is it possible to control the scope of Allowlists so that a custom scenario can bypass Allowlist?
Background: I am using an Allowlist for some of my internal IP ranges. However, I now have a custom scenario that I would like to trigger alerts for all internal IPs. Effectively, I have one scenario where I want all Allowlists to be ignored.
I can see that when my custom scenario triggers it is logged on the endpoint and sent to the LAPI, but the LAPI drops the alert with a corresponding log message "alert source <ip> is allowlisted by <cidr> from my_allowlist (...), skipping".
What I want to happen is that alerts for this particular scenario are not dropped. This will then allow me to trigger a notification via a custom profile. What is the best way to achieve this?
Ideally, it would be great if Allowlists can somehow be optionally scoped/de-scoped for certain scenarios.
At the moment, no, it's not possible.
Allowlists are designed as a global override.
What is the exact use case you have?
I have written a custom scenario that will trigger if a firewall block event is repeated a lot for a single port (I want to raise an alert for this, which triggers a notification only and no remediation ban). This is mainly to help identify misconfiguration on our internal network, typically where a firewall rule is missing or an app is using the wrong server. Problem is that with most internal subnets in the Allowlist, any alert gets dropped before it can be processed by a custom profile.
It would be good if there was some way that we could control/override the Allowlist logic (I think this could be achieved if Alerts got to the profiles and Is_allowlisted is a member that we can build our filter criteria with). The default profiles would simply need an additional filter criteria 'Is_allowlisted == false'.
Actually, I think I found a solution. I can simply set the scope of my custom scenarios to a 'pseudo_ip'; this means that Allowlists will not be applied (as they only apply when scope == Ip | Range). Now the alerts get through to my profiles where I can trigger notifications.

```yaml
# Scope block of the custom scenario: a scope type other than Ip/Range means
# the LAPI allowlist check is not applied to this scenario's alerts.
scope:
  type: "pseudo_ip"
  expression: evt.Meta.source_ip
```
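For readers who want to see the workaround as a complete pair of files, here is an added example (not from the original thread and not CrowdSec's own configuration) of a notification-only scenario using the `pseudo_ip` scope, together with a profile that matches it. The scenario name, the `evt.Meta.log_type` value, the `evt.Meta.dst_port` field and the `slack_default` notification plugin name are assumptions for illustration; only `evt.Meta.source_ip` and the `pseudo_ip` scope come from the thread. The leaky-bucket field names (`type`, `filter`, `groupby`, `capacity`, `leakspeed`, `blackhole`, `labels`, `scope`) and the profile fields (`filters`, `notifications`, `on_success`) are standard CrowdSec scenario and profile keys.

```yaml
# --- scenarios/internal-port-block-flood.yaml (added example, hypothetical names) ---
type: leaky
name: mycompany/internal-port-block-flood      # assumed scenario name
description: "Many firewall blocks for one source IP towards one port (misconfiguration hint)"
# evt.Meta.log_type and evt.Meta.dst_port are assumed to be set by your firewall parser.
filter: "evt.Meta.log_type == 'firewall_block'"
# One bucket per (source, destination port): a single chatty client hitting one closed port.
groupby: "evt.Meta.source_ip + ':' + evt.Meta.dst_port"
capacity: 20          # alert after 20 blocked packets ...
leakspeed: "30s"      # ... that arrive faster than one per 30 seconds
blackhole: "1h"       # do not re-alert for the same bucket for an hour
labels:
  remediation: false  # informational only: default ban profile requires Remediation == true
  type: misconfiguration
# A non-Ip/Range scope: the LAPI allowlist check only covers Ip/Range scopes,
# so this alert reaches the profiles even for allowlisted internal ranges.
scope:
  type: "pseudo_ip"
  expression: evt.Meta.source_ip

---
# --- profiles.yaml entry (added example) ---
name: internal_misconfig_notify
# Match only the pseudo_ip alerts; no "decisions:" block, so nothing is banned.
filters:
  - Alert.GetScope() == "pseudo_ip"
notifications:
  - slack_default     # assumed notification plugin config name
on_success: break     # stop here so the default ban profile is never evaluated
```

Because the default `default_ip_remediation` profile filters on `Alert.GetScope() == "Ip"`, an alert carrying the `pseudo_ip` scope would not match it even without the `on_success: break`; the explicit profile above just makes the intent obvious and keeps the notification separate from any remediation logic. Note that `cscli decisions list` will show nothing for these alerts, since no decision is produced, so check `cscli alerts list` when verifying the workaround.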