CrowdSec - an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network.

Overview


📚 Documentation 💠 Configuration Hub 💬 Discourse (Forum) 💬 Gitter (Live chat)

💃 This is a community-driven project; we need your feedback.

<TL;DR>

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once a threat is detected you can remediate it with various bouncers (firewall block, nginx HTTP 403, captchas, etc.), while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See the FAQ or read below for more.

2 mins install

Installing it through your OS's package manager is the easiest way to proceed. Otherwise, to install from source, in a shell:

git clone https://github.com/crowdsecurity/crowdsec.git
cd crowdsec && ./wizard.sh -i

ℹ️ About the CrowdSec project

Crowdsec is an open-source, lightweight piece of software that detects peers with aggressive behaviors and prevents them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier to entry with, nevertheless, a high security gain.

Processing is done in 4 steps:

[Diagram: CrowdSec's four processing steps]

Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, the scenario triggered and the timestamp are sent for curation, to avoid poisoning and false positives (this can be disabled). If verified, the IP is then redistributed to all CrowdSec users running the same scenario.

Outnumbering hackers all together

By sharing the threats they faced, all users protect each other (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.

CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted to most contexts, but you can easily extend it by picking more from the Hub. It is also easy to adapt an existing one or create one yourself.

👉 What it is not

CrowdSec is not a SIEM: it does not store your logs (neither locally nor remotely). Your data is analyzed locally and forgotten.

Signals sent to the curation platform are limited to the strict minimum: IP, scenario, timestamp. They are only used to let the system spot new rogue IPs and rule out false positives or poisoning attempts.

⬇️ Install it!

Crowdsec is available for various platforms:

Or look directly at installation documentation for other methods.

🎉 Key benefits

Fast assisted installation, no technical barrier

Initial configuration is automated, providing functional out-of-the-box setup

Out of the box detection

Baseline detection is effective out-of-the-box, no fine-tuning required

Easy bouncer deployment

It's trivial to add bouncers to enforce decisions of crowdsec

Easy dashboard access

It's easy to deploy a metabase interface to view your data simply with cscli

Hot & Cold logs

Process cold logs for forensics, tests, and chasing false positives and false negatives

📦 About this repository

This repository contains the code for the two main components of crowdsec:

  • crowdsec: the daemon à la fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks.
  • cscli: the CLI tool mainly used to interact with crowdsec: ban/unban/view current bans, enable/disable parsers and scenarios.
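The four steps the daemon runs (read, parse, enrich, apply heuristics) can be seen end to end in a toy version. The Go program below is an added example written for this page, not CrowdSec's own code: the regex plays the role of a Grok pattern, the year added to the syslog timestamp plays the role of enrichment, and a leaky bucket keyed by source IP plays the role of a scenario. The capacity (3) and leak speed (10s) are demo values and the log lines are constructed; neither comes from any shipped CrowdSec scenario.

```go
// Added example, not CrowdSec's own code: a miniature read -> parse -> enrich ->
// heuristics pipeline. The regex stands in for a Grok pattern; capacity 3 and
// leak speed 10s are demo values, not those of any shipped CrowdSec scenario.
package main

import (
	"fmt"
	"math"
	"regexp"
	"time"
)

// sshdFailed matches an OpenSSH "Failed password" syslog line (the parse step).
var sshdFailed = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ([\d.]+) port \d+`)

// parseSSHD returns the event time and source IP of one failed-login line; the
// year is supplied because syslog timestamps lack one (the enrichment step).
func parseSSHD(line string, year int) (time.Time, string, bool) {
	m := sshdFailed.FindStringSubmatch(line)
	if m == nil {
		return time.Time{}, "", false
	}
	ts, err := time.Parse("Jan _2 15:04:05 2006", fmt.Sprintf("%s %d", m[1], year))
	return ts, m[2], err == nil
}

// Bucket is a leaky bucket: each event adds one token, tokens drain at one per
// leak interval, and it overflows once it holds more than capacity tokens.
type Bucket struct {
	tokens float64
	last   time.Time
}

func (b *Bucket) add(t time.Time, capacity int, leak time.Duration) bool {
	if !b.last.IsZero() {
		b.tokens = math.Max(0, b.tokens-float64(t.Sub(b.last))/float64(leak))
	}
	b.last = t
	b.tokens++
	return b.tokens > float64(capacity)
}

// Alert is what the detection side hands to a bouncer.
type Alert struct {
	Scenario string
	SrcIP    string
	At       time.Time
}

// Detector keeps one bucket per source IP (the scenario's group-by key).
type Detector struct {
	Capacity int
	Leak     time.Duration
	buckets  map[string]*Bucket
}

// Feed runs one raw line through the pipeline and returns an alert when the
// source's bucket overflows; the bucket is then dropped so a burst alerts once.
func (d *Detector) Feed(line string) (Alert, bool) {
	ts, ip, ok := parseSSHD(line, 2021)
	if !ok {
		return Alert{}, false
	}
	if d.buckets == nil {
		d.buckets = map[string]*Bucket{}
	}
	b := d.buckets[ip]
	if b == nil {
		b = &Bucket{}
		d.buckets[ip] = b
	}
	if b.add(ts, d.Capacity, d.Leak) {
		delete(d.buckets, ip)
		return Alert{Scenario: "demo/ssh-bf", SrcIP: ip, At: ts}, true
	}
	return Alert{}, false
}

// sampleLines are constructed log lines using RFC 5737 documentation addresses.
var sampleLines = []string{
	"Mar 22 23:30:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
	"Mar 22 23:30:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 40002 ssh2",
	"Mar 22 23:30:03 host sshd[1002]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
	"Mar 22 23:30:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2",
	"Mar 22 23:30:04 host sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2",
	"Mar 22 23:30:04 host sshd[1001]: Failed password for root from 203.0.113.5 port 40004 ssh2",
}

// RunSample feeds the constructed lines and returns every alert raised.
func RunSample() []Alert {
	d := &Detector{Capacity: 3, Leak: 10 * time.Second}
	var alerts []Alert
	for _, line := range sampleLines {
		if a, ok := d.Feed(line); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}
```

Four failed logins from 203.0.113.5 inside four seconds overflow the bucket and produce a single alert at 23:30:04; the one failure from 198.51.100.7 and the accepted login do not. Spreading the same attempts 20 seconds apart lets the leak drain the bucket and nothing fires, which is exactly the trade-off a scenario's capacity and leak speed express.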
Issues
  • FreeBSD support

    FreeBSD support

    opened by sbz 24
  • Bug/crowdsec.service crashing

    Bug/crowdsec.service crashing

    Can somebody point me in the right direction to solve this issue?

    After successfully getting the multi-machine setup working I noticed that crowdsec.service was crashing on my master machine. Probably some kind of misconfiguration issue, as I'm just getting started with crowdsec.

    I installed from repo on Ubuntu 16/18 LTS VPS servers. My setup is one master machine with the API and one client with no API connecting to the master. And I only use the cs-firewall-bouncer. I did some successful tests using cscli decisions add -i 123.123.123.123 on the master and saw that the client was getting the decision and blocking the IP in the firewall... so I was thrilled, it works great.

    But then after 20 minutes crowdsec.service crashed on the master. Now it crashes regularly every 20-30 minutes...

    Below is what is reported:

    time="28-03-2021 13:24:39" level=error msg="crowdsec - goroutine crowdsec/controllersV1/FindAlerts crashed : client disconnected"
    time="28-03-2021 13:24:39" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/"
    time="28-03-2021 13:24:39" level=error msg="stacktrace/report is written to /tmp/crowdsec-crash.707091172.txt : please join it to your issue"
    time="28-03-2021 13:24:39" level=fatal msg="crowdsec stopped"

    The contents of /tmp/crowdsec-crash.707091172.txt

    version: 1.0.7-4-debian-pragmatic-a8b16a66b110ebe03bb330cda2600226a3a862d7
    Codename: alphaga
    BuildDate: 2021-03-16_19:01:37
    GoVersion: 1.15.8
    goroutine 2688 [running]:
    runtime/debug.Stack(0xc000bc8fe8, 0xc0003b1d40, 0x8e)
        /usr/local/go/src/runtime/debug/stack.go:24 +0x9f
    github.com/crowdsecurity/crowdsec/pkg/types.CatchPanic(0x14c3fb0, 0x21)
        /crowdsec/pkg/types/utils.go:100 +0x238
    panic(0x136c9c0, 0xc0000928a0)
        /usr/local/go/src/runtime/panic.go:969 +0x1b9
    github.com/gin-gonic/gin/render.JSON.Render(...)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/render/json.go:59
    github.com/gin-gonic/gin.(*Context).Render(0xc0004ea960, 0xc8, 0x15ee6e0, 0xc0009bc2e0)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:841 +0x149
    github.com/gin-gonic/gin.(*Context).JSON(...)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:884
    github.com/crowdsecurity/crowdsec/pkg/apiserver/controllers/v1.(*Controller).FindAlerts(0xc0003195e0, 0xc0004ea960)
        /crowdsec/pkg/apiserver/controllers/v1/alerts.go:163 +0x177
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/crowdsecurity/crowdsec/pkg/apiserver/controllers/v1.PrometheusMachinesMiddleware.func1(0xc0004ea960)
        /crowdsec/pkg/apiserver/controllers/v1/metrics.go:83 +0x96
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/appleboy/gin-jwt/v2.(*GinJWTMiddleware).middlewareImpl(0xc000152640, 0xc0004ea960)
        /root/go/pkg/mod/github.com/appleboy/gin-jwt/[email protected]/auth_jwt.go:403 +0x22b
    github.com/appleboy/gin-jwt/v2.(*GinJWTMiddleware).MiddlewareFunc.func1(0xc0004ea960)
        /root/go/pkg/mod/github.com/appleboy/gin-jwt/[email protected]/auth_jwt.go:365 +0x34
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/crowdsecurity/crowdsec/pkg/apiserver/controllers/v1.PrometheusMiddleware.func1(0xc0004ea960)
        /crowdsec/pkg/apiserver/controllers/v1/metrics.go:105 +0x145
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/gin-gonic/gin.RecoveryWithWriter.func1(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/recovery.go:83 +0x65
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/gin-gonic/gin.LoggerWithConfig.func1(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/logger.go:241 +0xe5
    github.com/gin-gonic/gin.(*Context).Next(0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 +0x3b
    github.com/gin-gonic/gin.(*Engine).handleHTTPRequest(0xc0001523c0, 0xc0004ea960)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:409 +0x67a
    github.com/gin-gonic/gin.(*Engine).ServeHTTP(0xc0001523c0, 0x15fa2a0, 0xc000011128, 0xc000481600)
        /root/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:367 +0x14d
    net/http.serverHandler.ServeHTTP(0xc0004640e0, 0x15fa2a0, 0xc000011128, 0xc000481600)
        /usr/local/go/src/net/http/server.go:2843 +0xa3
    net/http.initALPNRequest.ServeHTTP(0x15fd3a0, 0xc000301920, 0xc0001a0700, 0xc0004640e0, 0x15fa2a0, 0xc000011128, 0xc000481600)
        /usr/local/go/src/net/http/server.go:3415 +0x8d
    net/http.(*http2serverConn).runHandler(0xc000073980, 0xc000011128, 0xc000481600, 0xc00042f760)
        /usr/local/go/src/net/http/h2_bundle.go:5719 +0x8b
    created by net/http.(*http2serverConn).processHeaders
        /usr/local/go/src/net/http/h2_bundle.go:5453 +0x505

    bug 
    opened by shaundma 20
  • Output plugins

    Output plugins

    1. New package called csplugin is added. This handles plugin discovery, feeding them config and dispatching alerts
    2. LAPI Server's controller has access to a PluginChannel, it pushes new alerts to this channel.
    3. Slack plugin is at https://github.com/sbs2001/crowdsec-slack-plugin

    Example setup

    1. In config_paths at /etc/crowdsec/config.yaml add the following:
      notification_dir: /etc/crowdsec/notifications
      plugin_dir: /etc/crowdsec/plugins

    2. At /etc/crowdsec/notifications create a file with any name, e.g. slack.yaml, with the contents:
    type: slack
    name: slacktoto
    format: |
            slacktoto
            {{range .Decisions}}
             {{.Type}} decision : {{.Value}} has triggered the scenario {{.Scenario}} and has been banned for {{.Duration}}
            {{end}}
    webhook: https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    3. In profiles.yaml register the plugin by adding the following:
    notifications:
     - slacktoto

    4. Build the plugin and put it at /etc/crowdsec/plugins with the name notification-slack.
    git clone https://github.com/sbs2001/crowdsec-slack-plugin
    cd crowdsec-slack-plugin
    go build -o notification-slack && sudo cp notification-slack /etc/crowdsec/plugins/notification-slack
    sudo systemctl reload crowdsec


    Any alert matching the profile will create a notification on the slack channel.

    Note: the diff is slightly large due to some refactor in tests.

    opened by buixor 14
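The `format` field in the slack.yaml shown in the setup above is a Go text/template executed against the alert. The program below is an added example, not code from this PR or from the Slack plugin: it renders that exact template against a constructed alert so the template can be checked offline before it is deployed, and it shows that a misspelt field name is reported as an execution error rather than silently rendering empty. The `Decision` struct carries only the four fields the template references; that shape is an assumption of this example.

```go
// Added example, not CrowdSec's or the Slack plugin's code: renders the
// `format` block from the slack.yaml above with Go's text/template so a
// notification template can be checked offline before it is deployed.
// The Decision fields are limited to the ones that template references;
// the struct shape itself is this example's assumption.
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Decision is one remediation decision carried by an alert.
type Decision struct {
	Type     string
	Value    string
	Scenario string
	Duration string
}

// Alert is the value the template is executed against.
type Alert struct {
	Decisions []Decision
}

// notificationFormat is the format block from the slack.yaml above.
const notificationFormat = `slacktoto
{{range .Decisions}}
 {{.Type}} decision : {{.Value}} has triggered the scenario {{.Scenario}} and has been banned for {{.Duration}}
{{end}}
`

// Render parses the template and executes it against the alert. Both a syntax
// error and a reference to a field the alert does not have come back as errors.
func Render(format string, alert Alert) (string, error) {
	tmpl, err := template.New("notification").Parse(format)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alert); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// sampleAlert is constructed data using RFC 5737 documentation addresses.
var sampleAlert = Alert{Decisions: []Decision{
	{Type: "ban", Value: "203.0.113.5", Scenario: "crowdsecurity/ssh-bf", Duration: "4h"},
	{Type: "ban", Value: "198.51.100.7", Scenario: "crowdsecurity/http-probing", Duration: "4h"},
}}

// RenderSample renders the template from the PR against the constructed alert.
func RenderSample() (string, error) {
	return Render(notificationFormat, sampleAlert)
}

func main() {
	out, err := RenderSample()
	if err != nil {
		fmt.Println("template error:", err)
		return
	}
	fmt.Print(out)
}
```

Running it prints the "slacktoto" header followed by one line per decision. Because `Alert` and `Decision` are structs, text/template treats an unknown field such as `{{.Scenari}}` as an execution error, so a typo in a deployed format is caught by this check instead of producing a half-empty Slack message.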
  • can't make friends with haproxy

    can't make friends with haproxy

    Installed haproxy, installed crowdsec, installed a parser for haproxy, but nothing wants to work. Where am I doing something wrong?

    bug 
    opened by glebkhil 10
  • Enable detection of `httpd`

    Enable detection of `httpd`

    Fixes #195

    • [x] Fix httpd service discovery on RH based distros.

    • [x] Make installation process for httpd work.

    Signed-off-by: Shivam Sandbhor [email protected]

    opened by sbs2001 10
  • Bug/ api pull cron job fails

    Bug/ api pull cron job fails

    Describe the bug

    Doing a cscli ban list this morning I noticed that the IP ban from the api list was empty. Running cscli api pull manually works without issue. I believe the cron job is not working correctly. According to the cscli logs it works one day out of 3:

    time="2020-11-12T08:00:01+01:00" level=info msg="api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)"
    time="2020-11-12T08:00:04+01:00" level=fatal msg="api signin: return bad HTTP code (500): Something went wrong."
    time="2020-11-13T08:00:01+01:00" level=info msg="api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)"
    time="2020-11-13T08:00:01+01:00" level=info msg="dependency issue crowdsecurity/apache2 : tainted parsers crowdsecurity/apache2-logs, tainted."
    time="2020-11-13T08:00:02+01:00" level=info msg="api signin: signed in successfuly"
    time="2020-11-13T08:00:04+01:00" level=warning msg="api pull returned 100 entries"
    time="2020-11-13T08:00:06+01:00" level=info msg="Wrote 100 bans from api to database."
    time="2020-11-14T08:00:02+01:00" level=info msg="api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)"
    time="2020-11-14T08:00:02+01:00" level=info msg="dependency issue crowdsecurity/apache2 : tainted parsers crowdsecurity/apache2-logs, tainted."
    time="2020-11-14T08:00:04+01:00" level=fatal msg="api signin: return bad HTTP code (500): Something went wrong."


    Technical Information (please complete the following information):

    • OS: Debian
    • Version 10 (Buster)
    bug 
    opened by ririsoft 10
  • Bug/crowdsec - goroutine crowdsec/runParse crashed : interface conversion: interface {} is nil, not parser.GeoIpEnricherCtx

    Bug/crowdsec - goroutine crowdsec/runParse crashed : interface conversion: interface {} is nil, not parser.GeoIpEnricherCtx

    The process crashes after some seconds.

    To reproduce, run this:

    touch ./crowdsec/data/crowdsec.db
    touch ./crowdsec/config/local_api_credentials.yaml


    Create this docker-compose file:

    crowdsec:
      container_name: crowdsec
      restart: always
      image: crowdsecurity/crowdsec:latest
      ports:
        - "8080:8080"
      volumes:
        - ./crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml
        - ./crowdsec/config/local_api_credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
        - ./crowdsec/data:/var/lib/crowdsec/data
        - /var/log/auth.log:/logs/auth.log:ro
        - /var/log/syslog:/logs/syslog:ro
      environment:
        - "COLLECTIONS=crowdsecurity/sshd"


    Run it:

    docker-compose up -d

    Expected behavior: just running and working.

    Technical Information (please complete the following information): Ubuntu 20.04

    • crowdsec Version v1.0.9-docker-a8b16a66b110ebe03bb330cda2600226a3a862d7

    Additional context

    docker logs -f crowdsec
    time="22-03-2021 11:32:55 PM" level=info msg="push and pull to crowdsec API disabled"
    0a10039f069d45e6b9fc4426a6bba1beyCi5ANeAGAP5OM6k 127.0.0.1 2021-03-22T23:30:18Z ✔️ v1.0.9-docker-a8b16a66b110ebe03bb330cda2600226a3a862d7
    time="22-03-2021 11:32:56 PM" level=info msg="push and pull to crowdsec API disabled"
    time="22-03-2021 11:32:58 PM" level=info msg="Successfully registered to Central API (CAPI)"
    time="22-03-2021 11:32:58 PM" level=info msg="Central API credentials dumped to '/etc/crowdsec/online_api_credentials.yaml'"
    time="22-03-2021 11:32:58 PM" level=warning msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective"
    time="22-03-2021 11:32:59 PM" level=info msg="Wrote new 103344 bytes index to /etc/crowdsec/hub/.index.json"
    time="22-03-2021 11:32:59 PM" level=info msg="crowdsecurity/linux : up-to-date"
    time="22-03-2021 11:32:59 PM" level=info msg="Item 'crowdsecurity/linux' is up-to-date"
    time="22-03-2021 11:32:59 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
    time="22-03-2021 11:32:59 PM" level=info msg="/etc/crowdsec/collections/sshd.yaml already exists."
    time="22-03-2021 11:32:59 PM" level=info msg="Enabled crowdsecurity/sshd"
    time="22-03-2021 11:32:59 PM" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
    time="22-03-2021 23:32:59" level=info msg="Crowdsec v1.0.9-docker-a8b16a66b110ebe03bb330cda2600226a3a862d7"
    time="22-03-2021 23:32:59" level=info msg="Loading prometheus collectors"
    time="22-03-2021 23:32:59" level=info msg="Loading CAPI pusher"
    time="22-03-2021 23:32:59" level=info msg="start crowdsec api push (interval: 30s)"
    time="22-03-2021 23:32:59" level=info msg="start crowdsec api pull (interval: 2h)"
    time="22-03-2021 23:32:59" level=info msg="start crowdsec api send metrics (interval: 30m)"
    time="22-03-2021 23:32:59" level=info msg="Loading grok library /etc/crowdsec//patterns/"
    time="22-03-2021 23:33:00" level=info msg="Loading enrich plugins"
    time="22-03-2021 23:33:00" level=warning msg="load (fake) plugin load : open /var/lib/crowdsec/data//GeoLite2-City.mmdb: no such file or directory"
    time="22-03-2021 23:33:00" level=info msg="Loading parsers 4 stages"
    time="22-03-2021 23:33:00" level=info msg="Node in /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml has no name,author or description. Skipping."
    time="22-03-2021 23:33:00" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
    time="22-03-2021 23:33:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
    time="22-03-2021 23:33:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
    time="22-03-2021 23:33:00" level=error msg="open /var/lib/crowdsec/data/GeoLite2-City.mmdb: no such file or directory"
    time="22-03-2021 23:33:00" level=error msg="open /var/lib/crowdsec/data/GeoLite2-ASN.mmdb: no such file or directory"
    time="22-03-2021 23:33:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
    time="22-03-2021 23:33:00" level=info msg="Loaded 5 nodes, 3 stages"
    time="22-03-2021 23:33:00" level=info msg="Loading postoverflow Parsers"
    time="22-03-2021 23:33:00" level=info msg="Loaded 0 nodes, 0 stages"
    time="22-03-2021 23:33:00" level=info msg="Loading 1 scenario files"
    time="22-03-2021 23:33:00" level=info msg="Adding leaky bucket" cfg=black-sea file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
    time="22-03-2021 23:33:00" level=info msg="Adding leaky bucket" cfg=frosty-water file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
    time="22-03-2021 23:33:00" level=warning msg="Loaded 2 scenarios"
    time="22-03-2021 23:33:00" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
    time="22-03-2021 23:33:00" level=info msg="[file datasource] opening file '/logs/auth.log'"
    time="22-03-2021 23:33:00" level=info msg="[file datasource] opening file '/logs/syslog'"
    time="22-03-2021 23:33:00" level=warning msg="Starting processing data"
    time="22-03-2021 23:33:42" level=info msg="pull top: added 100 entries"
    127.0.0.1 - [Mon, 22 Mar 2021 23:33:42 UTC] "POST /v1/watchers/login HTTP/1.1 200 42.67325549s "crowdsec/v1.0.9-docker-a8b16a66b110ebe03bb330cda2600226a3a862d7" "
    127.0.0.1 - [Mon, 22 Mar 2021 23:33:43 UTC] "POST /v1/watchers/login HTTP/1.1 200 259.329469ms "crowdsec/v1.0.9-docker-a8b16a66b110ebe03bb330cda2600226a3a862d7" "
    time="22-03-2021 23:34:08" level=error msg="crowdsec - goroutine crowdsec/runParse crashed : interface conversion: interface {} is nil, not parser.GeoIpEnricherCtx"
    time="22-03-2021 23:34:08" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/"
    time="22-03-2021 23:34:08" level=error msg="stacktrace/report is written to /tmp/crowdsec-crash.224995139.txt : please join it to your issue"
    time="22-03-2021 23:34:08" level=fatal msg="crowdsec stopped"

    bug 
    opened by rafipiccolo 9
  • Add postgresql sslmode option

    Add postgresql sslmode option

    Add postgresql sslmode option, fix spaces in docs

    opened by SanchosPancho 8
  • Bug/ Install wizard fails with Unable to read downloaded index

    Bug/ Install wizard fails with Unable to read downloaded index

    Hello,

    Describe the bug: I am running Debian Buster with SSH and Apache2. I downloaded the latest release tarball (after the advert on LinuxFr ;-) ) and ran ./wizard.sh -i.

    At the end of the process I got the following error message:

    INFO[0000] api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)
    FATA[0000] Unable to read downloaded index : open /etc/crowdsec/config/cscli/.index.json: no such file or directory. Please run update
    

    Running cscli update a first time returns the error:

    ERRO[0000] failed request Do : Get https://raw.githubusercontent.com/crowdsecurity/hub/master/.index.json: dial tcp: lookup raw.githubusercontent.com on 192.168.1.1:53: server misbehaving
    FATA[0000] Unable to download index : Get https://raw.githubusercontent.com/crowdsecurity/hub/master/.index.json: dial tcp: lookup raw.githubusercontent.com on 192.168.1.1:53: server misbehaving.
    
    

    I ran it another time and it returned:

    INFO[0000] Wrote new 73826 bytes index to /etc/crowdsec/config/cscli/.index.json
    

    I restarted the crowdsec systemd service; it fails with the following errors in the logs:

    time="11-11-2020 21:45:39" level=info msg="Opening file '/var/log/apache2/error.log' (pattern:/var/log/apache2/error.log)"
    time="11-11-2020 21:45:39" level=info msg="Opening file '/var/log/apache2/access.log' (pattern:/var/log/apache2/access.log)"
    time="11-11-2020 21:45:39" level=info msg="No filename or filenames, skipping empty item {Type:file Mode:tail Filename: Filenames:[] tail:<nil> Labels:map[] Profiling:false}"
    time="11-11-2020 21:45:39" level=fatal msg="no parser(s) loaded, abort."
    

    Expected behavior: crowdsec working out of the box after running the wizard.

    Technical Information (please complete the following information):

    • Debian
    • Buster

    Thanks in advance for your help here, do not hesitate to ask for more info.

    Cheers, Riri.

    bug 
    opened by ririsoft 8
  • OpenWrt support

    OpenWrt support

    Is packaging for OpenWrt in the pipe?

    enhancement 
    opened by erdoukki 8
  • High CPU after Upgrade to 1.2.0

    High CPU after Upgrade to 1.2.0

    Hi,

    After upgrading to 1.2.0 I got high CPU load (300%). There are no log entries that are guiding me to the right solution. I'm not sure which information you need to dig into the problem.

    crowdsec # cscli hub list
    INFO[23-10-2021 11:44:22 PM] dependency of crowdsecurity/nginx : sub collection crowdsecurity/base-http-scenarios is broken : missing scenarios crowdsecurity/http-crawl-non_statics, tainted.
    INFO[23-10-2021 11:44:22 PM] dependency of crowdsecurity/base-http-scenarios : missing scenarios crowdsecurity/http-crawl-non_statics, tainted.
    INFO[23-10-2021 11:44:22 PM] Loaded 23 collecs, 28 parsers, 36 scenarios, 3 post-overflow parsers
    INFO[23-10-2021 11:44:22 PM] PARSERS:
    -------------------------------------------------------------------------------------------------------------
     NAME                            📦 STATUS   VERSION  LOCAL PATH
    -------------------------------------------------------------------------------------------------------------
     crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
     crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
     crowdsecurity/sshd-logs         ✔️  enabled  1.0      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
     crowdsecurity/http-logs         ✔️  enabled  0.6      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
     crowdsecurity/nginx-logs        ✔️  enabled  0.8      /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
     crowdsecurity/mysql-logs        ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
     crowdsecurity/whitelists        ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
     crowdsecurity/syslog-logs       ✔️  enabled  0.4      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
    -------------------------------------------------------------------------------------------------------------
    INFO[23-10-2021 11:44:22 PM] SCENARIOS:
    --------------------------------------------------------------------------------------------------------------------------
     NAME                                       📦 STATUS   VERSION  LOCAL PATH
    --------------------------------------------------------------------------------------------------------------------------
     crowdsecurity/ssh-bf                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
     crowdsecurity/ssh-slow-bf                  ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml
     ltsich/http-w00tw00t                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-w00tw00t.yaml
     crowdsecurity/http-path-traversal-probing  ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
     crowdsecurity/http-sqli-probing            ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sqli-probing.yaml
     crowdsecurity/http-bad-user-agent          ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
     crowdsecurity/http-generic-bf              ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-generic-bf.yaml
     crowdsecurity/mysql-bf                     ✔️  enabled  0.1      /etc/crowdsec/scenarios/mysql-bf.yaml
     crowdsecurity/http-backdoors-attempts      ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
     crowdsecurity/http-open-proxy              ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-open-proxy.yaml
     crowdsecurity/http-probing                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-probing.yaml
     crowdsecurity/http-xss-probing             ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-xss-probing.yaml
    --------------------------------------------------------------------------------------------------------------------------
    INFO[23-10-2021 11:44:22 PM] COLLECTIONS:
    --------------------------------------------------------------------------------------------------------------------
     NAME                               📦 STATUS           VERSION  LOCAL PATH
    --------------------------------------------------------------------------------------------------------------------
     crowdsecurity/mysql                ✔️  enabled          0.1      /etc/crowdsec/collections/mysql.yaml
     crowdsecurity/nginx                ✔️  enabled          0.1      /etc/crowdsec/collections/nginx.yaml
     crowdsecurity/base-http-scenarios  ⚠️  enabled,tainted  0.5      /etc/crowdsec/collections/base-http-scenarios.yaml
     crowdsecurity/linux                ✔️  enabled          0.2      /etc/crowdsec/collections/linux.yaml
     crowdsecurity/sshd                 ✔️  enabled          0.2      /etc/crowdsec/collections/sshd.yaml
    --------------------------------------------------------------------------------------------------------------------
    INFO[23-10-2021 11:44:22 PM] POSTOVERFLOWS:
    --------------------------------------
     NAME  📦 STATUS  VERSION  LOCAL PATH
    --------------------------------------
    --------------------------------------
    
    cat /etc/crowdsec/config.yaml
    common:
      daemonize: true
      pid_dir: /var/run/
      log_media: file
      log_level: info
      log_dir: /var/log/
      working_dir: .
    config_paths:
      config_dir: /etc/crowdsec/
      data_dir: /var/lib/crowdsec/data/
      simulation_path: /etc/crowdsec/simulation.yaml
      hub_dir: /etc/crowdsec/hub/
      index_path: /etc/crowdsec/hub/.index.json
      notification_dir: /etc/crowdsec/notifications/
      plugin_dir: /usr/lib/crowdsec/plugins/
    crowdsec_service:
      acquisition_path: /etc/crowdsec/acquis.yaml
      parser_routines: 1
    cscli:
      output: human
    db_config:
      log_level: warn
      type: sqlite
      db_path: /var/lib/crowdsec/data/crowdsec.db
      #user:
      #password:
      #db_name:
      #host:
      #port:
      flush:
        max_items: 5000
        max_age: 7d
    plugin_config:
      user: nobody # plugin process would be ran on behalf of this user
      group: nogroup # plugin process would be ran on behalf of this group
    api:
      client:
        insecure_skip_verify: false
        credentials_path: /etc/crowdsec/local_api_credentials.yaml
      server:
        log_level: warn
        listen_uri: 0.0.0.0:8181
        profiles_path: /etc/crowdsec/profiles.yaml
        online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
          credentials_path: /etc/crowdsec/online_api_credentials.yaml
    #    tls:
    #      cert_file: /etc/crowdsec/ssl/cert.pem
    #      key_file: /etc/crowdsec/ssl/key.pem
    prometheus:
      enabled: true
      level: full
      listen_addr: 127.0.0.1
      listen_port: 6060
    
    ==> /var/log/crowdsec.log <==
    time="23-10-2021 23:40:22" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
    time="23-10-2021 23:40:22" level=info msg="Adding file /var/log/nginx/error.log to datasources" type=file
    time="23-10-2021 23:40:22" level=info msg="Adding file /var/log/nginx/access.log to datasources" type=file
    time="23-10-2021 23:40:22" level=info msg="Adding file /var/log/auth.log to datasources" type=file
    time="23-10-2021 23:40:22" level=info msg="Adding file /var/log/syslog to datasources" type=file
    time="23-10-2021 23:40:22" level=info msg="Adding file /var/log/kern.log to datasources" type=file
    time="23-10-2021 23:40:22" level=info msg="Reload is finished"
    time="23-10-2021 23:40:22" level=warning msg="Starting processing data"
    time="23-10-2021 23:42:21" level=info msg="Signal push: 1 signals to push"
    time="23-10-2021 23:45:21" level=info msg="Signal push: 1 signals to push"
    


    let me know if you need anything

    opened by celevra 0
  • Bug/Make syslog datasource more verbose

    Bug/Make syslog datasource more verbose

    The syslog datasource is not very verbose, even in debug/trace mode.

    We should at least log the full received message if there is a parsing failure in debug or trace mode.

    bug 
    opened by blotus 0
  • update gin and gin-jwt

    update gin and gin-jwt


    opened by AlteredCoder 0
  • Windows Poc

    Windows Poc


    opened by zecloud 0
  • Add email notification plugin.

    Add email notification plugin.

    Fixes https://github.com/crowdsecurity/crowdsec/issues/1003

    See docs at https://github.com/crowdsecurity/crowdsec-docs/pull/96

    opened by sbs2001 0
  • LAPI->CAPI : Support new data

    LAPI->CAPI : Support new data

    • Allow support for tainted/custom scenarios (opt-in)
    • Allow support for manual decisions (opt-in)
    • Allow support for decisions w/ Alert (opt-in)
    • Allow name/tag/alias in cscli console enroll
    opened by buixor 0
  • Bug/ Crowdsec doesn't gracefully stop if acquisition is empty

    Bug/ Crowdsec doesn't gracefully stop if acquisition is empty

    To reproduce:

    Empty your acquisition file, and try doing systemctl stop crowdsec.

    Relevant culprit code: https://github.com/crowdsecurity/crowdsec/blob/4d4d6d802cd41b55408a5eca5e745d438145f38f/pkg/acquisition/acquisition.go#L224

    https://github.com/crowdsecurity/crowdsec/blob/4d4d6d802cd41b55408a5eca5e745d438145f38f/cmd/crowdsec/serve.go#L109

    bug 
    opened by sbs2001 0
  • Improvement/plugins/notification: Add email notification plugin

    Improvement/plugins/notification: Add email notification plugin

    Is your feature request related to a problem? Please describe: The documentation uses writing an email notification plugin as an example. As a user, I don't want to write, build, maintain, and deploy this plugin.

    Describe the solution you'd like: Publish an email notification plugin, rather than leaving it as an exercise for the user to copy-pasta. The code already exists in the documentation, though it probably needs an option to send unauthenticated email (or just default to AuthNone if username/password are empty). It should probably also include an option to set the subject from config.

    enhancement 
    opened by pdf 1
  • Bug/ High CPU usage when using cloudwatch acquisition

    Bug/ High CPU usage when using cloudwatch acquisition

    To reproduce, just use the cloudwatch acq to read logs. After crowdsec starts to read multiple cloudwatch streams, the CPU usage goes up.

    bug 
    opened by sbs2001 0
  • Use math.MaxInt32 instead of math.MaxUint32

    Use math.MaxInt32 instead of math.MaxUint32

    To fix 32 bits compilation in v1.2.0 https://github.com/crowdsecurity/crowdsec/issues/979

    Signed-off-by: Kerma Gérald [email protected]

    opened by erdoukki 4
Releases(v1.2.0)
  • v1.2.0(Sep 14, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) (#969) @sabban
    • Fix crash if plugin config is broken (#964) @sbs2001
    • update docker image documentation + docker start script (#965) @he2ss
    • log more information if server returns non 200 status code (#966) @blotus
    • fix docker image + install whitelists on build (#968) @he2ss
    • Func tests (#970) @sabban
    • default to current GOOS in makefile (#973) @blotus
    • fix static build (#971) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release-static.tgz(27.51 MB)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc7(Sep 10, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) (#969) @sabban
    • Fix crash if plugin config is broken (#964) @sbs2001
    • update docker image documentation + docker start script (#965) @he2ss
    • log more information if server returns non 200 status code (#966) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc8(Sep 13, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) (#969) @sabban
    • Fix crash if plugin config is broken (#964) @sbs2001
    • update docker image documentation + docker start script (#965) @he2ss
    • log more information if server returns non 200 status code (#966) @blotus
    • fix docker image + install whitelists on build (#968) @he2ss
    • Func tests (#970) @sabban

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc6(Sep 10, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) @sabban
    • Fix crash if plugin config is broken (#964) @sbs2001
    • update docker image documentation + docker start script (#965) @he2ss
    • log more information if server returns non 200 status code (#966) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc4(Sep 10, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) @sabban

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc3(Sep 9, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.77 MB)
  • v1.2.0-rc2(Sep 7, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc1(Sep 3, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.2.0-rc5(Sep 10, 2021)

    New features

    • Support for notification plugins (slack, splunk, ES, http push) (#878)
    • Improve community blocklist pull management : prepare for new consensus release (#871)
    • Add /health endpoint to local API (#881) @nanikjava

    Bugfixes & Improvements

    • update to use cdn for hub (#920) @sabban
    • Remove last remaining autogen messages in cscli doc (#926) @blotus
    • Avoid code duplication for protobuf in plugins (#918) @sbs2001
    • fix release drafter + readme + remove dead readme for acquis (#933) @buixor
    • fix #919 : display error message (#929) @buixor
    • fix datasource prometheus metrics not being registered (#927) @blotus
    • enforce a bit more parsing for resilience (#928) @buixor
    • allow deleting multiple machines (#930) @AlteredCoder
    • Update cscli doc for docusaurus (#924) @blotus
    • Add plugin interface code in protobufs package (#921) @sbs2001
    • don't try to send/don't notify if plugin chan is nil (#923) @buixor
    • add support for --since in journalctl DSN (#917) @blotus
    • Rpm fixes (#909 #911 #912 #913 #914) @sabban
    • Minor changes to specific logs (#900) @ThinkChaos
    • Makefile: default GOARCH to the arch we are running on (#908) @blotus
    • Download datafile (#895) @sabban
    • Document scope parameter for stream API (#897) @sbs2001
    • import debian & rpm sources (#898) @blotus
    • fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
    • fix #885 : remove dead dependencies for plugin (#891) @buixor
    • set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
    • add a hook on fatal/panic to ensure we're logging to stderr as well (#879) @buixor
    • Fix big serialized entries (#877) @buixor
    • Goroutine leak hunt (#874) @buixor
    • don't wait for acquis tomb if we have no sources (#868) @blotus
    • check if api:client is present (#867) @buixor
    • fix the unit tests (#858) @sabban
    • simplify, and only kill/wait on tomb when relevant (#866) @buixor
    • allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
    • Update README for FreeBSD (#859) @sbz
    • Remove non POSIX sed usage (#855) @sbz
    • Fix the notification plugin directory structure (#942) @sabban
    • fix stacktrace when mmdb files are not present (#935) @AlteredCoder
    • Use our fork of grokky (#953) @blotus
    • don't install all items from hub when upgrade --force (#948) @AlteredCoder
    • make debian package own /etc/crowdsec/* (#947) @sabban
    • add jsonExtractUnescape Helper (#962) @he2ss
    • do not set hub_branch to master in docker (#956) @blotus
    • remove config.patch on master (#957) @buixor
    • multiple fixes for functional tests (#960) (#958) @sabban
    • Fix crash if plugin config is broken (#964) @sbs2001
    • log more information if server returns non 200 status code (#966) @blotus

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Installation

    Take a look at the installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(26.78 MB)
  • v1.1.1(Jul 7, 2021)

  • v1.1.0(Jul 6, 2021)

    New Features

    • add console enroll command to cscli (#828) @blotus
    • add support for 'expression' (fix #822) in grok patterns (#830) @buixor
    • refactor Acquisition Interface (#773) @buixor
    • allow bouncers to filter decisions by scope (#817) @sbs2001
    • add postgresql sslmode option (#772) @SanchosPancho

    Bug Fixes & improvements

    • ensure decisions from CAPI have proper case (#848) @buixor
    • load hub file properly when restoring config from tmpdir (#847) @buixor
    • fix #842 #837 (#845) @buixor
    • refuse to run the dashboard if not on amd64 (#843) @blotus
    • fix #840 : check for whiptail in detect mode (#844) @buixor
    • cscli: update completion doc (fix #841) (#846) @he2ss
    • trivial typo fix adresses -> addresses in msgbox (#832) @Plasma
    • fix #823 : lower JsonExtract debug (#824) @buixor
    • fix #781 - avoid inconsistent body : do not send NbDeleted on error (#812) @buixor
    • improve emoji for local configuration when listing (#811) @blotus
    • add docker option to specify local timezone (#803) @flo-mic
    • fix #787 : load simulation config at startup (#793) @he2ss
    • delete orphan nodes (fix #778) (#794) @buixor
    • gen passwd until it satisfies metabase policy (#792) @sbs2001

    Documentation & Other changes

    • update completion doc (#850) @AlteredCoder
    • remove dispatch to packaging repo (#852) @blotus
    • fix functional tests (#838) @sabban
    • update docker file to reflect change on acquisitions (#834) @buixor
    • build docker image for both amd64 and arm64 (#829) @blotus
    • fix image links in readme (#821) @blotus
    • remove documentation (#820) @blotus
    • update documentation for cscli metrics (#814) @AlteredCoder
    • doc: update user-guide network section (#813) @he2ss
    • ignore CI when it concerns documentation (#815) @he2ss
    • fix #806 : improve upgrade documentation (#808) @buixor
    • update README.md (#810) @AlteredCoder
    • fix typo in writing parser documentation (#800) @AlteredCoder
    • fix typo in scenario doc (#798) @AlteredCoder
    • added steps for proxy on systemd service (#795) @Lamera
    • improve proxy doc (#791) @AlteredCoder
    • fix some bugs (#788) @AlteredCoder
    • update acquisition.md (#784) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release-static.tgz(18.10 MB)
    crowdsec-release.tgz(19.21 MB)
  • v1.0.14(May 5, 2021)

  • v1.0.13(Apr 27, 2021)

    New

    • add autocompletion for cscli (#717) @AlteredCoder
    • refactor configuration management : extend non-root usage (#698) @AlteredCoder
    • add TimeNow in the exprlib helpers (#756) @registergoofy

    Bug Fixes & Improvements

    • fix cscli alerts delete -all (#769) @AlteredCoder
    • fix test on prerelease (#768) @registergoofy
    • functional tests staticbuild (#767) @registergoofy
    • fix makefile for static binaries (#764) @AlteredCoder
    • do not leak fd on reload (#748) @buixor
    • ent update : 0.7.0 (#692) @buixor
    • cscli hub mgmt improvements (#710) @buixor
    • bump pyyaml from 5.3.1 to 5.4 in /docs (#720) @dependabot
    • bump jinja2 from 2.11.1 to 2.11.3 in /docs (#706) @dependabot
    • ensure LAPI logs respect log_media (#707) @buixor
    • fix pattern registration (#715) @AlteredCoder
    • debian package auto-testing (#701) @buixor
    • pkg/apiclient: pick up dropped errors (#676) @alrs
    • fix null deref in cscli config (#694) @AlteredCoder
    • use --no-cache with apk to skip manual apk update (#689) @PeterDaveHello
    • don't hide cscli version (#686) @AlteredCoder
    • fix #677 (#684) @AlteredCoder
    • reorder Dockerfile to improve image layer caching (#681) @PeterDaveHello
    • pattern syntax consistence (#675) @buixor
    • fix #670, improve decision delete doc (#673) @buixor
    • pkg/metabase: fix dropped error (#652) @alrs
    • remove pattern matching valid SSH disconnect (#668) @dani
    • pkg/apiserver: fix dropped error (#700) @alrs
    • fix #723 : intercept http2 stream closed errors (#724) @buixor
    • get rid of tmp stuff (#738) @registergoofy
    • Bump pygments from 2.6.1 to 2.7.4 in /docs (#725) @dependabot
    • Static release (#737) @registergoofy
    • dispatch on tag creation (#734) @sabban
    • README update (#730) @buixor
    • honor log levels for api : don't log access logs if level is warn/err (#732) @buixor
    • cscli machines|bouncers|dashboard error message clarification (#754) @buixor
    • cscli: sort meta by key in alerts inspect output (#762) @blotus

    Documentation & others

    • FreeBSD changes (#718) (#721) @AlteredCoder
    • update crowdsec tour documentation (#713) @AlteredCoder
    • update README (#714) @AlteredCoder
    • fix debian-like installation documentation (#708) @registergoofy
    • clarify doc on onsuccess in parsers + add new date formats for dateparse (#703) @buixor
    • unified functional tests (#696) @buixor
    • misspelling in docker Readme (#688) @thib3113
    • up installation documentation (#678) @buixor
    • automatically update docker hub readme (github action) (#679) @he2ss
    • update the config.yaml file (#674) @AlteredCoder
    • clarify help message, fix #659 (#672) @buixor
    • fix documentation in write_configurations (#666) @AlteredCoder
    • clarify doc on db migration (#747) @buixor
    • Updated readme.md (#743) @philippecrowdsec
    • fix #741 : document network streams about crowdsec and lapi (#750) @buixor
    • Update CI (#760) @blotus
    • add System to cwversion to have platform in UA (#763) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release-static.tgz(17.04 MB)
    crowdsec-release.tgz(17.92 MB)
  • v1.0.12(Apr 7, 2021)

    New

    • add autocompletion for cscli (#717) @AlteredCoder
    • refactor configuration management : extend non-root usage (#698) @AlteredCoder

    Bug Fixes & Improvements

    • ent update : 0.7.0 (#692) @buixor
    • cscli hub mgmt improvements (#710) @buixor
    • bump pyyaml from 5.3.1 to 5.4 in /docs (#720) @dependabot
    • bump jinja2 from 2.11.1 to 2.11.3 in /docs (#706) @dependabot
    • ensure LAPI logs respect log_media (#707) @buixor
    • fix pattern registration (#715) @AlteredCoder
    • debian package auto-testing (#701) @buixor
    • pkg/apiclient: pick up dropped errors (#676) @alrs
    • fix null deref in cscli config (#694) @AlteredCoder
    • use --no-cache with apk to skip manual apk update (#689) @PeterDaveHello
    • don't hide cscli version (#686) @AlteredCoder
    • fix #677 (#684) @AlteredCoder
    • reorder Dockerfile to improve image layer caching (#681) @PeterDaveHello
    • pattern syntax consistence (#675) @buixor
    • fix #670, improve decision delete doc (#673) @buixor
    • pkg/metabase: fix dropped error (#652) @alrs
    • remove pattern matching valid SSH disconnect (#668) @dani
    • pkg/apiserver: fix dropped error (#700) @alrs
    • fix #723 : intercept http2 stream closed errors (#724) @buixor
    • get rid of tmp stuff (#738) @registergoofy
    • Bump pygments from 2.6.1 to 2.7.4 in /docs (#725) @dependabot
    • Static release (#737) @registergoofy
    • dispatch on tag creation (#734) @sabban
    • README update (#730) @buixor
    • honor log levels for api : don't log access logs if level is warn/err (#732) @buixor

    Documentation & others

    • FreeBSD changes (#718) (#721) @AlteredCoder
    • update crowdsec tour documentation (#713) @AlteredCoder
    • update README (#714) @AlteredCoder
    • fix debian-like installation documentation (#708) @registergoofy
    • clarify doc on onsuccess in parsers + add new date formats for dateparse (#703) @buixor
    • unified functional tests (#696) @buixor
    • misspelling in docker Readme (#688) @thib3113
    • up installation documentation (#678) @buixor
    • automatically update docker hub readme (github action) (#679) @he2ss
    • update the config.yaml file (#674) @AlteredCoder
    • clarify help message, fix #659 (#672) @buixor
    • fix documentation in write_configurations (#666) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release-static.tgz(22.33 MB)
    crowdsec-release.tgz(17.92 MB)
  • v1.0.11(Mar 31, 2021)

    New

    • add autocompletion for cscli (#717) @AlteredCoder
    • refactor configuration management : extend non-root usage (#698) @AlteredCoder

    Bug Fixes & Improvements

    • ent update : 0.7.0 (#692) @buixor
    • cscli hub mgmt improvements (#710) @buixor
    • bump pyyaml from 5.3.1 to 5.4 in /docs (#720) @dependabot
    • bump jinja2 from 2.11.1 to 2.11.3 in /docs (#706) @dependabot
    • ensure LAPI logs respect log_media (#707) @buixor
    • fix pattern registration (#715) @AlteredCoder
    • debian package auto-testing (#701) @buixor
    • pkg/apiclient: pick up dropped errors (#676) @alrs
    • fix null deref in cscli config (#694) @AlteredCoder
    • use --no-cache with apk to skip manual apk update (#689) @PeterDaveHello
    • don't hide cscli version (#686) @AlteredCoder
    • fix #677 (#684) @AlteredCoder
    • reorder Dockerfile to improve image layer caching (#681) @PeterDaveHello
    • pattern syntax consistence (#675) @buixor
    • fix #670, improve decision delete doc (#673) @buixor
    • pkg/metabase: fix dropped error (#652) @alrs
    • remove pattern matching valid SSH disconnect (#668) @dani

    Documentation & others

    • FreeBSD changes (#718) (#721) @AlteredCoder
    • update crowdsec tour documentation (#713) @AlteredCoder
    • update README (#714) @AlteredCoder
    • fix debian-like installation documentation (#708) @registergoofy
    • clarify doc on onsuccess in parsers + add new date formats for dateparse (#703) @buixor
    • unified functional tests (#696) @buixor
    • misspelling in docker Readme (#688) @thib3113
    • up installation documentation (#678) @buixor
    • automatically update docker hub readme (github action) (#679) @he2ss
    • update the config.yaml file (#674) @AlteredCoder
    • clarify help message, fix #659 (#672) @buixor
    • fix documentation in write_configurations (#666) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.92 MB)
  • v1.0.9(Mar 4, 2021)

    Improvements

    • allow for acquisition files to be specified from a directory as well (#619) @buixor
    • improve logging cscli and wizard (#643) @AlteredCoder
    • add a prometheus_uri option for cscli's config (#625) @buixor

    Bug Fixes & various

    • docker: fix the perms of SQLite DB for metabase (#647) @buixor
    • don't try to login with zero scenarios (#627) @buixor
    • skip empty lines to avoid issue of #630 (#631) @buixor
    • only set logfile dir if media is file (#615) @buixor
    • fix races + significantly improve crowdsec forensic mode shutdown speed (#633) @registergoofy
    • truly don't try to send anything with empty online credentials configuration file (#657) @registergoofy

    Documentation

    • reference faq for metabase without docker (#649) @buixor
    • doc api + minor api fixes (#654) @buixor
    • update bouncer_machine_management.md (#614) @kingmilo
    • doc improvements (#644) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.89 MB)
  • v1.0.8(Feb 25, 2021)

    Improvements

    • allow for acquisition files to be specified from a directory as well (#619) @buixor
    • improve logging cscli and wizard (#643) @AlteredCoder
    • add a prometheus_uri option for cscli's config (#625) @buixor

    Bug Fixes

    • docker: fix the perms of SQLite DB for metabase (#647) @buixor
    • don't try to login with zero scenarios (#627) @buixor
    • skip empty lines to avoid issue of #630 (#631) @buixor
    • only set logfile dir if media is file (#615) @buixor
    • fix races + significantly improve crowdsec forensic mode shutdown speed (#633) @registergoofy

    Changes

    • Update bouncer_machine_management.md (#614) @kingmilo
    • Doc improvements (#644) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.90 MB)
  • v1.0.7(Feb 10, 2021)

    Changes

    Improvements

    • allow environment variable in configuration file (#601) @AlteredCoder
    • update docker image + documentation (#602) @erenJag
    • Add use_forwarded_for_headers configuration option for LAPI (#610) @blotus

    Bug fixes

    • Fix: typo in apic.go logs (#592) @sbs2001
    • Fix: default configurations (#597) @buixor
    • create crowdsec group for metabase and crowdsec.db (#606) @AlteredCoder
    • fix stack trace when missing cscli in config file (#607) @AlteredCoder
    • don't load lapi creds when running only api (#608) @AlteredCoder

    Various

    • update go.mod (#580) @AlteredCoder
    • add link to exported fields in write configuration documentation (#584) @AlteredCoder
    • add answer to #589 to FAQ (#590) @buixor
    • add two options: configure and noop (#591) @registergoofy
    • Docs: Correct link in README for installation via source (#593) @sbs2001
    • Documentation update (#596) @JeanDevaux
    • Update grammar of index.md for localAPI docs (#598) @kingmilo
    • remove help message backup/restore in wizard (#612) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.88 MB)
  • v1.0.6(Feb 4, 2021)

    Changes

    Improvements

    • allow environment variable in configuration file (#601) @AlteredCoder
    • add two options: configure and noop (#591) @registergoofy
    • update go.mod (#580) @AlteredCoder

    Bug fixes

    • Fix: enable items when upgrading a collection (#599) @AlteredCoder
    • Fix: default configurations (#597) @buixor
    • Fix: typo in apic.go logs (#592) @sbs2001

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.84 MB)
  • v1.0.5(Feb 3, 2021)

    Changes

    • Update grammar of index.md for localAPI docs (#598) @kingmilo
    • update go.mod (#580) @AlteredCoder
    • Fix default configurations (#597) @buixor
    • Documentation update (#596) @JeanDevaux
    • Docs: Correct link in README for installation via source (#593) @sbs2001
    • Fix typo in apic.go logs (#592) @sbs2001
    • add two options: configure and noop (#591) @registergoofy
    • add answer to #589 to FAQ (#590) @buixor
    • add link to exported fields in write configuration documentation (#584) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.83 MB)
  • v1.0.4(Jan 18, 2021)

    Changes

    Improvements

    • fix ipv6 operations & allow inner/outer range search (#567) @AlteredCoder
    • wizard : enable detection of httpd (#512) @sbs2001 (centos)
    • wizard : improve upgrade (#542) @erenJag

    Bug fixes

    • fix jwt token desynchronization between crowdsec and lapi (#572) @buixor
    • wizard: don't force --binupgrade when upgrading a patch
    • cscli dashboard create : drop the platform argument to avoid being compatible ONLY with API 1.41 (#582) @buixor

    Various

    • Sanitize id from either source (#568) @srcr (BSD support)
    • MAKE is now a variable (#569) @srcr (BSD support)
    • go mod tidy (#566) @buixor
    • Update copyright year (#565) @registergoofy
    • Fix docker library used by cscli dashboard (#563) @AlteredCoder
    • jwt token generation improvement (#557) @registergoofy
    • Remove usage of tachymeter (#561) @buixor
    • Add doc on how to contribute bouncers (#560) @buixor
    • Update docker doc for database persistence (#551) @thelittlefireman
    • Tor doc : add http as well (#547) @buixor
    • Add tests for wizard upgrade (#545) @AlteredCoder
    • Document how to use it with tor (#546) @buixor
    • Delete old/empty docs (#544) @buixor
    • Update documentation for upgrade (#543) @buixor
    • Fix bugs in wizard and cscli (#577) @AlteredCoder
    • add useful links in the wizard (#576) @AlteredCoder
    • Update db schema in documentation (#575) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.75 MB)
  • v1.0.3(Jan 15, 2021)

    Changes

    Improvements

    • fix ipv6 operations & allow inner/outer range search (#567) @AlteredCoder
    • wizard : enable detection of httpd (#512) @sbs2001 (centos)
    • wizard : improve upgrade (#542) @erenJag

    Bug fixes

    • fix jwt token desynchronization between crowdsec and lapi (#572) @buixor
    • wizard: don't force --binupgrade when upgrading a patch

    Various

    • Sanitize id from either source (#568) @srcr (BSD support)
    • MAKE is now a variable (#569) @srcr (BSD support)
    • go mod tidy (#566) @buixor
    • Update copyright year (#565) @registergoofy
    • Fix docker library used by cscli dashboard (#563) @AlteredCoder
    • jwt token generation improvement (#557) @registergoofy
    • Remove usage of tachymeter (#561) @buixor
    • Add doc on how to contribute bouncers (#560) @buixor
    • Update docker doc for database persistence (#551) @thelittlefireman
    • Tor doc : add http as well (#547) @buixor
    • Add tests for wizard upgrade (#545) @AlteredCoder
    • Document how to use it with tor (#546) @buixor
    • Delete old/empty docs (#544) @buixor
    • Update documentation for upgrade (#543) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Upgrading installation

    Take a look at the upgrade instructions or installation instructions.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.75 MB)
  • v1.0.2(Dec 15, 2020)

  • v1.0.1(Dec 14, 2020)

    Changes

    Bug fixes

    • Handle broken pipe errors in local API (#538) @buixor
    • Update systemctl env to use default LANG (#535) @AlteredCoder
    • Export node logger (needed for hub CI) (#537) @registergoofy
    • Avoid pushing signals from local/tainted scenarios (#536) @buixor
    • Deal with LAPI down : ensure client will reauthenticate (#527) @buixor
    • Fix cscli hub upgrade (#534) @AlteredCoder
    • Fix --all flags for cscli [item] upgrade (#534) @AlteredCoder
    • Fix localhost confusion (localhost vs 127.0.0.1) (#522) @erenJag
    • Don't trash bouncer configuration on wizard.sh --upgrade (#522) @erenJag
    • Early hub CI integration (#521) @registergoofy
    • Fix prometheus URL used by cscli (#520) @AlteredCoder

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.61 MB)
  • v1.0.0(Dec 7, 2020)

    Changes from v0.3.X to v1.0.0
    Local API

    • Crowdsec now exposes an API. Crowdsec will send Alerts (triggered scenarios) to this API, which will handle decisions (with profiles). All bouncers will have to query this API to know if an IP should be blocked or not.
    • This change brings the following possibilities:
      • Multiple crowdsec instances can share their decisions by sending their alerts to the same API endpoint, instead of using a network database.
      • Bouncers now only have to make an HTTP request to know whether an IP is blocked, instead of supporting all kinds of databases.
      • The pull of bad IPs from the Crowdsec Central API is now done periodically by the API in the background, instead of in a cronjob.
    • Local & Central API documentation
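    The bouncer-to-LAPI exchange described above, as an added illustration (example code, not part of the CrowdSec project): a minimal Go bouncer client that asks the Local API whether an IP has an active decision. It assumes the `GET /v1/decisions?ip=<ip>` endpoint, the `X-Api-Key` header issued by `cscli bouncers add`, and the decision field names of the Local API documentation; the LAPI side is a constructed in-process fake so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Decision holds the LAPI decision fields a bouncer acts on (names assumed from the LAPI schema).
type Decision struct {
	Type     string `json:"type"` // remediation: "ban", "captcha", ...
	Value    string `json:"value"`
	Scenario string `json:"scenario"`
}

// BouncerClient is a minimal bouncer: it asks LAPI over HTTP instead of reading a shared database.
type BouncerClient struct {
	BaseURL string
	APIKey  string       // generated with `cscli bouncers add <name>`
	HTTP    *http.Client // set a timeout so a stalled LAPI cannot stall the bouncer
}

// ActiveDecisions calls GET /v1/decisions?ip=<ip>; a nil slice means LAPI holds no decision.
func (c *BouncerClient) ActiveDecisions(ip string) ([]Decision, error) {
	endpoint := fmt.Sprintf("%s/v1/decisions?ip=%s", c.BaseURL, url.QueryEscape(ip))
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Api-Key", c.APIKey) // bouncer authentication header
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("lapi returned HTTP %d", resp.StatusCode)
	}
	var decisions []Decision
	// LAPI answers the literal "null" when nothing matches; Decode then leaves the slice nil.
	if err := json.NewDecoder(resp.Body).Decode(&decisions); err != nil {
		return nil, err
	}
	return decisions, nil
}

// ShouldBlock is true only for "ban" decisions; softer ones (captcha) are left to the caller.
func (c *BouncerClient) ShouldBlock(ip string) (bool, error) {
	decisions, err := c.ActiveDecisions(ip)
	if err != nil {
		return false, err // caller decides whether to fail open or closed
	}
	for _, d := range decisions {
		if d.Type == "ban" {
			return true, nil
		}
	}
	return false, nil
}

// newFakeLAPI is a constructed stand-in for a real Local API (so the example runs offline):
// it enforces the X-Api-Key header and serves the decisions it was given.
func newFakeLAPI(apiKey string, banned map[string]Decision) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Api-Key") != apiKey {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if d, ok := banned[r.URL.Query().Get("ip")]; ok {
			json.NewEncoder(w).Encode([]Decision{d})
			return
		}
		w.Write([]byte("null"))
	}))
}

func main() {
	// Constructed sample: one banned IP from the 192.0.2.0/24 documentation range.
	lapi := newFakeLAPI("constructed-key", map[string]Decision{"192.0.2.10": {
		Type: "ban", Value: "192.0.2.10", Scenario: "crowdsecurity/ssh-bf"}})
	c := &BouncerClient{BaseURL: lapi.URL, APIKey: "constructed-key", HTTP: &http.Client{Timeout: 5 * time.Second}}
	fmt.Println(c.ShouldBlock("192.0.2.10")) // true <nil>
	fmt.Println(c.ShouldBlock("192.0.2.20")) // false <nil>
}
```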

    Journald

    cscli

    • we now follow the cscli <domain> <action> logic:

    cscli install scenario crowdsecurity/ssh-bf becomes cscli scenarios install crowdsecurity/ssh-bf

    • new commands have been added

      • bouncers: manage bouncers. Use this command to generate an API token for a bouncer or to list bouncers.
      • capi: register with, or check the status of, the Central Crowdsec API.
      • hub: update the hub cache and see the configurations installed from the hub.
      • lapi: register with, or check the status of, a crowdsec Local API.
      • machines: manage machines registered to the API (create/delete/list machines).
    • You can now see more information about an Alert with cscli alerts inspect <alert_id>:

    Runtime Object changes

    • SignalOccurences and ban are replaced by Alerts and Decisions:
      • Alert: an alert generated by a triggered scenario (kept for history)
      • Decision: a remediation (ban, captcha, mfa ...) to apply during a period defined in the profile configuration

    Note: the object exposed in profile.yaml (Sig) becomes Alert

    Improvements

    • Improve dashboard management. Username and password are now stored locally, so you don't have to recreate the dashboard if you lose your password
    • Improve dashboards and their graphs
    • Better handling of stack traces
    • Use pagination for database interactions (create, select ...) for better performance and to avoid SQL errors
    • cscli alerts list (previously cscli ban list) is now faster with big databases

    Bug fixes

    • Fix parser node evaluation order, where sub-nodes were evaluated before the root one
    • Crowdsec exited when the geoip enrichment failed
    • Fix a bug in cscli inspect <scenario> where the scenario belongs to multiple collections
    • Fix range deletion with cscli

    Changes from last release candidate

    • change the hub branch for the upcoming release (#513) @buixor
    • improve docs (#511) @AlteredCoder
    • cscli: fix bug in restore command (#510) @erenJag
    • update prometheus doc (#509) @erenJag
    • Faq metabase (#508) @AlteredCoder
    • Add ci docker push (#504) @erenJag
    • rename username by machine (#506) @AlteredCoder
    • Fix a crash (#503) @registergoofy
    • allow to specify username when register to lapi (#505) @AlteredCoder
    • fix cscli remove (#501) @erenJag

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Migration

    Have a look at the migration tutorial!

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.61 MB)
  • v1.0.0-rc5(Dec 2, 2020)

    Changes

    • fix & improve collections remove + improve cscli args vars (#498) @erenJag
    • Fix overflows of overflows requesting for different decision scope (#499) @buixor
    • Fix documentation errors (#496) @AlteredCoder
    • improve error management of cscli bouncers add (#495) @buixor
    • Doc fix install (#494) @buixor
    • Improve create alerts input (#493) @erenJag
    • add info message when there is no hub index (#492) @erenJag
    • doc update (#491) @buixor

    Geolite2 notice

    This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.61 MB)
  • v1.0.0-rc3(Nov 26, 2020)

    What's changed

    New features

    • Support journald as datasource

    Improvements

    • Support HEAD method in LAPI
    • Set release mode for gin
    • Improve documentation
    • Improve the profile configuration

    Bug fix

    • Fix a bug in cscli alerts inspect <alert_id>
    • Fix prometheus configuration handling
    • Fix cscli config <backup|restore>
    • Fix parser node evaluation order
    • Fix database scheduled flush

    Source code(tar.gz)
    Source code(zip)
    crowdsec-release.tgz(17.59 MB)
  • v1.0.0-rc4(Nov 30, 2020)

  • v0.3.7(Nov 20, 2020)
