Ban each request after overflow

Today I played again with a scenario which is not using the IP for the groupby field. Instead I'm using the IsoCode.

type: leaky
format: 2.0
name: bu/tariffs-by-country
description: "detect too many requests to tariffs endpoint from outside DE"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Enriched.IsoCode != 'DE' && evt.Parsed.request startsWith '/desktopapi/tariffs/'"
leakspeed: "60s"
capacity: 4
groupby: evt.Enriched.IsoCode
blackhole: 0
reprocess: true
debug: true
labels:
 service: http
 type: crawler-check
 remediation: true

What I wanted to achieve is that all requests from outside Germany to a specific URL are counted and grouped by country. When there are more requests than allowed by capacity, the bucket for the current country should overflow, and I expect a decision and an alert for each IP.

When I run my test scenario and observe the decision list with watch cscli decision list, I see an alert for the IP ending with 155, but not for the one ending with 154.

This is my test data:

May  8 11:51:23 anyserver.intern.bu.xxx.de haproxy[948]: 178.190.110.154:50993 [08/May/2022:11:51:16.264] public~ desktopapi/desktopapi-02 0/0/1/7038/7039 200 5087 - - ---- 212/208/0/0/0 0/0 {Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36} "POST /desktopapi/tariffs/insurances HTTP/2.0"
May  8 11:51:23 anyserver.intern.bu.xxx.de haproxy[948]: 178.190.110.155:50993 [08/May/2022:11:51:16.264] public~ desktopapi/desktopapi-02 0/0/1/7038/7039 200 5087 - - ---- 212/208/0/0/0 0/0 {Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36} "POST /desktopapi/tariffs/insurances HTTP/2.0"

I just duplicated the data multiple times to simulate multiple requests from two IPs.

This is the decision list:

+----+----------+--------------------+-----------------------+---------+---------+----------------------------+--------+-----------------+----------+
| ID |  SOURCE  |    SCOPE:VALUE     |        REASON         | ACTION  | COUNTRY |             AS             | EVENTS |   EXPIRATION    | ALERT ID |
+----+----------+--------------------+-----------------------+---------+---------+----------------------------+--------+-----------------+----------+
|  2 | crowdsec | Ip:178.190.110.155 | bu/tariffs-by-country | captcha | AT      | 8447 A1 Telekom Austria AG |      5 | 4m54.795402488s |        2 |
+----+----------+--------------------+-----------------------+---------+---------+----------------------------+--------+-----------------+----------+
1 duplicated entries skipped

In the alerts list, I see two entries for IP 155, but not for 154.

I guess it's using the wrong IP for the second alert. Is there a bug in CrowdSec, or am I doing or thinking something completely wrong? I'm using the haproxy parser, and cscli inspect correctly shows me two different IP addresses. Thanks in advance for the support.
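To make the bucket mechanics concrete, here is an added simulation (not CrowdSec's code and not part of the original post) of a leaky bucket keyed by evt.Enriched.IsoCode with the scenario's leakspeed and capacity, fed with lines built from the two log entries above; the GEOIP table and the 192.0.2.10 DE client are constructed stand-ins for the GeoIP enrichment. In this model both IPs land in the same AT bucket, so a single overflow is produced for the country and it carries both IPs as its events.

```python
import re
from collections import defaultdict

# Simplified leaky bucket using the scenario's leakspeed/capacity/groupby fields.
# Illustration only, not CrowdSec's implementation; GEOIP is a constructed stand-in
# for the evt.Enriched.IsoCode enrichment.
LEAKSPEED_S, CAPACITY = 60.0, 4
GEOIP = {"178.190.110.154": "AT", "178.190.110.155": "AT", "192.0.2.10": "DE"}
HAPROXY_RE = re.compile(r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ .*?"\w+ (?P<path>\S+) ')
TEMPLATE = ('May  8 11:51:23 anyserver.intern.bu.xxx.de haproxy[948]: {ip}:50993 '
            '[08/May/2022:11:51:16.264] public~ desktopapi/desktopapi-02 0/0/1/7038/7039 '
            '200 5087 - - ---- 212/208/0/0/0 0/0 {{Mozilla/5.0}} "POST {path} HTTP/2.0"')

def parse_event(line):
    """Client IP, request path and (looked-up) country from an haproxy log line."""
    m = HAPROXY_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "request": m["path"], "iso": GEOIP.get(m["ip"], "??")}

def matches_filter(evt):
    """The scenario's filter: outside DE and hitting the tariffs endpoint."""
    return evt["iso"] != "DE" and evt["request"].startswith("/desktopapi/tariffs/")

def run_buckets(events, capacity=CAPACITY, leakspeed=LEAKSPEED_S):
    """Feed (timestamp, event) pairs into one bucket per groupby key (IsoCode).
    Returns one overflow record per overflowing bucket, listing every IP it held."""
    buckets = defaultdict(lambda: {"level": 0.0, "last": None, "ips": []})
    overflows = []
    for ts, evt in events:
        if evt is None or not matches_filter(evt):
            continue
        b = buckets[evt["iso"]]
        if b["last"] is not None:  # one unit leaks every `leakspeed` seconds
            b["level"] = max(0.0, b["level"] - (ts - b["last"]) / leakspeed)
        b["last"] = ts
        b["level"] += 1
        b["ips"].append(evt["ip"])
        if b["level"] > capacity:  # the (capacity+1)th event overflows
            overflows.append({"key": evt["iso"], "ips": sorted(set(b["ips"])),
                              "events": len(b["ips"])})
            buckets.pop(evt["iso"])  # bucket is consumed by the overflow
    return overflows

def demo():
    """Replay the post's two IPs alternately, plus one DE request that is filtered out."""
    ips = ["178.190.110.154", "178.190.110.155"] * 3 + ["192.0.2.10"]
    lines = [TEMPLATE.format(ip=ip, path="/desktopapi/tariffs/insurances") for ip in ips]
    return run_buckets([(float(i), parse_event(l)) for i, l in enumerate(lines)])

if __name__ == "__main__":
    for o in demo():
        print(f"bucket {o['key']} overflowed after {o['events']} events from {o['ips']}")
```

Which of the bucket's IPs ends up as the source of the real alert is exactly the behaviour the question is about; this model only shows that the bucket itself is per country, not per IP.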