C
CrowdSec2mo ago
Coutabaniage

disable scenario for vhost

Is there a way to disable a specific scenario for a particular vhost?
4 Replies
CrowdSec
CrowdSec2mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Loz
Loz2mo ago
Which web server are you running and if its nginx based do you log the vhost as a prefix to the log line?
Coutabaniage
CoutabaniageOP2mo ago
it is plain nginx, and I don't have a prefix
Streilinger
Streilinger2mo ago
I think the easiest way would be to configure a profile for it in /etc/crowdsec/profiles.yaml. This way can still have notifications about it without a decision. Something like: 
name: only_notification_appsec-outofband_endpoint
##debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() == "crowdsecurity/crowdsec-appsec-outofband" && Alert.GetMeta("target_host") == "XXX.XXX.com"
#decisions:
# - type: ban
#   duration: 4h
notifications:
  - notify-only
on_success: break
name: only_notification_appsec-outofband_endpoint
##debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() == "crowdsecurity/crowdsec-appsec-outofband" && Alert.GetMeta("target_host") == "XXX.XXX.com"
#decisions:
# - type: ban
#   duration: 4h
notifications:
  - notify-only
on_success: break
If you'd like to whitelist it completely you could also write a postoverflow for the scenario/vhost.

Did you find this page helpful?