ban-defcon-drop_range Configuration

Installation

cscli scenarios install crowdsecurity/ban-defcon-drop_range

Description

Scenario to ban a range if more than 5 IPs from said range are banned less than 1 minute apart.

For this to work, two non-default things must be set:

You must append a profile that will process decisions on ranges:

/etc/crowdsec/profiles.yaml

#...
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
on_success: break

The related scenario(s) must be configured to have reprocess set to true: This is needed for the events (generated by the scenarios) to be processed again by CrowdSec so they can trigger our crowdsecurity/ban-defcon-drop_range scenario. Most scenarios do not have this option enabled by default.

YAML Configuration

1#TAP IT TWICE : if more than 5 unique IPs of a range are being banned, drop the range
2type: leaky
3#debug: true
4name: crowdsecurity/ban-defcon-drop_range
5description: "Ban a range if more than 5 ips from it are banned at a time"
6#it's an overflow from a scenario that triggered a remediation ;)
7filter: "evt.GetType() == 'overflow' && evt.Overflow.Alert.Remediation == true"
8groupby: "evt.Overflow.Alert.Source.Range"
9distinct: "evt.Overflow.Alert.Source.IP"
10capacity: 5
11leakspeed: "1m"
12blackhole: 5m
13labels:
14 remediation: true
15scope:
16 type: Range
17
18

Hub configuration

« ban-defcon-drop_range »
v0.2 by crowdsecurity
Attack scenarioremediation:truespoofable:nullconfidence:null

Hub configuration

« ban-defcon-drop_range »v0.2 by crowdsecurityAttack scenarioremediation:truespoofable:nullconfidence:null

« ban-defcon-drop_range »
v0.2 by crowdsecurity
Attack scenarioremediation:truespoofable:nullconfidence:null