
Alert with multiple sources: only the last source is kept

Open · AlteredCoder opened this issue 2 years ago · 1 comment

What happened?

I'm experimenting with the scenario "crowdsecurity/auditd-postexploit-exec-from-net". I'm triggering this scenario and have a custom bouncer that will kill the PID of the process when an alert is triggered. Currently, in this scenario, we put the "PPID" of the process in the scope of the alert (for notification, I guess), but for the bouncer part, I need the PID of the last event to be killed (and not the PPID).

So I replaced evt.Meta.ppid by evt.Meta.pid in the expression field of the scope section, as below:

scope:
  type: pid
  expression: evt.Meta.pid

The problem is that four decisions are generated when I trigger the scenario (because four events are in the bucket). But each decision has the PID of the last event (which is OK for my case, but it is still a bug):

time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"

Here is the output of cscli alert inspect (I kept only the interesting fields):

 - Reason       : crowdsecurity/auditd-postexploit-exec-from-net
 - Events Count : 4
 - Scope:Value  : pid:2080185
...
...
...
 - Events  :

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/ping            │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080182                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/curl            │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080183                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/chmod           │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080184                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ exe             │ /tmp/backdoor.sh         │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080185                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

And we can see that the source of the alert is the PID of the last event.

What did you expect to happen?

I would like to be able to specify (in the scenario or maybe in the profile directly) the PID of which event I want in the scope if I want only one decision to be generated. For example, if we do this directly in the scenario, it would be something like this (if I want to generate a decision only on the PID of the last event):

scope:
    type: pid
    expression: queue.queue[-1].Meta.pid

Or it can also be the PID of whichever events I want, if I want to generate multiple decisions (for example, if I want to generate a decision only for the PID of the first and last event):

scope:
  - type: pid
    expression: queue.queue[0].Meta.pid
  - type: pid
    expression: queue.queue[-1].Meta.pid

How can we reproduce it (as minimally and precisely as possible)?

  • Install the crowdsecurity/auditd collection
  • Change the scope expression in the crowdsecurity/auditd-postexploit-exec-from-net scenario to evt.Meta.pid
  • Trigger the scenario
  • You should see X decisions but the value of all of them is always the PID of the last event in the bucket

Anything else we need to know?

No response

Crowdsec version

2023/10/05 15:54:31 version: v1.5.4-debian-pragmatic-amd64-e4dcdd25728b914823525f1efabf18d5c454902b
2023/10/05 15:54:31 Codename: alphaga
2023/10/05 15:54:31 BuildDate: 2023-09-20_10:36:53
2023/10/05 15:54:31 GoVersion: 1.20.5
2023/10/05 15:54:31 Platform: linux
2023/10/05 15:54:31 libre2: C++
2023/10/05 15:54:31 Constraint_parser: >= 1.0, <= 2.0
2023/10/05 15:54:31 Constraint_scenario: >= 1.0, < 3.0
2023/10/05 15:54:31 Constraint_api: v1
2023/10/05 15:54:31 Constraint_acquis: >= 1.0, < 2.0

OS version

# On Linux:
Ubuntu 22.04.3 LTS

Enabled collections and parsers

$ cscli collections list -o raw
name,status,version,description
crowdsecurity/auditd,"enabled,tainted",0.6,auditd support : parsers and scenarios
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection
crowdsecurity/http-cve,enabled,2.1,
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection

Acquisition config

```yaml
filenames:
  - /var/log/audit/*.log
labels:
  type: auditd
```

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

AlteredCoder avatar Oct 05 '23 15:10 AlteredCoder
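To make the requested semantics concrete, here is an added example (not CrowdSec code, and not from the issue author) that models how the two scope forms proposed above would resolve against the four events of this alert, and a small consistency check that flags the reported behaviour (every decision carrying the last event's PID). The events are constructed from the `cscli alert inspect` output in the issue; `resolve_scope` and `decisions_for` are hypothetical helpers, and the expression grammar they accept is limited to the two forms discussed.

```python
import re

# Constructed from the four execve events shown in the alert above (exe, pid, ppid only)
EVENTS = [
    {"exe": "/usr/bin/ping",    "pid": "2080182", "ppid": "2080181"},
    {"exe": "/usr/bin/curl",    "pid": "2080183", "ppid": "2080181"},
    {"exe": "/usr/bin/chmod",   "pid": "2080184", "ppid": "2080181"},
    {"exe": "/tmp/backdoor.sh", "pid": "2080185", "ppid": "2080181"},
]

def resolve_scope(expression, queue):
    """Resolve a scope expression to the list of values decisions should be built from.
    evt.Meta.<key>              -> one value per event in the bucket (current per-event form)
    queue.queue[<i>].Meta.<key> -> one value from a specific event; negative index counts from the end
    """
    m = re.fullmatch(r"evt\.Meta\.(\w+)", expression)
    if m:
        return [evt[m.group(1)] for evt in queue]
    m = re.fullmatch(r"queue\.queue\[(-?\d+)\]\.Meta\.(\w+)", expression)
    if m:
        return [queue[int(m.group(1))][m.group(2)]]
    raise ValueError(f"unsupported scope expression: {expression}")

def decisions_for(scope, queue):
    """Apply a `scope:` mapping or list of mappings and return (type, value) pairs.
    Values are deduplicated in order, so a scope on ppid yields a single decision
    for the shared parent while a scope on pid yields one per distinct child.
    """
    entries = [scope] if isinstance(scope, dict) else scope
    seen = []
    for entry in entries:
        for value in resolve_scope(entry["expression"], queue):
            pair = (entry["type"], value)
            if pair not in seen:
                seen.append(pair)
    return seen

def uncovered_events(decision_values, queue, key="pid"):
    """Consistency check for an alert: which event values have no matching decision?
    For the issue's alert the four decisions all carry 2080185, so three PIDs come back.
    """
    covered = set(decision_values)
    return [evt[key] for evt in queue if evt[key] not in covered]

if __name__ == "__main__":
    print(decisions_for({"type": "pid", "expression": "evt.Meta.pid"}, EVENTS))
    print(uncovered_events(["2080185"] * 4, EVENTS))
```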

@AlteredCoder: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot] avatar Oct 05 '23 15:10 github-actions[bot]