suricata logs can't parser?

[andyoulovexy]

What happened?

suricata logs can't parser?

What did you expect to happen?

parser suricata work

How can we reproduce it (as minimally and precisely as possible)?

suricata logs : {"timestamp":"2022-11-14T10:41:13.512844+0800","flow_id":171518089232986,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55191,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dcer pc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}} {"timestamp":"2022-11-14T10:41:15.259165+0800","flow_id":1902553118510911,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37314,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com ","issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni ":"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}} {"timestamp":"2022-11-14T10:41:15.263897+0800","flow_id":2097420079606221,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55223,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dce rpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}} {"timestamp":"2022-11-14T10:41:15.279867+0800","flow_id":664576040082216,"in_iface":"eth0","event_type":"tls","src_ip":"103.164.63.78","src_port":37316,"dest_ip":"212.64.63.190","dest_port":443,"proto":"TCP","tls":{"subject":"CN=.gitee.com" ,"issuerdn":"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA","serial":"0E:9C:10:54:AA:30:0B:61:4B:19:82:19:4B:12:E0:B9","fingerprint":"73:77:c8:87:1a:3d:3b:5f:68:18:d8:3b:11:5a:e6:92:32:3a:5c:54","sni" :"gitee.com","version":"TLS 1.2","notbefore":"2022-02-21T00:00:00","notafter":"2023-03-06T23:59:59","ja3":{},"ja3s":{}}} {"timestamp":"2022-11-14T10:41:15.280621+0800","flow_id":1021023965817414,"in_iface":"eth0","event_type":"anomaly","src_ip":"61.141.64.67","src_port":55224,"dest_ip":"103.164.63.78","dest_port":40189,"proto":"TCP","anomaly":{"app_proto":"dce rpc","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}} {"timestamp":"2022-11-14T10:41:15.307745+0800","event_type":"stats","stats":{"uptime":16,"capture":{"kernel_packets":1964,"kernel_drops":0,"errors":0},"decoder":{"pkts":2298,"bytes":1348785,"invalid":144,"ipv4":2286,"ipv6":3,"ethernet":2298, "chdlc":0,"raw":0,"null":0,"sll":0,"tcp":2112,"udp":33,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vxlan":0,"vntag":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_p kt_size":586,"max_pkt_size":1534,"max_mac_addrs_src":0,"max_mac_addrs_dst":0,"erspan":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":144,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0," opt_pad_required":0,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pk t":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"tru nc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hop opts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0 ,"frag_overlap":0,"frag_invalid_length":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"o pt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_sma ll":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"ver sion1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0, "too_many_layers":0},"ieee8021ah":{"header_too_small":0},"vntag":{"header_too_small":0,"unknown_type":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"mpls":{"header_too_small" :0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"vxlan":{"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_v ersion":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0},"chdlc":{"pkt_too_small":0}},"too_many_layers":0},"flow":{"memcap":0,"tcp":38,"udp":6,"icmpv4":0,"icmpv6":0,"tcp_reuse":0,"get_used":0,"get_used_eval":0,"get_used_eval_reject":0," get_used_eval_busy":0,"get_used_failed":0,"wrk":{"spare_sync_avg":100,"spare_sync":4,"spare_sync_incomplete":0,"spare_sync_empty":0,"flows_evicted_needs_work":0,"flows_evicted_pkt_inject":0,"flows_evicted":0,"flowsinjected":0},"mgr":{"full hash_pass":1,"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"rows_maxlen":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_evicted":0,"flows_evicted_needs_work":0},"spare":9600,"em erg_mode_entered":0,"emerg_mode_over":0,"memuse":7394304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"l ocal_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"tcp":{"sessions":29,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":29,"synack":22,"rst":15,"midstream_pickups":0,"pkt_on_wr ong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":8,"overlap":2,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2424992,"reassembly_memuse":424024},"d etect":{"engines":[{"id":0,"last_reload":"2022-11-14T10:40:59.216508+0800","rules_loaded":0,"rules_failed":0}],"alert":0,"alert_queue_overflow":0,"alerts_suppressed":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":9,"ssh":1,"imap":0, "smb":0,"dcerpc_tcp":10,"dns_tcp":0,"nfs_tcp":0,"ntp":1,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":1,"nfs_udp":0,"krb5_udp":0,"failed_udp":4},"tx":{ "http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":1,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"dcerpc_udp":0,"dns_udp":2,"nfs_udp":0, "krb5_udp":0},"expectations":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0},"file_store":{"open_files":0}}}

Anything else we need to know?

