Closed RobHofmann closed 6 months ago
Hi @RobHofmann,
Could you please provide DEBUG logs generated from the plugins.
This will help us throubleshoot quickly this issue.
You need to add: logLevel: Debug
and restart Traefik for the configuration to be reloaded.
Logs since startup are the most interesting, please try to make a couple of requests, wait a few minutes and copy the log files. You should remove any personal info/IP from the log file before printing it here.
I understand you are using a docker Traefik installation, could you provide the docker-compose if you are using one ?
Also what version of Crowdsec are you using ?
The first things that comes to my mind is something is not reacheable and the plugin is blocking requests (403).
Please verify that:
crowdsec:8080
(default)crowdsec:7422
(configured)crowdsec-redis:6379
(configured)However, usually it is Crowdsec LAPI which is not reachable and since it is working fine for you in none
mode it must be something else.
Main difference I see between the none
and stream
+ live
mode is the use of cache, so it could be linked somehow to redis.
I'll try to reproduce in a docker environment with you configuration.
I just noticed thanks to this issue during my reproduction that something changed in crowdsec @LaurenceJJones
Crowdsec seems to not load some collection as is used to in the same version 1.6.0.
I wonder if this is linked to this post in the Crowdsec discord:
Significant Upcoming Modifications to Container Operations :alpacas:
We've encountered issues with our container startup process recently, which has adversely affected both us and the user experience. To address this, version 1.6.1 will introduce critical changes to the startup process that need to be clearly understood.
Key changes going forward include:
All container images will now come with all parsers and scenarios pre-downloaded, though they won't be activated automatically.
Containers will NOT automatically download updates from the hub on startup unless a specific environment variable (DO_HUB_UPGRADE) is enabled. This setting should only be used if you have a limited number of containers behind your NAT/WAN, as exceeding this can trigger rate limits.
Should you encounter rate limits, the system will default to the pre-downloaded versions, preventing the container from being trapped in a continuous startup cycle.
If these modifications cause any concern, please don't hesitate to contact me directly. It's important to note that a lack of monitoring of their containers by users over the past month has led to significant AWS costs for us.
These adjustments are designed to enhance your overall experience, as most parsers/scenarios don't require frequent updates that necessitate downloading from the hub at every startup by default.
Crowdsec was restarting because it could not find some appsec collection:
crowdsec | time="2024-05-01T06:07:12Z" level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type appsec from /etc/crowdsec/acquis.yaml (position: 1): failed to configure datasource appsec: unable to load appsec_config : no appsec-config found for crowdsecurity/virtual-patching"
I had to change the crowdsec env var adding collections:
environment:
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
I don't know if this is linked @RobHofmann but can you look at the health of you crowdsec container and his logs ?
Here is a "working" docker-compose that is similar to the configuration you introduced:
services:
traefik:
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
- "--accesslog"
- "--accesslog.filepath=/var/log/traefik/access.log"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.3.0"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- './ban.html:/ban.html:ro'
- "logs:/var/log/traefik"
ports:
- 8000:80
- 8080:8080
depends_on:
- crowdsec
- crowdsec-redis
crowdsec-redis:
image: "redis:7.2.4-alpine"
container_name: "crowdsec-redis"
hostname: crowdsec-redis
restart: unless-stopped
command: "redis-server --save 60 1 --loglevel debug"
volumes:
- redis-data:/data
whoami2:
image: traefik/whoami
container_name: "simple-service-bar"
restart: unless-stopped
labels:
- "traefik.enable=true"
# Definition of the router
- "traefik.http.routers.router-bar.rule=Path(`/bar`)"
- "traefik.http.routers.router-bar.entrypoints=web"
- "traefik.http.routers.router-bar.middlewares=crowdsec@docker"
# Definition of the service
- "traefik.http.services.service-bar.loadbalancer.server.port=80"
# Definitin of the middleware
- "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecmode=live"
# crowdseclapikey is the key to authenticate to crowdsec
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=FIXME-LAPI-KEY-1="
# enable AppSec real time check
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecenabled=true"
# Block (403) when appsec return 500
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecfailureblock=true"
# Define AppSec host and port informations
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsechost=crowdsec:7422"
# forwardedheaderstrustedips should be the IP of the proxy that is in front of traefik (if any)
- "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscacheenabled=true"
# Contact crowdsec-redis without a password
- "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscachehost=crowdsec-redis:6379"
# Define ban HTML file path
- "traefik.http.middlewares.crowdsec.plugin.bouncer.banHtmlFilePath=/ban.html"
crowdsec:
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
