
Overwrite scenarios from Crowdsec hub with .local - file

Open onlynow2 opened this issue 8 months ago • 3 comments

What would you like to be added?

/kind enhancement

I haven't found a way to load *.local files to alter scenarios downloaded from the crowdsec hub. The documentation reads, overwriting values is only possible for profiles.yaml and a couple more (https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration#overriding-values).

It would be really helpful to implement the same for other files like scenario specific ones or similar.

Why is this needed?

This way one could keep the hub connection to get updates, but still change values (e.g. leakspeed or capacity) to their own preferences.

onlynow2 avatar Mar 23 '25 16:03 onlynow2

@onlynow2: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self-resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot] avatar Mar 23 '25 16:03 github-actions[bot]

@onlynow2: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind bug
  • /kind packaging

github-actions[bot] avatar Mar 23 '25 16:03 github-actions[bot]

This is not hard to implement but would require a review of what we mean by local/tainted/up-to-date items, and has several edge cases.

mmetc avatar Mar 25 '25 12:03 mmetc

I also would like this.

Currently I've just had another genuine user get an IP ban due to failed ssh logins.

They actually only failed twice, but because crowdsecurity/sshd-logs triggers on so much it treated this as failing six times, and with the default capacity: 5 in ssh-bf.yaml that resulted in a ban.

I want to change this to 10, to allow 3 failed attempts before the next will cause a ban. But as it is, according to https://discourse.crowdsec.net/t/is-there-a-way-to-customize-config-for-collecttions-szenarios/1981/3 , the only way to do this is to forgo future hub updates of this scenario.

Edge cases there might be, but right now I just want to override this single setting, but keep getting the benefits of future hub updates of the scenario.

I'd assume the implementation would be:

  1. Find scenario.
  2. Load main file for scenario.
  3. Check for .local file for scenario, and if it exists update any settings from the main file with those from this file.

I can see there being room for a warning on hub update of the scenario "you have local configuration overrides, check the scenario documentation in case they're no longer appropriate".

Athanasius avatar Jul 14 '25 11:07 Athanasius

Also, I might want to keep the crowdsecurity/ssh-bf_user-enum part of the ssh-bf scenario file, but just disable the crowdsecurity/ssh-bf part of it. I don't see a way to achieve this without editing the file and forgoing future hub updates.

Athanasius avatar Jul 14 '25 12:07 Athanasius

Hi

It would be nice to be able to override scenario values without changing config files.

For example, locally decreasing capacity for http-sensitive-files would remove thousands of lines from my servers' logs. 😉

Cyrille37 avatar Aug 09 '25 08:08 Cyrille37

/kind enhancement

Cyrille37 avatar Oct 29 '25 17:10 Cyrille37

Any news about this?

Cyrille37 avatar Oct 29 '25 17:10 Cyrille37

So to give you an overview context of what would need to be handled to get this off the ground:

  1. yaml patcher: We already have a generic implementation of a yaml patcher which can automatically find the .local variant, override the values and return the completed yaml struct, so this is already done, but we would need to test how the patcher handles multiple scenarios in the same file (probably wouldn't work).

     1a) yaml patcher block certain values? Should the yaml patcher block users from changing key elements of the scenario such as the filter or expression?

     If not, should we inform users that generating a .local variant with any value change will still class your signal as tainted by the consensus engine, as we cannot validate what you have overridden in the .local override?

     ref: https://docs.crowdsec.net/docs/next/central_api/community_blocklist#what-counts-as-a-signal

  2. Hub update: The hub updates must not use the yaml patcher to understand if the local variant is tainted, but should it:
     • Update the scenario contents no matter what the .local does?
     • Warn the user somehow? We already had a handful of users complain that our cron sent too many emails on tainting, so we switched over to systemd timers, but now users cannot get any notifications or information.

LaurenceJJones avatar Oct 30 '25 14:10 LaurenceJJones
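To make the discussion concrete, here is an added example (not CrowdSec's own code, nor the yaml patcher LaurenceJJones mentions) of the merge Athanasius sketched in the three steps above, applied to the edge cases LaurenceJJones raises: a file carrying several scenarios, overrides of keys like `filter` that change what the scenario matches, and the fact that any accepted override leaves the signal tainted. It assumes the hub file and the `.local` file have already been parsed into Python dicts by a YAML library; the `enabled: false` convention for dropping one scenario and the `BLOCKED_KEYS` set are assumptions for this example, not CrowdSec policy. The sample documents are constructed, loosely modelled on the ssh-bf.yaml values quoted in the thread.

```python
"""Merge per-scenario .local overrides into hub scenario documents.

Added example, not CrowdSec's code. Documents are assumed to be already
parsed YAML (lists of dicts), matched by their 'name' key.
"""
import copy

# Keys an override may not touch: changing them alters what the scenario
# matches (the "block certain values?" question above). Assumed set.
BLOCKED_KEYS = frozenset({"filter", "expression", "type"})


def deep_merge(base, override):
    """Return a copy of base with override applied recursively.

    Nested dicts are merged key by key; scalars and lists in override
    replace the base value outright. base is never mutated.
    """
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def apply_local(main_docs, local_docs):
    """Apply .local overrides to the hub documents, scenario by scenario.

    A local doc with 'enabled: false' drops that scenario (assumed
    convention). Blocked keys are rejected rather than merged. Returns
    (merged_docs, report); report lists every rejection, every dropped
    scenario and every accepted override, since any accepted override
    means the resulting signal counts as tainted.
    """
    overrides = {d["name"]: d for d in local_docs}
    merged, report = [], []
    for doc in main_docs:
        name = doc["name"]
        local = overrides.pop(name, None)
        if local is None:
            merged.append(copy.deepcopy(doc))
            continue
        if local.get("enabled", True) is False:
            report.append(f"{name}: disabled by .local")
            continue
        patch = {k: v for k, v in local.items() if k not in ("name", "enabled")}
        for key in sorted(set(patch) & BLOCKED_KEYS):
            report.append(f"{name}: override of '{key}' rejected")
            del patch[key]
        if patch:
            report.append(f"{name}: overrides {sorted(patch)} -> signal tainted")
        merged.append(deep_merge(doc, patch))
    for name in overrides:  # .local entries with no hub counterpart
        report.append(f"{name}: no matching hub scenario, override ignored")
    return merged, report


# Constructed hub file with two scenarios, roughly after ssh-bf.yaml.
HUB_SSH_BF = [
    {"name": "crowdsecurity/ssh-bf", "type": "leaky",
     "filter": "evt.Meta.log_type == 'ssh_failed-auth'",
     "groupby": "evt.Meta.source_ip", "capacity": 5, "leakspeed": "10s",
     "labels": {"service": "ssh", "remediation": True}},
    {"name": "crowdsecurity/ssh-bf_user-enum", "type": "leaky",
     "filter": "evt.Meta.log_type == 'ssh_failed-auth'",
     "groupby": "evt.Meta.source_ip", "distinct": "evt.Meta.target_user",
     "capacity": 5, "leakspeed": "10s"},
]

# Constructed .local file exercising all three paths: a capacity change
# plus a nested label change (accepted), a filter change (rejected), and
# a whole scenario switched off.
LOCAL_SSH_BF = [
    {"name": "crowdsecurity/ssh-bf", "capacity": 10,
     "labels": {"remediation": False}, "filter": "true"},
    {"name": "crowdsecurity/ssh-bf_user-enum", "enabled": False},
]


def demo():
    """Run the merge on the constructed samples."""
    return apply_local(HUB_SSH_BF, LOCAL_SSH_BF)


if __name__ == "__main__":
    docs, notes = demo()
    for d in docs:
        print(d["name"], "capacity", d["capacity"], "labels", d["labels"])
    for n in notes:
        print("warning:", n)
```

The report list is the piece a hub update could surface: it tells the operator which overrides survived the merge (and therefore which scenarios will report tainted signals) without the updater having to run the merge itself to decide whether the hub copy may be replaced.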

After reading @LaurenceJJones I understand overriding configuration of "official" scenarios must taint them to keep community alerts "standard". So overriding "official" scenarios is not a good idea, better is to write a custom one.

I hope I've understood correctly.

Cyrille37 avatar Oct 30 '25 14:10 Cyrille37