crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.75k stars 452 forks

ModSecurity rules errors #3245

Open gdlwolf opened 4 days ago

gdlwolf commented 4 days ago

What happened?

CrowdSec + AppSec + ModSecurity rule:

```
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"
```

The value of REMOTE_ADDR is 127.0.0.1:48926, and 48926 is a random port. Therefore ModSecurity's rules for IP whitelisting are invalid.

What did you expect to happen?

ModSecurity's rules for IP whitelisting are invalid, because I found that the variable REMOTE_ADDR is not the expected client IP, but 127.0.0.1:<random port number>.

How can we reproduce it (as minimally and precisely as possible)?

  1. OS: AlmaLinux release 9.3 (Shamrock Pampas Cat)

  2. nginx version:

```console
nginx version: openresty/1.25.3.2
built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC)
built with OpenSSL 1.1.1w 11 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.3 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/lib -ljemalloc' --user=www --group=www --with-http_stub_status_module --with-http_perl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail=dynamic --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-pcre=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/pcre-8.45 --with-zlib=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/zlib-1.3.1 --with-openssl=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/openssl-1.1.1w --with-http_perl_module=dynamic --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_cache_purge-2.3 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_healthcheck_module-master --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_http_geoip2_module-3.4 --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ip2location/ip2location-nginx-8.6.0 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-ssl-fingerprint --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ModSecurity-nginx --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-module-vts-0.2.2 --with-openssl-opt=-g --with-pcre-opt=-g --with-zlib-opt=-g --with-stream --without-pcre2
```

  3. Crowdsec:v1.6.3

  4. nginx.conf config:

```
http {
    include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;
}
```

  5. crowdsec_openresty.conf is default

  6. /etc/crowdsec/acquis.d/appsec.yaml

```yaml
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec
log_level: debug
```

  7. /etc/crowdsec/appsec-configs/appsec-default.yaml

```yaml
name: crowdsecurity/virtual-patching
default_remediation: ban
inband_rules:
```

  8. /etc/crowdsec/appsec-rules/modsecurity.yaml

```yaml
name: gdl/modsecurity
description: ModSecurity rules integration for CrowdSec
seclang_files_rules:
  - /coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
  - /coreruleset/rules/REQUEST-901-INITIALIZATION.conf
  - /coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
  - /coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
  - /coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
  - /coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
  - /coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
  - /coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
  - /coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
  - /coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
  - /coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
  - /coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
  - /coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
  - /coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  - /coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
  - /coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
  - /coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
  - /coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
  - /coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
  - /coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
  - /coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
  - /coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
  - /coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
  - /coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
  - /coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
  - /coreruleset/rules/RESPONSE-980-CORRELATION.conf
  - /coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```

  9. Download ModSecurity: `git clone https://github.com/coreruleset/coreruleset.git`

  10. Copy the rules into the CrowdSec data directory:

```console
cd /home/soft
git clone https://github.com/coreruleset/coreruleset.git
mkdir -pv /var/lib/crowdsec/data/coreruleset/rules
cp /home/soft/coreruleset/rules/*.conf /var/lib/crowdsec/data/coreruleset/rules/
cp /home/soft/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp /home/soft/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cp /home/soft/coreruleset/rules/*.data /var/lib/crowdsec/data/coreruleset/
```

Finally, the rule for IP whitelisting:

```
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"
```

was added to the /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file.

```console
systemctl restart crowdsec
systemctl restart nginx
```

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
[root@instance-20240912-1119 ~]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
$ uname -a
Linux instance-20240912-1119 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 7 14:54:22 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
# paste output here
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
#Generated acquisition file - wizard.sh (service: nginx) / files : /usr/local/openresty/nginx/logs/error.log /usr/local/openresty/nginx/logs/access.log
filenames:
  - /usr/local/openresty/nginx/logs/error.log
  - /usr/local/openresty/nginx/logs/access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure
filenames:
  - /var/log/secure
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages
filenames:
  - /var/log/messages
labels:
  type: syslog
---
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec
```

Config show

```console
$ cscli config show
Global:
  - Configuration Folder : /etc/crowdsec
  - Data Folder : /var/lib/crowdsec/data
  - Hub Folder : /etc/crowdsec/hub
  - Simulation File : /etc/crowdsec/simulation.yaml
  - Log Folder : /var/log
  - Log level : info
  - Log Media : file
Crowdsec:
  - Acquisition File : /etc/crowdsec/acquis.yaml
  - Parsers routines : 1
  - Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
  - Output : human
  - Hub Branch :
API Client:
  - URL : http://127.0.0.1:8080/
  - Login : d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC
  - Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL : 127.0.0.1:8080
  - Listen Socket :
  - Profile File : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
    - 127.0.0.1
    - ::1
  - Database:
    - Type : sqlite
    - Path : /var/lib/crowdsec/data/crowdsec.db
    - Flush age : 7d
    - Flush size : 5000
```

Prometheus metrics

```console
$ cscli metrics
Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                                          │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ appsec:appsec                                   │ 3          │ 3            │ -              │ 2                      │ -                 │
│ file:/usr/local/openresty/nginx/logs/access.log │ 3          │ 3            │ -              │ 5                      │ -                 │
│ file:/usr/local/openresty/nginx/logs/error.log  │ 12         │ 3            │ 9              │ 6                      │ -                 │
│ file:/var/log/messages                          │ 29         │ -            │ 29             │ -                      │ -                 │
│ file:/var/log/secure                            │ 49         │ 39           │ 10             │ 114                    │ -                 │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Alerts:
╭───────────────────────────────────────┬───────╮
│ Reason                                │ Count │
├───────────────────────────────────────┼───────┤
│ crowdsecurity/http-bad-user-agent     │ 11    │
│ crowdsecurity/ssh-bf_user-enum        │ 5     │
│ native_rule:901001                    │ 13    │
│ native_rule:920350                    │ 1     │
│ crowdsecurity/ssh-cve-2024-6387       │ 2     │
│ crowdsecurity/thinkphp-cve-2018-20062 │ 2     │
│ crowdsecurity/netgear_rce             │ 1     │
│ crowdsecurity/ssh-bf                  │ 44    │
│ crowdsecurity/ssh-slow-bf_user-enum   │ 4     │
│ crowdsecurity/CVE-2017-9841           │ 6     │
│ crowdsecurity/http-cve-2021-41773     │ 4     │
│ crowdsecurity/http-cve-2021-42013     │ 2     │
│ crowdsecurity/http-open-proxy         │ 5     │
│ crowdsecurity/http-probing            │ 1     │
│ crowdsecurity/vpatch-CVE-2023-42793   │ 7     │
│ crowdsecurity/ssh-slow-bf             │ 58    │
│ crowdsecurity/vpatch-env-access       │ 1     │
│ native_rule:901340                    │ 194   │
╰───────────────────────────────────────┴───────╯

Appsec Metrics:
╭───────────────────┬───────────┬─────────╮
│ Appsec Engine     │ Processed │ Blocked │
├───────────────────┼───────────┼─────────┤
│ myAppSecComponent │ 3         │ 3       │
╰───────────────────┴───────────┴─────────╯

Appsec 'myAppSecComponent' Rules Metrics:
╭─────────┬───────────╮
│ Rule ID │ Triggered │
├─────────┼───────────┤
│ 901001  │ 3         │
╰─────────┴───────────╯

Local API Decisions:
╭──────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                       │ Origin │ Action │ Count │
├──────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2019-18935                 │ CAPI   │ ban    │ 43    │
│ crowdsecurity/apache_log4j2_cve-2021-44228   │ CAPI   │ ban    │ 62    │
│ crowdsecurity/netgear_rce                    │ CAPI   │ ban    │ 132   │
│ crowdsecurity/vpatch-CVE-2024-4577           │ CAPI   │ ban    │ 2     │
│ crowdsecurity/vpatch-env-access              │ CAPI   │ ban    │ 175   │
│ crowdsecurity/fortinet-cve-2018-13379        │ CAPI   │ ban    │ 13    │
│ crowdsecurity/http-open-proxy                │ CAPI   │ ban    │ 1939  │
│ crowdsecurity/http-probing                   │ CAPI   │ ban    │ 6054  │
│ crowdsecurity/ssh-slow-bf                    │ CAPI   │ ban    │ 10723 │
│ crowdsecurity/vpatch-CVE-2023-6553           │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-cve-2021-42013            │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-dos-invalid-http-versions │ CAPI   │ ban    │ 1126  │
│ crowdsecurity/nginx-req-limit-exceeded       │ CAPI   │ ban    │ 662   │
│ crowdsecurity/spring4shell_cve-2022-22965    │ CAPI   │ ban    │ 1     │
│ ltsich/http-w00tw00t                         │ CAPI   │ ban    │ 4     │
│ crowdsecurity/CVE-2022-35914                 │ CAPI   │ ban    │ 6     │
│ crowdsecurity/CVE-2023-49103                 │ CAPI   │ ban    │ 107   │
│ crowdsecurity/ssh-bf                         │ CAPI   │ ban    │ 6492  │
│ crowdsecurity/ssh-cve-2024-6387              │ CAPI   │ ban    │ 46    │
│ crowdsecurity/thinkphp-cve-2018-20062        │ CAPI   │ ban    │ 233   │
│ crowdsecurity/vpatch-git-config              │ CAPI   │ ban    │ 18    │
│ crowdsecurity/vpatch-laravel-debug-mode      │ CAPI   │ ban    │ 29    │
│ crowdsecurity/CVE-2022-26134                 │ CAPI   │ ban    │ 6     │
│ crowdsecurity/http-bad-user-agent            │ CAPI   │ ban    │ 16506 │
│ crowdsecurity/http-crawl-non_statics         │ CAPI   │ ban    │ 486   │
│ crowdsecurity/http-generic-bf                │ CAPI   │ ban    │ 36    │
│ crowdsecurity/http-path-traversal-probing    │ CAPI   │ ban    │ 256   │
│ crowdsecurity/vpatch-CVE-2023-1389           │ CAPI   │ ban    │ 5     │
│ crowdsecurity/CVE-2017-9841                  │ CAPI   │ ban    │ 410   │
│ crowdsecurity/f5-big-ip-cve-2020-5902        │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-cve-probing               │ CAPI   │ ban    │ 27    │
│ crowdsecurity/CVE-2023-22515                 │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-admin-interface-probing   │ CAPI   │ ban    │ 340   │
│ crowdsecurity/http-sensitive-files           │ CAPI   │ ban    │ 461   │
│ crowdsecurity/http-wordpress-scan            │ CAPI   │ ban    │ 555   │
│ crowdsecurity/vpatch-symfony-profiler        │ CAPI   │ ban    │ 3     │
│ crowdsecurity/CVE-2022-37042                 │ CAPI   │ ban    │ 2     │
│ crowdsecurity/http-backdoors-attempts        │ CAPI   │ ban    │ 264   │
│ crowdsecurity/http-cve-2021-41773            │ CAPI   │ ban    │ 556   │
│ crowdsecurity/jira_cve-2021-26086            │ CAPI   │ ban    │ 22    │
│ crowdsecurity/modsecurity                    │ CAPI   │ ban    │ 1421  │
╰──────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ POST   │ 3    │
│ /v1/decisions/stream │ GET    │ 312  │
│ /v1/decisions/stream │ HEAD   │ 2    │
│ /v1/heartbeat        │ GET    │ 26   │
│ /v1/usage-metrics    │ POST   │ 2    │
│ /v1/watchers/login   │ POST   │ 1    │
╰──────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer                             │ Route                │ Method │ Hits │
├─────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ GET    │ 154  │
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ HEAD   │ 2    │
│ cs-firewall-bouncer-1726126067      │ /v1/decisions/stream │ GET    │ 158  │
╰─────────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/alerts    │ POST   │ 3    │
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/heartbeat │ GET    │ 26   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                         │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 18   │ 16     │ 2        │
│ child-crowdsecurity/nginx-logs  │ 36   │ 6      │ 30       │
│ child-crowdsecurity/sshd-logs   │ 314  │ 39     │ 275      │
│ child-crowdsecurity/syslog-logs │ 78   │ 78     │ -        │
│ crowdsecurity/appsec-logs       │ 3    │ 3      │ -        │
│ crowdsecurity/dateparse-enrich  │ 45   │ 45     │ -        │
│ crowdsecurity/geoip-enrich      │ 48   │ 48     │ -        │
│ crowdsecurity/http-logs         │ 6    │ 6      │ -        │
│ crowdsecurity/nginx-logs        │ 15   │ 6      │ 9        │
│ crowdsecurity/non-syslog        │ 18   │ 18     │ -        │
│ crowdsecurity/sshd-logs         │ 49   │ 39     │ 10       │
│ crowdsecurity/syslog-logs       │ 78   │ 78     │ -        │
│ crowdsecurity/whitelists        │ 48   │ 48     │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/appsec-vpatch          │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 3            │ 3      │ 3       │
│ crowdsecurity/http-dos-swithcing-ua  │ -             │ -         │ 2            │ 4      │ 2       │
│ crowdsecurity/http-probing           │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/http-xss-probbing      │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/ssh-bf                 │ 2             │ -         │ 20           │ 39     │ 18      │
│ crowdsecurity/ssh-bf_user-enum       │ 2             │ -         │ 20           │ 20     │ 18      │
│ crowdsecurity/ssh-slow-bf            │ 6             │ -         │ 6            │ 39     │ -       │
│ crowdsecurity/ssh-slow-bf_user-enum  │ 5             │ -         │ 7            │ 16     │ 2       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist                │ Reason                      │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 48   │ -           │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 4 days ago

@gdlwolf: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

LaurenceJJones commented 4 days ago

Hi 👋🏻

Thank you for a detailed report and steps, we managed to reproduce the issue and can pinpoint the code at fault.

We will work on a patch for the next update, 1.6.4.

gdlwolf commented 4 days ago

thanks
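
The failure reported in this issue, as an added Go example (not CrowdSec or ModSecurity code): an allowlist check that uses REMOTE_ADDR as-is, next to one that strips an optional port before matching. The function names are hypothetical, and the sample addresses other than those in the reporter's rule are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseAllowlist accepts bare IPs and CIDR ranges, like an @ipMatch argument list.
func parseAllowlist(entries []string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil {
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", e, err)
		}
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

func contains(allow []netip.Prefix, a netip.Addr) bool {
	a = a.Unmap() // treat an IPv4-mapped IPv6 address as plain IPv4
	for _, p := range allow {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// strictMatch models the behaviour reported in the issue: the value is used
// as-is, and "127.0.0.1:48926" is not an IP address, so it never matches.
func strictMatch(allow []netip.Prefix, remoteAddr string) bool {
	a, err := netip.ParseAddr(remoteAddr)
	return err == nil && contains(allow, a)
}

// normalizedMatch strips an optional port ("ip:port", "[v6]:port") before
// matching, and fails closed on anything it cannot parse.
func normalizedMatch(allow []netip.Prefix, remoteAddr string) bool {
	a, err := netip.ParseAddr(remoteAddr)
	if err != nil {
		ap, perr := netip.ParseAddrPort(remoteAddr)
		if perr != nil {
			return false
		}
		a = ap.Addr()
	}
	return contains(allow, a)
}

func main() {
	// The allowlist mirrors the rule on this page; the inputs are constructed.
	allow, _ := parseAllowlist([]string{"127.0.0.1", "192.168.200.1"})
	for _, v := range []string{"127.0.0.1", "127.0.0.1:48926", "[::1]:48926", "10.0.0.5:443"} {
		fmt.Printf("%-16s strict=%-5v normalized=%v\n", v, strictMatch(allow, v), normalizedMatch(allow, v))
	}
}
```

Because an unparseable value simply fails to match, a malformed REMOTE_ADDR is never treated as allowlisted and the request is still inspected by the remaining rules.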