CUSTOM_HOSTNAME: crowdsec
# We need to register one api key per service we will use
BOUNCER_KEY_TRAEFIK: FIXME-LAPI-KEY-1=
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
- logs:/var/log/traefik:ro
- crowdsec-db:/var/lib/crowdsec/data/
- crowdsec-config:/etc/crowdsec/
labels:
- "traefik.enable=false"
volumes:
logs:
crowdsec-db:
crowdsec-config:
redis-data:
File aquis.yaml
filenames:
- /var/log/traefik/access.log
labels:
type: traefik
---
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/virtual-patching
name: myAppSecComponent
source: appsec
labels:
type: appsec
Traefik logs in live mode
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:06 IP 172.21.0.5 is trusted
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:06 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:06 cache:New initialized isRedis:true
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:06 New initialized mode:live
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:11 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:11 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:11 ServeHTTP ip:172.18.0.1 cache:hit isBanned:f
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:13 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:13 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:13 ServeHTTP ip:172.18.0.1 cache:hit isBanned:f
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:15 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:15 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:15 ServeHTTP ip:172.18.0.1 cache:hit isBanned:f
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:25 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:25 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:25 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:20:25 cache:Set key:172.18.0.1 value:f duration:60s
Traefik logs in stream mode
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 IP 172.21.0.5 is trusted
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 cache:New initialized isRedis:true
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 cache:Get key:updated
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 handleStreamCache:alreadyUpdated
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:07 New initialized mode:stream
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:15 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:15 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:15 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:16 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:16 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:16 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:31:17 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:07 cache:Get key:updated
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:07 cache:Set key:updated value:f duration:59s
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:07 handleStreamCache:updated
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:14 ServeHTTP ip:172.18.0.1 isTrusted:false
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:14 cache:Get key:172.18.0.1
traefik | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 06:32:14 ServeHTTP:Get ip:172.18.0.1 isBanned:false cache:miss
Redis logs
crowdsec-redis | 1:M 01 May 2024 06:19:10.105 . 0 clients connected (0 replicas), 915464 bytes in use
crowdsec-redis | 1:M 01 May 2024 06:19:15.121 . 0 clients connected (0 replicas), 915464 bytes in use
crowdsec-redis | 1:M 01 May 2024 06:19:20.143 . 0 clients connected (0 replicas), 915464 bytes in use
crowdsec-redis | 1:M 01 May 2024 06:19:22.807 - Accepted 172.18.0.5:52386
crowdsec-redis | 1:M 01 May 2024 06:19:22.807 - Client closed connection id=6 addr=172.18.0.5:52386 laddr=172.18.0.2:6379 fd=8 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=20474 argv-mem=0 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=37760 events=r cmd=get user=default redir=-1 resp=2 lib-name= lib-ver=
crowdsec-redis | 1:M 01 May 2024 06:19:22.820 - Accepted 172.18.0.5:52396
crowdsec-redis | 1:M 01 May 2024 06:19:22.821 - Client closed connection id=7 addr= laddr=172.18.0.2:6379 fd=8 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=20474 argv-mem=0 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=37760 events=r cmd=set user=default redir=-1 resp=2 lib-name= lib-ver=
crowdsec-redis | 1:M 01 May 2024 06:19:22.852 * 1 changes in 60 seconds. Saving...
crowdsec-redis | 1:M 01 May 2024 06:19:22.852 * Background saving started by pid 22
crowdsec-redis | 22:C 01 May 2024 06:19:22.854 - Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
crowdsec-redis | 22:C 01 May 2024 06:19:22.856 * DB saved on disk
crowdsec-redis | 22:C 01 May 2024 06:19:22.857 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
crowdsec-redis | 1:M 01 May 2024 06:19:22.953 * Background saving terminated with success
crowdsec-redis | 1:M 01 May 2024 06:19:25.161 - DB 0: 1 keys (1 volatile) in 4 slots HT.
crowdsec-redis | 1:M 01 May 2024 06:19:25.161 . 0 clients connected (0 replicas), 915552 bytes in use
crowdsec-redis | 1:M 01 May 2024 06:19:30.179 - DB 0: 1 keys (1 volatile) in 4 slots HT.
crowdsec-redis | 1:M 01 May 2024 06:19:30.179 . 0 clients connected (0 replicas), 915552 bytes in use
crowdsec-redis | 1:M 01 May 2024 06:19:31.821 - Accepted 172.18.0.5:34998
Crowdsec logs
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="/etc/crowdsec/collections/http-cve.yaml already exists."