No response

Crowdsec version

```console $ cscli version # paste output here ```

2022/11/14 11:24:51 version: v1.4.1-el7-rpm-e1954adc325baa9e3420c324caabd50b7074dd77 2022/11/14 11:24:51 Codename: alphaga 2022/11/14 11:24:51 BuildDate: 2022-07-25_09:53:20 2022/11/14 11:24:51 GoVersion: 1.17.5 2022/11/14 11:24:51 Platform: linux 2022/11/14 11:24:51 Constraint_parser: >= 1.0, <= 2.0 2022/11/14 11:24:51 Constraint_scenario: >= 1.0, < 3.0 2022/11/14 11:24:51 Constraint_api: v1 2022/11/14 11:24:51 Constraint_acquis: >= 1.0, < 2.0

OS version

```console # On Linux: $ cat /etc/os-release NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" $ uname -a Linux HKbact788966.local 3.10.0-957.1.3.el7.x86_64 crowdsecurity/crowdsec#1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux # On Windows: C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture # paste output here ```

Enabled collections and parsers

```console $ cscli hub list -o raw crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections crowdsecurity/http-cve,enabled,1.6,,collections crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections crowdsecurity/suricata,enabled,0.1,suricata support : parser and automatic remediation on high/major alerts,collections crowdsecurity/dateparse-enrich,enabled,0.2,,parsers crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers crowdsecurity/nginx-logs,enabled,1.3,Parse nginx access and error logs,parsers crowdsecurity/sshd-logs,enabled,2.0,Parse openSSH logs,parsers crowdsecurity/suricata-logs,enabled,0.5,Parse suricata fast.log,parsers crowdsecurity/syslog-logs,enabled,0.8,,parsers crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios crowdsecurity/modsecurity,enabled,0.4,Web exploitation via modsecurity,scenarios crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios crowdsecurity/suricata-alerts,enabled,0.3,Detect exploit attempts via emerging threat rules,scenarios crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios ```

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* #Generated acquisition file - wizard.sh (service: nginx) / files : journalctl_filter: - _SYSTEMD_UNIT=openresty.service labels: type: openresty --- #Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure filenames: - /var/log/secure labels: type: syslog --- #Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages filenames: - /var/log/messages labels: type: syslog --- filenames: - /usr/local/openresty/nginx/logs/*.log labels: type: nginx --- filename: /var/log/suricata/eve.json labels: type: suricata-evelogs --- # On Windows: C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml # paste output here

Config show

```console $ cscli config show Global: - Configuration Folder : /etc/crowdsec - Data Folder : /var/lib/crowdsec/data - Hub Folder : /etc/crowdsec/hub - Simulation File : /etc/crowdsec/simulation.yaml - Log Folder : /var/log/ - Log level : info - Log Media : file Crowdsec: - Acquisition File : /etc/crowdsec/acquis.yaml - Parsers routines : 1 cscli: - Output : human - Hub Branch : - Hub Folder : /etc/crowdsec/hub Local API Server: - Listen URL : 0.0.0.0:8080 - Profile File : /etc/crowdsec/profiles.yaml - Trusted IPs: - 127.0.0.1 - ::1 - 103.233.255.193 - 103.164.63.78 - Database: - Type : sqlite - Path : /var/lib/crowdsec/data/crowdsec.db - Flush age : 7d - Flush size : 5000 ```

