search

crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
9.09k stars 470 forks source link

[Syslog] RFC3164 Acquisition does not handle relayed packets #2839

Open LaurenceJJones opened 9 months ago

LaurenceJJones commented 9 months ago

What happened?

``` A relay will add a TIMESTAMP and SHOULD add a HOSTNAME as follows and will treat the entire received packet after the PRI part from the original packet as the CONTENT field of the new packet. The value used in the HOSTNAME field is only the hostname without the domain name as it is known by the relay. A TAG value will not be added to the relayed packet. While the inclusion of the domain name and IPv4 address in the original message is a noble endeavor, it is not consistent with the use of the field as described in Section 4.1.2. <0>Oct 22 10:52:12 scapegoat 1990 Oct 22 10:52:01 TZ-6 scapegoat.dmz.example.org 10.1.2.3 sched[0]: That's All Folks! ```

https://www.rfc-editor.org/rfc/rfc3164

RFC3164 specifies that if the packet is relayed between syslog servers that the server should put itself as a HOST within the syslog line. Our current RFC3164 parser does not expect relayed packets

Example:

<14>Feb 12 09:50:07 ToonDreamMachine ToonDreamMachine ubios-udapi-server[3117]: svc-system-log-syslog-ng:       +(services): Restart running service systemLog

This packet is an internal relay from Unifi and fails both RFC's due to same hostname appearing twice.

Linked to hub item https://github.com/crowdsecurity/hub/issues/940

What did you expect to happen?

Handle relayed packets between syslog servers

How can we reproduce it (as minimally and precisely as possible)?

WIP

Anything else we need to know?

No response

Crowdsec version

```console $ cscli version # paste output here ```

OS version

```console # On Linux: $ cat /etc/os-release # paste output here $ uname -a # paste output here # On Windows: C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture # paste output here ```

Enabled collections and parsers

```console $ cscli hub list -o raw # paste output here ```

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here # On Windows: C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml # paste output here

Config show

```console $ cscli config show # paste output here ```

Prometheus metrics

```console $ cscli metrics # paste output here ```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 9 months ago

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.