Configuration for block snmp scan

Hi all,

I am new to CrowdSec and I want to use it to replace fail2ban on my different servers, but I am having some trouble with the customization of the configurations.

In particular, how do I customize the configurations for the number of attempts, the duration, and the duration of the ban? I noticed that when I modify the configuration (yaml), the configuration is then in warning; is this normal behavior?

The second thing is how to add a rule simply? I have a lot of SNMP scans and I want to ban the IPs for 30m after 5 attempts, based on the firewall rules (iptables):

Jun  2 14:46:59 localhost kernel: [1570756.275089] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.15.38 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=97 ID=10820 PROTO=UDP SPT=56721 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.277475] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.15.38 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=97 ID=10820 PROTO=UDP SPT=56721 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.283114] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.15.40 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=152 ID=31040 PROTO=UDP SPT=10983 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.301960] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.14.19 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=172 ID=36410 PROTO=UDP SPT=39755 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.303354] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.15.40 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=126 ID=27449 PROTO=UDP SPT=19815 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.323062] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.14.19 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=172 ID=36410 PROTO=UDP SPT=39755 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.328768] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.14.19 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=172 ID=36410 PROTO=UDP SPT=39755 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.336171] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.14.22 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=226 ID=41916 PROTO=UDP SPT=24507 DPT=161 LEN=42 
Jun  2 14:46:59 localhost kernel: [1570756.361122] FINAL_REJECT: IN=ens3 OUT= MAC=fa:16:3e:fa:20:b8:a6:3c:9a:3d:77:04:08:00 SRC=168.194.14.25 DST=*.*.*.* LEN=62 TOS=0x00 PREC=0x00 TTL=204 ID=22142 PROTO=UDP SPT=19280 DPT=161 LEN=42 

Thanks

Romain

Okay after some research in the documentation here is what I came up with:

```yaml
# SNMP Scan
type: leaky
#debug: true
name: rdrit/rdrit-snmp-bf
description: "detect snmp bf"
filter: "evt.Meta.log_type == 'iptables_drop' && evt.Parsed.dst_port == '161'"
groupby: evt.Meta.source_ip
#distinct: evt.Parsed.dst_port
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  type: scan
  service: tcp
  remediation: true
  scope: ip
```

What do you think ?
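To make the scenario's parameters concrete, here is an added Python simulation (not from the thread and not CrowdSec's own code): it parses kernel lines in the FINAL_REJECT format shown above, keeps one leaky bucket per source IP with the same capacity, leakspeed and blackhole values, and reports which IPs would overflow. The log lines and IPs are constructed, and the bucket is a simplified model of CrowdSec's.

```python
import re
from dataclasses import dataclass

# Scenario parameters from the YAML above: capacity 5, leakspeed 10s, blackhole 1m.
CAPACITY, LEAKSPEED, BLACKHOLE = 5, 10.0, 60.0

# Timestamp is the kernel uptime in brackets; SRC/PROTO/DPT are the fields the filter needs.
LINE_RE = re.compile(r"kernel: \[(?P<ts>[\d.]+)\].*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def kernel_line(ts, src, dpt=161):
    """Constructed line in the thread's FINAL_REJECT format (some fields trimmed)."""
    return (f"Jun  2 14:46:59 localhost kernel: [{ts:.6f}] FINAL_REJECT: IN=ens3 OUT= "
            f"SRC={src} DST=203.0.113.10 LEN=62 PROTO=UDP SPT=40000 DPT={dpt} LEN=42")


# Constructed sample: one scanner that trips the bucket twice, one that stays under it,
# and one non-SNMP hit that the filter must ignore.
SAMPLE = [kernel_line(1570756.0 + i * 0.5, "198.51.100.7") for i in range(6)]  # 6 hits in 3s
SAMPLE += [kernel_line(1570756.0 + i, "198.51.100.8") for i in range(3)]       # only 3 hits
SAMPLE += [kernel_line(1570790.0, "198.51.100.7")]                             # inside blackhole
SAMPLE += [kernel_line(1570900.0 + i * 0.5, "198.51.100.7") for i in range(6)]  # after blackhole
SAMPLE += [kernel_line(1570756.0, "198.51.100.9", dpt=22)]                     # not port 161


@dataclass
class Bucket:
    tokens: float = 0.0          # events currently held
    last_ts: float = 0.0         # uptime of the last counted event
    blackhole_until: float = 0.0  # events from this IP are ignored until then


def parse_line(line):
    """Return the fields used by the scenario, or None if the line is not an iptables drop."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"ts": float(m["ts"]), "src": m["src"], "proto": m["proto"], "dpt": m["dpt"]}


def run_scenario(lines, capacity=CAPACITY, leakspeed=LEAKSPEED, blackhole=BLACKHOLE):
    """Replay lines through one leaky bucket per source IP; return (ip, ts) overflows."""
    buckets, alerts = {}, []
    for line in lines:
        evt = parse_line(line)
        if evt is None or evt["dpt"] != "161":   # same condition as the scenario filter
            continue
        b, ts = buckets.setdefault(evt["src"], Bucket()), evt["ts"]
        if ts < b.blackhole_until:               # blackhole: drop repeat events for 1m
            continue
        b.tokens = max(0.0, b.tokens - (ts - b.last_ts) / leakspeed)  # one token leaks per 10s
        b.last_ts = ts
        b.tokens += 1
        if b.tokens > capacity:                  # the 6th event within the window overflows
            alerts.append((evt["src"], ts))
            b.tokens, b.blackhole_until = 0.0, ts + blackhole
    return alerts
```

Running `run_scenario(SAMPLE)` flags 198.51.100.7 twice and never 198.51.100.8, which is the behaviour the capacity/leakspeed/blackhole values above are meant to produce.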

Hello @rdrit !

Yes, for now crowdsec will warn you when you "modify" a configuration from the hub, because then it can't/won't update it anymore. However, soon a mechanism is going to be added to make this easier: Request for comments: parsers & scenarios customization in the CrowdSec agent

Your scenario looks fine (didn't try it though); does it seem to work as intended?

Hi thibault,

Thank you for your answer, I am in a hurry to have this new functionality.

The scenario works quite well for SNMP blocking.

Romain

I'm more than you are :smiley:

If the scenario works well, would you mind doing a PR on the hub to add it? :wink: