crowdsec: add profiles/profiles.yaml

crowdsec/docker-compose.yaml

@@ -36,6 +36,7 @@ services:
       - ./data/db:/var/lib/crowdsec/data
       - ./data/config:/etc/crowdsec
       - ./acquis.d:/etc/crowdsec/acquis.d:ro
+      - ./profiles/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
       - ./parsers/s00-raw/stalwart-logs.yaml:/etc/crowdsec/parsers/s00-raw/stalwart-logs.yaml:ro
       - ./parsers/s01-parse/stalwart-logs-extended.yaml:/etc/crowdsec/parsers/s01-parse/stalwart-logs-extended.yaml:ro
       - ./parsers/s02-enrich/whitelist-trusted.yaml:/etc/crowdsec/parsers/s02-enrich/whitelist-trusted.yaml:ro

crowdsec/profiles/profiles.yaml

@@ -0,0 +1,18 @@
+name: default_ip_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+  - type: ban
+    duration: 4h
+    duration_expr: Sprintf('%dh', min(168, (GetDecisionsCount(Alert.GetValue())+1)*4))
+on_success: break
+
+---
+name: default_range_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Range"
+decisions:
+  - type: ban
+    duration: 4h
+    duration_expr: Sprintf('%dh', min(168, (GetDecisionsCount(Alert.GetValue())+1)*4))
+on_success: break