crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

config restore fails if acquis.d directory already exists #2503

Closed smac89 closed 11 months ago

smac89 commented 11 months ago

What happened?

`sudo cscli config restore <path to backup folder>` fails if `/etc/crowdsec/acquis.d` already exists

What did you expect to happen?

If the folder exists, just continue with the restoration

How can we reproduce it (as minimally and precisely as possible)?

Create /etc/crowdsec/acquis.d

```console
sudo cscli config backup /path/for/backup/folder
sudo cscli config restore /path/for/backup/folder
```

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
2023/10/01 00:29:59 version: v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b
2023/10/01 00:29:59 Codename: alphaga
2023/10/01 00:29:59 BuildDate: 2023-09-20_10:31:03
2023/10/01 00:29:59 GoVersion: 1.20.8
2023/10/01 00:29:59 Platform: linux
2023/10/01 00:29:59 libre2: C++
2023/10/01 00:29:59 Constraint_parser: >= 1.0, <= 2.0
2023/10/01 00:29:59 Constraint_scenario: >= 1.0, < 3.0
2023/10/01 00:29:59 Constraint_api: v1
2023/10/01 00:29:59 Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo
$ uname -a
Linux hostname 6.4.12-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 24 Aug 2023 00:38:14 +0000 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
Dominic-Wagner/vaultwarden,enabled,0.1,Vaultwarden support : parser and brute-force detection,collections
LePresidente/adguardhome,enabled,0.1,AdGuardHome Support : parser and brute-force detection,collections
LePresidente/authelia,enabled,0.2,Authelia Support : parser and brute-force detection,collections
LePresidente/emby,enabled,0.1,Emby support : parser and brute-force detection,collections
LePresidente/gitea,enabled,0.2,Gitea Support : parser and brute-force detection,collections
LePresidente/grafana,enabled,0.1,Grafana Support : parser and brute-force detection,collections
LePresidente/harbor,enabled,0.1,Harbor Support : parser and brute-force detection,collections
LePresidente/jellyfin,enabled,0.2,Jellyfin support : parser and brute-force detection,collections
LePresidente/jellyseerr,enabled,0.1,jellyseerr Support : parser and brute-force detection,collections
LePresidente/ombi,enabled,0.2,Ombi Support : parser and brute-force detection,collections
LePresidente/redmine,enabled,0.1,Redmine Support : parser and brute-force detection,collections
MariuszKociubinski/bitwarden,enabled,0.1,Bitwarden Self Hosted support : parser and brute-force detection,collections
a1ad/meshcentral,enabled,0.2,Meshcentral support : parser and brute-force detection,collections
a1ad/mikrotik,enabled,0.2,"Mikrotik support: logs, auth and port-scans detection scenarios",collections
andreasbrett/baikal,enabled,0.1,Baikal support: parser and brute-force detection,collections
andreasbrett/paperless-ngx,enabled,0.1,Paperless-ngx support: parser and brute-force detection,collections
andreasbrett/webmin,enabled,0.1,Webmin support: parser and brute-force detection,collections
baudneo/gotify,enabled,0.1,Gotify bruteforce login protection,collections
baudneo/zoneminder,enabled,0.2,"ZoneMinder bruteforce login, user enum and cve protection",collections
baudneo/zoneminder_http-cve,enabled,0.1,ZoneMinder CVE protection,collections
corvese/apache-guacamole,enabled,0.1,Apache Guacamole bruteforce login protection,collections
crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios ,collections
crowdsecurity/apiscp,enabled,0.1,apisCP support : collections for services supported by apisCP + apisCP admin page parser/scenario bruteforce,collections
crowdsecurity/asterisk,enabled,0.1,asterisk support : parser and bruteforce/user enumeration scenarios ,collections
crowdsecurity/auditd,enabled,0.5,auditd support : parsers and scenarios,collections
crowdsecurity/aws-cis-benchmark,enabled,0.1,AWS CIS Benchmark: cloudtrail parser and alerting scenarios,collections
crowdsecurity/aws-console,enabled,0.1,aws cloudtrail parser and aws console bruteforce,collections
crowdsecurity/aws-postexploit,enabled,0.1,aws cloudtrail parser and aws postexploit scenarios,collections
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/caddy,enabled,0.1,caddy support : parser and generic http scenarios,collections
crowdsecurity/cpanel,enabled,0.2,cpanel support : parser and bruteforce detection,collections
crowdsecurity/discord-crawler-whitelist,enabled,0.1,Whitelist Discord PTR domains,collections
crowdsecurity/dovecot,enabled,0.1,dovecot support : parser and spammer detection,collections
crowdsecurity/endlessh,enabled,0.1,endlessh support : logs parser and brute-force detection,collections
crowdsecurity/exchange,enabled,0.3,"Exchange support : Bruteforce detection for OWA,SMTP,IMAP and POP",collections
crowdsecurity/exim,enabled,0.1,exim support : parser and bruteforce/spam detection,collections
crowdsecurity/fastly,enabled,0.1,fastly support : parser and generic http scenarios,collections
crowdsecurity/freebsd,enabled,0.1,core freebsd support : syslog+geoip+ssh,collections
crowdsecurity/freeswitch,enabled,0.1,freeswitch collection,collections
