Profiles
Profiles are a list of rules that drives what actions will be taken by CrowdSec upon a detection. This can be as trivial as banning an IP address, or as complex as computing previous detections and banning on a scaling factor.
The profiles.yaml file, situated at the root of the configuration directory, outlines profiles to be used. It is loaded during startup and can be refreshed while the system is running.
Here is the default file path fo profiles depending on your platform:
- Linux
/etc/crowdsec/profiles.yaml - Freebsd
/usr/local/etc/crowdsec/profiles.yaml - Windows
C:\ProgramData\CrowdSec\config\profiles.yaml - Kubernetes By default, in
/etc/crowdsec/profiles.yamlincrowdsec-lapi-*pod. You can overwrite it invalues.yaml -> config.profiles.yaml
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
We won't delve into the file's specifics in this section, but further information is available in the profiles.yaml reference.
Example Modifications
Here are a few examples of how you might modify your profiles to better suit your needs.
Enable Notifications
Notifications are plugins that can forward alerts to another service for example the http plugin can forward to your SIEM
This adjustment can be made by configuring the plugin files located under:
- Linux
/etc/crowdsec/notifications/ - Freebsd
/usr/local/etc/crowdsec/notifications/ - Windows
C:\ProgramData\CrowdSec\config\notifications\
We wont be covering the configuration as you can find extensive documentation on the files. Once this is done you can start by removing the comment (#) from the notifications lines. This will enable notifications for the specified components.
Modified profiles.yaml
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
- slack_default
on_success: break
Scaling Decision Duration
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
This adjustment can be made by removing the comment (#) from the duration_expr line. The default formula utilizes GetDecisionsCount to determine how many times the specific value has been identified. We always add 1 to the count to ensure that the first ban is always 4 hours.
The resulting duration is calculated by multiplying this count by 4, then the Sprintf function formats the result into a string with the h suffix. The h suffix is used to denote hours within Go's time package.
So for example if an IP has been banned 3 times, the resulting string would be 12h meaning 12 hours.
Modified profiles.yaml
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
Captcha Decision
You MUST have configured a remediation component that supports Captcha Challenges, see here.
Upon detecting an incident, instead of immediately imposing a ban, you could opt to challenge the individual with a Captcha. This approach can be implemented by inserting an extra profile prior to the ban profile.
name: captcha_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
## Any scenario with http in its name will trigger a captcha challenge
decisions:
- type: captcha
duration: 4h
on_success: break
---
name: default_ip_remediation
...
The highlighted line above is the seperator between the two profiles. It is important to note that the on_success directive is set to break to ensure that the alert will not be evaluated by other profiles, so the offender will only get a captcha decision.
Modified profiles.yaml
name: captcha_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
## Any scenario with http in its name will trigger a captcha challenge
decisions:
- type: captcha
duration: 4h
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
Next Steps?
Now that you have made some modifications to your profiles, you MUST restart the CrowdSec service to apply the changes. You can do this by running the following command:
- Linux/Freebsd
- Windows
- Kubernetes
sudo crowdsec -t && sudo systemctl restart crowdsec
Restart-Service crowdsec
helm upgrade --install crowdsec crowdsecurity/crowdsec --namespace crowdsec -f values.yaml
