| 211 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 11:17:48.796651214 |
| 198 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 09:52:09.878302036 |
| 197 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 09:38:22.614388731 |
| 196 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 09:35:27.479266114 |
| 193 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 08:59:35.286548224 |
| 165 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 06:49:19.151134843 |
| 139 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 04:57:50.079403512 |
| 111 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-25 02:13:06.547834985 |
| 53 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 19:39:20.560827193 |
| 52 | Ip:185.253.97.235 | crowdsecurity/http-probing | | M247 Ltd | ban:1 | 2021-08-24 19:07:15.406812111 |
| 51 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 19:07:15.406897152 |
| 50 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 18:46:27.207730853 |
| 49 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 18:32:32.102330042 |
| 44 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 18:19:46.753098011 |
| 43 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 18:16:47.877478298 |
| 39 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 17:50:55.420897572 |
| 33 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 17:15:46.845790966 |
| 29 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 15:41:57.746549533 |
| 25 | Ip:185.253.97.235 | crowdsecurity/http-path-traversal-probing | | M247 Ltd | ban:1 | 2021-08-24 14:49:39.232150744 |
(alerts list output)
How come the same IP can be seen in this log a few minutes after the previous line?
In my understanding, the IP is detected and banned for 4h.
2nd question, about the leaky bucket:
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 5m
The capacity of 5 is exceeded, the leaky bucket overflows and the IP is banned, am I right?
159.89.205.174 - - [25/Aug/2021:11:42:31 +0000] "POST //wp-login.php HTTP/1.1" 200 6597 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.175" "respt=0.000 : 0.172" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.000 : 0.172"
159.89.205.174 - - [25/Aug/2021:11:42:31 +0000] "POST //wp-login.php HTTP/1.1" 200 6781 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.202" "respt=0.004 : 0.196" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.004 : 0.196"
159.89.205.174 - - [25/Aug/2021:11:42:34 +0000] "POST //wp-login.php HTTP/1.1" 200 7149 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=1.422" "respt=0.008 : 1.420" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.008 : 1.420"
159.89.205.174 - - [25/Aug/2021:11:42:35 +0000] "POST //wp-login.php HTTP/1.1" 200 7885 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.494" "respt=0.004 : 0.488" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.004 : 0.488"
159.89.205.174 - - [25/Aug/2021:11:42:36 +0000] "POST //wp-login.php HTTP/1.1" 200 8253 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.257" "respt=0.000 : 0.224" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.000 : 0.224"
159.89.205.174 - - [25/Aug/2021:11:42:40 +0000] "POST //wp-login.php HTTP/1.1" 200 9548 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.187" "respt=0.004 : 0.184" "host=www.toto" "cache=-" "upstream=10.216.124.44:9010 : 10.216.124.47:9001" "uheadt=0.004 : 0.180"
159.89.205.174 - - [25/Aug/2021:11:42:42 +0000] "POST //wp-login.php HTTP/1.1" 403 548 "ref=https://www.toto//wp-login.php" "ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" "rLoc=-" "reqt=0.003" "respt=-" "host=www.toto" "cache=-" "upstream=-" "uheadt=-"
I would suggest being able to see the “content” of the filter (capacity, leakspeed…) using the cscli scenarios inspect command?
The only solution I found is to display the content of the scenario file…
Thanks
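The leaky-bucket question above (capacity 5, leakspeed 10s, blackhole 5m), replayed over the quoted wp-login.php log lines as an added example; this is not code from the post or from CrowdSec itself. It assumes a bucket that holds `capacity` events, drains one event per `leakspeed`, overflows on the first event that finds no room, and then ignores its key for `blackhole`; the parser and filter are simplified stand-ins for CrowdSec's, so the exact boundary behaviour is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shortened from the nginx access-log lines quoted in the post;
# the GET line is added here to exercise the scenario filter.
SAMPLE_LOG = """\
159.89.205.174 - - [25/Aug/2021:11:42:31 +0000] "POST //wp-login.php HTTP/1.1" 200 6597
159.89.205.174 - - [25/Aug/2021:11:42:31 +0000] "POST //wp-login.php HTTP/1.1" 200 6781
159.89.205.174 - - [25/Aug/2021:11:42:33 +0000] "GET /wp-login.php HTTP/1.1" 200 6100
159.89.205.174 - - [25/Aug/2021:11:42:34 +0000] "POST //wp-login.php HTTP/1.1" 200 7149
159.89.205.174 - - [25/Aug/2021:11:42:35 +0000] "POST //wp-login.php HTTP/1.1" 200 7885
159.89.205.174 - - [25/Aug/2021:11:42:36 +0000] "POST //wp-login.php HTTP/1.1" 200 8253
159.89.205.174 - - [25/Aug/2021:11:42:40 +0000] "POST //wp-login.php HTTP/1.1" 200 9548
159.89.205.174 - - [25/Aug/2021:11:42:42 +0000] "POST //wp-login.php HTTP/1.1" 403 548
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<path>\S+) ')

def duration(text):
    """'10s' / '5m' / '4h', as written in the scenario file, -> timedelta."""
    n, unit = re.fullmatch(r"(\d+)([smh])", text).groups()
    return timedelta(seconds=int(n) * {"s": 1, "m": 60, "h": 3600}[unit])

def parse(line):  # stand-in for crowdsec's nginx parser (assumption: simplified fields)
    m = LINE_RE.match(line)
    return m and {"source_ip": m["ip"], "verb": m["verb"],
                  "file_name": m["path"].rsplit("/", 1)[-1],
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def run_scenario(log, capacity=5, leakspeed="10s", blackhole="5m"):
    """Return {source_ip: 'HH:MM:SS' of the first overflow} for each bucket that overflowed."""
    leak, hole = duration(leakspeed), duration(blackhole)
    buckets = defaultdict(lambda: {"level": 0.0, "last": None, "muted_until": None})
    overflows = {}
    for line in log.splitlines():
        evt = parse(line)   # filter: POST to wp-login.php (the log_type test is left out)
        if not evt or evt["file_name"] != "wp-login.php" or evt["verb"] != "POST":
            continue
        b = buckets[evt["source_ip"]]                 # groupby: evt.Meta.source_ip
        if b["muted_until"] and evt["ts"] < b["muted_until"]:
            continue                                   # blackhole: key ignored after overflow
        if b["last"] is not None:                      # one event leaks out every `leakspeed`
            b["level"] = max(0.0, b["level"] - (evt["ts"] - b["last"]) / leak)
        b["last"] = evt["ts"]
        if b["level"] + 1 > capacity:                  # no room for this event: overflow
            overflows.setdefault(evt["source_ip"], evt["ts"].strftime("%H:%M:%S"))
            b["level"], b["muted_until"] = 0.0, evt["ts"] + hole
            continue
        b["level"] += 1
    return overflows
```

With the posted settings the sixth POST at 11:42:40 is the one that overflows, which lines up with the 403 two seconds later; with a faster leak (1s) or a larger capacity (6) the same lines never overflow.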