No decisions in `cscli decisions list` output

I’ve installed Debian Bookworm crowdsec package (1.4.6) and just added Exim parser into /etc/crowdsec/parsers/s01-parse without otherwise changing the default configuration in any way. Looking at cscli metrics output I see that some lines are parsed successfully and there are entries in exim-bf and exim-user-bf buckets, but cscli decisions list outputs “No active decisions” — why is it so?

If you check cscli metrics you will see it is parsing, but it may be hitting the whitelist of private networks if you are attempting to do this on a local LAN.

Edit: if you did cscli explain and saw the buckets, most likely the IP was not aggressive enough to trigger the bucket overflow.

FYI, the package you installed is quite outdated, so I would recommend not installing from the Debian repository and installing from our official one instead: crowdsec/crowdsec - Packages · packagecloud

We wrote an installation script that allows newer versions of distros.

curl -s https://install.crowdsec.net | sh

Note you will need to purge the older installation before proceeding with ours, as Debian keeps its files in a different location to ours.

Thanks for your reply, but I didn’t modify /etc/crowdsec/parsers/s02-enrich/whitelists.yaml and so it indeed contains only private IPs while the addresses appearing in the Exim log messages are normal public IPs from all over the place.

Thanks, I guess this must explain it, I hadn’t realized that with the default options you need to get more than 5 requests in less than 10s to trigger the overflow. I’ve switched to much more aggressive options, let’s see if it helps…

Thanks, but I’d prefer to use the Debian version, at least for now, i.e. until I understand whether crowdsec works well for me.

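The overflow behaviour discussed in this thread, as an added example that is not part of the original posts and is not CrowdSec's own code: a simplified per-IP leaky bucket in which one event drains every `leakspeed` seconds and an overflow fires when an event arrives at a full bucket. The 5 / 10s figures are the ones quoted in the thread; the 2 / 60s "aggressive" settings, the function name and the IPs (documentation ranges) are constructed for illustration.

```python
from collections import defaultdict


def first_overflow(events, capacity=5, leakspeed=10.0):
    """Return {ip: timestamp} of the first overflow per source IP.

    events: iterable of (timestamp_seconds, source_ip), sorted by time.
    Simplified model (assumption): the bucket holds `capacity` events,
    drains continuously at one event per `leakspeed` seconds, and
    overflows when an event arrives and there is no room left for it.
    """
    level = defaultdict(float)   # current fill level per IP
    last_seen = {}               # timestamp of the previous event per IP
    overflow = {}
    for ts, ip in events:
        if ip in overflow:
            continue             # only the first overflow is reported
        if ip in last_seen:
            leaked = (ts - last_seen[ip]) / leakspeed
            level[ip] = max(0.0, level[ip] - leaked)
        last_seen[ip] = ts
        if level[ip] + 1 > capacity:
            overflow[ip] = ts    # this is where a decision would be made
        else:
            level[ip] += 1
    return overflow


# Constructed sample input: parsed auth failures as (seconds, source IP).
FAST = [(t, "198.51.100.7") for t in range(8)]           # one failure per second
SLOW = [(t, "203.0.113.9") for t in range(0, 300, 15)]   # one failure every 15 s
EVENTS = sorted(FAST + SLOW)

if __name__ == "__main__":
    # Figures from the thread: only the burst from the fast IP overflows;
    # the slow IP is parsed and poured into the bucket but never fills it.
    print("capacity=5 leakspeed=10s:", first_overflow(EVENTS))
    # Hypothetical more aggressive settings: the slow IP now overflows too.
    print("capacity=2 leakspeed=60s:", first_overflow(EVENTS, 2, 60.0))
```

In this model the slow source shows up in the parsed-line and bucket counts but never produces an overflow, which matches seeing bucket entries in `cscli metrics` while `cscli decisions list` stays empty.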