:02 bad_user_agents.regex.txt
-rw-r--r--. 1 root root   104 16 mai   16:02 cloudflare_ip6s.txt
-rw-r--r--. 1 root root   230 16 mai   16:02 cloudflare_ips.txt
-rw-r-----. 1 root root 57344 16 mai   16:26 crowdsec.db
lrwxrwxrwx. 1 root root    48 16 mai   16:02 GeoLite2-ASN.mmdb -> /staging/var/lib/crowdsec/data/GeoLite2-ASN.mmdb
lrwxrwxrwx. 1 root root    49 16 mai   16:02 GeoLite2-City.mmdb -> /staging/var/lib/crowdsec/data/GeoLite2-City.mmdb
-rw-r--r--. 1 root root   448 16 mai   16:02 http_path_traversal.txt
-rw-r--r--. 1 root root   401 16 mai   16:02 ip_seo_bots.txt
-rw-r--r--. 1 root root   749 16 mai   16:02 jira_cve_2021-26086.txt
-rw-r--r--. 1 root root  1432 16 mai   16:02 log4j2_cve_2021_44228.txt
-rw-r--r--. 1 root root   245 16 mai   16:02 rdns_seo_bots.regex
-rw-r--r--. 1 root root   154 16 mai   16:02 rdns_seo_bots.txt
-rw-r--r--. 1 root root  1021 16 mai   16:02 sensitive_data.txt
-rw-r--r--. 1 root root   249 16 mai   16:02 sqli_probe_patterns.txt
-rw-r--r--. 1 root root   935 16 mai   16:02 thinkphp_cve_2018-20062.txt
-rw-r--r--. 1 root root   274 16 mai   16:02 xss_probe_patterns.txt

Maybe it's a misconfig in my Dockerfile ?

FROM crowdsecurity/crowdsec:v1.4.6

COPY ./docker/config/crowdsec/acquis.yaml /staging/etc/crowdsec/acquis.yaml
COPY ./docker/config/crowdsec/whitelist.yaml /etc/crowdsec/parsers/s02-enrich/whitelist.yaml

ENV TZ=Europe/Paris
ENV COLLECTIONS="crowdsecurity/traefik crowdsecurity/apache2 crowdsecurity/base-http-scenarios crowdsecurity/mariadb crowdsecurity/whitelist-good-actors"

HEALTHCHECK --interval=5s --timeout=5s --start-period=5s --retries=5 \
    CMD wget -nv -t1 --spider http://localhost:8080/health
LaurenceJJones commented 1 year ago

I tried to replicate it to no success even using a custom image like the one you provided. So I am going to close the issue as completed, if the issue comes back or persists please reopen