Format
Profile configuration example
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
notifications:
- slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
name: another_profile
...
Profile directives
name
name: foobar
A label for the profile (used in logging)
debug
debug: true
A boolean flag that provides contextual debug.
filters
filters:
- Alert.Remediation == true && Alert.GetScope() == "Session"
- Alert.Remediation == true && Alert.GetScope() == "Ip"
If any filter
of the list returns true
, the profile is eligible and the decisions
will be applied (note: filter
can use expr helpers).
The filter allows you to then create custom decisions for some specific scenarios for example:
name: specific_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum"]
decisions:
- type: ban
duration: 8h
notifications:
- slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
...
This allows you as well to setup various notifications or profiles depending on the scope :
name: notif_only
#debug: true
filters:
- Alert.GetScope() == "Country"
notifications:
- slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
...
decisions
decisions:
- type: captcha
duration: 1h
scope: custom_app1_captcha
- type: ban
duration: 2h
If the profile applies, decisions objects will be created for each of the sources that triggered the scenario.
It is a list of models.Decision
objects. The following fields, when present, allows to alter the resulting decision :
scope
: defines the scope of the resulting decisionduration
: defines for how long will the decision be valid. The format must comply with golang's ParseDurationtype
: defines the type of the remediation that will be applied by available bouncers, for exampleban
,captcha
value
: define a hardcoded value for the decision (ie.1.2.3.4
)
duration_expr
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
If the profile applies, and the duration_expr
generates a valid golang's duration, it will replace the decision duration.
It can be used to have custom duration. For example, you can have an increased duration every time an attacker comes back. It relies on expr helpers.
on_success
on_success: continue|break
If the profile applies and on_success
is set to break
, decisions processing will stop here and it won't evaluate against following profiles.
continue
will apply the profile even if the filter expression generates an error. (DEFAULT)break
will stop the processing of the alert if the filter expression generates an error.
on_failure
on_failure: continue|break
If the profile didn't apply and on_failure
is set to break
, decisions processing will stop here and it won't evaluate against following profiles.
continue
will continue to the next profile if the filter expression generates an error. (DEFAULT)break
will stop the processing of the alert if the filter expression generates an error.
on_error
on_error: continue|break|apply|ignore
If the filter expression generates an error, this would normally stop the alert from being processed to prevent a potential unwanted outcome.
break
will stop the processing of the alert if the filter expression generates an error. (DEFAULT)continue
will continue to the next profile if the filter expression generates an error.apply
will apply the profile even if the filter expression generates an error.ignore
will ignore the error and continue to the next profile.
However, there may be some expressions that do generate expected errors for example, when using the CTI helpers it may throw a rate limit error.
notifications
notifications:
- notification_plugin1
- notification_plugin2
The list of notification plugins to which the alert should be fed.