CrowdSec - an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network.

Overview

CrowdSec





📚 Documentation 💠 Configuration Hub 💬 Discourse (Forum) 💬 Gitter (Live chat)

💃 This is a community driven project, we need your feedback.

<TL;DR>

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once a threat is detected you can remedy it with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.

2 mins install

Installing it through your OS's package system is the easiest way to proceed. Otherwise, to install from source, run in a shell:

git clone https://github.com/crowdsecurity/crowdsec.git
cd crowdsec && ./wizard.sh -i

ℹ️ About the CrowdSec project

Crowdsec is an open-source, lightweight software that detects peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier to entry and nevertheless a high security gain.

Processing is done in 4 steps:

CrowdSec

Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, the scenario triggered and the timestamp are sent for curation, to avoid poisoning & false positives (this can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.

Outnumbering hackers all together

By sharing the threats they faced, all users protect each other (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.

CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted to most contexts, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.

👉 What it is not

CrowdSec is not a SIEM and does not store your logs (neither locally nor remotely). Your data is analyzed locally and forgotten.

Signals sent to the curation platform are limited to the strict minimum: IP, scenario, timestamp. They are only used to let the system spot new rogue IPs and rule out false positives or poisoning attempts.

⬇️ Install it !

Crowdsec is available for various platforms :

Or look directly at installation documentation for other methods.

🎉 Key benefits

Fast assisted installation, no technical barrier

Initial configuration is automated, providing a functional out-of-the-box setup.

Out of the box detection

Baseline detection is effective out-of-the-box, no fine-tuning required.

Easy bouncer deployment

It's trivial to add bouncers to enforce crowdsec's decisions.

Easy dashboard access

It's easy to deploy a metabase interface to view your data simply with cscli.

Hot & Cold logs

Process cold logs, for forensics, tests and chasing false positives & false negatives.

📦 About this repository

This repository contains the code for the two main components of crowdsec:

  • crowdsec: the daemon à la fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks.
  • cscli: the CLI tool mainly used to interact with crowdsec: ban/unban/view current bans, enable/disable parsers and scenarios.
Issues
  • Can't use mysql 8 DB


    What happened?

    -- Unit crowdsec.service has begun starting up.
    Jul 31 13:10:24 russiaws.ru crowdsec[2512174]: time="31-07-2022 13:10:24" level=fatal msg="unable to create database client: failed creating schema resources: dial tcp 127.0.0.1:3310: connect: connection refused"
    Jul 31 13:10:24 russiaws.ru systemd[1]: crowdsec.service: Control process exited, code=exited status=1
    Jul 31 13:10:24 russiaws.ru systemd[1]: crowdsec.service: Failed with result 'exit-code'.
    -- Subject: Unit failed

    What did you expect to happen?

    work fine

    How can we reproduce it (as minimally and precisely as possible)?

    According with manual I made DB named crowdsec and made mysql user crowdsec with password crowdsec with grant all rights. MySQL not in docker.

    Anything else we need to know?

    my config

    db_config:
      log_level: info
      type: mysql
      #db_path: /var/lib/crowdsec/data/crowdsec.db
      #max_open_conns: 100
      user: crowdsec
      password: crowdsec
      db_name: crowdsec
      host: 127.0.0.1
      port: 3310
      flush:
        max_items: 5000000
        max_age: 4d

    Crowdsec version

    2022/07/31 13:17:30 version: v1.4.1-el8-rpm-e1954adc325baa9e3420c324caabd50b7074dd77
    2022/07/31 13:17:30 Codename: alphaga
    2022/07/31 13:17:30 BuildDate: 2022-07-25_09:53:23
    2022/07/31 13:17:30 GoVersion: 1.17.5
    2022/07/31 13:17:30 Platform: linux
    2022/07/31 13:17:30 Constraint_parser: >= 1.0, <= 2.0
    2022/07/31 13:17:30 Constraint_scenario: >= 1.0, < 3.0
    2022/07/31 13:17:30 Constraint_api: v1
    2022/07/31 13:17:30 Constraint_acquis: >= 1.0, < 2.0

    OS version

    NAME="AlmaLinux"
    VERSION="8.6 (Sky Tiger)"
    ID="almalinux"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="8.6"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="AlmaLinux 8.6 (Sky Tiger)"
    ANSI_COLOR="0;34"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
    HOME_URL="https://almalinux.org/"
    DOCUMENTATION_URL="https://wiki.almalinux.org/"
    BUG_REPORT_URL="https://bugs.almalinux.org/"
    ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
    ALMALINUX_MANTISBT_PROJECT_VERSION="8.6"
    REDHAT_SUPPORT_PRODUCT="AlmaLinux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.6"


    bug 
    opened by AdzerKI 28
  • FreeBSD support


    opened by sbz 24
  • Bug/crowdsec.service crashing


    Can somebody point me in the right direction to solve this issue?

    After successfully getting the multi machine setup working I noticed that crowdsec.service was crashing on my master machine. Probably some kind of malconfig issue as I'm just getting started with crowdsec.

    I installed from repo on Ubuntu 16/18 LTS VPS servers. My setup is one master machine with the api and one client with no api connecting to the master. And I only use the cs-firewall-bouncer. I did some successful tests using cscli decisions add -i 123.123.123.123 on the master and saw that the client was getting the decision and blocking the IP in the firewall... so I was thrilled, it works great.

    But then after 20 minutes crowdsec.service crashed on the master. Now it crashes regularly every 20-30 minutes...

    Below is what is reported:

    time="28-03-2021 13:24:39" level=error msg="crowdsec - goroutine crowdsec/controllersV1/FindAlerts crashed : client disconnected"
    time="28-03-2021 13:24:39" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/"
    time="28-03-2021 13:24:39" level=error msg="stacktrace/report is written to /tmp/crowdsec-crash.707091172.txt : please join it to your issue"
    time="28-03-2021 13:24:39" level=fatal msg="crowdsec stopped"

    The contents of /tmp/crowdsec-crash.707091172.txt


    bug 
    opened by shaundma 20
  • Register bouncers on container init


    This PR allows users to add bouncers on container init, rather than having to exec into the container and run cscli, for automated deployment scenarios. jq is added to the Dockerfile to support parsing cscli output.

    Supports both environment variables (in the format BOUNCER_KEY_<NAME>=<API-KEY>) and docker secrets (in the format BOUNCER_KEY_<name> with the contents <API-KEY>). Adding multiple bouncers and mixing environment and secrets are supported (though environment will take precedence in the event of conflicting names).

    The init script checks that both a name and a key value have been provided, then it checks to see if there is already an existing bouncer with that name registered (in which case it skips it), and then registers the bouncer with the NAME and KEY provided.

    This allows you to do something like:

    services:
      crowdsec:
        image: docker.io/crowdsecurity/crowdsec:latest
        container_name: crowdsec
        environment:
          - BOUNCER_KEY_traefik=mysecretkey12345
    
      bouncer-traefik:
        image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
        container_name: crowdsec-bouncer-traefik
        environment:
          - CROWDSEC_BOUNCER_API_KEY=mysecretkey12345
        depends_on:
          - crowdsec
    

    On first init of the crowdsec container the logs should output something along the lines of:

    Api key for 'traefik':
    
       mysecretkey12345
    
    Please keep this key since you will not be able to retrieve it!
    

    And cscli bouncers list should show:

    --------------------------------------------------------------
     NAME  IP ADDRESS  VALID  LAST API PULL         TYPE  VERSION 
    --------------------------------------------------------------
     traefik             ✔️   2022-03-09T20:55:12Z                
    --------------------------------------------------------------
    
    opened by thespad 15
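    The bootstrap logic this PR describes (both a name and a key must be present, an already-registered bouncer is skipped, environment beats a same-named docker secret), as a stand-alone shell illustration added here; it is not the PR's own init script. It assumes the secrets directory and the list of already-registered names are passed in, and that the real registration is done by `cscli bouncers add NAME -k KEY`; the `-o raw` CSV shape used to read existing names is an assumption.

    ```shell
    #!/bin/sh
    # Illustration (not the PR's script) of the bouncer bootstrap logic:
    # BOUNCER_KEY_<NAME>=<API-KEY> in the environment, or a docker secret
    # file <secrets_dir>/BOUNCER_KEY_<name> whose content is <API-KEY>.
    # Environment wins on a name conflict; empty names or keys are ignored.

    # collect_bouncers [secrets_dir]  ->  "name key" lines, env entries first
    collect_bouncers() {
      secrets_dir="${1:-/run/secrets}"
      {
        # environment: BOUNCER_KEY_<name>=<key>
        env | sed -n 's/^BOUNCER_KEY_\([^=]*\)=\(.*\)$/\1 \2/p'
        # docker secrets: one file per bouncer, file content is the key
        if [ -d "$secrets_dir" ]; then
          for f in "$secrets_dir"/BOUNCER_KEY_*; do
            [ -f "$f" ] || continue
            printf '%s %s\n' "${f##*/BOUNCER_KEY_}" "$(cat "$f")"
          done
        fi
      } | awk 'NF == 2 && !seen[$1]++'   # need both fields; first (env) occurrence wins
    }

    # plan_bouncers secrets_dir existing_names  ->  "register name" / "skip name"
    # existing_names is a newline-separated list of bouncers already known to LAPI.
    plan_bouncers() {
      secrets_dir="$1"
      existing="$2"
      collect_bouncers "$secrets_dir" | while read -r name key; do
        if printf '%s\n' "$existing" | grep -qxF -- "$name"; then
          printf 'skip %s\n' "$name"
        else
          printf 'register %s\n' "$name"
        fi
      done
    }

    # register_bouncers [secrets_dir]: apply the plan with cscli.
    # CSCLI may point at a stub binary for dry runs (assumption for this example).
    register_bouncers() {
      secrets_dir="${1:-/run/secrets}"
      cscli_bin="${CSCLI:-cscli}"
      # assumption: `cscli bouncers list -o raw` prints CSV with the name in column 1
      existing="$("$cscli_bin" bouncers list -o raw 2>/dev/null | awk -F, 'NR > 1 { print $1 }')"
      plan_bouncers "$secrets_dir" "$existing" | while read -r action name; do
        if [ "$action" = skip ]; then
          echo "bouncer '$name' already registered, skipping"
          continue
        fi
        key="$(collect_bouncers "$secrets_dir" | awk -v n="$name" '$1 == n { print $2 }')"
        "$cscli_bin" bouncers add "$name" -k "$key"
      done
    }
    ```
    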
  • Bug/notifications/email: Content needs <html>...</html> tags


    Describe the bug

    The default config for email notifications can trigger a high-scoring Spamassassin rule due to bare HTML without <html>...</html> enclosing tags.

    To Reproduce

    Steps to reproduce the behavior:

    1. Set up email notifications, with minimal edits to the default notifications/email.yaml
    2. Trigger an email
    3. Check the content of the solitary text/html attachment

    Expected behavior

    All reasonable attempts should be made for these emails to not look like spam.

    Technical Information (please complete the following information):

    • OS: Debian buster (currently oldstable)
    • Version: crowdsec 1.3.2 from the APT repository

    Additional context

    Spamassassin reports the following on crowdsec notification emails:

            *  3.8 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
            *      tag
    

    and indeed the only part of a crowdsec notification email starts with:

    <a href=...
    

    Now, obviously, I've gone and whitelisted (won't even go through Spamassassin processing) the crowdsec emails in question now, and I can tweak my local config file to add the missing tags (presumably also <body>), but this is a small improvement that could be made to the defaults.

    bug 
    opened by Athanasius 15
  • Output plugins


    1. New package called csplugin is added. This handles plugin discovery, feeding them config and dispatching alerts
    2. LAPI Server's controller has access to a PluginChannel, it pushes new alerts to this channel.
    3. Slack plugin is at https://github.com/sbs2001/crowdsec-slack-plugin

    Example setup

    1. In config_paths at /etc/crowdsec/config.yaml add the following:
      notification_dir: /etc/crowdsec/notifications
      plugin_dir: /etc/crowdsec/plugins

    2. At /etc/crowdsec/notifications create a file with any name, e.g. slack.yaml, with the contents:
    type: slack
    name: slacktoto
    format: |
            slacktoto
            {{range .Decisions}}
             {{.Type}} decision : {{.Value}} has triggered the scenario {{.Scenario}} and has been banned for {{.Duration}}
            {{end}}

    webhook: https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    3. In profiles.yaml register the plugin by adding the following:
    notifications:
     - slacktoto

    4. Build the plugin and put it at /etc/crowdsec/plugins with name notification-slack.
    git clone https://github.com/sbs2001/crowdsec-slack-plugin
    cd crowdsec-slack-plugin
    go build -o notification-slack && sudo cp notification-slack /etc/crowdsec/plugins/notification-slack
    sudo systemctl reload crowdsec

    Any alert matching the profile will create a notification on the slack channel.

    Note: the diff is slightly large due to some refactor in tests.

    opened by buixor 14
  • Bug Crowsec does not block IP with IPTABLES


    Hello. I have installed crowdsec in Debian. It detects SSH attacks and says ban but does not create iptables rules ...

    # cscli bouncers list

    NAME                        IP ADDRESS  VALID  LAST API PULL         TYPE  VERSION
    FirewallBouncer-1650891152              ✔️     2022-04-25T12:52:32Z

    # cscli decisions list

    | ID    | SOURCE   | SCOPE:VALUE        | REASON                    | ACTION | COUNTRY | AS                                  | EVENTS | EXPIRATION         | ALERT ID |
    | 13301 | crowdsec | Ip:153.34.238.67   | crowdsecurity/ssh-bf      | ban    | CN      | 4837 CHINA UNICOM China169 Backbone | 6      | 3h58m38.32836517s  | 11       |
    | 9     | crowdsec | Ip:195.122.226.164 | crowdsecurity/ssh-slow-bf | ban    | RU      | 8580 MTS PJSC                       | 19     | 3h47m8.780944499s  | 9        |
    | 8     | crowdsec | Ip:157.230.98.148  | crowdsecurity/ssh-slow-bf | ban    | DE      | 14061 DIGITALOCEAN-ASN              | 17     | 3h43m6.992929346s  | 8        |
    | 4     | crowdsec | Ip:176.111.173.242 | crowdsecurity/ssh-slow-bf | ban    | EE      | 213010 GigaHostingServices OU       | 11     | 3h29m24.845633943s | 4        |

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    bug 
    opened by bartounet16 13
  • High CPU on Multi-Server Setup


    What happened?

    I have a 4 node multi-server setup. All nodes are VPS linked by a wireguard VPN connection. After updating to version crowdsec 1.4.0 using the debian repo I am seeing consistently high CPU usage on the LAPI node. The 3 satellite nodes all remain at 1% to 5% cpu usage but the LAPI node ranges from 50% to 100%.

    I have attached copies of config.yaml, log file starting approx 24 hours before I upgraded, cscli metrics and an extract from top.

    I have prometheus collecting stats for grafana but don't know how to extract the data. If you can give me a pointer, I can provide these as well. Let me know if there is anything else.

    config.yaml.txt crowdsec.log metrics.txt top.txt

    What did you expect to happen?

    LAPI node cpu usage to remain at approx 5%.

    How can we reproduce it (as minimally and precisely as possible)?

    Install version 1.4.0 in a multi-server setup.

    Anything else we need to know?

    No response

    Crowdsec version

    2022/07/21 11:58:04 version: v1.4.0-debian-pragmatic-865ff5c88dd133eb81a1128f8d4765b4be0cbd22
    2022/07/21 11:58:04 Codename: alphaga
    2022/07/21 11:58:04 BuildDate: 2022-07-19_09:24:14
    2022/07/21 11:58:04 GoVersion: 1.17.5
    2022/07/21 11:58:04 Platform: linux
    2022/07/21 11:58:04 Constraint_parser: >= 1.0, <= 2.0
    2022/07/21 11:58:04 Constraint_scenario: >= 1.0, < 3.0
    2022/07/21 11:58:04 Constraint_api: v1
    2022/07/21 11:58:04 Constraint_acquis: >= 1.0, < 2.0

    OS version

    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

    Enabled collections and parsers

    crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
    crowdsecurity/http-cve,enabled,1.0,,collections
    crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
    crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
    crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
    crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
    crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
    crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
    crowdsecurity/nginx-logs,enabled,1.2,Parse nginx access and error logs,parsers
    crowdsecurity/sshd-logs,enabled,1.9,Parse openSSH logs,parsers
    crowdsecurity/syslog-logs,enabled,0.8,,parsers
    crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
    sshd-zlogs-extra.yaml,"enabled,local",n/a,,parsers
    crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
    crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
    crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
    crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
    crowdsecurity/http-backdoors-attempts,enabled,0.2,Detect attempt to common backdoors,scenarios
    crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
    crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
    crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
    crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
    crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
    crowdsecurity/http-open-proxy,enabled,0.2,Detect scan for open proxy,scenarios
    crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
    crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
    crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
    crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
    crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
    crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
    crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
    crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
    crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
    crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
    crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
    crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
    crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
    crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
    http-strict-probing.yaml,"enabled,local",n/a,,scenarios
    ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
    ssh-extra.yaml,"enabled,local",n/a,,scenarios
    ssh-strict-bf.yaml,"enabled,local",n/a,,scenarios
    whitelists-extra.yaml,"enabled,local",n/a,,postoverflows
    whitelists-monitors.yaml,"enabled,local",n/a,,postoverflows

    Acquisition config

    #Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/sjs.access.log /var/log/nginx/access.log /var/log/nginx/error.log /var/log/nginx/php7.4-fpm.log /var/log/nginx/hamish.access.log /var/log/nginx/grafana.log /var/log/nginx/weddell.access.log
    filenames:
      - /var/log/nginx/sjs.access.log
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
      - /var/log/nginx/php7.4-fpm.log
      - /var/log/nginx/hamish.access.log
      - /var/log/nginx/grafana.log
      - /var/log/nginx/weddell.access.log
    labels:
      type: nginx
    ---
    #Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
    filenames:
      - /var/log/auth.log
    labels:
      type: syslog
    ---
    #Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/messages
    filenames:
      - /var/log/syslog
      - /var/log/messages
    labels:
      type: syslog
    ---

    Config show

    Global:
       - Configuration Folder : /etc/crowdsec
       - Data Folder : /var/lib/crowdsec/data
       - Hub Folder : /etc/crowdsec/hub
       - Simulation File : /etc/crowdsec/simulation.yaml
       - Log Folder : /var/log/
       - Log level : info
       - Log Media : file
    Crowdsec:
       - Acquisition File : /etc/crowdsec/acquis.yaml
       - Parsers routines : 1
    cscli:
       - Output : human
       - Hub Branch :
       - Hub Folder : /etc/crowdsec/hub
    Local API Server:
       - Listen URL : 10.90.80.11:8080
       - Profile File : /etc/crowdsec/profiles.yaml
       - Trusted IPs:
          - 127.0.0.1
          - ::1
       - Database:
          - Type : sqlite
          - Path : /var/lib/crowdsec/data/crowdsec.db
          - Flush age : 7d
          - Flush size : 5000

    Prometheus metrics

    No response

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

    Custom SSH Parser - [sshd-zlogs-extra.yaml.txt](https://github.com/crowdsecurity/crowdsec/files/9158831/sshd-zlogs-extra.yaml.txt)

    Custom Scenarios - ssh-strict-bf.yaml.txt ssh-extra.yaml.txt http-strict-probing.yaml.txt

    bug 
    opened by lleddewk 12
  • Bug/failed to parse ingress-nginx logs in kubernetes


    Describe the bug

    Crowdsec can't parse ingress-nginx logs

    To Reproduce

    Official guide on how to install crowdsec to k8s

    Expected behavior

    Logs should be parsed

    Screenshots

    / # cscli metrics
    INFO[28-01-2022 10:53:23 AM] Acquisition Metrics:                         
    +-------------------------------------------------------------------------------------------------------------------------------------------------------+------------+--------------+----------------+------------------------+
    |                                                                        SOURCE                                                                         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
    +-------------------------------------------------------------------------------------------------------------------------------------------------------+------------+--------------+----------------+------------------------+
    | file:/var/log/containers/ingress-nginx-controller-79pmx_ingress-nginx_controller-dcb11eee7ff5827ada9d1d174383acb9608d529681410b71f586a3dc7626832c.log |        309 | -            |            309 | -                      |
    +-------------------------------------------------------------------------------------------------------------------------------------------------------+------------+--------------+----------------+------------------------+
    INFO[28-01-2022 10:53:23 AM] Parser Metrics:                              
    +--------------------------------+------+--------+----------+
    |            PARSERS             | HITS | PARSED | UNPARSED |
    +--------------------------------+------+--------+----------+
    | child-crowdsecurity/nginx-logs |  618 | -      |      618 |
    | crowdsecurity/docker-logs      |  309 |    309 | -        |
    | crowdsecurity/nginx-logs       |  309 | -      |      309 |
    +--------------------------------+------+--------+----------+
    

    Technical Information (please complete the following information):

    • k3s 1.23.1
    • crowdsec helm chart 0.2.1
    • ingress-nginx 1.1.1

    Additional context

    Sample log line from ingress-nginx:

    2022-01-28T13:47:49.354767118+03:00 stdout F 69.162.124.232 - - [28/Jan/2022:10:47:49 +0000] "HEAD / HTTP/1.1" 308 0 "https://example.org" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" 402 0.000 [example-wikijs-3000] [] - - - - 36dc88f75402b20189f5506c338d06c6

    bug 
    opened by rlex 10
  • crowdsecurity/iptables, iptables-scan-multi_ports never alerts on scan


    I spent many hours prior to posting this due to being a brand new user and feeling quite sure I'm doing something wrong. But I can't figure out what.

    Debian 11.1, Ubuntu 20.04.3 LTS

    I'm scanning the crowdsec machine with kali / nmap and tail -f kern.log, watching the packets pour in to the log. I have tried on debian and ubuntu. I must be missing something basic. Posting here as a plea for help, or in case this is a legit issue. So excited to use this great tool, thank you!

    example nmap command

    nmap -p 1-65535 -T4 -A -v 192.168.1.2
    

    In your tutorial: https://docs.crowdsec.net/docs/scenarios/create

    You show kernel output:

    Aug 20 16:20:09 mantis kernel: [887475.435839] DROP: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.23 DST=192.168.1.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29037 DF PROTO=TCP SPT=39158 DPT=3389 WINDOW=65495 RES=0x00 SYN URGP=0 
    

    ~~My rule, below, which is modeled off the recommended rule here: https://hub.crowdsec.net/author/crowdsecurity/configurations/iptables-logs , does not prepend the log entry with "DROP:", but is otherwise identical.~~

    Iptables rule

    iptables -A INPUT -m state --state NEW -m comment --comment "Log new connections" -j LOG
    

    The only alert I ever see is:

    cscli alerts list
    +----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
    | ID |            VALUE             |        REASON         | COUNTRY | AS | DECISIONS |          CREATED AT           |
    +----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
    |  1 | crowdsec/community-blocklist | update : +1287/-1 IPs |         |    | ban:1287  | 2021-12-12 21:54:14 +0000 UTC |
    +----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
    
    cscli parsers list
    -------------------------------------------------------------------------------------------------------------
     NAME                            📦 STATUS   VERSION  LOCAL PATH                                             
    -------------------------------------------------------------------------------------------------------------
     crowdsecurity/sshd-logs         ✔️  enabled  1.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         
     crowdsecurity/iptables-logs     ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml   
     crowdsecurity/syslog-logs       ✔️  enabled  0.7      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         
     crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       
     crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml 
     crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     
    -------------------------------------------------------------------------------------------------------------
    
    cscli scenarios list
    ----------------------------------------------------------------------------------------------------------------------
     NAME                                     📦 STATUS   VERSION  LOCAL PATH                                             
    ----------------------------------------------------------------------------------------------------------------------
     crowdsecurity/ssh-bf                     ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml                    
     crowdsecurity/ssh-slow-bf                ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml               
     crowdsecurity/iptables-scan-multi_ports  ✔️  enabled  0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
    ----------------------------------------------------------------------------------------------------------------------
    
    cscli metrics
    INFO[12-12-2021 10:24:15 PM] Acquisition Metrics:                         
    +------------------------+------------+--------------+----------------+------------------------+
    |         SOURCE         | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
    +------------------------+------------+--------------+----------------+------------------------+
    | file:/var/log/kern.log |       2041 |         2024 |             17 | -                      |
    | file:/var/log/syslog   |       2116 |         2024 |             92 | -                      |
    +------------------------+------------+--------------+----------------+------------------------+
    INFO[12-12-2021 10:24:15 PM] Parser Metrics:                              
    +--------------------------------+------+--------+----------+
    |            PARSERS             | HITS | PARSED | UNPARSED |
    +--------------------------------+------+--------+----------+
    | crowdsecurity/dateparse-enrich | 4048 |   4048 | -        |
    | crowdsecurity/geoip-enrich     | 4048 |   4048 | -        |
    | crowdsecurity/iptables-logs    | 4080 |   4048 |       32 |
    | crowdsecurity/syslog-logs      | 4157 |   4157 | -        |
    | crowdsecurity/whitelists       | 4048 |   4048 | -        |
    +--------------------------------+------+--------+----------+
    INFO[12-12-2021 10:24:15 PM] Local Api Metrics:                           
    +--------------------+--------+------+
    |       ROUTE        | METHOD | HITS |
    +--------------------+--------+------+
    | /v1/alerts         | GET    |    1 |
    | /v1/watchers/login | POST   |    5 |
    +--------------------+--------+------+
    INFO[12-12-2021 10:24:15 PM] Local Api Machines Metrics: 
    
    bug 
    opened by Mist-Hunter 10
  • Enable detection of `httpd`

    Enable detection of `httpd`

    Fixes #195

    • [x] Fix httpd service discovery on RH based distros.

    • [x] Make installation process for httpd work.

    Signed-off-by: Shivam Sandbhor [email protected]

    opened by sbs2001 10
  • Blackhole new behaviour and add support for WAL when using sqlite

    Blackhole new behaviour and add support for WAL when using sqlite

    • Allow to enable WAL when using sqlite
    • Change blackhole behaviour: previously, a bucket would have been created even if the overflow would be discarded in the end. This could lead to a lot of useless buckets being created and tracked.

    The new behaviour prevents the bucket creation if the scenario is blackholed.

    This slightly changes the meaning of blackhole: before, a new bucket would be created and events poured into it; if the blackhole expired before it was full enough to overflow, it would be allowed to overflow normally. Now, the bucket will not be created in the first place, which means that some overflows that would have happened with the old behaviour will not happen now (this is likely not an issue in real life).

    opened by blotus 2
  • Possible delay in logs processing

    Possible delay in logs processing

    What happened?

    Event records in sqlite database are created in batches (as if they are accumulated for some time and only then are flushed). Then, it looks like crowdsec makes decisions based on the record creation time, not the time from logs. As a result, the system triggers bans counting very old events.

    What did you expect to happen?

    Making decisions crowdsec should take into account the time field from its sqlite3 database, table events.

    How can we reproduce it (as minimally and precisely as possible)?

    Not sure, complete description below.

    Anything else we need to know?

    First of all, I have to note that my servers have lots of free resources, there are no lags and I see in real time that logs are generated without delay.

    When I tried to introduce crowdsec, I noticed weird records in its logs. In my scenarios, I use leaky buckets with a capacity of 10 and 1-minute leakspeed. Mostly it banned for 11 events in less than 1 minute. But sometimes I saw records like 15 events over 8m21.82413899s which should have never taken place. And "sometimes" means a lot of false positives. Examining the case, I found out the events in the sqlite db have different created_at / updated_at and time dates. It looks to me that (for some reason) crowdsec doesn't process my logs in real time. Again, I see logs written to the local files and remote syslog server without delay, and crowdsec is not utilizing 100% of CPU and is not reloading or restarting.

    The same thing happens with syslog data source as well as journald.

    Tried using cache_size as suggested here https://github.com/crowdsecurity/crowdsec/issues/1464 with no effect

    Considering that past events can get into the database after some time, I would like to have a function that allows crowdsec to rely on the time from logs and not the creation time of db entries.

    Below is an example of logs and relevant db records (local time UTC+3).

    Crowdsec version

    $ cscli version
    2022/08/05 15:48:59 version: v1.4.1-debian-pragmatic-e1954adc325baa9e3420c324caabd50b7074dd77
    2022/08/05 15:48:59 Codename: alphaga
    2022/08/05 15:48:59 BuildDate: 2022-07-25_09:19:19
    2022/08/05 15:48:59 GoVersion: 1.17.5
    2022/08/05 15:48:59 Platform: linux
    2022/08/05 15:48:59 Constraint_parser: >= 1.0, <= 2.0
    2022/08/05 15:48:59 Constraint_scenario: >= 1.0, < 3.0
    2022/08/05 15:48:59 Constraint_api: v1
    2022/08/05 15:48:59 Constraint_acquis: >= 1.0, < 2.0
    

    OS version

    # On Linux:
    $ cat /etc/os-release
    NAME="Ubuntu"
    VERSION="18.04.6 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.6 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    $ uname -a
    Linux host_name 5.4.0-121-generic #137~18.04.1-Ubuntu SMP Mon Jun 20 07:25:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    # On Windows:
    C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
    # paste output here
    

    Enabled collections and parsers

    $ cscli hub list -o raw
    my_nginx.yaml,"enabled,local",n/a,,collections
    my_ssh.yaml,"enabled,local",n/a,,collections
    my_vsftpd.yaml,"enabled,local",n/a,,collections
    crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
    crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
    crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
    crowdsecurity/syslog-logs,"enabled,tainted",?,,parsers
    crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
    my_ftp_parser.yaml,"enabled,local",n/a,,parsers
    my_nginx_parser.yaml,"enabled,local",n/a,,parsers
    my_ssh_parser.yaml,"enabled,local",n/a,,parsers
    whitelist.yaml,"enabled,local",n/a,,parsers
    my_ftp_script.yaml,"enabled,local",n/a,,scenarios
    my_nginx_script.yaml,"enabled,local",n/a,,scenarios
    my_ssh_script.yaml,"enabled,local",n/a,,scenarios
    local-whitelist.yaml,"enabled,local",n/a,,postoverflows
    

    Acquisition config

    # On Linux:
    $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
    journalctl_filter:
      - _SYSTEMD_UNIT=vsftpd.service
    labels:
      type: ftp
    ---
    journalctl_filter:
      - _SYSTEMD_UNIT=ssh.service
    labels:
      type: ssh
    ---
    source: syslog
    listen_addr: 127.0.0.1
    listen_port: 1108
    labels:
      type: nginx
    ---
    cat: '/etc/crowdsec/acquis.d/*': No such file or directory
    
    # On Windows:
    C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
    # paste output here

    Config show

    $ cscli config show
    Global:
       - Configuration Folder   : /etc/crowdsec
       - Data Folder            : /var/lib/crowdsec/data
       - Hub Folder             : /etc/crowdsec/hub
       - Simulation File        : /etc/crowdsec/simulation.yaml
       - Log Folder             : /var/log/
       - Log level              : info
       - Log Media              : file
    Crowdsec:
      - Acquisition File        : /etc/crowdsec/acquis.yaml
      - Parsers routines        : 1
    cscli:
      - Output                  : human
      - Hub Branch              :
      - Hub Folder              : /etc/crowdsec/hub
    Local API Server:
      - Listen URL              : 127.0.0.1:8080
      - Profile File            : /etc/crowdsec/profiles.yaml
      - Trusted IPs:
          - 127.0.0.1
          - ::1
      - Database:
          - Type                : sqlite
          - Path                : /var/lib/crowdsec/data/crowdsec.db
          - Flush age           : 2d
          - Flush size          : 5000000
    

    Prometheus metrics

    $ cscli metrics
    INFO[05-08-2022 04:25:01 PM] Buckets Metrics:
    +--------------------------+---------------+-----------+--------------+--------+---------+
    |          BUCKET          | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
    +--------------------------+---------------+-----------+--------------+--------+---------+
    | my/ftp_script            | 3             | 598       | 2.05k        | 9.71k  | 1.45k   |
    | my/ftp_slow_brute_script | 18            | 7         | 1.33k        | 9.71k  | 1.30k   |
    | my/nginx_button_script   | 155           | 1.95M     | 2.18M        | 22.24M | 224.36k |
    | my/nginx_proxy_script    | 331           | 79.84k    | 311.34k      | 1.40M  | 231.17k |
    | my/nginx_status_script   | -             | 107       | 13.98k       | 35.52k | 13.87k  |
    | my/ssh_script            | 4             | 73        | 4.20k        | 29.19k | 4.13k   |
    | my/ssh_slow_brute_script | 25            | 40        | 2.46k        | 29.19k | 2.39k   |
    +--------------------------+---------------+-----------+--------------+--------+---------+
    INFO[05-08-2022 04:25:01 PM] Acquisition Metrics:
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    |                       SOURCE                       | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    | journalctl:journalctl-_SYSTEMD_UNIT=ssh.service    | 211.26k    | 29.23k       | 182.04k        | 58.37k                 |
    | journalctl:journalctl-_SYSTEMD_UNIT=vsftpd.service | 2.39M      | 9.72k        | 2.38M          | 19.41k                 |
    | syslog:127.0.0.1                                   | 156.28M    | 34.64M       | 121.64M        | 23.67M                 |
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    INFO[05-08-2022 04:25:01 PM] Parser Metrics:
    +--------------------------+---------+---------+----------+
    |         PARSERS          |  HITS   | PARSED  | UNPARSED |
    +--------------------------+---------+---------+----------+
    | child-my/ftp_parser      | 2.39M   | 9.72k   | 2.38M    |
    | child-my/nginx_parser    | 465.67M | 34.64M  | 431.03M  |
    | child-my/ssh_parser      | 411.12k | 29.23k  | 381.89k  |
    | crowdsecurity/non-syslog | 158.88M | 158.88M | -        |
    | my/ftp_parser            | 2.39M   | 9.72k   | 2.38M    |
    | my/local_whitelist       | 99.25k  | 99.25k  | -        |
    | my/nginx_parser          | 156.28M | 34.64M  | 121.64M  |
    | my/ssh_parser            | 211.26k | 29.23k  | 182.04k  |
    | my/whitelist             | 34.68M  | 34.68M  | -        |
    | my/whitelist_trusted     | 34.68M  | 34.68M  | -        |
    +--------------------------+---------+---------+----------+
    INFO[05-08-2022 04:25:01 PM] Local Api Metrics:
    +-------------------------+--------+-------+
    |          ROUTE          | METHOD | HITS  |
    +-------------------------+--------+-------+
    | /credits-site-offers/.* | PURGE  | 15    |
    | /credits-site-one/.*    | PURGE  | 1     |
    | /v1/alerts              | POST   | 80981 |
    | /v1/decisions/stream    | GET    | 55234 |
    | /v1/heartbeat           | GET    | 9205  |
    | /v1/watchers/login      | POST   | 159   |
    +-------------------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Machines Metrics:
    +--------------------------------------------------+---------------+--------+-------+
    |                     MACHINE                      |     ROUTE     | METHOD | HITS  |
    +--------------------------------------------------+---------------+--------+-------+
    | c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH | /v1/heartbeat | GET    | 9205  |
    | c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH | /v1/alerts    | POST   | 80981 |
    +--------------------------------------------------+---------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Bouncers Metrics:
    +----------------------------+----------------------+--------+-------+
    |          BOUNCER           |        ROUTE         | METHOD | HITS  |
    +----------------------------+----------------------+--------+-------+
    | FirewallBouncer-1658923396 | /v1/decisions/stream | GET    | 55234 |
    +----------------------------+----------------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Decisions:
    +--------------------------+----------+--------+-------+
    |          REASON          |  ORIGIN  | ACTION | COUNT |
    +--------------------------+----------+--------+-------+
    | my/ssh_slow_brute_script | crowdsec | ban    | 1     |
    | my/ftp_script            | crowdsec | ban    | 9     |
    | my/nginx_button_script   | crowdsec | ban    | 15    |
    | my/nginx_proxy_script    | crowdsec | ban    | 72    |
    | my/ssh_script            | crowdsec | ban    | 3     |
    +--------------------------+----------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Alerts:
    +--------------------------+-------+
    |          REASON          | COUNT |
    +--------------------------+-------+
    | my/ftp_script            | 95    |
    | my/ftp_slow_brute_script | 4     |
    | my/nginx_button_script   | 581   |
    | my/nginx_proxy_script    | 3812  |
    | my/ssh_script            | 24    |
    | my/ssh_slow_brute_script | 9     |
    +--------------------------+-------+
    

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

    $ grep 51.75.166.15 /var/log/crowdsec.log  | grep "05-08-2022"
    time="05-08-2022 13:06:04" level=info msg="Ip 51.75.166.15 performed 'my/nginx_button_script' (173 events over 4h35m50.833866353s) at 2022-08-05 10:06:04.165278018 +0000 UTC"
    time="05-08-2022 13:06:04" level=info msg="(c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH/crowdsec) my/nginx_button_script by ip 51.75.166.15 : 1h ban on Ip 51.75.166.15"
    time="05-08-2022 16:19:13" level=info msg="Ip 51.75.166.15 performed 'my/nginx_button_script' (18 events over 8m35.482457865s) at 2022-08-05 13:19:13.536115242 +0000 UTC"
    time="05-08-2022 16:19:14" level=info msg="(c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH/crowdsec) my/nginx_button_script by ip 51.75.166.15 : 1h ban on Ip 51.75.166.15"
    
    $ sqlite3 /var/lib/crowdsec/data/crowdsec.db
    sqlite> select * from events where serialized like '%51.75.166.15%';
    1464440|2022-08-05 10:06:04.170914908+00:00|2022-08-05 10:06:04.170915108+00:00|2022-08-05 09:59:35.803555621+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464441|2022-08-05 10:06:04.170915658+00:00|2022-08-05 10:06:04.170915798+00:00|2022-08-05 10:03:24.183895395+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464442|2022-08-05 10:06:04.170916038+00:00|2022-08-05 10:06:04.170916188+00:00|2022-08-05 10:03:24.51312344+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464443|2022-08-05 10:06:04.170916418+00:00|2022-08-05 10:06:04.170916548+00:00|2022-08-05 10:03:37.830518321+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464444|2022-08-05 10:06:04.170916778+00:00|2022-08-05 10:06:04.170916918+00:00|2022-08-05 10:03:38.164442578+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464445|2022-08-05 10:06:04.170917148+00:00|2022-08-05 10:06:04.170917278+00:00|2022-08-05 10:04:26.884540776+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464446|2022-08-05 10:06:04.170917518+00:00|2022-08-05 10:06:04.170917638+00:00|2022-08-05 10:04:27.233135766+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464447|2022-08-05 10:06:04.170917868+00:00|2022-08-05 10:06:04.170918068+00:00|2022-08-05 10:05:18.422935082+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464448|2022-08-05 10:06:04.170918308+00:00|2022-08-05 10:06:04.170918438+00:00|2022-08-05 10:05:18.718767843+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464449|2022-08-05 10:06:04.170918678+00:00|2022-08-05 10:06:04.170918808+00:00|2022-08-05 10:06:03.817144863+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464450|2022-08-05 10:06:04.170919008+00:00|2022-08-05 10:06:04.170919138+00:00|2022-08-05 10:06:04.164888438+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1467590|2022-08-05 13:19:14.170761756+00:00|2022-08-05 13:19:14.170761916+00:00|2022-08-05 13:14:21.658032638+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467591|2022-08-05 13:19:14.170762426+00:00|2022-08-05 13:19:14.170762536+00:00|2022-08-05 13:14:45.588505246+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467592|2022-08-05 13:19:14.170762826+00:00|2022-08-05 13:19:14.170762926+00:00|2022-08-05 13:14:45.915124564+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467593|2022-08-05 13:19:14.170763086+00:00|2022-08-05 13:19:14.170763216+00:00|2022-08-05 13:16:17.626209489+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467594|2022-08-05 13:19:14.170763366+00:00|2022-08-05 13:19:14.170763586+00:00|2022-08-05 13:16:17.967371233+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467595|2022-08-05 13:19:14.170763756+00:00|2022-08-05 13:19:14.170763846+00:00|2022-08-05 13:16:54.867314065+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467596|2022-08-05 13:19:14.170763996+00:00|2022-08-05 13:19:14.170764086+00:00|2022-08-05 13:16:55.196026272+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467597|2022-08-05 13:19:14.170764226+00:00|2022-08-05 13:19:14.170764316+00:00|2022-08-05 13:18:55.488550354+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467598|2022-08-05 13:19:14.170764456+00:00|2022-08-05 13:19:14.170764546+00:00|2022-08-05 13:18:55.819360088+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467599|2022-08-05 13:19:14.170764686+00:00|2022-08-05 13:19:14.170764776+00:00|2022-08-05 13:19:13.114883349+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467600|2022-08-05 13:19:14.170764926+00:00|2022-08-05 13:19:14.170765026+00:00|2022-08-05 13:19:13.535783484+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    
    bug 
    opened by dudukakz 7
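    The mismatch this issue describes, as an added example that is neither part of the issue nor CrowdSec's own code: a simplified leaky-bucket model (capacity 10, leakspeed 1m, overflow on the 11th held event) is fed the same 15 constructed events twice, once clocked by the timestamp parsed from each log line and once by the single batched arrival time at which all 15 reach the engine. Only the second run overflows, and it reports an "N events over M minutes" span that the log timestamps alone could never produce.

    ```go
    package main

    import (
    	"fmt"
    	"time"
    )

    // Event is one parsed log line. LogTime is the timestamp parsed from the
    // line itself; Arrival is when the engine actually got to pour it. For a
    // batched source the two can be minutes apart, as in the DB rows above.
    type Event struct {
    	LogTime time.Time
    	Arrival time.Time
    }

    // Bucket is a simplified leaky bucket with CrowdSec-style semantics: one
    // event leaks out every LeakSpeed and the bucket overflows when it holds
    // more than Capacity events. It is a model for illustration, not
    // CrowdSec's implementation.
    type Bucket struct {
    	Capacity  int
    	LeakSpeed time.Duration
    	level     float64
    	last      time.Time
    }

    // pour adds one event at clock time now and reports whether it overflowed.
    func (b *Bucket) pour(now time.Time) bool {
    	if !b.last.IsZero() && now.After(b.last) {
    		b.level -= float64(now.Sub(b.last)) / float64(b.LeakSpeed)
    		if b.level < 0 {
    			b.level = 0
    		}
    	}
    	b.last = now
    	b.level++
    	return b.level > float64(b.Capacity)
    }

    // Result mirrors what the crowdsec log prints on overflow: how many
    // events were counted and how far apart (by log time) they were.
    type Result struct {
    	Overflowed bool
    	Events     int
    	Span       time.Duration
    }

    // Simulate pours events in order, using clock(e) as the bucket's notion
    // of "now". Span is always measured on LogTime, which is why a wrong
    // clock yields an impossible-looking "N events over M minutes".
    func Simulate(events []Event, capacity int, leak time.Duration, clock func(Event) time.Time) Result {
    	if len(events) == 0 {
    		return Result{}
    	}
    	b := &Bucket{Capacity: capacity, LeakSpeed: leak}
    	for i, e := range events {
    		if b.pour(clock(e)) {
    			return Result{true, i + 1, e.LogTime.Sub(events[0].LogTime)}
    		}
    	}
    	last := events[len(events)-1]
    	return Result{false, len(events), last.LogTime.Sub(events[0].LogTime)}
    }

    // ByLogTime and ByArrival are the two clocks compared in the issue.
    func ByLogTime(e Event) time.Time { return e.LogTime }
    func ByArrival(e Event) time.Time { return e.Arrival }

    // SampleBatch is constructed input: 15 events from one IP, one every 35s
    // by log time, all flushed to the engine in a single batch nine minutes
    // after the first one was logged.
    func SampleBatch() []Event {
    	base := time.Date(2022, 8, 5, 10, 0, 0, 0, time.UTC)
    	flush := base.Add(9 * time.Minute)
    	evts := make([]Event, 15)
    	for i := range evts {
    		evts[i] = Event{LogTime: base.Add(time.Duration(i) * 35 * time.Second), Arrival: flush}
    	}
    	return evts
    }

    func main() {
    	clocks := []struct {
    		name  string
    		clock func(Event) time.Time
    	}{{"log time", ByLogTime}, {"arrival", ByArrival}}
    	for _, c := range clocks {
    		r := Simulate(SampleBatch(), 10, time.Minute, c.clock)
    		fmt.Printf("clock=%-9s overflow=%-5v %d events over %s\n", c.name, r.Overflowed, r.Events, r.Span)
    	}
    }
    ```

    Clocked by log time the bucket never rises above about 7 (each 35s gap leaks 0.58 of an event), so no ban; clocked by arrival, nothing leaks and the 11th event overflows with a 5m50s span.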
  • Improvement - Pass evt.Parsed to the postoverflow event

    Improvement - Pass evt.Parsed to the postoverflow event

    What would you like to be added?

    Pass the evt.Parsed variable to the postoverflow event.

    Why is this needed?

    I think it can be very useful if the evt.Parsed variable is passed to the postoverflow event. This would make it possible to e.g. whitelist individual scenarios based on conditions of evt.Parsed. Currently I don't see any other way to whitelist for example http-crawl-non_statics only on a certain traefik route.

    enhancement 
    opened by scolastico 0
  • Crowdsec Metrics Log Valid Routes

    Crowdsec Metrics Log Valid Routes

    What happened?

    I visited the Crowdsec port via a browser and when I ran cscli metrics I saw the routes showing /favicon.ico. So it piqued my curiosity and I ran a feroxbuster scan against Crowdsec to which my cscli metrics was flooded with invalid route data.

    What did you expect to happen?

    The metric data that is collected for crowdsec only records valid requests/routes.

    How can we reproduce it (as minimally and precisely as possible)?

    (Crowdsec already running)
    Point a web scanner tool such as Nikto, gobuster or feroxbuster to the IP+PORT of crowdsec: nikto -h HTTP://<IP>:<port>/
    Run cscli metrics and see invalid data.

    Anything else we need to know?

    A user can resolve this if they have crowdsec open to the internet by using iptables to only allow known IPs through to the port.

    Crowdsec version

    2022/08/04 18:37:13 version: v1.4.1-debian-pragmatic-e1954adc325baa9e3420c324caabd50b7074dd77
    2022/08/04 18:37:13 Codename: alphaga
    2022/08/04 18:37:13 BuildDate: 2022-07-25_09:19:17
    2022/08/04 18:37:13 GoVersion: 1.17.5
    2022/08/04 18:37:13 Platform: linux
    2022/08/04 18:37:13 Constraint_parser: >= 1.0, <= 2.0
    2022/08/04 18:37:13 Constraint_scenario: >= 1.0, < 3.0
    2022/08/04 18:37:13 Constraint_api: v1
    2022/08/04 18:37:13 Constraint_acquis: >= 1.0, < 2.0

    OS version

    No response

    Enabled collections and parsers

    No response

    Acquisition config

    No response

    Config show

    No response

    Prometheus metrics

    https://pastebin.com/mdq8YzyA Output too long for me to copy and github is messing the styling

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

    No response

    bug 
    opened by LaurenceJJones 0
  • Don't suggest an item which user already mentioned

    Don't suggest an item which user already mentioned

    Old behaviour

    ❯ sudo cscli collection install crowdsecurity/apache2 crowdsecurity/
    …security/apache2              …security/freebsd         …security/mariadb              …security/odoo          …security/traefik
    

    New behaviour

    ❯ sudo cscli collection install crowdsecurity/apache2 crowdsecurity/
    …security/asterisk             …security/haproxy         …security/modsecurity          …security/opnsense      …security/vsftpd
    
    opened by sbs2001 1
Releases(v1.4.1)
  • v1.4.1(Jul 25, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • revert decision dedup behavior to 1.3.4 (#1675) @buixor
    • tls tests with bundle.pem (#1671) @mmetc
    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss
    • close response body in heartbeat (#1637) @blotus
    • fix ticker leak (#1620) @buixor
    • Fix event.timestamp pointer usage (#1621) @AlteredCoder
    • Syslog datasource: do not set UDP read buffer size (#1657) @blotus
    • Get geoip Country from other objects if not present (#1659) @AlteredCoder

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban
    • test machines_tls: remove all existing machines in setup (#1678) @mmetc
    • do not hide unit test failure (#1677) @blotus

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (35.56 MB)
    crowdsec-release-static.tgz (36.27 MB)
    crowdsec_1.4.1.msi (36.49 MB)
  • v1.4.1-rc1(Jul 22, 2022)

  • v1.4.0(Jul 19, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss
    • close response body in heartbeat (#1637) @blotus
    • fix ticker leak (#1620) @buixor
    • Fix event.timestamp pointer usage (#1621) @AlteredCoder
    • Syslog datasource: do not set UDP read buffer size (#1657) @blotus
    • Get geoip Country from other objects if not present (#1659) @AlteredCoder

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (35.56 MB)
    crowdsec-release-static.tgz (36.27 MB)
    crowdsec_1.4.0.msi (36.49 MB)
  • v1.4.0-rc5(Jul 13, 2022)

  • v1.4.0-rc4(Jul 11, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss
    • close response body in heartbeat (#1637) @blotus
    • fix ticker leak (#1620) @buixor
    • Fix event.timestamp pointer usage (#1621) @AlteredCoder

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release-static.tgz (36.27 MB)
    crowdsec_1.4.0.msi (36.48 MB)
  • v1.4.0-rc3(Jul 6, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss
    • close response body in heartbeat (#1637) @blotus
    • fix ticker leak (#1620) @buixor
    • Fix event.timestamp pointer usage (#1621) @AlteredCoder

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (35.56 MB)
    crowdsec-release-static.tgz (36.27 MB)
    crowdsec_1.4.0.msi (36.48 MB)
  • v1.4.0-rc2(Jun 29, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (35.56 MB)
    crowdsec_1.4.0.msi (36.48 MB)
    crowdsec-release-static.tgz (36.27 MB)
  • v1.4.0-rc1(Jun 23, 2022)

    New Features

    • Windows is now officially supported (#1159, #1493)
    • Easier upgrade-resilient configuration customization via .local configuration files (#1497, fix #1385)
    • Support for client authentication via certificates (for agents and bouncers) (#1428)
    • Allow dynamic (i.e. incremental) decisions duration in profiles.yaml (#1556)

    Improvements

    • cscli explain supports stdin input (#1597) @LaurenceJJones
    • add new performance related prometheus metrics in LAPI and agent (#1546) @buixor
    • new syslog parser for syslog datasource (#1554) @blotus
    • add more JSON expr helpers (#1576) @blotus
    • allow to set static to a pointer and add IsIPV6 helper (#1540) @AlteredCoder
    • add support for machine heartbeat (#1541) @buixor
    • add notifications command (#1537) @sabban
    • memory check for cscli dashboard setup (#1513) @LaurenceJJones
    • significant performance improvements (#1583) @buixor

    Bug Fixes

    • pkg/database fix count decisions since by value (#1606) @he2ss
    • support yml file (#1605) @AlteredCoder
    • docker_start: improve bash compat (#1599) @he2ss
    • fix decisions deduplication logic #1552 (#1569) @AlteredCoder
    • fix freebsd tests (#1600) @mmetc
    • fix concurrent map write on distinct cache (#1582) @buixor
    • do not rely on /proc/sys/kernel/random/uuid for portability (#1575) @blotus
    • fixed uid/gid bound check regression (#1555) @mmetc
    • do not spew.Sdump() the invalid node on error (#1550) @buixor
    • fix windows installer removing patterns folder on upgrade (#1548) @blotus
    • changed option 'alerts-tainted' (which does not exist) to 'tainted' (#1538) @mmetc
    • improved distinct/uniq behaviour & performances (#1478) @buixor
    • retry to send alert to plugin channel if it fails (#1530) @blotus
    • install config.yaml with chmod 600 (#1518) @mmetc
    • loglevel warning (#1461) @mmetc
    • fix /decisions/stream behaviour when refresh happened less often than 60s (#1517) @he2ss

    Other changes

    • simplify err.Error() to err when used in printf context (#1603) @mmetc
    • cscli explain use temp dir (#1598) @LaurenceJJones
    • CI: colored test output, colored crowdsec and crowdsec-api logs, full final db dump for mysql and sqlite (#1596) @mmetc
    • make localstack-stop target (#1593) @mmetc
    • enabled linters and fixes for: misspell, predeclared, unconvert, ineffassign, gosimple, govet (#1595) @mmetc
    • removed bats warnings (#1592) @mmetc
    • use only one name generator (#1591) @buixor
    • shellcheck (#1584) @mmetc
    • reduce verbosity of TLS auth and FlushAgentsAndBouncers (#1588) @blotus
    • functional tests, minor refactoring and lint/cleanup (#1570) @mmetc
    • fixed coverage reporting for functional tests; added cscli (#1568) @mmetc
    • allow run-tests with -f "" (#1564) @mmetc
    • codecov badge (#1562) @mmetc
    • update codeql actions (v1 is going to be deprecated) (#1563) @mmetc
    • codecov (#1561) @mmetc
    • minor cleanup; export SetHubBranch (#1559) @mmetc
    • fix coverage report (#1553) @mmetc
    • increase lint timeout for windows (#1543) @mmetc
    • some tests for misconfigured plugins (#1534) @mmetc
    • func test: replaced one-shot bin/nc with a loop (#1542) @mmetc
    • error reporting (#1501) @mmetc
    • add bats-mock to mock external commands in functional tests (#1529) @mmetc
    • test multiple notification events with the same plugin (#1539) @mmetc
    • allow to override statics in hubtest. (#1495) @blotus
    • fix docker flaky test (#1494) @blotus
    • fix #1283: update and enable error reports from golangci (#1523) @mmetc
    • avoid double output (error + log fatal) and automatic --help after each error (#1536) @mmetc
    • add single quotes to log output (#1527) @LaurenceJJones
    • optimize GetExprEnv usage (#1515) @nitescuc
    • update machineid to 1.0.2 (#1533) @blotus
    • add the ability to build on fc36 (#1524) @sabban

    Documentation related topics

    • update docker docs: filter on github.repository_owner == 'crowdsecurity' (#1511) @mmetc
    • add link to Console in README.md (#1509) @mazzma12
    • document LAPI filters (#1535) @sbs2001
    • "make localstack" target, link to docs/contributing (#1522) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec_1.4.0.msi (36.48 MB)
  • v1.3.4(Apr 29, 2022)

    Changes

    • Use lumberjack rotate (#1492) @buixor
    • Fix pipeline alert tests (#1491) @mmetc
    • Improve MySQL performance (#1477) @AlteredCoder
    • Use our own forked machineid lib (#1489) @sabban
    • Fix cwhub collections uninstall dependencies (#1486) @AlteredCoder
    • Allow to send email without auth again (#1485) @sabban
    • Fix decisions list with --no-simu flag (#1482) @AlteredCoder
    • Fix typos in docs, comments, code (#1483) @myersg86
    • Fix hub items installation (#1481) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (34.60 MB)
    crowdsec-release-static.tgz (35.30 MB)
  • v1.3.4-rc2(Apr 28, 2022)

    Changes

    • Improve MySQL performance (#1477) @AlteredCoder
    • Use our own forked machineid lib (#1489) @sabban
    • Fix cwhub collections uninstall dependencies (#1486) @AlteredCoder
    • Allow to send email without auth again (#1485) @sabban
    • Fix decisions list with --no-simu flag (#1482) @AlteredCoder
    • Fix typos in docs, comments, code (#1483) @myersg86
    • Fix hub items installation (#1481) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code (tar.gz)
    Source code (zip)
    crowdsec-release.tgz (34.60 MB)
    crowdsec-release-static.tgz (35.30 MB)
  • v1.3.4-rc1(Apr 27, 2022)

  • v1.3.3(Apr 25, 2022)

    Improvements

    • Deal with duplicate decisions (same scope, same value) while in stream mode (#1310, #1262) @sbs2001
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Publish docker image to ghcr also (#1467) @he2ss
    • Cscli: add autocompletions for hubitems (#1465) @AlteredCoder
    • Register bouncers on container init (#1341) @thespad
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Bugfixes

    • Fix journalctl deadlock on shutdown (#1468) @buixor
    • Wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Add dialect to handle pgx correctly (#1376) @umglurf
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • Deal with misconfigured post-overflow stages (#1358) @buixor
    • Refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • Allow "cscli completion..." without configuration file (#1340) @mmetc
    • Make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Send all installed scenario to LAPI (#1277) @AlteredCoder

    Minor changes

    • Fix check uid, gid values (#1309) @mmetc
    • Some noop code removal, typos and lint suggestions (#1329) @mmetc
    • Fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • Return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • Test decision list -m (#1365) @mmetc
    • Fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • Don't set logger default level twice (#1336) @mmetc
    • Fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • Deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • Update license (#1382) @sabban
    • Update rpm patch to allow build again (#1388) @sabban
    • Remove make warning "building for linux" (#1389) @mmetc
    • Skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • Install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • Fix "cscli" without arguments (#1406) @mmetc
    • Removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • Remove trailing / from cp in make release (#1416) @blotus
    • Single workflow for all tests (#1413) @mmetc
    • Bailout on incompatible duration format (#1326) @buixor
    • Bit of doc + tests for lapi stream mode (#1356) @buixor
    • Handle containers with TTY in docker acquis (#1422) @blotus
    • Int64 for metric units (#1419) @mmetc
    • Use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001
    • Docker: add enroll on startup (#1463) @he2ss
    • Cscli: add force enroll feature (#1430) @he2ss
    • Go mod update for 1.3.3 (#1462) @buixor
    • add logrotate file for debian (#1474) @sabban
    • Fix typo in cscli metrics and debug message (#1473) @AlteredCoder
    • cleanup container state if the reader tomb dies by itself (#1470 #1475) @blotus

    Special topic: improved testing

    • Overall refactor of functional tests, and now using bats (#1266 #1333 #1345 #1355 #1365 #1366 #1368 #1371 #1372 #1373 #1377 #1379 #1380 #1381 #1384 #1386 #1387 #1390 #1393 #1394 #1400 #1425 #1458 #1437 #1440 #1439 #1443 #1453 #1454 #1455 #1457 #1456 #1458) @sabban @mmetc @buixor
    • Instrument main() for coverage tests (#1399) @mmetc

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.59 MB)
  • v1.3.3-rc5(Apr 25, 2022)

    Improvements

    • Deal with duplicate decisions (same scope, same value) while in stream mode (#1310 #1262) @sbs2001
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Publish docker image to ghcr also (#1467) @he2ss
    • Cscli: add autocompletions for hubitems (#1465) @AlteredCoder
    • Register bouncers on container init (#1341) @thespad
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Bugfixes

    • Fix journalctl deadlock on shutdown (#1468) @buixor
    • Wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Add dialect to handle pgx correctly (#1376) @umglurf
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • Deal with misconfigured post-overflow stages (#1358) @buixor
    • Refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • Allow "cscli completion..." without configuration file (#1340) @mmetc
    • Make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Send all installed scenario to LAPI (#1277) @AlteredCoder

    Minor changes

    • Fix check uid, gid values (#1309) @mmetc
    • Some noop code removal, typos and lint suggestions (#1329) @mmetc
    • Fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • Return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • Test decision list -m (#1365) @mmetc
    • Fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • Don't set logger default level twice (#1336) @mmetc
    • Fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • Deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • Update license (#1382) @sabban
    • Update rpm patch to allow build again (#1388) @sabban
    • Remove make warning "building for linux" (#1389) @mmetc
    • Skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • Install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • Fix "cscli" without arguments (#1406) @mmetc
    • Removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • Remove trailing / from cp in make release (#1416) @blotus
    • Single workflow for all tests (#1413) @mmetc
    • Bailout on incompatible duration format (#1326) @buixor
    • Bit of doc + tests for lapi stream mode (#1356) @buixor
    • Handle containers with TTY in docker acquis (#1422) @blotus
    • Int64 for metric units (#1419) @mmetc
    • Use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001
    • Docker: add enroll on startup (#1463) @he2ss
    • Cscli: add force enroll feature (#1430) @he2ss
    • Go mod update for 1.3.3 (#1462) @buixor
    • add logrotate file for debian (#1474) @sabban
    • Fix typo in cscli metrics and debug message (#1473) @AlteredCoder
    • cleanup container state if the reader tomb dies by itself (#1470 #1475) @blotus

    Special topic: improved testing

    • Overall refactor of functional tests, and now using bats (#1266 #1333 #1345 #1355 #1365 #1366 #1368 #1371 #1372 #1373 #1377 #1379 #1380 #1381 #1384 #1386 #1387 #1390 #1393 #1394 #1400 #1425 #1458 #1437 #1440 #1439 #1443 #1453 #1454 #1455 #1457 #1456 #1458) @sabban @mmetc @buixor
    • Instrument main() for coverage tests (#1399) @mmetc

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.59 MB)
    crowdsec-release-static.tgz(35.30 MB)
  • v1.3.3-rc4(Apr 22, 2022)

    Improvements

    • Deal with duplicate decisions (same scope, same value) while in stream mode (#1310 #1262) @sbs2001
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Publish docker image to ghcr also (#1467) @he2ss
    • Cscli: add autocompletions for hubitems (#1465) @AlteredCoder
    • Register bouncers on container init (#1341) @thespad
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Bugfixes

    • Fix journalctl deadlock on shutdown (#1468) @buixor
    • Wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Add dialect to handle pgx correctly (#1376) @umglurf
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • Deal with misconfigured post-overflow stages (#1358) @buixor
    • Refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • Allow "cscli completion..." without configuration file (#1340) @mmetc
    • Make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Send all installed scenario to LAPI (#1277) @AlteredCoder

    Minor changes

    • Fix check uid, gid values (#1309) @mmetc
    • Some noop code removal, typos and lint suggestions (#1329) @mmetc
    • Fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • Return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • Test decision list -m (#1365) @mmetc
    • Fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • Don't set logger default level twice (#1336) @mmetc
    • Fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • Deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • Update license (#1382) @sabban
    • Update rpm patch to allow build again (#1388) @sabban
    • Remove make warning "building for linux" (#1389) @mmetc
    • Skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • Install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • Fix "cscli" without arguments (#1406) @mmetc
    • Removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • Remove trailing / from cp in make release (#1416) @blotus
    • Single workflow for all tests (#1413) @mmetc
    • Bailout on incompatible duration format (#1326) @buixor
    • Bit of doc + tests for lapi stream mode (#1356) @buixor
    • Handle containers with TTY in docker acquis (#1422) @blotus
    • Int64 for metric units (#1419) @mmetc
    • Use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001
    • Docker: add enroll on startup (#1463) @he2ss
    • Cscli: add force enroll feature (#1430) @he2ss
    • Go mod update for 1.3.3 (#1462) @buixor
    • add logrotate file for debian (#1474) @sabban
    • Fix typo in cscli metrics and debug message (#1473) @AlteredCoder
    • cleanup container state if the reader tomb dies by itself (#1470 #1475) @blotus

    Special topic: improved testing

    • Overall refactor of functional tests, and now using bats (#1266 #1333 #1345 #1355 #1365 #1366 #1368 #1371 #1372 #1373 #1377 #1379 #1380 #1381 #1384 #1386 #1387 #1390 #1393 #1394 #1400 #1425 #1458 #1437 #1440 #1439 #1443 #1453 #1454 #1455 #1457 #1456 #1458) @sabban @mmetc @buixor
    • Instrument main() for coverage tests (#1399) @mmetc

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.59 MB)
    crowdsec-release-static.tgz(35.30 MB)
  • v1.3.3-rc3(Apr 21, 2022)

    Improvements

    • Deal with duplicate decisions (same scope, same value) while in stream mode (#1310 #1262) @sbs2001
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Publish docker image to ghcr also (#1467) @he2ss
    • Cscli: add autocompletions for hubitems (#1465) @AlteredCoder
    • Register bouncers on container init (#1341) @thespad
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Bugfixes

    • Fix journalctl deadlock on shutdown (#1468) @buixor
    • Wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Add dialect to handle pgx correctly (#1376) @umglurf
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • Deal with misconfigured post-overflow stages (#1358) @buixor
    • Refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • Allow "cscli completion..." without configuration file (#1340) @mmetc
    • Make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Send all installed scenario to LAPI (#1277) @AlteredCoder

    Minor changes

    • Fix check uid, gid values (#1309) @mmetc
    • Some noop code removal, typos and lint suggestions (#1329) @mmetc
    • Fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • Return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • Test decision list -m (#1365) @mmetc
    • Fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • Don't set logger default level twice (#1336) @mmetc
    • Fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • Deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • Update license (#1382) @sabban
    • Update rpm patch to allow build again (#1388) @sabban
    • Remove make warning "building for linux" (#1389) @mmetc
    • Skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • Install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • Fix "cscli" without arguments (#1406) @mmetc
    • Removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • Remove trailing / from cp in make release (#1416) @blotus
    • Single workflow for all tests (#1413) @mmetc
    • Bailout on incompatible duration format (#1326) @buixor
    • Bit of doc + tests for lapi stream mode (#1356) @buixor
    • Handle containers with TTY in docker acquis (#1422) @blotus
    • Int64 for metric units (#1419) @mmetc
    • Use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001
    • Docker: add enroll on startup (#1463) @he2ss
    • Cscli: add force enroll feature (#1430) @he2ss
    • Go mod update for 1.3.3 (#1462) @buixor

    Special topic: improved testing

    • Overall refactor of functional tests, and now using bats (#1266 #1333 #1345 #1355 #1365 #1366 #1368 #1371 #1372 #1373 #1377 #1379 #1380 #1381 #1384 #1386 #1387 #1390 #1393 #1394 #1400 #1425 #1458 #1437 #1440 #1439 #1443 #1453 #1454 #1455 #1457 #1456 #1458) @sabban @mmetc @buixor
    • Instrument main() for coverage tests (#1399) @mmetc

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.59 MB)
    crowdsec-release-static.tgz(35.30 MB)
  • v1.3.3-rc2(Apr 20, 2022)

    Improvements

    • Send all installed scenario to LAPI (#1277) @AlteredCoder
    • instrument main() for coverage tests (#1399) @mmetc
    • functional tests are now using bats @mmetc @sabban @buixor

    Changes

    • wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Register bouncers on container init (#1341) @thespad
    • add dialect to handle pgx correctly (#1376) @umglurf
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • deal with misconfigured post-overflow stages (#1358) @buixor
    • dummy plugin (#142) @mmetc
    • refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • allow "cscli completion..." without configuration file (#1340) @mmetc
    • restore test_env.sh (#1332) @mmetc
    • make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Minor changes

    • fix check uid, gid values (#1309) @mmetc
    • some noop code removal, typos and lint suggestions (#1329) @mmetc
    • fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • test decision list -m (#1365) @mmetc
    • fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • don't set logger default level twice (#1336) @mmetc
    • fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • update license (#1382) @sabban
    • update rpm patch to allow build again (#1388) @sabban
    • remove make warning "building for linux" (#1389) @mmetc
    • skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • fix "cscli" without arguments (#1406) @mmetc
    • removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • remove trailing / from cp in make release (#1416) @blotus
    • single workflow for all tests (#1413) @mmetc
    • bailout on incompatible duration format (#1326) @buixor
    • bit of doc + tests for lapi stream mode (#1356) @buixor
    • handle containers with TTY in docker acquis (#1422) @blotus
    • int64 for metric units (#1419) @mmetc
    • use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001
    • docker: add enroll on startup (#1463) @he2ss
    • cscli: add force enroll feature (#1430) @he2ss
    • go mod update for 1.3.3 (#1462) @buixor

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.59 MB)
  • v1.3.3-rc1(Apr 20, 2022)

    Improvements

    • Send all installed scenario to LAPI (#1277) @AlteredCoder
    • instrument main() for coverage tests (#1399) @mmetc
    • functional tests are now using bats (#1266 #1333 #1345 #1355 #1365 #1366 #1368 #1371 #1372 #1373 #1377 #1379 #1380 #1381 #1384 #1386 #1387 #1390 #1393 #1394 #1400 #1425 #1458 #1437 #1440 #1439 #1443 #1453 #1454 #1455 #1457 #1456 #1458) @mmetc @sabban @buixor

    Changes

    • wizard: removed jq dependency (#1460) @mmetc
    • Reduce the query unescape helper verbosity (#1447) @AlteredCoder
    • Update bouncer pull in rupture mode (#1445) @sbs2001
    • Register bouncers on container init (#1341) @thespad
    • add dialect to handle pgx correctly (#1376) @umglurf
    • Improve cscli metrics units (#1374) @AlteredCoder
    • Add -m flag for decisions list to display the machine (#1361) @AlteredCoder
    • Add trusted IPs which have admin API access (#1352) @sbs2001
    • Allow to ignore errors when installing multiple configuration items (#1359) @AlteredCoder
    • Allow cscli remove to remove with --all (#1360) @AlteredCoder
    • Add query param to filter decisions by scenarios and origin (#1294) @sbs2001
    • Don't omit fields of bouncer in json (#1354) @sbs2001
    • deal with misconfigured post-overflow stages (#1358) @buixor
    • dummy plugin (#142) @mmetc
    • refactor: use runtime rather than ldflags for go details (#1302) @06kellyjac
    • allow "cscli completion..." without configuration file (#1340) @mmetc
    • restore test_env.sh (#1332) @mmetc
    • make notification plugins work on freebsd (#1253) @mmetc
    • Docker prestage - correct database path (#1312) @chad-jones
    • Email notification plugin add sender_name option (#1297) @tuxtof

    Minor changes

    • fix check uid, gid values (#1309) @mmetc
    • some noop code removal, typos and lint suggestions (#1329) @mmetc
    • fix for /usr/bin/wc on freebsd (#1338) @mmetc
    • return 1 with incomplete command line; always check error when calling cmd.Help (#1335) @mmetc
    • test decision list -m (#1365) @mmetc
    • fix for https://staticcheck.io/docs/checks#SA2002 (#1334) @mmetc
    • don't set logger default level twice (#1336) @mmetc
    • fix #1316: add html body (#1339) @buixor
    • Display acquisition dir in cscli config show (#1349) @AlteredCoder
    • Deprecate pid_file config (#1346) @sbs2001
    • deduplicate make package, package_static (#1344) @mmetc
    • Fix 1262 pgsql conflict resolve (#1363) @sbs2001
    • update license (#1382) @sabban
    • update rpm patch to allow build again (#1388) @sabban
    • remove make warning "building for linux" (#1389) @mmetc
    • skip broken tests (w/ postgres and test coverage) (#1410) @mmetc
    • install *.cover binaries in $BIN_DIR; minor workflow changes (#1408) @mmetc
    • fix "cscli" without arguments (#1406) @mmetc
    • removed RELEASE.json, embed codename in makefile (#1442) @mmetc
    • Fix hub loader to support '.yml' files (#1433) @AlteredCoder
    • Add origins param in decision stream service (#1429) @sbs2001
    • remove trailing / from cp in make release (#1416) @blotus
    • single workflow for all tests (#1413) @mmetc
    • bailout on incompatible duration format (#1326) @buixor
    • bit of doc + tests for lapi stream mode (#1356) @buixor
    • handle containers with TTY in docker acquis (#1422) @blotus
    • int64 for metric units (#1419) @mmetc
    • use golangci-lint 1.45.2 (#1420) @mmetc
    • Cwhub testing (#1438) @sbs2001

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.55 MB)
    crowdsec-release-static.tgz(35.26 MB)
  • v1.3.2(Mar 4, 2022)

  • v1.3.1(Mar 2, 2022)

    Changes

    • Docker image: add multi arch platforms (#1270) @he2ss
    • Add IpToRange helpers and allow having an expression with scope Range (#1260) @AlteredCoder

    Improvements

    • Create debian docker package including journalctl/systemd (#1233) @woopstar
    • Use override possibility in systemd file management in functional tests (#1208) @sabban
    • Allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) @mmetc
    • Fix upgrade when something is already listening on 8080 (#1258) @sabban

    Bugfixes

    • Fix typo in explain help (#1290) @sbs2001
    • Fix #1274 (#1285) @buixor
    • Improve LAPI performance when under high load (#1273) @blotus
    • Specify journalctl support (#1272) @woopstar
    • Wizard: install matched collections only (#1212) @he2ss
    • String comparison fix (#1220) @mmetc
    • Fix help message of cscli config show --key (#1228) @buixor
    • Email-plugin: fix install in debian package (#1219) @erdoukki
    • Handle decisions with varying expiry for same IP (#1262) @sbs2001
    • Make whitelist by expr debug level (#1236) @buixor
    • Detect missing plugin binary wrt profiles (#1252) @sbs2001
    • Upgrade: download datafiles if they don't exist (#1254) @AlteredCoder
    • Prestage files and copy on init to fix bind mount issues (#1216) @TheSpad
    • Exit syslog acquis only after server is dead (#1288) @sbs2001
    • Fix #1295: deploy email plugin on RPMs (#1296) @buixor
    • Warn when log file in explain command is large. (#1293) @sbs2001
    • Remove the target test for build (#1279) @sabban
    • Refactor tests to reduce line count (#1264) @mmetc
    • Git tag detection fix for #1234 (#1265) @mmetc
    • Have "make test" from top directory actually run tests (#1249) @mmetc
    • Plugin configuration comments (#1255) @mmetc
    • Atoi() -> ParseInt() (#1256) @mmetc
    • Grammar (#1257) @mmetc
    • Check log level before dumping resp (#1243) @sbs2001
    • Fix for cwversion.System (#1238) @mmetc
    • Add LOCAL_API_URL to auto-register an agent (#1231) @woopstar
    • Add TLS functionality from env variables (#1227) @woopstar
    • Set custom hostname for local agent credentials (#1229) @woopstar
    • Deadcode [wip] (#1215) @mmetc
    • Set LOCAL_API_URL on regeneration of local agent (#1226) @woopstar
    • Makefile: add ENV VARIABLES to override configdir & datadir (#1224) @erdoukki
    • Makefile cleanup (#1211) @mmetc

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.42 MB)
    crowdsec-release-static.tgz(35.12 MB)
  • v1.3.1-rc3(Mar 1, 2022)

    Changes

    • docker image: add multi arch platforms (#1270) @he2ss
    • remove the target test for build (#1279) @sabban
    • Refactor tests to reduce line count (#1264) @mmetc
    • git tag detection fix for #1234 (#1265) @mmetc
    • have "make test" from top directory actually run tests (#1249) @mmetc
    • plugin configuration comments (#1255) @mmetc
    • add IpToRange helpers and allow having an expression with scope Range (#1260) @AlteredCoder
    • Atoi() -> ParseInt() (#1256) @mmetc
    • grammar (#1257) @mmetc
    • Check log level before dumping resp (#1243) @sbs2001
    • fix for cwversion.System (#1238) @mmetc
    • Add LOCAL_API_URL to auto-register an agent (#1231) @woopstar
    • Add TLS functionality from env variables (#1227) @woopstar
    • Set custom hostname for local agent credentials (#1229) @woopstar
    • Deadcode [wip] (#1215) @mmetc
    • Set LOCAL_API_URL on regeneration of local agent (#1226) @woopstar
    • Makefile: add ENV VARIABLES to override configdir & datadir (#1224) @erdoukki
    • Makefile cleanup (#1211) @mmetc

    Improvements

    • Create debian docker package including journalctl/systemd (#1233) @woopstar
    • Use override possibility in systemd file management in functional tests (#1208) @sabban
    • allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) @mmetc
    • fix upgrade when something is already listening on 8080 (#1258) @sabban

    Bugfixes

    • Fix typo in explain help (#1290) @sbs2001
    • fix #1274 (#1285) @buixor
    • Improve LAPI performance when under high load (#1273) @blotus
    • Specify journalctl support (#1272) @woopstar
    • wizard: install matched collections only (#1212) @he2ss
    • string comparison fix (#1220) @mmetc
    • fix help message of cscli config show --key (#1228) @buixor
    • email-plugin: fix install in debian package (#1219) @erdoukki
    • Handle decisions with varying expiry for same IP (#1262) @sbs2001
    • Make whitelist by expr debug level (#1236) @buixor
    • Detect missing plugin binary wrt profiles (#1252) @sbs2001
    • Upgrade: download datafiles if they don't exist (#1254) @AlteredCoder
    • Prestage files and copy on init to fix bind mount issues (#1216) @TheSpad
    • Exit syslog acquis only after server is dead (#1288) @sbs2001
    • fix #1295: deploy email plugin on RPMs (#1296) @buixor
    • Warn when log file in explain command is large. (#1293) @sbs2001

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.42 MB)
    crowdsec-release-static.tgz(35.12 MB)
  • v1.3.1-rc2(Feb 28, 2022)

    Changes

    • docker image: add multi arch platforms (#1270) @he2ss
    • remove the target test for build (#1279) @sabban
    • Refactor tests to reduce line count (#1264) @mmetc
    • git tag detection fix for #1234 (#1265) @mmetc
    • have "make test" from top directory actually run tests (#1249) @mmetc
    • plugin configuration comments (#1255) @mmetc
    • add IpToRange helpers and allow having an expression with scope Range (#1260) @AlteredCoder
    • Atoi() -> ParseInt() (#1256) @mmetc
    • grammar (#1257) @mmetc
    • Check log level before dumping resp (#1243) @sbs2001
    • fix for cwversion.System (#1238) @mmetc
    • Add LOCAL_API_URL to auto-register an agent (#1231) @woopstar
    • Add TLS functionality from env variables (#1227) @woopstar
    • Set custom hostname for local agent credentials (#1229) @woopstar
    • Deadcode [wip] (#1215) @mmetc
    • Set LOCAL_API_URL on regeneration of local agent (#1226) @woopstar
    • Makefile: add ENV VARIABLES to override configdir & datadir (#1224) @erdoukki
    • Makefile cleanup (#1211) @mmetc

    Improvements

    • Create debian docker package including journalctl/systemd (#1233) @woopstar
    • Use override possibility in systemd file management in functional tests (#1208) @sabban
    • allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) @mmetc
    • fix upgrade when something is already listening on 8080 (#1258) @sabban

    Bugfixes

    • Fix typo in explain help (#1290) @sbs2001
    • fix #1274 (#1285) @buixor
    • Improve LAPI performance when under high load (#1273) @blotus
    • Specify journalctl support (#1272) @woopstar
    • wizard: install matched collections only (#1212) @he2ss
    • string comparison fix (#1220) @mmetc
    • fix help message of cscli config show --key (#1228) @buixor
    • email-plugin: fix install in debian package (#1219) @erdoukki
    • Handle decisions with varying expiry for same IP (#1262) @sbs2001
    • Make whitelist by expr debug level (#1236) @buixor
    • Detect missing plugin binary wrt profiles (#1252) @sbs2001
    • Upgrade: download datafiles if they don't exist (#1254) @AlteredCoder
    • Prestage files and copy on init to fix bind mount issues (#1216) @TheSpad

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.42 MB)
    crowdsec-release-static.tgz(35.12 MB)
  • v1.3.1-rc1(Feb 18, 2022)

    Changes

    • remove the target test for build (#1279) @sabban
    • Refactor tests to reduce line count (#1264) @mmetc
    • git tag detection fix for #1234 (#1265) @mmetc
    • have "make test" from top directory actually run tests (#1249) @mmetc
    • plugin configuration comments (#1255) @mmetc
    • add IpToRange helpers and allows to have an expression with scope Range (#1260) @AlteredCoder
    • Atoi() -> ParseInt() (#1256) @mmetc
    • grammar (#1257) @mmetc
    • Check log level before dumping resp (#1243) @sbs2001
    • fix for cwversion.System (#1238) @mmetc
    • Add LOCAL_API_URL to register auto an agent (#1231) @woopstar
    • Add TLS functionality from env variables (#1227) @woopstar
    • Set custom hostname for local agent credentials (#1229) @woopstar
    • Deadcode [wip] (#1215) @mmetc
    • Set LOCAL_API_URL on regeneration of local agent (#1226) @woopstar
    • Makefile: add ENV VARIABLES to override configdir & datadir (#1224) @erdoukki
    • Makefile cleanup (#1211) @mmetc

    Improvements

    • Create debian docker package including journalctl/systemd (#1233) @woopstar
    • Use override possibility in systemd file management in functional tests (#1208) @sabban
    • allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) @mmetc
    • fix upgrade when something is already listening on 8080 (#1258) @sabban

    Bugfixes

    • Improve LAPI performance when under high load (#1273) @blotus
    • Specify journalctl support (#1272) @woopstar
    • wizard: install matched collections only (#1212) @he2ss
    • string comparison fix (#1220) @mmetc
    • fix help message of cscli config show --key (#1228) @buixor
    • email-plugin: fix install in debian package (#1219) @erdoukki
    • Handle decisions with varying expiry for same IP (#1262) @sbs2001
    • Make whitelist by expr debug level (#1236) @buixor
    • Detect missing plugin binary wrt profiles (#1252) @sbs2001
    • Upgrade download datafiles if doesn't exist (#1254) @AlteredCoder
    • Prestage files and copy on init to fix bind mount issues (#1216) @TheSpad

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.42 MB)
    crowdsec-release-static.tgz(35.12 MB)
  • v1.3.1-rc0(Feb 18, 2022)

    Changes

    • Refactor tests to reduce line count (#1264) @mmetc
    • git tag detection fix for #1234 (#1265) @mmetc
    • have "make test" from top directory actually run tests (#1249) @mmetc
    • plugin configuration comments (#1255) @mmetc
    • add IpToRange helpers and allows to have an expression with scope Range (#1260) @AlteredCoder
    • Atoi() -> ParseInt() (#1256) @mmetc
    • grammar (#1257) @mmetc
    • Check log level before dumping resp (#1243) @sbs2001
    • fix for cwversion.System (#1238) @mmetc
    • Add LOCAL_API_URL to register auto an agent (#1231) @woopstar
    • Add TLS functionality from env variables (#1227) @woopstar
    • Set custom hostname for local agent credentials (#1229) @woopstar
    • Deadcode [wip] (#1215) @mmetc
    • Set LOCAL_API_URL on regeneration of local agent (#1226) @woopstar
    • Makefile: add ENV VARIABLES to override configdir & datadir (#1224) @erdoukki
    • Makefile cleanup (#1211) @mmetc

    Improvements

    • Create debian docker package including journalctl/systemd (#1233) @woopstar
    • Use override possibility in systemd file management in functional tests (#1208) @sabban
    • allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) @mmetc
    • fix upgrade when something is already listening on 8080 (#1258) @sabban

    Bugfixes

    • Improve LAPI performance when under high load (#1273) @blotus
    • Specify journalctl support (#1272) @woopstar
    • wizard: install matched collections only (#1212) @he2ss
    • string comparison fix (#1220) @mmetc
    • fix help message of cscli config show --key (#1228) @buixor
    • email-plugin: fix install in debian package (#1219) @erdoukki
    • Handle decisions with varying expiry for same IP (#1262) @sbs2001
    • Make whitelist by expr debug level (#1236) @buixor
    • Detect missing plugin binary wrt profiles (#1252) @sbs2001
    • Upgrade download datafiles if doesn't exist (#1254) @AlteredCoder
    • Prestage files and copy on init to fix bind mount issues (#1216) @TheSpad

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(34.42 MB)
    crowdsec-release-static.tgz(35.12 MB)
  • v1.3.0(Jan 25, 2022)

    Changes

    • clean up hub dir on rpm remove (#1205) @sabban
    • fix #1200 (#1203) @buixor
    • console_config.yaml -> console.yaml (#1195) @mmetc
    • remove trailing carriage return (#1194) @mmetc
    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • fix rpm build (#1190) @sabban
    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001
    • update deps for fc35 (#1193) @sabban
    • fix crash on upgrade with nil last push field (#1191) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.98 MB)
  • v1.3.0-rc5(Jan 24, 2022)

    Changes

    • clean up hub dir on rpm remove (#1205) @sabban
    • fix #1200 (#1203) @buixor
    • console_config.yaml -> console.yaml (#1195) @mmetc
    • remove trailing carriage return (#1194) @mmetc
    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • fix rpm build (#1190) @sabban
    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001
    • update deps for fc35 (#1193) @sabban
    • fix crash on upgrade with nil last push field (#1191) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.98 MB)
  • v1.3.0-rc4(Jan 24, 2022)

    Changes

    • fix fc35 package (#1198) @sabban
    • console_config.yaml -> console.yaml (#1195) @mmetc
    • remove trailing carriage return (#1194) @mmetc
    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • fix rpm build (#1190) @sabban
    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001
    • update deps for fc35 (#1193) @sabban
    • fix crash on upgrade with nil last push field (#1191) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.98 MB)
  • v1.3.0-rc3(Jan 21, 2022)

    Changes

    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • fix rpm build (#1190) @sabban
    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001
    • update deps for fc35 (#1193) @sabban
    • fix crash on upgrade with nil last push field (#1191) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.97 MB)
  • v1.3.0-rc2(Jan 20, 2022)

    Changes

    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • fix rpm build (#1190) @sabban
    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.97 MB)
  • v1.3.0-rc(Jan 20, 2022)

    Changes

    • Support PGX (#1186) @AlteredCoder
    • Switch to utc time everywhere (#1167) @buixor
    • Allow push of tainted/custom/manual decisions (#1154) @buixor
    • Lists support from central api (#1074) @buixor
    • Kinesis datasource (#1147) @blotus

    Improvements

    • Update notifications template (#1188) @AlteredCoder
    • Gin upgrade (#1174) @buixor

    Bugfixes

    • Upgrade grokky following https://github.com/crowdsecurity/grokky/pull/2 (#1187) @buixor
    • Fix panic in plugin broker (#1181) @sbs2001
    • Fix postgreSQL count fail (#1184) @AlteredCoder
    • Fix #1168 (#1179) @buixor
    • Fix default perms for log file (#1177) @buixor
    • Fix #1170 : display full message in debug mode when syslog cannot parse (#1176) @buixor
    • Fix #1172 (#1175) @buixor
    • Replace link to Gitter with Discord in README.md (#1161) @mazzma12
    • Update LAPI swagger (#1155) @blotus
    • Add option to print machine creds (#1149) @sbs2001

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(32.27 MB)
    crowdsec-release-static.tgz(32.97 MB)
  • v1.2.3(Jan 6, 2022)

    Changes

    • Add email notification plugin. (#1013) @sbs2001
    • fix #1131 : complain when validating unknown machine (#1146) @buixor
    • Fix cscli inspect json output (#1145) @sbs2001
    • fix race condition on repetitive trigger buckets creation (#1144) @buixor
    • Fix json output of cscli hub list (#1143) @sbs2001
    • fixed "help collections list" message (#1142) @mmetc
    • add the ability for the wizard to work on raspbian (#1136) @sabban
    • Docker api version negotiation (#1135) @blotus
    • cscli: raise error on unknown collection remove (#1133) @he2ss
    • Alert inspect improvement / Use correct CSV output when listing in raw format (#1127) @AlteredCoder
    • Allow to configure log rotation (#1130) @blotus
    • replaced   (#1129) @mmetc
    • fix #1057 (#1120) @buixor
    • added debian/README.md; updated gitignore (#1119) @mmetc

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(30.40 MB)
    crowdsec-release-static.tgz(31.11 MB)
go-xss is a module used to filter input from users to prevent XSS attacks

go-xss filters HTML according to a whitelist (to prevent XSS attacks). go-xss is a module used to filter input from users to prevent XSS attacks. go-xss is a module for filtering user-submitted content so as to avoid XSS attacks.

solar 30 Aug 1, 2022
A scanner/exploitation tool written in GO, which leverages Prototype Pollution to XSS by exploiting known gadgets.

ppmap A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the g

kleiton0x00 338 Aug 8, 2022
A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228.

jndi-ldap-test-server This is a minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2

Rakuten Group, Inc. 9 Aug 6, 2022
zero-trust remote firewall instrumentation

ShieldWall embraces the zero-trust principle and instruments your server firewall to block inbound connections from every IP on any port, by default.

Simone Margaritelli 177 Aug 17, 2022
Package for controlling the Windows firewall (aka Windows Filtering Platform, WFP)

wf What This is a package for controlling the Windows Filtering Platform (WFP), also known as the Windows firewall. See its docs: https://godoc.org/in

inet.af 46 Aug 15, 2022
A web-based testing platform for WAF (Web Application Firewall)'s correctness

WAFLab WAFLab is a web-based platform for testing WAFs. Live Demo https://waflab.org/ Architecture WAFLab contains 2 parts: Name Description Langua

Microsoft 22 Jul 12, 2022
Coraza WAF is a golang modsecurity compatible web application firewall library

Coraza Web Application Firewall, this project is a Golang port of ModSecurity with the goal to become the first enterprise-grade Open Source Web Application Firewall, flexible and powerful enough to serve as the baseline for many projects.

Juan Pablo Tosso 624 Aug 14, 2022
A Declarative Cloud Firewall Reverse Proxy Solution with Companion Mobile App

A declarative Cloud firewall reverse proxy solution with inbuilt DDoS protection and alerting mechanism to protect your servers and keeping an eye on those malicious requests

null 14 Aug 10, 2022
Serpscan is a powerful PHP script designed to allow you to leverage the power of dorking straight from the comfort of your command line.

SerpScan Serpscan is a powerful PHP tool designed to allow you to leverage the power of dorking straight from the comfort of your command line. Table

Alaa Abdulridha 50 Jul 9, 2022
go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

chenk 5 Feb 5, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

chenk 22 Jul 22, 2022
Scan and analyze OSS dependencies and licenses from compiled Go binaries

golicense - Go Binary OSS License Scanner golicense is a tool that scans compiled Go binaries and can output all the dependencies, their versions, and

Mitchell Hashimoto 627 Jul 27, 2022
Cyber Stasis is an economic simulator in the form of a fictional game based on global real-time demand and supply.

Cyber Stasis Cyber Stasis is an economic simulator in the form of a fictional game based on global real-time demand and supply. How to Play The game r

Stateless Minds 83 Jul 22, 2022
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 25 May 27, 2022
Curl & exec binary file in one step. Also a kind of stealth dropper.

curlNexec Certainly useful, mainly for fun, roughly inspired by 0x00 article Short story curlNexec enable us to execute a remote binary on a local

Ariary 107 Aug 2, 2022
Incident Response - Fast suspicious file finder

FastFinder - Incident Response - Fast suspicious file finder What is this project designed for? FastFinder is a lightweight tool made for threat hunti

Jean-Pierre GARNIER 143 Aug 7, 2022
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

docker-slim 14.7k Aug 8, 2022