### Install Hub Items and Generate Acquisition Config with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Use `cscli setup install-hub` to install detected items from the hub and `cscli setup datasources` to generate acquisition configuration files.

```bash
# Install detected items and write acquisition config
cscli setup install-hub
cscli setup datasources --to-dir /etc/crowdsec/acquis.d/
```

--------------------------------

### Bats-core Setup and Teardown Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Demonstrates the execution flow of setup, teardown, and test functions in bats-core. Code outside these functions is executed multiple times.

```sh
echo "begin" >&3

setup_file() {
    echo "setup_file" >&3
}

teardown_file() {
    echo "teardown_file" >&3
}

setup() {
    echo "setup" >&3
}

teardown() {
    echo "teardown" >&3
}

@test "test 1" {
    echo "test #1" >&3
}

@test "test 2" {
    echo "test #2" >&3
}

echo "end" >&3
```

--------------------------------

### Unattended Setup with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Perform an unattended CrowdSec setup using `cscli setup detect --install-hub --setup-acquis` to automatically install hub items and configure data sources without prompts.

```bash
# Unattended setup (no prompts)
cscli setup detect --install-hub --setup-acquis
```

--------------------------------

### cscli setup install-hub

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Installs detected hub items and generates acquisition configuration files.

````APIDOC
## cscli setup install-hub

### Description
Installs detected hub items and generates acquisition configuration files.

### Usage
```bash
cscli setup install-hub
```
````

--------------------------------

### Interact with CrowdSec CLI

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Examples of using the cscli.exe command-line tool after installation to retrieve metrics or install parsers.
```powershell
& 'C:\Program Files\CrowdSec\cscli.exe' metrics
```

```powershell
& 'C:\Program Files\CrowdSec\cscli.exe' parsers install crowdsecurity/syslog-logs
```

--------------------------------

### Install Installer Dependencies for Windows

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Execute this script to install additional dependencies required for building MSI and Chocolatey packages.

```powershell
powershell .\build\windows\install_installer_windows.ps1
```

--------------------------------

### Apache Acquisition Configuration Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Example of an acquisition configuration file for Apache logs. This file should be placed in /etc/crowdsec/acquis.d/ within the container.

```yaml
filename: /logs/apache2/*.log
labels:
  type: apache2
```

--------------------------------

### cscli setup unattended

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Performs an unattended setup, including detecting services, installing hub items, and setting up acquisition configurations without user prompts.

````APIDOC
## cscli setup unattended

### Description
Performs an unattended setup, including detecting services, installing hub items, and setting up acquisition configurations without user prompts.

### Usage
```bash
cscli setup detect --install-hub --setup-acquis
```
````

--------------------------------

### cscli setup datasources

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Writes acquisition configuration files to a specified directory.

````APIDOC
## cscli setup datasources

### Description
Writes acquisition configuration files to a specified directory.

### Usage
```bash
cscli setup datasources --to-dir /etc/crowdsec/acquis.d/
```

### Options
- `--to-dir `: Specifies the target directory for the acquisition configuration files.
````

--------------------------------

### Validate Setup YAML File with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Validate the syntax and structure of a CrowdSec setup YAML file using `cscli setup validate`.

```bash
# Validate a setup YAML file
cscli setup validate /etc/crowdsec/setup.yaml
```

--------------------------------

### List Supported Services for Detection with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Run `cscli setup detect --list-supported-services` to see which services CrowdSec can detect and potentially configure.

```bash
# List the services that cscli setup detect is able to recognize
cscli setup detect --list-supported-services
```

--------------------------------

### Install vagrant-libvirt Plugin

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/ansible/README.md

Install the necessary Vagrant plugin for libvirt environments. Ensure Ruby gem versions are compatible if issues arise.

```bash
vagrant plugin install vagrant-libvirt
```

--------------------------------

### SSH Acquisition Configuration Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Example of an acquisition configuration file for SSH logs. This file should be placed in /etc/crowdsec/acquis.d/ within the container.

```yaml
filenames:
  - /logs/auth.log
  - /logs/syslog
labels:
  type: syslog
```

--------------------------------

### Build Windows Installer and Chocolatey Package

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Commands to build the CrowdSec MSI installer and a Chocolatey package. The Chocolatey package can be tested with 'choco install '.
```makefile
make windows_installer
```

```makefile
make chocolatey
```

--------------------------------

### Install Development Dependencies for Windows

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Run this PowerShell script to install necessary development tools like Go, GCC, and Git for building CrowdSec on Windows.

```powershell
powershell .\build\windows\install_dev_windows.ps1
```

--------------------------------

### cscli setup validate

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Validates a CrowdSec setup YAML file.

````APIDOC
## cscli setup validate

### Description
Validates a CrowdSec setup YAML file.

### Usage
```bash
cscli setup validate /etc/crowdsec/setup.yaml
```

### Arguments
- ``: The path to the setup YAML file to validate.
````

--------------------------------

### Example Parser Node Configuration

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

A complete example of a parser node configuration, including filter, debug flag, success behavior, name, pattern syntax, and grok nodes.

```yaml
filter: "evt.Line.Labels.type == 'testlog'"
debug: true
onsuccess: next_stage
name: tests/base-grok
pattern_syntax:
  MYCAP: ".*"
nodes:
  - grok:
      pattern: ^xxheader %{MYCAP:extracted_value} trailing stuff$
      apply_on: Line.Raw
statics:
  - meta: log_type
    value: parsed_testlog
```

--------------------------------

### Install Ubuntu/Debian Dependencies

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Installs necessary packages for building CrowdSec on Ubuntu/Debian systems.

```bash
$ sudo apt install pkgconf golang-go libre2-dev ...
```

--------------------------------

### Capture Command Output for Assertion

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

This example demonstrates how to capture the output of a command (e.g., `output`) and then use it with assertion commands provided by plugins like `bats-support`.
```bash
run echo "$stderr"
assert_output --partial "some stderr message"
```

--------------------------------

### Install and Remove Hub Collections with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Installs or removes collections of CrowdSec components. Supports installing multiple collections and previewing changes with '--dry-run'.

```bash
cscli collections install crowdsecurity/nginx
```

```bash
cscli collections install crowdsecurity/sshd crowdsecurity/apache2
```

```bash
cscli collections install crowdsecurity/linux --dry-run
```

```bash
cscli collections remove crowdsecurity/nginx
```

--------------------------------

### Install Test Suite Dependencies

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Installs required dependencies for running the CrowdSec test suite.

```bash
$ sudo apt install bash curl daemonize jq python3 ...
```

--------------------------------

### Detect Running Services with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Use `cscli setup detect` to automatically identify running services on the host and suggest relevant CrowdSec hub collections.

```bash
# Detect running services and show recommended hub items
cscli setup detect
```

--------------------------------

### Start a Crowdsec Docker Instance

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Run a Crowdsec container with persistent volumes for configuration and data, and map log files. This command also exposes necessary ports and sets up collections for specific services like Apache and SSH.
```shell
docker run -d \
    -v crowdsec_config:/etc/crowdsec \
    -v local_path_to_crowdsec_config/acquis.d:/etc/crowdsec/acquis.d \
    -v local_path_to_crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml \
    -v crowdsec_data:/var/lib/crowdsec/data \
    -v /var/log/auth.log:/logs/auth.log:ro \
    -v /var/log/syslog.log:/logs/syslog.log:ro \
    -v /var/log/apache:/logs/apache:ro \
    -e COLLECTIONS="crowdsecurity/apache2 crowdsecurity/sshd" \
    -p 8080:8080 -p 6060:6060 \
    --name crowdsec crowdsecurity/crowdsec
```

--------------------------------

### cscli setup detect

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Automatically detects running services on the host and suggests relevant CrowdSec hub collections.

````APIDOC
## cscli setup detect

### Description
Automatically detects running services on the host and suggests relevant CrowdSec hub collections.

### Usage
```bash
cscli setup detect
```

### Options
- `--list-supported-services`: Lists all services that CrowdSec can detect and configure.
````

--------------------------------

### Manage Scenarios and Parsers with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Installs, inspects, or upgrades specific scenarios or parsers. Use '--force' to reinstall tainted items.

```bash
cscli scenarios install crowdsecurity/ssh-bf --force
```

```bash
cscli scenarios inspect crowdsecurity/ssh-bf
```

```bash
cscli parsers list -a
```

```bash
cscli scenarios upgrade --all
```

--------------------------------

### BATS Test Function Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Example of a BATS test function demonstrating output redirection for debugging. Use sparingly and remove after development.

```bash
@test "mytest" {
    echo "hello world!" >&3
    run some-command
    assert_success
    echo "goodbye."
}
```

--------------------------------

### Grok Pattern Configuration Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

Configuration for a grok pattern, specifying the pattern itself and the field it should be applied to. The pattern name refers to predefined patterns.

```yaml
grok:
  name: "TCPDUMP_OUTPUT"
  apply_on: message
```

--------------------------------

### Docker Run MariaDB for Testing

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Starts a detached MariaDB container, granting necessary capabilities and exposing port 3306. This is used for setting up a MariaDB database for testing.

```bash
$ sudo docker run --cap-add=sys_nice --detach --name=mariadb -p 3306:3306 --env="MYSQL_ROOT_PASSWORD=password" mariadb
```

--------------------------------

### Static Event Modification Examples

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

Examples of how to modify the event structure using statics. This can include adding/altering meta information, parsed fields, or using expressions to derive values.

```yaml
statics:
  - meta: service
    value: tcp
  - meta: source_ip
    expression: "Event['source_ip']"
  - parsed: "new_connection"
    expression: "Event['tcpflags'] contains 'S' ? 'true' : 'false'"
  - target: Parsed.this_is_a_test
    value: foobar
```

--------------------------------

### Docker Run Postgres for Testing

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Starts a detached PostgreSQL container on version 10 or above, exposing port 5432. This is used for setting up a PostgreSQL database for testing.
```bash
$ sudo docker run --detach --name=postgres -p 5432:5432 --env="POSTGRES_PASSWORD=postgres" postgres:latest
```

--------------------------------

### Query Specific Configuration Field

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Use `cscli config show --key` with an expr expression to query and display a specific configuration field. Examples show querying the API listen URI and the database type.

```bash
# Query a specific config field with an expr expression
cscli config show --key "Config.API.Server.ListenURI"
# Output: 127.0.0.1:8080
```

```bash
cscli config show --key "Config.DbConfig.Type"
# Output: sqlite
```

--------------------------------

### Docker Run MySQL for Testing

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Starts a detached MySQL container, granting necessary capabilities and exposing port 3306. This is used for setting up a MySQL database for testing.

```bash
$ sudo docker run --cap-add=sys_nice --detach --name=mysql -p 3306:3306 --env="MYSQL_ROOT_PASSWORD=password" mysql
```

--------------------------------

### Get Alerts List from Local API

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Retrieve a list of alerts from the Local API, with options to limit the results and format the output using `jq`.

```bash
# Get alerts list
curl -s "http://127.0.0.1:8080/v1/alerts?limit=10" \
    -H "Authorization: Bearer " | jq '.[] | {id,scenario:.scenario,source_ip:.source.value}'
```

--------------------------------

### Pattern Syntax Declaration

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

Declares custom grok patterns at the event level that can be reused within node configurations. This example defines patterns for directory and file paths.
```yaml
pattern_syntax:
  DIR: "^.*/"
  FILE: "[^/].*$"
```

--------------------------------

### Configure Acquisition Directory (Older Versions)

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

For Crowdsec versions older than 1.5.0, you can configure the acquisition directory by mounting a local configuration file. This example shows the content of such a file.

```yaml
crowdsec_service:
  acquisition_dir: /etc/crowdsec/acquis.d
```

--------------------------------

### Deprecated Single File Acquisition Configuration

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Before version 1.5.0, it was recommended to configure acquisition in a single file like /etc/crowdsec/acquis.yaml. This example shows the format for multiple datasources.

```yaml
filenames:
  - /logs/auth.log
  - /logs/syslog
labels:
  type: syslog
---
filename: /logs/apache2/*.log
labels:
  type: apache2
```

--------------------------------

### Manage Hub Items with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Manages CrowdSec Hub components like parsers, scenarios, and collections. Use 'update' to refresh the index and 'list' to see installed items.

```bash
cscli hub update
```

```bash
cscli hub list
```

```bash
cscli hub upgrade --all
```

--------------------------------

### Run Vagrant Up (Full Provisioning)

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/ansible/README.md

Execute a full Vagrant up command to create and provision the VM in a single step. Note that this command destroys the VM upon test failure, leaving no debug artifacts.

```bash
vagrant up
```

--------------------------------

### Automate Test Preparation and Execution

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/ansible/README.md

Use the `./prepare-run` script to automate the process of setting up the test environment.
It requires bash version 4.4 or higher and can take an environment file and optional directories for Vagrant configurations.

```bash
./prepare-run [list_of_directories]
```

--------------------------------

### Create and Provision Vagrant VM

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/ansible/README.md

Use Vagrant to create a virtual machine without initial provisioning, then provision it separately. This allows for debugging the VM state before provisioning.

```bash
vagrant up --no-provision; vagrant provision
```

--------------------------------

### List All Allowlists

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Display a list of all configured allowlists, showing their names and descriptions.

```bash
# List all allowlists
cscli allowlists list
```

--------------------------------

### Filter Expression Example

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

An example of a filter expression used to conditionally evaluate a parser node. The node is only processed if the expression returns true.

```yaml
filter: "Line.Src endsWith '/foobar'"
```

--------------------------------

### Configure DB Backend and Run Tests

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Sets the `DB_BACKEND` environment variable to `pgx` for PostgreSQL testing and then runs the CrowdSec test suite using `make` commands.

```bash
$ export DB_BACKEND=pgx
$ make clean bats-build bats-fixture bats-test
```

--------------------------------

### Manage CrowdSec Service

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Commands to stop and start the CrowdSec Windows service using the 'net' utility.

```powershell
net stop crowdsec
The CrowdSec service is stopping..
The CrowdSec service was stopped successfully.
```

```powershell
net start crowdsec
The CrowdSec service is starting.
The CrowdSec service was started successfully.
```

--------------------------------

### Build CrowdSec Binaries and Run Tests

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/windows/README.md

Use 'make' commands to build the CrowdSec and cscli executables, or to run unit tests. Note that some tests requiring localstack are disabled, and functional tests are Unix-only.

```makefile
make
```

```makefile
make test
```

--------------------------------

### Local API - Get alerts list

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Retrieves a list of alerts managed by the CrowdSec Local API.

````APIDOC
## Get alerts list

### Description
Retrieves a list of alerts managed by the CrowdSec Local API.

### Method
GET

### Endpoint
/v1/alerts?limit={limit_value}

### Parameters
#### Query Parameters
- **limit** (integer) - Optional - The maximum number of alerts to return.

#### Headers
- **Authorization** (string) - Required - Bearer token obtained from machine authentication.

### Response
#### Success Response (200)
- **[Array of Alert Objects]** - Contains details of the alerts. Each object includes at least `id`, `scenario`, and `source_ip`.
````

--------------------------------

### Using File Descriptors for Command Output

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Demonstrates how to pass the output of a command as a file descriptor to another command's standard input. This is useful when a command expects input from a file.

```bash
mycmd < <(output)
```

--------------------------------

### Build Debian/Ubuntu Package

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/debian/README.md

Build the Debian/Ubuntu package using dpkg-buildpackage. Ensure patches are applied and refreshed beforehand.
```bash
dpkg-buildpackage -uc -us -b
```

--------------------------------

### Configure MySQL Backend and Run Tests

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Sets the `DB_BACKEND` environment variable to `mysql` for MySQL testing and then runs the CrowdSec test suite using `make` commands.

```bash
$ export DB_BACKEND=mysql
$ make clean bats-build bats-fixture bats-test
```

--------------------------------

### Display Full Configuration

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Show the entire running configuration of CrowdSec in YAML format. This is useful for understanding the current settings.

```bash
# Display full running configuration (YAML)
cscli config show
```

--------------------------------

### Grok Pattern with Apply On

Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md

A grok pattern definition that includes an 'apply_on' field to specify which event field the pattern should parse. This example uses greedy data capture.

```yaml
grok:
  pattern: "^%{GREEDYDATA:request}\?%{GREEDYDATA:http_args}$"
  apply_on: request
```

--------------------------------

### Create a New Allowlist

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Create a new allowlist to exempt trusted IPs, ranges, or usernames from bans. Provide a unique name and an optional description.

```bash
# Create a new allowlist
cscli allowlists create my-trusted-ips --description "Office and VPN IPs"
```

--------------------------------

### Authenticate Bouncer with Local API

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Authenticate a bouncer with the Local API using an API key to access decision streams. The `startup=true` parameter is used for initial synchronization.
```bash
# Authenticate as a bouncer with its API key; the response is the initial decision stream
curl -s http://127.0.0.1:8080/v1/decisions/stream?startup=true \
    -H "X-Api-Key: "
```

--------------------------------

### Enroll Instance in CrowdSec Console

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Enroll your CrowdSec instance with the CrowdSec SaaS console using an enrollment key obtained from the console website. You can also specify a custom name for the instance.

```bash
# Enroll the instance in the console using the enrollment key from app.crowdsec.net
cscli console enroll 
```

```bash
# Enroll with a custom name shown in the console
cscli console enroll  --name "prod-webserver-01"
```

--------------------------------

### Enable Global Simulation Mode

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Use this command to enable simulation mode for all scenarios globally. Alerts will be generated but decisions will be simulated and not enforced.

```bash
# Enable simulation globally (all scenarios)
cscli simulation enable --global
```

--------------------------------

### Build Custom Debian Image (Slim - Older Versions)

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Build a slim Debian version of the Crowdsec image for versions prior to 1.5.0. This uses a build argument to specify the target environment.

```console
$ docker build -f build/docker/Dockerfile.debian --build-arg=BUILD_ENV=slim .
```

--------------------------------

### Run All Functional Tests

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Executes a test build and runs all functional tests using make.

```bash
make clean bats-all
```

--------------------------------

### Add Entries to Allowlist

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Add IP addresses, ranges (CIDR notation), or import entries from a file to an existing allowlist. Each entry should be on a new line in the file.
```bash
# Add IPs/ranges to the allowlist
cscli allowlists add my-trusted-ips 10.0.0.0/8 192.168.1.0/24 203.0.113.42
```

```bash
# Import from a file (one entry per line)
cscli allowlists add my-trusted-ips -f trusted_ips.txt
```

--------------------------------

### Run All Tests with cscli hubtest

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Execute all available unit tests for parsers and scenarios using `cscli hubtest run --all`.

```bash
# Run all tests
cscli hubtest run --all
```

--------------------------------

### Manage Local API Connection with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Manages the Local API registration and status. Allows registering the local agent to its own LAPI or a remote one, and checking connectivity.

```bash
cscli lapi register
```

```bash
cscli lapi register --url http://192.168.1.10:8080 -m my-machine-name
```

```bash
cscli lapi status
```

```bash
cscli lapi context add --key "target_uri" --value "evt.Parsed.target_uri"
```

```bash
cscli lapi context add --key "user_agent" --value "evt.Parsed.http_user_agent"
```

```bash
cscli lapi context list
```

```bash
cscli lapi context delete --key "target_uri"
```

--------------------------------

### Configure Simulation Mode via YAML

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Configure simulation mode settings using the YAML configuration file. Set `simulation: true` to enable globally, or list exclusions for scenarios to be simulated even when global simulation is false.

```yaml
# /etc/crowdsec/simulation.yaml
simulation: false   # set true to enable globally
exclusions:
  - crowdsecurity/ssh-bf   # these scenarios are simulated even when global=false
```

--------------------------------

### Create a New Parser Test with cscli hubtest

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Initialize a new unit test for a parser using `cscli hubtest create`. Specify the test name and type (e.g., `syslog`).
```bash
# Create a new parser test
cscli hubtest create mytest --type syslog
```

--------------------------------

### Bayesian Scenario Configuration

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Implements a Bayesian scenario for probabilistic detection, using prior probabilities and conditions to determine the likelihood of an event being malicious. It includes conditions for invalid user and root attempts.

```yaml
type: leaky
name: crowdsecurity/ssh-bayesian
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
stackkey: "evt.Meta.source_ip"
bayesian_prior: 0.5
bayesian_threshold: 0.9
bayesian_conditions:
  - condition: "evt.Parsed.ssh_invalid_user == 'true'"
    prob_given_evil: 0.9
    prob_given_benign: 0.1
    guillotine: true
  - condition: "evt.Parsed.ssh_root_attempt == 'true'"
    prob_given_evil: 0.8
    prob_given_benign: 0.05
```

--------------------------------

### Apply Patches and Refresh

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/debian/README.md

Apply patches using quilt and refresh them. This is a required step before building the package.

```bash
QUILT_PATCHES=debian/patches quilt push -a && quilt refresh
```

--------------------------------

### Trigger Scenario Configuration

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Sets up a trigger scenario that emits an alert on every match, useful for immediate, non-rate-limited detection. Capacity is set to 0.

```yaml
type: trigger
name: crowdsecurity/ssh-slow-bf
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
stackkey: "evt.Meta.source_ip"
```

--------------------------------

### List Active Decisions via Local API

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Retrieve a list of all active decisions from the Local API. Requires bouncer API key authentication.

```bash
# List active decisions (bouncer call)
curl -s http://127.0.0.1:8080/v1/decisions \
    -H "X-Api-Key: " | jq '.'
```

--------------------------------

### Enable Simulation for Specific Scenario

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Enable simulation mode for a single, specific scenario. This is useful for testing individual scenario detections without affecting others.

```bash
# Enable simulation for a specific scenario only
cscli simulation enable crowdsecurity/ssh-bf
```

--------------------------------

### Inspect a Specific Allowlist

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

View the details and entries of a specific allowlist by its name.

```bash
# Inspect a specific allowlist
cscli allowlists inspect my-trusted-ips
```

--------------------------------

### Backup and Restore Configuration

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Back up the full CrowdSec configuration, including configs and hub items, to a specified directory, and restore the configuration from a previously created backup.

```bash
# Backup full configuration (configs + hub items)
cscli config backup /tmp/crowdsec-backup/
```

```bash
# Restore from backup
cscli config restore /tmp/crowdsec-backup/
```

--------------------------------

### Output Decisions as JSON

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Lists decisions and formats the output as JSON, piping it to `jq` for further processing. This is ideal for scripting and automation.

```bash
cscli decisions list -o json | jq '.[] | .decisions[] | {value: .value, type: .type, expiration: .duration}'
```

--------------------------------

### Stream Decisions (Delta Updates) via Local API

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Continuously stream decision updates (new and deleted) from the Local API. Set `startup=false` to only receive deltas after the initial stream.
```bash
# Stream decisions (delta updates: new + deleted)
curl -s "http://127.0.0.1:8080/v1/decisions/stream?startup=false" \
    -H "X-Api-Key: "
```

--------------------------------

### Run Command and Capture Output

Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md

Use `run` to execute a command and capture its combined stdout and stderr into the `$output` variable. The exit status is stored in `$status`.

```bash
run mycommand
```

--------------------------------

### Authenticate Agent with Local API

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Authenticate an agent (machine) with the Local API to obtain a JWT token. Requires machine ID, password, and scenario list.

```bash
# Authenticate as a machine (agent) — returns JWT
curl -s -X POST http://127.0.0.1:8080/v1/watchers/login \
    -H "Content-Type: application/json" \
    -d '{"machine_id":"mymachine","password":"mypassword","scenarios":["crowdsecurity/ssh-bf"]}'
```

--------------------------------

### Build Custom Debian Image (Slim)

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Build a slim Debian version of the Crowdsec image, excluding plugin notifiers. This command is for Crowdsec versions 1.5.0 and later.

```console
$ docker build -f build/docker/Dockerfile.debian --target slim .
```

--------------------------------

### Local API - Authenticate as a machine (agent)

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Authenticates a machine (agent) with the Local API and returns a JWT for subsequent requests.

````APIDOC
## Authenticate as a machine (agent)

### Description
Authenticates a machine (agent) with the Local API and returns a JWT for subsequent requests.

### Method
POST

### Endpoint
/v1/watchers/login

### Parameters
#### Request Body
- **machine_id** (string) - Required - The unique identifier for the machine.
- **password** (string) - Required - The password for machine authentication.
- **scenarios** (array of strings) - Required - A list of scenarios associated with the machine.

### Request Example
```json
{
  "machine_id": "mymachine",
  "password": "mypassword",
  "scenarios": ["crowdsecurity/ssh-bf"]
}
```

### Response
#### Success Response (200)
- **code** (integer) - HTTP status code, expected to be 200.
- **expire** (string) - The expiration time of the token.
- **token** (string) - The JWT token for authenticated requests.
````

--------------------------------

### Run Tests Matching a Pattern with cscli hubtest

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Execute multiple unit tests that match a given pattern using `cscli hubtest run ""`.

```bash
# Run all tests matching a pattern
cscli hubtest run "crowdsecurity/ssh-bf*"
```

--------------------------------

### Manage CrowdSec Machines with cscli

Source: https://context7.com/crowdsecurity/crowdsec/llms.txt

Manages CrowdSec agent instances (machines) registered with the Local API. Requires direct database access on the LAPI host.

```bash
cscli machines list
```

```bash
cscli machines add my-agent --auto
```

```bash
cscli machines add my-agent -p "s3cr3tpassword"
```

```bash
cscli machines validate my-agent
```

```bash
cscli machines delete my-agent
```

```bash
cscli machines prune --duration 7d
```

```bash
cscli machines list -o json
```

--------------------------------

### Register a New Agent with LAPI (No TLS)

Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md

Use the `cscli` command within a running Crowdsec LAPI container to add a new agent. This command requires the container name, a username, and a password for the agent.
```shell docker exec -it crowdsec_lapi_container_name cscli machines add agent_user_name --password agent_password ``` -------------------------------- ### Enrichment Configuration via Statics Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/parser/README.md Configures enrichment plugins, such as GeoIpCity, by specifying the method and the source expression. The results are available in the 'Enriched' map and can be copied to 'Meta' or other fields. ```yaml statics: - method: GeoIpCity expression: Meta.source_ip - meta: IsoCode expression: Enriched.IsoCode - meta: IsInEU expression: Enriched.IsInEU ``` -------------------------------- ### Run a Specific Test with cscli hubtest Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Execute a single, named unit test using `cscli hubtest run `. ```bash # Run a specific test cscli hubtest run mytest ``` -------------------------------- ### Show Test Coverage with cscli hubtest Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Display the test coverage report for parsers and scenarios using `cscli hubtest coverage`. ```bash # Show test coverage for parsers and scenarios cscli hubtest coverage ``` -------------------------------- ### Explain a raw log line with cscli Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Use this command to test how CrowdSec parses and analyzes a specific log line. It requires specifying the log type and the log message itself. ```bash cscli hubtest explain --type syslog --log 'Jan 1 00:00:01 srv sshd[123]: Failed password for root from 1.2.3.4 port 22 ssh2' ``` -------------------------------- ### HTTP Request Counter Scenario Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Configures a counter scenario to track HTTP requests over a specific duration. It emits an alert after the duration, regardless of the request count, and uses a distinct key for counting. 
```yaml type: counter name: crowdsecurity/http-req-counter filter: "evt.Meta.log_type == 'http_access-log'" distinct: "evt.Meta.source_ip + ':' + evt.Parsed.request" duration: 5m capacity: -1 ``` -------------------------------- ### Add Bouncer Key via Environment Variable Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md Register a bouncer with Crowdsec at startup by providing its key using an environment variable. The variable name format is `BOUNCER_KEY_`, where `` is the identifier for the bouncer. ```shell BOUNCER_KEY_nginx=mysecretkey12345 ``` -------------------------------- ### Mount Journal Log for Debian Image Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/docker/README.md Mount the host's journal log directory into the container to enable journalctl as a log stream. This is specific to the Debian image flavor. ```bash -v /var/log/journal:/run/log/journal ``` -------------------------------- ### Debug log lines with cscli explain Source: https://context7.com/crowdsecurity/crowdsec/llms.txt This command processes a single log line through the full parser and scenario pipeline, showing parser matches and field extractions without altering live state. Specify the log type and the log message. 
```bash # Explain a raw log line cscli explain --type syslog \ --log 'Jan 1 00:00:01 myhost sshd[1234]: Failed password for invalid user admin from 5.6.7.8 port 22 ssh2' ``` ```bash # Read from a log file cscli explain --type nginx --file /var/log/nginx/access.log ``` ```bash # Verbose output (show all parser nodes including misses) cscli explain --type syslog \ --log 'Failed password for root from 1.2.3.4' \ --verbose ``` ```bash # Output parser results as JSON cscli explain --type syslog \ --log 'Failed password for root from 1.2.3.4' \ -o json ``` -------------------------------- ### List All Decisions Including Community Blocklist Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Fetches all active decisions, including those from the Central API's community blocklist. Use this to see the complete picture of blocked entities. ```bash cscli decisions list --all ``` -------------------------------- ### cscli hubtest create Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Creates a new regression test file for parsers or scenarios. ```APIDOC ## cscli hubtest create ### Description Creates a new regression test file for parsers or scenarios. ### Usage ```bash cscli hubtest create --type ``` ### Arguments - ``: The name for the new test. ### Options - `--type `: The type of test to create (e.g., `syslog`, `json`, `raw`). ``` -------------------------------- ### Integer Division and Modulo Source: https://github.com/crowdsecurity/crowdsec/blob/master/build/mk/gmsl/gmsl.html Functions for performing integer division and calculating the remainder. ```APIDOC ## divide (wrapped version of int_divide) ### Description Performs integer division of the first argument by the second. ### Arguments 1: An integer 2: Another integer ### Returns Returns the integer division of the first argument by the second. ``` ```APIDOC ## int_modulo ### Description Calculates the remainder of integer division. 
### Arguments 1: A number in x's representation 2: Another number in x's representation ### Returns Returns the remainder of integer division of argument 1 divided by argument 2 in x's representation. ``` ```APIDOC ## modulo (wrapped version of int_modulo) ### Description Calculates the remainder of integer division for standard integers. ### Arguments 1: An integer 2: Another integer ### Returns Returns the remainder of integer division of the first argument by the second. ``` -------------------------------- ### Rebuild Binaries for Testing Source: https://github.com/crowdsecurity/crowdsec/blob/master/test/README.md Rebuilds the CrowdSec binaries after code changes to prepare for re-running tests. ```bash make bats-build ``` -------------------------------- ### Show Console Status Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Display the current status and configuration options for the CrowdSec console integration. ```bash # Show current console options cscli console status ``` -------------------------------- ### Manage Bouncers with cscli Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Manages bouncers (remediation components) that register with the Local API. Commands include listing, adding, inspecting, deleting, and pruning bouncers. ```bash cscli bouncers list ``` ```bash cscli bouncers add my-firewall-bouncer ``` ```bash cscli bouncers add my-bouncer -k "mypresharedkey" ``` ```bash cscli bouncers inspect my-firewall-bouncer ``` ```bash cscli bouncers delete my-firewall-bouncer ``` ```bash cscli bouncers prune --duration 7d ``` ```bash cscli bouncers list -o json ``` -------------------------------- ### Local API - Authenticate as a bouncer Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Authenticates a bouncer with the Local API using an API key and returns a JWT. ```APIDOC ## Authenticate as a bouncer ### Description Authenticates a bouncer with the Local API using an API key and returns a JWT. 
### Method GET ### Endpoint /v1/decisions/stream?startup=true ### Parameters #### Query Parameters - **startup** (boolean) - Required - Indicates if this is the initial startup request. #### Headers - **X-Api-Key** (string) - Required - The API key for bouncer authentication. ### Response #### Success Response (200) - **code** (integer) - HTTP status code, expected to be 200. - **expire** (string) - The expiration time of the token. - **token** (string) - The JWT token for authenticated requests. ``` -------------------------------- ### List All Active Decisions Source: https://context7.com/crowdsecurity/crowdsec/llms.txt Lists all active decisions in a human-readable table format. This is a fundamental command for monitoring CrowdSec's blocking actions. ```bash cscli decisions list ``` -------------------------------- ### New TCP Connection Reporting Source: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/leakybucket/README.md Configures a counter to report new TCP connections. It tracks unique source IP and destination port combinations and emits an event every 5 minutes. ```yaml - type: counter name: counter filter: "Meta.service == 'tcp' && Event.new_connection == 'true'" distinct: "Meta.source_ip + ':' + Meta.dest_port" duration: 5m capacity: -1 ```
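The two stream calls shown in this section (`startup=true` in the bouncer authentication entry, `startup=false` in the delta-update curl at the top) are what a bouncer issues in its polling loop: one full sync, then deltas. The following is an added example, not CrowdSec project code, modelling how a bouncer keeps a local blocklist consistent from those responses. It assumes the stream response is a JSON object with `new` and `deleted` arrays of decision objects carrying `scope`, `value` and `type` (the page shows neither the response body nor these fields), and every payload and address in it is a constructed sample.

```python
"""Bouncer-side model of the LAPI decision stream (added example, not CrowdSec code).

Assumptions: the stream endpoint returns {"new": [...], "deleted": [...]} where
each decision has at least "scope", "value" and "type", and an empty list may
be serialised as null. All payloads below are constructed sample data.
"""
import ipaddress
import json
import urllib.request

LAPI_URL = "http://127.0.0.1:8080"  # same Local API address as the curl examples


def stream_request(api_key: str, startup: bool, base_url: str = LAPI_URL) -> urllib.request.Request:
    """Build the request a bouncer sends: startup=true for a full sync,
    startup=false afterwards to receive only what changed since the last poll."""
    url = f"{base_url}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    return urllib.request.Request(url, headers={"X-Api-Key": api_key})


def decision_key(decision: dict) -> tuple:
    """A deletion names the same scope/value it targets, so that pair is the key."""
    return (decision["scope"], decision["value"])


class Blocklist:
    """Local view of active decisions, kept in sync from stream payloads."""

    def __init__(self) -> None:
        self.active: dict = {}

    def apply(self, payload: dict, startup: bool) -> dict:
        """Apply one stream response. A startup response is authoritative, so the
        local state is rebuilt from it; a delta only adds and removes. Deletions
        run before additions so a renewed decision (present in both lists) stays active."""
        if startup:
            self.active.clear()
        removed = 0
        for d in payload.get("deleted") or []:  # treat null and [] alike
            if self.active.pop(decision_key(d), None) is not None:
                removed += 1
        added = 0
        for d in payload.get("new") or []:
            self.active[decision_key(d)] = d
            added += 1
        return {"added": added, "removed": removed, "total": len(self.active)}

    def match(self, ip: str):
        """Return the decision covering `ip` (Ip scope: exact match; Range scope:
        CIDR containment), or None when the address is not subject to a decision."""
        addr = ipaddress.ip_address(ip)
        for (scope, value), d in self.active.items():
            if scope == "Ip" and ipaddress.ip_address(value) == addr:
                return d
            if scope == "Range" and addr in ipaddress.ip_network(value, strict=False):
                return d
        return None


# Constructed sample responses using RFC 5737 documentation addresses, not real LAPI output.
STARTUP_PAYLOAD = json.loads('''{
  "new": [
    {"id": 1, "scope": "Ip", "value": "192.0.2.1", "type": "ban", "duration": "4h"},
    {"id": 2, "scope": "Range", "value": "198.51.100.0/24", "type": "ban", "duration": "24h"}
  ],
  "deleted": null
}''')

DELTA_PAYLOAD = json.loads('''{
  "new": [
    {"id": 3, "scope": "Ip", "value": "203.0.113.9", "type": "captcha", "duration": "1h"}
  ],
  "deleted": [
    {"id": 1, "scope": "Ip", "value": "192.0.2.1", "type": "ban", "duration": "4h"}
  ]
}''')


def run_demo() -> Blocklist:
    """Full sync followed by one delta, as the bouncer loop does between polls."""
    bl = Blocklist()
    bl.apply(STARTUP_PAYLOAD, startup=True)
    bl.apply(DELTA_PAYLOAD, startup=False)
    return bl


if __name__ == "__main__":
    bl = run_demo()
    for ip in ("192.0.2.1", "198.51.100.77", "203.0.113.9", "203.0.113.10"):
        hit = bl.match(ip)
        print(ip, "->", hit["type"] if hit else "allowed")
```

Two points worth noting for anyone writing a real bouncer: the startup response must replace, not merge with, whatever the bouncer held before (otherwise decisions expired while it was down linger), and deletions must be keyed on what the decision targets rather than on list position, since the delta lists are independent.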