Profiles configurations
The profiles configuration (/etc/crowdsec/profiles.yaml) lets you configure what kind of remediation is applied when a scenario is triggered.
The configuration file is a YAML file that looks like:
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
on_success: break
Each YAML object in the file contains a list of models.Decision that contains:
name
name: foobar
A label for the profile (used in logging)
debug
debug: true
A boolean flag that provides contextual debug.
filters
filters:
- Alert.Remediation == true && Alert.GetScope() == "Session"
- Alert.Remediation == true && Alert.GetScope() == "Ip"
If any filter of the list returns true, the profile is eligible and the decisions will be applied.
decisions
decisions:
 - type: captcha
   duration: 1h
   scope: custom_app1_captcha
 - type: ban
   duration: 2h
If the profile applies, decision objects will be created for each of the sources that triggered the scenario.
It is a list of models.Decision objects. The following fields, when present, alter the resulting decision:
- scope: defines the scope of the resulting decision
- duration: defines how long the decision will be valid
- type: defines the type of remediation that will be applied by available bouncers, for example ban, captcha
- value: defines a hardcoded value for the decision (e.g. 1.2.3.4)
on_success
on_success: break
If the profile applies and on_success is set to break, decision processing stops here and the alert is not evaluated against the following profiles.
on_failure
on_failure: break
If the profile didn't apply and on_failure is set to break, decision processing stops here and the alert is not evaluated against the following profiles.
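The evaluation order described on this page, as a simplified Python model (an added example, not CrowdSec's own code). Filters are Python callables standing in for the expression strings; the alert dict layout, the profile names session_captcha and catch_all, and the sample addresses are constructed assumptions.

```python
# Simplified model of how an ordered list of profiles is evaluated.
# Added example: filters are Python callables standing in for the
# expression strings, and alerts are plain dicts (both are assumptions).

def evaluate(profiles, alert):
    """Return (decisions, names of the profiles that applied)."""
    decisions, applied = [], []
    for p in profiles:
        # Eligible as soon as ANY filter in the list returns true.
        if any(f(alert) for f in p["filters"]):
            applied.append(p["name"])
            for src in alert["sources"]:        # decisions for each source
                for d in p["decisions"]:
                    decisions.append({
                        "type": d["type"],
                        "duration": d["duration"],
                        # optional fields alter the resulting decision
                        "scope": d.get("scope", alert["scope"]),
                        "value": d.get("value", src),
                    })
            if p.get("on_success") == "break":
                break                            # later profiles are skipped
        elif p.get("on_failure") == "break":
            break                                # later profiles are skipped
    return decisions, applied

def scope_is(scope):
    # Stand-in for: Alert.Remediation == true && Alert.GetScope() == "<scope>"
    return lambda a: a["remediation"] and a["scope"] == scope

# Constructed sample profiles, in file order.
PROFILES = [
    {"name": "session_captcha", "filters": [scope_is("Session")],
     "decisions": [{"type": "captcha", "duration": "1h",
                    "scope": "custom_app1_captcha"}],
     "on_success": "break"},
    {"name": "default_ip_remediation", "filters": [scope_is("Ip")],
     "decisions": [{"type": "ban", "duration": "4h"}],
     "on_success": "break"},
    {"name": "catch_all", "filters": [lambda a: a["remediation"]],
     "decisions": [{"type": "ban", "duration": "2h"}]},
]

# Constructed sample alert: one scenario triggered by two IP sources.
IP_ALERT = {"remediation": True, "scope": "Ip",
            "sources": ["192.0.2.10", "192.0.2.11"]}

if __name__ == "__main__":
    for decision in evaluate(PROFILES, IP_ALERT)[0]:
        print(decision)
```

Removing on_success: break from default_ip_remediation lets the same alert also reach catch_all, so each source receives both a 4h and a 2h ban; profile order and break settings are worth reviewing together.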