I link to this discussion: Ban-defcon-drop_range - #2 by thibault
For the scenario to work, you must modify your profile (/etc/crowdsec/profiles.yaml):
name: default_ip_remediation
...
+ ---
+ name: default_range_remediation
+ #debug: true
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
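Review bot: in the decisions block the added lines are shown flush-left, so `duration: 4h` reads as a sibling of `- type: ban` instead of a key of that list item; in profiles.yaml it has to be indented under `- type: ban`, otherwise it is not parsed as part of the ban decision. The filter `Alert.Remediation == true && Alert.GetScope() == "Range"` also matches every Range-scoped alert with remediation enabled, not only the scenario from the linked discussion, so each of them receives the 4h ban on the whole range; add a scenario condition to the filter if that is broader than intended.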
And it works (tested with the loop proposed in the discussion).
THANKS!