crowdsecurity/haproxy,enabled,0.1,haproxy support : parser and generic http scenarios,collections
crowdsecurity/home-assistant,enabled,0.1,Home assistant support : logs and brute-force scenario,collections
crowdsecurity/http-cve,enabled,2.1,,collections
crowdsecurity/iis,enabled,0.1,IIS support : parser and generic http scenarios ,collections
crowdsecurity/iptables,enabled,0.1,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/k8s-audit,enabled,0.1,Kubernetes audit log support: detect security sensitive events in a cluster,collections
crowdsecurity/kasm,enabled,0.1,kasm workspaces support : parser and bruteforce scenario,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/linux-lpe,enabled,0.1,Linux Local Privilege Escalation collection : detect trivial LPEs,collections
crowdsecurity/litespeed,enabled,0.1,litespeed support : parser and generic http scenarios,collections
crowdsecurity/magento,enabled,0.1,Magento collection,collections
crowdsecurity/mariadb,enabled,0.1,mariadb support : logs and brute-force scenarios,collections
crowdsecurity/modsecurity,enabled,0.1,modsecurity support : modsecurity parser and scenario,collections
crowdsecurity/mssql,enabled,0.1,mssql support : logs and brute-force scenarios,collections
crowdsecurity/mysql,enabled,0.1,mysql support : logs and brute-force scenarios,collections
crowdsecurity/naxsi,enabled,0.1,naxsi support : parser and vpatch scenario,collections
crowdsecurity/nextcloud,enabled,0.3,Nextcloud support : parser and brute-force detection,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/nginx-proxy-manager,enabled,0.1,Nginx Proxy Manager support : parser and generic http scenarios,collections
crowdsecurity/odoo,enabled,0.1,Odoo support : parser and brute-force/user enumeration detection,collections
crowdsecurity/opnsense,enabled,0.4,core opnsense support,collections
crowdsecurity/opnsense-gui,enabled,0.1,OPNSense web authentication support,collections
crowdsecurity/palo-alto,enabled,0.1,Palo Alto support : Parser and scenarios for Palo Alto Threat Log,collections
crowdsecurity/pgsql,enabled,0.1,postgres support : logs and brute-force scenarios,collections
crowdsecurity/postfix,enabled,0.2,postfix support : parser and spammer detection,collections
crowdsecurity/proftpd,enabled,0.1,proftpd support : parser and brute-force/user enumeration detection,collections
crowdsecurity/smb,enabled,0.1,smb support : parser and brute-force scenario,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/supabase-compose,enabled,0.2,supabase docker compose support,collections
crowdsecurity/suricata,enabled,0.1,suricata support : parser and automatic remediation on high/major alerts,collections
crowdsecurity/synology-dsm,enabled,0.2,Synology DSM web authentication support,collections
crowdsecurity/teamspeak3,enabled,0.1,teamspeak3 support : parser and brute-force detection,collections
crowdsecurity/thehive,enabled,0.1,Thehive support : parser and brute-force detection,collections
crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections
crowdsecurity/unifi,enabled,0.1,Unifi support: syslog parser + port scan + SSH BF detection,collections
crowdsecurity/vsftpd,enabled,0.1,VSFTPD support : logs and brute-force scenarios,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections
crowdsecurity/windows,enabled,0.1,core windows support : windows event log + bf detection,collections
crowdsecurity/windows-cve,enabled,0.3,windows CVE: try to detect local CVE exploitation on windows.,collections
crowdsecurity/windows-firewall,enabled,0.1,windows firewall support : logs and port-scans detection scenarios,collections
crowdsecurity/wireguard,enabled,0.1,wireguard auth detection,collections
crowdsecurity/wordpress,enabled,0.4,wordpress: Bruteforce protection and config probing,collections
firewallservices/lemonldap-ng,enabled,0.1,Lemonldap::NG support : parser and brutefurce detection,collections
firewallservices/pf,enabled,0.1,Parser and scenario for Packet Filter logs,collections
firewallservices/zimbra,enabled,0.1,zimbra support : parser and spammer detection,collections
fulljackz/proxmox,enabled,0.1,Proxmox Web interface support : parser for brute force detection on Proxmox VE Web UI,collections
fulljackz/pureftpd,enabled,0.1,Pureftpd support : parser for brute force detection on Pureftpd,collections
gauth-fr/immich,enabled,0.1,Immich support : parser and brute-force detection,collections
hitech95/nginx-mail,enabled,0.1,nginx email core : parser and spammer detection,collections
inherent-io/keycloak,enabled,0.2,Keycloak support : parser and brute-force detection,collections
jusabatier/apereo-cas,enabled,0.1,APEREO-CAS support : parser and brute-force detection,collections
lourys/pterodactyl,enabled,0.1,pterodactyl wings support : parser and generic wings bruteforce,collections
mstilkerich/bind9,enabled,0.1,bind9 support : security policy violations detection,collections
mwinters-stuff/mailu-admin,enabled,0.2,mailu admin support : parser and scenario,collections
openappsec/openappsec,enabled,0.1,open-appsec support : open-appsec parser and scenarios,collections
