crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Slack Notification plugin 400 Status Code #2905

Closed timbastin closed 6 months ago

timbastin commented 6 months ago

What happened?

I integrated the slack notification plugin. I used the slack.yaml which is present in this repository. I followed the documentation.

What did you expect to happen?

I expected to receive a slack notification.

How can we reproduce it (as minimally and precisely as possible)?

You can follow your documentation on how to alert to slack.

Anything else we need to know?

The problem seems to be related to the "format" key of the plugin. If I change the content inside format to something like: "this is a test", I receive that notification.

Here are the logs of the failing plugin:

time="2024-03-17T19:26:38Z" level=info msg="found notify signal for slack_default config" @module=slack-plugin
time="2024-03-17T19:26:38Z" level=debug msg="posting to https://hooks.slack.com/services/XXX webhook, message " @module=slack-plugin
time="2024-03-17T19:26:39Z" level=error msg="slack server error: 400 Bad Request" @module=slack-plugin
time="2024-03-17T19:26:39Z" level=error msg="rpc error: code = Unknown desc = slack server error: 400 Bad Request error, retry num 1" plugin=slack_default
time="2024-03-17T19:26:40Z" level=error msg="rpc error: code = Unknown desc = slack server error: 400 Bad Request" plugin:=slack_default

Crowdsec version

```console
2024/03/17 19:33:10 version: v1.6.0-4b8e6cd7
2024/03/17 19:33:10 Codename: alphaga
2024/03/17 19:33:10 BuildDate: 2024-01-24_14:01:35
2024/03/17 19:33:10 GoVersion: 1.21.6
2024/03/17 19:33:10 Platform: docker
2024/03/17 19:33:10 libre2: C++
2024/03/17 19:33:10 Constraint_parser: >= 1.0, <= 3.0
2024/03/17 19:33:10 Constraint_scenario: >= 1.0, <= 3.0
2024/03/17 19:33:10 Constraint_api: v1
2024/03/17 19:33:10 Constraint_acquis: >= 1.0, < 2.0
```

OS version

We are using Kubernetes and installed CrowdSec with the Helm chart.

Enabled collections and parsers

```console
name,status,version,description,type
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/sshd-logs,"enabled,update-available",2.2,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/sshd,"enabled,update-available",0.3,sshd support : parser and brute-force detection,collections
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
```

Config show

```console
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://localhost:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

```console
Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ POST   │ 3    │
│ /v1/decisions/stream │ GET    │ 9    │
│ /v1/heartbeat        │ GET    │ 79   │
│ /v1/watchers/login   │ POST   │ 8    │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ YjkKIyEqSp6RmGDgPJDU24dDOFeGQ9r1ngLbneqltnStSltj │ /v1/heartbeat │ GET    │ 65   │
│ YjkKIyEqSp6RmGDgPJDU24dDOFeGQ9r1ngLbneqltnStSltj │ /v1/alerts    │ POST   │ 1    │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────┬──────────────────────┬────────┬──────╮
│ Bouncer │ Route                │ Method │ Hits │
├─────────┼──────────────────────┼────────┼──────┤
│ traefik │ /v1/decisions/stream │ GET    │ 9    │
╰─────────┴──────────────────────┴────────┴──────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                     │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 23    │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 7     │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 2     │
│ crowdsecurity/CVE-2023-22518               │ CAPI   │ ban    │ 9     │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 13523 │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 13    │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 16    │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 43    │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 8     │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 191   │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 291   │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 857   │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 2     │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 4082  │
│ crowdsecurity/http-cve-2021-42013          │ CAPI   │ ban    │ 3     │
│ crowdsecurity/CVE-2023-49103               │ CAPI   │ ban    │ 120   │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 15    │
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 12    │
│ crowdsecurity/http-admin-interface-probing │ CAPI   │ ban    │ 1734  │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 36    │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 810   │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 1     │
│ crowdsecurity/CVE-2017-9841                │ CAPI   │ ban    │ 591   │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 40    │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 2     │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 490   │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 13    │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 306   │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 177   │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 39    │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 32    │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭────────────────────────────────────────────┬───────╮
│ Reason                                     │ Count │
├────────────────────────────────────────────┼───────┤
│ crowdsecurity/http-admin-interface-probing │ 1     │
│ crowdsecurity/http-probing                 │ 16    │
│ crowdsecurity/netgear_rce                  │ 1     │
│ crowdsecurity/CVE-2022-41082               │ 2     │
│ crowdsecurity/fortinet-cve-2018-13379      │ 1     │
│ crowdsecurity/http-crawl-non_statics       │ 1     │
│ crowdsecurity/http-cve-2021-41773          │ 1     │
│ crowdsecurity/http-sensitive-files         │ 1     │
│ crowdsecurity/thinkphp-cve-2018-20062      │ 1     │
│ crowdsecurity/CVE-2017-9841                │ 1     │
│ crowdsecurity/CVE-2023-49103               │ 5     │
╰────────────────────────────────────────────┴───────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

```yaml
type: slack
name: slack_default
log_level: debug
format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {{if $alert.Source.Cn -}}
  :flag-{{$alert.Source.Cn}}: will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.
  {{end}}
  {{if not $alert.Source.Cn -}}
  :pirate_flag: will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.
  {{end}}
  {{end -}}
  {{end -}}
webhook: "https://hooks.slack.com/services/XXX"
```

github-actions[bot] commented 6 months ago

@timbastin: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

buixor commented 6 months ago

Hello @timbastin !

Are you referring to a profile that requires a decision to be made?

I'm not certain if the notification template is suitable for alerts that do not require a decision, but I'm using it for other purposes as well.

(You should be able to use cscli alerts inspect -d to get more context)

timbastin commented 6 months ago

Hello @buixor my profile.yaml looks like the one in the documentation:

```yaml
name: default_ip_remediation
debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
notifications:
  - slack_default
```

I am testing the Slack notification by triggering an HTTP probing alert using nikto.pl.

timbastin commented 6 months ago

The issue was that I was missing the decisions part in profiles.yaml. The correct profiles.yaml looks like this:

```yaml
name: default_ip_remediation
debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
notifications:
  - slack_default
decisions:
  - type: ban
    duration: 4h
```

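The mechanism behind the fix, as an added example that is not part of this issue and not CrowdSec's own code: the `format` value in the reporter's slack.yaml is a Go `text/template` whose entire body sits inside `{{range .Decisions}}`. A profile with no `decisions:` block hands the plugin an alert with an empty `Decisions` slice, so the template renders to nothing, which matches the empty `message ` in the debug log just before the `400 Bad Request`. The `Alert`, `Source` and `Decision` types below are simplified stand-ins for the project's models (assumptions, carrying only the fields the template reads), and `RenderSlackMessage` and `ShouldPost` are hypothetical helpers; the guard in `ShouldPost` is the check a sender would want so a blank body is logged rather than posted.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Simplified stand-ins for the CrowdSec alert model (assumption, not the
// project's own types): only the fields the slack.yaml template touches.
type Source struct {
	Cn string // country code; empty when geoip enrichment did not run
}

type Decision struct {
	Type     string
	Duration string
	Scenario string
}

type Alert struct {
	MachineID string
	Source    Source
	Decisions []Decision
}

// slackFormat is the "format" template from the issue's slack.yaml, verbatim.
const slackFormat = `{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
{{if $alert.Source.Cn -}}
:flag-{{$alert.Source.Cn}}: will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.
{{end}}
{{if not $alert.Source.Cn -}}
:pirate_flag: will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.
{{end}}
{{end -}}
{{end -}}
`

// RenderSlackMessage executes the template against a batch of alerts, the
// shape a notification plugin receives them in (hypothetical helper).
func RenderSlackMessage(alerts []Alert) (string, error) {
	tmpl, err := template.New("slack").Parse(slackFormat)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ShouldPost is the guard a sender would want: a body that is empty after
// trimming whitespace is exactly what the debug log shows ("message ")
// right before the webhook answers 400.
func ShouldPost(msg string) bool {
	return strings.TrimSpace(msg) != ""
}

func main() {
	// Constructed sample: profile without a "decisions:" block, so the alert
	// reaches the plugin with no decisions attached.
	noDecision := []Alert{{MachineID: "agent-1", Source: Source{Cn: "DE"}}}
	// Constructed sample: profile with a 4h ban decision, as in the fix above.
	withDecision := []Alert{{
		MachineID: "agent-1",
		Source:    Source{Cn: ""},
		Decisions: []Decision{{Type: "ban", Duration: "4h", Scenario: "crowdsecurity/http-probing"}},
	}}
	for _, batch := range [][]Alert{noDecision, withDecision} {
		msg, err := RenderSlackMessage(batch)
		if err != nil {
			panic(err)
		}
		fmt.Printf("post=%v body=%q\n", ShouldPost(msg), msg)
	}
}
```

Running it prints `post=false body=""` for the first batch and `post=true` with the `:pirate_flag:` line for the second; the `{{if $alert.Source.Cn}}` branch only fires when the geoip enrichment populated a country code, otherwise the `:pirate_flag:` fallback is used.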
LaurenceJJones commented 6 months ago

Discord thread where the answer was initially discovered.