
Conversation


@khashashin khashashin commented Dec 14, 2025

Summary

This PR adds a new collection crowdsecurity/supabase-supavisor for detecting attacks against self-hosted Supabase deployments using the Supavisor connection pooler.

Why a New Collection (Not Extending supabase-compose)?

Modern Supabase deployments use Supavisor instead of PgBouncer. This fundamentally changes the monitoring architecture:

Client (attacker) → Supavisor → PostgreSQL
       ↑                              ↑
  Real IP visible here         Only sees Supavisor's IP

The existing supabase-compose collection monitors PostgreSQL logs, which in this architecture only show Supavisor's internal container IP - completely useless for blocking attackers.

This new collection monitors Supavisor directly where the real client IPs (peer_ip) are visible.

New Components

Parser

| File | Description |
| --- | --- |
| parsers/s01-parse/crowdsecurity/supavisor-logs.yaml | Parses Supavisor Elixir Logger format |

Scenario

| File | Description |
| --- | --- |
| scenarios/crowdsecurity/supavisor-bf.yaml | Brute force detection (5 failures in 30s) |

Collection

| File | Description |
| --- | --- |
| collections/crowdsecurity/supabase-supavisor.yaml | Bundles parser and scenario |

Real-World Tested

This collection has been tested on a production Coolify-managed Supabase deployment:

time="2025-12-14T15:54:55Z" level=info msg="Ip 123.123.123.123 performed 'crowdsecurity/supavisor-bf' (6 events over 10.99s)"
time="2025-12-14T15:54:56Z" level=info msg="crowdsecurity/supavisor-bf by ip 123.123.123.123 (CH/8758) : 4h ban"

Log Format (Verified)

Real Supavisor authentication failure:

18:38:17.778 project=dev_tenant user=postgres region=local mode=transaction type=single app_name=psql peer_ip=123.123.123.123 [error] ClientHandler: Exchange error: "Wrong password" when method :auth_query

Extracted fields:

  • source_ip: 123.123.123.123
  • project: dev_tenant
  • db_user: postgres
  • log_type: supavisor_auth_fail

Known Limitation

Some Supavisor error types don't include peer_ip and cannot be blocked:

| Error Type | Has peer_ip | Can Block |
| --- | --- | --- |
| Wrong password | ✅ Yes | ✅ Yes |
| SSL required | ✅ Yes | ✅ Yes |
| Bad startup payload | ❌ No | ❌ No |
| User not found | ❌ No | ❌ No |

This is a Supavisor logging limitation.

Acquisition (Docker Socket Only)

This collection uses Docker socket acquisition exclusively - no file-based option:

```yaml
source: docker
container_name_regexp:
  - "supabase-supavisor-.*"
  - ".*supavisor.*"
labels:
  type: supavisor
```

Testing

```shell
cscli hubtest run supavisor-logs
cscli hubtest explain supavisor-logs
```

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR
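The parsing and detection logic the PR describes (the Supavisor log format with its extracted fields, the 5-failures-in-30s scenario, and the peer_ip limitation), as an added example that is not the PR's parser or scenario YAML and not CrowdSec code. It assumes a regex written here for the quoted line format, a constructed list of which message fragments count as an authentication failure (`AUTH_FAIL_MARKERS`), a sliding window as a stand-in for CrowdSec's leaky bucket, and constructed sample log lines (only the first is the line quoted in the PR):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex written for this example after the Supavisor line quoted in the PR:
# "<HH:MM:SS.mmm> key=value ... [level] message". Each key=value pair is
# optional, so lines Supavisor logs without peer_ip still parse.
SUPAVISOR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<kv>(?:[A-Za-z_]+=\S+\s+)*)"
    r"\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)

# Assumption of this example: message fragments that count as an auth failure.
AUTH_FAIL_MARKERS = ("Wrong password", "SSL required")


def parse_supavisor_line(line):
    """Return a dict using the PR's field names, or None for a non-matching line."""
    m = SUPAVISOR_RE.match(line.strip())
    if m is None:
        return None
    kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
    msg = m.group("msg")
    auth_fail = m.group("level") == "error" and any(k in msg for k in AUTH_FAIL_MARKERS)
    return {
        "ts_text": m.group("ts"),
        # Supavisor timestamps carry no date, so this datetime is time-of-day only.
        "timestamp": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "level": m.group("level"),
        "source_ip": kv.get("peer_ip"),   # None when Supavisor omitted peer_ip
        "project": kv.get("project"),
        "db_user": kv.get("user"),
        "log_type": "supavisor_auth_fail" if auth_fail else "supavisor_error",
        "message": msg,
    }


def detect_bruteforce(lines, capacity=5, window=timedelta(seconds=30)):
    """Sliding-window stand-in for the scenario's leaky bucket (5 failures / 30 s).

    An IP trips once more than `capacity` auth failures fall inside `window`,
    which matches the "6 events" in the PR's alert line. Returns
    ({ip: ts_text of the tripping event}, count of error lines with no peer_ip).
    The second value is the PR's Known Limitation made visible: those events
    are real, but there is no address to act on.
    """
    recent = defaultdict(deque)
    tripped = {}
    unattributable = 0
    for line in lines:
        ev = parse_supavisor_line(line)
        if ev is None or ev["level"] != "error":
            continue
        ip = ev["source_ip"]
        if ip is None:
            unattributable += 1
            continue
        if ev["log_type"] != "supavisor_auth_fail":
            continue
        q = recent[ip]
        q.append(ev["timestamp"])
        while ev["timestamp"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > capacity and ip not in tripped:
            tripped[ip] = ev["ts_text"]
    return tripped, unattributable


WRONG_PW = 'ClientHandler: Exchange error: "Wrong password" when method :auth_query'


def _line(ts, msg, peer_ip=None, user="postgres"):
    """Build a constructed Supavisor-style line in the format quoted by the PR."""
    kv = f"project=dev_tenant user={user} region=local mode=transaction type=single app_name=psql"
    if peer_ip:
        kv += f" peer_ip={peer_ip}"
    return f"{ts} {kv} [error] {msg}"


# Constructed sample input: the first line is the one quoted in the PR; the rest
# are made up for this example (a second IP with a single failure, one error
# Supavisor logs without peer_ip, a non-matching line, and a sixth failure).
SAMPLE_LINES = [
    _line("18:38:17.778", WRONG_PW, "123.123.123.123"),
    _line("18:38:19.002", WRONG_PW, "123.123.123.123"),
    _line("18:38:21.410", WRONG_PW, "123.123.123.123"),
    _line("18:38:23.050", WRONG_PW, "123.123.123.123"),
    _line("18:38:25.900", WRONG_PW, "123.123.123.123"),
    _line("18:38:26.300", WRONG_PW, "10.0.0.5"),
    _line("18:38:27.000", "ClientHandler: User not found", user="nobody"),
    "not a supavisor line at all",
    _line("18:38:28.700", WRONG_PW, "123.123.123.123"),
]

if __name__ == "__main__":
    print(parse_supavisor_line(SAMPLE_LINES[0]))
    print(detect_bruteforce(SAMPLE_LINES))
```

Because Supavisor's timestamps have no date, a window that straddles midnight would compute a negative delta and flush the queue; the real parser can avoid that by taking the event time from the Docker acquisition rather than the line itself.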

@khashashin
Author

@sbs2001 maybe you would like to have a look?

@LaurenceJJones
Member

Hey @khashashin, when creating your pull request you overrode our checklist. Could you create a copy of the one below and fill out the options in the original pull request notes?

## Checklist
<!--

Add a x inside the [] to tick an item if it applies.

For AI use: we do not prevent you from using AI to help you create new hub items, but you must understand and be able to explain *yourself* what was generated.
-->
 - [ ] I have read the [contributing guide](https://docs.crowdsec.net/docs/next/contributing/contributing_hub)
 - [ ] I have tested my changes locally
 - [ ] For new parsers or scenarios, tests have been added 
 - [ ] I have run the hub linter and no issues were reported (see contributing guide)
 - [ ] Automated tests are passing
 - [ ] AI was used to generate any/all content of this PR

@LaurenceJJones
Member

Hey 👋🏻

Thank you for opening a pull request!

I have left some comments, ensure you fill out the checklist before moving forward and be honest about your answers as we can already see AI traits and we need to ensure we spend a little bit more time with reviewing as AI can hallucinate a lot when creating parsers, scenarios and collections.

@khashashin
Author

@LaurenceJJones , thank you for your review. Yes, most of this new collection was created with the help of AI. However, I did perform many iterations and tests in my VPS environment. I will go through your comments and make the changes today.

@khashashin
Author

@LaurenceJJones I made the changes and updated the PR description. The contribution guidelines mention formatting, but there is no information about automated linter commands. However, the linter is mentioned at https://docs.crowdsec.net/docs/next/contributing/contributing_crowdsec#git-workflow--branch-management and I ran the commands from the workflows locally. No issues were found in the files applied in this PR, although there were other linting issues in other files.