schiz0phr3ne/prowlarr,enabled,0.1,Prowlarr support: parser and brute-force detections,collections
schiz0phr3ne/radarr,enabled,0.1,Radarr support: parser and brute-force detections,collections
schiz0phr3ne/sonarr,enabled,0.1,Sonarr support: parser and brute-force detections,collections
thespad/sshesame,enabled,0.1,Collection for sshesame SSH honeypot,collections
timokoessler/gitlab,enabled,0.1,GitLab support: parser and brute-force detection,collections
timokoessler/mongodb,enabled,0.1,MongoDB support: parser and brute-force detection,collections
timokoessler/uptime-kuma,enabled,0.1,Uptime Kuma support: parser and brute-force detection,collections
Dominic-Wagner/vaultwarden-logs,enabled,0.1,Parse vaultwarden logs,parsers
LePresidente/adguardhome-logs,enabled,0.1,Parse adguardhome logs,parsers
LePresidente/authelia-logs,enabled,0.4,Parse Authelia logs,parsers
LePresidente/emby-logs,enabled,0.3,Parse emby logs,parsers
LePresidente/gitea-logs,enabled,0.6,Parse gitea logs,parsers
LePresidente/grafana-logs,enabled,0.1,Parse grafana logs,parsers
LePresidente/harbor-logs,enabled,0.1,Parse Harbor logs,parsers
LePresidente/jellyfin-logs,enabled,0.6,Parse jellyfin logs,parsers
LePresidente/jellyseerr-logs,enabled,0.3,Parse jellyseerr logs,parsers
LePresidente/ombi-logs,enabled,0.2,Parse ombi logs,parsers
LePresidente/redmine-logs,enabled,0.2,Parse redmine logs,parsers
MariuszKociubinski/bitwarden-logs,enabled,0.1,Parse bitwarden logs,parsers
a1ad/meshcentral-logs,enabled,0.2,Parse meshcentral logs,parsers
a1ad/mikrotik-logs,enabled,0.2,Parse Mikrotik logs,parsers
andreasbrett/baikal-logs,enabled,0.1,Parse baikal logs,parsers
andreasbrett/paperless-ngx-logs,enabled,0.4,Parse paperless-ngx logs,parsers
andreasbrett/webmin-logs,enabled,0.2,Parse webmin logs,parsers
baudneo/gotify-logs,enabled,0.1,parser for Gotify server,parsers
baudneo/zoneminder-logs,enabled,0.2,"A parser for zoneminder web_php.log (Logins to DB/Web), now supports default PHP intl date format",parsers
corvese/apache-guacamole-logs,enabled,0.1,Parses Apache Guacamole logs,parsers
crowdsecurity/apache2-logs,enabled,1.3,Parse Apache2 access and error logs,parsers
crowdsecurity/asterisk-logs,enabled,0.3,Parse Asterisk logs,parsers
crowdsecurity/auditd-logs,enabled,0.7,Parse auditd logs,parsers
crowdsecurity/aws-cloudtrail,enabled,0.4,Parse AWS Cloudtrail logs,parsers
crowdsecurity/caddy-logs,enabled,0.4,Parse caddy logs,parsers
crowdsecurity/cpanel-logs,enabled,0.4,Parse Cpanel logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/dovecot-logs,enabled,0.8,Parse dovecot logs,parsers
crowdsecurity/dropbear-logs,enabled,0.2,Parse dropbear logs,parsers
crowdsecurity/endlessh-logs,enabled,0.3,Parse Endlessh logs,parsers
crowdsecurity/exchange-imap-logs,enabled,0.1,Parse exchange IMAP logs,parsers
crowdsecurity/exchange-pop-logs,enabled,0.1,Parse exchange POP logs,parsers
crowdsecurity/exchange-smtp-logs,enabled,0.2,Parse exchange SMTP logs,parsers
crowdsecurity/exim-logs,enabled,0.3,Parse exim logs,parsers
crowdsecurity/fastly-logs,enabled,0.6,fastly logs parser,parsers
crowdsecurity/freeswitch,enabled,0.1,Parse freeswitch logs,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/haproxy-logs,enabled,0.6,Parse haproxy http logs,parsers
crowdsecurity/home-assistant-logs,enabled,0.5,Parse Home Assistant logs,parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iis-logs,enabled,0.4,Parse IIS access logs,parsers
crowdsecurity/iptables-logs,enabled,0.5,Parse iptables drop logs,parsers
crowdsecurity/jellyfin-whitelist,enabled,0.1,Whitelist events from jellyfin,parsers
crowdsecurity/k8s-audit,enabled,0.3,Parse Kubernetes audit logs,parsers
crowdsecurity/kasm-logs,enabled,0.1,Parse kasm logs,parsers
crowdsecurity/litespeed-logs,enabled,0.1,Parse litespeed access and error logs,parsers
crowdsecurity/magento-extension-logs,enabled,0.1,Parse CrowdSec Magento extension logs,parsers
crowdsecurity/mariadb-logs,enabled,0.4,Parse MariaDB logs,parsers
crowdsecurity/modsecurity,enabled,0.9,A parser for modsecurity WAF,parsers
crowdsecurity/mssql-logs,enabled,0.2,Parse mssql logs,parsers
crowdsecurity/mysql-logs,enabled,0.4,Parse MySQL logs,parsers
crowdsecurity/naxsi-logs,enabled,0.1,Enrich logs if its from NAXSI,parsers
crowdsecurity/nextcloud-logs,enabled,0.3,Parse nextcloud logs,parsers
crowdsecurity/nextcloud-whitelist,enabled,0.7,Whitelist events from nextcloud,parsers
crowdsecurity/nginx-logs,enabled,1.4,Parse nginx access and error logs,parsers
crowdsecurity/nginx-proxy-manager-logs,enabled,0.2,Parse Nginx Proxy Manager access and error logs,parsers
crowdsecurity/odoo-logs,enabled,0.1,Parse Odoo logs,parsers
crowdsecurity/opnsense-gui-logs,enabled,0.1,Parse OPNSense web auth logs,parsers
crowdsecurity/palo-alto-threat-log,enabled,0.2,Parse palo-alto-threat-log logs,parsers
crowdsecurity/pgsql-logs,enabled,0.7,Parse PgSQL logs,parsers
crowdsecurity/pkexec-logs,enabled,0.1,Parse pkexec logs specifically for CVE-2021-4034,parsers
crowdsecurity/postfix-logs,enabled,0.4,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.2,Parse postscreen logs,parsers
