Topics - (~ ̄▽ ̄)~

#1
Situation:
Since I use OPNsense for dial-up, I turned off IPS mode for Suricata. I installed the collection named suricata from the CrowdSec hub, which contains a Suricata log parser and a defense rule, but it doesn't seem to be working properly.

I used this command to see how it was working:
sudo cscli parsers inspect crowdsecurity/suricata-logs
and found that it wasn't parsing any of the log files:
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/suricata-logs
Password:
type: parsers
stage: s01-parse
name: crowdsecurity/suricata-logs
filename: suricata-logs.yaml
description: Parse suricata fast.log
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/suricata
remote_path: parsers/s01-parse/crowdsecurity/suricata-logs.yaml
version: "0.6"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml
localversion: "0.6"
localhash: b3a55203e30b26f2cc1765278545389d79551838bc28643cf21a3150fc2efed6
installed: true
downloaded: true
uptodate: true
tainted: false
local: false

Current metrics :
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/sshd-logs
type: parsers
stage: s01-parse
name: crowdsecurity/sshd-logs
filename: sshd-logs.yaml
description: Parse openSSH logs
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/sshd
remote_path: parsers/s01-parse/crowdsecurity/sshd-logs.yaml
version: "2.2"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
localversion: "2.2"
localhash: 509cfb3fecfc6922de0d09eb54c8c63b773678d7ff543ef0e3590ea5a8b3dc2e
installed: true
downloaded: true
uptodate: true
tainted: false
local: false

Current metrics :

- (Parser) crowdsecurity/sshd-logs:
╭────────────────────────────────┬──────┬────────┬──────────╮
│            Parsers             │ Hits │ Parsed │ Unparsed │
├────────────────────────────────┼──────┼────────┼──────────┤
│ file:/var/log/audit/latest.log │ 1    │ 0      │ 1        │
╰────────────────────────────────┴──────┴────────┴──────────╯

This means that it isn't doing its job, or maybe it doesn't even know where Suricata's log files are? I've looked at other log parsers with that command, such as crowdsecurity/sshd-logs, and they work fine. This makes me quite puzzled.

How can I solve this problem?

System and CrowdSec version:
system:  23.7.6
crowdsec: 1.0.7

Thank you!

---

I've been using CrowdSec since September and have had my eye on this since then; I tried searching for it but couldn't find anything. I thought about reading the CrowdSec documentation to find a solution, but I'm just a rookie and what's in there is still difficult for me.
Just now I searched on GitHub and found an issue,
https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356885402
which mentioned the file acquis.yaml. I modified the file according to the content in the issue, then looked at CrowdSec's logs, which indeed began to show the defence rules operating.
Well, I finally found a solution.
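As an added illustration (not from the post above, the linked issue, or the CrowdSec hub itself), this is the kind of acquisition entry the poster is referring to. CrowdSec only hands a file's lines to a parser if the file is listed as a datasource and carries the right `labels.type`; the hub's crowdsecurity/suricata-logs parser expects the label `suricata`. A parser that is installed but never receives a line shows exactly what the first post shows: `installed: true` with an empty "Current metrics" section. The log path below is an assumption: confirm what your OPNsense Suricata instance actually writes, and note that the parser describes itself as "Parse suricata fast.log", so pointing it at eve.json will not help.

```yaml
# Added example, not from the original post or the CrowdSec hub.
# Appended as its own YAML document to /usr/local/etc/crowdsec/acquis.yaml
# (the file the post and the linked issue refer to). Entries are separated
# by "---"; each one is a datasource.
---
# Suricata fast.log datasource.
# Path is an assumption for OPNsense; check where your Suricata writes fast.log.
filenames:
  - /var/log/suricata/fast.log
labels:
  # This label is what routes the lines to crowdsecurity/suricata-logs.
  # Without "type: suricata" the file is read but never reaches that parser.
  type: suricata
```

After restarting the crowdsec service, `sudo cscli metrics` should list the file under the acquisition metrics with a non-zero read count, and `sudo cscli parsers inspect crowdsecurity/suricata-logs` should then show a metrics table with hits, like the sshd-logs output above, instead of an empty section.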
#2
For example, like automatically putting it into an alias?
#3
Chinese - 中文 / Edited
September 13, 2023, 08:58:24 PM
Can't get it working, giving up.
#4
Chinese - 中文 / Edited
August 28, 2023, 07:31:43 AM
Edited