crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
9.06k stars, 467 forks

Notifications should show, if simulation is enabled #2042

Closed saz closed 1 year ago

saz commented 1 year ago

What would you like to be added?

Show simulation status in notifications

/kind enhancement

Why is this needed?

If an IP gets blocked, it's visible in the decision list whether a ban is just simulated or not

╭──────────┬──────────┬───────────────────┬──────────────────────────────────────┬────────────┬─────────┬────────────────────┬────────┬────────────────────┬──────────╮
│    ID    │  Source  │    Scope:Value    │                Reason                │   Action   │ Country │         AS         │ Events │     expiration     │ Alert ID │
├──────────┼──────────┼───────────────────┼──────────────────────────────────────┼────────────┼─────────┼────────────────────┼────────┼────────────────────┼──────────┤
│ 64657143 │ crowdsec │ Ip:0.0.0.0        │ crowdsecurity/http-crawl-non_statics │ (simul)ban │ DE      │ 3209 Vodafone GmbH │ 75     │ 3h34m15.891619088s │ 2992647  │
╰──────────┴──────────┴───────────────────┴──────────────────────────────────────┴────────────┴─────────┴────────────────────┴────────┴────────────────────┴──────────╯

Note the (simul)ban part.

We've got Slack notifications enabled, and this is the message posted to the channel:

:flag-DE: [0.0.0.0](https://www.whois.com/whois/0.0.0.0) will get ban for next 4h for  triggering crowdsecurity/http-crawl-non_statics. [Shodan](https://www.shodan.io/host/0.0.0.0)

This looks as if the IP got blocked, but that's not the case. Looking at other notifications, they seem to have the same "issue", and it would be great if there's either no notification sent out for a simulation (btw, is this configurable somewhere?) or it's shown within the notification that it's just a simulation.

github-actions[bot] commented 1 year ago

@saz: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
github-actions[bot] commented 1 year ago

@saz: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
LaurenceJJones commented 1 year ago

The alert object has the simulated flag; you would need to use that within your format template. If you are using the default Slack one, you can see the modified versions below.

format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {{if $alert.Source.Cn -}}
  :flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}>  will {{ ternary "not" "" $alert.Simulated }} get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://app.crowdsec.net/cti/{{.Value}}|CrowdSec CTI>{{end}}
  {{if not $alert.Source.Cn -}}
  :pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will {{ ternary "not" "" $alert.Simulated }} get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.  <https://app.crowdsec.net/cti/{{.Value}}|CrowdSec CTI>{{end}}
  {{end -}}
  {{end -}}

So the end result string will be :flag-TW: 10.10.10.10 will not get ban for next 4h for triggering crowdsecurity/ssh-slow-bf on machine '<generic machine id>'.

OR if you want to prefix it with SIMULATED in front of the alert:

format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {{if $alert.Simulated}}SIMULATED {{end -}}
  {{if $alert.Source.Cn -}}
  :flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}>  will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://app.crowdsec.net/cti/{{.Value}}|CrowdSec CTI>{{end}}
  {{if not $alert.Source.Cn -}}
  :pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.  <https://app.crowdsec.net/cti/{{.Value}}|CrowdSec CTI>{{end}}
  {{end -}}
  {{end -}}

Example output: SIMULATED :flag-TW: 10.10.10.10 will not get ban for next 4h for triggering crowdsecurity/ssh-slow-bf on machine '<generic machine id>'.

saz commented 1 year ago

I saw that I'm able to change the format, but I think it's quite confusing, to get a notification without this information in there, as it might trigger some action, even if it's not required :-)

LaurenceJJones commented 1 year ago

> I saw that I'm able to change the format, but I think it's quite confusing, to get a notification without this information in there, as it might trigger some action, even if it's not required :-)

The format provided is just an example; we can't cover everyone's use cases in an example. I do agree, making simulation events not send a notification would be beneficial. However, it could then confuse people when they expect to see an alert 🤷🏻. This needs to be explored, as adding additional config to profiles is complicated; maybe adding a global config.

LaurenceJJones commented 1 year ago

Evaluated this with the team we have decided that if you don't want to receive a notification based on the simulated flag then you should update your profiles to cater for this.

Example below:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && !Alert.Simulated
decisions:
 - type: ban
   duration: 4h
#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break

There was no need to add any configuration options, as we can evaluate this within the filter itself. If you do want to notify but show it as simulated, those examples are shown above.
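As an added example, not code from this thread or from CrowdSec itself, the following Go program renders the two template styles from LaurenceJJones' first reply over two constructed alerts and then applies the profile filter from the last comment. It assumes a stand-in Alert struct (not crowdsec's models.Alert) whose Simulated field is a *bool, which is how go-swagger emits required booleans (verify against the version you run), a ternary function with sprig's signature, and that the notification broker executes the format: template over the batch of alerts roughly as render does here. The point it shows: text/template dereferences a *bool when it is passed as a function argument (so the ternary variant is correct), but a bare {{if $alert.Simulated}} on a pointer is true whenever the pointer is non-nil, so the SIMULATED prefix would fire on every alert.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed stand-in for the alert fields this thread's templates and profile use;
// not crowdsec's models.Alert. Simulated is a *bool on purpose: go-swagger emits
// required booleans as pointers (assumption; check the version you run).
type Source struct{ Cn string }
type Decision struct{ Type, Value, Duration, Scenario string }
type Alert struct {
	MachineID, Scope string
	Remediation      bool
	Simulated        *bool
	Source           *Source
	Decisions        []Decision
}

func (a *Alert) GetScope() string { return a.Scope } // helper the profile filter calls
func boolPtr(b bool) *bool        { return &b }

// ternary has sprig's signature; the plain-bool parameter makes text/template
// dereference a *bool argument before the call.
func ternary(vt, vf interface{}, v bool) interface{} {
	if v {
		return vt
	}
	return vf
}

// The first template from the thread: "will not get ban" via ternary.
const ternaryFormat = `{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
{{if $alert.Source.Cn -}}
:flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will {{ ternary "not" "" $alert.Simulated }} get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.{{end}}
{{if not $alert.Source.Cn -}}
:pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will {{ ternary "not" "" $alert.Simulated }} get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.{{end}}
{{end -}}
{{end -}}
`

// prefixFormat builds the second template's "SIMULATED " prefix style around a
// condition: "$alert.Simulated" (bare pointer: true whenever non-nil) or
// "ternary true false $alert.Simulated" (dereferenced: true only when the value is true).
func prefixFormat(cond string) string {
	return `{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
{{if ` + cond + `}}SIMULATED {{end -}}
{{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}
{{end -}}
{{end -}}
`
}

// render executes a format over an alert batch with ternary registered, roughly as the
// notification broker does for the format: key of slack.yaml (assumption, not its code).
func render(format string, alerts []*Alert) (string, error) {
	tmpl := template.Must(template.New("notif").Funcs(template.FuncMap{"ternary": ternary}).Parse(format))
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, alerts)
	return buf.String(), err
}

// shouldNotify reproduces the profile filter from the last comment:
// Alert.Remediation == true && Alert.GetScope() == "Ip" && !Alert.Simulated
func shouldNotify(a *Alert) bool {
	return a.Remediation && a.GetScope() == "Ip" && !(a.Simulated != nil && *a.Simulated)
}

// notificationsFor applies the profile filter, then renders what survives.
func notificationsFor(format string, alerts []*Alert) (string, error) {
	var keep []*Alert
	for _, a := range alerts {
		if shouldNotify(a) {
			keep = append(keep, a)
		}
	}
	return render(format, keep)
}

// sampleAlerts is constructed input: a simulated ban with a country code and an
// enforced ban without one, on documentation-range addresses.
func sampleAlerts() []*Alert {
	return []*Alert{
		{MachineID: "web-01", Scope: "Ip", Remediation: true, Simulated: boolPtr(true), Source: &Source{Cn: "DE"},
			Decisions: []Decision{{"ban", "203.0.113.7", "4h", "crowdsecurity/http-crawl-non_statics"}}},
		{MachineID: "web-01", Scope: "Ip", Remediation: true, Simulated: boolPtr(false), Source: &Source{},
			Decisions: []Decision{{"ban", "198.51.100.9", "4h", "crowdsecurity/ssh-slow-bf"}}},
	}
}

func main() {
	for _, f := range []string{ternaryFormat, prefixFormat("$alert.Simulated"), prefixFormat("ternary true false $alert.Simulated")} {
		out, err := render(f, sampleAlerts())
		fmt.Printf("%s(err=%v)\n\n", out, err)
	}
	out, err := notificationsFor(ternaryFormat, sampleAlerts())
	fmt.Printf("after !Alert.Simulated filter:\n%s(err=%v)\n", out, err)
}
```

If Simulated is a pointer in the version you run, prefer `{{ ternary "SIMULATED " "" $alert.Simulated }}` or `{{if ternary true false $alert.Simulated}}` over a bare `{{if $alert.Simulated}}`, since only function arguments get dereferenced. The profile filter route from the last comment sidesteps the template question entirely: the alert never reaches the notification plugin.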