crowdsecurity/proftpd-logs,enabled,0.3,Parse proftpd logs,parsers
crowdsecurity/smb-logs,enabled,0.2,Parse SMB logs,parsers
crowdsecurity/sshd-logs,enabled,2.2,Parse openSSH logs,parsers
crowdsecurity/supabase-docker-pgsql,enabled,0.1,Parse PgSQL logs,parsers
crowdsecurity/suricata-logs,enabled,0.6,Parse suricata fast.log,parsers
crowdsecurity/synology-dsm-logs,enabled,0.3,Parse Synology DSM web auth logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/sysmon-logs,enabled,0.1,Parse sysmon events,parsers
crowdsecurity/teamspeak3-logs,enabled,0.2,Parse teamspeak3 server logs,parsers
crowdsecurity/thehive-logs,enabled,0.1,Parse Thehive logs,parsers
crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers
crowdsecurity/unifi-logs,enabled,0.1,,parsers
crowdsecurity/vsftpd-logs,enabled,0.3,Parse VSFTPD logs,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/windows-auth,enabled,0.2,Parse windows authentication failure events (id 4625),parsers
crowdsecurity/windows-firewall-logs,enabled,0.3,Parse windows firewall drop logs,parsers
crowdsecurity/windows-logs,enabled,0.4,,parsers
crowdsecurity/wireguard-logs,enabled,0.1,Parses wireguard log via dyndbg,parsers
firewallservices/lemonldap-ng,enabled,0.1,Parse Lemonldap::NG logs,parsers
firewallservices/pf-logs,enabled,0.5,Parse packet filter logs,parsers
firewallservices/zimbra-logs,enabled,0.1,Parse zimbra authentication failures,parsers
fulljackz/proxmox-logs,enabled,0.2,Parse proxmox logs for bruteforce attempts,parsers
fulljackz/pureftpd-logs,enabled,0.1,Parse pureftpd logs for bruteforce attempts,parsers
gauth-fr/immich-logs,enabled,0.2,Parse Immich logs,parsers
hitech95/nginx-mail-logs,enabled,0.2,Parse Nginx Mail logs,parsers
inherent-io/keycloak-logs,enabled,0.1,Parse keycloak logs,parsers
jusabatier/apereo-cas-audit-logs,enabled,0.2,Parse apereo CAS Audits logs,parsers
lourys/pterodactyl-wings-logs,enabled,0.1,Parse Pterodactyl wings logs,parsers
mstilkerich/bind9-logs,enabled,0.2,Parse bind9 logs,parsers
mwinters-stuff/mailu-admin-logs,enabled,0.1,Parse mailu-admin logs,parsers
openappsec/openappsec-logs,enabled,0.1,Parse openappsec logs,parsers
schiz0phr3ne/prowlarr-logs,enabled,0.2,Parse Prowlarr Logs,parsers
schiz0phr3ne/radarr-logs,enabled,0.2,Parse Radarr Logs,parsers
schiz0phr3ne/sonarr-logs,enabled,0.2,Parse Sonarr Logs,parsers
thespad/sshesame-logs,enabled,0.2,Parse sshesame logs,parsers
timokoessler/gitlab-logs,enabled,0.1,Parse GitLab Logs,parsers
timokoessler/mongodb-logs,enabled,0.1,Parse MongoDB logs,parsers
timokoessler/uptime-kuma-logs,enabled,0.2,Parse Uptime Kuma Logs,parsers
Dominic-Wagner/vaultwarden-bf,enabled,0.1,Detect vaultwarden bruteforce,scenarios
LePresidente/adguardhome-bf,enabled,0.1,Detect AdGuardHome bruteforce attacks,scenarios
LePresidente/authelia-bf,enabled,0.2,Detect authelia bruteforce,scenarios
LePresidente/emby-bf,enabled,0.1,Detect emby bruteforce,scenarios
LePresidente/gitea-bf,enabled,0.2,Detect gitea bruteforce,scenarios
LePresidente/grafana-bf,enabled,0.1,Detect grafana bruteforce,scenarios
LePresidente/harbor-bf,enabled,0.1,Detect harbor bruteforce,scenarios
LePresidente/jellyfin-bf,enabled,0.1,Detect jellyfin bruteforce,scenarios
LePresidente/jellyseerr-bf,enabled,0.1,Detect jellyseerr bruteforce,scenarios
LePresidente/ombi-bf,enabled,0.1,Detect Ombi bruteforce,scenarios
LePresidente/redmine-bf,enabled,0.1,Detect Redmine bruteforce attacks,scenarios
MariuszKociubinski/bitwarden-bf,enabled,0.1,Detect bitwarden bruteforce,scenarios
a1ad/meshcentral-bf,enabled,0.1,Detect meshcentral bruteforce,scenarios
a1ad/mikrotik-bf,enabled,0.1,Detect Mikrotik bruteforce,scenarios
a1ad/mikrotik-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios
andreasbrett/baikal-bf,enabled,0.1,Detect Baikal bruteforce attacks,scenarios
andreasbrett/paperless-ngx-bf,enabled,0.1,Detect Paperless-ngx bruteforce attacks,scenarios
andreasbrett/webmin-bf,enabled,0.1,Detect Webmin bruteforce attacks,scenarios
baudneo/gotify-bf,enabled,0.1,Detect bruteforce,scenarios
baudneo/zoneminder-bf,enabled,0.1,Detect ZoneMinder bruteforce,scenarios
baudneo/zoneminder_cve-2022-39285,enabled,0.1,Detect cve-2022-39285 exploitation attempts,scenarios
baudneo/zoneminder_cve-2022-39290,enabled,0.1,Detect cve-2022-39290 exploitation attempts,scenarios
baudneo/zoneminder_cve-2022-39291,enabled,0.1,Detect cve-2022-39291 exploitation attempts,scenarios
corvese/apache-guacamole_bf,enabled,0.1,Detect Apache Guacamole user bruteforce,scenarios
corvese/apache-guacamole_user_enum,enabled,0.1,Detect Apache Guacamole user enum bruteforce,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.1,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2021-4034,enabled,0.1,Detect CVE-2021-4034 exploits,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-23397,enabled,0.1,Detect CVE-2023-23397 from sysmon events,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/asterisk_bf,enabled,0.1,Detect asterisk user bruteforce,scenarios
crowdsecurity/asterisk_user_enum,enabled,0.1,Detect asterisk user enum bruteforce,scenarios
