Collections
Crowdsec Hub allows you to find needed collections.
Installing collections¶
$ sudo cscli collections install crowdsecurity/whitelist-good-actors
cscli collection install example
$ sudo cscli collections install crowdsecurity/whitelist-good-actors
INFO[0000] crowdsecurity/seo-bots-whitelist : OK
INFO[0000] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rdns_seo_bots.txt' in '/var/lib/crowdsec/data/rdns_seo_bots.txt'
INFO[0001] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/rnds_seo_bots.regex' in '/var/lib/crowdsec/data/rdns_seo_bots.regex'
INFO[0002] downloading data 'https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/whitelists/benign_bots/search_engine_crawlers/ip_seo_bots.txt' in '/var/lib/crowdsec/data/ip_seo_bots.txt'
INFO[0002] crowdsecurity/cdn-whitelist : OK
INFO[0002] downloading data 'https://www.cloudflare.com/ips-v4' in '/var/lib/crowdsec/data/cloudflare_ips.txt'
INFO[0003] crowdsecurity/rdns : OK
INFO[0003] crowdsecurity/whitelist-good-actors : OK
INFO[0003] /etc/crowdsec/postoverflows/s01-whitelist doesn't exist, create
INFO[0003] Enabled postoverflows : crowdsecurity/seo-bots-whitelist
INFO[0003] Enabled postoverflows : crowdsecurity/cdn-whitelist
INFO[0003] /etc/crowdsec/postoverflows/s00-enrich doesn't exist, create
INFO[0003] Enabled postoverflows : crowdsecurity/rdns
INFO[0003] Enabled collections : crowdsecurity/whitelist-good-actors
INFO[0003] Enabled crowdsecurity/whitelist-good-actors
INFO[0003] Run 'systemctl reload crowdsec' for the new configuration to be effective.
$ systemctl reload crowdsec
Listing installed collections¶
$ sudo cscli collections list
cscli collections list example
$ sudo cscli collections list
-------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------
crowdsecurity/nginx ✔️ enabled 0.1 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/base-http-scenarios ✔️ enabled 0.1 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/sshd ✔️ enabled 0.1 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
-------------------------------------------------------------------------------------------------------------
Upgrading installed collections¶
$ sudo cscli hub update
$ sudo cscli collections upgrade crowdsecurity/sshd
Collection upgrade allows you to upgrade an existing collection (and its items) to the latest version.
cscli collections upgrade example
$ sudo cscli collections upgrade crowdsecurity/sshd
INFO[0000] crowdsecurity/sshd : up-to-date
WARN[0000] crowdsecurity/sshd-logs : overwrite
WARN[0000] crowdsecurity/ssh-bf : overwrite
WARN[0000] crowdsecurity/sshd : overwrite
INFO[0000] 📦 crowdsecurity/sshd : updated
INFO[0000] Upgraded 1 items
INFO[0000] Run 'systemctl reload crowdsec' for the new configuration to be effective.
$ systemctl reload crowdsec
Monitoring collections¶
$ sudo cscli collections inspect crowdsecurity/sshd
Collections inspect will give you detailed information about a given collection, including versioning information and runtime metrics (fetched from prometheus).
cscli collections inspect example
$ sudo cscli collections inspect crowdsecurity/sshd
type: collections
name: crowdsecurity/sshd
filename: sshd.yaml
description: 'sshd support : parser and brute-force detection'
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/linux
- crowdsecurity/linux
remote_path: collections/crowdsecurity/sshd.yaml
version: "0.1"
local_path: /etc/crowdsec/collections/sshd.yaml
localversion: "0.1"
localhash: 21159aeb87529efcf1a5033f720413d5321a6451bab679a999f7f01a7aa972b3
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
parsers:
- crowdsecurity/sshd-logs
scenarios:
- crowdsecurity/ssh-bf
Current metrics :
- (Scenario) crowdsecurity/ssh-bf:
+---------------+-----------+--------------+--------+---------+
| CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+---------------+-----------+--------------+--------+---------+
| 0 | 1 | 2 | 10 | 1 |
+---------------+-----------+--------------+--------+---------+