Bug/cscli/crowdsec: simulation mode with custom scenarios
Describe the bug
When enabling the simulation mode for a custom scenario (maybe also tainted, I didn't try) and triggering it, the decision is still emitted.
To Reproduce
- Have a custom scenario
- Disable the simulation mode with cscli simulation disable -g and enable it only for the custom scenario.
- Reload crowdsec
- Trigger the scenario
- Run cscli alerts list or cscli decisions list and you can see that the IP address is banned.
Expected behavior: allow simulation for custom/tainted scenarios also.
Technical Information (please complete the following information):
- Ubuntu
- CrowdSec v1.3.0
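A way to verify, after reloading crowdsec, whether the simulation configuration from the reproduction steps above was actually honoured. This is an added example, not part of the original report and not CrowdSec's own code. It assumes /etc/crowdsec/simulation.yaml has the two keys cscli writes (`simulation`, a global flag, and `exclusions`, a list of scenario names that invert the global flag), and that `cscli alerts list -o json` returns a list of alert objects carrying `scenario`, `simulated` and `decisions` with their own `simulated` flag. The config and alert samples below are constructed for the demo; the YAML reader only handles that flat layout and is not a general parser.

```python
"""Check that CrowdSec simulation mode was honoured for the configured scenarios.

Added example (not CrowdSec code). Compares the simulation configuration with
the alerts the local API stored and reports alerts or decisions that should
have been simulated but were written as real.
"""
import json
import re

# Constructed sample of /etc/crowdsec/simulation.yaml, as produced by
# `cscli simulation disable -g` followed by `cscli simulation enable custom/brute_force`.
SIMULATION_YAML = """\
simulation: false
exclusions:
  - custom/brute_force
"""

# Constructed sample in the shape of `cscli alerts list -o json`.
# Alert 1 mirrors the failure mode: a scenario in simulation mode that still
# produced a real alert and a live ban. Alert 3 shows the correct behaviour.
ALERTS_JSON = """
[
  {"id": 1, "scenario": "custom/brute_force", "simulated": false,
   "source": {"scope": "Ip", "value": "10.42.1.0"},
   "decisions": [{"id": 1, "type": "ban", "scenario": "custom/brute_force",
                  "scope": "Ip", "value": "10.42.1.0", "simulated": false}]},
  {"id": 2, "scenario": "crowdsecurity/ssh-bf", "simulated": false,
   "source": {"scope": "Ip", "value": "10.42.1.7"},
   "decisions": [{"id": 2, "type": "ban", "scenario": "crowdsecurity/ssh-bf",
                  "scope": "Ip", "value": "10.42.1.7", "simulated": false}]},
  {"id": 3, "scenario": "custom/brute_force", "simulated": true,
   "source": {"scope": "Ip", "value": "10.42.1.9"},
   "decisions": [{"id": 3, "type": "ban", "scenario": "custom/brute_force",
                  "scope": "Ip", "value": "10.42.1.9", "simulated": true}]}
]
"""


def parse_simulation_yaml(text):
    """Minimal reader for the flat simulation.yaml layout cscli writes.

    Returns (global_flag, set_of_exclusions). Assumption: only the keys
    `simulation` and `exclusions` appear; this is not a general YAML parser.
    """
    global_flag = False
    exclusions = set()
    in_exclusions = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^simulation:\s*(true|false)\s*$", line)
        if m:
            global_flag = m.group(1) == "true"
            in_exclusions = False
            continue
        if re.match(r"^exclusions:\s*$", line):
            in_exclusions = True
            continue
        m = re.match(r"^\s*-\s*(\S+)\s*$", line)
        if in_exclusions and m:
            exclusions.add(m.group(1))
            continue
        in_exclusions = False  # any other key ends the list
    return global_flag, exclusions


def should_be_simulated(scenario, global_flag, exclusions):
    """CrowdSec semantics: a scenario listed under `exclusions` gets the
    opposite of the global flag (global off + listed => simulated;
    global on + listed => real)."""
    return global_flag != (scenario in exclusions)


def find_violations(alerts, global_flag, exclusions):
    """Return (alert_id, scenario, problem) for every alert or decision that
    was stored as real although its scenario should have been simulated."""
    violations = []
    for alert in alerts:
        scenario = alert["scenario"]
        if not should_be_simulated(scenario, global_flag, exclusions):
            continue  # a real alert is the expected outcome here
        if not alert.get("simulated", False):
            violations.append((alert["id"], scenario,
                               "alert stored as real but scenario is in simulation mode"))
        for dec in alert.get("decisions") or []:
            if not dec.get("simulated", False):
                violations.append((alert["id"], scenario,
                                   "live decision %s: %s %s:%s" % (
                                       dec.get("id"), dec.get("type"),
                                       dec.get("scope"), dec.get("value"))))
    return violations


def check(simulation_yaml_text, alerts_json_text):
    """Convenience wrapper: feed it the contents of simulation.yaml and the
    output of `cscli alerts list -o json`."""
    global_flag, exclusions = parse_simulation_yaml(simulation_yaml_text)
    return find_violations(json.loads(alerts_json_text), global_flag, exclusions)


if __name__ == "__main__":
    for alert_id, scenario, problem in check(SIMULATION_YAML, ALERTS_JSON):
        print("alert %d (%s): %s" % (alert_id, scenario, problem))
```

On a live host, replace the two constructed samples with the real file and the real `cscli alerts list -o json` output; any line printed means a scenario you put in simulation mode still produced a real alert or a live ban, which is exactly the condition this issue describes.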
Hello, it seems more complicated than expected to fix the issue. Currently, the workaround is to put the name of the scenario file instead of the name of the scenario.
For example, if a scenario called test/custom_scenario is in a file called custom_scenario.yaml, then we should enable the simulation like this:
sudo cscli simulation enable custom_scenario.yaml
And this should work.
This issue will be fixed during the refactor of the cwhub library.
Maybe I haven't read it correctly, but I've tried doing that and I can't. When trying to enable the simulation for the file, it returns:
'custom_scenario.yaml' doesn't exist or is not a scenario
This is a 2-year-old workaround that most likely does not work anymore. I will attempt to see if there is a new workaround or whether the original issue has been resolved.
I have tested this and the original bug report has been fixed.
╭─loz ~ took 17ms
╰─λ cat /etc/crowdsec/scenarios/ah.yaml
File: /etc/crowdsec/scenarios/ah.yaml
# 404 scan
type: leaky
#debug: true
name: crowdsecurity/ah
description: "Detect site scanning/probing from a single ip"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
distinct: "evt.Meta.http_path"
capacity: 10
reprocess: false
leakspeed: "10s"
blackhole: 5m
labels:
  remediation: true
  classification:
    - attack.T1595.003
  behavior: "http:scan"
  label: "HTTP Probing"
  spoofable: 0
  service: http
  confidence: 1
╭─loz ~ took 11ms
╰─λ cscli simulation enable crowdsecurity/ah
INFO[2024-04-03T12:54:55+01:00] simulation mode for 'crowdsecurity/ah' enabled
INFO[2024-04-03T12:54:55+01:00] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
What is the status of this? Simulation mode - both global and enabled only for individual custom scenarios - doesn't work for me at all on version 1.6.x.
crowdsec-crowdsec-agent-947ql:/# cscli version && cscli simulation status && cscli scenarios inspect custom/brute_force && cscli alerts list && cscli alerts inspect 1 && cscli decisions list
2024/04/19 16:33:31 version: v1.6.1-c6e40191
2024/04/19 16:33:31 Codename: alphaga
2024/04/19 16:33:31 BuildDate: 2024-04-18_13:47:41
2024/04/19 16:33:31 GoVersion: 1.21.9
2024/04/19 16:33:31 Platform: docker
2024/04/19 16:33:31 libre2: C++
2024/04/19 16:33:31 Constraint_parser: >= 1.0, <= 3.0
2024/04/19 16:33:31 Constraint_scenario: >= 1.0, <= 3.0
2024/04/19 16:33:31 Constraint_api: v1
2024/04/19 16:33:31 Constraint_acquis: >= 1.0, < 2.0
INFO[2024-04-19T16:33:31Z] global simulation: disabled
INFO[2024-04-19T16:33:31Z] Scenarios in simulation mode :
INFO[2024-04-19T16:33:31Z] - custom/brute_force
type: scenarios
name: custom/brute_force
file_name: brute-force.yaml
local_path: /etc/crowdsec/scenarios/brute-force.yaml
installed: true
downloaded: false
uptodate: true
tainted: false
local: true
Current metrics:
- (Scenario) custom/brute_force:
╭───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├───────────────┼───────────┼──────────────┼────────┼─────────┤
│ 0 │ 1 │ 1 │ 6 │ 0 │
╰───────────────┴───────────┴──────────────┴────────┴─────────╯
╭────┬──────────────┬────────────────────┬─────────┬────┬───────────┬─────────────────────────────────────────╮
│ ID │ value │ reason │ country │ as │ decisions │ created_at │
├────┼──────────────┼────────────────────┼─────────┼────┼───────────┼─────────────────────────────────────────┤
│ 1 │ Ip:10.42.1.0 │ custom/brute_force │ │ │ ban:1 │ 2024-04-19 16:32:40.080501659 +0000 UTC │
╰────┴──────────────┴────────────────────┴─────────┴────┴───────────┴─────────────────────────────────────────╯
################################################################################################
- ID : 1
- Date : 2024-04-19T16:32:53Z
- Machine : CrowdSec [email protected]
- Simulation : false
- Reason : custom/brute_force
- Events Count : 6
- Scope:Value : Ip:10.42.1.0
- Country :
- AS :
- Begin : 2024-04-19 16:32:40.080501659 +0000 UTC
- End : 2024-04-19 16:32:52.848885005 +0000 UTC
- UUID : 31342e93-fbcc-430d-ad28-10a47bab32a1
- Active Decisions :
╭────┬──────────────┬────────┬──────────────────┬──────────────────────╮
│ ID │ scope:value │ action │ expiration │ created_at │
├────┼──────────────┼────────┼──────────────────┼──────────────────────┤
│ 1 │ Ip:10.42.1.0 │ ban │ 59m20.978523943s │ 2024-04-19T16:32:53Z │
╰────┴──────────────┴────────┴──────────────────┴──────────────────────╯
╭────┬──────────┬──────────────┬────────────────────┬────────┬─────────┬────┬────────┬──────────────────┬──────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├────┼──────────┼──────────────┼────────────────────┼────────┼─────────┼────┼────────┼──────────────────┼──────────┤
│ 1 │ crowdsec │ Ip:10.42.1.0 │ custom/brute_force │ ban │ │ │ 6 │ 59m20.914209538s │ 1 │
╰────┴──────────┴──────────────┴────────────────────┴────────┴─────────┴────┴────────┴──────────────────┴──────────╯
On version 1.5.5 global simulation works as expected, and enabled only for a custom scenario works after applying the previously mentioned workaround.
Yes, we found a bug introduced by 1.6.0; we will be fixing this for 1.6.2, which we expect within a month.