Prometheus metrics

```console $ cscli metrics INFO[14-11-2022 11:27:33 AM] Buckets Metrics: +-------------------------------------+---------------+-----------+--------------+--------+---------+ | BUCKET | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED | +-------------------------------------+---------------+-----------+--------------+--------+---------+ | crowdsecurity/ssh-bf | 1 | - | 17 | 34 | 16 | | crowdsecurity/ssh-bf_user-enum | 1 | - | 17 | 17 | 16 | | crowdsecurity/ssh-slow-bf | 1 | - | 1 | 34 | - | | crowdsecurity/ssh-slow-bf_user-enum | 1 | - | 1 | 7 | - | +-------------------------------------+---------------+-----------+--------------+--------+---------+ INFO[14-11-2022 11:27:33 AM] Acquisition Metrics: +-------------------------------------------------------+------------+--------------+----------------+------------------------+ | SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET | +-------------------------------------------------------+------------+--------------+----------------+------------------------+ | file:/var/log/messages | 9 | - | 9 | - | | file:/var/log/secure | 121 | 51 | 70 | 92 | | file:/var/log/suricata/eve.json | 4.53k | - | 4.53k | - | | journalctl:journalctl-_SYSTEMD_UNIT=openresty.service | 2 | - | 2 | - | +-------------------------------------------------------+------------+--------------+----------------+------------------------+ INFO[14-11-2022 11:27:33 AM] Parser Metrics: +---------------------------------+-------+--------+----------+ | PARSERS | HITS | PARSED | UNPARSED | +---------------------------------+-------+--------+----------+ | child-crowdsecurity/sshd-logs | 1.01k | 51 | 955 | | child-crowdsecurity/syslog-logs | 130 | 130 | - | | crowdsecurity/dateparse-enrich | 51 | 51 | - | | crowdsecurity/geoip-enrich | 51 | 51 | - | | crowdsecurity/non-syslog | 4.53k | 4.53k | - | | crowdsecurity/sshd-logs | 121 | 51 | 70 | | crowdsecurity/syslog-logs | 130 | 130 | - | | crowdsecurity/whitelists | 51 | 51 | - | +---------------------------------+-------+--------+----------+ INFO[14-11-2022 11:27:33 AM] Local Api Metrics: +----------------------+--------+------+ | ROUTE | METHOD | HITS | +----------------------+--------+------+ | / | GET | 2 | | /v1/alerts | GET | 2 | | /v1/decisions/stream | GET | 236 | | /v1/heartbeat | GET | 110 | | /v1/watchers/login | POST | 10 | +----------------------+--------+------+ INFO[14-11-2022 11:27:33 AM] Local Api Machines Metrics: +--------------------------------------------------+---------------+--------+------+ | MACHINE | ROUTE | METHOD | HITS | +--------------------------------------------------+---------------+--------+------+ | 607ed7e2b03a61872e5d3b0aba2c900dGd82p4T25jlQqDAu | /v1/heartbeat | GET | 38 | | 6ed57b2003224bb0a771355be7660bfcnbap0ayYDhWSDGGU | /v1/heartbeat | GET | 31 | | testMachine | /v1/heartbeat | GET | 39 | | testMachine | /v1/alerts | GET | 2 | +--------------------------------------------------+---------------+--------+------+ INFO[14-11-2022 11:27:33 AM] Local Api Bouncers Metrics: +----------------------------+----------------------+--------+------+ | BOUNCER | ROUTE | METHOD | HITS | +----------------------------+----------------------+--------+------+ | FirewallBouncer-1667210992 | /v1/decisions/stream | GET | 236 | +----------------------------+----------------------+--------+------+ INFO[14-11-2022 11:27:33 AM] Local Api Decisions: +--------------------------------------------------+----------+--------+-------+ | REASON | ORIGIN | ACTION | COUNT | +--------------------------------------------------+----------+--------+-------+ | crowdsecurity/fortinet-cve-2018-13379 | CAPI | ban | 57 | | crowdsecurity/http-backdoors-attempts | CAPI | ban | 138 | | crowdsecurity/http-sensitive-files | CAPI | ban | 13 | | crowdsecurity/jira_cve-2021-26086 | CAPI | ban | 61 | | crowdsecurity/mysql-bf | CAPI | ban | 322 | | crowdsecurity/ssh-bf | CAPI | ban | 8982 | | crowdsecurity/ssh-bf | crowdsec | ban | 3 | | crowdsecurity/CVE-2022-41082 | CAPI | ban | 1112 | | crowdsecurity/http-cve-2021-41773 | CAPI | ban | 16 | | crowdsecurity/http-generic-bf | CAPI | ban | 37 | | crowdsecurity/http-path-traversal-probing | CAPI | ban | 266 | | crowdsecurity/http-probing | CAPI | ban | 1997 | | crowdsecurity/thinkphp-cve-2018-20062 | CAPI | ban | 135 | | crowdsecurity/vmware-cve-2022-22954 | CAPI | ban | 2 | | ltsich/http-w00tw00t | CAPI | ban | 5 | | crowdsecurity/CVE-2022-37042 | CAPI | ban | 2 | | crowdsecurity/http-crawl-non_statics | CAPI | ban | 1528 | | crowdsecurity/http-open-proxy | CAPI | ban | 225 | | crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 | CAPI | ban | 1 | | crowdsecurity/ssh-slow-bf | CAPI | ban | 3627 | | crowdsecurity/ssh-slow-bf | crowdsec | ban | 6 | | crowdsecurity/spring4shell_cve-2022-22965 | CAPI | ban | 1 | | crowdsecurity/CVE-2022-26134 | CAPI | ban | 14 | | crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI | ban | 36 | | crowdsecurity/grafana-cve-2021-43798 | CAPI | ban | 2 | | crowdsecurity/http-bad-user-agent | CAPI | ban | 1639 | | crowdsecurity/nginx-req-limit-exceeded | CAPI | ban | 297 | +--------------------------------------------------+----------+--------+-------+ INFO[14-11-2022 11:27:33 AM] Local Api Alerts: +----------------------------------------------------+-------+ | REASON | COUNT | +----------------------------------------------------+-------+ | crowdsecurity/ssh-bf | 657 | | crowdsecurity/http-xss-probbing | 1 | | crowdsecurity/ssh-slow-bf | 1575 | | crowdsecurity/http-path-traversal-probing | 4 | | crowdsecurity/http-probing | 10 | | crowdsecurity/ssh-slow-bf_user-enum | 27 | | manual 'ban' from | 3 | | '607ed7e2b03a61872e5d3b0aba2c900dGd82p4T25jlQqDAu' | | | crowdsecurity/http-bad-user-agent | 12 | | crowdsecurity/http-open-proxy | 2 | | crowdsecurity/http-sensitive-files | 5 | | crowdsecurity/http-sqli-probbing-detection | 1 | | crowdsecurity/ssh-bf_user-enum | 24 | | manual 'ban' from | 1 | | '607ed7e2b03a61872e5d3b0aba2c900dcQVCQafsRa7bqhNK' | | | crowdsecurity/http-crawl-non_statics | 8 | | crowdsecurity/http-cve-2021-41773 | 5 | +----------------------------------------------------+-------+ ```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

[LaurenceJJones]

Transferring to the hub as more appropriate location

[LaurenceJJones]

For the suricata fast log we only support text format not JSON, is this configurable? plus which logs is it? is it one below stated?

the JSON eve.json format (type: suricata-evelogs)
the text fast.log format (type: suricata-fastlogs)

[LaurenceJJones]

Stale issue closing please reopen if you find time to respond to questions

[M-Stenzel]

Hi team,

well, I exactly face the same problem.

