
ModSecurity rules errors #3245

Closed
gdlwolf opened this issue Sep 19, 2024 · 4 comments · Fixed by #3322
Labels: kind/bug (Something isn't working), os/linux, triage/accepted, value/high (Doing this significantly improves some areas)

Comments

@gdlwolf

gdlwolf commented Sep 19, 2024

What happened?

Crowdsec + appsec + ModSecurity rule:

```
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"
```

The value of REMOTE_ADDR is `127.0.0.1:48926`, where 48926 is a random port.

[screenshot attached to the original issue]

Therefore ModSecurity's rules for IP whitelisting are invalid.

What did you expect to happen?

ModSecurity's rules for IP whitelisting are invalid, because I found that the variable REMOTE_ADDR is not the expected client IP but `127.0.0.1:` followed by a random port number.

How can we reproduce it (as minimally and precisely as possible)?

  1. OS: AlmaLinux release 9.3 (Shamrock Pampas Cat)

  2. nginx version:

     ```console
     nginx version: openresty/1.25.3.2
     built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC)
     built with OpenSSL 1.1.1w 11 Sep 2023
     TLS SNI support enabled
     configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.3 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/lib -ljemalloc' --user=www --group=www --with-http_stub_status_module --with-http_perl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail=dynamic --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-pcre=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/pcre-8.45 --with-zlib=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/zlib-1.3.1 --with-openssl=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/openssl-1.1.1w --with-http_perl_module=dynamic 
     --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_cache_purge-2.3 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_healthcheck_module-master --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_http_geoip2_module-3.4 --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ip2location/ip2location-nginx-8.6.0 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-ssl-fingerprint --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ModSecurity-nginx --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-module-vts-0.2.2 --with-openssl-opt=-g --with-pcre-opt=-g --with-zlib-opt=-g --with-stream --without-pcre2
     ```

  3. Crowdsec: v1.6.3

  4. nginx.conf config:

     ```
     http {

     include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;

     }
     ```

  5. crowdsec_openresty.conf is default

  6. /etc/crowdsec/acquis.d/appsec.yaml

     ```yaml
     listen_addr: 127.0.0.1:7422
     appsec_config: crowdsecurity/appsec-default
     name: myAppSecComponent
     source: appsec
     labels:
       type: appsec
     log_level: debug
     ```

  7. /etc/crowdsec/appsec-configs/appsec-default.yaml

     ```yaml
     name: crowdsecurity/virtual-patching
     default_remediation: ban
     inband_rules:
       - crowdsecurity/base-config
       - crowdsecurity/vpatch-*
       - crowdsecurity/generic-*
       - gdl/modsecurity
     ```

  8. /etc/crowdsec/appsec-rules/modsecurity.yaml

     ```yaml
     name: gdl/modsecurity
     description: ModSecurity rules integration for CrowdSec
     seclang_files_rules:
       - /coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
       - /coreruleset/rules/REQUEST-901-INITIALIZATION.conf
       - /coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
       - /coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
       - /coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
       - /coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
       - /coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
       - /coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
       - /coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
       - /coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
       - /coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
       - /coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
       - /coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
       - /coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
       - /coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
       - /coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
       - /coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
       - /coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
       - /coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
       - /coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
       - /coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
       - /coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
       - /coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
       - /coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
       - /coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
       - /coreruleset/rules/RESPONSE-980-CORRELATION.conf
       - /coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
     ```

  9. Download the ModSecurity Core Rule Set (`git clone https://github.com/coreruleset/coreruleset.git`) and copy it into the CrowdSec data folder:

     ```shell
     cd /home/soft
     git clone https://github.com/coreruleset/coreruleset.git
     mkdir -pv /var/lib/crowdsec/data/coreruleset/rules
     cp /home/soft/coreruleset/rules/*.conf /var/lib/crowdsec/data/coreruleset/rules/
     cp /home/soft/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
     cp /home/soft/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
     cp /home/soft/coreruleset/rules/*.data /var/lib/crowdsec/data/coreruleset/
     ```

Finally, the rule for IP whitelisting, `SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"`, was added to the `/var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` file.

```shell
systemctl restart crowdsec
systemctl restart nginx
```

Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
[root@instance-20240912-1119 ~]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

$ uname -a
Linux instance-20240912-1119 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 7 14:54:22 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
# paste output here
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
#Generated acquisition file - wizard.sh (service: nginx) / files : /usr/local/openresty/nginx/logs/error.log /usr/local/openresty/nginx/logs/access.log
filenames:
  - /usr/local/openresty/nginx/logs/error.log
  - /usr/local/openresty/nginx/logs/access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure
filenames:
  - /var/log/secure
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages
filenames:
  - /var/log/messages
labels:
  type: syslog
---
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec
```

Config show

```console
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Login                   : d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Listen Socket           : 
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

$ cscli metrics
Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                                          │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ appsec:appsec                                   │ 3          │ 3            │ -              │ 2                      │ -                 │
│ file:/usr/local/openresty/nginx/logs/access.log │ 3          │ 3            │ -              │ 5                      │ -                 │
│ file:/usr/local/openresty/nginx/logs/error.log  │ 12         │ 3            │ 9              │ 6                      │ -                 │
│ file:/var/log/messages                          │ 29         │ -            │ 29             │ -                      │ -                 │
│ file:/var/log/secure                            │ 49         │ 39           │ 10             │ 114                    │ -                 │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Alerts:
╭───────────────────────────────────────┬───────╮
│ Reason                                │ Count │
├───────────────────────────────────────┼───────┤
│ crowdsecurity/http-bad-user-agent     │ 11    │
│ crowdsecurity/ssh-bf_user-enum        │ 5     │
│ native_rule:901001                    │ 13    │
│ native_rule:920350                    │ 1     │
│ crowdsecurity/ssh-cve-2024-6387       │ 2     │
│ crowdsecurity/thinkphp-cve-2018-20062 │ 2     │
│ crowdsecurity/netgear_rce             │ 1     │
│ crowdsecurity/ssh-bf                  │ 44    │
│ crowdsecurity/ssh-slow-bf_user-enum   │ 4     │
│ crowdsecurity/CVE-2017-9841           │ 6     │
│ crowdsecurity/http-cve-2021-41773     │ 4     │
│ crowdsecurity/http-cve-2021-42013     │ 2     │
│ crowdsecurity/http-open-proxy         │ 5     │
│ crowdsecurity/http-probing            │ 1     │
│ crowdsecurity/vpatch-CVE-2023-42793   │ 7     │
│ crowdsecurity/ssh-slow-bf             │ 58    │
│ crowdsecurity/vpatch-env-access       │ 1     │
│ native_rule:901340                    │ 194   │
╰───────────────────────────────────────┴───────╯

Appsec Metrics:
╭───────────────────┬───────────┬─────────╮
│ Appsec Engine     │ Processed │ Blocked │
├───────────────────┼───────────┼─────────┤
│ myAppSecComponent │ 3         │ 3       │
╰───────────────────┴───────────┴─────────╯

Appsec 'myAppSecComponent' Rules Metrics:
╭─────────┬───────────╮
│ Rule ID │ Triggered │
├─────────┼───────────┤
│ 901001  │ 3         │
╰─────────┴───────────╯

Local API Decisions:
╭──────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                       │ Origin │ Action │ Count │
├──────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2019-18935                 │ CAPI   │ ban    │ 43    │
│ crowdsecurity/apache_log4j2_cve-2021-44228   │ CAPI   │ ban    │ 62    │
│ crowdsecurity/netgear_rce                    │ CAPI   │ ban    │ 132   │
│ crowdsecurity/vpatch-CVE-2024-4577           │ CAPI   │ ban    │ 2     │
│ crowdsecurity/vpatch-env-access              │ CAPI   │ ban    │ 175   │
│ crowdsecurity/fortinet-cve-2018-13379        │ CAPI   │ ban    │ 13    │
│ crowdsecurity/http-open-proxy                │ CAPI   │ ban    │ 1939  │
│ crowdsecurity/http-probing                   │ CAPI   │ ban    │ 6054  │
│ crowdsecurity/ssh-slow-bf                    │ CAPI   │ ban    │ 10723 │
│ crowdsecurity/vpatch-CVE-2023-6553           │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-cve-2021-42013            │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-dos-invalid-http-versions │ CAPI   │ ban    │ 1126  │
│ crowdsecurity/nginx-req-limit-exceeded       │ CAPI   │ ban    │ 662   │
│ crowdsecurity/spring4shell_cve-2022-22965    │ CAPI   │ ban    │ 1     │
│ ltsich/http-w00tw00t                         │ CAPI   │ ban    │ 4     │
│ crowdsecurity/CVE-2022-35914                 │ CAPI   │ ban    │ 6     │
│ crowdsecurity/CVE-2023-49103                 │ CAPI   │ ban    │ 107   │
│ crowdsecurity/ssh-bf                         │ CAPI   │ ban    │ 6492  │
│ crowdsecurity/ssh-cve-2024-6387              │ CAPI   │ ban    │ 46    │
│ crowdsecurity/thinkphp-cve-2018-20062        │ CAPI   │ ban    │ 233   │
│ crowdsecurity/vpatch-git-config              │ CAPI   │ ban    │ 18    │
│ crowdsecurity/vpatch-laravel-debug-mode      │ CAPI   │ ban    │ 29    │
│ crowdsecurity/CVE-2022-26134                 │ CAPI   │ ban    │ 6     │
│ crowdsecurity/http-bad-user-agent            │ CAPI   │ ban    │ 16506 │
│ crowdsecurity/http-crawl-non_statics         │ CAPI   │ ban    │ 486   │
│ crowdsecurity/http-generic-bf                │ CAPI   │ ban    │ 36    │
│ crowdsecurity/http-path-traversal-probing    │ CAPI   │ ban    │ 256   │
│ crowdsecurity/vpatch-CVE-2023-1389           │ CAPI   │ ban    │ 5     │
│ crowdsecurity/CVE-2017-9841                  │ CAPI   │ ban    │ 410   │
│ crowdsecurity/f5-big-ip-cve-2020-5902        │ CAPI   │ ban    │ 1     │
│ crowdsecurity/http-cve-probing               │ CAPI   │ ban    │ 27    │
│ crowdsecurity/CVE-2023-22515                 │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-admin-interface-probing   │ CAPI   │ ban    │ 340   │
│ crowdsecurity/http-sensitive-files           │ CAPI   │ ban    │ 461   │
│ crowdsecurity/http-wordpress-scan            │ CAPI   │ ban    │ 555   │
│ crowdsecurity/vpatch-symfony-profiler        │ CAPI   │ ban    │ 3     │
│ crowdsecurity/CVE-2022-37042                 │ CAPI   │ ban    │ 2     │
│ crowdsecurity/http-backdoors-attempts        │ CAPI   │ ban    │ 264   │
│ crowdsecurity/http-cve-2021-41773            │ CAPI   │ ban    │ 556   │
│ crowdsecurity/jira_cve-2021-26086            │ CAPI   │ ban    │ 22    │
│ crowdsecurity/modsecurity                    │ CAPI   │ ban    │ 1421  │
╰──────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ POST   │ 3    │
│ /v1/decisions/stream │ GET    │ 312  │
│ /v1/decisions/stream │ HEAD   │ 2    │
│ /v1/heartbeat        │ GET    │ 26   │
│ /v1/usage-metrics    │ POST   │ 2    │
│ /v1/watchers/login   │ POST   │ 1    │
╰──────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer                             │ Route                │ Method │ Hits │
├─────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ GET    │ 154  │
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ HEAD   │ 2    │
│ cs-firewall-bouncer-1726126067      │ /v1/decisions/stream │ GET    │ 158  │
╰─────────────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/alerts    │ POST   │ 3    │
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/heartbeat │ GET    │ 26   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                         │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 18   │ 16     │ 2        │
│ child-crowdsecurity/nginx-logs  │ 36   │ 6      │ 30       │
│ child-crowdsecurity/sshd-logs   │ 314  │ 39     │ 275      │
│ child-crowdsecurity/syslog-logs │ 78   │ 78     │ -        │
│ crowdsecurity/appsec-logs       │ 3    │ 3      │ -        │
│ crowdsecurity/dateparse-enrich  │ 45   │ 45     │ -        │
│ crowdsecurity/geoip-enrich      │ 48   │ 48     │ -        │
│ crowdsecurity/http-logs         │ 6    │ 6      │ -        │
│ crowdsecurity/nginx-logs        │ 15   │ 6      │ 9        │
│ crowdsecurity/non-syslog        │ 18   │ 18     │ -        │
│ crowdsecurity/sshd-logs         │ 49   │ 39     │ 10       │
│ crowdsecurity/syslog-logs       │ 78   │ 78     │ -        │
│ crowdsecurity/whitelists        │ 48   │ 48     │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/appsec-vpatch          │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 3            │ 3      │ 3       │
│ crowdsecurity/http-dos-swithcing-ua  │ -             │ -         │ 2            │ 4      │ 2       │
│ crowdsecurity/http-probing           │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/http-xss-probbing      │ -             │ -         │ 2            │ 2      │ 2       │
│ crowdsecurity/ssh-bf                 │ 2             │ -         │ 20           │ 39     │ 18      │
│ crowdsecurity/ssh-bf_user-enum       │ 2             │ -         │ 20           │ 20     │ 18      │
│ crowdsecurity/ssh-slow-bf            │ 6             │ -         │ 6            │ 39     │ -       │
│ crowdsecurity/ssh-slow-bf_user-enum  │ 5             │ -         │ 7            │ 16     │ 2       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist                │ Reason                      │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 48   │ -           │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
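The failure the report describes is easy to reproduce outside of CrowdSec: an `@ipMatch` operand compares whole IP addresses, so a REMOTE_ADDR value of the form `127.0.0.1:48926` never equals `127.0.0.1`, and a whitelist rule built on it silently stops matching. The Go program below is an added illustration written for this page; it is not CrowdSec's code and not the fix merged for this issue (#3322). The functions `clientIP`, `ipMatch` and `Whitelisted`, the `whitelist` slice (taken from the rule quoted in the report) and the sample addresses are all constructed here. It shows the raw comparison failing and a port-stripping normalization making it succeed; it does not address which hop's address ends up in REMOTE_ADDR, which the reporter also raises.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// whitelist mirrors the @ipMatch operand from the rule in the report:
// "127.0.0.1,192.168.200.1". Entries may be single addresses or CIDRs.
var whitelist = []string{"127.0.0.1", "192.168.200.1"}

// clientIP extracts the bare address from a REMOTE_ADDR-style value.
// It accepts "1.2.3.4", "1.2.3.4:48926", "::1" and "[::1]:48926" and
// returns nil when the value does not contain an IP address at all.
func clientIP(remoteAddr string) net.IP {
	remoteAddr = strings.TrimSpace(remoteAddr)
	if ip := net.ParseIP(remoteAddr); ip != nil {
		return ip // already a bare IPv4/IPv6 address
	}
	// host:port (or [v6]:port): drop the ephemeral port before comparing.
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return nil
	}
	return net.ParseIP(host)
}

// ipMatch reproduces the semantics of `SecRule VAR "@ipMatch a,b,c"`:
// true when ip equals one of the listed addresses or lies inside a listed CIDR.
func ipMatch(ip net.IP, entries []string) bool {
	if ip == nil {
		return false
	}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if strings.Contains(e, "/") {
			if _, network, err := net.ParseCIDR(e); err == nil && network.Contains(ip) {
				return true
			}
			continue
		}
		if listed := net.ParseIP(e); listed != nil && listed.Equal(ip) {
			return true
		}
	}
	return false
}

// Whitelisted evaluates the check a rule like id:900101 is meant to express.
// rawMatch is the outcome when REMOTE_ADDR is handed to @ipMatch unchanged
// (the situation in the report); normalized is the outcome after clientIP
// has stripped the port.
func Whitelisted(remoteAddr string, entries []string) (rawMatch, normalized bool) {
	rawMatch = ipMatch(net.ParseIP(remoteAddr), entries)
	normalized = ipMatch(clientIP(remoteAddr), entries)
	return
}

func main() {
	// Constructed sample values; "127.0.0.1:48926" is the form seen in the report.
	for _, addr := range []string{"127.0.0.1", "127.0.0.1:48926", "[::1]:7422", "203.0.113.9:4444"} {
		raw, norm := Whitelisted(addr, whitelist)
		fmt.Printf("%-20s raw=%-5v normalized=%v\n", addr, raw, norm)
	}
}
```

Running it prints `raw=false normalized=true` for `127.0.0.1:48926`, which is exactly the gap the report describes: the allow rule only fires once the address is compared without its port. A defender validating a whitelist rule can apply the same check to the value actually observed in the engine's logs before trusting that the rule is in effect.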

@gdlwolf gdlwolf added the kind/bug Something isn't working label Sep 19, 2024

@gdlwolf: Thanks for opening an issue; it is currently awaiting triage.

In the meantime, you can:

  1. Check the Crowdsec Documentation to see if your issue can be self-resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@LaurenceJJones (Contributor) commented

Hi 👋🏻

Thank you for the detailed report and steps; we managed to reproduce the issue and can pinpoint the code at fault.

We will work on a patch for the next update, 1.6.4.

@gdlwolf (Author) commented Sep 19, 2024

thanks

@buixor buixor added the value/high Doing this significantly improves some areas label Oct 15, 2024
@LaurenceJJones (Contributor) commented

A fix has been merged. If you use Docker, you can point the image to `:dev` to get the latest changes; however, this will be included in the 1.6.4 release.
