What is CrowdSec and how does it work?
The solution
- allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
- is easy to install and maintain, with no technical requirement. The installer even comes with a wizard, duh!
- is designed to be integrated with other solutions and components (i.e. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)
- is about sharing: metadata about the attacks/attackers you detect is sent to a central API, and malevolent IPs are shared with all users.
- is lightweight: it runs standalone and doesn't require much RAM or CPU
- can work with cold logs: you can run it on "cold" logs and see what could have happened
- comes with out-of-the-box dashboards, because we know visualisation is key
Decentralized from day 1, not affected by the Covid crisis.
We created several open-source products before
Reputation engine and real-time analysis
Our previous cybersecurity company was sold in 2016 for tens of millions
Downloading and installing the software
Acquisition configuration defines which streams of information CrowdSec is going to process.
These can be files, but also any other kind of stream, such as a Kafka topic or a CloudTrail.
The acquisition configuration always contains a stream (i.e. a file to tail) and a tag (i.e. "these are in syslog format"; "these are non-syslog nginx logs").
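As an added illustration (not taken from the original deck), this is what such an acquisition file (acquis.yaml) looks like: each YAML document names a stream to tail and a labels.type tag that tells the hub parsers which log format to expect. The log file paths are assumed.

```yaml
# Added example acquis.yaml; the file paths are assumed, not from the deck.
# Stream 1: plain (non-syslog) nginx logs, tagged "nginx" so that the
# crowdsecurity/nginx-logs parser picks them up.
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
# Stream 2: the system log, tagged "syslog" so that the syslog envelope is
# stripped first, before service-specific parsers run on the payload.
filenames:
  - /var/log/syslog
labels:
  type: syslog
```

Each stream is a separate YAML document (separated by `---`), and the tag under labels.type is what decides which parser chain an event enters.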
For logs to be exploited and analyzed, they need to be parsed and normalized, and this is where parsers are used. In most cases, you should be able to find the relevant parsers on our CrowdSec Hub.
Usually, a parser has a specific scope. For example, if you are using nginx, you will probably want to use the crowdsecurity/nginx-logs parser, which allows your CrowdSec setup to parse nginx's access and error logs.
You can also write your own!
Enrichment is the action of adding extra context to an event based on the information we already have, so a better decision can be made later on. In most cases, you should be able to find the relevant enrichers on our CrowdSec Hub.
The most common type of enrichment would be geoip-enrichment of an event (adding information such as: origin country, origin AS and origin IP range to an event).
Once again, you should be able to find the ones you’re looking for on the CrowdSec Hub!
Our ready-to-use scenario database allows you to qualify a specific event (usually an attack). In most cases, you should be able to find the relevant scenarios on our CrowdSec Hub.
Without going into details, a scenario is usually driven by a few main triggers. More details can be found in the documentation.
You can also write your own!
To make your life easier, "collections" are available, which are just a bundle of parsers and scenarios. In this way, if you want to cover the basic use-cases of "nginx" for instance, you can just install the crowdsecurity/nginx collection, which is composed of the crowdsecurity/nginx-logs parser as well as generic HTTP scenarios such as crowdsecurity/base-http-scenarios.
Again, these can be found on the CrowdSec Hub!
tar xvzf crowdsec-release.tgz
cd crowdsec-v0.X.X
A wizard is provided to help you deploy CrowdSec and cscli.
sudo ./wizard.sh -i
Deploy valid/empty CrowdSec configuration files and binaries.
sudo ./wizard.sh --bininstall
Best Security Tool
Station F Selection
JEI