I run suricata version 5.0.10 (cannot upgrade to version 6, since I need to use it together with prelude OSS). I run crowdsec version 1.4.3

The suricata logs do not get parsed.

FYI:

Acquisition Metrics: ╭───────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮ │ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ ├───────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤ │ file:/var/log/suricata/eve.json │ 30.83k │ - │ 30.83k │ - │ │ journalctl:journalctl-_SYSTEMD_UNIT=mysql.service │ 1 │ - │ 1 │ - │ │ journalctl:journalctl-_SYSTEMD_UNIT=sshd.service │ 1 │ - │ 1 │ - │ ╰───────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Local Api Metrics: ╭──────────────────────┬────────┬──────╮ │ Route │ Method │ Hits │ ├──────────────────────┼────────┼──────┤ │ /v1/alerts │ POST │ 3 │ │ /v1/decisions/stream │ GET │ 516 │ │ /v1/heartbeat │ GET │ 86 │ │ /v1/watchers/login │ POST │ 6 │ ╰──────────────────────┴────────┴──────╯

Local Api Machines Metrics: ╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮ │ Machine │ Route │ Method │ Hits │ ├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤ │ 8cb9a62beb75b6665e560e3b59789ff3l2CvrtJ61bUuTHSs │ /v1/heartbeat │ GET │ 86 │ │ 8cb9a62beb75b2665e500e3b59789ff3l2CvrtJ61bUuTHSs │ /v1/alerts │ POST │ 3 │ ╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Local Api Bouncers Metrics: ╭────────────────────────────┬──────────────────────┬────────┬──────╮ │ Bouncer │ Route │ Method │ Hits │ ├────────────────────────────┼──────────────────────┼────────┼──────┤ │ FirewallBouncer-1671311503 │ /v1/decisions/stream │ GET │ 516 │ ╰────────────────────────────┴──────────────────────┴────────┴──────╯

Local Api Decisions: ╭──────────────────────────────────────────────────────────────────────┬────────┬────────┬───────╮ │ Reason │ Origin │ Action │ Count │ ├──────────────────────────────────────────────────────────────────────┼────────┼────────┼───────┤ │ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 4 │ │ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 7 │ │ crowdsecurity/http-generic-bf │ CAPI │ ban │ 26 │ │ crowdsecurity/ssh-bf │ CAPI │ ban │ 1826 │ │ crowdsecurity/mysql-bf │ CAPI │ ban │ 67 │ │ crowdsecurity/spring4shell_cve-2022-22965 │ CAPI │ ban │ 2 │ │ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 33 │ │ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 5531 │ │ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 1 │ │ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 55 │ │ crowdsecurity/vmware-cve-2022-22954 │ CAPI │ ban │ 4 │ │ crowdsecurity/http-probing │ CAPI │ ban │ 4204 │ │ crowdsecurity/nginx-req-limit-exceeded │ CAPI │ ban │ 892 │ │ crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 │ CAPI │ ban │ 2 │ │ ltsich/http-w00tw00t │ CAPI │ ban │ 3 │ │ crowdsecurity/CVE-2022-41082 │ CAPI │ ban │ 2 │ │ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 29 │ │ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 262 │ │ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 1165 │ │ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 71 │ │ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 46 │ │ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 617 │ │ crowdsecurity/CVE-2022-37042 │ CAPI │ ban │ 4 │ │ crowdsecurity/grafana-cve-2021-43798 │ CAPI │ ban │ 6 │ │ manual 'ban' from '8cb9a62beb75b2665e560e3b59789f3l2CvrtJ61bUuTHSs' │ cscli │ ban │ 1 │ │ crowdsecurity/CVE-2022-42889 │ CAPI │ ban │ 1 │ │ crowdsecurity/http-open-proxy │ CAPI │ ban │ 244 │ │ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 182 │ │ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 168 │ ╰──────────────────────────────────────────────────────────────────────┴────────┴────────┴───────╯

Local Api Alerts: ╭──────────────────────────────────────────────────────────────────────┬───────╮ │ Reason │ Count │ ├──────────────────────────────────────────────────────────────────────┼───────┤ │ manual 'ban' from '8cb9a62beb75b765e560e3b59789ff5l2CvrtJ61bUuTHSs' │ 3 │ ╰──────────────────────────────────────────────────────────────────────┴───────╯

This is one example line from eve.json

{"timestamp":"2022-12-18T18:30:53.263350+0200","flow_id":989059031607521,"in_iface":"eth0","event_type":"tls","src_ip":"84.44.200.23","src_port":47470,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","tls":{"sni":"tube.xy-space.de","version":"TLS 1.3","ja3":{"hash":"579ccef312d18482fc42e2b822ca2430","string":"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0"},"ja3s":{"hash":"15af977ce25de452b96affa2addb1036","string":"771,4866,43-51"}}}

Any ideas?

