Block subnet if multiple IPs from the same subnet are banned

Hello,

I would like to know if crowdsec is capable of taking ban measures retrospectively?

For example at the moment I have several IPs coming from the same subnet blocked for the same reason:

| 517 | Ip:X.113.194.43 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:57:03.993350467 +0000 UTC |
| 516 | Ip:X.113.194.34 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:56:54.868785498 +0000 UTC |
| 514 | Ip:X.113.194.39 | crowdsecurity/http-bad-user-agent | EN | 210743 xxxxxx SAS | ban:1 | 2024-07-03 07:20:21.308207165 +0000 UTC |

They are regularly unblocked (after 4 hours) and then re-blocked immediately...

We could consider that after 3 IPs of the same subnet are blocked for the same scenario, I block the entire subnet, and for a longer period than before...

Is this feasible? If so, do you have any suggestions for me?

David
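The grouping rule asked for above (once several IPs from one subnet are banned for the same scenario, treat the whole subnet as a candidate for a range ban) written out as a stand-alone check. This is an added example, not CrowdSec code and not the hub's ban-defcon-drop_range scenario, which implements the idea inside the engine. It parses decision lines in the format crowdsec writes to /var/log/crowdsec.log (modelled on the lines quoted later in this thread); the addresses, agent name and the /24 prefix and threshold of 3 in the sample are constructed assumptions, not values taken from the hub scenario.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of /var/log/crowdsec.log decision lines. Addresses are
# documentation ranges, the agent name is a placeholder; one IP (.26) is banned
# twice to show that re-bans after expiry do not inflate the count.
SAMPLE_LOG = """\
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 203.0.113.26 (XX/64496) : 4h ban on Ip 203.0.113.26"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 203.0.113.27 (XX/64496) : 4h ban on Ip 203.0.113.27"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 203.0.113.30 (XX/64496) : 4h ban on Ip 203.0.113.30"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 203.0.113.29 (XX/64496) : 4h ban on Ip 203.0.113.29"
time="2024-07-15T23:40:02+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 203.0.113.26 (XX/64496) : 4h ban on Ip 203.0.113.26"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-bad-user-agent by ip 198.51.100.7 (XX/64497) : 4h ban on Ip 198.51.100.7"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-probing by ip 203.0.113.40 (XX/64496) : 4h ban on Ip 203.0.113.40"
time="2024-07-15T19:35:11+02:00" level=info msg="(agent-placeholder/crowdsec) crowdsecurity/http-probing by ip 203.0.113.41 (XX/64496) : 4h ban on Ip 203.0.113.41"
time="2024-07-15T19:35:12+02:00" level=info msg="Signal push: 6 signals to push"
"""

# Matches "<scenario> by ip <addr> (...) : <duration> ban on Ip"; lines such as
# "Signal push" do not match and are skipped.
BAN_RE = re.compile(
    r'(?P<scenario>[\w-]+/[\w-]+) by ip (?P<ip>[0-9a-fA-F.:]+) .*?: \S+ ban on Ip'
)


def bans_per_subnet(log_text, prefixlen=24):
    """Map (scenario, subnet) -> set of distinct banned IPs in that subnet.

    IPv4 addresses are grouped by `prefixlen` (assumed /24 here); IPv6 by /64.
    """
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        plen = prefixlen if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        buckets[(m["scenario"], net)].add(ip)
    return buckets


def ranges_to_ban(log_text, threshold=3, prefixlen=24):
    """Return sorted (scenario, subnet, distinct_ip_count) tuples whose count
    of distinct banned IPs reaches `threshold` (assumed 3 here)."""
    hits = []
    for (scenario, net), ips in bans_per_subnet(log_text, prefixlen).items():
        if len(ips) >= threshold:
            hits.append((scenario, str(net), len(ips)))
    return sorted(hits)


if __name__ == "__main__":
    for scenario, net, count in ranges_to_ban(SAMPLE_LOG):
        print(f"{net}: {count} distinct IPs banned by {scenario}")
```

The count is per (scenario, subnet) and over distinct addresses, so the 4-hour expire/re-ban cycle described above does not push a subnet over the threshold by itself; only new IPs from the same range do.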

I'll answer myself, since I got an answer on Discord.
This scenario seems to meet the need: https://app.crowdsec.net/hub/author/crowdsecurity/configurations/ban-defcon-drop_range

I link to this discussion: Ban-defcon-drop_range - #2 by thibault

For the scenario to work, you must modify your profile (/etc/crowdsec/profiles.yaml):

name: default_ip_remediation
...
+ ---
+ name: default_range_remediation
+ #debug: true
+ filters:
+   - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+   - type: ban
+     duration: 4h
+ on_success: break

And it works (tested with the loop proposed in the discussion).

Thanks!

Hello,
Thanks for the solution, this is very helpful for me.

Note we updated the readme of the scenario to reflect what steps are needed to get this working

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/ban-defcon-drop_range


Good morning,

Is there a reason why the 'ban-defcon-drop_range' scenario was triggered with the "for" loop shown here: https://discourse.crowdsec.net/t/ban-defcon-drop-range/70/2 but not in real life :slight_smile:

Right now for example I have a range that could be banned because I have lots of IPs from the same range:

| ID | Source | Scope:Value | Reason | Action | Country | AS | Events | expiration | Alert ID |
| 510258 | crowdsec | Ip:217.113.194.26 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 2 | 2h49m23.35232731s | 292 |
| 510257 | crowdsec | Ip:217.113.194.27 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 2 | 2h11m57.63386388s | 291 |
| 510256 | crowdsec | Ip:217.113.194.30 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 2 | 2h11m46.244394249s | 290 |
| 495255 | crowdsec | Ip:217.113.194.29 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 3 | 1h34m25.528271048s | 288 |
| 495254 | crowdsec | Ip:217.113.194.23 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 2 | 1h33m33.418597688s | 287 |
| 495253 | crowdsec | Ip:217.113.194.243 | crowdsecurity/http-bad-user-agent | ban | FR | 210743 Babbar SAS | 2 | 1h32m48.421020405s | 286 |

When I try to replay a piece of log, it doesn't work either:

test1.fr:80 112.86.225.168 - - [15/Jul/2024:05:51:09 +0200] "GET / HTTP/1.1" 301 458 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.168 - - [15/Jul/2024:05:51:10 +0200] "GET / HTTP/1.1" 301 4125 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.168 - - [15/Jul/2024:05:51:21 +0200] "GET / HTTP/1.1" 200 69682 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:80 112.86.225.149 - - [15/Jul/2024:07:18:47 +0200] "GET / HTTP/1.1" 301 444 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.149 - - [15/Jul/2024:07:18:48 +0200] "GET / HTTP/1.1" 301 4215 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.149 - - [15/Jul/2024:07:18:50 +0200] "GET / HTTP/1.1" 200 198251 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:80 112.86.225.170 - - [15/Jul/2024:14:55:17 +0200] "GET / HTTP/1.1" 301 458 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.170 - - [15/Jul/2024:14:55:18 +0200] "GET / HTTP/1.1" 301 4125 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test1.fr:443 112.86.225.170 - - [15/Jul/2024:14:55:20 +0200] "GET / HTTP/1.1" 200 69682 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:80 112.86.225.163 - - [15/Jul/2024:16:34:34 +0200] "GET / HTTP/1.1" 301 444 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.163 - - [15/Jul/2024:16:34:35 +0200] "GET / HTTP/1.1" 301 4215 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
test2.fr:443 112.86.225.163 - - [15/Jul/2024:16:34:36 +0200] "GET / HTTP/1.1" 200 198252 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"

Here "http-bad-user-agent" is triggered but never "ban-defcon-drop_range".

Is this linked to the fact that it is "no-syslog"?

==> /var/log/crowdsec.log <==
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.168 (CN/4837) : 4h ban on Ip 112.86.225.168"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.149 (CN/4837) : 4h ban on Ip 112.86.225.149"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.170 (CN/4837) : 4h ban on Ip 112.86.225.170"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.163 (CN/4837) : 4h ban on Ip 112.86.225.163"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.164 (CN/4837) : 4h ban on Ip 112.86.225.164"
time="2024-07-15T19:35:11+02:00" level=info msg="(a4ae30fffff34047a2cfdffec80928e2D8EhX0lyMctpY8Dj/crowdsec) crowdsecurity/http-bad-user-agent by ip 112.86.225.165 (CN/4837) : 4h ban on Ip 112.86.225.165"
time="2024-07-15T19:35:12+02:00" level=info msg="Signal push: 6 signals to push"

Note: the scenario is indeed listed as enabled when I run "cscli scenario list".

Thanks,
David