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled collections: crowdsecurity/http-cve"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="/etc/crowdsec/collections/base-http-scenarios.yaml already exists."
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled collections: crowdsecurity/base-http-scenarios"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="/etc/crowdsec/collections/traefik.yaml already exists."
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled collections: crowdsecurity/traefik"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled crowdsecurity/traefik"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec | Running: cscli collections install "crowdsecurity/appsec-virtual-patching"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/appsec-logs: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled parsers: crowdsecurity/appsec-logs"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/appsec-vpatch: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled scenarios: crowdsecurity/appsec-vpatch"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/virtual-patching: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-configs: crowdsecurity/virtual-patching"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/appsec-default: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-configs: crowdsecurity/appsec-default"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/base-config: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/base-config"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-env-access: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-env-access"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-CVE-2023-40044: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-40044"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-CVE-2017-9841: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2017-9841"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-CVE-2020-11738: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2020-11738"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-CVE-2022-27926: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-27926"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="crowdsecurity/vpatch-CVE-2022-35914: OK"
crowdsec | time="2024-05-01T06:09:27Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-35914"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2022-46169: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-46169"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2023-20198: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-20198"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2023-22515: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-22515"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2023-33617: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-33617"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2023-34362: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-34362"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="crowdsecurity/vpatch-CVE-2023-3519: OK"
crowdsec | time="2024-05-01T06:09:28Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-3519"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-42793: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-42793"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-50164: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-50164"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-38205: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-38205"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-24489: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-24489"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2021-3129: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2021-3129"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2021-22941: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2021-22941"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2019-12989: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2019-12989"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2022-44877: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-44877"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2018-10562: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2018-10562"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-6553: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-6553"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2018-1000861: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2018-1000861"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2019-1003030: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2019-1003030"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2022-22965: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-22965"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-23752: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-23752"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="crowdsecurity/vpatch-CVE-2023-49070: OK"
crowdsec | time="2024-05-01T06:09:29Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-49070"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-laravel-debug-mode: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-laravel-debug-mode"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-28121: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-28121"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2020-17496: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2020-17496"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-1389: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-1389"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-7028: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-7028"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-46805: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-46805"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2024-23897: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2024-23897"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-22527: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-22527"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-35078: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-35078"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2023-35082: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2023-35082"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2022-22954: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2022-22954"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2024-1212: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2024-1212"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-symfony-profiler: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-symfony-profiler"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-connectwise-auth-bypass: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-connectwise-auth-bypass"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2024-22024: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2024-22024"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/vpatch-CVE-2024-27198: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled appsec-rules: crowdsecurity/vpatch-CVE-2024-27198"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="crowdsecurity/appsec-virtual-patching: OK"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled collections: crowdsecurity/appsec-virtual-patching"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Enabled crowdsecurity/appsec-virtual-patching"
crowdsec | time="2024-05-01T06:09:30Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec | Running: cscli collections install "crowdsecurity/appsec-generic-rules"
crowdsec | time="2024-05-01T06:09:31Z" level=warning msg="crowdsecurity/appsec-logs: overwrite"
crowdsec | time="2024-05-01T06:09:31Z" level=warning msg="crowdsecurity/appsec-vpatch: overwrite"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="crowdsecurity/generic-rules: OK"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Enabled appsec-configs: crowdsecurity/generic-rules"
crowdsec | time="2024-05-01T06:09:31Z" level=warning msg="crowdsecurity/appsec-default: overwrite"
