
Categories:
Security
Crowdsec

Installing Crowdsec on pfSense

Installing Crowdsec on pfSense 2.7.0

1. Which version of Crowdsec to install

You first need to know which FreeBSD version your firewall runs:

/root: freebsd-version
14.0-CURRENT

Another way to get the FreeBSD version, together with the architecture:

/root: uname -mrs
FreeBSD 14.0-CURRENT amd64

2. Installing Crowdsec

Note:

If you have already followed this article once and now want to update Crowdsec to a newer version, remove the installed package first:

pkg del crowdsec

Then open the FreeBSD Ports site in a new browser tab, look up the package built for your firewall's FreeBSD version, and follow the next step:

/root: pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/crowdsec-1.5.1.pkg
Fetching crowdsec-1.5.1.pkg: 100%   38 MiB  40.0MB/s    00:01
Installing crowdsec-1.5.1...
Newer FreeBSD version for package crowdsec:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1400092
- running kernel: 1400085
Ignore the mismatch and continue? [y/N]: y
Extracting crowdsec-1.5.1: 100%
=====
Message from crowdsec-1.5.1:

--
crowdsec is installed.

You need to check/edit the following files in /usr/local/etc/crowdsec as described in https://doc.crowdsec.net/docs/configuration/crowdsec_configuration

 - config.yaml: main configuration
 - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
 - profiles.yaml: remediation policies (ban, duration, etc)

Then you can enable the daemon via sysrc and run it.

# sysrc crowdsec_enable="YES"
crowdsec_enable: NO -> YES
# service crowdsec start

Enable the Crowdsec service:

sysrc crowdsec_enable="YES"
crowdsec_enable:  -> YES

Start the Crowdsec service:

/root: service crowdsec start
Fetching hub inventory
WARN[16-07-2023 14:47:02] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 14:47:02] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2
INFO[16-07-2023 14:47:02] Wrote new 752629 bytes index to /usr/local/etc/crowdsec/hub/.index.json
Registering LAPI
WARN[16-07-2023 14:47:03] can't load CAPI credentials from '/usr/local/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[16-07-2023 14:47:03] push and pull to Central API disabled
WARN[16-07-2023 14:47:03] You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.
WARN[16-07-2023 14:47:03] can't load CAPI credentials from '/usr/local/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[16-07-2023 14:47:03] push and pull to Central API disabled
INFO[16-07-2023 14:47:04] Machine 'MACHINE_ID' successfully added to the local API
INFO[16-07-2023 14:47:04] API credentials dumped to '/usr/local/etc/crowdsec/local_api_credentials.yaml'
Registering CAPI
WARN[16-07-2023 14:47:05] can't load CAPI credentials from '/usr/local/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[16-07-2023 14:47:05] push and pull to Central API disabled
WARN[16-07-2023 14:47:05] You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.
WARN[16-07-2023 14:47:05] can't load CAPI credentials from '/usr/local/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[16-07-2023 14:47:05] push and pull to Central API disabled
INFO[16-07-2023 14:47:05] Successfully registered to Central API (CAPI)
INFO[16-07-2023 14:47:05] Central API credentials dumped to '/usr/local/etc/crowdsec/online_api_credentials.yaml'
WARN[16-07-2023 14:47:05] Run 'sudo service crowdsec reload' for the new configuration to be effective.
WARN[16-07-2023 14:47:06] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 14:47:06] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2
INFO[16-07-2023 14:47:06] crowdsecurity/syslog-logs : OK
INFO[16-07-2023 14:47:06] /usr/local/etc/crowdsec/parsers/s00-raw doesn't exist, create
INFO[16-07-2023 14:47:06] Enabled parsers : crowdsecurity/syslog-logs
INFO[16-07-2023 14:47:06] crowdsecurity/geoip-enrich : OK
INFO[16-07-2023 14:47:06] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb' in '/var/db/crowdsec/data/GeoLite2-City.mmdb'
INFO[16-07-2023 14:47:09] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb' in '/var/db/crowdsec/data/GeoLite2-ASN.mmdb'
INFO[16-07-2023 14:47:09] /usr/local/etc/crowdsec/parsers/s02-enrich doesn't exist, create
INFO[16-07-2023 14:47:09] Enabled parsers : crowdsecurity/geoip-enrich
INFO[16-07-2023 14:47:10] crowdsecurity/dateparse-enrich : OK
INFO[16-07-2023 14:47:10] Enabled parsers : crowdsecurity/dateparse-enrich
INFO[16-07-2023 14:47:10] crowdsecurity/sshd-logs : OK
INFO[16-07-2023 14:47:10] /usr/local/etc/crowdsec/parsers/s01-parse doesn't exist, create
INFO[16-07-2023 14:47:10] Enabled parsers : crowdsecurity/sshd-logs
INFO[16-07-2023 14:47:10] crowdsecurity/ssh-bf : OK
INFO[16-07-2023 14:47:10] /usr/local/etc/crowdsec/scenarios doesn't exist, create
INFO[16-07-2023 14:47:10] Enabled scenarios : crowdsecurity/ssh-bf
INFO[16-07-2023 14:47:10] crowdsecurity/ssh-slow-bf : OK
INFO[16-07-2023 14:47:10] Enabled scenarios : crowdsecurity/ssh-slow-bf
INFO[16-07-2023 14:47:10] crowdsecurity/sshd : OK
WARN[16-07-2023 14:47:10] crowdsecurity/sshd : overwrite
INFO[16-07-2023 14:47:10] /usr/local/etc/crowdsec/collections doesn't exist, create
INFO[16-07-2023 14:47:10] Enabled collections : crowdsecurity/sshd
INFO[16-07-2023 14:47:10] crowdsecurity/freebsd : OK
INFO[16-07-2023 14:47:10] /usr/local/etc/crowdsec/collections/sshd.yaml already exists.
INFO[16-07-2023 14:47:10] Enabled collections : crowdsecurity/freebsd
INFO[16-07-2023 14:47:10] Enabled crowdsecurity/freebsd
INFO[16-07-2023 14:47:10] Run 'sudo service crowdsec reload' for the new configuration to be effective.

For systems with /var on a tmpfs

Change data_dir and db_path in /usr/local/etc/crowdsec/config.yaml: set them to /usr/local/crowdsec/data/ and create the directory:

mkdir -p /usr/local/crowdsec/data/
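As an added check (not part of the original article), the following script detects from the output of mount whether /var is a tmpfs and then rewrites data_dir and db_path in config.yaml the way the step above does by hand; it assumes the SQLite file keeps the name crowdsec.db under the new directory, and the config and mount samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: detect whether /var lives on
# a tmpfs (pfSense with RAM disks enabled) and, if so, move the crowdsec
# data_dir and db_path in config.yaml to a persistent directory, as the
# article does by hand. Assumes the database keeps the file name crowdsec.db
# under the new directory. The sample config and mount output are constructed.

NEW_DATA_DIR="/usr/local/crowdsec/data"   # persistent location from the article

# var_is_tmpfs MOUNT_OUTPUT : returns 0 when /var is mounted as tmpfs.
# The text of `mount` is passed in so the check can be exercised offline;
# FreeBSD prints lines such as "tmpfs on /var (tmpfs, local)".
var_is_tmpfs() {
    printf '%s\n' "$1" |
        awk '$2 == "on" && $3 == "/var" && $4 ~ /^\(tmpfs/ { found = 1 }
             END { exit (found ? 0 : 1) }'
}

# relocate_crowdsec_data CONFIG_FILE NEW_DIR : point data_dir and db_path at
# NEW_DIR and create it. The result is written to a temporary file and moved
# into place, which works with both BSD sed (pfSense) and GNU sed.
relocate_crowdsec_data() {
    cfg="$1"; dir="$2"; tmp="${cfg}.tmp.$$"
    sed -e "s|^\([[:space:]]*data_dir:\).*|\1 ${dir}/|" \
        -e "s|^\([[:space:]]*db_path:\).*|\1 ${dir}/crowdsec.db|" "$cfg" > "$tmp" &&
        mv "$tmp" "$cfg" &&
        mkdir -p "$dir"
}

# Constructed sample input: a trimmed config.yaml and two `mount` listings.
SAMPLE_CONFIG='config_paths:
  config_dir: /usr/local/etc/crowdsec/
  data_dir: /var/db/crowdsec/data/
db_config:
  type: sqlite
  db_path: /var/db/crowdsec/data/crowdsec.db'
SAMPLE_MOUNT_TMPFS='/dev/ada0p2 on / (ufs, local, soft-updates)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)'
SAMPLE_MOUNT_UFS='/dev/ada0p2 on / (ufs, local, soft-updates)'

# demo DIR : run the relocation against the sample config inside DIR and
# print the rewritten file.
demo() {
    printf '%s\n' "$SAMPLE_CONFIG" > "$1/config.yaml"
    if var_is_tmpfs "$SAMPLE_MOUNT_TMPFS"; then
        relocate_crowdsec_data "$1/config.yaml" "$1/data" || return 1
    fi
    cat "$1/config.yaml"
}

# On the real firewall the same two functions would be used as:
#   var_is_tmpfs "$(mount)" && relocate_crowdsec_data /usr/local/etc/crowdsec/config.yaml "$NEW_DATA_DIR"
d=$(mktemp -d) && demo "$d"; rm -rf "$d"
```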

Checking the log file:

/root: tail -f /var/log/crowdsec.log
time="16-07-2023 14:53:31" level=warning msg="Loaded 4 scenarios"
time="16-07-2023 14:53:31" level=info msg="loading acquisition file : /usr/local/etc/crowdsec/acquis.yaml"
time="16-07-2023 14:53:31" level=info msg="Adding file /var/log/nginx/error.log to datasources" type=file
time="16-07-2023 14:53:31" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="16-07-2023 14:53:31" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="16-07-2023 14:53:31" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="16-07-2023 14:53:31" level=warning msg="No matching files for pattern /var/log/httpd-access.log" type=file
time="16-07-2023 14:53:31" level=warning msg="No matching files for pattern /var/log/httpd-error.log" type=file
time="16-07-2023 14:53:31" level=error msg="Failed to notify(sent: false): <nil>"
time="16-07-2023 14:53:31" level=info msg="Starting processing data"

3. Enrolling the server with the central console

To enroll the firewall with Crowdsec, log in to the Crowdsec website and retrieve the enrollment code that identifies your account.

/root: cscli console enroll <CODE INSTALLATION>
WARN[16-07-2023 15:14:42] You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.
INFO[16-07-2023 15:14:43] manual set to true
INFO[16-07-2023 15:14:43] context set to true
INFO[16-07-2023 15:14:43] Enabled tainted&manual alerts sharing, see 'cscli console status'.
INFO[16-07-2023 15:14:43] Watcher successfully enrolled. Visit https://app.crowdsec.net to accept it.
INFO[16-07-2023 15:14:43] Please restart crowdsec after accepting the enrollment.

Then accept the enrollment in the Crowdsec web console. You can then check on the pfSense firewall that it has been taken into account:

/root: cscli console status
WARN[16-07-2023 15:17:50] You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.
╭────────────────────┬───────────┬───────────────────────────────────────────────────╮
│ Option Name        │ Activated │ Description                                       │
├────────────────────┼───────────┼───────────────────────────────────────────────────┤
│ custom             │ ✅        │ Send alerts from custom scenarios to the console  │
│ manual             │ ✅        │ Send manual decisions to the console              │
│ tainted            │ ✅        │ Send alerts from tainted scenarios to the console │
│ context            │ ✅        │ Send context with alerts to the console           │
│ console_management │ ❌        │ Receive decisions from console                    │
╰────────────────────┴───────────┴───────────────────────────────────────────────────╯

To get rid of the warning, edit /usr/local/etc/crowdsec/config.yaml and add line 5 below (use_wal: true):

 1  db_config:
 2    log_level: info
 3    type: sqlite
 4    db_path: /var/db/crowdsec/data/crowdsec.db
 5    use_wal: true
 6    #max_open_conns: 100
 7    #user:
 8    #password:
 9    #db_name:
10    #host:
11    #port:
12    flush:
13      max_items: 5000
14      max_age: 7d

then restart the service:

/root: service crowdsec restart
Stopping crowdsec.
Waiting for PIDS: 5513.

The warning should be gone.

4. Installing the firewall bouncer

Go to the bouncer's package page and pick the version matching your firewall.

/root: pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/crowdsec-firewall-bouncer-0.0.27.pkg
Fetching crowdsec-firewall-bouncer-0.0.27.pkg: 100%    4 MiB   3.8MB/s    00:01
Installing crowdsec-firewall-bouncer-0.0.27...
Newer FreeBSD version for package crowdsec-firewall-bouncer:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1400092
- running kernel: 1400085
Ignore the mismatch and continue? [y/N]: y
Extracting crowdsec-firewall-bouncer-0.0.27: 100%
=====
Message from crowdsec-firewall-bouncer-0.0.27:

--
crowdsec-firewall-bouncer is installed.

If you are running crowdsec on this machine, the bouncer will register itself with
the Local API when it's started the first time.

If the LAPI is on another machine, you need to manually register the bouncer
and fill api_key and api_url in /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml before
starting the service.

This package depends on the Packet Filter service.
To make sure it's active:

----------
# sysrc pf_enable=YES
pf_enable: NO -> YES
# service pf start
Enabling pf.
----------

Add the following in /etc/pf.conf to create the firewall tables and rules:

----------
table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
----------

To apply the file:

# pfctl -f /etc/pf.conf

Then activate the bouncer via sysrc and run it:

----------
# sysrc crowdsec_firewall_enable="YES"
crowdsec_firewall_enable: NO -> YES
# service crowdsec_firewall start
----------

Create the required tables by creating /etc/pf.conf, or adding the following to it:

table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any

Enable packet filtering if it is not already active:

/root: sysrc pf_enable=YES
pf_enable: NO -> YES
/root: service pf start
Enabling pf.

Reload the rules:

pfctl -f /etc/pf.conf

Then check the configuration with the following commands:

/root: pfctl -sr
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
/root: service pf check
Checking pf rules.
/root: service pf status
Status: Enabled for 0 days 00:09:34           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                           16830           29.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                              16830           29.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            108            0.2/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

Enable the crowdsec_firewall service and start it:

/root: sysrc crowdsec_firewall_enable=YES
crowdsec_firewall_enable:  -> YES
/root: service crowdsec_firewall start
Registered: cs-firewall-bouncer-1689518929

The firewall bouncer is now running and enforces its decisions through Packet Filter (pf).
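pfSense regenerates its ruleset from its own configuration on every filter reload, so rules loaded by hand from /etc/pf.conf can be replaced again; the following added script (not from the article or the bouncer package) checks the running pf state for the two crowdsec tables and block rules, using constructed pfctl output samples, while check_live runs the real pfctl commands.

```shell
#!/bin/sh
# Added example, not from the original article or the bouncer package.
# pfSense rebuilds its ruleset from its own configuration (/tmp/rules.debug)
# on every filter reload, so rules loaded by hand with `pfctl -f /etc/pf.conf`
# can be replaced again. These checks confirm that the two crowdsec tables and
# the two block rules are present in the *running* pf state. The pfctl outputs
# below are constructed samples; check_live() runs the real commands.

EXPECTED_RULES='block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any'
EXPECTED_TABLES='crowdsec-blacklists
crowdsec6-blacklists'

# missing_rules RULESET : print each expected rule absent from RULESET, the
# text of `pfctl -sr`. Whole-line fixed-string match, so a rule that pfSense
# merely reordered is still found but a reworded one is reported.
missing_rules() {
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$1" | grep -qxF -- "$rule" || printf 'missing rule: %s\n' "$rule"
    done
}

# missing_tables TABLES : same for `pfctl -s Tables`, one table name per line.
missing_tables() {
    printf '%s\n' "$EXPECTED_TABLES" | while IFS= read -r t; do
        printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qx -- "$t" ||
            printf 'missing table: %s\n' "$t"
    done
}

# table_entry_count SHOW_OUTPUT : number of addresses in the output of
# `pfctl -t <table> -T show` (one address per line, possibly indented).
table_entry_count() {
    printf '%s\n' "$1" | grep -c '[0-9a-fA-F]'
}

# check_crowdsec_pf RULESET TABLES : 0 when nothing is missing, 1 otherwise
# (the problems are printed on stderr).
check_crowdsec_pf() {
    problems="$(missing_rules "$1"; missing_tables "$2")"
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

# check_live : the same check against the running firewall, then the size of
# the IPv4 table the bouncer fills.
check_live() {
    check_crowdsec_pf "$(pfctl -sr)" "$(pfctl -s Tables)" &&
        printf 'crowdsec-blacklists holds %s entries\n' \
            "$(table_entry_count "$(pfctl -t crowdsec-blacklists -T show)")"
}

# Constructed samples: the ruleset right after `pfctl -f /etc/pf.conf`, a
# pfSense-style ruleset after a filter reload (crowdsec rules gone), the
# table list and a small table dump.
SAMPLE_RULES_OK='block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any'
SAMPLE_RULES_RELOADED='scrub on em0 all fragment reassemble
block drop in log all label "Default deny rule IPv4"
pass in quick on em1 inet from 192.168.55.0/24 to any flags S/SA keep state'
SAMPLE_TABLES_OK='bogons
crowdsec-blacklists
crowdsec6-blacklists'
SAMPLE_TABLE_SHOW='   198.51.100.23
   203.0.113.77
   203.0.113.200'

check_crowdsec_pf "$SAMPLE_RULES_OK" "$SAMPLE_TABLES_OK" &&
    echo "sample 1: crowdsec rules and tables present"
check_crowdsec_pf "$SAMPLE_RULES_RELOADED" "$SAMPLE_TABLES_OK" ||
    echo "sample 2: ruleset was regenerated without the crowdsec rules"
echo "sample table holds $(table_entry_count "$SAMPLE_TABLE_SHOW") addresses"
```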

5. Installing crowdsec-blocklist-mirror

Go to the blocklist-mirror package page and pick the version matching your firewall.

If needed, uninstall the previous version first:

service crowdsec_blocklist_mirror stop
rm /usr/local/etc/rc.d/crowdsec_blocklist_mirror
rm /usr/local/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
rm /usr/local/bin/crowdsec-blocklist-mirror

cscli bouncers list
cscli bouncers remove crowdsec-blocklist-mirror-REPLACE_ME

# Remove the blocklist enable line in /etc/rc.conf.local
# Remove the service line in /usr/local/etc/rc.d/crowdsec.sh

Installing the package

pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/crowdsec-blocklist-mirror-0.0.2.pkg
Fetching crowdsec-blocklist-mirror-0.0.2.pkg: 100%    4 MiB   4.0MB/s    00:01
Installing crowdsec-blocklist-mirror-0.0.2...
Newer FreeBSD version for package crowdsec-blocklist-mirror:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1400092
- running kernel: 1400085
Ignore the mismatch and continue? [y/N]: y
Extracting crowdsec-blocklist-mirror-0.0.2: 100%
=====
Message from crowdsec-blocklist-mirror-0.0.2:

--
crowdsec-blocklist-mirror is installed.

If you are running crowdsec on this machine, the bouncer will register itself with
the Local API when it's started the first time.

If the LAPI is on another machine, you need to manually register the bouncer
and fill lapi_key and lapi_url in /usr/local/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml before
starting the service.

Please refer to the documentation at
https://docs.crowdsec.net/docs/bouncers/blocklist-mirror/

Then activate the bouncer via sysrc and run it:

----------
# sysrc crowdsec_mirror_enable="YES"
crowdsec_mirror_enable: NO -> YES
# service crowdsec_mirror start
----------

The blocklist is available by default at
'http://127.0.0.1:41412/security/blocklist', check the configuration file to
change address, endpoint or add some authentication.

Enable crowdsec_mirror:

sysrc crowdsec_mirror_enable="YES"
crowdsec_mirror_enable:  -> YES

Next, allow the internal network to reach our external firewall to fetch this list. Edit the blocklist mirror's configuration file and change the listen_uri entry, replacing the loopback address with our internal address:

#listen_uri: 127.0.0.1:41412
listen_uri: 192.168.XX.XX:41412

Start the service:

/root: service crowdsec_mirror start
Registered: cs-blocklist-mirror-CODE
LAPI listen address set up.

You can check that it works with the following command:

curl http://192.168.55.1:41412/security/blocklist

You should get back a list with one IP per line. This firewall can then serve as the base installation for a multi-server setup.
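As an added example (not from the original article), here is a validator for the mirror's answer: it accepts only IPv4/IPv6 addresses or CIDR ranges, one per line, and rejects anything else, which is what a pfSense URL Table alias expects to consume. The sample lists are constructed; the mirror URL in the last comment is the one used above.

```shell
#!/bin/sh
# Added example, not from the original article: validate what the blocklist
# mirror returns before a pfSense URL Table alias or another firewall consumes
# it. Every non-empty line must be one IPv4 or IPv6 address, optionally with a
# CIDR prefix; anything else is reported and makes the check fail. The IPv6
# test is deliberately loose (hex digits and colons only). The sample lists
# are constructed; fetch_and_validate() runs against the real mirror URL.

# validate_blocklist TEXT : print "ipv4=N ipv6=N invalid=N" and return 1 if
# any line is invalid (offending lines go to stderr with their line number).
validate_blocklist() {
    printf '%s\n' "$1" | awk '
    function valid_ipv4(s,   n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
        return 1
    }
    function valid_prefix(s, max) { return s ~ /^[0-9]+$/ && s + 0 <= max }
    {
        line = $0
        sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
        if (line == "") next                      # blank lines are harmless
        addr = line; plen = ""
        k = index(line, "/")
        if (k > 0) { addr = substr(line, 1, k - 1); plen = substr(line, k + 1) }
        if (valid_ipv4(addr) && (plen == "" || valid_prefix(plen, 32)))
            v4++
        else if (addr ~ /^[0-9A-Fa-f:]+$/ && index(addr, ":") > 0 &&
                 (plen == "" || valid_prefix(plen, 128)))
            v6++
        else {
            bad++
            printf "line %d rejected: %s\n", NR, line > "/dev/stderr"
        }
    }
    END {
        printf "ipv4=%d ipv6=%d invalid=%d\n", v4, v6, bad
        exit (bad > 0)
    }'
}

# fetch_and_validate URL : download the mirror output and validate it.
# curl -f turns an HTTP error status into a failure instead of feeding an
# error page to the validator.
fetch_and_validate() {
    list="$(curl -fsS "$1")" || return 2
    validate_blocklist "$list"
}

# Constructed samples: a clean mirror answer and a broken one.
SAMPLE_BLOCKLIST='203.0.113.7
198.51.100.0/24
2001:db8::1
203.0.113.9'
SAMPLE_BAD_BLOCKLIST='203.0.113.7
not-an-ip
300.1.1.1
2001:db8::/129'

validate_blocklist "$SAMPLE_BLOCKLIST"       # ipv4=3 ipv6=1 invalid=0
validate_blocklist "$SAMPLE_BAD_BLOCKLIST"   # ipv4=1 ipv6=0 invalid=3
# Against the mirror configured above:
#   fetch_and_validate http://192.168.55.1:41412/security/blocklist
```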

6. Creating a rule to block blacklisted IPs

Creating an alias

In the GUI: Firewall > Aliases > URLs, click + Add. The type is URL Table (IPs). Do as in the screenshot, replacing the URL with the one used earlier to test the blacklist.

[Screenshot: creating the alias via the interface]

Creating a firewall rule

In the GUI: Firewall > Rules > the interface facing the Internet, click Add. The source is Single host or alias, filled in with the name of the alias created above. Do as in the screenshot and apply the changes.

[Screenshot: creating the alias via the interface]

NOTE:

Normally this step is not needed if the bouncer is working properly.

7. Installing scenarios

This scenario bans a whole range when more than 5 IPs from that range are banned.

/root: cscli scenarios install crowdsecurity/ban-defcon-drop_range
WARN[16-07-2023 22:35:16] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 22:35:16] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2
INFO[16-07-2023 22:35:17] crowdsecurity/ban-defcon-drop_range : OK
INFO[16-07-2023 22:35:17] Enabled scenarios : crowdsecurity/ban-defcon-drop_range
INFO[16-07-2023 22:35:17] Enabled crowdsecurity/ban-defcon-drop_range
INFO[16-07-2023 22:35:17] Run 'sudo service crowdsec reload' for the new configuration to be effective.

The complete list is available on the Crowdsec website:

cscli collections install crowdsecurity/base-http-scenarios
cscli scenarios install crowdsecurity/ban-defcon-drop_range

8. Installing collections

cscli collections install crowdsecurity/freebsd
WARN[16-07-2023 23:01:24] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 23:01:24] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2
WARN[16-07-2023 23:01:24] crowdsecurity/syslog-logs : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/geoip-enrich : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/dateparse-enrich : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/sshd-logs : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/ssh-bf : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/ssh-slow-bf : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/sshd : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/sshd : overwrite
WARN[16-07-2023 23:01:24] crowdsecurity/freebsd : overwrite
INFO[16-07-2023 23:01:24] /usr/local/etc/crowdsec/collections/sshd.yaml already exists.
INFO[16-07-2023 23:01:24] /usr/local/etc/crowdsec/collections/freebsd.yaml already exists.
INFO[16-07-2023 23:01:24] Enabled crowdsecurity/freebsd
INFO[16-07-2023 23:01:24] Run 'sudo service crowdsec reload' for the new configuration to be effective.

Install a collection for apache2:

cscli collections install crowdsecurity/apache2

Unlike a single scenario, a collection installs several scenarios at once.

[2.7.0-RELEASE][admin@gatekeeper01.breizhland.eu]/root: cscli collections install crowdsecurity/apache2
WARN[16-07-2023 22:43:25] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 22:43:25] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2
INFO[16-07-2023 22:43:25] crowdsecurity/apache2-logs : OK
INFO[16-07-2023 22:43:25] Enabled parsers : crowdsecurity/apache2-logs
INFO[16-07-2023 22:43:25] crowdsecurity/http-logs : OK
INFO[16-07-2023 22:43:25] Enabled parsers : crowdsecurity/http-logs
INFO[16-07-2023 22:43:25] crowdsecurity/http-crawl-non_statics : OK
INFO[16-07-2023 22:43:25] Enabled scenarios : crowdsecurity/http-crawl-non_statics
INFO[16-07-2023 22:43:25] crowdsecurity/http-probing : OK
INFO[16-07-2023 22:43:25] Enabled scenarios : crowdsecurity/http-probing
INFO[16-07-2023 22:43:25] crowdsecurity/http-bad-user-agent : OK
INFO[16-07-2023 22:43:25] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt' in '/var/db/crowdsec/data/bad_user_agents.regex.txt'
INFO[16-07-2023 22:43:25] Enabled scenarios : crowdsecurity/http-bad-user-agent
INFO[16-07-2023 22:43:25] crowdsecurity/http-path-traversal-probing : OK
INFO[16-07-2023 22:43:25] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/path_traversal.txt' in '/var/db/crowdsec/data/http_path_traversal.txt'
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-path-traversal-probing
INFO[16-07-2023 22:43:26] crowdsecurity/http-sensitive-files : OK
INFO[16-07-2023 22:43:26] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sensitive_data.txt' in '/var/db/crowdsec/data/sensitive_data.txt'
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-sensitive-files
INFO[16-07-2023 22:43:26] crowdsecurity/http-sqli-probing : OK
INFO[16-07-2023 22:43:26] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt' in '/var/db/crowdsec/data/sqli_probe_patterns.txt'
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-sqli-probing
INFO[16-07-2023 22:43:26] crowdsecurity/http-xss-probing : OK
INFO[16-07-2023 22:43:26] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/xss_probe_patterns.txt' in '/var/db/crowdsec/data/xss_probe_patterns.txt'
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-xss-probing
INFO[16-07-2023 22:43:26] crowdsecurity/http-backdoors-attempts : OK
INFO[16-07-2023 22:43:26] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/backdoors.txt' in '/var/db/crowdsec/data/backdoors.txt'
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-backdoors-attempts
INFO[16-07-2023 22:43:26] ltsich/http-w00tw00t : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : ltsich/http-w00tw00t
INFO[16-07-2023 22:43:26] crowdsecurity/http-generic-bf : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-generic-bf
INFO[16-07-2023 22:43:26] crowdsecurity/http-open-proxy : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-open-proxy
INFO[16-07-2023 22:43:26] crowdsecurity/http-cve-2021-41773 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-cve-2021-41773
INFO[16-07-2023 22:43:26] crowdsecurity/http-cve-2021-42013 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/http-cve-2021-42013
INFO[16-07-2023 22:43:26] crowdsecurity/grafana-cve-2021-43798 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/grafana-cve-2021-43798
INFO[16-07-2023 22:43:26] crowdsecurity/vmware-vcenter-vmsa-2021-0027 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/vmware-vcenter-vmsa-2021-0027
INFO[16-07-2023 22:43:26] crowdsecurity/fortinet-cve-2018-13379 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/fortinet-cve-2018-13379
INFO[16-07-2023 22:43:26] crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
INFO[16-07-2023 22:43:26] crowdsecurity/f5-big-ip-cve-2020-5902 : OK
INFO[16-07-2023 22:43:26] Enabled scenarios : crowdsecurity/f5-big-ip-cve-2020-5902
INFO[16-07-2023 22:43:26] crowdsecurity/thinkphp-cve-2018-20062 : OK
INFO[16-07-2023 22:43:26] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/thinkphp_cve_2018-20062.txt' in '/var/db/crowdsec/data/thinkphp_cve_2018-20062.txt'
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/thinkphp-cve-2018-20062
INFO[16-07-2023 22:43:27] crowdsecurity/apache_log4j2_cve-2021-44228 : OK
INFO[16-07-2023 22:43:27] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/log4j2_cve_2021_44228.txt' in '/var/db/crowdsec/data/log4j2_cve_2021_44228.txt'
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/apache_log4j2_cve-2021-44228
INFO[16-07-2023 22:43:27] crowdsecurity/jira_cve-2021-26086 : OK
INFO[16-07-2023 22:43:27] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt' in '/var/db/crowdsec/data/jira_cve_2021-26086.txt'
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/jira_cve-2021-26086
INFO[16-07-2023 22:43:27] crowdsecurity/spring4shell_cve-2022-22965 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/spring4shell_cve-2022-22965
INFO[16-07-2023 22:43:27] crowdsecurity/vmware-cve-2022-22954 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/vmware-cve-2022-22954
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-37042 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-37042
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-41082 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-41082
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-35914 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-35914
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-40684 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-40684
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-26134 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-26134
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-42889 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-42889
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-41697 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-41697
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-46169 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-46169
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2022-44877 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2022-44877
INFO[16-07-2023 22:43:27] crowdsecurity/CVE-2019-18935 : OK
INFO[16-07-2023 22:43:27] Enabled scenarios : crowdsecurity/CVE-2019-18935
INFO[16-07-2023 22:43:27] crowdsecurity/http-cve : OK
WARN[16-07-2023 22:43:27] crowdsecurity/http-cve : overwrite
INFO[16-07-2023 22:43:27] Enabled collections : crowdsecurity/http-cve
INFO[16-07-2023 22:43:27] crowdsecurity/base-http-scenarios : OK
WARN[16-07-2023 22:43:27] crowdsecurity/base-http-scenarios : overwrite
INFO[16-07-2023 22:43:27] /usr/local/etc/crowdsec/collections/http-cve.yaml already exists.
INFO[16-07-2023 22:43:27] Enabled collections : crowdsecurity/base-http-scenarios
INFO[16-07-2023 22:43:27] crowdsecurity/apache2 : OK
INFO[16-07-2023 22:43:27] /usr/local/etc/crowdsec/collections/http-cve.yaml already exists.
INFO[16-07-2023 22:43:27] /usr/local/etc/crowdsec/collections/base-http-scenarios.yaml already exists.
INFO[16-07-2023 22:43:27] Enabled collections : crowdsecurity/apache2
INFO[16-07-2023 22:43:27] Enabled crowdsecurity/apache2
INFO[16-07-2023 22:43:27] Run 'sudo service crowdsec reload' for the new configuration to be effective.

Reload so the new scenarios are taken into account:

service crowdsec reload

List the scenarios:

/root: cscli scenarios list
WARN[16-07-2023 22:47:15] Crowdsec is not the latest version. Current version is 'v1.5.1' and the latest stable version is 'v1.5.2'. Please update it!
WARN[16-07-2023 22:47:15] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.5.2

SCENARIOS
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                               📦 Status   Version   Local Path
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/CVE-2019-18935                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2019-18935.yaml
 crowdsecurity/CVE-2022-26134                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2022-26134.yaml
 crowdsecurity/CVE-2022-35914                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2022-35914.yaml
 crowdsecurity/CVE-2022-37042                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2022-37042.yaml
 crowdsecurity/CVE-2022-40684                       ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/CVE-2022-40684.yaml
 crowdsecurity/CVE-2022-41082                       ✔️ enabled   0.3       /usr/local/etc/crowdsec/scenarios/CVE-2022-41082.yaml
 crowdsecurity/CVE-2022-41697                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2022-41697.yaml
 crowdsecurity/CVE-2022-42889                       ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/CVE-2022-42889.yaml
 crowdsecurity/CVE-2022-44877                       ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/CVE-2022-44877.yaml
 crowdsecurity/CVE-2022-46169                       ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/CVE-2022-46169.yaml
 crowdsecurity/apache_log4j2_cve-2021-44228         ✔️ enabled   0.4       /usr/local/etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
 crowdsecurity/ban-defcon-drop_range                ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/ban-defcon-drop_range.yaml
 crowdsecurity/f5-big-ip-cve-2020-5902              ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
 crowdsecurity/fortinet-cve-2018-13379              ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
 crowdsecurity/grafana-cve-2021-43798               ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
 crowdsecurity/http-backdoors-attempts              ✔️ enabled   0.3       /usr/local/etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-bad-user-agent                  ✔️ enabled   0.7       /usr/local/etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics               ✔️ enabled   0.3       /usr/local/etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/http-cve-2021-41773                  ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/http-cve-2021-41773.yaml
 crowdsecurity/http-cve-2021-42013                  ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/http-cve-2021-42013.yaml
 crowdsecurity/http-generic-bf                      ✔️ enabled   0.4       /usr/local/etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/http-open-proxy                      ✔️ enabled   0.3       /usr/local/etc/crowdsec/scenarios/http-open-proxy.yaml
 crowdsecurity/http-path-traversal-probing          ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/http-path-traversal-probing.yaml
 crowdsecurity/http-probing                         ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-sensitive-files                 ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/http-sqli-probing                    ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/http-sqli-probing.yaml
 crowdsecurity/http-xss-probing                     ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/http-xss-probing.yaml
 crowdsecurity/jira_cve-2021-26086                  ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
 crowdsecurity/pulse-secure-sslvpn-cve-2019-11510   ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
 crowdsecurity/spring4shell_cve-2022-22965          ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml
 crowdsecurity/ssh-bf                               ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/ssh-slow-bf                          ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/ssh-slow-bf.yaml
 crowdsecurity/thinkphp-cve-2018-20062              ✔️ enabled   0.3       /usr/local/etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
 crowdsecurity/vmware-cve-2022-22954                ✔️ enabled   0.2       /usr/local/etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml
 crowdsecurity/vmware-vcenter-vmsa-2021-0027        ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
 ltsich/http-w00tw00t                               ✔️ enabled   0.1       /usr/local/etc/crowdsec/scenarios/http-w00tw00t.yaml
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────