
Improvement/scenarios: sequence of scenario

Open AlteredCoder opened this issue 5 years ago • 3 comments

Is your feature request related to a problem? Please describe.

I would like to trigger a scenario when a sequence of events occurs.

Example of what you imagine

I think a configuration file that looks like this can be a solution:

type: sequence
name: vist_uri_1_or_2_and_3
sequence:
  - seq_1:
      type: leaky
      filter: evt.Parsed.uri == "1"
      capacity: 3    # visit a minimum of 3 product pages
  - seq_2:
      type: trigger  # visit a specific page
      filter: evt.Parsed.uri == "2"
  - seq_3:
      type: trigger
      filter: evt.Parsed.uri == "3"
condition: (seq_1 or seq_2) and seq_3
group_by: ip_addr
timeframe: 60s     # those 3 events should occur within 60 seconds

AlteredCoder, Jun 24 '20 13:06

One question though: does the sequence have to be in order?

ghost, Jun 24 '20 13:06

I think yes

AlteredCoder, Jun 24 '20 14:06

This sounds like a great idea and would allow catching complex attacks.

opendba, Jan 19 '22 00:01

Conditional buckets have been merged in 1.5.0 and solve this need :smile:

buixor, Oct 13 '23 12:10
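
The semantics proposed at the top of this issue, as an added example that is not part of the original thread and is not CrowdSec code: a Python evaluator for `(seq_1 or seq_2) and seq_3`, grouped by IP within the 60-second timeframe. It assumes the ordered reading given in the comments (seq_3 must come last) and reads `capacity: 3` as "at least 3 hits", following the inline comment; the function name `detect_sequences` and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

TIMEFRAME = 60   # seconds, from `timeframe: 60s` in the proposal
CAPACITY = 3     # from seq_1 `capacity: 3`, read here as "at least 3 hits" (assumption)

def detect_sequences(events, timeframe=TIMEFRAME, capacity=CAPACITY):
    """Return [(ip, ts)] for each seq_3 hit preceded by seq_1 or seq_2.

    events: iterable of (unix_ts, ip_addr, uri) tuples, in any order.
    """
    window = defaultdict(deque)   # ip -> recent (ts, uri) hits on uri "1" / "2"
    alerts = []
    for ts, ip, uri in sorted(events):
        q = window[ip]            # group_by: ip_addr
        # Drop hits that fell out of the timeframe for this ip.
        while q and ts - q[0][0] > timeframe:
            q.popleft()
        if uri in ("1", "2"):
            q.append((ts, uri))
        elif uri == "3":
            seq_1 = sum(1 for _, u in q if u == "1") >= capacity
            seq_2 = any(u == "2" for _, u in q)
            if seq_1 or seq_2:    # condition: (seq_1 or seq_2) and seq_3
                alerts.append((ip, ts))
                q.clear()         # start a fresh sequence after alerting
    return alerts

# Constructed sample events (documentation IP ranges), not real logs.
SAMPLE = [
    (0, "192.0.2.10", "1"), (5, "192.0.2.10", "1"), (9, "192.0.2.10", "1"),
    (20, "192.0.2.10", "3"),    # seq_1 then seq_3 inside 60s: alert
    (0, "198.51.100.7", "3"),   # seq_3 first, nothing before it: no alert
    (10, "198.51.100.7", "2"),
    (0, "203.0.113.5", "2"),
    (100, "203.0.113.5", "3"),  # seq_2 expired before seq_3: no alert
    (0, "192.0.2.99", "1"), (1, "192.0.2.99", "1"),
    (2, "192.0.2.99", "3"),     # only 2 hits on uri "1": no alert
]

if __name__ == "__main__":
    for ip, ts in detect_sequences(SAMPLE):
        print(f"sequence matched for {ip} at t={ts}")
```

The out-of-order and expired cases are the ones a plain per-event trigger cannot express, which is what the request is about.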