Suricata with Crowdsec

Started by Meg, February 27, 2025, 12:57:54 AM

Hello: Not sure if I should ask this here or in a crowdsec forum. I am running suricata in ids mode and have crowdsec set up to parse suricata logs and ban. I have been noticing that not all the suricata alerts are being sent to or collected by crowdsec. When I checked the suricata fast logs, I have found that only suricata alerts with Classification: Potentially Bad Traffic are being picked up by crowdsec. Others such as Classification: Attempted Information Leak seem to be ignored by crowdsec.

Probably the parser for it is setup for that. Hopefully there'll be engagement from the crowdsec people here.

Hey Laurence from CrowdSec,

We do miss posts that are not in official forums, so don't expect us to always find these posts.

So the scenario as outlined on the hub has the description: https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/suricata-alerts


```
trigger ban on Major (severity:1) rules
trigger ban on >2 distinct rules of severity 2
```

So we always trigger an immediate ban on Major rules, but if the information leak is a severity of 2, we only trigger a ban if they have attempted >2 (so 3) rules of the same severity.
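As an added example (not code from this thread, and not CrowdSec's own parser or scenario), the following Python models the two rules quoted from the hub description, applied to constructed Suricata fast.log lines: it treats the fast.log `Priority` field as the severity, bans a source on any severity-1 alert, and otherwise bans only once more than two distinct severity-2 rule ids have fired for that source, so repeats of the same rule never add up. The sid numbers, IPs (TEST-NET ranges) and messages are constructed; the threshold constant and the IPv4-only regex are assumptions made here for illustration.

```python
"""
Simulation of the suricata-alerts scenario logic quoted from the hub
(ban on a severity-1 rule; ban on more than two distinct severity-2 rules),
run over constructed Suricata fast.log lines.  Illustrative code written for
this thread; not CrowdSec's parser or scenario implementation.
"""
import re
from collections import defaultdict

# Shape of a Suricata fast.log alert line; IPv4 addresses only for simplicity.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)

MAJOR = 1            # "Major" in the hub text: severity/priority 1
MINOR = 2            # severity/priority 2
MINOR_THRESHOLD = 2  # assumed: ban once a source has fired MORE than this many distinct severity-2 rules


def parse_fast_log(line):
    """Return the alert fields of one fast.log line, or None if it is not an alert line."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["priority"] = int(rec["priority"])
    return rec


def evaluate(lines):
    """
    Walk the lines in order and decide, per source IP, whether the scenario
    would ban it and why.  Returns {src_ip: reason-string or None}.
    """
    decisions = {}
    minor_sids = defaultdict(set)  # src_ip -> distinct severity-2 rule ids seen so far
    for line in lines:
        alert = parse_fast_log(line)
        if alert is None:
            continue  # not an alert line (e.g. truncated); skipped, as a parser would
        src = alert["src_ip"]
        decisions.setdefault(src, None)
        if decisions[src]:
            continue  # already banned; nothing more to decide for this source
        if alert["priority"] == MAJOR:
            decisions[src] = f"severity-1 rule sid {alert['sid']} ({alert['classification']})"
        elif alert["priority"] == MINOR:
            minor_sids[src].add(alert["sid"])  # a set: the same sid repeating does not count twice
            if len(minor_sids[src]) > MINOR_THRESHOLD:
                decisions[src] = (
                    f"{len(minor_sids[src])} distinct severity-2 rules: "
                    + ", ".join(str(s) for s in sorted(minor_sids[src]))
                )
    return decisions


# Constructed sample fast.log lines (sids in the local 9000000+ range, TEST-NET addresses).
SAMPLE_FAST_LOG = [
    # 203.0.113.10: three different severity-2 rules -> banned on the third distinct one
    "02/27/2025-00:50:01.000001  [**] [1:9000001:1] EXAMPLE info leak probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:44321 -> 192.0.2.5:80",
    "02/27/2025-00:50:02.000002  [**] [1:9000002:1] EXAMPLE info leak probe B [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:44322 -> 192.0.2.5:80",
    "02/27/2025-00:50:03.000003  [**] [1:9000003:1] EXAMPLE odd traffic C [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44323 -> 192.0.2.5:443",
    # 203.0.113.20: a single severity-1 rule -> banned immediately
    "02/27/2025-00:51:00.000004  [**] [1:9000010:1] EXAMPLE admin priv gain [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.20:50000 -> 192.0.2.5:22",
    # 203.0.113.30: the same severity-2 rule four times -> never banned (only 1 distinct rule)
    "02/27/2025-00:52:00.000005  [**] [1:9000001:1] EXAMPLE info leak probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.30:40001 -> 192.0.2.5:80",
    "02/27/2025-00:52:01.000006  [**] [1:9000001:1] EXAMPLE info leak probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.30:40002 -> 192.0.2.5:80",
    "02/27/2025-00:52:02.000007  [**] [1:9000001:1] EXAMPLE info leak probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.30:40003 -> 192.0.2.5:80",
    "02/27/2025-00:52:03.000008  [**] [1:9000001:1] EXAMPLE info leak probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.30:40004 -> 192.0.2.5:80",
]

if __name__ == "__main__":
    for ip, reason in evaluate(SAMPLE_FAST_LOG).items():
        print(f"{ip}: {'BAN ' + reason if reason else 'no ban'}")
```

Running it shows the behaviour the thread describes: the host that fired three different severity-2 signatures is banned only at the third one, the host with a single severity-1 alert is banned at once, and the host that repeated one "Attempted Information Leak" signature four times is never banned, because the rule counts distinct signatures, not alerts. That last case is the one to check for when alerts appear to be "ignored": a noisy single signature of severity 2 never reaches the threshold on its own.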

@iiAmLoz good to see you around here.

Thanks for the answer. I got the same reply on crowdsec discord.