C
CrowdSec2mo ago
-_-;.....

Is it possible to set remediation to false for specific ip adresses?

I have several IPs and ranges that I want to continue monitoring, but which must not be banned. Only a notification should be sent for these IPs. I built my own threat intelligence system for this purpose. The whitelist parser prevents any notification for listed IP's. ChatGPT told me to write a scenario, which has a name beginning with 0 to make sure it will be executed first. 
type: trigger
name: crowdsecurity/00-only-alert-my-ips
description: "Meldet Verstöße von meinen IPs/Ranges (v4/v6), aber kein automatisches Bannen"
filter: |
  IpInRange(evt.Meta.source_ip, [
    "127.0.0.1",
    "192.168.0.0/16",
    "10.0.0.0/8",
    "2001:db8::/32",
    "fe80::/10"
  ])
groupby: evt.Meta.source_ip
blackhole: 1h

labels:
  service: "internal-monitoring"
  remediation: false   # sorgt dafür, dass kein Ban erzeugt wird
  scope: ip
type: trigger
name: crowdsecurity/00-only-alert-my-ips
description: "Meldet Verstöße von meinen IPs/Ranges (v4/v6), aber kein automatisches Bannen"
filter: |
  IpInRange(evt.Meta.source_ip, [
    "127.0.0.1",
    "192.168.0.0/16",
    "10.0.0.0/8",
    "2001:db8::/32",
    "fe80::/10"
  ])
groupby: evt.Meta.source_ip
blackhole: 1h

labels:
  service: "internal-monitoring"
  remediation: false   # sorgt dafür, dass kein Ban erzeugt wird
  scope: ip
8 Replies
CrowdSec
CrowdSec2mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
blotus
blotus2mo ago
If you want to still have a notification, you need to do this in the profiles. add this at the top of /etc/crowdsec/profiles.yaml (untested, the syntax might be off): 
name: notif_only
filters:
 - any(["1.2.3.4/32", "10.0.0.0/8"], {IpInRange(Alert.GetValue(), #)})
notifications:
 - my_notif
on_success: break
name: notif_only
filters:
 - any(["1.2.3.4/32", "10.0.0.0/8"], {IpInRange(Alert.GetValue(), #)})
notifications:
 - my_notif
on_success: break
This will check if the IP is part of those ranges (you have to pass a /32 if you want to check for a single IP), and send a notification (notice there's no decisions key, so nothing decision will be taken)
-_-;.....
-_-;.....OP2mo ago
Looks promising, I will test this, thank you very much. Is there a way to test this? It looks like, explain does not take the profiles.yaml into account.
-_-;.....
-_-;.....OP2mo ago
-_-;.....
-_-;.....OP2mo ago
I coud not get it working: - any(["1.2.3.4/32", "10.0.0.0/8"], {IpInRange(Alert.GetValue(), #)}) Wrong Syntax.
blotus
blotus2mo ago
ah yes my bad, yaml issue with the # use something like this: 
filters:
 - |
   any(["1.2.3.4/32", "10.0.0.0/8"], { IpInRange(Alert.GetValue(), #)} )
filters:
 - |
   any(["1.2.3.4/32", "10.0.0.0/8"], { IpInRange(Alert.GetValue(), #)} )
jjg23
jjg232mo ago
Are the profiles in profiles.yaml processed in top to bottom order? Like in this scenario it would match the first by filter, then on_success: break causes no further profiles to be evaluated?
blotus
blotus2mo ago
yes they are processed in the order they are defined

Did you find this page helpful?