Default Ban time duration

Hi,
My question is about the default ban time duration in the sshd detection scenario.
Thanks.

Hello,

By default, the ban durations are 4 hours.

However, you can edit the profiles.yaml to change the default or have different ban duration per scenario.

2 Likes

Thanks :slight_smile:

I’ve noticed that after an update the profiles.yaml file was overwritten changing the ban duration back to the default of 4 hours.

Is it possible to make a custom setting that isn’t overwritten when there is an update?

2 Likes

Hello @gppixelworks!

Currently, there is no way to prevent this, sorry, but I’ve opened an issue so we can deal with it!

https://github.com/crowdsecurity/crowdsec/issues/397

1 Like

How can I do that? The official manual (Format | CrowdSec) has no such directive.

To achieve a different ban per scenario, you would create a new profile that uses Alert.GetScenario() in the filter; you can see how we use this in the captcha example.

I haven’t explored it, but you can also use expr_duration as well, since you have access to the same variables.

1 Like

Hmm, will this work? (the scenario to “catch” for longer ban duration has name my/pf-scan-multi_ports)

```yaml
name: scan_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["my/pf-scan-multi_ports"]
decisions:
 - type: ban
   duration: 48h
on_success: break
---
```

Yes, that will work, or you can do a string compare like:

```
Alert.GetScenario() == "my/pf-scan-multi_ports"
```

1 Like
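A check that covers both problems raised in this thread, the custom profile disappearing after an update and a custom profile placed below a catch-all one, written as an added example (not code from the thread or from CrowdSec). It assumes profiles are evaluated top to bottom and that `on_success: break` stops evaluation; the default profile name `default_ip_remediation`, the helper names and the text-matching heuristic for filters are assumptions of this sketch.

```python
import re

# Constructed sample: the thread's custom profile placed AFTER the catch-all
# default profile (4h ban), the ordering mistake this check reports.
SAMPLE = """\
name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
on_success: break
---
name: scan_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["my/pf-scan-multi_ports"]
decisions:
 - type: ban
   duration: 48h
on_success: break
"""

def field(doc, key):
    m = re.search(rf"(?m)^\s*{key}:\s*(\S+)", doc)
    return m.group(1) if m else None

def parse_profiles(text):
    """Line-based reader for the flat layout above (not a general YAML parser)."""
    profiles = []
    for doc in re.split(r"(?m)^---[ \t]*$", text):
        if not doc.strip():
            continue
        block = re.search(r"(?ms)^filters:[ \t]*\n(.*?)(?=^\S|\Z)", doc)
        filters = re.findall(r"(?m)^\s*-\s+(.+)$", block.group(1)) if block else []
        profiles.append({"name": field(doc, "name"), "duration": field(doc, "duration"),
                         "stop": field(doc, "on_success") == "break", "filters": filters})
    return profiles

def audit(text, scenario, want):
    """Return 'ok', 'missing' or 'shadowed by <profile>' for ban `want` on `scenario`."""
    stopper = None
    for p in parse_profiles(text):
        named = any(f'"{scenario}"' in f for f in p["filters"])      # text heuristic
        catch_all = any("GetScenario()" not in f for f in p["filters"])
        if named and p["duration"] == want:
            return f"shadowed by {stopper}" if stopper else "ok"
        if stopper is None and p["stop"] and (named or catch_all):
            stopper = p["name"]   # on_success: break ends evaluation here
    return "missing"
```

Running `audit()` against the real profiles.yaml after each package update reports `missing` when the file has been reset to the 4h default, and `shadowed by ...` when the custom profile needs to move above the default one.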