crowdsecurity/auditd-base64-exec-behavior,enabled,0.4,Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python),scenarios
crowdsecurity/auditd-postexploit-exec-from-net,enabled,0.5,Detect post-exploitation behaviour : curl/wget and exec,scenarios
crowdsecurity/auditd-postexploit-pkill,enabled,0.4,Detect post-exploitation behaviour : pkill execve bursts,scenarios
crowdsecurity/auditd-postexploit-rm,enabled,0.5,Detect post-exploitation behaviour : rm execve bursts,scenarios
crowdsecurity/auditd-sus-exec,enabled,0.4,Detect post-exploitation behaviour : exec from suspicious locations,scenarios
crowdsecurity/aws-bf,enabled,0.3,Detect console login bruteforce,scenarios
crowdsecurity/aws-cis-benchmark-cloudtrail-config-change,enabled,0.2,Detect AWS CloudTrail configuration change,scenarios
crowdsecurity/aws-cis-benchmark-config-config-change,enabled,0.2,Detect AWS Config configuration change,scenarios
crowdsecurity/aws-cis-benchmark-console-auth-fail,enabled,0.2,Detect AWS console authentication failure,scenarios
crowdsecurity/aws-cis-benchmark-iam-policy-change,enabled,0.2,Detect AWS IAM policy change,scenarios
crowdsecurity/aws-cis-benchmark-kms-deletion,enabled,0.2,Detect AWS KMS key deletion,scenarios
crowdsecurity/aws-cis-benchmark-login-no-mfa,enabled,0.2,Detect login without MFA to the AWS console,scenarios
crowdsecurity/aws-cis-benchmark-nacl-change,enabled,0.2,Detect AWS NACL change,scenarios
crowdsecurity/aws-cis-benchmark-ngw-change,enabled,0.2,Detect AWS Network Gateway change,scenarios
crowdsecurity/aws-cis-benchmark-root-usage,enabled,0.2,Detect AWS root account usage,scenarios
crowdsecurity/aws-cis-benchmark-route-table-change,enabled,0.2,Detect AWS route table change,scenarios
crowdsecurity/aws-cis-benchmark-s3-policy-change,enabled,0.2,Detect AWS S3 bucket policy change,scenarios
crowdsecurity/aws-cis-benchmark-security-group-change,enabled,0.2,Detect AWS Security Group change,scenarios
crowdsecurity/aws-cis-benchmark-unauthorized-call,enabled,0.3,Detect AWS API unauthorized calls,scenarios
crowdsecurity/aws-cis-benchmark-vpc-change,enabled,0.2,Detect AWS VPC change,scenarios
crowdsecurity/aws-cloudtrail-postexploit,enabled,0.2,postexploitation detection (noisy),scenarios
crowdsecurity/aws-nwo-login,enabled,0.3,Detect console login outside of office hours,scenarios
crowdsecurity/cpanel-bf,enabled,0.2,Detect bruteforce on cpanel login,scenarios
crowdsecurity/cpanel-bf-attempt,enabled,0.1,Detect bruteforce attempt on cpanel login,scenarios
crowdsecurity/dovecot-spam,enabled,0.3,detect errors on dovecot,scenarios
crowdsecurity/endlessh-bf,enabled,0.1,Detect SSH bruteforce caught by Endlessh,scenarios
crowdsecurity/exchange-bf,enabled,0.2,"Detect exchange bruteforce (SMTP,IMAP,POP3)",scenarios
crowdsecurity/exim-bf,enabled,0.1,Detect Exim brute force,scenarios
crowdsecurity/exim-spam,enabled,0.1,detect spam on Exim,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/freeswitch-acl-reject,enabled,0.1,Detect freeswitch acl rejects,scenarios
crowdsecurity/freeswitch-bf,enabled,0.1,Detect freeswitch auth bruteforce,scenarios
crowdsecurity/freeswitch-user-enumeration,enabled,0.1,Detect freeswitch user enumeration,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/home-assistant-bf,enabled,0.2,Detect Home Assistant bruteforce,scenarios
crowdsecurity/http-apiscp-bf,enabled,0.2,detect apisCP dashboard bruteforce,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.8,Detect bad user-agents,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.4,detect wordpress bruteforce,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios
crowdsecurity/http-magento-bf,enabled,0.2,detect Magento bruteforce,scenarios
crowdsecurity/http-magento-ccs,enabled,0.2,Detect credit card stuffing from a single IP,scenarios
crowdsecurity/http-magento-ccs-by-as,enabled,0.2,Detect distributed credit card stuffing from same AS,scenarios
crowdsecurity/http-magento-ccs-by-country,enabled,0.2,Detect distributed credit card stuffing from same country,scenarios
crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.1,detect wordpress probing : authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.1,detect wordpress probing : variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/k8s-audit-anonymous-access,enabled,0.3,Detect allowed anonymous access to the K8S API,scenarios
crowdsecurity/k8s-audit-api-server-bruteforce,enabled,0.3,Detect bruteforce attempts against K8S API server,scenarios
crowdsecurity/k8s-audit-pod-exec,enabled,0.3,Detect execution (via kubectl exec) in pods,scenarios
crowdsecurity/k8s-audit-pod-host-network,enabled,0.3,Detect pods started with host networking,scenarios
crowdsecurity/k8s-audit-pod-host-path-volume,enabled,0.4,Detect pods mounting a sensitive host folder,scenarios
crowdsecurity/k8s-audit-privileged-pod-creation,enabled,0.3,Detect privileged pod creation,scenarios
crowdsecurity/k8s-audit-service-account-access-denied,enabled,0.3,Detect unauthorized requests from service accounts,scenarios
crowdsecurity/kasm-bruteforce,enabled,0.1,Detect kasm login bruteforce,scenarios
