Add on_error and some example profiles

crowdsecurity · Oct 11, 2023 · 0f7800e · 0f7800e
1 parent c3bcf6f
commit 0f7800e
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 1 deletion.
diff --git a/crowdsec-docs/docs/profiles/captcha_profile.md b/crowdsec-docs/docs/profiles/captcha_profile.md
@@ -0,0 +1,51 @@
+---
+id: captcha_profile
+title: Captcha
+sidebar_position: 2
+---
+
+Here is an example of a profile that provides users with a captcha challenge when they trigger a HTTP scenario.
+
+```yaml
+name: captcha_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
+## Any scenario with http in its name will trigger a captcha challenge
+decisions:
+ - type: captcha
+   duration: 4h
+on_success: break
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
+on_success: break
+```
+
+However, you may want to provide a limit to captcha challenges within a period of time to a given IP address because they may ignore your captcha challenges and still cause load on your server.
+
+You can use the `GetDecisionsCount` or `GetDecisionsSinceCount` helper to achieve this:
+
+```yaml
+name: captcha_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http" && GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3
+## Same as above but only 3 captcha decision per 24 hours before ban
+decisions:
+ - type: captcha
+   duration: 4h
+on_success: break
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
+on_success: break
+```
diff --git a/crowdsec-docs/docs/profiles/cti_profile.md b/crowdsec-docs/docs/profiles/cti_profile.md
@@ -0,0 +1,64 @@
+---
+id: cti_profile
+title: CrowdSec CTI
+sidebar_position: 2
+---
+
+Here is an example of a profile that uses the CTI module to make decisions based on the background noise score of an IP address.
+
+:::info
+You **MUST** configure the CTI beforehand, see [CTI helpers](/expr/cti_helpers.md).
+:::
+
+```yaml
+name: high_bn_score
+on_error: continue
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" && CrowdsecCTI(Alert.GetValue()).GetBackgroundNoiseScore() > 6 && !CrowdsecCTI(Alert.GetValue()).IsFalsePositive()
+decisions:
+ - type: ban
+   duration: 24h
+on_success: break
+---
+name: mid_bn_score
+on_error: continue
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" && CrowdsecCTI(Alert.GetValue()).GetBackgroundNoiseScore() >= 3 && !CrowdsecCTI(Alert.GetValue()).IsFalsePositive()
+decisions:
+ - type: ban
+   duration: 12h
+on_success: break
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
+on_success: break
+```
+
+You could also use the background noise within the `duration_expr` to make the ban duration proportional to the background noise score:
+
+```yaml
+---
+name: bn_score
+on_error: continue
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" && CrowdsecCTI(Alert.GetValue()).GetBackgroundNoiseScore() > 0 && !CrowdsecCTI(Alert.GetValue()).IsFalsePositive()
+decisions:
+ - type: ban
+   duration: 12h
+duration_expr: "Sprintf('%dm', (240 + (144 * CrowdsecCTI(Alert.GetValue()).GetBackgroundNoiseScore()))"
+## 240 minutes (4 hours) + 144 minutes (2 hours) per point of background noise score
+on_success: break
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+on_success: break
+```
diff --git a/crowdsec-docs/docs/profiles/format.md b/crowdsec-docs/docs/profiles/format.md
@@ -131,6 +131,16 @@ on_failure: break
 
 If the profile didn't apply and `on_failure` is set to `break`, decisions processing will stop here and it won't evaluate against following profiles.
 
+### `on_error`
+
+```yaml
+on_error: continue
+```
+
+If the filter expression generates an error, this would normally stop the alert from being processed to prevent a potential unwanted outcome.
+
+However, there may be some expressions that do generate expected errors for example, when using the [CTI helpers](/expr/cti_helpers.md) it may throw a rate limit error.
+
 ### `notifications`
 
 ```yaml

diff --git a/crowdsec-docs/sidebars.js b/crowdsec-docs/sidebars.js
@@ -291,7 +291,17 @@
                 type: "doc",
                 id: "profiles/intro",
             },
-            items: ["profiles/format"],
+            items: [
+                "profiles/format",
+                {
+                    type: "category",
+                    label: "Examples",
+                    items: [
+                        "profiles/cti_profile",
+                        "profiles/captcha_profile",
+                    ],
+                }
+            ],
         },
         {
             type: "category",