Version: Next

Format

Profile configuration example

/etc/crowdsec/profiles.yaml
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
name: another_profile
...

Profile directives

name

name: foobar

A label for the profile, used in logging.

debug

debug: true

A boolean flag that enables contextual debug output.

filters

filters:
 - Alert.Remediation == true && Alert.GetScope() == "Session"
 - Alert.Remediation == true && Alert.GetScope() == "Ip"

If any filter in the list returns true, the profile is eligible and its decisions will be applied (note: filters can use expr helpers).

Filters also let you create custom decisions for specific scenarios, for example:

name: specific_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum"]
decisions:
 - type: ban
   duration: 8h
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
...

Filters also let you set up different notifications or profiles depending on the scope:

name: notif_only
#debug: true
filters:
 - Alert.GetScope() == "Country"
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
...

decisions

decisions:
 - type: captcha
   duration: 1h
   scope: custom_app1_captcha
 - type: ban
   duration: 2h

If the profile applies, decision objects will be created for each of the sources that triggered the scenario.

It is a list of models.Decision objects. The following fields, when present, alter the resulting decision:

  • scope: defines the scope of the resulting decision
  • duration: defines how long the decision will be valid
  • type: defines the type of remediation that will be applied by available bouncers, for example ban, captcha
  • value: defines a hardcoded value for the decision (e.g. 1.2.3.4)

on_success

on_success: break

If the profile applies and on_success is set to break, decision processing stops here and the alert is not evaluated against the following profiles.

on_failure

on_failure: break

If the profile does not apply and on_failure is set to break, decision processing stops here and the alert is not evaluated against the following profiles.
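
The following Python sketch is an added example, not CrowdSec's code: it models the profile walk as this page describes it (any matching filter makes a profile eligible, on_success or on_failure set to break stops the walk) to show how the order of profiles in the file changes the resulting ban. The evaluate function, the dict-based alert, the callable filters standing in for expr expressions and the rule that scope and value default to the alert's source are assumptions made for illustration.

```python
# Simplified model of the profile walk described on this page (not CrowdSec's code).
# Assumptions: filters are Python callables standing in for expr expressions, and
# an alert is a dict with a single source.

def evaluate(profiles, alert):
    """Walk profiles in file order; return (decisions, names of profiles applied)."""
    decisions, applied = [], []
    for p in profiles:
        # A profile is eligible as soon as ANY filter in its list returns true.
        if any(f(alert) for f in p["filters"]):
            applied.append(p["name"])
            for d in p.get("decisions", []):
                decisions.append({
                    "type": d["type"],
                    "duration": d["duration"],
                    # scope/value, when present, override the alert's source (assumed default)
                    "scope": d.get("scope", alert["scope"]),
                    "value": d.get("value", alert["value"]),
                })
            if p.get("on_success") == "break":
                break  # later profiles are never evaluated
        elif p.get("on_failure") == "break":
            break  # a non-matching profile can also end the walk
    return decisions, applied

SSH_SCENARIOS = ("crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum")

def is_ip(a):
    return a["remediation"] and a["scope"] == "Ip"

def is_ssh(a):
    return is_ip(a) and a["scenario"] in SSH_SCENARIOS

# The two profiles from this page, expressed as dicts.
DEFAULT = {"name": "default_ip_remediation", "filters": [is_ip],
           "decisions": [{"type": "ban", "duration": "4h"}], "on_success": "break"}
SPECIFIC = {"name": "specific_remediation", "filters": [is_ssh],
            "decisions": [{"type": "ban", "duration": "8h"}], "on_success": "break"}

# Constructed sample alert (documentation IP range).
ALERT = {"remediation": True, "scope": "Ip", "value": "192.0.2.10",
         "scenario": "crowdsecurity/ssh-bf"}

if __name__ == "__main__":
    for order in ([DEFAULT, SPECIFIC], [SPECIFIC, DEFAULT]):
        decisions, applied = evaluate(order, ALERT)
        print(applied, [d["duration"] for d in decisions])
```

With the broad default profile listed first, the SSH alert receives the 4h ban and the 8h profile is never reached, so scenario-specific profiles belong ahead of catch-all ones.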

notifications

notifications:
  - notification_plugin1
  - notification_plugin2

The list of notification plugins to which the alert should be fed.