crowdsecurity/litespeed-admin-bf,enabled,0.1,Detect bruteforce against litespeed admin UI,scenarios
crowdsecurity/mariadb-bf,enabled,0.1,Detect mariadb bruteforce,scenarios
crowdsecurity/modsecurity,enabled,0.4,Web exploitation via modsecurity,scenarios
crowdsecurity/mssql-bf,enabled,0.1,Detect mssql bruteforce,scenarios
crowdsecurity/mysql-bf,enabled,0.1,Detect mysql bruteforce,scenarios
crowdsecurity/naxsi-exploit-vpatch,enabled,0.1,Detect custom blacklist triggered in naxsi,scenarios
crowdsecurity/netgear_rce,enabled,0.2,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nextcloud-bf,enabled,0.2,Detect Nextcloud bruteforce,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/odoo-bf_user-enum,enabled,0.1,Detect bruteforce on odoo web interface,scenarios
crowdsecurity/opnsense-gui-bf,enabled,0.1,Detect bruteforce on opnsense web interface,scenarios
crowdsecurity/palo-alto-threat,enabled,0.1,Detect palo alto threat with a severity higher or equal to medium,scenarios
crowdsecurity/pgsql-bf,enabled,0.1,Detect PgSQL bruteforce,scenarios
crowdsecurity/pgsql-user-enum,enabled,0.1,Detect postgresql user enumeration,scenarios
crowdsecurity/postfix-spam,enabled,0.2,Detect spammers,scenarios
crowdsecurity/proftpd-bf,enabled,0.1,Detect proftpd bruteforce,scenarios
crowdsecurity/proftpd-bf_user-enum,enabled,0.1,Detect proftpd user enum bruteforce,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/smb-bf,enabled,0.1,Detect smb bruteforce,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/suricata-alerts,enabled,0.3,Detect exploit attempts via emerging threat rules,scenarios
crowdsecurity/synology-dsm-bf,enabled,0.1,Detect Synology DSM web auth bruteforce,scenarios
crowdsecurity/teamspeak3-bf,enabled,0.1,detect teamspeak3 server bruteforce,scenarios
crowdsecurity/thehive-bf,enabled,0.2,Detect bruteforce on Thehive web interface,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
crowdsecurity/vsftpd-bf,enabled,0.1,Detect FTP bruteforce (vsftpd),scenarios
crowdsecurity/windows-CVE-2022-30190-msdt,enabled,0.1,Detect CVE-2022-30190 from sysmon events,scenarios
crowdsecurity/windows-bf,enabled,0.1,Detect windows auth bruteforce,scenarios
crowdsecurity/wireguard-auth,enabled,0.1,Detects rejected connections attempts and unauthorized packets through wireguard tunnels,scenarios
firewallservices/lemonldap-ng-bf,enabled,0.1,Detect Lemonldap::NG bruteforce,scenarios
firewallservices/pf-scan-multi_ports,enabled,0.3,ban IPs that are scanning us,scenarios
firewallservices/zimbra-bf,enabled,0.1,Detect Zimbra bruteforce,scenarios
fulljackz/proxmox-bf,enabled,0.1,Detect proxmox bruteforce,scenarios
fulljackz/pureftpd-bf,enabled,0.1,Detect pureftpd bruteforce,scenarios
gauth-fr/immich-bf,enabled,0.1,Detect immich bruteforce,scenarios
hitech95/mail-generic-bf,enabled,0.1,Detect generic email brute force,scenarios
inherent-io/keycloak-bf,enabled,0.1,Detect keycloak bruteforce,scenarios
inherent-io/keycloak-slow-bf,enabled,0.1,Detect keycloak bruteforce,scenarios
jusabatier/apereo-cas-bf,enabled,0.1,Detect CAS bruteforce,scenarios
jusabatier/apereo-cas-slow-bf,enabled,0.1,Detect slow CAS bruteforce,scenarios
lourys/pterodactyl-wings-bf,enabled,0.1,Detect invalid_format ssh bruteforce,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
mstilkerich/bind9-refused,enabled,0.1,Act on queries / zone transfers denied by bind9 policy,scenarios
mwinters-stuff/mailu-admin-bf,enabled,0.1,Detect mailu admin bruteforce,scenarios
openappsec/openappsec-bot-protection,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Bot Protection' events (when waf blocks malicious request),scenarios
openappsec/openappsec-cross-site-redirect,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Cross Site Redirect' events (when waf blocks malicious request),scenarios
openappsec/openappsec-csrf,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Cross Site Request Forgery' events (when waf blocks malicious request),scenarios
openappsec/openappsec-error-disclosure,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Error Disclosure' events (when waf blocks malicious request),scenarios
openappsec/openappsec-error-limit,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Error Limit' events (when waf blocks malicious request),scenarios
openappsec/openappsec-evasion-techniques,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Evasion Techniques' events (when waf blocks malicious request),scenarios
openappsec/openappsec-general,enabled,0.1,Detect openappsec 'prevent' securityActions on 'General' events (when waf blocks malicious request),scenarios
openappsec/openappsec-http-limit-violation,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Http limit violation' events (when waf blocks malicious request),scenarios
openappsec/openappsec-http-method-violation,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Illegal http method violation' events (when waf blocks malicious request),scenarios
openappsec/openappsec-ldap-injection,enabled,0.1,Detect openappsec 'prevent' securityActions on 'LDAP Injection' events (when waf blocks malicious request),scenarios
openappsec/openappsec-open-redirect,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Open Redirect' events (when waf blocks malicious request),scenarios
openappsec/openappsec-path-traversal,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Path Traversal' events (when waf blocks malicious request),scenarios
openappsec/openappsec-probing,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Vulnerability Scanning' events (when waf blocks
malicious request),scenarios openappsec/openappsec-rce,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Remote Code Execution' events (when waf blocks malicious request),scenarios openappsec/openappsec-request-rate-limit,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Request Rate Limit' events (when waf blocks malicious request),scenarios openappsec/openappsec-schema-validation,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Schema Validation' events (when waf blocks malicious request),scenarios openappsec/openappsec-sql-injection,enabled,0.1,Detect openappsec 'prevent' securityActions on 'SQL Injection' events (when waf blocks malicious request),scenarios openappsec/openappsec-url-instead-of-file,enabled,0.1,Detect openappsec 'prevent' securityActions on 'URL instead of file' events (when waf blocks malicious request),scenarios openappsec/openappsec-xss,enabled,0.1,Detect openappsec 'prevent' securityActions on 'Cross Site Scripting' events (when waf blocks malicious request),scenarios openappsec/openappsec-xxe,enabled,0.1,Detect openappsec 'prevent' securityActions on 'XML External Entity' events (when waf blocks malicious request),scenarios schiz0phr3ne/prowlarr-bf,enabled,0.1,Detect Prowlarr bruteforce,scenarios schiz0phr3ne/radarr-bf,enabled,0.1,Detect Radarr bruteforce,scenarios schiz0phr3ne/sonarr-bf,enabled,0.1,Detect Sonarr bruteforce,scenarios thespad/sshesame-honeypot,enabled,0.2,Detect sshesame bruteforce,scenarios timokoessler/gitlab-bf,enabled,0.1,Detect gitlab bruteforce,scenarios timokoessler/mongodb-bf,enabled,0.1,Detect mongodb bruteforce,scenarios timokoessler/uptime-kuma-bf,enabled,0.1,Detect Uptime Kuma bruteforce,scenarios crowdsecurity/auditd-whitelisted-process,enabled,0.2,Whitelist some process that are false-positives prone,postoverflows crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows crowdsecurity/discord-crawler-whitelist,enabled,0.1,Discord PTR whitelist,postoverflows 
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows ```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
```

Config show

```console
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Login                   : 5500b62c1f1249bbb4b746c0839b93e4
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

```console
$ cscli metrics
Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│ Source                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/nginx/access.log │ 666        │ -            │ 666            │ -                      │
│ file:/var/log/nginx/error.log  │ 181        │ 20           │ 161            │ 8                      │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Bucket                               │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 7            │ 7      │ 7       │
│ crowdsecurity/http-sensitive-files   │ -             │ -         │ 1            │ 1      │ 1       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭───────────────────────────────────┬───────┬────────┬──────────╮
│ Parsers                           │ Hits  │ Parsed │ Unparsed │
├───────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs     │ 27    │ 18     │ 9        │
│ child-crowdsecurity/nginx-logs    │ 1.69k │ 9      │ 1.69k    │
│ child-hitech95/nginx-mail-logs    │ 902   │ 11     │ 891      │
│ crowdsecurity/dateparse-enrich    │ 20    │ 20     │ -        │
│ crowdsecurity/geoip-enrich        │ 20    │ 20     │ -        │
│ crowdsecurity/http-logs           │ 9     │ 9      │ -        │
│ crowdsecurity/jellyfin-whitelist  │ 9     │ 9      │ -        │
│ crowdsecurity/naxsi-logs          │ 9     │ -      │ 9        │
│ crowdsecurity/nextcloud-whitelist │ 9     │ 9      │ -        │
│ crowdsecurity/nginx-logs          │ 847   │ 9      │ 838      │
│ crowdsecurity/non-syslog          │ 847   │ 847    │ -        │
│ crowdsecurity/whitelists          │ 20    │ 20     │ -        │
│ hitech95/nginx-mail-logs          │ 838   │ 11     │ 827      │
╰───────────────────────────────────┴───────┴────────┴──────────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/decisions        │ GET    │ 40   │
│ /v1/decisions/stream │ GET    │ 6872 │
│ /v1/heartbeat        │ GET    │ 1148 │
│ /v1/watchers/login   │ POST   │ 22   │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                          │ Route         │ Method │ Hits │
├──────────────────────────────────┼───────────────┼────────┼──────┤
│ 5500b62c1f1249bbb4b746c0839b93e4 │ /v1/heartbeat │ GET    │ 1148 │
╰──────────────────────────────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer                            │ Route                │ Method │ Hits │
