Why develop new scenarios?
Scenarios are core elements of the CrowdSec detection engine and enable it to recognize suspicious behavior as well as make a decision on whether to block an IP. Discover in this article how to modify existing scenarios, and help make the community safer by creating new ones.
What is a CrowdSec Scenario?
Scenarios are core elements of the CrowdSec detection engine. These models enable the CrowdSec Security Engine to recognize suspicious behavior and ultimately make a decision whether to block an IP or not.
Our unique blocklist contains thousands of malicious IPs that have matched one of the many scenarios designed by our team or community.
The extreme variety of these scenarios allows us to classify offensive IPs according to their activity and share this information with all CrowdSec users to better protect their systems. The full collection of available scenarios can be found on the CrowdSec Hub.
While the CrowdSec scenarios cover attack patterns for typical types of attack (CVE, Brute Force, DoS etc), there is a lot more that can be done with them. Read on to see how you can modify existing scenarios, and help make the community safer by creating new ones.
How does it work?
A scenario is a configuration file in readable YAML format, which allows modeling behavior from elements captured in log files. These elements are measured, compared, and correlated to determine a framework outside of which any activity will be considered suspicious.
For example, too many access attempts to an authentication page from a single IP over a short period is likely a brute-force login attempt. The source IP can be slowed down, redirected to a honeypot, or banned. That is a robust protection scenario. You would find many of them in the CrowdSec Hub for all types of web servers.
But what makes CrowdSec's scenarios extremely rich are the infinite possibilities of event correlations that describe specific behaviors, far from the detection standards. Because each application context is different, our power users have developed their own scenarios. They have identified new offensive behaviors and thus share unique malicious IPs with the entire CrowdSec community with a highly qualified context.
Why would you create your own scenarios?
There are many reasons why our users create new scenarios.
Once the CrowdSec Engine’s protection is in place, our users gain protection against any attempt from known malicious IPs shared by the community. They have deployed the usual scenarios corresponding to the types of servers they have and have covered the typical attack scenarios.
The next step in the security process will be to push the detection further to identify more sophisticated, internally and externally-driven behaviors. To do this, they will modify scenarios or create their own to model behaviors that correspond precisely to their applications or infrastructures and close the doors to the attackers for good.
There is no limit to the creation of scenarios. All available data can be processed to describe behavior that targets infrastructure or applications at the technical or business level. Scalping, the practice of using bots for bulk buying tickets or goods and reselling them for profit, is a perfect example of what a CrowdSec scenario can model.
Those who wish to can share these new scenarios with the CrowdSec community to better protect other users.
We are continuously developing new scenarios for all servers and applications. But above all, we enable our users to detect malicious behavior even more efficiently.
If we join our forces, we won't give attackers a chance.
How to create a scenario?
Start by identifying the internal or external scenario that you would like to model.
Here is how you can create a scenario:
We're going to create a scenario for an imaginary service "myservice" from the following logs of failed authentication:
Create our test
From the root of the hub repository:
Configure our test
Let's add our parser and scenario to the test configuration (.tests/myservice-bf/config.yaml) file.
Note: as our custom parser and scenario are not yet part of the hub, we specify their path relative to the root of the hub directory.
Let's create a simple scenario to detect bruteforce attempt on myservice:
Note: We filter on evt.Meta.log_type == 'myservice_failed_auth' because in the parser myservice-logs (created in the Creating parsers part) we set the log_type to myservice_failed_auth for bad password or bad user attempt.
We have the following fields:
- a type: the type of bucket to use (trigger or leaky).
- a name optional name
- a description optional description
- a filter: the filter to apply on events to be filled in this bucket.
- a leakspeed how fast an event would leak from a bucket
- a capacity: the number of events in the bucket before it overflows.
- a groupby: a field from the event to partition the bucket. It is often the source_ip of the event.
- a blackhole: the amount of time to not retrigger this scenario for the same groupby field.
- some labels: some labels to apply on the trigger event. Don't forget to set remediation: true if you want the IP to be blocked by remediation components.
We can then "test" our scenario like this:
What happened here?
- The scenario has been triggered and is generating some assertion (for functional test)
- In production environment, an alert would have been send to the CrowdSec Local API.
We can again understand more of what is going on thanks to cscli hubtest explain:
We have now a fully functional scenario for myservice to detect brute forces! We can either deploy it to our production systems to do stuff.
Once your scenario is ready to rumble, test it with your logs. We even provide a simulation mode for that ("cscli simulation") to ensure it is working properly. And then, share it with the community by posting it on the Hub!
Your benefits from doing that:
- You can identify internal or external illicit behaviors you were unaware of.
- You will be free to adapt your response to these behaviors.
- Your infrastructure and applications will be even better protected.
- You will get recognition as one of our amazing Power Users!