crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Duplicated alerts use the same source IP #2237

Open ppkarwasz opened 1 year ago

ppkarwasz commented 1 year ago

What happened?

My server is subject to batches of brute force attacks that target a single user, but are thrown from multiple IPs. No IP appears more than once per batch.

Therefore I use a scenario grouped by target user and not IP.

Each time the bucket overflows, 6 alerts are issued, but they all use the same source IP (the source_ip of the event that caused the overflow).

What did you expect to happen?

I would expect 6 alerts for 6 different IPs.

How can we reproduce it (as minimally and precisely as possible)?

To reproduce this issue you can use a scenario like this:

```yaml
type: leaky
#debug: true
name: pkarwasz/exim-ddos-slow-bf
description: "Detect Exim distributed brute force attack"
filter: "evt.Meta.log_type == 'exim_failed_auth'"
groupby: evt.Meta.target_user
capacity: 5
leakspeed: 10m
blackhole: 1m
labels:
  service: exim
  type: bf
  remediation: true
```

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
2023/05/26 18:06:30 version: v1.5.1-debian-pragmatic-eddb994c0b48d77b34a3f22b719dc5716670d2ae
2023/05/26 18:06:30 Codename: alphaga
2023/05/26 18:06:30 BuildDate: 2023-05-17_10:56:55
2023/05/26 18:06:30 GoVersion: 1.20.1
2023/05/26 18:06:30 Platform: linux
2023/05/26 18:06:30 Constraint_parser: >= 1.0, <= 2.0
2023/05/26 18:06:30 Constraint_scenario: >= 1.0, < 3.0
2023/05/26 18:06:30 Constraint_api: v1
2023/05/26 18:06:30 Constraint_acquis: >= 1.0, < 2.0
```

OS version

No response

Enabled collections and parsers

No response

Acquisition config

No response

Config show

No response

Prometheus metrics

No response

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response
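The following is an added example, not code from the issue reporter or from the CrowdSec project: a small Go model of the scenario above (leaky bucket keyed by `groupby`, `capacity: 5`, `leakspeed: 10m`, `blackhole: 1m`) fed with a constructed batch of six failed logins against one account from six different TEST-NET-3 addresses. It implements two overflow policies side by side: `perSource=false` reproduces what the report describes (every alert repeats the IP of the event that tipped the bucket), and `perSource=true` emits one alert per distinct source IP still held in the bucket, which is what a remediation on a user-grouped scenario actually needs. The event field names, the `Alert` shape and the leak/blackhole arithmetic are simplifying assumptions of this example, not CrowdSec internals.

```go
package main

import (
	"fmt"
	"time"
)

// Event carries only the fields the issue's scenario reads (assumed field names).
type Event struct {
	Time                          time.Time
	LogType, SourceIP, TargetUser string
}

// Alert is one remediation target emitted on overflow.
type Alert struct{ Scenario, GroupKey, SourceIP string }

type bucket struct {
	queue                  []Event
	lastLeak, blackholeEnd time.Time
}

// Scenario holds the parameters of pkarwasz/exim-ddos-slow-bf, one bucket per groupby key.
type Scenario struct {
	Name                 string
	Capacity             int
	LeakSpeed, Blackhole time.Duration
	buckets              map[string]*bucket
}

// Feed applies filter, groupby, leak, capacity and blackhole to one event and returns the
// alerts an overflow raises. perSource=false repeats the overflowing event's IP (as reported).
func (s *Scenario) Feed(evt Event, perSource bool) []Alert {
	if evt.LogType != "exim_failed_auth" { // filter
		return nil
	}
	key := evt.TargetUser // groupby: the victim account, not the source IP
	b := s.buckets[key]
	if b == nil {
		if s.buckets == nil {
			s.buckets = map[string]*bucket{}
		}
		b = &bucket{lastLeak: evt.Time}
		s.buckets[key] = b
	}
	if evt.Time.Before(b.blackholeEnd) { // post-overflow blackhole: 1m
		return nil
	}
	if n := int(evt.Time.Sub(b.lastLeak) / s.LeakSpeed); n > 0 { // leak one event per leakspeed
		b.lastLeak = b.lastLeak.Add(time.Duration(n) * s.LeakSpeed)
		if n > len(b.queue) {
			n = len(b.queue)
		}
		b.queue = b.queue[n:]
	}
	b.queue = append(b.queue, evt)
	if len(b.queue) <= s.Capacity { // capacity 5: the 6th queued event overflows
		return nil
	}
	var alerts []Alert
	if perSource {
		seen := map[string]bool{}
		for _, e := range b.queue {
			if !seen[e.SourceIP] {
				seen[e.SourceIP] = true
				alerts = append(alerts, Alert{s.Name, key, e.SourceIP})
			}
		}
	} else {
		for range b.queue {
			alerts = append(alerts, Alert{s.Name, key, evt.SourceIP})
		}
	}
	b.queue, b.blackholeEnd = nil, evt.Time.Add(s.Blackhole)
	return alerts
}

// RunBatch feeds a constructed batch (TEST-NET-3 addresses): seven failed logins for
// "alice", 30 s apart, each from a different IP. The 6th overflows; the 7th is blackholed.
func RunBatch(perSource bool) []Alert {
	s := &Scenario{Name: "pkarwasz/exim-ddos-slow-bf", Capacity: 5, LeakSpeed: 10 * time.Minute, Blackhole: time.Minute}
	base := time.Date(2023, 5, 26, 18, 0, 0, 0, time.UTC)
	var out []Alert
	for i := 1; i <= 7; i++ {
		evt := Event{base.Add(time.Duration(30*i) * time.Second), "exim_failed_auth", fmt.Sprintf("203.0.113.%d", i), "alice"}
		out = append(out, s.Feed(evt, perSource)...)
	}
	return out
}

// DistinctIPs counts how many different source IPs a set of alerts would remediate.
func DistinctIPs(alerts []Alert) int {
	seen := map[string]bool{}
	for _, a := range alerts {
		seen[a.SourceIP] = true
	}
	return len(seen)
}

func main() {
	obs, exp := RunBatch(false), RunBatch(true)
	fmt.Println(len(obs), "alerts on", DistinctIPs(obs), "IP(s) as reported;", len(exp), "alerts on", DistinctIPs(exp), "IPs expected")
}
```

Running it prints `6 alerts on 1 IP(s) as reported; 6 alerts on 6 IPs expected`. The operational point is the second number: with `remediation: true`, six alerts that all name the last attacker's IP ban one address and leave the other five untouched, while the batch was designed so that no single IP trips an IP-keyed scenario. The seventh event also shows the `blackhole` caveat: attempts landing inside the 1m window after an overflow are dropped, not queued for the next one.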

github-actions[bot] commented 1 year ago

@ppkarwasz: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
ppkarwasz commented 1 year ago

I am unable to reproduce the hub-test failure locally, flaky test?

LaurenceJJones commented 1 year ago

Flaky tests recently. We are working on a fix on the hub side. Don't worry, we will pick this up starting tomorrow.