Excuse me, what? So, once on the fire datalake, all it takes for a bad actor to be withdrawn from the fire DL is to become silent (cease all activity) for 72 hrs? After 72 hrs they can become "vocal" again?
Seriously flawed…
You must be kidding!!
Why? What are these details?
Why? If it's wrong, then what should we think CS tries to be?
But we already have a well-established, proven, working mechanism for detection and prevention of DDoS and other attacks. It's called CloudFlare; we don't need yet another clone.
For every serious security admin, that's a huge NO-NO.
GROK = REGEX…
Public-facing one or within a corporate network? If public-facing then, unless it's fully secured, it's a huge design flaw; if that server is accessed internally then OK.
True; just to add: f2b is well-established.
That's why you try to defend CS.
Now, regarding the project's README.md:
CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten. Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, rule out false positives or poisoning attempts.
So: not storing logs/data, but at the same time sending data somewhere? Some thoughts:
- where is this "curation platform" hosted?
- if the whole project is OSS, then we should be able to have (at least read) access to this "curation platform", don't you think?
- a user's IP is PII, so storing it without user consent is illegal (GDPR),
- any guarantee that the "curated platform" is leak-proof?
- if you say that other installations of CS rely on this "curated platform", then how do you know what other people do with data downloaded from this platform?
- what's the data retention period on this platform?
- if CS is not a SIEM, then what is it? From what one can read, as well as how you present CS, it's clear that CS is (or at least tries to be) fully fledged SIEM software