This article shows how to feed the events generated by the Artica PCAP filter into CrowdSec: a parser to extract the offending IP, a scenario to count hits per IP, and an acquisition entry for the log file.
Create a new file /etc/crowdsec/parsers/s01-parse/articapcap.yaml and save this content:

filter: "evt.Parsed.program == 'articapcap'"
name: articatech/articapcap-logs
description: "Parse Artica PCAP log"
onsuccess: next_stage
nodes:
  - grok:
      pattern: 'Detected bad IP \[%{IP:source_ip}\]'
      apply_on: message
      statics:
        - meta: log_type
          value: articapcap
statics:
  - meta: service
    value: articapcap
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
Create a new file /etc/crowdsec/scenarios/articatech/articalogon-bf.yaml with this content:

type: leaky
name: articatech/articapcap-bf
description: "Detect Artica PCAP bad reputation IP"
filter: "evt.Meta.log_type == 'articapcap'"
leakspeed: 5m
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 5m
reprocess: true
labels:
  service: articapcap
  type: bruteforce
  remediation: true
Tune leakspeed, capacity and blackhole according to your needs: with the values above, an IP that produces more than 5 events faster than they leak (one every 5 minutes) triggers the scenario, and the same IP is then ignored for 5 minutes. Keep remediation: true if you want bouncers to act on the resulting decisions.
Open /etc/crowdsec/acquis.yaml and add these values:

---
filenames:
  - /var/log/articapsniffer.log
labels:
  type: articapcap
Restart the service for the changes to take effect.
Run crowdsec -t to check the configuration for errors.
If you have already detected events in the Artica PCAP filter log file, run
cscli explain --file /var/log/articapsniffer.log --type articapcap
You should see output similar to this:

line: {"level":"info","time":1691069841,"message":"Detected bad IP [124.123.122.108]:1433 (124.123.122.108.actcorp.in) Destination …"}
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (+5 ~8)
	|	└ 🔴 crowdsecurity/syslog-logs
	├ s01-parse
	|	├ 🔴 articatech/artica-logon-logs
	|	└ 🟢 articatech/articapcap-logs (+4 ~1)
	├ s02-enrich
	|	├ 🔴 crowdsecurity/dateparse-enrich
	|	└ 🟢 crowdsecurity/geoip-enrich (+13)
	├-------- parser success 🟢
	├ Scenarios
		└ 🟢 articatech/articapcap-bf
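To understand what the parser and scenario above do before deploying them, the following Python script emulates them offline. It is an added example, not part of this article and not CrowdSec code: it re-implements the grok pattern as a regular expression (IPv4 only, whereas the grok %{IP} macro also matches IPv6), reads the JSON lines the Artica sniffer writes, and runs a simplified leaky bucket with the same capacity, leakspeed and blackhole as the scenario. The log lines, IP addresses and timestamps are constructed for the example; CrowdSec's own bucket implementation has more detail (overflow alert content, event reprocessing) than is modelled here.

```python
import json
import re
from collections import defaultdict

# Regex counterpart of the grok pattern 'Detected bad IP \[%{IP:source_ip}\]'.
# Restricted to IPv4 here; the grok %{IP} macro would also match IPv6 addresses.
BAD_IP_RE = re.compile(r"Detected bad IP \[(?P<source_ip>(?:\d{1,3}\.){3}\d{1,3})\]")


def parse_line(line):
    """Emulate the s01-parse node. After the non-syslog raw parser the whole
    JSON line is the 'message', and the grok pattern is searched inside it.
    Returns the fields the scenario uses, or None if the parser would fail."""
    m = BAD_IP_RE.search(line)
    if m is None:
        return None
    try:
        ts = int(json.loads(line)["time"])
    except (ValueError, KeyError, TypeError):
        return None
    return {"time": ts, "source_ip": m.group("source_ip"), "log_type": "articapcap"}


def parse_log(lines):
    """Parse every line, dropping those the parser would not match."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def run_scenario(events, capacity=5, leakspeed=300, blackhole=300):
    """Simplified model of the leaky scenario: one bucket per groupby key
    (source_ip), leaking one event every `leakspeed` seconds, overflowing
    once it holds more than `capacity` events. After an overflow the key is
    blackholed for `blackhole` seconds. Returns (source_ip, time) overflows."""
    state = defaultdict(lambda: {"level": 0.0, "last": None, "blackhole_until": 0})
    overflows = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("log_type") != "articapcap":  # scenario filter
            continue
        bucket = state[ev["source_ip"]]
        t = ev["time"]
        if t < bucket["blackhole_until"]:  # ignored while blackholed
            continue
        if bucket["last"] is not None:  # leak since the previous event
            bucket["level"] = max(0.0, bucket["level"] - (t - bucket["last"]) / leakspeed)
        bucket["last"] = t
        bucket["level"] += 1
        if bucket["level"] > capacity:
            overflows.append((ev["source_ip"], t))
            bucket["level"] = 0.0
            bucket["blackhole_until"] = t + blackhole
    return overflows


def _artica_line(ts, message):
    """Build a constructed line in the shape of /var/log/articapsniffer.log."""
    return json.dumps({"level": "info", "time": ts, "message": message})


# Constructed sample log (documentation IP ranges, invented timestamps):
# 7 hits from one IP in two minutes, 3 slow hits from another, 1 unrelated line.
BASE = 1700000000
SAMPLE_LINES = (
    [_artica_line(BASE + 20 * i,
                  "Detected bad IP [203.0.113.5]:1433 (host.example) Destination 192.0.2.10")
     for i in range(7)]
    + [_artica_line(BASE + 60 * i,
                    "Detected bad IP [198.51.100.7]:445 (host2.example) Destination 192.0.2.10")
       for i in range(3)]
    + [_artica_line(BASE + 5, "Sniffer started")]
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LINES)
    print(f"{len(events)} of {len(SAMPLE_LINES)} lines parsed")
    for ip, t in run_scenario(events):
        print(f"overflow for {ip} at {t}")  # the 6th hit from 203.0.113.5 overflows
```

With the constructed input, 203.0.113.5 overflows on its sixth event (the seventh falls inside the blackhole window and is ignored), while 198.51.100.7 never reaches capacity. Raising capacity or lowering leakspeed in the call shows directly how the scenario settings change the outcome.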