crowdsec | time="2024-05-01T06:09:31Z" level=warning msg="crowdsecurity/base-config: overwrite"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="crowdsecurity/generic-freemarker-ssti: OK"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Enabled appsec-rules: crowdsecurity/generic-freemarker-ssti"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="crowdsecurity/appsec-generic-rules: OK"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Enabled collections: crowdsecurity/appsec-generic-rules"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Enabled crowdsecurity/appsec-generic-rules"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Enabled feature flags: <none>"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Crowdsec v1.6.1-c6e40191"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Loading prometheus collectors"
crowdsec | time="2024-05-01T06:09:31Z" level=info msg="Loading CAPI manager"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="CAPI manager configured successfully"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="Start push to CrowdSec Central API (interval: 17s once, then 10s)"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 26m9s once, then 30m0s)"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="CrowdSec Local API listening on 0.0.0.0:8080"
crowdsec | time="2024-05-01T06:09:32Z" level=warning msg="scenario list is empty, will not pull yet"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="capi metrics: sending"
crowdsec | time="2024-05-01T06:09:32Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loading enrich plugins"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'GeoIpCity'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'GeoIpASN'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'IpToRange'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'reverse_dns'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'ParseDate'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loading parsers from 10 files"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/appsec-logs.yaml stage=s01-parse
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/traefik-logs.yaml stage=s01-parse
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 11 nodes from 3 stages"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="No postoverflow parsers to load"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loading 43 scenario files"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=aged-dew name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=muddy-wave name=crowdsecurity/CVE-2023-49103
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=twilight-wind name=crowdsecurity/http-cve-2021-41773
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=misty-frost name=crowdsecurity/http-sqli-probbing-detection
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=misty-forest name=crowdsecurity/http-generic-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=purple-sound name=LePresidente/http-generic-401-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=fragrant-brook name=LePresidente/http-generic-403-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=wispy-snow name=crowdsecurity/appsec-vpatch
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=weathered-wood name=crowdsecurity/http-xss-probbing
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=summer-night name=crowdsecurity/CVE-2017-9841
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=hidden-pine name=crowdsecurity/http-crawl-non_statics
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=small-waterfall name=crowdsecurity/vmware-cve-2022-22954
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=empty-breeze name=crowdsecurity/http-probing
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=twilight-fire name=crowdsecurity/CVE-2022-26134
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=restless-sky name=crowdsecurity/thinkphp-cve-2018-20062
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=summer-sunset name=crowdsecurity/CVE-2022-41697
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=purple-moon name=crowdsecurity/CVE-2022-35914
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=young-frog name=crowdsecurity/CVE-2022-41082
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=billowing-sound name=ltsich/http-w00tw00t
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=sparkling-snow name=crowdsecurity/CVE-2022-44877
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=old-water name=crowdsecurity/CVE-2019-18935
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=dawn-silence name=crowdsecurity/http-admin-interface-probing
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=hidden-tree name=crowdsecurity/http-bad-user-agent
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=delicate-moon name=crowdsecurity/http-wordpress-scan
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=young-sky name=crowdsecurity/CVE-2023-22518
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=shy-sky name=crowdsecurity/http-cve-2021-42013
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=autumn-forest name=crowdsecurity/netgear_rce
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=snowy-flower name=crowdsecurity/http-backdoors-attempts
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=delicate-bird name=crowdsecurity/f5-big-ip-cve-2020-5902
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=bold-mountain name=crowdsecurity/apache_log4j2_cve-2021-44228
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=summer-paper name=crowdsecurity/CVE-2022-42889
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=holy-smoke name=crowdsecurity/CVE-2022-46169-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=red-cherry name=crowdsecurity/CVE-2022-46169-cmd
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=sparkling-water name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=autumn-paper name=crowdsecurity/grafana-cve-2021-43798
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=twilight-sky name=crowdsecurity/jira_cve-2021-26086
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=spring-wind name=crowdsecurity/CVE-2022-37042
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=dawn-sun name=crowdsecurity/CVE-2023-22515
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=nameless-frog name=crowdsecurity/http-open-proxy
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=dawn-flower name=crowdsecurity/fortinet-cve-2022-40684
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=fragrant-meadow name=crowdsecurity/ssh-slow-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=silent-brook name=crowdsecurity/ssh-slow-bf_user-enum
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=damp-waterfall name=crowdsecurity/fortinet-cve-2018-13379
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding trigger bucket" cfg=wandering-water name=crowdsecurity/spring4shell_cve-2022-22965
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=hidden-feather name=crowdsecurity/http-path-traversal-probing
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=black-shape name=crowdsecurity/http-sensitive-files
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=delicate-rain name=crowdsecurity/ssh-bf
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding leaky bucket" cfg=blue-dew name=crowdsecurity/ssh-bf_user-enum
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 48 scenarios"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2019-12989 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-33617 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-symfony-profiler to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/base-config to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/generic-freemarker-ssti to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-35078 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-40044 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-49070 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2024-22024 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2024-27198 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2021-3129 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-44877 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-24489 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-42793 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-7028 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-env-access to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-laravel-debug-mode to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-1389 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-22527 