Unable to use blocklist inside scenario

Hello,

I’ve installed Crowdsec on Docker and it’s receiving logs from my Logstash instance. My logs are coming from our own SaaS and it has a custom format, so I created a parser and it works very well. Now I’m stuck trying to match my scenario alerts with the blocklist I subscribed my engine to. I want my scenario to check in any of the subscribed blocklists if the meta source_ip is in a blocklist and throw an alert only if it is. Right now, my blocklists don’t seem to throw any alert at all. Am I missing something?

I want to be able to subscribe to any blocklist without needing to edit my configuration files every time to apply the changes if possible.

Here are my parser and my scenario:

filter: "evt.Line.Raw startsWith '{'"
debug: true
onsuccess: next_stage
name: dreamon/logstash-logs
description: "Parse Logstash logs"
statics:
  - parsed: json_parsed
    expression: UnmarshalJSON(evt.Line.Raw, evt.Unmarshaled, "message")
  - meta: source_ip
    expression: evt.Unmarshaled["message"]["source"]["ip"]
  - meta: source_port
    expression: evt.Unmarshaled["message"]["source"]["port"]
  - meta: timestamp
    expression: evt.Unmarshaled["message"]["@timestamp"]

type: leaky
name: "dreamon/panicsafe-logs"
description: "Panicsafe Logs"
filter: "true"
capacity: 50
leakspeed: "1h"
labels:
  service: custom
  type: single-event
  remediation: true

Thanks for the help :slight_smile:

Blocklists don’t match to alerts, they are simply downloaded and inserted as decisions you configure on the console, or if community blocklists these are simply just ban?

What behaviour are you expecting to do that doesn’t exist?

edit: ohhh, I want my scenario to check in any of subscribed blocklists if the meta source_ip is in a blocklist and throw an alert only if it is.

This isn’t really a thing, you can use the GetActiveDecisions but this checks all decisions, not blocklists.

so you can add an overflow_filter to your scenario:

overflow_filter: GetActiveDecisionCount(signal.Alert.GetValue()) == 0

However, your parser should set a meta key called service to a name, then you should filter that inside your scenario filter (evt.Meta.service == 'myservice'), as currently you will be catching all parsed lines as events for any service.

edit edit: Also thinking you’re not really matching anything malicious inside the parser or scenario, you’re just saying count 50 items and then tell me if it is already malicious by checking the blocklist, so what is the aim to use the blocklist as a CTI without using the CTI? Kind of defeats the purpose to try to hack together something and we wouldn’t want to support something like that.
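To make the reply concrete, here is the poster's parser and scenario rewritten with both suggestions applied: the parser tags every event with a service meta, the scenario filters on that meta and adds the overflow_filter. This is an added example, not either poster's file or anything from the CrowdSec hub. Assumptions: the service name "panicsafe" is invented for illustration; the helper is spelled GetActiveDecisionsCount here because that is the name listed in CrowdSec's expr helper documentation (the reply writes it as GetActiveDecisionCount); groupby is added so that each source IP gets its own bucket and the alert value passed to the helper is that IP; the debug flag from the original parser is left out.

```yaml
# Parser (added example): same JSON extraction as the original, plus a
# constant "service" meta so a scenario can select only these events.
filter: "evt.Line.Raw startsWith '{'"
onsuccess: next_stage
name: dreamon/logstash-logs
description: "Parse Logstash logs"
statics:
  - parsed: json_parsed
    expression: UnmarshalJSON(evt.Line.Raw, evt.Unmarshaled, "message")
  - meta: source_ip
    expression: evt.Unmarshaled["message"]["source"]["ip"]
  - meta: source_port
    expression: evt.Unmarshaled["message"]["source"]["port"]
  - meta: timestamp
    expression: evt.Unmarshaled["message"]["@timestamp"]
  - meta: service
    value: panicsafe   # literal string; "panicsafe" is an assumed service name
---
# Scenario (added example): counts only events tagged by the parser above,
# one bucket per source IP, and drops the overflow when that IP already has
# an active decision (blocklist entry or any other ban), as the reply suggests.
type: leaky
name: "dreamon/panicsafe-logs"
description: "Panicsafe Logs"
filter: "evt.Meta.service == 'panicsafe'"
groupby: "evt.Meta.source_ip"
capacity: 50
leakspeed: "1h"
# Helper name as documented (assumed); checks all active decisions, not blocklists only.
overflow_filter: GetActiveDecisionsCount(signal.Alert.GetValue()) == 0
labels:
  service: custom
  type: single-event
  remediation: true
```

With "== 0" the scenario stays quiet for IPs that are already under a decision, which avoids stacking a second ban on top of a blocklist entry. Changing it to "> 0" gives the behaviour the original question asked for (alert only when the IP already has a decision), with the caveat the reply raises: the count covers every active decision on the local API, whether it came from a blocklist, the community list, or a local scenario, so it cannot tell a blocklist hit apart from any other ban.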