Block subnet if multiple IPs from the same subnet are banned

Hello,

I would like to know if crowdsec is capable of taking ban measures retrospectively?

For example at the moment I have several IPs coming from the same subnet blocked for the same reason:

| 517 | Ip:X.113.194.43 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:57:03.993350467 +0000 UTC |
| 516 | Ip:X.113.194.34 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:56:54.868785498 +0000 UTC |
| 514 | Ip:X.113.194.39 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:20:21.308207165 +0000 UTC |

They are regularly unlocked (4 hours) then re-blocked immediately…

We could consider that after 3 IPs of the same subnet blocked for the same scenario I block the entire subnet, and this for a longer period than previously…

Is this feasible? If so, do you have any suggestions for me?

David

I answer myself, I was answered on Discord
This scenario seems to meet the need: https://app.crowdsec.net/hub/author/crowdsecurity/configurations/ban-defcon-drop_range

I link to this discussion: Ban-defcon-drop_range - #2 by thibault

For the scenario to work, you must modify your profile (/etc/crowdsec/profiles.yaml):

name: default_ip_remediation
...
+ ---
+ name: default_range_remediation
+ #debug: true
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break

And it works (tested with the loop proposed in the discussion.

THANKS !

Hello,
Thanks for the solution, this is very helpful for me.

Note we updated the readme of the scenario to reflect what steps are needed to get this working

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/ban-defcon-drop_range

Good morning,

Is there a reason why the ‘ban-defcon-drop_range’ scenario was triggered with the “for” loop shown here: https://discourse.crowdsec.net/t/ban-defcon-drop- range/70/2 but not in real life

Right now for example I have a range that could be banned because I have lots of IPs from the same range:

╭────────┬──────────┬────────────────────┬───────────────────────────────────┬────────┬─────────┬───────────────────────────────────────────────┬────────┬────────────────────┬──────────╮
│   ID   │  Source  │     Scope:Value    │               Reason              │ Action │ Country │                       AS                      │ Events │     expiration     │ Alert ID │
├────────┼──────────┼────────────────────┼───────────────────────────────────┼────────┼─────────┼───────────────────────────────────────────────┼────────┼────────────────────┼──────────┤
│ 510258 │ crowdsec │ Ip:217.113.194.26  │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 2      │ 2h49m23.35232731s  │ 292      │
│ 510257 │ crowdsec │ Ip:217.113.194.27  │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 2      │ 2h11m57.63386388s  │ 291      │
│ 510256 │ crowdsec │ Ip:217.113.194.30  │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 2      │ 2h11m46.244394249s │ 290      │
│ 495255 │ crowdsec │ Ip:217.113.194.29  │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 3      │ 1h34m25.528271048s │ 288      │
│ 495254 │ crowdsec │ Ip:217.113.194.23  │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 2      │ 1h33m33.418597688s │ 287      │
│ 495253 │ crowdsec │ Ip:217.113.194.243 │ crowdsecurity/http-bad-user-agent │ ban    │ FR      │ 210743 Babbar SAS                             │ 2      │ 1h32m48.421020405s │ 286      │

When I try to insert a piece of log to play it doesn’t work either:

test1.fr:80 112.86.225.168 - - [15/Jul/2024:05:51:09 +0200] "GET / HTTP/1.1" 301 458 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.168 - - [15/Jul/2024:05:51:10 +0200] "GET / HTTP/1.1" 301 4125 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.168 - - [15/Jul/2024:05:51:21 +0200] "GET / HTTP/1.1" 200 69682 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:80 112.86.225.149 - - [15/Jul/2024:07:18:47 +0200] "GET / HTTP/1.1" 301 444 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.149 - - [15/Jul/2024:07:18:48 +0200] "GET / HTTP/1.1" 301 4215 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.149 - - [15/Jul/2024:07:18:50 +0200] "GET / HTTP/1.1" 200 198251 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:80 112.86.225.170 - - [15/Jul/2024:14:55:17 +0200] "GET / HTTP/1.1" 301 458 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.170 - - [15/Jul/2024:14:55:18 +0200] "GET / HTTP/1.1" 301 4125 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.170 - - [15/Jul/2024:14:55:20 +0200] "GET / HTTP/1.1" 200 69682 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:80 112.86.225.163 - - [15/Jul/2024:16:34:34 +0200] "GET / HTTP/1.1" 301 444 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.163 - - [15/Jul/2024:16:34:35 +0200] "GET / HTTP/1.1" 301 4215 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.163 - - [15/Jul/2024:16:34:36 +0200] "GET / HTTP/1.1" 200 198252 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"

here “http-bad-user-agent” is triggered but never “'ban-defcon-drop_range”

Is there a link with the fact that it is “no-syslog”?

==> /var/log/crowdsec.log <==
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.168 (CN/4837) : 4h ban on Ip 112.86.225.168"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.149 (CN/4837) : 4h ban on Ip 112.86.225.149"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.170 (CN/4837) : 4h ban on Ip 112.86.225.170"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.163 (CN/4837) : 4h ban on Ip 112.86.225.163"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.164 (CN/4837) : 4h ban on Ip 112.86.225.164"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.165 (CN/4837) : 4h ban on Ip 112.86.225.165"
time="2024-07-15T19:35:12+02:00" level=info msg="Signal push: 6 signals to push"

Note : the scenario is indeed listed at enable when I make a “cscli scenario list”

Thank’s,
David