[LaurenceJJones]

Hey so the filter is json based so the event_type needs to be "alert" the one you shared is "tls"

Here the filter evt.Parsed.program == "suricata-evelogs" && JsonExtract(evt.Parsed.message, "event_type") == "alert"

[M-Stenzel]

Well, this was an example line. I have lines like this:

{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}

which should be parsed, shouldn't they?

[LaurenceJJones]

Reopening issue will look into it Monday. Would be helpful if you could run the line through cscli explain

[M-Stenzel]

Reopening issue will look into it Monday. Would be helpful if you could run the line through cscli explain

cscli explain --file /var/log/suricata/eve.json --type suricata-evelogs --verbose yields many lines, e. g.

line: {"timestamp":"2022-12-18T23:31:09.003158+0200","flow_id":2159103788454115,"in_iface":"eth0","event_type":"flow","src_ip":"132.226.212.242","src_port":41784,"dest_ip":"95.216.205.51","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":14,"pkts_toclient":13,"bytes_toserver":3137,"bytes_toclient":7441,"start":"2022-12-18T23:30:00.921827+0200","end":"2022-12-18T23:30:06.410477+0200","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} ├ s01-parse | ├ 🔴 crowdsecurity/apache2-logs | ├ 🔴 crowdsecurity/mysql-logs | ├ 🔴 crowdsecurity/nginx-logs | ├ 🔴 crowdsecurity/sshd-logs | ├ 🔴 crowdsecurity/suricata-evelogs | └ 🔴 crowdsecurity/suricata-fastlogs └-------- parser failure 🔴

line: {"timestamp":"2022-12-18T23:36:58.012295+0200","flow_id":2041696589825413,"in_iface":"eth0","event_type":"tls","src_ip":"95.216.205.51","src_port":59106,"dest_ip":"172.67.202.221","dest_port":443,"proto":"TCP","tls":{"sni":"relay.national-defence.network","version":"TLS 1.3","ja3":{"hash":"c199b43d41b470f8f68c5561f8f1ce3e","string":"771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2"},"ja3s":{"hash":"907bf3ecef1c987c889946b737b43de8","string":"771,4866,51-43"}}} ├ s01-parse | ├ 🔴 crowdsecurity/apache2-logs | ├ 🔴 crowdsecurity/mysql-logs | ├ 🔴 crowdsecurity/nginx-logs | ├ 🔴 crowdsecurity/sshd-logs | ├ 🔴 crowdsecurity/suricata-evelogs | └ 🔴 crowdsecurity/suricata-fastlogs └-------- parser failure 🔴

[LaurenceJJones]

Is that a like for like copy of the output? Cause its missing s00 section

Helps if I have the full output also wrap the lines in ``` allows for better formatting

But it's clear something not parsing so I can debug on Monday

[M-Stenzel]

O. K. so there seems to be a different problem!? No, I did not omit anything.

[M-Stenzel]

This is my acquis.yaml file content:

Generated acquisition file - wizard.sh (service: sshd) / files :

journalctl_filter:

• _SYSTEMD_UNIT=sshd.service labels: type: syslog

  Generated acquisition file - wizard.sh (service: mysql) / files :

  journalctl_filter:

• _SYSTEMD_UNIT=mysql.service labels: type: mysql

  Added by Martin Stenzel :

  filename: /var/log/suricata/eve.json labels: type: suricata-evelogs

Note that I removed every third minus sign when posting the content in order to avoid formatting issues.

