No decisions for the scope

Hello.
I want to block a range of IPs with the crowdsec-firewall bouncer. But I see only alerts for the scope. No decision is applied.
My config is like this:

  • /etc/crowdsec/scenarios/vpnserver.yaml
type: leaky
name: bruteforce-by-range
description: "Detect ipsec bruteforce from AS"
filter: "evt.Meta.ASNNumber != '0' && evt.Meta.log_type == 'vpn_log'"
groupby: "evt.Meta.ASNNumber"
distinct: "evt.Meta.source_ip"
leakspeed: "30s"
capacity: 5
blackhole: 1m
labels:
  service: vpn
  type: AS_bruteforce
  remediation: true
scope:
  type: AS
  expression: evt.Meta.SourceRange

  • /etc/crowdsec/profiles.yaml
name: default_AS_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "AS"
decisions:
 - type: ban
   duration: 1h
on_success: break

And the result looks like this:

# cscli alerts list
+-----+----------------------+-----------------------------------------+---------+---------------------+-----------+--------------------------------+
| ID  |        VALUE         |                 REASON                  | COUNTRY |         AS          | DECISIONS |           CREATED AT           |
+-----+----------------------+-----------------------------------------+---------+---------------------+-----------+--------------------------------+
| 160 | AS:141.210.0.0/16    | bruteforce-by-range                     |         |                     |           | 2021-11-24 23:54:16.500131807  |
|     |                      |                                         |         |                     |           | +0300 +0300                    |

As you can see, the DECISIONS column is empty.
And the result of the command:

# cscli decisions list
No active decisions

Help me, please.

Hello @mainevent_07,

Here there is some confusion between IP range and AS. It might be the source of the error, as AS and IP range are types that are “known” by crowdsec, and the IP range you captured cannot be treated as an AS.

Can you try to use the type Range instead (in both your scenario and your profile)?

No changes. Decisions are still empty.
Now my config is:

  • /etc/crowdsec/scenarios/vpnserver.yaml
type: leaky
name: bruteforce-by-range
description: "Detect ipsec bruteforce from range"
filter: "evt.Meta.SourceRange != '' && evt.Meta.log_type == 'vpn_log'"
groupby: "evt.Meta.SourceRange"
distinct: "evt.Meta.source_ip"
leakspeed: "30s"
capacity: 5
blackhole: 1m
labels:
  service: vpn
  type: range_bruteforce
  remediation: true
scope:
  type: Range
  expression: evt.Meta.SourceRange

  • /etc/crowdsec/profiles.yaml
name: default_range_remediation
debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 1h
on_success: break

And the result of my own simulation:

# cscli alerts list
+-----+----------------------+-----------------------------------------+---------+---------------------+-----------+--------------------------------+
| ID  |        VALUE         |                 REASON                  | COUNTRY |         AS          | DECISIONS |           CREATED AT           |
+-----+----------------------+-----------------------------------------+---------+---------------------+-----------+--------------------------------+
| 170 | Range:141.210.0.0/16 | vpnserver-ipsec-bruteforce-by-range     | US      |  Merit Network Inc. |           | 2021-12-02 01:12:31.241193786  |
|     |                      |                                         |         |                     |           | +0300 +0300                    |
# cscli decisions list
No active decisions

In the log file I see that the range performed:
time="02-12-2021 01:12:31" level=info msg="Range 141.210.0.0/16 performed 'vpnserver-ipsec-bruteforce-by-range' (6 events over 105.509535ms) at 2021-12-02 01:12:31.34670288 +0300 MSK m=+11.435410604"

Hello,

From what I read, your configuration seems correct. Would you mind sharing the parser and some log samples so I can try to reproduce on my own?

Thank you very much,

Log files and the parser file are available here: to_cs_community — Яндекс.Диск

I simulate an attack by manually adding the same string with a different <src_ip> to the vpn.log file.
Log message like this:

2021-10-06 00:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.32:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds

In one case I add 8 log messages at a time (in the crowdsec log file this is the interval 01:34:57-01:34:58); in another case, one message per second (in the crowdsec log file this is the interval 01:36:55-01:37:17).

Thanks, I’ll try to reproduce it manually and let you know.

Hello @mainevent_07 !

I managed to make it work locally, but I don’t know exactly what went wrong on your side, so let me detail my setup and hopefully you’ll figure out what was wrong in yours.

On the parser side, I modified it a bit so that the timestamp is correctly captured (it allows testing scenarios etc. on “cold” logs):

filter: "evt.Line.Labels.type == 'vpnserver'"
#debug: true
onsuccess: next_stage
name: crowdsecurity/vpnserver-logs
description: "Parse vpnserver logs"
grok:
  pattern: '%{TIMESTAMP_ISO8601:time_local} IPsec IKE Session \(IKE SA\) \d+ \(Client: \d+\) \(%{IP:src_ip}:.*A new IKE SA \(Main Mode\) is created. Initiator Cookie:'
  apply_on: message
statics:
  - meta: log_type
    value: vpnserver_ipsec
  - meta: source_ip
    expression: "evt.Parsed.src_ip"
  - target: evt.StrTime
    expression: evt.Parsed.time_local

PS: note that I captured the timestamp at the beginning of the lines and put it into evt.StrTime so that dateparse-enrich can deal with it.

On the scenario side, there was a mismatch between the event type produced by the parser and the one expected by the scenario:

type: leaky
name: bruteforce-by-range
#debug: true
description: "Detect ipsec bruteforce from range"
filter: "evt.Meta.SourceRange != '' && evt.Meta.log_type == 'vpnserver_ipsec'"
groupby: "evt.Meta.SourceRange"
distinct: "evt.Meta.source_ip"
leakspeed: "30s"
capacity: 5
blackhole: 1m
labels:
  service: vpn
  type: range_bruteforce
  remediation: true
scope:
  type: Range
  expression: evt.Meta.SourceRange

And when it comes to the profile, I simply added the profile you created to my local one:

name: default_range_remediation
debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 1h
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
on_success: break

With those, I was able to process logs and get the expected decision. Given the log

2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.32:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.33:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.34:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.35:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.36:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.37:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.38:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.39:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.32:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.33:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.34:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.35:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.36:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.37:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.38:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.39:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds
2021-12-06 13:01:36.969 IPsec IKE Session (IKE SA) 3825548 (Client: 633372) (141.210.0.40:34821 -> 92.242.43.237:4500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds

Note: I updated the timestamp to be “now” so that I can see the decision with cscli (if the log is too old, the decision will be deleted immediately as it has expired; the log timestamp is what matters in cold logs).

I get the expected results:

./crowdsec -c dev.yaml -dsn file:///home/bui/Downloads/to_cs_community/vpn.log -type vpnserver
INFO[06-12-2021 13:55:08] Range 141.210.0.0/16 performed 'bruteforce-by-range' (6 events over 0s) at 2021-12-06 13:01:36.969 +0000 UTC 
INFO[06-12-2021 13:55:09] (test/crowdsec) bruteforce-by-range by range 141.210.0.0/16 (US/237) : 1h ban on Range 141.210.0.0/16 

and from cscli:

▶ ./cscli -c dev.yaml decisions list             
+----+----------+----------------------+---------------------+--------+---------+------------------------+--------+-------------------+----------+
| ID |  SOURCE  |     SCOPE:VALUE      |       REASON        | ACTION | COUNTRY |           AS           | EVENTS |    EXPIRATION     | ALERT ID |
+----+----------+----------------------+---------------------+--------+---------+------------------------+--------+-------------------+----------+
|  5 | crowdsec | Range:141.210.0.0/16 | bruteforce-by-range | ban    | US      | 237 Merit Network Inc. |      6 | 1h6m22.970722723s |        5 |
+----+----------+----------------------+---------------------+--------+---------+------------------------+--------+-------------------+----------+

Please let me know if you need some further help and/or if you figured it out.

And by the way, what VPN server is it? Would you mind contributing your parser to GitHub - crowdsecurity/hub: Main repository for crowdsec scenarios/parsers? It would be super useful!

Cheers,
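
To make the parser, scenario and profile chain in the post above concrete, here is an added example that is not crowdsec's code and not from the original thread: it replays constructed IKE log lines (built from the sample line in the thread, with made-up timestamps and source addresses) through an emulation of the three stages, a regex port of the grok pattern, a leaky bucket keyed on evt.Meta.SourceRange with distinct on source_ip, capacity 5, leakspeed 30s and blackhole 1m, and the default_range_remediation profile. It also shows why both injection patterns described earlier (a burst of lines at once, and one line per second) produce a single Range alert with 6 events, and why a cold log older than the ban duration yields an already-expired decision. Assumptions: SourceRange is taken as the /16 containing the source address (crowdsec derives it from the GeoIP enrichment), and the bucket logic is an approximation of crowdsec's leaky bucket, not its implementation.

```python
import re
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Regex port of the grok pattern in the parser above (assumed equivalent, not crowdsec's own code).
LINE_RE = re.compile(
    r"^(?P<time_local>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IPsec IKE Session \(IKE SA\) \d+ "
    r"\(Client: \d+\) \((?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):.*A new IKE SA \(Main Mode\) is created\."
)

# Line template taken from the sample log in the thread; timestamps and IPs below are constructed.
TEMPLATE = (
    "{ts} IPsec IKE Session (IKE SA) 3825548 (Client: 633372) ({ip}:34821 -> 92.242.43.237:4500): "
    "A new IKE SA (Main Mode) is created. Initiator Cookie: 0xC9832C40B1D51852, "
    "Responder Cookie: 0x3BAA831BBA7A12B4, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, "
    "Cipher Algorithm: 3DES-CBC, Cipher Key Size: 192 bits, Lifetime: 4294967295 Kbytes or 1 seconds"
)
START = datetime(2021, 12, 6, 13, 1, 36, 969000)
# 8 distinct hosts, the same 8 again (ignored by `distinct`), then a 9th host: 17 lines in total.
IPS = [f"141.210.0.{n}" for n in range(32, 40)] * 2 + ["141.210.0.40"]


def parse_line(line: str) -> Optional[dict]:
    """Parser stage: emulates the grok pattern and statics of crowdsecurity/vpnserver-logs."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip = m["src_ip"]
    return {
        "time": datetime.strptime(m["time_local"], "%Y-%m-%d %H:%M:%S.%f"),
        "source_ip": ip,
        # crowdsec fills evt.Meta.SourceRange from the GeoIP enrichment; here we assume the
        # announced prefix is the /16 containing the address (assumption, matches the thread).
        "source_range": str(ipaddress.ip_network(f"{ip}/16", strict=False)),
    }


@dataclass
class Bucket:
    level: float = 0.0
    last_ts: Optional[datetime] = None
    seen: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)
    blackhole_until: Optional[datetime] = None


def run_scenario(lines: List[str], capacity: int = 5, leakspeed_s: float = 30.0,
                 blackhole_s: float = 60.0) -> List[dict]:
    """Leaky bucket grouped by SourceRange, distinct on source_ip; an overflow is one Range alert."""
    buckets: Dict[str, Bucket] = {}
    alerts: List[dict] = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        key, ts = evt["source_range"], evt["time"]
        b = buckets.setdefault(key, Bucket())
        if b.blackhole_until is not None and ts < b.blackhole_until:
            continue  # blackhole: a bucket that just overflowed ignores events for a while
        if evt["source_ip"] in b.seen:
            continue  # distinct: a second event from the same host does not fill the bucket
        if b.last_ts is not None:
            # leak: the bucket drains one event per leakspeed
            b.level = max(0.0, b.level - (ts - b.last_ts).total_seconds() / leakspeed_s)
        b.last_ts = ts
        b.seen.add(evt["source_ip"])
        b.events.append(evt["source_ip"])
        b.level += 1
        if b.level > capacity:  # the (capacity + 1)-th distinct event overflows the bucket
            alerts.append({"scope": "Range", "value": key, "events": len(b.events),
                           "at": ts, "remediation": True})
            buckets[key] = Bucket(blackhole_until=ts + timedelta(seconds=blackhole_s))
    return alerts


def apply_profile(alert: dict) -> Optional[dict]:
    """Mirror of default_range_remediation: Alert.Remediation == true && GetScope() == "Range"."""
    if alert["remediation"] and alert["scope"] == "Range":
        return {"type": "ban", "scope": "Range", "value": alert["value"],
                "until": alert["at"] + timedelta(hours=1)}
    return None


def is_active(decision: dict, now_iso: str) -> bool:
    """Expiry is computed from the event time, so a cold log older than 1h yields an expired ban."""
    return datetime.fromisoformat(now_iso) < decision["until"]


def simulate(step_s: float) -> List[dict]:
    """Inject the 17 constructed lines step_s seconds apart and return the alerts produced."""
    lines = [TEMPLATE.format(ts=(START + timedelta(seconds=i * step_s)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3], ip=ip)
             for i, ip in enumerate(IPS)]
    return run_scenario(lines)


if __name__ == "__main__":
    for step in (0, 1, 31):
        alerts = simulate(step)
        print(f"{step:>2}s apart: {len(alerts)} alert(s)", [(a["value"], a["events"]) for a in alerts])
        for a in alerts:
            print("   decision:", apply_profile(a))
```

Run it as a script: the burst and the one-per-second cases each yield one alert on Range 141.210.0.0/16 with 6 events (the 6th distinct host overflows the capacity-5 bucket, then the blackhole swallows the rest), while lines 31 seconds apart never overflow because the bucket leaks one event per 30 seconds. With the real service, the profile must live on the machine that runs the LAPI, since that is where alerts are turned into decisions.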

I noticed that it works in the test environment when reading vpn.log all at once.
I started crowdsec in the test environment like you did, and decisions work fine.
But if I try to manually add multiple lines to the log file (e.g., via echo "2021-10-06 00:01:36.969 IPsec IKE Session ..." >> vpn.log) while crowdsec is running as a systemd service, decisions don’t work.

Hello,

I think this might be an issue in your local configuration, as I got the expected results. Here is how I proceeded.

  • I set up my acquis.yaml
filename: /tmp/vpn.log
labels:
  type: vpnserver

  • I still have the parser, scenario and profile from my previous post

Now, if I try to trigger it not in forensic mode:

▶  ./crowdsec -c dev.yaml
...
INFO[08-12-2021 09:01:52] Adding file /tmp/vpn.log to datasources       type=file
...

If I simulate log injection:

OIFS=${IFS}; IFS=$'\n'   # split on newlines only, so each iteration gets one whole log line
for i in $(cat /home/bui/Downloads/to_cs_community/vpn.log); do
  echo "$i" >> /tmp/vpn.log
  sleep 1
done
IFS=${OIFS}

I get the expected results:

INFO[08-12-2021 09:02:03] Range 141.210.0.0/16 performed 'bruteforce-by-range' (6 events over 5.010398639s) at 2021-12-08 09:02:03.5659376 +0100 CET m=+11.739740947 
INFO[08-12-2021 09:02:04] (test/crowdsec) bruteforce-by-range by range 141.210.0.0/16 (US/237) : 1h ban on Range 141.210.0.0/16 

And I can see the decision in cscli:

▶ ./cscli -c dev.yaml decisions list
+------+----------+----------------------+---------------------+--------+---------+------------------------+--------+-----------------+----------+
|  ID  |  SOURCE  |     SCOPE:VALUE      |       REASON        | ACTION | COUNTRY |           AS           | EVENTS |   EXPIRATION    | ALERT ID |
+------+----------+----------------------+---------------------+--------+---------+------------------------+--------+-----------------+----------+
| 3322 | crowdsec | Range:141.210.0.0/16 | bruteforce-by-range | ban    | US      | 237 Merit Network Inc. |      6 | 59m55.08681241s |       24 |
+------+----------+----------------------+---------------------+--------+---------+------------------------+--------+-----------------+----------+

Please let me know if I can help; I’d guess you might want to hop onto crowdsec-project/community - Gitter if your time allows.

I didn’t tell you that I use a LAPI server separate from the clients. And I described the decision on the client machine. It’s my big mistake.
Thanks for the help and sorry to bother you.