Hi, I'm new. What's http-bad-user-agent mean?

Hi. Title kinda says it all. :slight_smile: Install went smooth, got the web GUI Metabase installed and working w/ minimal problems.

I woke up this morning to see I’ve already had a couple bad actors come knocking and get banned.

My question though is what exactly does http-bad-user-agent mean? I tried looking this up, but I guess it’s just something crowdsec has defined somewhere. Should I be concerned? It looks like they were banned.

Hello @hiro24,

The scenario http-bad-user-agent is triggered if the user agent of an IP visiting your website is in this list.

oh, ok, cool. I think I follow. But I’m not seeing a lot of information about what user-agent was used. Only that it came from DigitalOcean. Would I need to modify the decisions to set the logging higher to see more information then? Like exactly which user-agent got flagged?

If you want to view the user agent that got flagged, you can do :

cscli alerts list to get the ID of the alert
cscli alerts inspect <alert_id> -d to view the details of the alert (here you should see the user agent that got flagged)

Maybe I’m missing something here, but I’m not seeing it.

hiro@olympus:/home$ sudo cscli alerts inspect 9 -d

################################################################################################

 - ID         : 9
 - Date       : 2021-08-26T00:05:32-04:00
 - Machine    : 2cc11acdc552491185318383b1c058ddu4lw6DlPVqk6Fc1J
 - Simulation : false
 - Reason     : crowdsecurity/http-bad-user-agent
 - Events Count : 2
 - Scope:Value: Ip:192.241.204.198
 - Country    : US
 - AS         : DigitalOcean, LLC


 - Events  :

- Date: 2021-08-26 00:05:31 -0400 -0400
+-------------+-------------------+
|     KEY     |       VALUE       |
+-------------+-------------------+
| ASNNumber   |             14061 |
| ASNOrg      | DigitalOcean, LLC |
| IsInEU      | false             |
| IsoCode     | US                |
| SourceRange | 192.241.128.0/17  |
| http_path   | /                 |
| http_status |               200 |
| log_type    | http_access-log   |
| service     | http              |
| source_ip   | 192.241.204.198   |
+-------------+-------------------+

- Date: 2021-08-26 00:05:31 -0400 -0400
+-------------+-------------------+
|     KEY     |       VALUE       |
+-------------+-------------------+
| ASNNumber   |             14061 |
| ASNOrg      | DigitalOcean, LLC |
| IsInEU      | false             |
| IsoCode     | US                |
| SourceRange | 192.241.128.0/17  |
| http_path   | /                 |
| http_status |               200 |
| log_type    | http_access-log   |
| service     | http              |
| source_ip   | 192.241.204.198   |
+-------------+-------------------+

Are you using the nginx or apache parser?

Apache I believe. I’m running apache and I’m pretty sure I selected it in the configuration step.

Oh, okay. I found it. I looked in the actual apache logs. It was a zgrab user-agent.

Yes, we must also add the user agent to the meta object for Apache too, so you can view which user agent got flagged in cscli alerts inspect.
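To see for yourself which user agent a given access-log line would have matched, here is an added example (not CrowdSec's parser or scenario code) that extracts the fields the alert shows plus the user agent from Apache "combined" log lines and checks them against a bad-user-agent list. The log lines, the IPs and the list entries other than zgrab are constructed for the example.

```python
import re
from typing import Optional

# Apache "combined" format, the default in most distro configs:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<source_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<http_path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<http_status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<http_user_agent>[^"]*)"'
)

# Constructed sample list; "zgrab" is the agent named in the thread.
# The real CrowdSec list is larger and maintained by the hub.
BAD_USER_AGENTS = ["zgrab", "masscan", "nikto", "sqlmap"]

def parse_apache_combined(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def match_bad_user_agent(meta: dict, bad_list=BAD_USER_AGENTS) -> Optional[str]:
    """Return the list entry found (case-insensitively) inside the user agent, else None."""
    ua = meta.get("http_user_agent", "").lower()
    for bad in bad_list:
        if bad.lower() in ua:
            return bad
    return None

# Constructed access-log lines (documentation-range IPs, not real visitors).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Aug/2021:00:05:31 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.7 - - [26/Aug/2021:00:06:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"',
    '203.0.113.22 - - [26/Aug/2021:00:07:45 -0400] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    'not a log line',
]

def flagged_events(lines, bad_list=BAD_USER_AGENTS) -> list:
    """Like the alert's event table, but with the user agent and the matched entry included."""
    out = []
    for line in lines:
        meta = parse_apache_combined(line)
        if meta is None:
            continue  # unparsable lines are skipped, not treated as matches
        hit = match_bad_user_agent(meta, bad_list)
        if hit:
            out.append({k: meta[k] for k in ("source_ip", "http_path", "http_status", "http_user_agent")}
                       | {"matched": hit})
    return out

if __name__ == "__main__":
    for ev in flagged_events(SAMPLE_LOG):
        print(ev)
```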

Oh, well… cool? Maybe that means I helped? lol.

Yes, you spotted a mistake in the parser, thanks!
