From c9b2d723d8c611f124b2238174884acf2fd5e2c7 Mon Sep 17 00:00:00 2001
From: Aykhan Shahsuvarov
Date: Sun, 17 May 2026 13:52:59 +0400
Subject: [PATCH] crowdsec: add profiles/profiles.yaml

---
 crowdsec/docker-compose.yaml | 1 +
 crowdsec/profiles/profiles.yaml | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 crowdsec/profiles/profiles.yaml

diff --git a/crowdsec/docker-compose.yaml b/crowdsec/docker-compose.yaml
index b0b2646..3932416 100644
--- a/crowdsec/docker-compose.yaml
+++ b/crowdsec/docker-compose.yaml
@@ -36,6 +36,7 @@ services:
 - ./data/db:/var/lib/crowdsec/data
 - ./data/config:/etc/crowdsec
 - ./acquis.d:/etc/crowdsec/acquis.d:ro
+ - ./profiles/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
 - ./parsers/s00-raw/stalwart-logs.yaml:/etc/crowdsec/parsers/s00-raw/stalwart-logs.yaml:ro
 - ./parsers/s01-parse/stalwart-logs-extended.yaml:/etc/crowdsec/parsers/s01-parse/stalwart-logs-extended.yaml:ro
 - ./parsers/s02-enrich/whitelist-trusted.yaml:/etc/crowdsec/parsers/s02-enrich/whitelist-trusted.yaml:ro
diff --git a/crowdsec/profiles/profiles.yaml b/crowdsec/profiles/profiles.yaml
new file mode 100644
index 0000000..5eeb24d
--- /dev/null
+++ b/crowdsec/profiles/profiles.yaml
@@ -0,0 +1,18 @@
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+duration_expr: Sprintf('%dh', min(168, (GetDecisionsCount(Alert.GetValue())+1)*4))
+decisions:
+ - type: ban
+ duration: 4h
+on_success: break
+
+---
+name: default_range_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+duration_expr: Sprintf('%dh', min(168, (GetDecisionsCount(Alert.GetValue())+1)*4))
+decisions:
+ - type: ban
+ duration: 4h
+on_success: break
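Review bot: The added `+ - ./profiles/profiles.yaml:/etc/crowdsec/profiles.yaml:ro` line layers a single host file over the `/etc/crowdsec` directory that the `./data/config` mount two lines above already provides, and with the short volume syntax Docker creates an empty directory at a missing host path, so a checkout or deployment that lacks `./profiles/profiles.yaml` would hand CrowdSec a directory where it expects its profiles file and most likely fail at startup instead of falling back to the defaults in `./data/config`. The file is committed alongside this change, so this is a hardening point rather than a bug today, but the long-form syntax with `create_host_path: false` turns that silent directory creation into an explicit compose error. The `volumes:` list and the service that owns it begin before this hunk.
```yaml
      - ./acquis.d:/etc/crowdsec/acquis.d:ro
      - type: bind
        source: ./profiles/profiles.yaml
        target: /etc/crowdsec/profiles.yaml
        read_only: true
        bind:
          create_host_path: false
      # … unchanged: parser bind mounts …
```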
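Review bot: Neither profile documents the escalation policy, so a reader has to decode `duration_expr` to learn that a first alert gets a 4h ban, each existing decision for the same value adds another 4h, and `min(168, …)` caps it at seven days; I would put a header comment above the first `name:` stating exactly that, and a comment beside each `duration: 4h` saying it is only the fallback applied when `duration_expr` fails to evaluate. Because `GetDecisionsCount` appears to count every past decision for the value rather than recent ones, a host with a long history jumps straight to the 168h cap on its next alert, which is probably intended but is worth stating in that comment. Both filters match only the `Ip` and `Range` scopes, so an alert with `Remediation == true` on any other scope (a user- or session-scoped scenario, if one is ever enabled alongside the Stalwart parsers) matches no profile and produces no decision; either record that this is deliberate or add a trailing catch-all profile so the gap is visible.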