Dashboard - Queries and Clarifications

indranilkamulkar · August 31, 2020, 2:08pm

A CrodwSec instance has been installed on one of my server and have found no IP bans or no Dashboard Data … Seems very weird can you please help in this … Also find cscli metrics

±-------------------------------------±--------------±----------±-------------±-------±--------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
±-------------------------------------±--------------±----------±-------------±-------±--------+
| crowdsecurity/http-crawl-non_statics | 3 | - | 680 | 1359 | 677 |
| crowdsecurity/http-probing | - | - | 10 | 18 | 10 |
| crowdsecurity/ssh-bf | - | - | 7 | 8 | 7 |
| crowdsecurity/ssh-bf_user-enum | - | - | 7 | 7 | 7 |
±-------------------------------------±--------------±----------±-------------±-------±--------+
INFO[0000] Acquisition Metrics:
±--------------------------±-----------±-------------±---------------±-----------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
±--------------------------±-----------±-------------±---------------±-----------------------+
| /var/log/httpd/access_log | 2875 | 2875 | - | 1377 |
| /var/log/messages | 327 | - | 327 | - |
| /var/log/secure | 95 | 8 | 87 | 15 |
±--------------------------±-----------±-------------±---------------±-----------------------+
INFO[0000] Parser Metrics:
±-------------------------------±-----±-------±---------+
| PARSERS | HITS | PARSED | UNPARSED |
±-------------------------------±-----±-------±---------+
| child-crowdsecurity/http-logs | 8625 | 5970 | 2655 |
| child-crowdsecurity/sshd-logs | 311 | 8 | 303 |
| crowdsecurity/apache2-logs | 2875 | 2875 | - |
| crowdsecurity/dateparse-enrich | 2883 | 2883 | - |
| crowdsecurity/geoip-enrich | 2883 | 2883 | - |
| crowdsecurity/http-logs | 2875 | 2510 | 365 |
| crowdsecurity/non-syslog | 2875 | 2875 | - |
| crowdsecurity/sshd-logs | 67 | 8 | 59 |
| crowdsecurity/syslog-logs | 422 | 422 | - |
| crowdsecurity/whitelists | 2883 | 2883 | - |
±-------------------------------±-----±-------±---------+

thibault · August 31, 2020, 2:19pm

Hello,

From what appears in your cscli metrics, I would say it’s normal (in the way that it’s not surprising nothing shows up in your dashboard).

Regarding acquisition (logs being read/parsed)

±--------------------------±-----------±-------------±---------------±-----------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
±--------------------------±-----------±-------------±---------------±-----------------------+
| /var/log/httpd/access_log | 2875 | 2875 | - | 1377 |
| /var/log/messages | 327 | - | 327 | - |
| /var/log/secure | 95 | 8 | 87 | 15 |
±--------------------------±-----------±-------------±---------------±-----------------------+

100% of your HTTP access logs are read and parsed, and nearly half of them are even being poured to buckets
none of your logs in /var/log/messages are being parsed (but it might be ok depending on what is there)
while most of your logs in /var/log/secure are not parsed, the ones that are, are being sent to buckets as well

Regarding the buckets:

±-------------------------------------±--------------±----------±-------------±-------±--------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
±-------------------------------------±--------------±----------±-------------±-------±--------+
| crowdsecurity/http-crawl-non_statics | 3 | - | 680 | 1359 | 677 |
| crowdsecurity/http-probing | - | - | 10 | 18 | 10 |
| crowdsecurity/ssh-bf | - | - | 7 | 8 | 7 |
| crowdsecurity/ssh-bf_user-enum | - | - | 7 | 7 | 7 |
±-------------------------------------±--------------±----------±-------------±-------±--------+

Some buckets have been created, or are even existing instances right now, but none of them overflowed (you can see the column “OVERFLOWS” is always empty).
Events will be written in the database only once a bucket overflows.

So, from the metrics that are being shown here, I would say that it’s simply because no scenario have been triggered so far

If you want to be sure it’s working correctly, you can simulate an attack yourself, such as a ssh-bruteforce or a web vulnerability scanner (based on the scenarios that seem enabled on your setup).

For the latest case, running nikto -host yourdomain.com might do the trick, and you should see overflows popping up, in both the cscli metrics output, and in the logs

indranilkamulkar · August 31, 2020, 4:05pm

As per your suggestion INFO[0000] Buckets Metrics:
±-------------------------- | BUCKET ±-------------------------- | crowdsecurity/http-crawl-non_statics | crowdsecurity/http-path-tr | crowdsecurity/http-probing | crowdsecurity/http-sensitive-files | crowdsecurity/http-xss-probbing | crowdsecurity/ssh-bf | crowdsecurity/ssh-bf_user-enum ±-------------------------- INFO[0000] Acquisition Metrics:
±-------------------------- | SOURCE ±-------------------------- | /var/log/httpd/access_log | | /var/log/messages | /var/log/secure ±-------------------------- INFO[0000] Parser Metrics:
±-------------------------- | PARSERS ±-------------------------- | child-crowdsecurity/http-logs | child-crowdsecurity/sshd-logs | crowdsecurity/apache2-logs | crowdsecurity/cdn-whitelist | crowdsecurity/dateparse-enrich | crowdsecurity/geoip-enrich | crowdsecurity/http-logs | crowdsecurity/non-syslog | crowdsecurity/rdns | crowdsecurity/seo-bots-whitelist | | crowdsecurity/sshd-logs | crowdsecurity/syslog-logs | crowdsecurity/whitelists ±-------------------------- If you check for the have used nikto tool and checked on the Server and could get the results on the dashboard … Now everything is working fine as expected … Thanks Thibault for you clear explanation …
----------------±--------------±----------±-------------±-------±--------+
| CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
----------------±--------------±----------±-------------±-------±--------+
| 1 | 28 | 942 | 3435 | 913 |
aversal-probing | 1 | 21 | 22 | 90 | - |
| 1 | 1 | 17 | 53 | 15 |
| 1 | 8 | 9 | 60 | - |
| - | 24 | 28 | 164 | 4 |
| - | - | 8 | 9 | 8 |
| - | - | 8 | 8 | 8 |
----------------±--------------±----------±-------------±-------±--------+
±-----------±-------------±---------------±-----------------------+
| LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
±-----------±-------------±---------------±-----------------------+
5816 | 5816 | - | 3802 |
| 423 | - | 423 | - |
| 111 | 9 | 102 | 17 |
±-----------±-------------±---------------±-----------------------+
-------±------±-------±---------+
| HITS | PARSED | UNPARSED |
-------±------±-------±---------+
| 17448 | 12334 | 5114 |
| 363 | 9 | 354 |
| 5816 | 5816 | - |
| 7 | 7 | - |
| 5825 | 5825 | - |
| 5825 | 5825 | - |
| 5816 | 5248 | 568 |
| 5816 | 5816 | - |
| 7 | 7 | - |
7 | 7 | - |
| 78 | 9 | 69 |
| 534 | 534 | - |
| 5825 | 5825 | - |
-------±------±-------±---------+
overflows and the count is 28

Thanks & Regards
Neil

Topic		Replies	Views
Checking bans really work and how to extend bans? crowdsec	8	3027	December 14, 2021
Crowdsec-blacklists empty	10	1787	November 28, 2020
My ip is in the decisions list	6	199	February 20, 2024
Can you explain me those things?	1	523	August 26, 2021
SSHD detection not working? crowdsec	27	1868	December 9, 2021

Dashboard - Queries and Clarifications

Related Topics