Scenarios

Scenarios are yaml files that define "buckets". Most of the scenarios currently rely on the leaky bucket concept. Scenarios lead to the instantiation, and sometime the overflow, of buckets.

When a bucket "overflows", the scenario is considered as having been realized. This event leads to the creation of a new event that describes the scenario that just happened (via a alert).

Listing installed scenarios

scenarios are yaml files in /etc/crowdsec/config/scenarios/<scenario>.yaml.

You can view installed scenarios with the following command:

cscli list scenarios
cscli list example
# cscli  list scenarios
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers 
-----------------------------------------------------------------------------------------------------------------------------
 NAME                                📦 STATUS    VERSION  LOCAL PATH                                                        
-----------------------------------------------------------------------------------------------------------------------------
 crowdsec/http-scan-uniques_404      ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml     
 crowdsec/ssh-bf                     ✔️  enabled  0.8      /etc/crowdsec/config/scenarios/ssh-bf.yaml                    
 crowdsec/http-crawl-non_statics     ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml    
 crowdsec/iptables-scan-multi_ports  ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/iptables-scan-multi_ports.yaml 
-----------------------------------------------------------------------------------------------------------------------------

Installing scenarios

From the hub

Crowdsec Hub allows you to find needed scenarios, just paste the command on your machine :

Hub Screenshot

# cscli install scenario crowdsec/ssh-bf
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers 
INFO[0000] crowdsec/ssh-bf : OK                     
INFO[0000] Enabled scenarios : crowdsec/ssh-bf        
INFO[0000] Enabled crowdsec/ssh-bf               
# systemctl reload crowdsec

Your own scenarios

Write your scenario configuration and deploy yaml file in /etc/crowdsec/config/scenarios/<scenario.yaml>.

Monitoring scenarios behavior

cscli allows you to view Crowdsec metrics info via the metrics command. This allows you to see how many "buckets" associated to each scenario have been created (an event eligible from said scenario has arrived), poured (how many subsequent events have been pushed to said bucket), overflowed (the scenario happened) or underflow (there was not enough event to make the bucket overflow, and it thus expired after a while).

You can see those metrics with the following command:

cscli metrics
cscli metrics example
# cscli metrics
INFO[0000] Buckets Metrics:                             
+------------------------------------+-----------+--------------+--------+---------+
|               BUCKET               | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+------------------------------------+-----------+--------------+--------+---------+
| crowdsec/http-crawl-non_statics    | -         |            9 |     14 |       9 |
| crowdsec/http-scan-uniques_404     | -         |           11 |     14 |      11 |
| crowdsec/iptables-scan-multi_ports |        13 |       125681 | 141601 |  125650 |
| crowdsec/ssh-bf                    |       669 |         3721 |  12925 |    3046 |
| crowdsec/ssh-bf_user-enum          |       136 |         4093 |   7587 |    3956 |
+------------------------------------+-----------+--------------+--------+---------+