According to this bug report and also the troubleshooting guide, if you want to enable simulation mode for a custom scenario, instead of using the name of the scenario, you have to use the name of the file. I’ve tried doing so, but cscli always returns:
ERRO[2024-04-03T10:46:17+02:00] 'custom-scenario.yaml' doesn't exist or is not a scenario
I have the given scenario saved under /etc/crowdsec/scenarios. Using the full path of the file didn’t work either.
The original issue is now fixed; you can use the actual name that is listed within the scenario.
╭─loz ~ took 17ms
╰─λ cat /etc/crowdsec/scenarios/ah.yaml
File: /etc/crowdsec/scenarios/ah.yaml
# 404 scan
type: leaky
#debug: true
name: crowdsecurity/ah
description: "Detect site scanning/probing from a single ip"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
distinct: "evt.Meta.http_path"
capacity: 10
reprocess: false
leakspeed: "10s"
blackhole: 5m
labels:
  remediation: true
  classification:
    - attack.T1595.003
  behavior: "http:scan"
  label: "HTTP Probing"
  spoofable: 0
  service: http
  confidence: 1
╭─loz ~ took 11ms
╰─λ cscli simulation enable crowdsecurity/ah
INFO[2024-04-03T12:54:55+01:00] simulation mode for 'crowdsecurity/ah' enabled
INFO[2024-04-03T12:54:55+01:00] Run 'sudo systemctl reload crowdsec' for the new configuration tobe effective.
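As an added example (not from this thread or the CrowdSec project), a small POSIX shell helper that reads the `name:` key out of a scenario file so that the value handed to `cscli simulation enable` is the declared scenario name (crowdsecurity/ah) rather than the file name (ah.yaml). It assumes scenario files shaped like the one above and that `cscli` is on PATH when you actually run it; the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. `cscli simulation enable` wants the
# scenario's declared name, not its file name, so read the `name:` key.
scenario_name_from_file() {
    # First `name:` line, key stripped, surrounding quotes removed.
    sed -n 's/^name:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'"
}

# Enable simulation for every scenario file in a directory, by name.
# Falls back to printing the command when cscli is not installed.
simulate_dir() {
    dir=${1:-/etc/crowdsec/scenarios}
    for f in "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        name=$(scenario_name_from_file "$f")
        if [ -z "$name" ]; then
            echo "skip $f: no name: key" >&2
            continue
        fi
        if command -v cscli >/dev/null 2>&1; then
            cscli simulation enable "$name"
        else
            echo "would run: cscli simulation enable $name"
        fi
    done
    # As cscli itself says, the change only applies after a reload.
    echo "reminder: run 'sudo systemctl reload crowdsec' afterwards"
}

# Constructed sample scenarios for an offline run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ah.yaml" <<'EOF'
# 404 scan
type: leaky
name: crowdsecurity/ah
description: "Detect site scanning/probing from a single ip"
capacity: 10
EOF
cat > "$demo_dir/quoted.yaml" <<'EOF'
type: trigger
name: "acme/quoted-name"
EOF
printf 'type: leaky\n' > "$demo_dir/noname.yaml"
```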
It still doesn’t work for me, unfortunately. Enabling them as simulated will still, on alert, result in a straightforward ban.
Did you restart the service after enabling simulation mode?
Yes I did. It still didn’t work.
Okay let me try in a test environment
Edit: it seems simulation for custom scenarios has been broken in the latest release; we will work on fixing this.