crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

VPatch scenarios not triggering iptables bouncer actions while other scenarios do #3320

Closed gdlwolf closed 1 week ago

gdlwolf commented 1 week ago

What happened?

When using CrowdSec with AppSec enabled, I noticed that scenarios like 'crowdsecurity/vpatch-env-access' and other vpatch-related scenarios successfully detect and log alerts (visible in 'cscli alerts list'), but these detections do not result in the offending IPs being added to the iptables ipset by crowdsec-firewall-bouncer-iptables.

However, other scenarios like 'crowdsecurity/CVE-2017-9841' work as expected, with detected IPs being properly added to the iptables ipset for blocking.


What did you expect to happen?

I expected all detected malicious IPs, including those from vpatch scenarios, to be added to the iptables ipset by the bouncer, similar to how other scenarios like CVE-2017-9841 are handled.

How can we reproduce it (as minimally and precisely as possible)?

  1. Enable AppSec in CrowdSec configuration
  2. Install and enable vpatch scenarios (like crowdsecurity/vpatch-env-access)
  3. Generate traffic that triggers vpatch scenarios
  4. Check alerts using 'cscli alerts list' - alerts will be visible
  5. Check iptables ipset - IPs from vpatch alerts are not added to the blocklist

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

$ uname -a
Linux iZ2zehm5r8id9tvqtmbtt5Z 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
name,status,version,description,type
crowdsecurity/appsec-logs,enabled,0.5,Parse Appsec events,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.6,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.8,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,"enabled,tainted",?,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/appsec-vpatch,enabled,0.5,Identify attacks flagged by CrowdSec AppSec,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/appsec_base,enabled,0.2,,contexts
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/appsec-default,enabled,0.2,,appsec-configs
crowdsecurity/generic-rules,enabled,0.3,,appsec-configs
crowdsecurity/virtual-patching,enabled,0.4,,appsec-configs
crowdsecurity/base-config,enabled,0.1,,appsec-rules
crowdsecurity/generic-freemarker-ssti,enabled,0.3,Generic FreeMarker SSTI,appsec-rules
crowdsecurity/generic-wordpress-uploads-php,enabled,0.1,Detect php execution in wordpress uploads directory,appsec-rules
crowdsecurity/vpatch-connectwise-auth-bypass,enabled,0.3,Detect exploitation of auth bypass in ConnectWise ScreenConnect,appsec-rules
crowdsecurity/vpatch-CVE-2017-9841,enabled,0.3,PHPUnit RCE (CVE-2017-9841),appsec-rules
crowdsecurity/vpatch-CVE-2018-1000861,enabled,0.1,Jenkins - RCE (CVE-2018-1000861),appsec-rules
crowdsecurity/vpatch-CVE-2018-10562,enabled,0.2,Dasan GPON RCE (CVE-2018-10562),appsec-rules
crowdsecurity/vpatch-CVE-2018-13379,enabled,0.2,Fortinet FortiOS - Credentials Disclosure (CVE-2018-13379),appsec-rules
crowdsecurity/vpatch-CVE-2018-20062,enabled,0.1,ThinkPHP - RCE (CVE-2018-20062),appsec-rules
crowdsecurity/vpatch-CVE-2019-1003030,enabled,0.1,Jenkins - RCE (CVE-2019-1003030),appsec-rules
crowdsecurity/vpatch-CVE-2019-12989,enabled,0.3,Citrix SQLi (CVE-2019-12989),appsec-rules
crowdsecurity/vpatch-CVE-2019-18935,enabled,0.1,Telerik - RCE (CVE-2019-18935),appsec-rules
crowdsecurity/vpatch-CVE-2020-11738,enabled,0.6,Wordpress Snap Creek Duplicator - Path Traversal (CVE-2020-11738),appsec-rules
crowdsecurity/vpatch-CVE-2020-17496,enabled,0.1,vBulletin RCE (CVE-2020-17496),appsec-rules
crowdsecurity/vpatch-CVE-2020-5902,enabled,0.1,F5 BIG-IP TMUI - RCE (CVE-2020-5902),appsec-rules
crowdsecurity/vpatch-CVE-2021-22941,enabled,0.3,Citrix RCE (CVE-2021-22941),appsec-rules
crowdsecurity/vpatch-CVE-2021-26086,enabled,0.1,Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086),appsec-rules
crowdsecurity/vpatch-CVE-2021-3129,enabled,0.4,Laravel with Ignition Debug Mode RCE (CVE-2021-3129),appsec-rules
crowdsecurity/vpatch-CVE-2022-22954,enabled,0.2,VMWare Workspace ONE Access RCE (CVE-2022-22954),appsec-rules
crowdsecurity/vpatch-CVE-2022-22965,enabled,0.2,Spring4Shell - RCE (CVE-2022-22965),appsec-rules
crowdsecurity/vpatch-CVE-2022-26134,enabled,0.2,Confluence - RCE (CVE-2022-26134),appsec-rules
crowdsecurity/vpatch-CVE-2022-27926,enabled,0.4,Zimbra Collaboration XSS (CVE-2022-27926),appsec-rules
crowdsecurity/vpatch-CVE-2022-35914,enabled,0.5,GLPI RCE (CVE-2022-35914),appsec-rules
crowdsecurity/vpatch-CVE-2022-41082,enabled,0.1,Microsoft Exchange - RCE (CVE-2022-41082),appsec-rules
crowdsecurity/vpatch-CVE-2022-44877,enabled,0.2,CentOS Web Panel 7 RCE (CVE-2022-44877),appsec-rules
crowdsecurity/vpatch-CVE-2022-46169,enabled,0.5,Cacti RCE (CVE-2022-46169),appsec-rules
crowdsecurity/vpatch-CVE-2023-1389,enabled,0.1,TP-Link Archer AX21 - RCE (CVE-2023-1389),appsec-rules
crowdsecurity/vpatch-CVE-2023-20198,enabled,0.6,CISCO IOS XE Account Creation (CVE-2023-20198),appsec-rules
crowdsecurity/vpatch-CVE-2023-22515,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-22515),appsec-rules
crowdsecurity/vpatch-CVE-2023-22527,enabled,0.2,RCE using SSTI in Confluence (CVE-2023-22527),appsec-rules
crowdsecurity/vpatch-CVE-2023-23752,enabled,0.1,Joomla! Webservice - Password Disclosure (CVE-2023-23752),appsec-rules
crowdsecurity/vpatch-CVE-2023-24489,enabled,0.2,Citrix ShareFile RCE (CVE-2023-24489),appsec-rules
crowdsecurity/vpatch-CVE-2023-28121,enabled,0.1,WooCommerce auth bypass (CVE-2023-28121),appsec-rules
crowdsecurity/vpatch-CVE-2023-33617,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-33617),appsec-rules
crowdsecurity/vpatch-CVE-2023-34362,enabled,0.6,MOVEit Transfer RCE (CVE-2023-34362),appsec-rules
crowdsecurity/vpatch-CVE-2023-35078,enabled,0.1,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35078),appsec-rules
crowdsecurity/vpatch-CVE-2023-35082,enabled,0.2,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35082),appsec-rules
crowdsecurity/vpatch-CVE-2023-3519,enabled,0.3,Citrix RCE (CVE-2023-3519),appsec-rules
crowdsecurity/vpatch-CVE-2023-38205,enabled,0.3,Adobe ColdFusion Access Control Bypass (CVE-2023-38205),appsec-rules
crowdsecurity/vpatch-CVE-2023-40044,enabled,0.3,WS_FTP .NET deserialize RCE (CVE-2023-40044),appsec-rules
crowdsecurity/vpatch-CVE-2023-42793,enabled,0.3,JetBrains Teamcity Auth Bypass (CVE-2023-42793),appsec-rules
crowdsecurity/vpatch-CVE-2023-46805,enabled,0.4,Ivanti Connect Auth Bypass (CVE-2023-46805),appsec-rules
crowdsecurity/vpatch-CVE-2023-47218,enabled,0.2,QNAP QTS - RCE (CVE-2023-47218),appsec-rules
crowdsecurity/vpatch-CVE-2023-49070,enabled,0.1,Apache OFBiz - RCE (CVE-2023-49070),appsec-rules
crowdsecurity/vpatch-CVE-2023-50164,enabled,0.6,Apache Struts2 Path Traversal (CVE-2023-50164),appsec-rules
crowdsecurity/vpatch-CVE-2023-6553,enabled,0.1,Backup Migration plugin for WordPress RCE (CVE-2023-6553),appsec-rules
crowdsecurity/vpatch-CVE-2023-7028,enabled,0.2,Gitlab Password Reset Account Takeover (CVE-2023-7028),appsec-rules
crowdsecurity/vpatch-CVE-2024-1212,enabled,0.3,Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212),appsec-rules
crowdsecurity/vpatch-CVE-2024-22024,enabled,0.1,Ivanti Connect Secure - XXE (CVE-2024-22024),appsec-rules
crowdsecurity/vpatch-CVE-2024-23897,enabled,0.4,Jenkins CLI RCE (CVE-2024-23897),appsec-rules
crowdsecurity/vpatch-CVE-2024-27198,enabled,0.5,Teamcity - Authentication Bypass (CVE-2024-27198),appsec-rules
crowdsecurity/vpatch-CVE-2024-27348,enabled,0.1,Apache HugeGraph-Server - RCE (CVE-2024-27348),appsec-rules
crowdsecurity/vpatch-CVE-2024-28255,enabled,0.1,OpenMetadata - Authentication Bypass (CVE-2024-28255),appsec-rules
crowdsecurity/vpatch-CVE-2024-28987,enabled,0.1,SolarWinds WHD Hardcoded Credentials (CVE-2024-28987),appsec-rules
crowdsecurity/vpatch-CVE-2024-29824,enabled,0.1,Ivanti EPM - SQLi (CVE-2024-29824),appsec-rules
crowdsecurity/vpatch-CVE-2024-29849,enabled,0.5,Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849),appsec-rules
crowdsecurity/vpatch-CVE-2024-29973,enabled,0.1,Zyxel - RCE (CVE-2024-29973),appsec-rules
crowdsecurity/vpatch-CVE-2024-32113,enabled,0.1,Apache OFBiz - Path Traversal (CVE-2024-32113),appsec-rules
crowdsecurity/vpatch-CVE-2024-3272,enabled,0.1," D-Link NAS - RCE (CVE-2024-3272)",appsec-rules
crowdsecurity/vpatch-CVE-2024-3273,enabled,0.1,D-LINK NAS Command Injection (CVE-2024-3273),appsec-rules
crowdsecurity/vpatch-CVE-2024-34102,enabled,0.1,Adobe Commerce & Magento - XXE (CVE-2024-34102),appsec-rules
crowdsecurity/vpatch-CVE-2024-38856,enabled,0.1,Apache OFBiz Incorrect Authorization (CVE-2024-38856),appsec-rules
crowdsecurity/vpatch-CVE-2024-4577,enabled,0.1,PHP CGI Command Injection - CVE-2024-4577,appsec-rules
crowdsecurity/vpatch-CVE-2024-8190,enabled,0.1,Ivanti Cloud Services Appliance - RCE (CVE-2024-8190),appsec-rules
crowdsecurity/vpatch-env-access,enabled,0.1,Detect access to .env files,appsec-rules
crowdsecurity/vpatch-git-config,enabled,0.2,Detect access to .git files,appsec-rules
crowdsecurity/vpatch-laravel-debug-mode,enabled,0.3,Detect bots exploiting laravel debug mode,appsec-rules
crowdsecurity/vpatch-symfony-profiler,enabled,0.1,Detect abuse of symfony profiler,appsec-rules
crowdsecurity/appsec-generic-rules,enabled,0.6,A collection of generic attack vectors for additional protection.,collections
crowdsecurity/appsec-virtual-patching,enabled,4.1,"a generic virtual patching collection, suitable for most web servers.",collections
crowdsecurity/base-http-scenarios,enabled,1.0,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.7,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.5,sshd support : parser and brute-force detection,collections
```

Acquisition config

```console
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
#Generated acquisition file - wizard.sh (service: nginx) / files : /usr/local/openresty/nginx/logs/error.log
filenames:
  - /usr/local/openresty/nginx/logs/error.log
  - /home/logs/nginx_crowdsec/nginx_crowdsec.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure
filenames:
  - /var/log/secure
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages
filenames:
  - /var/log/messages
labels:
  type: syslog
---
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec
```

Config show

```console
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Login                   : 20190711105006363114529432776998F68VOE7R97TK6UOH
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

```console
$ cscli metrics
Acquisition Metrics:
╭───────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                                            │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ appsec:appsec                                     │ 167        │ 167          │ -              │ 83                     │ -                 │
│ file:/home/logs/nginx_crowdsec/nginx_crowdsec.log │ 16.83M     │ 16.83M       │ 1              │ 5.37M                  │ 144.24k           │
│ file:/usr/local/openresty/nginx/logs/error.log    │ 511        │ 174          │ 337            │ 154                    │ -                 │
│ file:/var/log/messages                            │ 17.00M     │ -            │ 17.00M         │ -                      │ -                 │
│ file:/var/log/secure                              │ 421.36k    │ 276          │ 421.08k        │ 423                    │ 36                │
╰───────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Alerts:
╭─────────────────────────────────────────────┬───────╮
│ Reason                                      │ Count │
├─────────────────────────────────────────────┼───────┤
│ LePresidente/http-generic-403-bf            │ 1     │
│ crowdsecurity/ssh-bf                        │ 1     │
│ crowdsecurity/thinkphp-cve-2018-20062       │ 1     │
│ crowdsecurity/vpatch-CVE-2024-32113         │ 1     │
│ crowdsecurity/CVE-2022-41082                │ 4     │
│ crowdsecurity/appsec-vpatch                 │ 11    │
│ crowdsecurity/http-bad-user-agent           │ 49    │
│ crowdsecurity/vpatch-git-config             │ 10    │
│ crowdsecurity/f5-big-ip-cve-2020-5902       │ 1     │
│ crowdsecurity/http-cve-2021-41773           │ 8     │
│ crowdsecurity/http-probing                  │ 16    │
│ crowdsecurity/http-xss-probbing             │ 1     │
│ crowdsecurity/vpatch-CVE-2020-5902          │ 1     │
│ crowdsecurity/vpatch-CVE-2024-4577          │ 19    │
│ crowdsecurity/http-cve-probing              │ 2     │
│ crowdsecurity/jira_cve-2021-26086           │ 8     │
│ crowdsecurity/generic-wordpress-uploads-php │ 23    │
│ crowdsecurity/vpatch-CVE-2018-20062         │ 1     │
│ crowdsecurity/vpatch-env-access             │ 51    │
│ native_rule:3306924312                      │ 7     │
│ crowdsecurity/CVE-2017-9841                 │ 10    │
│ crowdsecurity/http-crawl-non_statics        │ 5     │
│ crowdsecurity/vpatch-CVE-2024-1212          │ 1     │
│ crowdsecurity/vpatch-CVE-2017-9841          │ 41    │
│ crowdsecurity/http-cve-2021-42013           │ 6     │
│ crowdsecurity/http-open-proxy               │ 2     │
│ crowdsecurity/http-path-traversal-probing   │ 2     │
╰─────────────────────────────────────────────┴───────╯

Appsec Metrics:
╭───────────────────┬───────────┬─────────╮
│ Appsec Engine     │ Processed │ Blocked │
├───────────────────┼───────────┼─────────┤
│ myAppSecComponent │ 16.77M    │ 167     │
╰───────────────────┴───────────┴─────────╯

Appsec 'myAppSecComponent' Rules Metrics:
╭─────────────────────────────────────────────┬───────────╮
│ Rule ID                                     │ Triggered │
├─────────────────────────────────────────────┼───────────┤
│ 3306924312                                  │ 7         │
│ crowdsecurity/generic-wordpress-uploads-php │ 30        │
│ crowdsecurity/vpatch-CVE-2017-9841          │ 41        │
│ crowdsecurity/vpatch-CVE-2018-20062         │ 1         │
│ crowdsecurity/vpatch-CVE-2020-5902          │ 2         │
│ crowdsecurity/vpatch-CVE-2024-1212          │ 1         │
│ crowdsecurity/vpatch-CVE-2024-32113         │ 1         │
│ crowdsecurity/vpatch-CVE-2024-4577          │ 19        │
│ crowdsecurity/vpatch-env-access             │ 52        │
│ crowdsecurity/vpatch-git-config             │ 12        │
│ crowdsecurity/vpatch-laravel-debug-mode     │ 1         │
╰─────────────────────────────────────────────┴───────────╯

Bouncer Metrics (cs-firewall-bouncer-1727406673) since 2024-11-04 02:12:03 +0000 UTC:
╭────────────────────────────┬──────────────────┬───────────────────┬───────────────────────╮
│ Origin                     │ active_decisions │ dropped           │ processed             │
│                            │ IPs              │ bytes   │ packets │ bytes     │ packets   │
├────────────────────────────┼──────────────────┼─────────┼─────────┼───────────┼───────────┤
│ CAPI (community blocklist) │ 55.03k           │ 25.47M  │ 427.88k │ -         │ -         │
│ crowdsec (security engine) │ 342              │ 8.70M   │ 146.90k │ -         │ -         │
├────────────────────────────┼──────────────────┼─────────┼─────────┼───────────┼───────────┤
│ Total                      │ 55.37k           │ 34.17M  │ 574.78k │ 493.87G   │ 569.77M   │
╰────────────────────────────┴──────────────────┴─────────┴─────────┴───────────┴───────────╯

Local API Decisions:
╭─────────────────────────────────────────────┬──────────┬────────┬───────╮
│ Reason                                      │ Origin   │ Action │ Count │
├─────────────────────────────────────────────┼──────────┼────────┼───────┤
│ LePresidente/http-generic-403-bf            │ crowdsec │ ban    │ 1     │
│ crowdsecurity/ssh-slow-bf                   │ CAPI     │ ban    │ 9305  │
│ crowdsecurity/vpatch-env-access             │ CAPI     │ ban    │ 685   │
│ ltsich/http-w00tw00t                        │ CAPI     │ ban    │ 3     │
│ crowdsecurity/appsec-vpatch                 │ crowdsec │ ban    │ 11    │
│ crowdsecurity/apache_log4j2_cve-2021-44228  │ CAPI     │ ban    │ 36    │
│ crowdsecurity/http-open-proxy               │ CAPI     │ ban    │ 2661  │
│ crowdsecurity/http-open-proxy               │ crowdsec │ ban    │ 2     │
│ crowdsecurity/http-wordpress-scan           │ CAPI     │ ban    │ 1217  │
│ crowdsecurity/vpatch-CVE-2023-1389          │ CAPI     │ ban    │ 11    │
│ crowdsecurity/vpatch-CVE-2023-50164         │ CAPI     │ ban    │ 1     │
│ crowdsecurity/http-xss-probbing             │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-crawl-non_statics        │ CAPI     │ ban    │ 601   │
│ crowdsecurity/http-crawl-non_statics        │ crowdsec │ ban    │ 5     │
│ crowdsecurity/http-path-traversal-probing   │ CAPI     │ ban    │ 352   │
│ crowdsecurity/http-path-traversal-probing   │ crowdsec │ ban    │ 2     │
│ crowdsecurity/http-probing                  │ CAPI     │ ban    │ 8442  │
│ crowdsecurity/http-probing                  │ crowdsec │ ban    │ 16    │
│ crowdsecurity/generic-wordpress-uploads-php │ CAPI     │ ban    │ 1     │
│ crowdsecurity/http-cve-probing              │ CAPI     │ ban    │ 47    │
│ crowdsecurity/http-cve-probing              │ crowdsec │ ban    │ 2     │
│ crowdsecurity/CVE-2019-18935                │ CAPI     │ ban    │ 127   │
│ crowdsecurity/CVE-2022-35914                │ CAPI     │ ban    │ 7     │
│ crowdsecurity/CVE-2022-44877                │ CAPI     │ ban    │ 1     │
│ crowdsecurity/nginx-req-limit-exceeded      │ CAPI     │ ban    │ 753   │
│ crowdsecurity/ssh-cve-2024-6387             │ CAPI     │ ban    │ 52    │
│ crowdsecurity/vpatch-CVE-2023-28121         │ CAPI     │ ban    │ 1     │
│ crowdsecurity/vpatch-CVE-2024-4577          │ CAPI     │ ban    │ 4     │
│ crowdsecurity/CVE-2022-41082                │ crowdsec │ ban    │ 4     │
│ crowdsecurity/CVE-2023-22515                │ CAPI     │ ban    │ 5     │
│ crowdsecurity/grafana-cve-2021-43798        │ CAPI     │ ban    │ 1     │
│ crowdsecurity/http-cve-2021-41773           │ crowdsec │ ban    │ 8     │
│ crowdsecurity/http-cve-2021-41773           │ CAPI     │ ban    │ 906   │
│ crowdsecurity/http-admin-interface-probing  │ CAPI     │ ban    │ 379   │
│ crowdsecurity/http-backdoors-attempts       │ CAPI     │ ban    │ 235   │
│ crowdsecurity/http-generic-bf               │ CAPI     │ ban    │ 50    │
│ crowdsecurity/thinkphp-cve-2018-20062       │ CAPI     │ ban    │ 342   │
│ crowdsecurity/thinkphp-cve-2018-20062       │ crowdsec │ ban    │ 1     │
│ crowdsecurity/vpatch-CVE-2023-23752         │ CAPI     │ ban    │ 1     │
│ crowdsecurity/CVE-2023-49103                │ CAPI     │ ban    │ 73    │
│ crowdsecurity/f5-big-ip-cve-2020-5902       │ CAPI     │ ban    │ 3     │
│ crowdsecurity/f5-big-ip-cve-2020-5902       │ crowdsec │ ban    │ 1     │
│ crowdsecurity/fortinet-cve-2018-13379       │ CAPI     │ ban    │ 15    │
│ crowdsecurity/vpatch-CVE-2023-6553          │ CAPI     │ ban    │ 2     │
│ crowdsecurity/http-sensitive-files          │ CAPI     │ ban    │ 512   │
│ crowdsecurity/jira_cve-2021-26086           │ CAPI     │ ban    │ 23    │
│ crowdsecurity/jira_cve-2021-26086           │ crowdsec │ ban    │ 8     │
│ crowdsecurity/netgear_rce                   │ CAPI     │ ban    │ 162   │
│ crowdsecurity/vpatch-CVE-2022-22965         │ CAPI     │ ban    │ 2     │
│ crowdsecurity/vpatch-git-config             │ CAPI     │ ban    │ 52    │
│ crowdsecurity/CVE-2022-26134                │ CAPI     │ ban    │ 9     │
│ crowdsecurity/http-bad-user-agent           │ CAPI     │ ban    │ 19434 │
│ crowdsecurity/http-bad-user-agent           │ crowdsec │ ban    │ 49    │
│ crowdsecurity/http-cve-2021-42013           │ CAPI     │ ban    │ 7     │
│ crowdsecurity/http-cve-2021-42013           │ crowdsec │ ban    │ 6     │
│ crowdsecurity/vpatch-symfony-profiler       │ CAPI     │ ban    │ 13    │
│ crowdsecurity/vpatch-CVE-2017-9841          │ CAPI     │ ban    │ 1     │
│ crowdsecurity/vpatch-laravel-debug-mode     │ CAPI     │ ban    │ 74    │
│ crowdsecurity/CVE-2017-9841                 │ CAPI     │ ban    │ 426   │
│ crowdsecurity/CVE-2017-9841                 │ crowdsec │ ban    │ 10    │
│ crowdsecurity/CVE-2022-37042                │ CAPI     │ ban    │ 2     │
│ crowdsecurity/ssh-bf                        │ CAPI     │ ban    │ 8025  │
│ crowdsecurity/ssh-bf                        │ crowdsec │ ban    │ 1     │
╰─────────────────────────────────────────────┴──────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬────────╮
│ Route                │ Method │ Hits   │
├──────────────────────┼────────┼────────┤
│ /v1/alerts           │ GET    │ 3      │
│ /v1/alerts           │ POST   │ 297    │
│ /v1/decisions/stream │ GET    │ 112520 │
│ /v1/decisions/stream │ HEAD   │ 16958  │
│ /v1/heartbeat        │ GET    │ 15626  │
│ /v1/usage-metrics    │ POST   │ 1564   │
│ /v1/watchers/login   │ POST   │ 268    │
╰──────────────────────┴────────┴────────╯

Local API Bouncers Metrics:
╭─────────────────────────────────────┬──────────────────────┬────────┬───────╮
│ Bouncer                             │ Route                │ Method │ Hits  │
├─────────────────────────────────────┼──────────────────────┼────────┼───────┤
│ crowdsec-openresty-bouncer-bZ96s0Ct │ /v1/decisions/stream │ GET    │ 18759 │
│ crowdsec-openresty-bouncer-bZ96s0Ct │ /v1/decisions/stream │ HEAD   │ 16958 │
│ cs-firewall-bouncer-1727406673      │ /v1/decisions/stream │ GET    │ 93761 │
╰─────────────────────────────────────┴──────────────────────┴────────┴───────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬───────╮
│ Machine                                          │ Route         │ Method │ Hits  │
├──────────────────────────────────────────────────┼───────────────┼────────┼───────┤
│ 20190711105006363114529432776998F68VOE7R97TK6UOH │ /v1/heartbeat │ GET    │ 15626 │
│ 20190711105006363114529432776998F68VOE7R97TK6UOH │ /v1/alerts    │ GET    │ 3     │
│ 20190711105006363114529432776998F68VOE7R97TK6UOH │ /v1/alerts    │ POST   │ 297   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴───────╯

Parser Metrics:
╭─────────────────────────────────┬────────┬────────┬──────────╮
│ Parsers                         │ Hits   │ Parsed │ Unparsed │
├─────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 50.50M │ 46.11M │ 4.39M    │
│ child-crowdsecurity/nginx-logs  │ 16.84M │ 16.83M │ 5.60k    │
│ child-crowdsecurity/sshd-logs   │ 21.77k │ 276    │ 21.49k   │
│ child-crowdsecurity/syslog-logs │ 17.42M │ 17.42M │ 1.30k    │
│ crowdsecurity/appsec-logs       │ 167    │ 167    │ -        │
│ crowdsecurity/dateparse-enrich  │ 16.83M │ 16.83M │ -        │
│ crowdsecurity/geoip-enrich      │ 16.83M │ 16.83M │ -        │
│ crowdsecurity/http-logs         │ 16.83M │ 16.83M │ 1.81k    │
│ crowdsecurity/nginx-logs        │ 16.83M │ 16.83M │ 338      │
│ crowdsecurity/non-syslog        │ 16.83M │ 16.83M │ -        │
│ crowdsecurity/sshd-logs         │ 1.71k  │ 276    │ 1.44k    │
│ crowdsecurity/syslog-logs       │ 17.42M │ 17.42M │ 651      │
│ crowdsecurity/whitelists        │ 16.83M │ 16.83M │ -        │
╰─────────────────────────────────┴────────┴────────┴──────────╯

Scenario Metrics:
╭────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                                   │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ LePresidente/http-generic-403-bf           │ -             │ 1         │ 18           │ 35     │ 17      │
│ crowdsecurity/CVE-2017-9841                │ -             │ 54        │ 54           │ -      │ -       │
│ crowdsecurity/CVE-2022-41082               │ -             │ 5         │ 5            │ -      │ -       │
│ crowdsecurity/appsec-vpatch                │ -             │ 12        │ 71           │ 83     │ 59      │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ -             │ 4         │ 4            │ -      │ -       │
│ crowdsecurity/http-admin-interface-probing │ -             │ -         │ 19           │ 20     │ 19      │
│ crowdsecurity/http-backdoors-attempts      │ -             │ -         │ 21           │ 23     │ 21      │
│ crowdsecurity/http-bad-user-agent          │ 1             │ 157       │ 1.93k        │ 2.09k  │ 1.77k   │
│ crowdsecurity/http-crawl-non_statics       │ 97            │ 14        │ 4.53M        │ 5.31M  │ 4.53M   │
│ crowdsecurity/http-cve-2021-41773          │ -             │ 9         │ 9            │ -      │ -       │
│ crowdsecurity/http-cve-2021-42013          │ -             │ 7         │ 7            │ -      │ -       │
│ crowdsecurity/http-cve-probing             │ -             │ 4         │ 13           │ 17     │ 9       │
│ crowdsecurity/http-open-proxy              │ -             │ 4         │ 4            │ -      │ -       │
│ crowdsecurity/http-path-traversal-probing  │ -             │ 2         │ 29           │ 41     │ 27      │
│ crowdsecurity/http-probing                 │ -             │ 76        │ 35.87k       │ 58.10k │ 35.80k  │
│ crowdsecurity/http-sensitive-files         │ -             │ -         │ 116          │ 138    │ 116     │
│ crowdsecurity/http-sqli-probbing-detection │ -             │ -         │ 12           │ 12     │ 12      │
│ crowdsecurity/http-wordpress-scan          │ -             │ -         │ 11           │ 17     │ 11      │
│ crowdsecurity/http-xss-probbing            │ -             │ 1         │ 16           │ 33     │ 15      │
│ crowdsecurity/jira_cve-2021-26086          │ -             │ 15        │ 15           │ -      │ -       │
│ crowdsecurity/ssh-bf                       │ -             │ 1         │ 61           │ 130    │ 60      │
│ crowdsecurity/ssh-bf_user-enum             │ -             │ -         │ 60           │ 91     │ 60      │
│ crowdsecurity/ssh-slow-bf                  │ -             │ -         │ 42           │ 130    │ 42      │
│ crowdsecurity/ssh-slow-bf_user-enum        │ -             │ -         │ 43           │ 72     │ 43      │
│ crowdsecurity/thinkphp-cve-2018-20062      │ -             │ 1         │ 1            │ -      │ -       │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────────┬─────────────╮
│ Whitelist                │ Reason                      │ Hits     │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 16834417 │ 144271      │
╰──────────────────────────┴─────────────────────────────┴──────────┴─────────────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 1 week ago

@gdlwolf: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

LaurenceJJones commented 1 week ago

This is intentionally how the appsec feature is designed.

So when an appsec rule is triggered 2 things happen:

If the user triggers 2 unique appsec rules then it would trigger the scenario as they are trying different things to your server.

However if you want to block them after the first try you can simply edit this scenario on your server and change capacity to 0.

(We don't recommend banning an IP address after the first appsec trigger, as with any rule system there is always a chance of a false positive and you don't want to risk completely blocking yourself from your own server.)

The CVE you point out happens because we have a trigger scenario and a vpatch rule for it. We don't have a trigger scenario for env access but we do have https://app.crowdsec.net/hub/author/crowdsecurity/configurations/http-sensitive-files which detects crawling.
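To see the capacity/distinct arithmetic behind this answer on concrete numbers, here is a small leaky-bucket model added for this page (it is not CrowdSec's own bucket code). The bucket keys (`groupby` on source IP, `distinct` on rule name), the 60s leakspeed and the 2m blackhole are assumptions chosen for illustration, not values read from the hub's crowdsecurity/appsec-vpatch file; the events are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class AppsecEvent:
    """One AppSec hit as the scenario would see it (constructed sample data)."""
    source_ip: str   # assumed `groupby: evt.Meta.source_ip` bucket key
    rule_name: str   # assumed `distinct: evt.Meta.rule_name` de-dup key
    ts: float        # seconds since the start of the capture


@dataclass
class LeakyBucket:
    """Simplified leaky bucket: one token per distinct rule, one token leaked
    every `leakspeed` seconds, overflow when tokens exceed `capacity`."""
    capacity: int
    leakspeed: float
    blackhole: float
    tokens: int = 0
    last_leak: float = 0.0
    blackhole_until: float = 0.0
    seen_rules: list = field(default_factory=list)

    def _leak(self, now: float) -> None:
        leaked = int((now - self.last_leak) // self.leakspeed)
        if leaked <= 0:
            return
        self.tokens = max(0, self.tokens - leaked)
        self.last_leak += leaked * self.leakspeed
        if self.tokens == 0:
            # an empty bucket expires; the next hit starts a fresh one
            self.seen_rules.clear()

    def pour(self, evt: AppsecEvent):
        """Pour one event; return the distinct rules seen if it overflows."""
        if evt.ts < self.blackhole_until:
            return None  # still blackholed after a previous overflow
        if self.tokens == 0:
            self.last_leak = evt.ts  # fresh bucket starts leaking from now
        else:
            self._leak(evt.ts)
        if evt.rule_name in self.seen_rules:
            return None  # distinct: repeating the same rule adds no token
        self.seen_rules.append(evt.rule_name)
        self.tokens += 1
        if self.tokens > self.capacity:
            rules = list(self.seen_rules)
            self.tokens = 0
            self.seen_rules.clear()
            self.blackhole_until = evt.ts + self.blackhole
            return rules
        return None


def run_scenario(events, capacity, leakspeed=60.0, blackhole=120.0):
    """Feed events through one bucket per source IP and return the overflows
    as (ip, distinct_rules) pairs, i.e. what would become an alert."""
    buckets = {}
    alerts = []
    for evt in sorted(events, key=lambda e: e.ts):
        bucket = buckets.setdefault(
            evt.source_ip, LeakyBucket(capacity, leakspeed, blackhole))
        rules = bucket.pour(evt)
        if rules is not None:
            alerts.append((evt.source_ip, rules))
    return alerts


# Constructed sample (RFC 5737 addresses): one client only hammering .env,
# one trying two different rules, one whose second rule arrives after the
# bucket has leaked empty.
SAMPLE = [
    AppsecEvent("198.51.100.10", "crowdsecurity/vpatch-env-access", 0.0),
    AppsecEvent("198.51.100.10", "crowdsecurity/vpatch-env-access", 1.0),
    AppsecEvent("198.51.100.10", "crowdsecurity/vpatch-env-access", 2.0),
    AppsecEvent("198.51.100.20", "crowdsecurity/vpatch-env-access", 0.0),
    AppsecEvent("198.51.100.20", "crowdsecurity/vpatch-git-config", 5.0),
    AppsecEvent("198.51.100.30", "crowdsecurity/vpatch-env-access", 0.0),
    AppsecEvent("198.51.100.30", "crowdsecurity/vpatch-git-config", 200.0),
]

if __name__ == "__main__":
    for cap in (1, 0):
        print(f"capacity={cap}:")
        for ip, rules in run_scenario(SAMPLE, capacity=cap):
            print(f"  overflow for {ip}: {rules}")
```

With capacity 1 only the client that tried two different rules overflows; with capacity 0 every first hit overflows, which is the trade-off the maintainer describes.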

gdlwolf commented 1 week ago

Thank you very much.