beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
crowdsec/scripts/func_tests/tests_post-install_4cold-logs.sh
Thibault "bui" Koechlin c2fd173d1e
fix node success logic (#993) 
* fix node success logic : only fail node on child failure if mother node has no successfull grok
2021-09-28 17:58:07 +02:00

62 lines
2.1 KiB
Bash
Executable file
Raw Blame History

#! /usr/bin/env bash
# -*- coding: utf-8 -*-
source tests_base.sh
# install sshd collection
${CSCLI} collections install crowdsecurity/sshd
${CSCLI} decisions delete --all
${SYSTEMCTL} reload crowdsec
# generate a fake bf log -> cold logs processing
rm -f ssh-bf.log
sync
for i in `seq 1 6` ; do
echo `LC_ALL=C date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424' >> ssh-bf.log
done;
sync
${CROWDSEC} -dsn "file://./ssh-bf.log" -type syslog -no-api
${CSCLI} decisions list -o=json | ${JQ} '. | length == 1' || fail "expected exactly one decision"
${CSCLI} decisions list -o=json | ${JQ} '.[].decisions[0].value == "1.1.1.172"' || fail "(exact) expected ban on 1.1.1.172"
${CSCLI} decisions list -r 1.1.1.0/24 -o=json --contained | ${JQ} '.[].decisions[0].value == "1.1.1.172"' || fail "(range/contained) expected ban on 1.1.1.172"
${CSCLI} decisions list -r 1.1.2.0/24 -o=json | ${JQ} '. == null' || fail "(range/NOT-contained) expected no ban on 1.1.1.172"
${CSCLI} decisions list -i 1.1.1.172 -o=json | ${JQ} '.[].decisions[0].value == "1.1.1.172"' || fail "(range/NOT-contained) expected ban on 1.1.1.172"
${CSCLI} decisions list -i 1.1.1.173 -o=json | ${JQ} '. == null' || fail "(exact) expected no ban on 1.1.1.173"
# generate a live ssh bf
${CSCLI} decisions delete --all
sudo cp /etc/crowdsec/acquis.yaml ./acquis.yaml.backup
echo "" | sudo tee -a /etc/crowdsec/acquis.yaml > /dev/null
echo "filename: /tmp/test.log" | sudo tee -a /etc/crowdsec/acquis.yaml > /dev/null
echo "labels:" | sudo tee -a /etc/crowdsec/acquis.yaml > /dev/null
echo " type: syslog" | sudo tee -a /etc/crowdsec/acquis.yaml > /dev/null
touch /tmp/test.log
${SYSTEMCTL} restart crowdsec
wait_for_service "crowdsec should run (cold logs)"
${SYSTEMCTL} status crowdsec
sleep 2s
cat ssh-bf.log >> /tmp/test.log
sleep 5s
${CSCLI} decisions list -o=json | ${JQ} '.[].decisions[0].value == "1.1.1.172"' || fail "(live) expected ban on 1.1.1.172"
sudo cp ./acquis.yaml.backup /etc/crowdsec/acquis.yaml
sync
${SYSTEMCTL} restart crowdsec
wait_for_service "crowdsec should run"
Reference in a new issue View git blame Copy permalink