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2021-22941 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-35914 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-22515 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-46805 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2024-1212 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2018-1000861 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-28121 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-35082 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-3519 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2020-17496 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-22954 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-46169 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-23752 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-34362 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-50164 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2024-23897 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-connectwise-auth-bypass to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2017-9841 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2020-11738 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-22965 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2022-27926 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2018-10562 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2019-1003030 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-6553 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-20198 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding crowdsecurity/vpatch-CVE-2023-38205 to appsec rules"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Adding file /var/log/traefik/access.log to datasources" type=file
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Cache duration for auth not set, using default: 1m0s" name=myAppSecComponent type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="loading /etc/crowdsec/appsec-configs/virtual-patching.yaml" component=appsec_config name=myAppSecComponent type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 0 outofband rules" component=appsec_config name=crowdsecurity/virtual-patching type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="loading inband rule crowdsecurity/base-config" component=appsec_config name=crowdsecurity/virtual-patching type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="loading inband rule crowdsecurity/vpatch-*" component=appsec_config name=crowdsecurity/virtual-patching type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Loaded 44 inband rules" component=appsec_config name=crowdsecurity/virtual-patching type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Created 1 appsec runners" name=myAppSecComponent type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:09:33 UTC] \"POST /v1/watchers/login HTTP/1.1 200 122.825445ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Starting processing data"
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="1 appsec runner to start" name=myAppSecComponent type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="creating TCP server on 0.0.0.0:7422" name=myAppSecComponent type=appsec
crowdsec | time="2024-05-01T06:09:33Z" level=info msg="Appsec Runner ready to process event" name=myAppSecComponent runner_uuid=1c114093-af68-43a6-bad8-cf23b1629a3d type=appsec
crowdsec | time="2024-05-01T06:09:34Z" level=info msg="Starting community-blocklist update"
crowdsec | time="2024-05-01T06:09:34Z" level=info msg="capi/community-blocklist : 0 explicit deletions"
crowdsec | time="2024-05-01T06:09:34Z" level=info msg="capi/community-blocklist : received 0 new entries (expected if you just installed crowdsec)"
crowdsec | time="2024-05-01T06:09:34Z" level=info msg="Start pull from CrowdSec Central API (interval: 1h55m59s once, then 2h0m0s)"
crowdsec | time="2024-05-01T06:10:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:10:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.227563ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:11:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:11:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.897486ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:12:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:12:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.054671ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:13:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:13:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.272179ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:14:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:14:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.155555ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:15:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:15:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.879705ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:16:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:16:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.356323ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:17:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:17:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 7.069006ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:17:47Z" level=info msg="172.18.0.5 - [Wed, 01 May 2024 06:17:47 UTC] \"GET /v1/decisions?ip=172.18.0.1&banned=true HTTP/1.1 200 10.575045ms \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:17:47Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:17:47 UTC] \"HEAD /v1/decisions/stream HTTP/1.1 200 501.488ยตs \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:18:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:18:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.963918ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:19:22Z" level=info msg="172.18.0.5 - [Wed, 01 May 2024 06:19:22 UTC] \"GET /v1/decisions?ip=172.18.0.1&banned=true HTTP/1.1 200 9.236965ms \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:19:22Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:19:22 UTC] \"HEAD /v1/decisions/stream HTTP/1.1 200 477.802ยตs \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:19:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:19:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 8.913281ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:20:25Z" level=info msg="172.18.0.5 - [Wed, 01 May 2024 06:20:25 UTC] \"GET /v1/decisions?ip=172.18.0.1&banned=true HTTP/1.1 200 9.483845ms \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:20:25Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:20:25 UTC] \"HEAD /v1/decisions/stream HTTP/1.1 200 639.221ยตs \"Go-http-client/1.1\" \""
crowdsec | time="2024-05-01T06:20:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:20:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.739924ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:21:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:21:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 27.193133ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:22:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:22:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 6.620711ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:23:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:23:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.540851ms \"crowdsec/v1.6.1-c6e40191\" \""
crowdsec | time="2024-05-01T06:24:33Z" level=info msg="127.0.0.1 - [Wed, 01 May 2024 06:24:33 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.426612ms \"crowdsec/v1.6.1-c6e40191\" \""
Ah! I found out the issue. Apparently traefik will connect directly to the redis. I expected crowdsec to connect to redis and therefore i've put crowdsec & redis into the same docker network. However when I added traefik into the redis network, things started to work.
PS. I figured this out with the debug logging, so thanks for that :)!
I do have, based on your config, another question:
My config in appsec.yaml is as following:
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
type: appsec
However I see that you've added this part:
filenames:
- /traefik-external-logs/accessLogs.log.json
labels:
type: traefik
and also are using a different appsec_config
(crowdsecurity/virtual-patching
vs crowdsecurity/appsec-default
). I'm new to CrowdSec so I have no idea what the difference is here.
