Skip to main content
Version: v1.4.0

Format

Profile configuration example#

/etc/crowdsec/profiles.yaml
name: default_ip_remediation#debug: truefilters: - Alert.Remediation == true && Alert.GetScope() == "Ip"decisions: - type: ban   duration: 4h#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"notifications:  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.on_success: break
---name: another_profile...

Profile directives#

name#

name: foobar

A label for the profile (used in logging)

debug#

debug: true

A boolean flag that provides contextual debug.

filters#

filters: - Alert.Remediation == true && Alert.GetScope() == "Session" - Alert.Remediation == true && Alert.GetScope() == "Ip"

If any filter of the list returns true, the profile is eligible and the decisions will be applied (note: filter can use expr helpers).

The filter allows you to then create custom decisions for some specific scenarios for example:

name: specific_remediation#debug: truefilters: - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum"]decisions: - type: ban   duration: 8hnotifications:  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.on_success: break---...

This allows you as well to setup various notifications or profiles depending on the scope :

name: notif_only#debug: truefilters: - Alert.GetScope() == "Country"notifications:  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.on_success: break---...

decisions#

decisions: - type: captcha   duration: 1h   scope: custom_app1_captcha - type: ban   duration: 2h

If the profile applies, decisions objects will be created for each of the sources that triggered the scenario.

It is a list of models.Decision objects. The following fields, when present, allows to alter the resulting decision :

  • scope : defines the scope of the resulting decision
  • duration : defines for how long will the decision be valid. The format must comply with golang's ParseDuration
  • type : defines the type of the remediation that will be applied by available bouncers, for example ban, captcha
  • value : define a hardcoded value for the decision (ie. 1.2.3.4)

duration_expr#

duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"

If the profile applies, and the duration_expr generates a valid golang's duration, it will replace the decision duration.

It can be used to have custom duration. For example, you can have an increased duration every time an attacker comes back. It relies on expr helpers.

on_success#

on_success: break

If the profile applies and on_success is set to break, decisions processing will stop here and it won't evaluate against following profiles.

on_failure#

on_failure: break

If the profile didn't apply and on_failure is set to break, decisions processing will stop here and it won't evaluate against following profiles.

notifications#

notifications:  - notification_plugin1  - notification_plugin2

The list of notification plugins to which the alert should be fed.