My Crowdsec server receives many alerts; I'd like to forward to Crowdsec only those with a decision. Is it possible? How?
Could you elaborate on what you mean, as in alerts shown in the console?
If so, not really. You can use cscli console disable to disable sending custom, manual or tainted alerts; however, there isn't an option for ones without decisions.
Thank you. My agent generates one alert each time a bad URL is called (such as phpinfo.php, ...) and sends a decision when there are more than X alerts in Y minutes (looking at alerts using the API). These alerts are very "local", no need to push them to the console; only decisions are useful.
So is this a custom scenario you crafted?
Yes, I built an agent for Lemonldap-NG (LLNG Crowdsec Agent). Its logic is:
- push an alert for each bad behavior
- when X alerts during Y seconds, the new alert is a ban decision
Is it a good way ?
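The "X alerts in Y seconds, then a ban decision" logic described in the post above, written out as a sliding-window counter. This is an added example, not code from the LLNG Crowdsec Agent; the `EscalationTracker` and `classify` names, the sample requests and the shape of the decision record (scope/value/type/duration) are all assumptions made for illustration, not a copy of the LAPI schema.

```python
"""Sliding-window escalation: one alert per bad request, a ban decision
once `threshold` bad requests from the same source fall within `window_seconds`.
Added example, not the LLNG Crowdsec Agent's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class EscalationTracker:
    """Per-source sliding window over bad-request timestamps (hypothetical helper)."""

    def __init__(self, threshold: int, window_seconds: int):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)  # source -> timestamps, oldest first

    def record(self, source: str, ts: datetime) -> int:
        """Record one bad request and return how many hits remain inside the window."""
        q = self._hits[source]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:  # evict hits that fell out of the window
            q.popleft()
        return len(q)

    def reset(self, source: str) -> None:
        """Forget a source once a decision has been emitted, so the next ban needs X new hits."""
        self._hits.pop(source, None)


def classify(events, threshold=3, window_seconds=60, ban_seconds=3600):
    """Turn (source_ip, timestamp, path) tuples into alert or decision records.

    Every bad request yields an 'alert' record; the request that pushes the
    source over `threshold` within the window yields a 'decision' record instead.
    """
    tracker = EscalationTracker(threshold, window_seconds)
    results = []
    for source, ts, path in events:
        count = tracker.record(source, ts)
        record = {"source": source, "path": path, "ts": ts.isoformat(), "count": count}
        if count >= threshold:
            record["kind"] = "decision"
            # Hypothetical decision shape; not a verbatim LAPI payload.
            record["decision"] = {
                "scope": "Ip",
                "value": source,
                "type": "ban",
                "duration": f"{ban_seconds}s",
            }
            tracker.reset(source)
        else:
            record["kind"] = "alert"
        results.append(record)
    return results


# Constructed sample traffic (not real logs): one noisy source, one one-off probe.
_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("203.0.113.7", _T0, "/phpinfo.php"),
    ("203.0.113.7", _T0 + timedelta(seconds=10), "/.env"),
    ("198.51.100.9", _T0 + timedelta(seconds=15), "/phpinfo.php"),
    ("203.0.113.7", _T0 + timedelta(seconds=20), "/wp-login.php"),   # 3rd hit in 60s -> ban
    ("203.0.113.7", _T0 + timedelta(seconds=30), "/phpinfo.php"),    # window reset after ban
    ("203.0.113.7", _T0 + timedelta(seconds=200), "/phpinfo.php"),   # earlier hit aged out
]


def run_example():
    """Classify the constructed events with X=3, Y=60s."""
    return classify(SAMPLE_EVENTS, threshold=3, window_seconds=60)


if __name__ == "__main__":
    for r in run_example():
        print(r["kind"], r["source"], r["count"], r["path"])
```

The point of the eviction loop and the reset is the edge case the thread is about: without them a single slow-but-steady source would either never age out of the window or be re-banned on every request after the first decision.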
Well, "good way" is purely your own opinion; the problem is that pushing any alerts means they will always go to the console.
So it depends on whether you want to see "each bad behavior", as you're bypassing the log processor component of the security engine, which handles this monitoring and the eventual triggering of the bad behavior.