From 2fecde02199066f642cd1fc53358ccaf5ed4406c Mon Sep 17 00:00:00 2001 
From: Laurence Date: Mon, 3 Feb 2025 07:25:53 +0000 Subject: [PATCH] enhance: Remove as much WAN ips from items that may cause CAPI signals --- crowdsec-docs/docs/appsec/hooks.md | 6 ++-- .../docs/appsec/quickstart/nginxopenresty.mdx | 4 +-- crowdsec-docs/docs/appsec/troubleshooting.md | 10 +++--- crowdsec-docs/docs/expr/other_helpers.md | 4 +-- .../docs/getting_started/crowdsec_tour.mdx | 8 ++--- crowdsec-docs/docs/local_api/bouncers-api.md | 14 ++++---- .../docs/local_api/profiles/format.md | 2 +- .../docs/log_processor/parsers/create.md | 28 +++++++-------- .../docs/log_processor/scenarios/create.md | 36 +++++++++---------- .../bouncers/cloudflare-workers.mdx | 2 +- .../unversioned/bouncers/cloudflare.mdx | 2 +- crowdsec-docs/unversioned/bouncers/custom.mdx | 8 ++--- .../console/decisions/decisions_management.md | 10 +++--- .../cti_api/integration_maltego.md | 4 +-- .../unversioned/user_guides/cscli_explain.md | 2 +- .../user_guides/decisions_management.md | 16 ++++----- .../getting_started/crowdsec_tour.md | 8 ++--- .../version-v1.3.4/local_api/bouncers-api.md | 14 ++++---- .../version-v1.3.4/parsers/create.md | 28 +++++++-------- .../version-v1.3.4/profiles/format.md | 2 +- .../version-v1.3.4/scenarios/create.md | 36 +++++++++---------- .../getting_started/crowdsec_tour.md | 8 ++--- .../version-v1.4.0/local_api/bouncers-api.md | 14 ++++---- .../version-v1.4.0/parsers/create.md | 28 +++++++-------- .../version-v1.4.0/profiles/format.md | 2 +- .../version-v1.4.0/scenarios/create.md | 36 +++++++++---------- .../console_management/decisions.md | 10 +++--- .../getting_started/crowdsec_tour.md | 8 ++--- .../version-v1.5.0/local_api/bouncers-api.md | 14 ++++---- .../version-v1.5.0/parsers/create.md | 28 +++++++-------- .../version-v1.5.0/profiles/format.md | 2 +- .../version-v1.5.0/scenarios/create.md | 36 +++++++++---------- .../version-v1.5.0/whitelist/create.md | 2 +- .../version-v1.6.0/appsec/hooks.md | 4 +-- .../version-v1.6.0/appsec/protocol.md | 4 +-- 
.../version-v1.6.0/appsec/quickstart.md | 4 +-- .../version-v1.6.0/appsec/troubleshooting.md | 10 +++--- .../version-v1.6.0/expr/other_helpers.md | 4 +-- .../getting_started/crowdsec_tour.mdx | 8 ++--- .../version-v1.6.0/local_api/bouncers-api.md | 14 ++++---- .../version-v1.6.0/parsers/create.md | 28 +++++++-------- .../version-v1.6.0/profiles/format.md | 2 +- .../version-v1.6.0/scenarios/create.md | 36 +++++++++---------- 43 files changed, 273 insertions(+), 273 deletions(-) diff --git a/crowdsec-docs/docs/appsec/hooks.md b/crowdsec-docs/docs/appsec/hooks.md index d9c72c218..19051b937 100644 --- a/crowdsec-docs/docs/appsec/hooks.md +++ b/crowdsec-docs/docs/appsec/hooks.md @@ -102,7 +102,7 @@ inband_rules: - crowdsecurity/base-config - crowdsecurity/vpatch-* pre_eval: - - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42" + - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1" apply: - RemoveInBandRuleByName("my_rule") ``` @@ -188,13 +188,13 @@ inband_rules: - crowdsecurity/base-config - crowdsecurity/vpatch-* post_eval: - - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42" + - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1" apply: - CancelAlert() - CancelEvent() - filter: | any( evt.Appsec.MatchedRules, #.name == "crowdsecurity/vpatch-env-access") and - req.RemoteAddr = "42.42.42.42" + req.RemoteAddr = "192.168.1.1" apply: - SetRemediation("allow") - filter: evt.Appsec.MatchedRules.GetURI() contains "/foobar/" diff --git a/crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx b/crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx index 12049f540..476f5bea7 100644 --- a/crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx +++ b/crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx 
@@ -160,7 +160,7 @@ Please keep this key since you will not be able to retrieve it! 2. Emit a legitimate request to the AppSec Component: ```bash -curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' ``` Which will give us an answer such as: @@ -181,7 +181,7 @@ We're trying to access a `.env` file, a [common way to get access to some creden ::: ```bash -curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' ``` diff --git a/crowdsec-docs/docs/appsec/troubleshooting.md b/crowdsec-docs/docs/appsec/troubleshooting.md index 94d77da0e..c98bdc02d 100644 --- a/crowdsec-docs/docs/appsec/troubleshooting.md +++ b/crowdsec-docs/docs/appsec/troubleshooting.md 
@@ -75,7 +75,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password > Emit a request to the AppSec Component ```bash -curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' +curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' HTTP/1.1 200 OK Date: Tue, 05 Dec 2023 19:37:56 GMT Content-Length: 18 @@ -85,7 +85,7 @@ Content-Type: text/plain; charset=utf-8 If you receive a `200 OK`, you can authenticate to the AppSec Component. If the component is misconfigured or your API key is invalid, you will receive a `401 Unauthorized`: ```bash -curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' +curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' HTTP/1.1 401 Unauthorized Date: Tue, 05 Dec 2023 19:38:51 GMT Content-Length: 0 
@@ -212,7 +212,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password We can now query our AppSec Component (we're assuming here that it runs on the default `127.0.0.1:7422`, see the `listen_addr` parameter of the acquisition config): ```bash -▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' HTTP/1.1 403 Forbidden Date: Tue, 05 Dec 2023 11:17:51 GMT Content-Length: 16 @@ -225,7 +225,7 @@ And we see the alert appearing in `crowdsec.log` : ``` ... -INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 42.42.42.42 +INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 192.168.1.1 ... ``` @@ -235,7 +235,7 @@ And in `cscli alerts list` : ╭────┬────────────────┬─────────────────────────────────────┬─────────┬────┬───────────┬───────────────────────────────╮ │ ID │ value │ reason │ country │ as │ decisions │ created_at │ ├────┼────────────────┼─────────────────────────────────────┼─────────┼────┼───────────┼───────────────────────────────┤ -│ 1 │ Ip:42.42.42.42 │ crowdsecurity/vpatch-CVE-2023-42793 │ │ │ │ 2023-12-05 11:17:51 +0000 UTC │ +│ 1 │ Ip:192.168.1.1 │ crowdsecurity/vpatch-CVE-2023-42793 │ │ │ │ 2023-12-05 11:17:51 +0000 UTC │ ╰────┴────────────────┴─────────────────────────────────────┴─────────┴────┴───────────┴───────────────────────────────╯ ``` diff --git a/crowdsec-docs/docs/expr/other_helpers.md b/crowdsec-docs/docs/expr/other_helpers.md index 125f3279a..92cec6539 100644 --- a/crowdsec-docs/docs/expr/other_helpers.md +++ b/crowdsec-docs/docs/expr/other_helpers.md 
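Review bot: The `@@ -225` and `@@ -235` hunks now promise an alert `crowdsecurity/vpatch-CVE-2023-42793 by ip 192.168.1.1`, but 192.168.1.1 is an RFC 1918 address, and on a log processor with the commonly installed `crowdsecurity/whitelists` parser (which whitelists private ranges) the event may be whitelisted and never produce that alert, leaving the reader with a 403 from the AppSec component and an empty `cscli alerts list`, which is the very symptom this page is meant to debug. An RFC 5737 documentation address such as `203.0.113.10` is reserved and never routed, so it meets the commit's goal of not naming a real host without this whitelist interaction. I would use that address in the `x-crowdsec-appsec-ip` header and the two expected-output lines, or add a sentence stating that private source IPs may be whitelisted and raise no alert.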
@@ -34,7 +34,7 @@ An empty string if the key doesn't exist (or has been evicted), and error is rai Returns true if it's a valid IPv4. -> `IsIPV4("1.2.3.4")` +> `IsIPV4("192.168.1.1")` > `IsIPV4(Alert.GetValue())` @@ -44,7 +44,7 @@ Returns true if it's a valid IP (v4 or v6). > `IsIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")` -> `IsIP("1.2.3.4")` +> `IsIP("192.168.1.1")` > `IsIP(Alert.GetValue())` diff --git a/crowdsec-docs/docs/getting_started/crowdsec_tour.mdx b/crowdsec-docs/docs/getting_started/crowdsec_tour.mdx index b9100d392..6230d19c5 100644 --- a/crowdsec-docs/docs/getting_started/crowdsec_tour.mdx +++ b/crowdsec-docs/docs/getting_started/crowdsec_tour.mdx @@ -116,7 +116,7 @@ sudo cscli decisions list +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ | 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 | | | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | | -| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +| 801 | crowdsec | Ip:192.168.1.1 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ ``` @@ -130,11 +130,11 @@ There are different decisions `SOURCE`: ## Add/Remove decisions ```bash -cscli decisions add -i 1.2.3.4 -cscli decisions delete -i 1.2.3.4 +cscli decisions add -i 192.168.1.1 +cscli decisions delete -i 192.168.1.1 ``` -Those commands will respectively add a manual decision for ip `1.2.3.4` (with default parameters such as duration and such), and remove all active decisions for ip `1.2.3.4`. +Those commands will respectively add a manual decision for ip `192.168.1.1` (with default parameters such as duration and such), and remove all active decisions for ip `192.168.1.1`. 
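Review bot: `cscli decisions add -i 192.168.1.1` in the `@@ -130` hunk is a live command, and 192.168.1.1 is the default gateway address on a great many home and office networks, so a reader who runs the example as written creates a real ban that every bouncer will enforce against a LAN host. The RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are reserved and never routed, which satisfies the intent of not naming a real WAN address without that copy-paste hazard; `cscli decisions add -i 192.0.2.1` and `cscli decisions delete -i 192.0.2.1` would do. The `Ip:` cell in the `@@ -116` table should follow the same substitution so the two hunks stay consistent.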
diff --git a/crowdsec-docs/docs/local_api/bouncers-api.md b/crowdsec-docs/docs/local_api/bouncers-api.md index 134ecb84b..de81d700f 100644 --- a/crowdsec-docs/docs/local_api/bouncers-api.md +++ b/crowdsec-docs/docs/local_api/bouncers-api.md @@ -72,7 +72,7 @@ As stated in the [swagger documentation](https://crowdsecurity.github.io/api_doc To have some data to query for, let's add two decisions to our local API ```bash -▶ sudo cscli decisions add -i 1.2.3.4 +▶ sudo cscli decisions add -i 192.168.1.1 INFO[0000] Decision successfully added ▶ sudo cscli decisions add -r 2.2.3.0/24 INFO[0000] Decision successfully added @@ -82,7 +82,7 @@ INFO[0000] Decision successfully added +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h59m18.079301785s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ 
@@ -92,8 +92,8 @@ INFO[0000] Decision successfully added ```bash title="Query a single banned IP" -▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=1.2.3.4 -[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=192.168.1.1 +[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` ```bash title="Query a single IP" @@ -112,7 +112,7 @@ _note: notice that the decision returned is the range that we banned earlier and ```bash title="Query a range in which one of the ban is contained" ▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?range=1.2.3.0/24\&contains\=false -[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` _note: notice the `contains` flag that is set to false_ 
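Review bot: The `@@ -112` hunk breaks the example it sits in: the request still queries `range=1.2.3.0/24&contains=false`, but the expected response now shows the decision for `192.168.1.1`, which is not inside 1.2.3.0/24, so a reader reproducing the steps will get an empty list instead of the shown output. The decision added earlier in this file (`cscli decisions add -i 192.168.1.1` at `@@ -72`) is what the `contains=false` query is meant to find, so the range has to cover it. Either change the query line to `http://localhost:8080/v1/decisions\?range=192.168.1.0/24\&contains\=false`, or keep an address inside the queried range for this example.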
@@ -141,7 +141,7 @@ INFO[0000] Decision successfully added | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h27m1.384972861s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+-------------+---------+----+--------+--------------------+----------+ ``` @@ -174,7 +174,7 @@ Given the our state looks like : +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 2h55m26.05271136s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ diff --git a/crowdsec-docs/docs/local_api/profiles/format.md b/crowdsec-docs/docs/local_api/profiles/format.md index d42de9ad8..f1e18cd28 100644 --- a/crowdsec-docs/docs/local_api/profiles/format.md +++ b/crowdsec-docs/docs/local_api/profiles/format.md 
@@ -102,7 +102,7 @@ It is a list of `models.Decision` objects. The following fields, when present, a - `scope` : defines the scope of the resulting decision - `duration` : defines for how long will the decision be valid. The format must comply with [golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) - `type` : defines the type of the remediation that will be applied by available bouncers, for example `ban`, `captcha` - - `value` : define a hardcoded value for the decision (ie. `1.2.3.4`) + - `value` : define a hardcoded value for the decision (ie. `192.168.1.1`) ### `duration_expr` diff --git a/crowdsec-docs/docs/log_processor/parsers/create.md b/crowdsec-docs/docs/log_processor/parsers/create.md index 3afc77728..3b4463370 100644 --- a/crowdsec-docs/docs/log_processor/parsers/create.md +++ b/crowdsec-docs/docs/log_processor/parsers/create.md @@ -14,9 +14,9 @@ The creation of said functional testing will guide our process and will make it We're going to create a parser for the imaginary service "myservice" that produce three types of logs via syslog : ``` -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ``` As we are going to parse those logs to further detect bruteforce and user-enumeration attacks, we're simply going to "discard" the last type of logs. 
@@ -144,8 +144,8 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["is_my_service"] == "yes" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '1.2.3.4'" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '1.2.3.4'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '192.168.1.1'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '192.168.1.1'" ... @@ -162,19 +162,19 @@ Further inspection can be seen with `cscli hubtest explain` : ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse 
@@ -250,12 +250,12 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Success == true ... results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["user"] == "toto" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_subtype"] == "myservice_bad_password" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_type"] == "myservice_failed_auth" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["service"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["username"] == "toto" ... results["s01-parse"]["crowdsecurity/myservice-logs"][1].Evt.Meta["log_subtype"] == "myservice_bad_user" 
@@ -272,26 +272,26 @@ Again, further inspection with `cscli hubtest explain` will show us more about w ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🔴 crowdsecurity/myservice-logs ``` -__note: we can see that our log line `accepted connection for user 'toto' from '1.2.3.4'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ +__note: we can see that our log line `accepted connection for user 'toto' from '192.168.1.1'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ ## Closing word diff --git a/crowdsec-docs/docs/log_processor/scenarios/create.md b/crowdsec-docs/docs/log_processor/scenarios/create.md index f0693c653..986a45eb8 100644 --- a/crowdsec-docs/docs/log_processor/scenarios/create.md +++ b/crowdsec-docs/docs/log_processor/scenarios/create.md 
@@ -20,12 +20,12 @@ The creation of said functional testing will guide our process and will make it We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication : ``` -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ``` There's a [yaml schema 
@@ -145,17 +145,17 @@ INFO[01-10-2021 12:41:21 PM] Running test 'myservice-bf' WARN[01-10-2021 12:41:24 PM] Assert file '/home/dev/github/hub/.tests/myservice-bf/scenario.assert' is empty, generating assertion: len(results) == 1 -"1.2.3.4" in results[0].Overflow.GetSources() -results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" -results[0].Overflow.Sources["1.2.3.4"].Range == "" -results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" -results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"192.168.1.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" +results[0].Overflow.Sources["192.168.1.1"].Range == "" +results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "myservice-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "myservice_bad_user" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "myservice_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "myservice" -results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto" .... results[0].Overflow.Alert.GetScenario() == "crowdsecurity/myservice-bf" @@ -178,7 +178,7 @@ We can again understand more of what is going on thanks to `cscli hubtest explai ```bash ▶ cscli hubtest explain myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
@@ -189,7 +189,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3 ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -200,7 +200,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -211,7 +211,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -222,7 +222,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -233,7 +233,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
diff --git a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx index e9544b032..64fae683b 100644 --- a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx +++ b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx @@ -356,7 +356,7 @@ crowdsec_config: 3. *Failmode Configuration*: It's crucial to [configure the failmode properly](#setting-up-the-worker-route-fail-mode) to ensure your service remains operational even when request quotas are reached. 4. *Testing with manual decisions*: Verify the functionality by adding decisions manually, which should be promptly reflected in KV storage and enforced by the Remediation Component. ```bash - sudo cscli decisions add --ip 1.2.3.4 --type captcha + sudo cscli decisions add --ip 192.168.1.1 --type captcha ``` check your decisions has been added using: ```bash diff --git a/crowdsec-docs/unversioned/bouncers/cloudflare.mdx b/crowdsec-docs/unversioned/bouncers/cloudflare.mdx index 1173091fc..f234de3b2 100644 --- a/crowdsec-docs/unversioned/bouncers/cloudflare.mdx +++ b/crowdsec-docs/unversioned/bouncers/cloudflare.mdx @@ -399,7 +399,7 @@ The action to be applied for a decision, if the decision's action is not support Consider your zone config supports the actions `managed_challenge` and `js_challenge`. Your `default_action` is `managed_action`. If you create the following decision: ``` -sudo cscli decisions add --ip 1.2.3.4 --type ban +sudo cscli decisions add --ip 192.168.1.1 --type ban ``` Since the zone doesn't support `ban` decision type, it'll be inserted into the IP list given by `default_action`. In this case it'll be the list for `managed_challenge`. diff --git a/crowdsec-docs/unversioned/bouncers/custom.mdx b/crowdsec-docs/unversioned/bouncers/custom.mdx index b8a5469d5..fa7f88afc 100644 --- a/crowdsec-docs/unversioned/bouncers/custom.mdx +++ b/crowdsec-docs/unversioned/bouncers/custom.mdx 
@@ -150,7 +150,7 @@ prometheus: ``` -`cache_retention_duration` : The bouncer keeps track of all custom script invocations from the last `cache_retention_duration` interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. The keys for hashing a decision is it's `Type` (eg `ban`, `captcha` etc) and `Value` (eg `1.2.3.4`, `CH` etc). +`cache_retention_duration` : The bouncer keeps track of all custom script invocations from the last `cache_retention_duration` interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. The keys for hashing a decision is it's `Type` (eg `ban`, `captcha` etc) and `Value` (eg `192.168.1.1`, `CH` etc). You can then start the service: @@ -197,8 +197,8 @@ Remember to set execution permissions for your binary or script. If it's a scrip ## Examples ```text -custom_binary.sh add 1.2.3.4/32 3600 "test blacklist" -custom_binary.sh del 1.2.3.4/32 3600 "test blacklist" +custom_binary.sh add 192.168.1.1/32 3600 "test blacklist" +custom_binary.sh del 192.168.1.1/32 3600 "test blacklist" ``` @@ -267,7 +267,7 @@ origins: ["cscli", "crowdsec"] The component keeps track of all custom script invocations from the last `cache_retention_duration` interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. -The keys for hashing a decision is it's `Type` (eg `ban`, `captcha` etc) and `Value` (eg `1.2.3.4`, `CH` etc). +The keys for hashing a decision is it's `Type` (eg `ban`, `captcha` etc) and `Value` (eg `192.168.1.1`, `CH` etc). ### `piddir` > string diff --git a/crowdsec-docs/unversioned/console/decisions/decisions_management.md b/crowdsec-docs/unversioned/console/decisions/decisions_management.md index 9c4efb170..54f0e4ba2 100644 --- a/crowdsec-docs/unversioned/console/decisions/decisions_management.md 
+++ b/crowdsec-docs/unversioned/console/decisions/decisions_management.md @@ -19,7 +19,7 @@ From the Console, it is possible to add a decision for your whole organization, ![Add decision button](/img/add_decision_button.png) - Then enter the IP address you want to ban, the remediation type, the duration, a reason and select the target of this decision: ->In this example, we are adding a __ban__ decision on __1.2.3.4__ for __4h__ because it is a __Bad IP__, to my two instances. +>In this example, we are adding a __ban__ decision on __192.168.1.1__ for __4h__ because it is a __Bad IP__, to my two instances. ![Add decision](/img/add_decision_to_machines.png) @@ -28,8 +28,8 @@ And we can see in the CrowdSec Local API logs that we received this new decision ```bash title="/var/log/crowdsec.log" time="31-03-2023 10:01:22" level=info msg="Received order 96384829-4dfd-4759-9e99-6b007dcf6452 from PAPI (1 decisions)" -time="31-03-2023 10:01:22" level=info msg="Adding decision for '1.2.3.4' with UUID: b0ab6879-99b0-4960-8e80-c231ff22aa6c" -time="31-03-2023 10:01:22" level=info msg="(console) xxxx@crowdsec.net ban decision from console by ip 1.2.3.4 : 4h ban on ip 1.2.3.4" +time="31-03-2023 10:01:22" level=info msg="Adding decision for '192.168.1.1' with UUID: b0ab6879-99b0-4960-8e80-c231ff22aa6c" +time="31-03-2023 10:01:22" level=info msg="(console) xxxx@crowdsec.net ban decision from console by ip 192.168.1.1 : 4h ban on ip 192.168.1.1" time="31-03-2023 10:01:29" level=info msg="Signal push: 1 signals to push" ``` 
@@ -38,7 +38,7 @@ sudo cscli decisions list ╭──────────┬──────────┬────────────────────┬─────────────────────────────────────┬────────┬─────────┬─────────────────────────────────────────────────────────┬────────┬────────────────────┬──────────╮ │ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │ ├──────────┼──────────┼────────────────────┼─────────────────────────────────────┼────────┼─────────┼─────────────────────────────────────────────────────────┼────────┼────────────────────┼──────────┤ -│ 51093289 │ console │ ip:1.2.3.4 │ Bad IP │ ban │ │ │ 0 │ 3h55m45.776620725s │ 13404 │ +│ 51093289 │ console │ ip:192.168.1.1 │ Bad IP │ ban │ │ │ 0 │ 3h55m45.776620725s │ 13404 │ ``` @@ -55,6 +55,6 @@ sudo cscli decisions list And we can see that our CrowdSec Local API received the order to delete the decision: ```bash -time="31-03-2023 11:41:52" level=info msg="Decision from 'console' for '1.2.3.4' (ban) has been deleted" +time="31-03-2023 11:41:52" level=info msg="Decision from 'console' for '192.168.1.1' (ban) has been deleted" time="31-03-2023 11:42:01" level=info msg="sync decisions: 1 deleted decisions to push" interval=10 source=papi ``` \ No newline at end of file diff --git a/crowdsec-docs/unversioned/cti_api/integration_maltego.md b/crowdsec-docs/unversioned/cti_api/integration_maltego.md index d6cfc21ef..656c9be12 100644 --- a/crowdsec-docs/unversioned/cti_api/integration_maltego.md +++ b/crowdsec-docs/unversioned/cti_api/integration_maltego.md @@ -33,10 +33,10 @@ docker compose up With your current working directory being in the cloned repo. Run the following command to point the settings to your instance's IP ``` -sed -i "s/my_ip/1.2.3.4/g" transforms.csv +sed -i "s/my_ip/192.168.1.1/g" transforms.csv ``` -Replace **1.2.3.4** with your instance's IP +Replace **192.168.1.1** with your instance's IP #### Registering at pTDS 
diff --git a/crowdsec-docs/unversioned/user_guides/cscli_explain.md b/crowdsec-docs/unversioned/user_guides/cscli_explain.md index 574b71927..bf3ddaa1d 100644 --- a/crowdsec-docs/unversioned/user_guides/cscli_explain.md +++ b/crowdsec-docs/unversioned/user_guides/cscli_explain.md @@ -18,7 +18,7 @@ This can be done with a single line, with a given logfile, or via a full `dsn` : ```bash cscli explain --file ./myfile.log --type nginx -cscli explain --log "Sep 19 18:33:22 scw-d95986 sshd[24347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4" --type syslog +cscli explain --log "Sep 19 18:33:22 scw-d95986 sshd[24347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1" --type syslog cscli explain --dsn "file://myfile.log" --type nginx ``` diff --git a/crowdsec-docs/unversioned/user_guides/decisions_management.md b/crowdsec-docs/unversioned/user_guides/decisions_management.md index cff230afe..2a7b82d12 100644 --- a/crowdsec-docs/unversioned/user_guides/decisions_management.md +++ b/crowdsec-docs/unversioned/user_guides/decisions_management.md @@ -68,7 +68,7 @@ sudo cscli decisions list --origin cscli-import > Ban an IP address ```bash -sudo cscli decisions add -i 1.2.3.4 +sudo cscli decisions add -i 192.168.1.1 ``` :::info @@ -78,10 +78,10 @@ sudo cscli decisions add -i 1.2.3.4 ::: -> Add a decision (ban) on the IP address `1.2.3.4` for 24 hours, with reason 'web bruteforce' +> Add a decision (ban) on the IP address `192.168.1.1` for 24 hours, with reason 'web bruteforce' ```bash -sudo cscli decisions add --ip 1.2.3.4 --duration 24h --reason "web bruteforce" +sudo cscli decisions add --ip 192.168.1.1 --duration 24h --reason "web bruteforce" ``` > Add a decision (ban) on the IP range `1.2.3.0/24` for 4 hours (the default duration), with reason 'web bruteforce' 
@@ -91,18 +91,18 @@ sudo cscli decisions add --range 1.2.3.0/24 --reason "web bruteforce" ``` -> Add a decision (captcha) the on IP address `1.2.3.4` for 4 hours, with reason 'web bruteforce' +> Add a decision (captcha) the on IP address `192.168.1.1` for 4 hours, with reason 'web bruteforce' ```bash -sudo cscli decisions add --ip 1.2.3.4 --reason "web bruteforce" --type captcha +sudo cscli decisions add --ip 192.168.1.1 --reason "web bruteforce" --type captcha ``` ## Delete a decision -> delete the decision on IP address `1.2.3.4` +> delete the decision on IP address `192.168.1.1` ```bash -sudo cscli decisions delete --ip 1.2.3.4 +sudo cscli decisions delete --ip 192.168.1.1 ``` > delete the decision on IP range 1.2.3.0/24 @@ -163,7 +163,7 @@ sudo cscli decisions import -i foo.csv ```csv title="Example CSV file" duration,scope,value -24h,ip,1.2.3.4 +24h,ip,192.168.1.1 ``` ### JSON File diff --git a/crowdsec-docs/versioned_docs/version-v1.3.4/getting_started/crowdsec_tour.md b/crowdsec-docs/versioned_docs/version-v1.3.4/getting_started/crowdsec_tour.md index 828d4d781..932145016 100644 --- a/crowdsec-docs/versioned_docs/version-v1.3.4/getting_started/crowdsec_tour.md +++ b/crowdsec-docs/versioned_docs/version-v1.3.4/getting_started/crowdsec_tour.md @@ -116,7 +116,7 @@ sudo cscli decisions list +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ | 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 | | | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | | -| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +| 801 | crowdsec | Ip:192.168.1.1 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ ``` 
@@ -130,11 +130,11 @@ There are different decisions `SOURCE`: ## Add/Remove decisions ```bash -cscli decisions add -i 1.2.3.4 -cscli decisions delete -i 1.2.3.4 +cscli decisions add -i 192.168.1.1 +cscli decisions delete -i 192.168.1.1 ``` -Those commands will respectively add a manual decision for ip `1.2.3.4` (with default parameters such as duration and such), and remove all active decisions for ip `1.2.3.4`. +Those commands will respectively add a manual decision for ip `192.168.1.1` (with default parameters such as duration and such), and remove all active decisions for ip `192.168.1.1`. diff --git a/crowdsec-docs/versioned_docs/version-v1.3.4/local_api/bouncers-api.md b/crowdsec-docs/versioned_docs/version-v1.3.4/local_api/bouncers-api.md index 488086e42..20186b27e 100644 --- a/crowdsec-docs/versioned_docs/version-v1.3.4/local_api/bouncers-api.md +++ b/crowdsec-docs/versioned_docs/version-v1.3.4/local_api/bouncers-api.md @@ -70,7 +70,7 @@ As stated in the [swagger documentation](https://crowdsecurity.github.io/api_doc To have some data to query for, let's add two decisions to our local API ```bash -▶ sudo cscli decisions add -i 1.2.3.4 +▶ sudo cscli decisions add -i 192.168.1.1 INFO[0000] Decision successfully added ▶ sudo cscli decisions add -r 2.2.3.0/24 INFO[0000] Decision successfully added 
@@ -80,7 +80,7 @@ INFO[0000] Decision successfully added +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h59m18.079301785s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ @@ -90,8 +90,8 @@ INFO[0000] Decision successfully added ```bash title="Query a single banned IP" -▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=1.2.3.4 -[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=192.168.1.1 +[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` ```bash title="Query a single IP" 
@@ -110,7 +110,7 @@ _note: notice that the decision returned is the range that we banned earlier and ```bash title="Query a range in which one of the ban is contained" ▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?range=1.2.3.0/24\&contains\=false -[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` _note: notice the `contains` flag that is set to false_ @@ -139,7 +139,7 @@ INFO[0000] Decision successfully added | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h27m1.384972861s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+-------------+---------+----+--------+--------------------+----------+ ``` 
@@ -172,7 +172,7 @@ Given the our state looks like : +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 2h55m26.05271136s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ diff --git a/crowdsec-docs/versioned_docs/version-v1.3.4/parsers/create.md b/crowdsec-docs/versioned_docs/version-v1.3.4/parsers/create.md index 441d7fce4..11b932425 100644 --- a/crowdsec-docs/versioned_docs/version-v1.3.4/parsers/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.3.4/parsers/create.md 
@@ -13,9 +13,9 @@ The creation of said functional testing will guide our process and will make it We're going to create a parser for the imaginary service "myservice" that produce three types of logs via syslog : ``` -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ``` As we are going to parse those logs to further detect bruteforce and user-enumeration attacks, we're simply going to "discard" the last type of logs. @@ -112,8 +112,8 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["is_my_service"] == "yes" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '1.2.3.4'" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '1.2.3.4'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '192.168.1.1'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '192.168.1.1'" ... 
@@ -130,19 +130,19 @@ Further inspection can be seen with `cscli hubtest explain` : ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse 
@@ -218,12 +218,12 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Success == true ... results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["user"] == "toto" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_subtype"] == "myservice_bad_password" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_type"] == "myservice_failed_auth" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["service"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["username"] == "toto" ... results["s01-parse"]["crowdsecurity/myservice-logs"][1].Evt.Meta["log_subtype"] == "myservice_bad_user" 
@@ -240,26 +240,26 @@ Again, further inspection with `cscli hubtest explain` will show us more about w ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🔴 crowdsecurity/myservice-logs ``` -__note: we can see that our log line `accepted connection for user 'toto' from '1.2.3.4'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ +__note: we can see that our log line `accepted connection for user 'toto' from '192.168.1.1'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ ## Closing word diff --git a/crowdsec-docs/versioned_docs/version-v1.3.4/profiles/format.md b/crowdsec-docs/versioned_docs/version-v1.3.4/profiles/format.md index 341e4bb2a..abd132921 100644 --- a/crowdsec-docs/versioned_docs/version-v1.3.4/profiles/format.md +++ b/crowdsec-docs/versioned_docs/version-v1.3.4/profiles/format.md 
@@ -103,7 +103,7 @@ It is a list of `models.Decision` objects. The following fields, when present, a - `scope` : defines the scope of the resulting decision - `duration` : defines for how long will the decision be valid. The format must comply with [golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) - `type` : defines the type of the remediation that will be applied by available bouncers, for example `ban`, `captcha` - - `value` : define a hardcoded value for the decision (ie. `1.2.3.4`) + - `value` : define a hardcoded value for the decision (ie. `192.168.1.1`) ### `on_success` diff --git a/crowdsec-docs/versioned_docs/version-v1.3.4/scenarios/create.md b/crowdsec-docs/versioned_docs/version-v1.3.4/scenarios/create.md index 6d516d23e..d5fe4cf8d 100644 --- a/crowdsec-docs/versioned_docs/version-v1.3.4/scenarios/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.3.4/scenarios/create.md 
@@ -19,12 +19,12 @@ The creation of said functional testing will guide our process and will make it We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication : ``` -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ``` ## Pre-requisites 
@@ -133,17 +133,17 @@ INFO[01-10-2021 12:41:21 PM] Running test 'myservice-bf' WARN[01-10-2021 12:41:24 PM] Assert file '/home/dev/github/hub/.tests/myservice-bf/scenario.assert' is empty, generating assertion: len(results) == 1 -"1.2.3.4" in results[0].Overflow.GetSources() -results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" -results[0].Overflow.Sources["1.2.3.4"].Range == "" -results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" -results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"192.168.1.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" +results[0].Overflow.Sources["192.168.1.1"].Range == "" +results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "myservice-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "myservice_bad_user" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "myservice_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "myservice" -results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto" .... results[0].Overflow.Alert.GetScenario() == "crowdsecurity/myservice-bf" @@ -167,7 +167,7 @@ We can again understand more of what is going on thanks to `cscli hubtest explai ```bash ▶ cscli hubtest explain myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
@@ -178,7 +178,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3 ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -189,7 +189,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -200,7 +200,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -211,7 +211,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -222,7 +222,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
diff --git a/crowdsec-docs/versioned_docs/version-v1.4.0/getting_started/crowdsec_tour.md b/crowdsec-docs/versioned_docs/version-v1.4.0/getting_started/crowdsec_tour.md index 828d4d781..932145016 100644 --- a/crowdsec-docs/versioned_docs/version-v1.4.0/getting_started/crowdsec_tour.md +++ b/crowdsec-docs/versioned_docs/version-v1.4.0/getting_started/crowdsec_tour.md @@ -116,7 +116,7 @@ sudo cscli decisions list +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ | 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 | | | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | | -| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +| 801 | crowdsec | Ip:192.168.1.1 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ ``` @@ -130,11 +130,11 @@ There are different decisions `SOURCE`: ## Add/Remove decisions ```bash -cscli decisions add -i 1.2.3.4 -cscli decisions delete -i 1.2.3.4 +cscli decisions add -i 192.168.1.1 +cscli decisions delete -i 192.168.1.1 ``` -Those commands will respectively add a manual decision for ip `1.2.3.4` (with default parameters such as duration and such), and remove all active decisions for ip `1.2.3.4`. +Those commands will respectively add a manual decision for ip `192.168.1.1` (with default parameters such as duration and such), and remove all active decisions for ip `192.168.1.1`. diff --git a/crowdsec-docs/versioned_docs/version-v1.4.0/local_api/bouncers-api.md b/crowdsec-docs/versioned_docs/version-v1.4.0/local_api/bouncers-api.md index 488086e42..20186b27e 100644 --- a/crowdsec-docs/versioned_docs/version-v1.4.0/local_api/bouncers-api.md +++ b/crowdsec-docs/versioned_docs/version-v1.4.0/local_api/bouncers-api.md 
@@ -70,7 +70,7 @@ As stated in the [swagger documentation](https://crowdsecurity.github.io/api_doc To have some data to query for, let's add two decisions to our local API ```bash -▶ sudo cscli decisions add -i 1.2.3.4 +▶ sudo cscli decisions add -i 192.168.1.1 INFO[0000] Decision successfully added ▶ sudo cscli decisions add -r 2.2.3.0/24 INFO[0000] Decision successfully added @@ -80,7 +80,7 @@ INFO[0000] Decision successfully added +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h59m18.079301785s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ @@ -90,8 +90,8 @@ INFO[0000] Decision successfully added ```bash title="Query a single banned IP" -▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=1.2.3.4 -[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=192.168.1.1 +[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` ```bash title="Query a single IP" 
@@ -110,7 +110,7 @@ _note: notice that the decision returned is the range that we banned earlier and ```bash title="Query a range in which one of the ban is contained" ▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?range=1.2.3.0/24\&contains\=false -[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` _note: notice the `contains` flag that is set to false_ @@ -139,7 +139,7 @@ INFO[0000] Decision successfully added | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h27m1.384972861s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+-------------+---------+----+--------+--------------------+----------+ ``` 
@@ -172,7 +172,7 @@ Given the our state looks like : +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 2h55m26.05271136s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ diff --git a/crowdsec-docs/versioned_docs/version-v1.4.0/parsers/create.md b/crowdsec-docs/versioned_docs/version-v1.4.0/parsers/create.md index 441d7fce4..11b932425 100644 --- a/crowdsec-docs/versioned_docs/version-v1.4.0/parsers/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.4.0/parsers/create.md 
@@ -13,9 +13,9 @@ The creation of said functional testing will guide our process and will make it We're going to create a parser for the imaginary service "myservice" that produce three types of logs via syslog : ``` -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ``` As we are going to parse those logs to further detect bruteforce and user-enumeration attacks, we're simply going to "discard" the last type of logs. @@ -112,8 +112,8 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["is_my_service"] == "yes" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '1.2.3.4'" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '1.2.3.4'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '192.168.1.1'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '192.168.1.1'" ... 
@@ -130,19 +130,19 @@ Further inspection can be seen with `cscli hubtest explain` : ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse 
@@ -218,12 +218,12 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Success == true ... results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["user"] == "toto" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_subtype"] == "myservice_bad_password" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_type"] == "myservice_failed_auth" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["service"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["username"] == "toto" ... results["s01-parse"]["crowdsecurity/myservice-logs"][1].Evt.Meta["log_subtype"] == "myservice_bad_user" 
@@ -240,26 +240,26 @@ Again, further inspection with `cscli hubtest explain` will show us more about w ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🔴 crowdsecurity/myservice-logs ``` -__note: we can see that our log line `accepted connection for user 'toto' from '1.2.3.4'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ +__note: we can see that our log line `accepted connection for user 'toto' from '192.168.1.1'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ ## Closing word diff --git a/crowdsec-docs/versioned_docs/version-v1.4.0/profiles/format.md b/crowdsec-docs/versioned_docs/version-v1.4.0/profiles/format.md index 28ea697bc..7144e669e 100644 --- a/crowdsec-docs/versioned_docs/version-v1.4.0/profiles/format.md +++ b/crowdsec-docs/versioned_docs/version-v1.4.0/profiles/format.md 
@@ -102,7 +102,7 @@ It is a list of `models.Decision` objects. The following fields, when present, a - `scope` : defines the scope of the resulting decision - `duration` : defines for how long will the decision be valid. The format must comply with [golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) - `type` : defines the type of the remediation that will be applied by available bouncers, for example `ban`, `captcha` - - `value` : define a hardcoded value for the decision (ie. `1.2.3.4`) + - `value` : define a hardcoded value for the decision (ie. `192.168.1.1`) ### `duration_expr` diff --git a/crowdsec-docs/versioned_docs/version-v1.4.0/scenarios/create.md b/crowdsec-docs/versioned_docs/version-v1.4.0/scenarios/create.md index 6d516d23e..d5fe4cf8d 100644 --- a/crowdsec-docs/versioned_docs/version-v1.4.0/scenarios/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.4.0/scenarios/create.md 
@@ -19,12 +19,12 @@ The creation of said functional testing will guide our process and will make it We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication : ``` -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ``` ## Pre-requisites 
@@ -133,17 +133,17 @@ INFO[01-10-2021 12:41:21 PM] Running test 'myservice-bf' WARN[01-10-2021 12:41:24 PM] Assert file '/home/dev/github/hub/.tests/myservice-bf/scenario.assert' is empty, generating assertion: len(results) == 1 -"1.2.3.4" in results[0].Overflow.GetSources() -results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" -results[0].Overflow.Sources["1.2.3.4"].Range == "" -results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" -results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"192.168.1.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" +results[0].Overflow.Sources["192.168.1.1"].Range == "" +results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "myservice-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "myservice_bad_user" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "myservice_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "myservice" -results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto" .... results[0].Overflow.Alert.GetScenario() == "crowdsecurity/myservice-bf" @@ -167,7 +167,7 @@ We can again understand more of what is going on thanks to `cscli hubtest explai ```bash ▶ cscli hubtest explain myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
@@ -178,7 +178,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3 ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -189,7 +189,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -200,7 +200,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -211,7 +211,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -222,7 +222,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/console_management/decisions.md b/crowdsec-docs/versioned_docs/version-v1.5.0/console_management/decisions.md index 01e237b12..a583bb519 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/console_management/decisions.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/console_management/decisions.md @@ -18,7 +18,7 @@ From the Console, it is possible to add a decision for your whole organization, ![Add decision button](/img/add_decision_button.png) - Then enter the IP address you want to ban, the remediation type, the duration, a reason and select the target of this decision: ->In this example, we are adding a __ban__ decision on __1.2.3.4__ for __4h__ because it is a __Bad IP__, to my two instances. +>In this example, we are adding a __ban__ decision on __192.168.1.1__ for __4h__ because it is a __Bad IP__, to my two instances. ![Add decision](/img/add_decision_to_machines.png) @@ -27,8 +27,8 @@ And we can see in the CrowdSec Local API logs that we received this new decision ```bash title="/var/log/crowdsec.log" time="31-03-2023 10:01:22" level=info msg="Received order 96384829-4dfd-4759-9e99-6b007dcf6452 from PAPI (1 decisions)" -time="31-03-2023 10:01:22" level=info msg="Adding decision for '1.2.3.4' with UUID: b0ab6879-99b0-4960-8e80-c231ff22aa6c" -time="31-03-2023 10:01:22" level=info msg="(console) xxxx@crowdsec.net ban decision from console by ip 1.2.3.4 : 4h ban on ip 1.2.3.4" +time="31-03-2023 10:01:22" level=info msg="Adding decision for '192.168.1.1' with UUID: b0ab6879-99b0-4960-8e80-c231ff22aa6c" +time="31-03-2023 10:01:22" level=info msg="(console) xxxx@crowdsec.net ban decision from console by ip 192.168.1.1 : 4h ban on ip 192.168.1.1" time="31-03-2023 10:01:29" level=info msg="Signal push: 1 signals to push" ``` 
@@ -37,7 +37,7 @@ sudo cscli decisions list ╭──────────┬──────────┬────────────────────┬─────────────────────────────────────┬────────┬─────────┬─────────────────────────────────────────────────────────┬────────┬────────────────────┬──────────╮ │ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │ ├──────────┼──────────┼────────────────────┼─────────────────────────────────────┼────────┼─────────┼─────────────────────────────────────────────────────────┼────────┼────────────────────┼──────────┤ -│ 51093289 │ console │ ip:1.2.3.4 │ Bad IP │ ban │ │ │ 0 │ 3h55m45.776620725s │ 13404 │ +│ 51093289 │ console │ ip:192.168.1.1 │ Bad IP │ ban │ │ │ 0 │ 3h55m45.776620725s │ 13404 │ ``` @@ -58,6 +58,6 @@ sudo cscli decisions list And we can see that our CrowdSec Local API received the order to delete the decision: ```bash -time="31-03-2023 11:41:52" level=info msg="Decision from 'console' for '1.2.3.4' (ban) has been deleted" +time="31-03-2023 11:41:52" level=info msg="Decision from 'console' for '192.168.1.1' (ban) has been deleted" time="31-03-2023 11:42:01" level=info msg="sync decisions: 1 deleted decisions to push" interval=10 source=papi ``` \ No newline at end of file diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/getting_started/crowdsec_tour.md b/crowdsec-docs/versioned_docs/version-v1.5.0/getting_started/crowdsec_tour.md index b9100d392..6230d19c5 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/getting_started/crowdsec_tour.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/getting_started/crowdsec_tour.md 
@@ -116,7 +116,7 @@ sudo cscli decisions list +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ | 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 | | | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | | -| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +| 801 | crowdsec | Ip:192.168.1.1 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ ``` @@ -130,11 +130,11 @@ There are different decisions `SOURCE`: ## Add/Remove decisions ```bash -cscli decisions add -i 1.2.3.4 -cscli decisions delete -i 1.2.3.4 +cscli decisions add -i 192.168.1.1 +cscli decisions delete -i 192.168.1.1 ``` -Those commands will respectively add a manual decision for ip `1.2.3.4` (with default parameters such as duration and such), and remove all active decisions for ip `1.2.3.4`. +Those commands will respectively add a manual decision for ip `192.168.1.1` (with default parameters such as duration and such), and remove all active decisions for ip `192.168.1.1`. diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/local_api/bouncers-api.md b/crowdsec-docs/versioned_docs/version-v1.5.0/local_api/bouncers-api.md index 134ecb84b..de81d700f 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/local_api/bouncers-api.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/local_api/bouncers-api.md @@ -72,7 +72,7 @@ As stated in the [swagger documentation](https://crowdsecurity.github.io/api_doc To have some data to query for, let's add two decisions to our local API ```bash -▶ sudo cscli decisions add -i 1.2.3.4 +▶ sudo cscli decisions add -i 192.168.1.1 INFO[0000] Decision successfully added ▶ sudo cscli decisions add -r 2.2.3.0/24 INFO[0000] Decision successfully added 
@@ -82,7 +82,7 @@ INFO[0000] Decision successfully added +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h59m18.079301785s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ @@ -92,8 +92,8 @@ INFO[0000] Decision successfully added ```bash title="Query a single banned IP" -▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=1.2.3.4 -[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=192.168.1.1 +[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` ```bash title="Query a single IP" 
@@ -112,7 +112,7 @@ _note: notice that the decision returned is the range that we banned earlier and ```bash title="Query a range in which one of the ban is contained" ▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?range=1.2.3.0/24\&contains\=false -[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` _note: notice the `contains` flag that is set to false_ @@ -141,7 +141,7 @@ INFO[0000] Decision successfully added | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h27m1.384972861s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+-------------+---------+----+--------+--------------------+----------+ ``` 
@@ -174,7 +174,7 @@ Given the our state looks like : +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 2h55m26.05271136s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/parsers/create.md b/crowdsec-docs/versioned_docs/version-v1.5.0/parsers/create.md index 72dac1b77..306edd305 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/parsers/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/parsers/create.md 
@@ -14,9 +14,9 @@ The creation of said functional testing will guide our process and will make it We're going to create a parser for the imaginary service "myservice" that produce three types of logs via syslog : ``` -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ``` As we are going to parse those logs to further detect bruteforce and user-enumeration attacks, we're simply going to "discard" the last type of logs. @@ -144,8 +144,8 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["is_my_service"] == "yes" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '1.2.3.4'" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '1.2.3.4'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '192.168.1.1'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '192.168.1.1'" ... 
@@ -162,19 +162,19 @@ Further inspection can be seen with `cscli hubtest explain` : ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse 
@@ -250,12 +250,12 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Success == true ... results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["user"] == "toto" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_subtype"] == "myservice_bad_password" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_type"] == "myservice_failed_auth" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["service"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["username"] == "toto" ... results["s01-parse"]["crowdsecurity/myservice-logs"][1].Evt.Meta["log_subtype"] == "myservice_bad_user" 
@@ -272,26 +272,26 @@ Again, further inspection with `cscli hubtest explain` will show us more about w ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🔴 crowdsecurity/myservice-logs ``` -__note: we can see that our log line `accepted connection for user 'toto' from '1.2.3.4'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ +__note: we can see that our log line `accepted connection for user 'toto' from '192.168.1.1'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ ## Closing word diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/profiles/format.md b/crowdsec-docs/versioned_docs/version-v1.5.0/profiles/format.md index 28ea697bc..7144e669e 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/profiles/format.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/profiles/format.md 
@@ -102,7 +102,7 @@ It is a list of `models.Decision` objects. The following fields, when present, a - `scope` : defines the scope of the resulting decision - `duration` : defines for how long will the decision be valid. The format must comply with [golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) - `type` : defines the type of the remediation that will be applied by available bouncers, for example `ban`, `captcha` - - `value` : define a hardcoded value for the decision (ie. `1.2.3.4`) + - `value` : define a hardcoded value for the decision (ie. `192.168.1.1`) ### `duration_expr` diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/scenarios/create.md b/crowdsec-docs/versioned_docs/version-v1.5.0/scenarios/create.md index 17adca29f..eab6425d6 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/scenarios/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/scenarios/create.md 
@@ -21,12 +21,12 @@ The creation of said functional testing will guide our process and will make it We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication : ``` -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ``` There's a [yaml schema 
@@ -151,17 +151,17 @@ INFO[01-10-2021 12:41:21 PM] Running test 'myservice-bf' WARN[01-10-2021 12:41:24 PM] Assert file '/home/dev/github/hub/.tests/myservice-bf/scenario.assert' is empty, generating assertion: len(results) == 1 -"1.2.3.4" in results[0].Overflow.GetSources() -results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" -results[0].Overflow.Sources["1.2.3.4"].Range == "" -results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" -results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"192.168.1.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" +results[0].Overflow.Sources["192.168.1.1"].Range == "" +results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "myservice-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "myservice_bad_user" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "myservice_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "myservice" -results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto" .... results[0].Overflow.Alert.GetScenario() == "crowdsecurity/myservice-bf" @@ -185,7 +185,7 @@ We can again understand more of what is going on thanks to `cscli hubtest explai ```bash ▶ cscli hubtest explain myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
@@ -196,7 +196,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3 ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -207,7 +207,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -218,7 +218,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -229,7 +229,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -240,7 +240,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
diff --git a/crowdsec-docs/versioned_docs/version-v1.5.0/whitelist/create.md b/crowdsec-docs/versioned_docs/version-v1.5.0/whitelist/create.md index caf9445d1..da1048d98 100644 --- a/crowdsec-docs/versioned_docs/version-v1.5.0/whitelist/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.5.0/whitelist/create.md @@ -191,7 +191,7 @@ We recommend to use a file like `/etc/crowdsec/capi_whitelists.yaml` and the con ```yaml ips: - - 1.2.3.4 + - 192.168.1.1 - 2.3.4.5 cidrs: - 1.2.3.0/24 diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/hooks.md b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/hooks.md index c338bf355..3cee31a75 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/hooks.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/hooks.md @@ -102,7 +102,7 @@ inband_rules: - crowdsecurity/base-config - crowdsecurity/vpatch-* pre_eval: - - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42" + - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1" apply: - RemoveInBandRuleByName("my_rule") ``` @@ -188,7 +188,7 @@ inband_rules: - crowdsecurity/base-config - crowdsecurity/vpatch-* post_eval: - - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42" + - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1" apply: - CancelAlert() - CancelEvent() diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/protocol.md b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/protocol.md index 22e3483f7..762ef46ba 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/protocol.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/protocol.md 
@@ -45,7 +45,7 @@ All requests forwarded by the remediation component must be sent via a `GET` req For this example: -- A `POST` HTTP request has been made by the IP `1.2.3.4` to a website on `example.com`. +- A `POST` HTTP request has been made by the IP `192.168.1.1` to a website on `example.com`. - The Application Security Component listen on `http://localhost:4241/`.
@@ -75,7 +75,7 @@ username=admin' OR '1'='1' -- &password=password ``` POST / HTTP/1.1 Host: localhost:4241 -X-Crowdsec-Appsec-ip: 1.2.3.4 +X-Crowdsec-Appsec-ip: 192.168.1.1 X-Crowdsec-Appsec-Uri: /login X-Crowdsec-Appsec-Host: example.com X-Crowdsec-Appsec-Verb: POST diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/quickstart.md b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/quickstart.md index f8f41a82a..9791c81c8 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/quickstart.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/quickstart.md @@ -89,7 +89,7 @@ Please keep this key since you will not be able to retrieve it! 2. Emit a legitimate request to the AppSec Component: ```bash -curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' ``` Which will give us an answer such as: @@ -110,7 +110,7 @@ We're trying to access a `.env` file, a [common way to get access to some creden ::: ```bash -curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' ``` 
diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/troubleshooting.md b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/troubleshooting.md index 94d77da0e..c98bdc02d 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/troubleshooting.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/appsec/troubleshooting.md @@ -75,7 +75,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password > Emit a request to the AppSec Component ```bash -curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' +curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' HTTP/1.1 200 OK Date: Tue, 05 Dec 2023 19:37:56 GMT Content-Length: 18 @@ -85,7 +85,7 @@ Content-Type: text/plain; charset=utf-8 If you receive a `200 OK`, you can authenticate to the AppSec Component. If the component is misconfigured or your API key is invalid, you will receive a `401 Unauthorized`: ```bash -curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' +curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' HTTP/1.1 401 Unauthorized Date: Tue, 05 Dec 2023 19:38:51 GMT Content-Length: 0 
@@ -212,7 +212,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password We can now query our AppSec Component (we're assuming here that it runs on the default `127.0.0.1:7422`, see the `listen_addr` parameter of the acquisition config): ```bash -▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' +▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' HTTP/1.1 403 Forbidden Date: Tue, 05 Dec 2023 11:17:51 GMT Content-Length: 16 @@ -225,7 +225,7 @@ And we see the alert appearing in `crowdsec.log` : ``` ... -INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 42.42.42.42 +INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 192.168.1.1 ... ``` @@ -235,7 +235,7 @@ And in `cscli alerts list` : ╭────┬────────────────┬─────────────────────────────────────┬─────────┬────┬───────────┬───────────────────────────────╮ │ ID │ value │ reason │ country │ as │ decisions │ created_at │ ├────┼────────────────┼─────────────────────────────────────┼─────────┼────┼───────────┼───────────────────────────────┤ -│ 1 │ Ip:42.42.42.42 │ crowdsecurity/vpatch-CVE-2023-42793 │ │ │ │ 2023-12-05 11:17:51 +0000 UTC │ +│ 1 │ Ip:192.168.1.1 │ crowdsecurity/vpatch-CVE-2023-42793 │ │ │ │ 2023-12-05 11:17:51 +0000 UTC │ ╰────┴────────────────┴─────────────────────────────────────┴─────────┴────┴───────────┴───────────────────────────────╯ ``` diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/expr/other_helpers.md b/crowdsec-docs/versioned_docs/version-v1.6.0/expr/other_helpers.md index aed09f9df..c33a966bd 100644 
--- a/crowdsec-docs/versioned_docs/version-v1.6.0/expr/other_helpers.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/expr/other_helpers.md @@ -34,7 +34,7 @@ An empty string if the key doesn't exist (or has been evicted), and error is rai Returns true if it's a valid IPv4. -> `IsIPV4("1.2.3.4")` +> `IsIPV4("192.168.1.1")` > `IsIPV4(Alert.GetValue())` @@ -44,7 +44,7 @@ Returns true if it's a valid IP (v4 or v6). > `IsIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")` -> `IsIP("1.2.3.4")` +> `IsIP("192.168.1.1")` > `IsIP(Alert.GetValue())` diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/getting_started/crowdsec_tour.mdx b/crowdsec-docs/versioned_docs/version-v1.6.0/getting_started/crowdsec_tour.mdx index b9100d392..6230d19c5 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/getting_started/crowdsec_tour.mdx +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/getting_started/crowdsec_tour.mdx @@ -116,7 +116,7 @@ sudo cscli decisions list +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ | 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 | | | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | | -| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +| 801 | crowdsec | Ip:192.168.1.1 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 | +-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+ ```
@@ -130,11 +130,11 @@ There are different decisions `SOURCE`: ## Add/Remove decisions ```bash -cscli decisions add -i 1.2.3.4 -cscli decisions delete -i 1.2.3.4 +cscli decisions add -i 192.168.1.1 +cscli decisions delete -i 192.168.1.1 ``` -Those commands will respectively add a manual decision for ip `1.2.3.4` (with default parameters such as duration and such), and remove all active decisions for ip `1.2.3.4`. +Those commands will respectively add a manual decision for ip `192.168.1.1` (with default parameters such as duration and such), and remove all active decisions for ip `192.168.1.1`. diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/local_api/bouncers-api.md b/crowdsec-docs/versioned_docs/version-v1.6.0/local_api/bouncers-api.md index 134ecb84b..de81d700f 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/local_api/bouncers-api.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/local_api/bouncers-api.md @@ -72,7 +72,7 @@ As stated in the [swagger documentation](https://crowdsecurity.github.io/api_doc To have some data to query for, let's add two decisions to our local API ```bash -▶ sudo cscli decisions add -i 1.2.3.4 +▶ sudo cscli decisions add -i 192.168.1.1 INFO[0000] Decision successfully added ▶ sudo cscli decisions add -r 2.2.3.0/24 INFO[0000] Decision successfully added 
@@ -82,7 +82,7 @@ INFO[0000] Decision successfully added +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h59m18.079301785s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h59m11.079297437s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ @@ -92,8 +92,8 @@ INFO[0000] Decision successfully added ```bash title="Query a single banned IP" -▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=1.2.3.4 -[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?ip=192.168.1.1 +[{"duration":"3h51m57.363171728s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` ```bash title="Query a single IP" 
@@ -112,7 +112,7 @@ _note: notice that the decision returned is the range that we banned earlier and ```bash title="Query a range in which one of the ban is contained" ▶ curl -H "X-Api-Key: 837be58e22a28738066de1be8f53636b" http://localhost:8080/v1/decisions\?range=1.2.3.0/24\&contains\=false -[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"1.2.3.4"}] +[{"duration":"3h48m7.676653651s","id":2336,"origin":"cscli","scenario":"manual 'ban' from '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA'","scope":"Ip","type":"ban","value":"192.168.1.1"}] ``` _note: notice the `contains` flag that is set to false_ @@ -141,7 +141,7 @@ INFO[0000] Decision successfully added | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 3h27m1.384972861s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 3h26m54.384971268s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+-------------+---------+----+--------+--------------------+----------+ ``` 
@@ -174,7 +174,7 @@ Given the our state looks like : +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ | 2337 | cscli | Range:2.2.3.0/24 | manual 'ban' from | ban | | | 1 | 2h55m26.05271136s | 1164 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | -| 2336 | cscli | Ip:1.2.3.4 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | +| 2336 | cscli | Ip:192.168.1.1 | manual 'ban' from | ban | | | 1 | 2h55m19.052706441s | 1163 | | | | | '939972095cf1459c8b22cc608eff85daEb4yoi2wiTD7Y3fA' | | | | | | | +------+--------+------------------+----------------------------------------------------+--------+---------+----+--------+--------------------+----------+ diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/parsers/create.md b/crowdsec-docs/versioned_docs/version-v1.6.0/parsers/create.md index 72dac1b77..306edd305 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/parsers/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/parsers/create.md 
@@ -14,9 +14,9 @@ The creation of said functional testing will guide our process and will make it We're going to create a parser for the imaginary service "myservice" that produce three types of logs via syslog : ``` -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ``` As we are going to parse those logs to further detect bruteforce and user-enumeration attacks, we're simply going to "discard" the last type of logs. @@ -144,8 +144,8 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["is_my_service"] == "yes" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '1.2.3.4'" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '1.2.3.4'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["message"] == "bad password for user 'toto' from '192.168.1.1'" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["some_data"] == "bad password for user 'toto' from '192.168.1.1'" ... 
@@ -162,19 +162,19 @@ Further inspection can be seen with `cscli hubtest explain` : ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse 
@@ -250,12 +250,12 @@ results["s01-parse"]["crowdsecurity/myservice-logs"][0].Success == true ... results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["timestamp"] == "Dec 8 06:28:43" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["program"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Parsed["user"] == "toto" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_subtype"] == "myservice_bad_password" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["log_type"] == "myservice_failed_auth" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["service"] == "myservice" -results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4" +results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1" results["s01-parse"]["crowdsecurity/myservice-logs"][0].Evt.Meta["username"] == "toto" ... results["s01-parse"]["crowdsecurity/myservice-logs"][1].Evt.Meta["log_subtype"] == "myservice_bad_user" 
@@ -272,26 +272,26 @@ Again, further inspection with `cscli hubtest explain` will show us more about w ```bash ▶ cscli hubtest explain myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🟢 crowdsecurity/myservice-logs -line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: accepted connection for user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs └ s01-parse └ 🔴 crowdsecurity/myservice-logs ``` -__note: we can see that our log line `accepted connection for user 'toto' from '1.2.3.4'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ +__note: we can see that our log line `accepted connection for user 'toto' from '192.168.1.1'` wasn't parsed by `crowdsecurity/myservice-logs` as we have no pattern for it__ ## Closing word diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/profiles/format.md b/crowdsec-docs/versioned_docs/version-v1.6.0/profiles/format.md index 63ddcf5af..8158c9f49 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/profiles/format.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/profiles/format.md 
@@ -102,7 +102,7 @@ It is a list of `models.Decision` objects. The following fields, when present, a - `scope` : defines the scope of the resulting decision - `duration` : defines for how long will the decision be valid. The format must comply with [golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) - `type` : defines the type of the remediation that will be applied by available bouncers, for example `ban`, `captcha` - - `value` : define a hardcoded value for the decision (ie. `1.2.3.4`) + - `value` : define a hardcoded value for the decision (ie. `192.168.1.1`) ### `duration_expr` diff --git a/crowdsec-docs/versioned_docs/version-v1.6.0/scenarios/create.md b/crowdsec-docs/versioned_docs/version-v1.6.0/scenarios/create.md index 5c99e8521..86e16ef43 100644 --- a/crowdsec-docs/versioned_docs/version-v1.6.0/scenarios/create.md +++ b/crowdsec-docs/versioned_docs/version-v1.6.0/scenarios/create.md 
@@ -20,12 +20,12 @@ The creation of said functional testing will guide our process and will make it We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication : ``` -Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' -Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' +Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ``` There's a [yaml schema 
@@ -145,17 +145,17 @@ INFO[01-10-2021 12:41:21 PM] Running test 'myservice-bf' WARN[01-10-2021 12:41:24 PM] Assert file '/home/dev/github/hub/.tests/myservice-bf/scenario.assert' is empty, generating assertion: len(results) == 1 -"1.2.3.4" in results[0].Overflow.GetSources() -results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" -results[0].Overflow.Sources["1.2.3.4"].Range == "" -results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" -results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"192.168.1.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1" +results[0].Overflow.Sources["192.168.1.1"].Range == "" +results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "myservice-bf.log" results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" results[0].Overflow.Alert.Events[0].GetMeta("log_subtype") == "myservice_bad_user" results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "myservice_failed_auth" results[0].Overflow.Alert.Events[0].GetMeta("service") == "myservice" -results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1" results[0].Overflow.Alert.Events[0].GetMeta("username") == "toto" .... results[0].Overflow.Alert.GetScenario() == "crowdsecurity/myservice-bf" @@ -178,7 +178,7 @@ We can again understand more of what is going on thanks to `cscli hubtest explai ```bash ▶ cscli hubtest explain myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse 
@@ -189,7 +189,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: unknown user 'toto' from '1.2.3 ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -200,7 +200,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -211,7 +211,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -222,7 +222,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse @@ -233,7 +233,7 @@ line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' f ├ Scenarios └ 🟢 crowdsecurity/myservice-bf -line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '1.2.3.4' +line: Dec 8 06:28:43 mymachine myservice[2806]: bad password for user 'admin' from '192.168.1.1' ├ s00-raw | └ 🟢 crowdsecurity/syslog-logs ├ s01-parse