Hello, I have the following simple scenario. I want to count requests to a specific endpoint and group them by IP. If more than two requests within 30s come from the same IP, it should overflow.
```yaml
type: leaky
name: bu/tariffs-by-ip
description: "detect too many requests to tariffs endpoint from the same ip"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/'"
leakspeed: "30s"
capacity: 2
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: false
debug: true
labels:
  service: http
  type: crawler-check
  remediation: true
```
When I now run a replay with a logfile containing 3 matching entries, also with changed date/time, I would expect one decision for the IP, but nothing happens: no alerts, no decision.
This is in the profiles:
```yaml
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() startsWith "bu/"
decisions:
  - type: captcha
    duration: 5m
on_success: break
```
I also see 3 matches in the log output:
INFO[06-05-2022 18:04:35] Adding leaky bucket cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
WARN[06-05-2022 18:04:35] Loaded 1 scenarios
INFO[06-05-2022 18:04:35] Adding file /var/log/haproxy/access-tariffs.log to filelist type="file:///var/log/haproxy/access-tariffs.log"
WARN[06-05-2022 18:04:35] Starting processing data
INFO[06-05-2022 18:04:35] reading /var/log/haproxy/access-tariffs.log at once type="file:///var/log/haproxy/access-tariffs.log"
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables: cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Meta.log_type = 'http_access-log' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Parsed.request = '/desktopapi/tariffs/1152' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] Creating TimeMachine bucket cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] Leaky routine starting, lifetime : 1m30s bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
DEBU[06-05-2022 18:04:35] Created new bucket bf0144f2f44b84cff9d26aa5697cc7202d323a8f cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] First event, bucket creation time : 2022-05-06 16:36:34 +0000 UTC bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables: cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Meta.log_type = 'http_access-log' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Parsed.request = '/desktopapi/tariffs/1152' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
WARN[06-05-2022 18:04:35] Acquisition is finished, shutting down
INFO[06-05-2022 18:04:35] Killing parser routines
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables: cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Meta.log_type = 'http_access-log' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] evt.Parsed.request = '/desktopapi/tariffs/1152' cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
INFO[06-05-2022 18:04:36] Bucket routine exiting
DEBU[06-05-2022 18:04:36] Bucket externally killed, return bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
INFO[06-05-2022 18:04:37] crowdsec shutdown
What is wrong here?
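To reason about whether three replayed events with the posted settings (capacity 2, leakspeed 30s, groupby source IP, blackhole 1m) should overflow, here is a small model of the scenario run over constructed events. This is an added example, not crowdsec's own code: it assumes the leaky bucket behaves like a token bucket with burst = capacity that regains one token per leakspeed, with the event timestamps driving the clock as in a timemachine replay. The IPs, timestamps and request paths are constructed for the example.

```python
"""Model of a crowdsec 'leaky' scenario (capacity 2, leakspeed 30s,
groupby source ip, blackhole 1m), replayed over constructed events.

Assumption, not crowdsec's own implementation: the bucket is a token
bucket with burst=CAPACITY refilled at one token per LEAKSPEED, and the
event timestamps (not wall-clock time) drive the leak, as in a replay.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CAPACITY = 2
LEAKSPEED = timedelta(seconds=30)
BLACKHOLE = timedelta(minutes=1)
PREFIX = "/desktopapi/tariffs/"


@dataclass
class Event:
    ts: datetime
    source_ip: str
    log_type: str
    request: str


def scenario_filter(evt: Event) -> bool:
    """Same condition as the scenario's 'filter' expression."""
    return evt.log_type == "http_access-log" and evt.request.startswith(PREFIX)


class Bucket:
    """One partition of the scenario, i.e. one source ip."""

    def __init__(self, created: datetime):
        self.tokens = float(CAPACITY)  # a fresh bucket can absorb CAPACITY events
        self.last = created

    def pour(self, now: datetime) -> bool:
        """Pour one event at time 'now'; return True when the bucket overflows."""
        # Leak: one token comes back per LEAKSPEED elapsed, capped at CAPACITY.
        elapsed = (now - self.last) / LEAKSPEED
        self.tokens = min(float(CAPACITY), self.tokens + elapsed)
        self.last = now
        if self.tokens < 1.0:
            return True          # no room left: overflow
        self.tokens -= 1.0
        return False


def replay(events):
    """Replay events oldest-first; return (ip, timestamp) of each overflow."""
    buckets, blackholed, decisions = {}, {}, []
    for evt in sorted(events, key=lambda e: e.ts):
        if not scenario_filter(evt):
            continue
        key = evt.source_ip
        until = blackholed.get(key)
        if until is not None and evt.ts < until:
            continue             # blackhole: this key is ignored for BLACKHOLE
        bucket = buckets.get(key)
        if bucket is None:
            bucket = buckets[key] = Bucket(evt.ts)
        if bucket.pour(evt.ts):
            decisions.append((key, evt.ts))
            del buckets[key]     # the overflowed bucket is gone
            blackholed[key] = evt.ts + BLACKHOLE
    return decisions


# Constructed sample input: offsets in seconds from one base timestamp.
BASE = datetime(2022, 5, 6, 16, 36, 34)


def make_events(ip, seconds, request="/desktopapi/tariffs/1152"):
    return [Event(BASE + timedelta(seconds=s), ip, "http_access-log", request)
            for s in seconds]


BURST = make_events("203.0.113.7", [0, 5, 12])        # 3 hits within 12s
SPREAD = make_events("203.0.113.8", [0, 25, 50])      # 3 hits, 25s apart
OTHER = make_events("203.0.113.9", [0, 1, 2], request="/other")  # filtered out
REPEAT = make_events("203.0.113.10", [0, 5, 12, 13, 80, 81, 82])

if __name__ == "__main__":
    for name, evs in [("burst", BURST), ("spread", SPREAD),
                      ("other", OTHER), ("repeat", REPEAT)]:
        print(name, replay(evs))
```

The point the model makes: with capacity 2 and leakspeed 30s, three hits only overflow when the third arrives before roughly one token has leaked back, so three entries whose timestamps were edited to be 25s apart never overflow, while three within about 10s do. The `REPEAT` set shows the blackhole: the hit at +13s after the overflow at +12s is dropped, and a second decision only appears once the 1m blackhole has expired and the bucket fills again.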