Trying to create a new collection with XRDP

Hello All
I am trying to add a new collection (parser + scenario) for xrdp, using a simple sentence in the log: “failed to connect user”, which appears in xrdp.log on a wrong login.
Everything looks OK, but it doesn’t work (no alert is detected when spamming).

There is an error when installing the collection (Error while downloading xrdp.yam: failed to download item : bad http code 400 for https://hub-cdn-crowdsec.net/v.1.4.6).

But the scenario and the parser do appear in the lists.

Here are my files, in case you can help. Thanks in advance.
Olivier

==================xrdp.yaml (/etc/crowdsec/collections)==============
parsers:
  - xrdp-log
scenarios:
  - xrdp-bf
  - xrdp-user-enum
collections: Xrdp
description: "Xrdp parser and brute-force detection"
author: Olivier
tags:
  - xrdp
==========================================

==================xrdp-bf.yaml (/etc/crowdsec/scenarios)=======
# xrdp bruteforce
type: leaky
name: crowdsecurity/xrdp-bf
description: "Detect xrdp bruteforce"
filter: evt.Meta.log_type == 'login failed for user'
groupby: evt.Meta.source_ip
leakspeed: 10s
capacity: 5
blackhole: 5m
labels:
  service: xrdp
  type: bruteforce
  remediation: true

==================xrdp-log.yaml (/etc/crowdsec/parsers/s01-parse/)===============
onsuccess: next_stage
#debug: true
name: xrdp-logs
description: "Parse xrdp logs looking for failed logins"
filter: "evt.Parsed.program == 'xrdp'"
nodes:
  - grok:
      pattern: 'login failed for user'
      apply_on: message
    statics:
      - meta: log_type
        value: xrdp
      - meta: source_ip
        expression: evt.Parsed.source_ip
statics:
  - meta: service
    value: xrdp
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  - meta: username
    expression: evt.Parsed.username
========================================================

==================acquis.yaml (/etc/crowdsec/acquis.d)==============
parsers:
  - xrdp-log
scenarios:
  - xrdp-bf
  - xrdp-user-enum
collections: Xrdp
description: "Xrdp parser and brute-force detection"
author: Olivier
tags:
  - xrdp
==========================================

======= xrdp.log============
xrdp_wm_log_msg: login failed for user qsdqsddqsqsddqsd

This is expected: since the collection is locally created, you won’t be able to “download” the collection. The only problem I see is that the pattern is very bare and doesn’t seem to be parsing any data that is used later on, e.g. evt.Parsed.timestamp and evt.Parsed.username. If you can provide some example log lines, then we can investigate a fully operational parser. (Redact any PII and replace it with something so that we know what data should be there, e.g. <username> and <IP>.)
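
To make the point about unparsed fields concrete, here is an added Python model (not CrowdSec code and not from the thread) of what the parser must hand the posted xrdp-bf scenario before groupby: evt.Meta.source_ip, capacity: 5, leakspeed: 10s and blackhole: 5m can do anything: a regex that actually captures timestamp, IP and username, fed into one leaky bucket per source IP. The line layout with a timestamp prefix and an IP is an assumption made for the example; the log line on this page carries neither.

```python
import re
from datetime import datetime, timedelta

CAPACITY, LEAKSPEED, BLACKHOLE = 5, timedelta(seconds=10), timedelta(minutes=5)  # from xrdp-bf.yaml above
# Assumed layout (constructed, not from the thread): "[YYYYMMDD-HH:MM:SS] <ip> xrdp_wm_log_msg: ...".
# The real line on the page has no IP, so a real parser needs a field that does before groupby can key on it.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8}-\d{2}:\d{2}:\d{2})\] (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"xrdp_wm_log_msg: login failed for user (?P<username>\S+)$"
)

def parse(line):
    """Parser stage stand-in: ts/source_ip/username for a failed login, None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    evt = m.groupdict()
    evt["ts"] = datetime.strptime(evt["ts"], "%Y%m%d-%H:%M:%S")
    return evt

def pour(bucket, ts):
    """Leaky bucket: leak elapsed/leakspeed events, add one, overflow above capacity, then blackhole."""
    if "blackholed_until" in bucket and ts < bucket["blackholed_until"]:
        return False  # an alert fired recently: further events from this key are swallowed
    if "last" in bucket:
        bucket["level"] = max(0.0, bucket["level"] - (ts - bucket["last"]) / LEAKSPEED)
    bucket["last"] = ts
    bucket["level"] = bucket.get("level", 0.0) + 1
    if bucket["level"] > CAPACITY:
        bucket["level"], bucket["blackholed_until"] = 0.0, ts + BLACKHOLE
        return True
    return False

def run_scenario(lines):
    """One bucket per source_ip (the groupby key); return [(source_ip, ts)] for each overflow."""
    buckets, alerts = {}, []
    for line in lines:
        evt = parse(line)
        if evt is not None and pour(buckets.setdefault(evt["source_ip"], {}), evt["ts"]):
            alerts.append((evt["source_ip"], evt["ts"]))
    return alerts

# Constructed sample: six failures in six seconds from one IP (alert on the sixth), an unrelated
# line, one failure from a second IP (no alert) and a retry 25 s later, inside the blackhole.
SAMPLE_LOG = [f"[20240101-10:00:0{i}] 203.0.113.7 xrdp_wm_log_msg: login failed for user qsdqsddqsqsddqsd"
              for i in range(6)] + [
    "[20240101-10:00:03] 203.0.113.7 xrdp_wm_log_msg: session started for user alice",
    "[20240101-10:00:04] 198.51.100.2 xrdp_wm_log_msg: login failed for user admin",
    "[20240101-10:00:30] 203.0.113.7 xrdp_wm_log_msg: login failed for user admin",
]
```

Note also that the posted scenario filters on evt.Meta.log_type == 'login failed for user' while the posted parser sets log_type to xrdp, so even a parser that captured these fields would not reach that filter as written.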

Hi iiAmLoz and many thanks for your answer.
I am a beginner with CrowdSec, so my parser and scenario were mainly inspired by ssh-bf.yaml.
To answer your question, here is an example of what “/var/log/xrdp.log” looks like when somebody enters wrong IDs.

[image: screenshot of /var/log/xrdp.log]

Thank you again