Skip to content

Scenarios

Crowdsec Hub allows you to find needed scenarios.

Installing scenarios

$ sudo cscli scenarios install crowdsecurity/http-bf-wordpress_bf
cscli scenarios install example
$ sudo cscli scenarios install crowdsecurity/http-bf-wordpress_bf
INFO[0000] crowdsecurity/http-bf-wordpress_bf : OK      
INFO[0000] Enabled scenarios : crowdsecurity/http-bf-wordpress_bf 
INFO[0000] Enabled crowdsecurity/http-bf-wordpress_bf   
INFO[0000] Run 'systemctl reload crowdsec' for the new configuration to be effective. 
$ systemctl reload crowdsec

Listing installed scenarios

sudo cscli scenarios list

Scenarios are yaml files in /etc/crowdsec/scenarios/.

cscli scenarios list example
$ sudo cscli scenarios list
---------------------------------------------------------------------------------------------------------------------------
 NAME                                       📦 STATUS    VERSION  LOCAL PATH                                               
---------------------------------------------------------------------------------------------------------------------------
 crowdsecurity/ssh-bf                       ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml                      
 crowdsecurity/http-bf-wordpress_bf         ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml        
 crowdsecurity/http-crawl-non_statics       ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-crawl-non_statics.yaml      
 crowdsecurity/http-probing                 ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-probing.yaml                
 crowdsecurity/http-sensitive-files         ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sensitive-files.yaml        
 crowdsecurity/http-bad-user-agent          ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-bad-user-agent.yaml         
 crowdsecurity/http-path-traversal-probing  ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml 
 crowdsecurity/http-sqli-probing            ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sqli-probing.yaml           
 crowdsecurity/http-backdoors-attempts      ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml     
 crowdsecurity/http-xss-probing             ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-xss-probing.yaml            
---------------------------------------------------------------------------------------------------------------------------

Upgrading installed scenarios

$ sudo cscli scenarios upgrade crowdsecurity/sshd-bf

Scenarios upgrade allows you to upgrade an existing scenario to the latest version.

cscli scenarios upgrade example
$ sudo cscli scenarios upgrade crowdsecurity/ssh-bf
INFO[0000] crowdsecurity/ssh-bf : up-to-date            
WARN[0000] crowdsecurity/ssh-bf : overwrite             
INFO[0000] 📦 crowdsecurity/ssh-bf : updated             
INFO[0000] Upgraded 1 items                             
INFO[0000] Run 'systemctl reload crowdsec' for the new configuration to be effective. 

Monitoring scenarios

$ sudo cscli scenarios inspect crowdsecurity/ssh-bf

Scenarios inspect will give you detailed information about a given scenario, including versioning information and runtime metrics (fetched from prometheus).

cscli scenarios inspect example
$ sudo cscli scenarios inspect crowdsecurity/ssh-bf    
type: scenarios
name: crowdsecurity/ssh-bf
filename: ssh-bf.yaml
description: Detect ssh bruteforce
author: crowdsecurity
references:
- http://wikipedia.com/ssh-bf-is-bad
belongs_to_collections:
- crowdsecurity/sshd
remote_path: scenarios/crowdsecurity/ssh-bf.yaml
version: "0.1"
local_path: /etc/crowdsec/scenarios/ssh-bf.yaml
localversion: "0.1"
localhash: 4441dcff07020f6690d998b7101e642359ba405c2abb83565bbbdcee36de280f
installed: true
downloaded: true
uptodate: true
tainted: false
local: false

Current metrics :

 - (Scenario) crowdsecurity/ssh-bf:
+---------------+-----------+--------------+--------+---------+
| CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+---------------+-----------+--------------+--------+---------+
|            14 |      5700 |         7987 |  42572 |    2273 |
+---------------+-----------+--------------+--------+---------+
## Reference documentation [Link to scenarios reference documentation](/Crowdsec/v1/references/scenarios/)