So 2 questions:
appsec_config
's?What is the difference between the two appsec_config's?
So we added a generic
appsec rules which means they only detect generic attacks and not directly tied to a CVE for example leaving a debug page exposed. So the latter is the new default we purpose which combines both the generic
and virtual-patching
under the name of crowdsecurity/appsec-default
Why do you include the logs into the crowdsec container? Doesnt traefik simply do an API call to CrowdSec to see if the client is allowed? What does this log "sharing" add?
Mounting the traefik logs to CrowdSec container means CrowdSec can read the container logs and detect behaviours via traefik for example bruteforce attacks. We can only read these from stdout of the container or the logs the example @mathieuHa provides is when traefik is writing to a log file.
Allright, so let me try to get this straight. I should be using the crowdsecurity/appsec-default
preferably because this is the most "complete" package for protection.
docker-compose.yml
:
(add crowdsecurity/appsec-default
to the COLLECTIONS env var)
If the above statement is true, i should modify my config as follows:
crowdsec:
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:
COLLECTIONS: crowdsecurity/appsec-default crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
CUSTOM_HOSTNAME: crowdsec
# We need to register one api key per service we will use
BOUNCER_KEY_TRAEFIK: FIXME-LAPI-KEY-1=
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
- logs:/var/log/traefik:ro
- crowdsec-db:/var/lib/crowdsec/data/
- crowdsec-config:/etc/crowdsec/
labels:
- "traefik.enable=false"
appsec.yaml (change appsec_config
to crowdsecurity/appsec-default
):
filenames:
- /var/log/traefik/access.log
labels:
type: traefik
---
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
type: appsec
And the second question: My format for the traefik logs are json. Does this also work? or should i use the normal log style?
Allright, so let me try to get this straight. I should be using the
crowdsecurity/appsec-default
preferably because this is the most "complete" package for protection.
docker-compose.yml
: (addcrowdsecurity/appsec-default
to the COLLECTIONS env var) If the above statement is true, i should modify my config as follows:
From my understanding, (thanks @LaurenceJJones for the information about collections) both configuration fetch/activate the same collections: "crowdsecurity/appsec-default" = "crowdsecurity/appsec-virtual-patching + crowdsecurity/appsec-generic-rules"
So you can do either:
COLLECTIONS: crowdsecurity/appsec-default crowdsecurity/traefik
COLLECTIONS: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/traefik
/!\ The first one DOES NOT work, use the second configuration only: see response below
You can look at what theses collections do in the Crowdsec HUB.
For the most "complete" protection using this plugin and crowdsec, I suggest adding also the logs like in the exemples because it allows crowdsec to detect attacks/bruteforces based on some log pattern using multiples requests.
To simplify I would say that Crowdsec logs detection works similarly to fail2ban and appsec to modsecurity.
For the log format, yes JSON and CLF are supported. I personaly believe that Traefik JSON format is more complete than the traditional common log format.
For more advanced features, you can look in the exemples folder which shows various configurations options.
Alright, modifying the appsec.yaml to appsec_config: crowdsecurity/appsec-default
seems to work.
This however does not work:
COLLECTIONS: crowdsecurity/appsec-default crowdsecurity/traefik
This will crash the crowdsec on boot because the package crowdsecurity/appsec-default
does not exist.
Using this:
COLLECTIONS: crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/traefik
in combination with the appsec.yaml config seems to work :).
Thanks for the feedback, mybad I mixed up collections and appsec_config.
Thanks for clearing this up! I'm closing this one! Thanks again for all the great help :).
Describe the bug ๐ I'm running Traefik with this plugin & CrowdSec + AppSec in my docker environment.
Whenever I use
crowdSecMode: none
the system seems to work as intended. If i trigger AppSec i'm getting a 403, if i manually block myself i get a 403. If i unblock myself I get a 200 OK with response.Whenever I use anything else than
crowdSecMode: none
(for examplestream
orlive
), I always get a 403. I'm not sure what is going wrong here.The logs dont indicate anything that points even in the remote direction of this plugin.
Expected behavior ๐ I'd expect
stream
orlive
modes to give the same result asnone
.Context ๐
Config:
Version (please complete the following information):
To Reproduce Steps to reproduce the behavior:
none
; see that you get a 200 OKlive
; see that you always get 403.