Decision filter by country

Hi!

I am trying to distinguish decisions depending on countries. E.g. IPs from the country my servers are located in should only get banned for 12 hours after an alert is triggered, and IPs from other countries for 24h.
Unfortunately I am unable to query the source country in the profile.yaml filter. Is there a function to solve my problem (something like Alert.GetCountry()) or some other method?
Thanks for the help in advance!

You can do the following:

name: not_my_country
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn != 'GB'
## Or Alert.Source.Cn not in ['GB', 'FR'] if you want multiple
decisions:
 - type: ban
   duration: 24h
#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
#notifications:
#  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 12h
#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
#notifications:
#  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break

But in short, you can access the 2-character ISO code from Alert.Source.Cn. Remember that this depends on the geolocation working correctly, so if an IP cannot be identified it will default to 12h. You may want to inverse it if you would rather default to 24 hours, e.g. the first profile is Alert.Source.Cn == 'GB'.
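As an added example (not part of the reply above), this is the inverted ordering the reply suggests: the home-country profile comes first and hands out the 12h ban, and every other alert, including one where the GeoIP enrichment could not resolve a country and Alert.Source.Cn therefore does not equal 'GB', falls through to the 24h profile. 'GB' and the two durations are taken from the thread; the country code is an assumption you replace with your own.

```yaml
# Added example: home country first, so an unresolved GeoIP lookup
# ends up in the longer ban rather than the shorter one.
# Assumes the servers are in GB (replace with your own ISO 3166-1 alpha-2 code).
name: my_country
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn == 'GB'
decisions:
  - type: ban
    duration: 12h
on_success: break
---
# Everything else, including alerts where Alert.Source.Cn is not set,
# lands here and gets the longer ban.
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 24h
on_success: break
```

Both profiles live in the single /etc/crowdsec/profiles.yaml file, separated by `---`. The order matters: the first profile whose filter matches wins, and `on_success: break` stops evaluation there, so whichever profile you want to act as the fallback for unresolved IPs must come last.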

Works like a charm! Thank you so much for the quick response!


Is this one or two files?
And where did you put this in /etc/crowdsec ?

where did you put this in /etc/crowdsec ?

It's /etc/crowdsec/profiles.yaml