Closed andyoulovexy closed 1 year ago
Transferring to the hub as more appropriate location
For the Suricata fast log we only support the text format, not JSON. Is this configurable? Also, which logs are these? Is it one of those stated below?

- the JSON eve.json format (type: suricata-evelogs)
- the text fast.log format (type: suricata-fastlogs)
Stale issue, closing; please reopen if you find time to respond to the questions.
Hi team,
Well, I face exactly the same problem.
I run Suricata version 5.0.10 (cannot upgrade to version 6, since I need to use it together with Prelude OSS). I run CrowdSec version 1.4.3.
The suricata logs do not get parsed.
FYI:
Acquisition Metrics:

| Source | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
|---|---|---|---|---|
| file:/var/log/suricata/eve.json | 30.83k | - | 30.83k | - |
| journalctl:journalctl-_SYSTEMD_UNIT=mysql.service | 1 | - | 1 | - |
| journalctl:journalctl-_SYSTEMD_UNIT=sshd.service | 1 | - | 1 | - |

Local Api Metrics:

| Route | Method | Hits |
|---|---|---|
| /v1/alerts | POST | 3 |
| /v1/decisions/stream | GET | 516 |
| /v1/heartbeat | GET | 86 |
| /v1/watchers/login | POST | 6 |

Local Api Machines Metrics:

| Machine | Route | Method | Hits |
|---|---|---|---|
| 8cb9a62beb75b6665e560e3b59789ff3l2CvrtJ61bUuTHSs | /v1/heartbeat | GET | 86 |
| 8cb9a62beb75b2665e500e3b59789ff3l2CvrtJ61bUuTHSs | /v1/alerts | POST | 3 |

Local Api Bouncers Metrics:

| Bouncer | Route | Method | Hits |
|---|---|---|---|
| FirewallBouncer-1671311503 | /v1/decisions/stream | GET | 516 |

Local Api Decisions:

| Reason | Origin | Action | Count |
|---|---|---|---|
| crowdsecurity/CVE-2022-35914 | CAPI | ban | 4 |
| crowdsecurity/f5-big-ip-cve-2020-5902 | CAPI | ban | 7 |
| crowdsecurity/http-generic-bf | CAPI | ban | 26 |
| crowdsecurity/ssh-bf | CAPI | ban | 1826 |
| crowdsecurity/mysql-bf | CAPI | ban | 67 |
| crowdsecurity/spring4shell_cve-2022-22965 | CAPI | ban | 2 |
| crowdsecurity/thinkphp-cve-2018-20062 | CAPI | ban | 33 |
| crowdsecurity/http-bad-user-agent | CAPI | ban | 5531 |
| crowdsecurity/http-cve-2021-42013 | CAPI | ban | 1 |
| crowdsecurity/ssh-slow-bf | CAPI | ban | 55 |
| crowdsecurity/vmware-cve-2022-22954 | CAPI | ban | 4 |
| crowdsecurity/http-probing | CAPI | ban | 4204 |
| crowdsecurity/nginx-req-limit-exceeded | CAPI | ban | 892 |
| crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 | CAPI | ban | 2 |
| ltsich/http-w00tw00t | CAPI | ban | 3 |
| crowdsecurity/CVE-2022-41082 | CAPI | ban | 2 |
| crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI | ban | 29 |
| crowdsecurity/http-backdoors-attempts | CAPI | ban | 262 |
| crowdsecurity/http-crawl-non_statics | CAPI | ban | 1165 |
| crowdsecurity/http-cve-2021-41773 | CAPI | ban | 71 |
| crowdsecurity/fortinet-cve-2018-13379 | CAPI | ban | 46 |
| crowdsecurity/http-path-traversal-probing | CAPI | ban | 617 |
| crowdsecurity/CVE-2022-37042 | CAPI | ban | 4 |
| crowdsecurity/grafana-cve-2021-43798 | CAPI | ban | 6 |
| manual 'ban' from '8cb9a62beb75b2665e560e3b59789f3l2CvrtJ61bUuTHSs' | cscli | ban | 1 |
| crowdsecurity/CVE-2022-42889 | CAPI | ban | 1 |
| crowdsecurity/http-open-proxy | CAPI | ban | 244 |
| crowdsecurity/http-sensitive-files | CAPI | ban | 182 |
| crowdsecurity/jira_cve-2021-26086 | CAPI | ban | 168 |

Local Api Alerts:

| Reason | Count |
|---|---|
| manual 'ban' from '8cb9a62beb75b765e560e3b59789ff5l2CvrtJ61bUuTHSs' | 3 |
This is one example line from eve.json:

```json
{"timestamp":"2022-12-18T18:30:53.263350+0200","flow_id":989059031607521,"in_iface":"eth0","event_type":"tls","src_ip":"84.44.200.23","src_port":47470,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","tls":{"sni":"tube.xy-space.de","version":"TLS 1.3","ja3":{"hash":"579ccef312d18482fc42e2b822ca2430","string":"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0"},"ja3s":{"hash":"15af977ce25de452b96affa2addb1036","string":"771,4866,43-51"}}}
```
Any ideas?
Hey, so the filter is JSON based, so the event_type needs to be "alert"; the one you shared is "tls".
Here is the filter:

```
evt.Parsed.program == "suricata-evelogs" && JsonExtract(evt.Parsed.message, "event_type") == "alert"
```
Well, this was an example line. I have lines like this:
```json
{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}
```
which should be parsed, shouldn't they?
Reopening the issue; I will look into it Monday. It would be helpful if you could run the line through `cscli explain`.
`cscli explain --file /var/log/suricata/eve.json --type suricata-evelogs --verbose` yields many lines, e.g.:

```
line: {"timestamp":"2022-12-18T23:31:09.003158+0200","flow_id":2159103788454115,"in_iface":"eth0","event_type":"flow","src_ip":"132.226.212.242","src_port":41784,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":14,"pkts_toclient":13,"bytes_toserver":3137,"bytes_toclient":7441,"start":"2022-12-18T23:30:00.921827+0200","end":"2022-12-18T23:30:06.410477+0200","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🔴 crowdsecurity/suricata-evelogs
| └ 🔴 crowdsecurity/suricata-fastlogs
└-------- parser failure 🔴

line: {"timestamp":"2022-12-18T23:36:58.012295+0200","flow_id":2041696589825413,"in_iface":"eth0","event_type":"tls","src_ip":"95.216.205.51","src_port":59106,"dest_ip":"172.67.202.221","dest_port":443,"proto":"TCP","tls":{"sni":"relay.national-defence.network","version":"TLS 1.3","ja3":{"hash":"c199b43d41b470f8f68c5561f8f1ce3e","string":"771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2"},"ja3s":{"hash":"907bf3ecef1c987c889946b737b43de8","string":"771,4866,51-43"}}}
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🔴 crowdsecurity/suricata-evelogs
| └ 🔴 crowdsecurity/suricata-fastlogs
└-------- parser failure 🔴
```
Is that a like-for-like copy of the output? Because it's missing the s00 section.
It helps if I have the full output; also, wrapping the lines in ``` allows for better formatting.
But it's clear something is not parsing, so I can debug on Monday.
O.K., so there seems to be a different problem!? No, I did not omit anything.
This is my acquis.yaml file content:
```yaml
journalctl_filter:
journalctl_filter:
```
Note that I removed every third minus sign when posting the content in order to avoid formatting issues.
Yes, you're missing the syslog parser. If you do `cscli parsers list` and it is not there, you need to do `cscli collections install crowdsecurity/linux`.
Well, I did so; now I receive:

```
├ s00-raw
| ├ 🟢 crowdsecurity/non-syslog (first_parser)
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/mysql-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🔴 crowdsecurity/suricata-evelogs
| └ 🔴 crowdsecurity/suricata-fastlogs
└-------- parser failure 🔴
```
My updated acquis.yaml file looks like this:
```yaml
filenames:
journalctl_filter:
journalctl_filter:
```
The crowdsec.log tells me:

```
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="19-12-2022 00:20:15" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml stage=s01-parse
```
No errors or warnings, but still "s01-parse" only yields red dots...
That's because the log is only stating that the YAML syntax is correct; it doesn't mean the parser is correct for your log sample. As stated, I will investigate Monday, as it's not just a missing syslog parser issue.
So with the alert above with `"event_type": "alert"`, the parser is working as intended.

```
[loz@unknown-dev ~]$ sudo cscli explain --log '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' --type suricata-evelogs -v
line: {"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}
├ s00-raw
| ├ 🔴 crowdsecurity/docker-logs
| ├ 🟢 crowdsecurity/non-syslog (first_parser)
| └ 🔴 crowdsecurity/syslog-logs
├ s01-parse
| ├ 🔴 crowdsecurity/apache2-logs
| ├ 🔴 crowdsecurity/haproxy-logs
| ├ 🔴 crowdsecurity/mariadb-logs
| ├ 🔴 crowdsecurity/nginx-logs
| ├ 🔴 crowdsecurity/sshd-logs
| ├ 🟢 crowdsecurity/suricata-evelogs (+13 ~2)
| ├ update evt.Stage : s01-parse -> s02-enrich
| ├ create evt.Parsed.time : 2022-12-18T22:13:41.010414
| ├ create evt.Parsed.dest_ip : 95.216.205.51
| ├ create evt.Parsed.dest_port : 8042
| ├ create evt.Parsed.proto : TCP
| ├ create evt.Parsed.suricata_alert_signature : SURICATA HTTP Request line incomplete
| ├ create evt.Parsed.suricata_alert_signature_rev : 1
| ├ update evt.StrTime : -> 2022-12-18T22:13:41.010414Z
| ├ create evt.Meta.log_type : suricata_alert
| ├ create evt.Meta.service : suricata
| ├ create evt.Meta.source_ip : 135.181.5.2
| ├ create evt.Meta.sub_log_type : suricata_alert_eve_json
| ├ create evt.Meta.suricata_alert_signature_id : 2221042
| ├ create evt.Meta.suricata_flow_id : 739629681939368
| ├ create evt.Meta.suricata_rule_severity : 3
| ├ 🔴 crowdsecurity/suricata-fastlogs
| └ 🔴 proftpd-logs
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
| ├ create evt.Enriched.MarshaledTime : 2022-12-18T22:13:41.010414Z
| ├ update evt.MarshaledTime : -> 2022-12-18T22:13:41.010414Z
| ├ create evt.Meta.timestamp : 2022-12-18T22:13:41.010414Z
| ├ 🟢 crowdsecurity/geoip-enrich (+13)
| ├ create evt.Enriched.IsInEU : true
| ├ create evt.Enriched.IsoCode : FI
| ├ create evt.Enriched.Longitude : 24.934700
| ├ create evt.Enriched.SourceRange : 135.181.0.0/16
| ├ create evt.Enriched.ASNumber : 24940
| ├ create evt.Enriched.ASNOrg : Hetzner Online GmbH
| ├ create evt.Enriched.Latitude : 60.171900
| ├ create evt.Enriched.ASNNumber : 24940
| ├ create evt.Meta.ASNOrg : Hetzner Online GmbH
| ├ create evt.Meta.SourceRange : 135.181.0.0/16
| ├ create evt.Meta.ASNNumber : 24940
| ├ create evt.Meta.IsInEU : true
| ├ create evt.Meta.IsoCode : FI
| ├ 🔴 crowdsecurity/http-logs
| └ 🔴 crowdsecurity/nextcloud-whitelist
├-------- parser success 🟢
├ Scenarios
```
So when you pass it through a json prettifier you can see it more clearly.
```
[loz@unknown-dev ~]$ echo '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' | jq
{
"timestamp": "2022-12-18T22:13:41.010414+0200",
"flow_id": 739629681939368,
"in_iface": "eth0",
"event_type": "alert",
"src_ip": "135.181.5.2",
"src_port": 38917,
"dest_ip": "95.216.205.51",
"dest_port": 8042,
"proto": "TCP",
"metadata": {
"flowints": {
"applayer.anomaly.count": 1,
"http.anomaly.count": 1
}
},
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2221042,
"rev": 1,
"signature": "SURICATA HTTP Request line incomplete",
"category": "Generic Protocol Command Decode",
"severity": 3
},
"http": {
"http_port": 0,
"status": 400,
"length": 0
},
"app_proto": "http",
"app_proto_ts": "failed",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 7,
"bytes_toserver": 247,
"bytes_toclient": 657,
"start": "2022-12-18T22:13:41.005032+0200"
}
}
```

So the parser only parses the line when `"event_type" == "alert"`; if it is not, it will miss the line, as it is not classed as a Suricata alert.
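The same filter logic, written out as an added pre-check you can run over an eve.json file before reaching for `cscli explain` (illustration only, not the hub parser's own code): it applies the `event_type == "alert"` test quoted above and pulls out the fields the explain output shows the parser creating, so you can see up front how much of a file is flow/tls/stats records that will always land in the "Lines unparsed" column. The field names in `extract_alert_fields` are an assumed mapping taken from that explain output; the sample lines are constructed.

```python
import json
from collections import Counter

# Field mapping copied from the "create evt.Parsed.* / evt.Meta.*" lines of the
# cscli explain output in this thread; the names are an illustration, not the
# hub parser's own code.
def extract_alert_fields(event: dict) -> dict:
    alert = event["alert"]
    return {
        "source_ip": event["src_ip"],
        "dest_ip": event["dest_ip"],
        "dest_port": event["dest_port"],
        "proto": event["proto"],
        "suricata_flow_id": event["flow_id"],
        "suricata_alert_signature": alert["signature"],
        "suricata_alert_signature_id": alert["signature_id"],
        "suricata_alert_signature_rev": alert["rev"],
        "suricata_rule_severity": alert["severity"],
    }


def triage_eve(lines):
    """Classify raw eve.json lines the way the hub filter
    JsonExtract(evt.Parsed.message, "event_type") == "alert" would.

    Returns (parsed_alerts, skipped_by_event_type, invalid_count).
    """
    alerts, skipped, invalid = [], Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            invalid += 1
            continue
        # Only event_type == "alert" passes the filter; flow, tls, stats,
        # anomaly, ... records all end up in the "Lines unparsed" column.
        if event.get("event_type") != "alert":
            skipped[event.get("event_type", "<missing>")] += 1
            continue
        alerts.append(extract_alert_fields(event))
    return alerts, skipped, invalid


# Constructed sample input, modelled on the records quoted in this thread and
# trimmed to the keys the filter and parser look at.
SAMPLE_LINES = [
    '{"timestamp":"2022-12-18T18:30:53+0200","flow_id":1,"event_type":"tls",'
    '"src_ip":"84.44.200.23","dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP"}',
    '{"timestamp":"2022-12-18T22:13:41+0200","flow_id":739629681939368,'
    '"event_type":"alert","src_ip":"135.181.5.2","src_port":38917,'
    '"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,'
    '"signature":"SURICATA HTTP Request line incomplete","severity":3}}',
    '{"timestamp":"2022-12-18T23:31:09+0200","flow_id":2,"event_type":"flow",'
    '"src_ip":"132.226.212.242","dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP"}',
    "this is not json",
]

if __name__ == "__main__":
    # For a real file: triage_eve(open("/var/log/suricata/eve.json"))
    parsed, skipped, bad = triage_eve(SAMPLE_LINES)
    print(f"{len(parsed)} alert line(s) parsed, {sum(skipped.values())} skipped, {bad} invalid")
    for event_type, n in skipped.most_common():
        print(f"  skipped event_type={event_type}: {n}")
    for a in parsed:
        print(f"  {a['source_ip']} sid={a['suricata_alert_signature_id']} "
              f"severity={a['suricata_rule_severity']}: {a['suricata_alert_signature']}")
```

If the skipped counter shows no "alert" lines at all, the acquisition is fine and the problem is on the Suricata side (no rules firing or alerts not logged to eve.json), not in the CrowdSec parser.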
Well, first of all, thank you for digging into it! I verified on my machine, and indeed I do receive the same results. So I guess it was due to
https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356883553
I verified with the console and receive alerts, as expected.
So after all I can state that the latest stable version of CrowdSec (1.4.3) works with Suricata version 5.0.10.
Thank you again.
Always best to get confirmation that it is working 👍🏻
What happened?
Suricata logs can't be parsed?
What did you expect to happen?
The Suricata parser works.
How can we reproduce it (as minimally and precisely as possible)?
Suricata logs:

```json
{"timestamp":"2022-11-14T10:41:13.512844+0800","flow_id":171518089232986,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55191,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dcerpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-11-14T10:41:15.259165+0800","flow_id":1902553118510911,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37314,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com","issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni":"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}}
{"timestamp":"2022-11-14T10:41:15.263897+0800","flow_id":2097420079606221,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55223,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dcerpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-11-14T10:41:15.279867+0800","flow_id":664576040082216,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37316,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com","issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni":"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}}
```
Anything else we need to know?
No response
Crowdsec version
```
2022/11/14 11:24:51 version: v1.4.1-el7-rpm-e1954adc325baa9e3420c324caabd50b7074dd77
2022/11/14 11:24:51 Codename: alphaga
2022/11/14 11:24:51 BuildDate: 2022-07-25_09:53:20
2022/11/14 11:24:51 GoVersion: 1.17.5
2022/11/14 11:24:51 Platform: linux
2022/11/14 11:24:51 Constraint_parser: >= 1.0, <= 2.0
2022/11/14 11:24:51 Constraint_scenario: >= 1.0, < 3.0
2022/11/14 11:24:51 Constraint_api: v1
2022/11/14 11:24:51 Constraint_acquis: >= 1.0, < 2.0
```