Intrusion Detection and Prevention / [Solved] Questions about using crowdsec with suricata
« on: October 20, 2023, 07:40:03 am »
Situation:
Since I use opnsense for dial-up, I turned off IPS mode for suricata. I installed the collection named suricata from the crowdsec hub, which contains a suricata log parser and a defence rule, but it doesn't seem to be working properly.
I used this command to see how it was working:
Code:
sudo cscli parsers inspect crowdsecurity/suricata-logs
and found that it wasn't parsing any of the log files:
Code:
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/suricata-logs
Password:
type: parsers
stage: s01-parse
name: crowdsecurity/suricata-logs
filename: suricata-logs.yaml
description: Parse suricata fast.log
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/suricata
remote_path: parsers/s01-parse/crowdsecurity/suricata-logs.yaml
version: "0.6"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml
localversion: "0.6"
localhash: b3a55203e30b26f2cc1765278545389d79551838bc28643cf21a3150fc2efed6
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
Current metrics :
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/sshd-logs
type: parsers
stage: s01-parse
name: crowdsecurity/sshd-logs
filename: sshd-logs.yaml
description: Parse openSSH logs
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/sshd
remote_path: parsers/s01-parse/crowdsecurity/sshd-logs.yaml
version: "2.2"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
localversion: "2.2"
localhash: 509cfb3fecfc6922de0d09eb54c8c63b773678d7ff543ef0e3590ea5a8b3dc2e
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
Current metrics :
- (Parser) crowdsecurity/sshd-logs:
╭────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├────────────────────────────────┼──────┼────────┼──────────┤
│ file:/var/log/audit/latest.log │ 1 │ 0 │ 1 │
╰────────────────────────────────┴──────┴────────┴──────────╯
Which means that it wasn't doing its job, or maybe it doesn't even know where suricata's log files are? Because I've looked at other log parsers with that command, such as crowdsecurity/sshd-logs, and it's working fine. This makes me quite puzzled. How can I solve this problem?
System and Crowdsec version:
system: 23.7.6
crowdsec: 1.0.7
Thank you!
---
I've been using crowdsec since September and have had my eye on this since then; I tried searching for it but couldn't find anything. I thought about reading the crowdsec documentation to find a solution, but I'm just a rookie and what's in there is still difficult for me.
Just now I searched on GitHub and found an issue
https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356885402
which mentioned the file acquis.yaml. I modified the file according to the content in the issue, then looked at crowdsec's logs, which indeed began to show the defence rules operating.
Well, I finally found a solution.
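As an added example (not code from this thread, OPNsense or CrowdSec), a small POSIX shell check for the acquis.yaml side of this problem: CrowdSec parsers are matched on the datasource's `type` label, so when acquis.yaml declares no datasource labelled `type: suricata` the suricata-logs parser never sees a line and `cscli parsers inspect` prints an empty "Current metrics" section, as in the post above. The acquis.yaml location and the fast.log path are assumptions.

```shell
#!/bin/sh
# Added example, not CrowdSec's or OPNsense's own code. Checks whether an
# acquis.yaml feeds the crowdsecurity/suricata-logs parser at all, and whether
# the log files it names can actually be read.

# Return 0 when FILE ($1) declares at least one datasource labelled "type: suricata".
has_suricata_source() {
    grep -Eq '^[[:space:]]+type:[[:space:]]*suricata[[:space:]]*$' "$1"
}

# Print every path listed under a "filenames:" key in FILE ($1), one per line.
declared_files() {
    awk '
        /^filenames:/        { in_list = 1; next }   # start of a filenames list
        /^(---|[A-Za-z])/    { in_list = 0 }         # next document or next top-level key
        in_list && /^[[:space:]]*-/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print   # drop the "- " list marker
        }' "$1"
}

# Return 0 when every declared log file is readable (run with the privileges the
# crowdsec service has); otherwise name the offenders on stderr and return 1.
declared_files_readable() {
    rc=0
    for f in $(declared_files "$1"); do
        [ -r "$f" ] || { echo "not readable: $f" >&2; rc=1; }
    done
    return $rc
}

# Constructed acquis.yaml in the shape CrowdSec uses, one YAML document per
# datasource. This is the "before" state: an sshd datasource but no suricata one.
write_sample_acquis() {
    cat > "$1" <<'EOF'
filenames:
  - /var/log/auth.log
labels:
  type: syslog
EOF
}

# The fix: append a datasource for Suricata's fast.log (the hub describes the
# parser as "Parse suricata fast.log"). The path is an assumption for this example.
append_suricata_source() {
    cat >> "$1" <<'EOF'
---
filenames:
  - /var/log/suricata/fast.log
labels:
  type: suricata
EOF
}
```

On an OPNsense box the file to check would be the live one, e.g. `has_suricata_source /usr/local/etc/crowdsec/acquis.yaml` (path assumed from the parser's local_path shown above); after editing it, restart crowdsec and re-run `cscli parsers inspect crowdsecurity/suricata-logs` to confirm the metrics table appears.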