Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CTI/FAQ: Add documentation on how being tagged as False Positive #631

Merged
merged 3 commits into from
Oct 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions crowdsec-docs/sidebarsUnversioned.js
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,11 @@ module.exports = {
id: "troubleshooting/remediation_components",
label: "Remediation Components",
},
{
type: "doc",
id: "troubleshooting/cti",
label: "CTI",
},
],
serviceApiSideBar: [
{
Expand Down
34 changes: 29 additions & 5 deletions crowdsec-docs/unversioned/cti_api/taxonomy/false_positives.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,11 @@ title: False Positives
sidebar_position: 7
---

import TableRender from '@site/src/components/tableRender';
import GithubIconRender from '@site/src/components/githubIconRender';
import TableRender from "@site/src/components/tableRender"
import GithubIconRender from "@site/src/components/githubIconRender"

export const fpURL = "https://hub-cdn.crowdsec.net/master/taxonomy/false_positives.json";
export const fpURL =
"https://hub-cdn.crowdsec.net/master/taxonomy/false_positives.json"
export const columns = [
{
header: "Name",
Expand All @@ -17,10 +18,33 @@ export const columns = [
header: "Description",
accessorKey: "description",
},
];
]

<GithubIconRender url={fpURL}></GithubIconRender>


<TableRender columns={columns} url={fpURL}></TableRender>

## How to Get Tagged as a False Positive

To be able to be classified as a false positive, you need a proper technical justification of why your IP might be misclassified as a threat. This part is to be reviewed and validated by crowdsec.

You also need public documentation stating the IP, ranges, and/or reverse DNS associated with the assets in question. This data must be machine-readable (no HTML, no PDF, etc.).

Once your IP addresses are publicly available and accessible via HTTPS, you can contact [email protected]. Please include the URL of your IPs and ranges.

The CrowdSec team will do their best to update the CTI with false positive information, so your IPs are flagged correctly.

Here are some examples of providers who share their IPs and ranges:

- [Bing](https://www.bing.com/toolbox/bingbot.json)
- [Google Bot](https://developers.google.com/search/apis/ipranges/googlebot.json)
- [Cloudfront](https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips)
- [Fastly](https://api.fastly.com/public-ip-list)

:::note

You don’t need to follow a specific format for the exposed list, but it’s recommended to keep the same format over time. Otherwise, the false positive enrichment may stop working.

It’s best to use CSV or JSON for the list format.

:::
38 changes: 38 additions & 0 deletions crowdsec-docs/unversioned/troubleshooting/cti.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
title: Troubleshooting CTI
id: cti
---

## Community support

Please try to resolve your issue by reading [the documentation](../cti_api/intro). If you're unable to find a solution, don't hesitate to seek assistance in:

- [Discourse](https://discourse.crowdsec.net/)
- [Discord](https://discord.gg/crowdsec)

## False Positive

### How to Get Tagged as a False Positive

To be able to be classified as a false positive, you need a proper technical justification of why your IP might be misclassified as a threat. This part is to be reviewed and validated by crowdsec.

You also need public documentation stating the IP, ranges, and/or reverse DNS associated with the assets in question. This data must be machine-readable (no HTML, no PDF, etc.).

Once your IP addresses are publicly available and accessible via HTTPS, you can contact [email protected]. Please include the URL of your IPs and ranges.

The CrowdSec team will do their best to update the CTI with false positive information, so your IPs are flagged correctly.

Here are some examples of providers who share their IPs and ranges:

- [Bing](https://www.bing.com/toolbox/bingbot.json)
- [Google Bot](https://developers.google.com/search/apis/ipranges/googlebot.json)
- [Cloudfront](https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips)
- [Fastly](https://api.fastly.com/public-ip-list)

:::note

You don’t need to follow a specific format for the exposed list, but it’s recommended to keep the same format over time. Otherwise, the false positive enrichment may stop working.

It’s best to use CSV or JSON for the list format.

:::
33 changes: 20 additions & 13 deletions crowdsec-docs/unversioned/troubleshooting/intro.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,14 @@ We have extended our troubleshooting documentation to cover more common issues a

### [Remediation Components](/troubleshooting/remediation_components.mdx)

### [CTI](/troubleshooting/cti.mdx)

## Community support

Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:

- [Discourse](https://discourse.crowdsec.net/)
- [Discord](https://discord.gg/crowdsec)
- [Discourse](https://discourse.crowdsec.net/)
- [Discord](https://discord.gg/crowdsec)

# FAQ

Expand Down Expand Up @@ -64,9 +66,9 @@ If you need help for large scale deployment, please get in touch with us on the

Setting up a proxy works out of the box, the [net/http golang library](https://golang.org/src/net/http/transport.go) can handle those environment variables:

* `HTTP_PROXY`
* `HTTPS_PROXY`
* `NO_PROXY`
- `HTTP_PROXY`
- `HTTPS_PROXY`
- `NO_PROXY`

For example:

Expand All @@ -75,6 +77,7 @@ export HTTP_PROXY=http://<proxy_url>:<proxy_port>
```

#### Systemd variable

On Systemd devices you have to set the proxy variable in the environment section for the CrowdSec service. To avoid overwriting the service file during an update, a folder is created in `/etc/systemd/system/crowdsec.service.d` and a file in it named `http-proxy.conf`. The content for this file should look something like this:

```bash title="systemctl edit crowdsec.service"
Expand All @@ -90,6 +93,7 @@ Then you can restart CrowdSec like this:
`systemctl restart crowdsec`

#### Sudo

If you use `sudo cscli`, just add this line in `visudo` after setting up the previous environment variables:

```
Expand Down Expand Up @@ -146,20 +150,22 @@ CrowdSec Hub should be used when you have an issue with a parser, scenario or co

To disable the central API, simply comment out the [`online_client` section of the configuration file](/docs/next/configuration/crowdsec_configuration#online_client).

### Why are some scenarios/parsers "tainted" or "custom" ?
### Why are some scenarios/parsers "tainted" or "custom" ?

When using `cscli` to list your parsers, scenarios and collections, some might appear as "tainted" or "local".

"tainted" items:
- Originate from the hub
- Were locally modified
- Will not be automatically updated/upgraded by `cscli` operations (unless `--force` or similar is specified)
- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable tainted` has been specified)

- Originate from the hub
- Were locally modified
- Will not be automatically updated/upgraded by `cscli` operations (unless `--force` or similar is specified)
- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable tainted` has been specified)

"local" items:
- Have been locally created by the user
- Are not managed by `cscli` operations
- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable custom` has been specified)

- Have been locally created by the user
- Are not managed by `cscli` operations
- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable custom` has been specified)

### Which information is sent to your services ?

Expand Down Expand Up @@ -201,6 +207,7 @@ line: May 16 07:50:30 sd-126005 sshd[10041]: Invalid user git from 78.142.18.204
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
```

This command will allow you to see each parser behavior.

:::warning
Expand Down
Loading