Simulation not working for some scenarios

crowdsec
1

Hi,
I’d like to use simulation only for some scenarios so my simulation.yaml file is

simulation: false
exclusions:
- whoami/custom_fd
- whoami/custom_fd_2

I haven’t yet installed a bouncer because I’m testing crowdsec but the decision list shows “ban” for all the scenarios instead of “(simul)ban”.

If I invert the simulation with “simulation: true” in the file (except the excluded scenarios) it simulated every scenario (including what I excluded).

What’s wrong?

Thanks in advance.

2

Hello,

This should not be the behavior. I will try to reproduce the issue and will come back to you.

3

Hello, i think i managed to reproduce.

When i run cscli alerts list i can see the alert without the (simul)ban.
But when i run cscli decisions list i can’t see the decisions.
Is it also your issue ?

I think it is just a display problem rather than a bug with the simulation mode. I will check this tomorrow.

I open an issue for this.

4

Hi,
no, in my case the output of cscli alerts list and the cscli decisions list are equal.
I have disabled simulation except for two scenarios but in one of them the alert reports “ban: 1” and the decision “ban”.

5

Another evidence: with cscli simulation status i got:

INFO[11-03-2022 04:03:31 PM] global simulation: disabled                  
INFO[11-03-2022 04:03:31 PM] Scenarios in simulation mode :               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd1               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd2               
INFO[11-03-2022 04:03:31 PM]   - whoami/custom_fd3

but with cscli alerts inspect ID -d of an event related to the custom scenario whoami/custom_fd1 I got these headers:

- ID         : 533
 - Date       : 2022-03-11T14:59:26Z
 - Machine    : machine
 - Simulation : false
 - Reason     : whoami/custom_fd1
...
6

Hello @apass ,

I think there is a bug with the simulation mode and custom scenario. I will try to reproduce/fix it asap.

7

I managed to reproduce the issue. I opened an issue on Github and will fix this.

8

Hello, it seems more complicated than expected to fix the issue.
Currently, the workaround is to put the name of the scenario file instead of the name of the scenario.

For example, if your scenario whoami/custom_fd1 is in a file called custom_fd1.yaml, then you should enable the simulation like this:

sudo cscli simulation enable custom_fd1.yaml

And this should work.

9

@apass Can you confirm that the proposed solution works?

10

@klausagnoletti Yes, it works!

Thanks!