crowdsecurity/iptables-logs parser incorrectly parses [UFW AUDIT] events as iptables_drop #1582
Description
What happened?
I have installed the crowdsecurity/iptables collection on Ubuntu Server where UFW is used to manage the firewall. When UFW logging is set to "medium" or above it will log "[UFW AUDIT]" events in addition to "[UFW BLOCK]" events.
The " [UFW AUDIT] " events are incorrectly interpreted as drop events, causing false positives.
What did you expect to happen?
Only "[UFW BLOCK]" events should be interpreted as iptables_drop. " [UFW AUDIT] " should not.
UFW will also emit " [UFW LIMIT BLOCK] " events if rate-limiting rules have been configured, which will presumably also have the same issue, but I'm not sure how these should be treated.
How can we reproduce it (as minimally and precisely as possible)?
- Install CrowdSec SE on Ubuntu 24.04 with UFW.
- Install crowdsecurity/iptables collection.
- enable UFW and set logging to medium or high.
sudo ufw logging medium - Explain kern.log events with 'UFW AUDIT':
cat /var/log/kern.log | grep 'AUDIT' | sudo cscli explain -f- --type syslog -v
line: 2025-11-13T11:55:29.016190+00:00 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=UDP SPT=50616 DPT=53 LEN=84
├ s00-raw
| └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
| └ update evt.ExpectMode : %!s(int=0) -> 1
| └ update evt.Stage : -> s01-parse
| └ update evt.Line.Raw : -> 2025-11-13T11:55:29.016190+00:00 vm-1 kernel: [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=UDP SPT=50616 DPT=53 LEN=84
| └ update evt.Line.Src : -> /tmp/cscli_explain1245139071/cscli_test_tmp.log
| └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-11-13 12:41:30.112044795 +0000 UTC
| └ create evt.Line.Labels.type : syslog
| └ update evt.Line.Process : %!s(bool=false) -> true
| └ update evt.Line.Module : -> file
| └ create evt.Parsed.timestamp :
| └ create evt.Parsed.timestamp8601 : 2025-11-13T11:55:29.016190+00:00
| └ create evt.Parsed.facility :
| └ create evt.Parsed.logsource : syslog
| └ create evt.Parsed.message : [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=16820 DF PROTO=UDP SPT=50616 DPT=53 LEN=84
| └ create evt.Parsed.pid :
| └ create evt.Parsed.priority :
| └ create evt.Parsed.program : kernel
| └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-11-13 12:41:30.112245515 +0000 UTC
| └ update evt.StrTime : -> 2025-11-13T11:55:29.016190+00:00
| └ create evt.Meta.datasource_path : /tmp/cscli_explain1245139071/cscli_test_tmp.log
| └ create evt.Meta.datasource_type : file
| └ create evt.Meta.machine : vm-1
├ s01-parse
| └ 🟢 crowdsecurity/iptables-logs (+11 ~1)
| └ update evt.Stage : s01-parse -> s02-enrich
| └ create evt.Parsed.src_ip : 127.0.0.1
| └ create evt.Parsed.src_port : 50616
| └ create evt.Parsed.int_eth : lo
| └ create evt.Parsed.length : 84
| └ create evt.Parsed.proto : UDP
| └ create evt.Parsed.dst_ip : 127.0.0.53
| └ create evt.Parsed.dst_port : 53
| └ create evt.Unmarshaled.iptables : map[DPT:53 DST:127.0.0.53 ID:16820 IN:lo LEN:84 MAC:00:00:00:00:00:00:00:00:00:00:00:00:08:00 OUT: PREC:0x00 PROTO:UDP SPT:50616 SRC:127.0.0.1 TOS:0x00 TTL:64]
| └ create evt.Meta.log_type : iptables_drop
| └ create evt.Meta.service : udp
| └ create evt.Meta.source_ip : 127.0.0.1
Anything else we need to know?
No response
Crowdsec version
Details
version: v1.7.3-debian-pragmatic-arm64-c8aad699
Codename: alphaga
BuildDate: 2025-10-24_13:49:45
GoVersion: 1.25.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.3-debian-pragmatic-arm64-c8aad699-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
OS version
Details
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
$ uname -a
Linux vm-1 6.14.0-1013-oracle crowdsecurity/crowdsec#13~24.04.1-Ubuntu SMP Wed Sep 10 06:43:11 UTC 2025 aarch64 aarch64 aarch64 GNU/LinuxEnabled collections and parsers
Details
$ cscli hub list -o raw
crowdsecurity/iptables is tainted by scenarios:crowdsecurity/iptables-scan-multi_ports
Loaded: 156 parsers, 11 postoverflows, 771 scenarios, 9 contexts, 5 appsec-configs, 157 appsec-rules, 156 collections
Unmanaged items: 1 local, 3 tainted
name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iptables-logs,enabled,0.6,Parse iptables drop logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.9,,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
codersaur/firewall-single-port-block,"enabled,local",,,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.7,Detect WordPress bruteforce on admin interface,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.4,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.3,Detect WordPress probing: authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.3,Detect WordPress probing: variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,"enabled,tainted",?,Detect aggressive portscans,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/firewall_base,enabled,0.2,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/base-http-scenarios,enabled,1.2,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/iptables,"enabled,tainted",0.2,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/linux,enabled,0.3,core linux support : syslog+geoip+ssh,collections
crowdsecurity/sshd,enabled,0.7,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.2,Good actors whitelists,collections
crowdsecurity/wordpress,enabled,0.5,wordpress: Bruteforce protection and config probing,collectionsAcquisition config
Details
```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # Collect journald events # See: https://docs.crowdsec.net/docs/next/log_processor/data_sources/journald/ # To test (explain) a journald log: cscli explain --dsn "journalctl://filters=_SYSTEMD_UNIT=docker.service" --type syslog # or: journalctl --since "10 seconds ago" | sudo cscli explain -f- --type syslog -v # or: journalctl --since "10 seconds ago" -u "docker.service" | sudo cscli explain -f- --type syslog -v source: journalctl journalctl_filter: # - "_SYSTEMD_UNIT=*" # - "PRIORITY=info" # Filter for info and lower (more important) # This seems to break crowdsec compeltely! - "_TRANSPORT=journal" # messages received via the native journal protocol. - "_TRANSPORT=kernel" # messages read from the kernel ring buffer. - "_TRANSPORT=stdout" # messages read from a service's standard output or error output. - "_TRANSPORT=syslog" # messages received via the local syslog socket using the syslog protocol. labels: type: syslog # # Configuration generated by "cscli setup". # Please check your non-generated configuration files to make sure # the log sources are not acquired twice. This includes # the file acquis.yaml created by crowdsec <= 1.7.0. # # cscli-checksum: a380e4b3fc5e43e510e8287a3fcbe374filenames:
- /var/log/messages
- /var/log/syslog
- /var/log/kern.log
labels:
type: syslog
source: file
Configuration generated by "cscli setup".
Please check your non-generated configuration files to make sure
the log sources are not acquired twice. This includes
the file acquis.yaml created by crowdsec <= 1.7.0.
cscli-checksum: 70986510f568531d62e879aeeea05989
filenames:
- /var/log/auth.log
- /var/log/secure
labels:
type: syslog
source: file
Config show
Details
$ cscli config show
# paste output herePrometheus metrics
Details
$ cscli metrics
# paste output hereRelated custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
Details
Metadata
Metadata
Assignees
Labels
No labels