// Your module's code is very good; I'll have to be picky to suggest changes
==> crowdsec/src/Commands/CrowdSec.php
Are you going to call the refreshRemediation via a cron too?
==> crowdsec/src/Middleware.php
The message could contain this URL to unblock IP if people think it's a mistake: https://www.crowdsec.net/remove-ip-crowdsec-blocklist.
Their case will be studied, but it's very unlikely that someone's IP reached the blocklist by mistake.
It's just an option we offer; often we inform them that their device is infected by malware taking control for malicious activities
Question: won't this 403 trigger a signal? It's not critical but if it can be avoided, it'd be better
==> crowdsec/src/Form/Settings.php
::signalScenarios()
We could rename the signals and eventually split the whispers
::scenarios()
Looks good to me for a first version
::buildForm(...)
==> crowdsec/src/EventSubscriber/CrowdSec.php
::onResponse()
We need to check if 404 triggered by missing asset would generate this.
Ideally we'd send a signal only for a non-existing URL (or route)
We could split 4xx and 5xx in 2 types of signals
==> crowdsec/src/Buffer.php
::addWhisperSignal()
We're rethinking our whisper concept and your system may be the better version of it.
Your system is very good and we could use this to detect scans
So if we set a threshold of minimum 5 in a delay of 5 seconds this could work
==> MISC
Allowing to enroll in console
For the threshold system something that works fine in security to detect burst is the "leaky bucket"
Right now, you're removing whispers older than the range and checking if the count > threshold
the leaky bucket system is a little different, a bucket has:
This allows irregular bursts to be caught better by making the delay (range of time) about activity tolerance rather than a strict cut
In our agent we set up the capacity to 10 and the leak speed at 10s
We also have a notion of "blackhole" time (5m in our scan scenario case) meaning that we ignore this kind of alert for this attacking IP for 5 minutes. But this might be a bit heavier to implement, you don't have to do this.
Fixed
1.0
Code
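Added example, not code from the CrowdSec module or from the reviewer: a per-IP leaky bucket with the parameters quoted in the comment (capacity 10, leak speed 10s, 5-minute blackhole). The class and method names are hypothetical, and "leak speed 10s" is read here as one unit draining every 10 seconds, which is an assumption; the sample hits are constructed.

```php
<?php
// Added example (not the module's own code). Per-IP leaky bucket for burst
// detection plus a "blackhole" that silences repeat alerts for the same IP.
// Hypothetical names; the leak interpretation (1 unit per 10 s) is assumed.

final class LeakyBucketDetector {
  /** @var array<string, array{level: float, updated: int}> bucket per IP */
  private array $buckets = [];
  /** @var array<string, int> IP => timestamp until which alerts are suppressed */
  private array $blackholes = [];

  public function __construct(
    private int $capacity = 10,          // from the comment: capacity 10
    private float $leakInterval = 10.0,  // assumption: one unit leaks every 10 s
    private int $blackholeSeconds = 300  // from the comment: 5 minutes
  ) {}

  /**
   * Record one event (e.g. a 404 whisper) for $ip at unix time $now.
   * Returns TRUE when the bucket overflows and an alert should be emitted.
   */
  public function record(string $ip, int $now): bool {
    $bucket = $this->buckets[$ip] ?? ['level' => 0.0, 'updated' => $now];

    // Leak: the level drains continuously, 1 unit per $leakInterval seconds,
    // so a slow trickle never accumulates while a burst fills the bucket.
    $elapsed = max(0, $now - $bucket['updated']);
    $level = max(0.0, $bucket['level'] - $elapsed / $this->leakInterval);
    $level += 1.0;
    $this->buckets[$ip] = ['level' => $level, 'updated' => $now];

    if ($level <= $this->capacity) {
      return FALSE;
    }
    // Overflow: cap the level so the bucket cannot grow without bound.
    $this->buckets[$ip]['level'] = (float) $this->capacity;

    // Blackhole: ignore repeat alerts for this IP for the configured window.
    if (($this->blackholes[$ip] ?? 0) > $now) {
      return FALSE;
    }
    $this->blackholes[$ip] = $now + $this->blackholeSeconds;
    return TRUE;
  }
}

// Constructed sample input (not real traffic):
// 1) 11 hits within the same second from one IP overflow the bucket once.
// 2) A second burst one minute later falls inside the 5-minute blackhole.
// 3) A trickle of one hit every 15 s never overflows (leaks faster than it fills).
$detector = new LeakyBucketDetector();
$ip = '203.0.113.7';

$burstAlerts = 0;
for ($i = 0; $i < 11; $i++) {
  $burstAlerts += $detector->record($ip, 1000) ? 1 : 0;
}
echo "first burst alerts: $burstAlerts\n";   // 1

$secondBurstAlerts = 0;
for ($i = 0; $i < 11; $i++) {
  $secondBurstAlerts += $detector->record($ip, 1060) ? 1 : 0;
}
echo "second burst alerts (blackholed): $secondBurstAlerts\n";   // 0

$trickleAlerts = 0;
for ($i = 0; $i < 100; $i++) {
  $trickleAlerts += $detector->record('198.51.100.9', 2000 + 15 * $i) ? 1 : 0;
}
echo "trickle alerts: $trickleAlerts\n";   // 0
```

The difference from a sliding window ("drop whispers older than range, compare count to threshold") is that the bucket keeps partial credit for recent activity: an IP that keeps probing just under the window threshold still fills the bucket over time, while a genuinely sparse client drains back to zero between hits.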