Profiles configuration

Hello,

I have an issue with the profiles configuration. I have the default profiles.yaml file in /etc/crowdsec/profiles.yaml. I want to use my own profiles.yaml in /etc/crowdsec/profiles/profiles.yaml like this:

name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 8h
on_success: break

I have updated the config.yaml file to change the profiles_path variable to mine. But when I look at the decisions (cscli decisions list) I see the ban for my IP for 4h. Can someone help me please? I've tried a lot of configurations but it's not working.

Thanks in advance,

Hello,

Just to make sure, have you reloaded/restarted crowdsec after updating the configuration?

Updating your profile will only apply the updated ban duration to new bans; existing bans will expire after the old duration.

Also, profiles are not applied when you manually add a ban with cscli, you have to trigger an actual scenario, this might be your issue.

Hello blotus,

Thanks for your answer. Yes, I restarted the crowdsec container and also deleted the IP manually to test the profiles again, but it is not working. I'm using an HTTP parser with scenarios; both are working. I only have the issue with the profile, which always takes the default 4h ban.

Please, any help? It is urgent.

Sorry, I missed your last reply.

I was not able to reproduce your issue locally.

What is your crowdsec version?
Does /etc/crowdsec/profiles.yaml still exist?
What is the value of profiles_path in /etc/crowdsec/config.yaml?

You can also just update the default profile and keep the default config.yaml, it would also work.

Hello Blotus,

Yes, /etc/crowdsec/profiles.yaml still exists. I tried to modify it as well but it doesn't work. My crowdsec version is v1.1.1 under docker. In my /etc/crowdsec/conf.d/config.yaml the profiles_path is /etc/crowdsec/profiles/profiles.yaml, because I use a custom profile located in /etc/crowdsec/profiles/profiles.yaml.

config.yaml (screenshot)

profiles.yaml (screenshot)

Thanks.

How do you run your container?
By default, crowdsec will only look in /etc/crowdsec/config.yaml for its main configuration, not in /etc/crowdsec/conf.d/config.yaml.
If you want to use this configuration file, you will have to pass it with the -c flag.

Yes, I use the crowdsec -c /etc/crowdsec/conf.d/config.yaml -dsn file:///etc/crowdsec/tests/httpd.log -type crowdsecurity/http-w00tw00t command to specify my custom config file.

I can see that my scenario matched with parsers. But the profiles always take the default ban duration (4h)

Can you show the output of cscli config show? It seems that your profiles.yaml isn't taken into account.

Thanks

I know that the profiles.yaml file is located in the default path /etc/crowdsec/profiles.yaml. But when I launch the scenario test I use my own config with the crowdsec -c /etc/crowdsec/conf.d/config.yaml -dsn file:///etc/crowdsec/tests/httpd.log -type crowdsecurity/http-w00tw00t command. And in my config.yaml file the profiles file is located at /etc/crowdsec/profiles/profiles.yaml. So it should work, right?

With the -c flag (screenshot)

Thanks

Hello,

Please keep in mind that the profiles are evaluated by the local API and not by the crowdsec agent.
Is your local API running with the configuration pointing to your alternative profiles config?

I'm sure I understand your setup completely; this sounds like a configuration issue rather than a bug, but looking forward to solving it with you :slight_smile:
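As an added illustration of that point (not posted in this thread): in the crowdsec config.yaml, profiles_path is a setting of the api.server block, i.e. of the local API. The file paths and the 8h profile below are taken from the thread; the listen_uri value is an assumption.

```yaml
# /etc/crowdsec/conf.d/config.yaml (fragment): the process that serves the
# local API is the one that must be started with this file (-c), because
# the LAPI, not the agent, turns alerts into decisions using profiles_path.
api:
  server:
    listen_uri: 127.0.0.1:8080        # assumed value
    profiles_path: /etc/crowdsec/profiles/profiles.yaml

# /etc/crowdsec/profiles/profiles.yaml: the custom profile from the thread.
# If the running LAPI still reads /etc/crowdsec/profiles.yaml, the default
# 4h duration applies and this file is never consulted.
---
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 8h
on_success: break
```

Checking cscli config show against the long-running service (not the one-shot agent run with -dsn) shows which profiles_path is actually in effect.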

Thanks for your answer thibault, how can I know if my local API is running with the configuration pointing to my alternative profiles config? :slight_smile:
Because I thought I only had to put the profiles_path in my custom config.yaml, if I refer to the documentation. I have a local_api_credentials.yaml file but it is only for credentials.

The local API is usually the "long running" process that will receive alerts from the agent. So it's a bit hard to tell without knowing your setup. Typically, if you have the crowdsec service running "in the background", what is relevant would be the configuration with which this service runs.

Hope I make sense :sweat_smile: