Simulation not working for some scenarios

apass · March 9, 2022, 2:10pm

Hi,
I’d like to use simulation only for some scenarios so my simulation.yaml file is

simulation: false
exclusions:
- whoami/custom_fd
- whoami/custom_fd_2

I haven’t yet installed a bouncer because I’m testing crowdsec but the decision list shows “ban” for all the scenarios instead of “(simul)ban”.

If I invert the simulation with “simulation: true” in the file (except the excluded scenarios) it simulated every scenario (including what I excluded).

What’s wrong?

Thanks in advance.

alteredCoder · March 10, 2022, 1:46pm

Hello,

This should not be the behavior. I will try to reproduce the issue and will come back to you.

alteredCoder · March 10, 2022, 6:00pm

Hello, i think i managed to reproduce.

When i run cscli alerts list i can see the alert without the (simul)ban.
But when i run cscli decisions list i can’t see the decisions.
Is it also your issue ?

I think it is just a display problem rather than a bug with the simulation mode. I will check this tomorrow.

I open an issue for this.

apass · March 11, 2022, 8:26am

Hi,
no, in my case the output of cscli alerts list and the cscli decisions list are equal.
I have disabled simulation except for two scenarios but in one of them the alert reports “ban: 1” and the decision “ban”.

apass · March 11, 2022, 3:07pm

Another evidence: with cscli simulation status i got:

INFO[11-03-2022 04:03:31 PM] global simulation: disabled                  
INFO[11-03-2022 04:03:31 PM] Scenarios in simulation mode :               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd1               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd2               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd3

but with cscli alerts inspect ID -d of an event related to the custom scenario whoami/custom_fd1 I got these headers:

- ID         : 533
 - Date       : 2022-03-11T14:59:26Z
 - Machine    : machine
 - Simulation : false
 - Reason     : whoami/custom_fd1
...

alteredCoder · March 11, 2022, 3:33pm

Hello @apass ,

I think there is a bug with the simulation mode and custom scenario. I will try to reproduce/fix it asap.

alteredCoder · March 11, 2022, 3:53pm

I managed to reproduce the issue. I opened an issue on Github and will fix this.

alteredCoder · March 11, 2022, 4:41pm

Hello, it seems more complicated than expected to fix the issue.
Currently, the workaround is to put the name of the scenario file instead of the name of the scenario.

For example, if your scenario whoami/custom_fd1 is in a file called custom_fd1.yaml, then you should enable the simulation like this:

sudo cscli simulation enable custom_fd1.yaml

And this should work.

klausagnoletti · March 14, 2022, 11:04am

@apass Can you confirm that the proposed solution works?

apass · March 14, 2022, 11:17am

@klausagnoletti Yes, it works!

Thanks!

Topic		Replies	Views
Cannot enable simulation mode for custom scenarios	6	139	April 3, 2024
Scenarios vs bouncers? crowdsec	6	574	July 6, 2023
Decision not listed crowdsec	9	59	November 11, 2024
How to work out why a ban occured crowdsec	2	2103	May 30, 2022
Decisions are not blocked in pf crowdsec	2	724	July 24, 2022

Simulation not working for some scenarios

Related topics