[LaurenceJJones]

Yes your missing the syslog parser? If you do cscli parsers list if it is not there you need to do cscli collections install crowdsecurity/linux

[M-Stenzel]

Well, I did so, now I receive

    ├ s00-raw
    |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
    |       └ 🔴 crowdsecurity/syslog-logs
    ├ s01-parse
    |       ├ 🔴 crowdsecurity/apache2-logs
    |       ├ 🔴 crowdsecurity/mysql-logs
    |       ├ 🔴 crowdsecurity/nginx-logs
    |       ├ 🔴 crowdsecurity/sshd-logs
    |       ├ 🔴 crowdsecurity/suricata-evelogs
    |       └ 🔴 crowdsecurity/suricata-fastlogs
    └-------- parser failure 🔴

[M-Stenzel]

My updated acquis.yaml file looks like this:

Added by Martin Stenzel :

filenames:

• /var/log/messages labels: type: syslog

  Generated acquisition file - wizard.sh (service: sshd) / files :

  journalctl_filter:

  • _SYSTEMD_UNIT=sshd.service labels: type: syslog

    Generated acquisition file - wizard.sh (service: mysql) / files :

    journalctl_filter:

  • _SYSTEMD_UNIT=mysql.service labels: type: mysql

    Added by Martin Stenzel :

    filename: /var/log/suricata/eve.json labels: type: suricata-evelogs

[M-Stenzel]

The crowdsec.log tells me:

time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/apache2-logs.yaml stage=s01-parse time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/mysql-logs.yaml stage=s01-parse time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml stage=s01-parse time="19-12-2022 00:20:15" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse time="19-12-2022 00:20:15" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml stage=s01-parse

No errors or warnings, but still "s01-parse" only yields red dots...

[LaurenceJJones]

That's because the log is stating the yaml syntax is correct doesn't mean the parser is correct for your log sample as stated will investigate Monday as its not just a syslog parser missing issue

[LaurenceJJones]

So with the alert above with "event_type": "alert". The parser is working as intended.

[loz@unknown-dev ~]$ sudo cscli explain --log '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' --type suricata-evelogs -v
line: {"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}
        ├ s00-raw
        |       ├ 🔴 crowdsecurity/docker-logs
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/apache2-logs
        |       ├ 🔴 crowdsecurity/haproxy-logs
        |       ├ 🔴 crowdsecurity/mariadb-logs
        |       ├ 🔴 crowdsecurity/nginx-logs
        |       ├ 🔴 crowdsecurity/sshd-logs
        |       ├ 🟢 crowdsecurity/suricata-evelogs (+13 ~2)
        |               ├ update evt.Stage : s01-parse -> s02-enrich
        |               ├ create evt.Parsed.time : 2022-12-18T22:13:41.010414
        |               ├ create evt.Parsed.dest_ip : 95.216.205.51
        |               ├ create evt.Parsed.dest_port : 8042
        |               ├ create evt.Parsed.proto : TCP
        |               ├ create evt.Parsed.suricata_alert_signature : SURICATA HTTP Request line incomplete
        |               ├ create evt.Parsed.suricata_alert_signature_rev : 1
        |               ├ update evt.StrTime :  -> 2022-12-18T22:13:41.010414Z
        |               ├ create evt.Meta.log_type : suricata_alert
        |               ├ create evt.Meta.service : suricata
        |               ├ create evt.Meta.source_ip : 135.181.5.2
        |               ├ create evt.Meta.sub_log_type : suricata_alert_eve_json
        |               ├ create evt.Meta.suricata_alert_signature_id : 2221042
        |               ├ create evt.Meta.suricata_flow_id : 739629681939368
        |               ├ create evt.Meta.suricata_rule_severity : 3
        |       ├ 🔴 crowdsecurity/suricata-fastlogs
        |       └ 🔴 proftpd-logs
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2022-12-18T22:13:41.010414Z
        |               ├ update evt.MarshaledTime :  -> 2022-12-18T22:13:41.010414Z
        |               ├ create evt.Meta.timestamp : 2022-12-18T22:13:41.010414Z
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.IsInEU : true
        |               ├ create evt.Enriched.IsoCode : FI
        |               ├ create evt.Enriched.Longitude : 24.934700
        |               ├ create evt.Enriched.SourceRange : 135.181.0.0/16
        |               ├ create evt.Enriched.ASNumber : 24940
        |               ├ create evt.Enriched.ASNOrg : Hetzner Online GmbH
        |               ├ create evt.Enriched.Latitude : 60.171900
        |               ├ create evt.Enriched.ASNNumber : 24940
        |               ├ create evt.Meta.ASNOrg : Hetzner Online GmbH
        |               ├ create evt.Meta.SourceRange : 135.181.0.0/16
        |               ├ create evt.Meta.ASNNumber : 24940
        |               ├ create evt.Meta.IsInEU : true
        |               ├ create evt.Meta.IsoCode : FI
        |       ├ 🔴 crowdsecurity/http-logs
        |       └ 🔴 crowdsecurity/nextcloud-whitelist
        ├-------- parser success 🟢        ├ Scenarios

[LaurenceJJones]

So when you pass it through a json prettifier you can see it more clearly.

[loz@unknown-dev ~]$ echo '{"timestamp":"2022-12-18T22:13:41.010414+0200","flow_id":739629681939368,"in_iface":"eth0","event_type":"alert","src_ip":"135.181.5.2","src_port":38917,"dest_ip":"95.216.205.51","dest_port":8042,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"http.anomaly.count":1}},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2221042,"rev":1,"signature":"SURICATA HTTP Request line incomplete","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"status":400,"length":0},"app_proto":"http","app_proto_ts":"failed","flow":{"pkts_toserver":4,"pkts_toclient":7,"bytes_toserver":247,"bytes_toclient":657,"start":"2022-12-18T22:13:41.005032+0200"}}' | jq
{
  "timestamp": "2022-12-18T22:13:41.010414+0200",
  "flow_id": 739629681939368,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "135.181.5.2",
  "src_port": 38917,
  "dest_ip": "95.216.205.51",
  "dest_port": 8042,
  "proto": "TCP",
  "metadata": {
    "flowints": {
      "applayer.anomaly.count": 1,
      "http.anomaly.count": 1
    }
  },
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2221042,
    "rev": 1,
    "signature": "SURICATA HTTP Request line incomplete",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  },
  "http": {
    "http_port": 0,
    "status": 400,
    "length": 0
  },
  "app_proto": "http",
  "app_proto_ts": "failed",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 7,
    "bytes_toserver": 247,
    "bytes_toclient": 657,
    "start": "2022-12-18T22:13:41.005032+0200"
  }
}

So the parser only parses the line when the "event_type" == "alert" if is not it will miss the line as it not classed as an suricata alert.

[M-Stenzel]

Well, first of all thank you for digging into it! I verified on my machine, and indeed I do receive the same results. So I guess, it was due to

https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356883553

I verified with the console, and receive alerts - as expected.

So after all I can state that the latest stable version of crowdsec (1.4.3) works with suricata version 5.0.10.

Thank you again.

[LaurenceJJones]

Always best to get confirmation that it is working 👍🏻