crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Improvement/ Warning when no profile was applied #1137

Open zotornit opened 2 years ago

zotornit commented 2 years ago

Is your feature request related to a problem? Please describe. I accidentally removed the default profile from profiles.yaml. I created a custom docker image copying an edited profiles.yaml to the image. When CS created the alert, the decision field was empty, which resulted in nothing happening when a scenario was triggered.

Describe the solution you'd like a) Auto fallback to the default profile when no profile could be applied for the alert, or b) Probably better: Warning/Alert in the logfiles when no profile could be applied for the alert

Additional context

/ # cscli alerts list
+-----+------------------------------+------------------------------------+---------+--------------------------------+-----------+-------------------------------+
| ID  |            VALUE             |               REASON               | COUNTRY |               AS               | DECISIONS |          CREATED AT           |
+-----+------------------------------+------------------------------------+---------+--------------------------------+-----------+-------------------------------+
| 148 | Ip:94.16.xx.xx               | crowdsecurity/ssh-bf               | DE      | 15598                          |           | 2021-12-30 12:00:51 +0000 UTC |
| 146 | Ip:94.16.xx.xx               | crowdsecurity/postfix-spam         | DE      | 15598                          | ban:1     | 2021-12-30 11:15:47 +0000 UTC |

In my case I have only a profile for crowdsecurity/postfix-spam. Since the default profile was missing the alert for crowdsecurity/ssh-bf was created without DECISIONS - just empty.

I think when the profiles.yaml is processed and not a single profile could be applied for an alert, then CS is in an illegal state and should handle that (by informing the admin). Basically it's an illegal misconfiguration, isn't it?

buixor commented 2 years ago

Hello @zotornit !

I wouldn't consider it an illegal configuration, people could use it for pure alerting or detection. However, it might be interesting to indeed have a log if an alert didn't hit any profile.
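As an added illustration of the behaviour discussed in this issue (example code, not CrowdSec's own implementation), the following Python models a profiles.yaml-style chain being evaluated against an alert and adds the warning requested above when nothing matches. It assumes a simplified matcher: real CrowdSec profiles use `expr` filter expressions, whereas here a profile matches on scenario name only, with an empty scenario list standing in for the catch-all default profile. The profiles, the alert and the IP address are constructed to mirror the reporter's setup (a postfix-spam-only profile with the default profile removed); `lint_profiles` is a hypothetical startup check that stays advisory, since, as noted in the reply, a profile set that never bans is a legitimate pure-alerting configuration.

```python
"""Simplified profile evaluation with a 'no profile matched' warning.

Added example, not CrowdSec code. Assumption: profiles match on scenario
name only; an empty `scenarios` tuple means match-all (like the stock
default profile). All data below is constructed for the demonstration.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("profiles")


@dataclass
class Alert:
    scenario: str   # e.g. "crowdsecurity/ssh-bf"
    scope: str      # "Ip", "Range", ...
    value: str      # offending value, e.g. the source IP


@dataclass
class Profile:
    name: str
    scenarios: tuple = ()   # () = catch-all profile
    decisions: tuple = ()   # e.g. ({"type": "ban", "duration": "4h"},)
    on_success: str = "break"  # stop evaluating further profiles on a match


def profile_matches(profile: Profile, alert: Alert) -> bool:
    """Simplified stand-in for the expr filter: match-all or by scenario name."""
    return not profile.scenarios or alert.scenario in profile.scenarios


def apply_profiles(profiles, alert):
    """Walk the profile chain; return (decisions, names of matched profiles).

    Emits a warning when no profile applied, which is the gap the issue
    describes: the alert is stored, but with an empty DECISIONS column.
    """
    decisions, matched = [], []
    for p in profiles:
        if not profile_matches(p, alert):
            continue
        matched.append(p.name)
        for d in p.decisions:
            decisions.append({**d, "scope": alert.scope, "value": alert.value})
        if p.on_success == "break":
            break
    if not matched:
        log.warning("alert %s on %s:%s matched no profile; no decision taken",
                    alert.scenario, alert.scope, alert.value)
    return decisions, matched


def lint_profiles(profiles):
    """Advisory startup check: None if a catch-all profile exists, else a
    warning string listing the only scenarios that can produce decisions."""
    if any(not p.scenarios for p in profiles):
        return None
    covered = sorted({s for p in profiles for s in p.scenarios})
    return ("no catch-all profile configured; only alerts for %s will "
            "produce decisions" % ", ".join(covered))


# Constructed profiles: the reporter's case (default profile removed) and
# the same chain with a default profile restored.
POSTFIX_ONLY = Profile("postfix_spam_ban", ("crowdsecurity/postfix-spam",),
                       ({"type": "ban", "duration": "4h"},))
DEFAULT = Profile("default_ip_remediation", (),
                  ({"type": "ban", "duration": "4h"},))
PROFILES_FROM_ISSUE = [POSTFIX_ONLY]
PROFILES_FIXED = [POSTFIX_ONLY, DEFAULT]

# Constructed alert; 192.0.2.10 is a documentation-range address.
SSH_ALERT = Alert("crowdsecurity/ssh-bf", "Ip", "192.0.2.10")

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    print("lint (issue config):", lint_profiles(PROFILES_FROM_ISSUE))
    print("issue config ->", apply_profiles(PROFILES_FROM_ISSUE, SSH_ALERT))
    print("fixed config ->", apply_profiles(PROFILES_FIXED, SSH_ALERT))
```

Running it shows the two outcomes side by side: with only the postfix-spam profile the ssh-bf alert yields an empty decision list plus a warning line in the log, while the chain with the default profile restored produces a ban decision from `default_ip_remediation`. The lint warning makes the same condition visible at startup without treating it as an error.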