Block subnet if multiple IPs from the same subnet are banned

I link to this discussion: Ban-defcon-drop_range - #2 by thibault

For the scenario to work, you must modify your profile (/etc/crowdsec/profiles.yaml):

name: default_ip_remediation
...
+ ---
+ name: default_range_remediation
+ #debug: true
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
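
Review bot: the added `default_range_remediation` profile is shown with its indentation flattened, so it will not load as intended if copied as is. In profiles.yaml the filter expression has to be an indented list item under `filters:`, and `duration: 4h` has to sit inside the `- type: ban` item under `decisions:`. Because this profile bans for 4h on every alert where `Alert.GetScope() == "Range"` and then stops with `on_success: break`, consider uncommenting `#debug: true` for the first test run to confirm which alerts actually match the filter.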

And it works (tested with the loop proposed in the discussion).

THANKS!
