Format
Profile configuration example

```yaml
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
 - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
name: another_profile
...
```

Profile directives
name

```yaml
name: foobar
```

A label for the profile (used in logging).
debug

```yaml
debug: true
```

A boolean flag that provides contextual debug output.
filters

```yaml
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Session"
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
```

If any filter in the list returns true, the profile is eligible and its decisions will be applied (note: filters can use expr helpers).

Filters also let you create custom decisions for specific scenarios, for example:

```yaml
name: specific_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum"]
decisions:
 - type: ban
   duration: 8h
on_success: break
---
...
```

decisions
```yaml
decisions:
 - type: captcha
   duration: 1h
   scope: custom_app1_captcha
 - type: ban
   duration: 2h
```

If the profile applies, decision objects will be created for each of the sources that triggered the scenario.

It is a list of models.Decision objects. The following fields, when present, alter the resulting decision:

- scope: defines the scope of the resulting decision
- duration: defines how long the decision will be valid
- type: defines the type of remediation that will be applied by available bouncers, for example ban, captcha
- value: defines a hardcoded value for the decision (e.g. 1.2.3.4)
on_success

```yaml
on_success: break
```

If the profile applies and on_success is set to break, decision processing stops here and the alert is not evaluated against the following profiles.
on_failure

```yaml
on_failure: break
```

If the profile didn't apply and on_failure is set to break, decision processing stops here and the alert is not evaluated against the following profiles.
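The following is an added example, not CrowdSec code: a small Python model of the evaluation rules described on this page (any filter true makes the profile apply; on_success and on_failure decide whether later profiles are reached). It shows why the narrower specific_remediation profile has to be listed before default_ip_remediation. The function names, the alert dictionaries and the scenario name example/http-probe are constructed for illustration, and Python callables stand in for expr filters.

```python
# Simplified model of profile evaluation, based only on the directives above.
# Not CrowdSec's implementation: Python callables stand in for expr filters.

def evaluate(profiles, alert):
    """Walk the profiles in file order; return (profile name, decision) pairs."""
    produced = []
    for profile in profiles:
        # A profile applies if ANY filter in its list returns true.
        applies = any(f(alert) for f in profile["filters"])
        if applies:
            produced += [(profile["name"], d) for d in profile["decisions"]]
            if profile.get("on_success") == "break":
                break  # later profiles are never evaluated
        elif profile.get("on_failure") == "break":
            break      # profile did not apply and processing stops anyway
    return produced


def is_ip(alert):
    return alert["remediation"] and alert["scope"] == "Ip"


def is_ssh(alert):
    return is_ip(alert) and alert["scenario"] in (
        "crowdsecurity/ssh-bf", "crowdsecurity/ssh-user-enum")


DEFAULT = {"name": "default_ip_remediation", "filters": [is_ip],
           "decisions": [{"type": "ban", "duration": "4h"}],
           "on_success": "break"}
SPECIFIC = {"name": "specific_remediation", "filters": [is_ssh],
            "decisions": [{"type": "ban", "duration": "8h"}],
            "on_success": "break"}

# Constructed sample alerts (not real data).
SSH_ALERT = {"remediation": True, "scope": "Ip",
             "scenario": "crowdsecurity/ssh-bf"}
HTTP_ALERT = {"remediation": True, "scope": "Ip",
              "scenario": "example/http-probe"}  # made-up scenario name


def durations(profiles, alert):
    return [d["duration"] for _, d in evaluate(profiles, alert)]


if __name__ == "__main__":
    print("specific first:", durations([SPECIFIC, DEFAULT], SSH_ALERT))
    print("default first: ", durations([DEFAULT, SPECIFIC], SSH_ALERT))
    print("other scenario:", durations([SPECIFIC, DEFAULT], HTTP_ALERT))
```

With the default profile listed first, its on_success: break stops processing and the SSH alert only receives the 4h ban, so the 8h profile is never reached.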