├────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-firewall-bouncer-nftables │ /v1/decisions/stream │ GET    │ 6847 │
│ crowdsec-nginx-bouncer             │ /v1/decisions        │ GET    │ 40   │
╰────────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭────────────────────────┬───────────────┬───────────────────╮
│ Bouncer                │ Empty answers │ Non-empty answers │
├────────────────────────┼───────────────┼───────────────────┤
│ crowdsec-nginx-bouncer │ 40            │ 0                 │
╰────────────────────────┴───────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                     │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 16    │
│ crowdsecurity/dovecot-spam                 │ CAPI   │ ban    │ 2547  │
│ crowdsecurity/http-wordpress_user-enum     │ CAPI   │ ban    │ 144   │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 6     │
│ crowdsecurity/windows-bf                   │ CAPI   │ ban    │ 118   │
│ a1ad/mikrotik-bf                           │ CAPI   │ ban    │ 23    │
│ crowdsecurity/http-bf-wordpress_bf         │ CAPI   │ ban    │ 307   │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 815   │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 7     │
│ crowdsecurity/iptables-scan-multi_ports    │ CAPI   │ ban    │ 103   │
│ firehol_cybercrime                         │ lists  │ ban    │ 484   │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 228   │
│ a1ad/mikrotik-scan-multi_ports             │ CAPI   │ ban    │ 14    │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 104   │
│ crowdsecurity/endlessh-bf                  │ CAPI   │ ban    │ 522   │
│ crowdsecurity/exim-bf                      │ CAPI   │ ban    │ 4     │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 214   │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 14    │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 13    │
│ LePresidente/gitea-bf                      │ CAPI   │ ban    │ 187   │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 258   │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 330   │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 32    │
│ crowdsecurity/mssql-bf                     │ CAPI   │ ban    │ 16    │
│ firewallservices/pf-scan-multi_ports       │ CAPI   │ ban    │ 53    │
│ crowdsecurity/exim-spam                    │ CAPI   │ ban    │ 187   │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 11    │
│ crowdsecurity/mysql-bf                     │ CAPI   │ ban    │ 46    │
│ baudneo/zoneminder_cve-2022-39290          │ CAPI   │ ban    │ 127   │
│ crowdsecurity/exchange-bf                  │ CAPI   │ ban    │ 1     │
│ crowdsecurity/asterisk_bf                  │ CAPI   │ ban    │ 4     │
│ LePresidente/authelia-bf                   │ CAPI   │ ban    │ 2     │
│ crowdsecurity/asterisk_user_enum           │ CAPI   │ ban    │ 1     │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 4     │
│ fulljackz/pureftpd-bf                      │ CAPI   │ ban    │ 1     │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 740   │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 48    │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 3018  │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 7     │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI   │ ban    │ 43    │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 10856 │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 33    │
│ crowdsecurity/postfix-spam                 │ CAPI   │ ban    │ 1586  │
│ crowdsecurity/proftpd-bf                   │ CAPI   │ ban    │ 15    │
│ Dominic-Wagner/vaultwarden-bf              │ CAPI   │ ban    │ 15    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 53    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 2     │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 37    │
│ crowdsecurity/mariadb-bf                   │ CAPI   │ ban    │ 6     │
│ crowdsecurity/modsecurity                  │ CAPI   │ ban    │ 314   │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 10    │
│ crowdsecurity/pgsql-bf                     │ CAPI   │ ban    │ 22    │
│ crowdsecurity/smb-bf                       │ CAPI   │ ban    │ 495   │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 34    │
│ crowdsecurity/naxsi-exploit-vpatch         │ CAPI   │ ban    │ 1     │
│ firehol_botscout_7d                        │ lists  │ ban    │ 3393  │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13252 │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Parser Stash Metrics:
╭─────────────────────┬──────┬───────╮
│ Name                │ Type │ Items │
├─────────────────────┼──────┼───────┤
│ auditd_pid_progname │ LRU  │ 0     │
╰─────────────────────┴──────┴───────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 11 months ago

@smac89: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self-resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

mmetc commented 11 months ago

Thanks!

Fix in https://github.com/crowdsecurity/crowdsec/pull/2504