CrowdSec

CrowdSec: IDS/IPS/WAF Community

False positive for scenario

I'm seeing a lot of alerts for the http-probing scenario for a specific endpoint that is behaving as expected (e.g., this isn't malicious traffic). I could disable this scenario, but I wonder if there's any other way to handle this, like allowlisting based on URL or something else.

detect flooding

Hey everyone! I need help designing a scenario for a very specific use case and I'm not sure if it's even possible with CrowdSec's bucket types. What I want to detect: - Ban IPs that send 17+ POST requests within 1 second (burst attack) - Allow IPs that spread their requests over longer periods...

Unable to parse NGINX logs

Hello, I've just installed crowdsec, I'm using NGINX as a reverse proxy and logs seem not to be correctly processed. I have followed the guide and added a custom nginx.yaml config file. Files are detected but unparsed according to cscli metrics show acquisition. Here is the example of a line going through the parser: ``` line: 79.174.34.55 - - [04/Nov/2025:02:53:02 +0100] "GET /xleet-shell.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" ├ s00-raw...

Migrating Security Engine Reputation

I currently have a Crowdsec LAPI server running on a VM, it's been running for about 2ish years. I am currently in the process of migrating it to my k8s cluster. I was wondering if it's possible to "move" the reputation gained by contributing back upstream by my VM-based LAPI server to a fresh deployment of my k8s LAPI server. I never enrolled my Security Engine to the Console, I'm guessing it should be possible to do so by enrolling but correct me if I am wrong....

community-blocklist update

I'm using the custom bouncer, is there a way to differentiate community-blocklist update decisions from all other single decisions? Does one of the JSON key-value pairs contain a value unique to blocklist update decisions? { "duration": "143h58m15s", "origin": "CAPI",...

CrowdSec Windows Firewall Bouncer Isn't Making Decisions

Greetings, I've been using CrowdSec for a good minute now. I think I've always had this issue, but I managed to mitigate it briefly by applying the blocklists to my firewall through a script. However, this worked for only so long. Anywho, the firewall bouncer doesn't log any firewall rules whatsoever. I've made test decisions, waited a few seconds, and checked my firewall and found nothing. I'm unsure how to solve this, or if there is a YAML file I should be updating. Below is what I mean. For the most part, I've had no issues with this program. However, I'd like to make full use of it if I can. I'm not on the enterprise version, I should mention. I'm using the community lists. ```PS C:\Users\Salem> cscli decisions add --ip 1.2.3.4 --duration 4h...

Whitelist

I keep getting banned by my crowdsec. This is part of my config.yml ```yml server: log_level: info...

RE2 feature flags don't work on Windows - CrowdSec crashes

Hi, Tested RE2 flags on Windows Server (2012 R2 through 2025) with versions 1.6.11 and 1.7.3. Observed behavior:...

firewall bouncer: crowdsec-chain-input empty

I noticed that the firewall bouncer failed to add the ip sets in the crowdsec-chain-input chain, rendering the firewall useless. ``` set crowdsec-blacklists-crowdsec { type ipv4_addr flags timeout...

Logs from SQLite

Hello, is it possible to read the logs from a sqlite? WGDashboard writes its logs in a sqlite database, I will try to write a log parser for it. ...

CrowdSec 1.7.3 parser: evt.StrTime not being set when using microsecond timestamps

Hi everyone, I'm currently working on a custom parser and I'm stuck on an issue. The logs unfortunately contain timestamps with microseconds. ...

Setting http notifications for gotify crashes CrowdSec on Windows machine

As soon as I uncomment notifications in profiles.yaml to configure http_default gotify notifications I receive the following error. It appears that the plugin broker is going through the .exe files in C:\ProgramData\CrowdSec\plugins\ and getting some kind of permissions error. The crowdsec service is running as Local System. The error goes away if I instead change "log on as" to a privileged admin account with user name and password. C:\ProgramData\CrowdSec\plugins\ file permissions include SYSTEM - Full Control. level=debug msg="current owner is S-1-5-18 (S-1-5-18) (defaulted: false)" level=debug msg="current group is nil (defaulted: false), using builtin admin instead" level=debug msg="current group is S-1-5-32-544 (S-1-5-32-544) (defaulted: false)"...

Include instance name in slack notification

Is it possible to include the instance name in a slack notification? I'm guessing no, since I don't see that info available here: https://pkg.go.dev/github.com/crowdsecurity/crowdsec/pkg/models#Alert but thought I'd ask. Maybe a better approach would be to use separate webhooks per instance. Thanks,

Getting hostname in notification in a distributed setup

I have been playing around with my crowdsec alerts trying to get the hostname for the attacked system in my notification. I have been doing some research and have gotten some results but it always returns the name of the machine running the LAPI. The way to do this differs depending on the OS the LAPI is running on and it doesn't seem to be documented clearly? i.e. env "HOST" for freebsd, env "HOST_HOSTNAME" for docker, and {{ Hostname }} for Windows. (All of those variables are already built in and do not have to be added.) In a distributed setup, is the only way to get the name of the actual host being attacked to use a lookup table based on the Machine property in the alert? Below is a snippet of my discord.yaml:...

Issue crowdsec agent upgrade

Hello, we encountered an issue this morning on our server. We are trying to upgrade the crowdsec agent on a debian server but we get the following error: ```bash W: Failed to fetch https://packagecloud.io/crowdsec/crowdsec/debian/dists/stretch/InRelease FailReason: ConnectionRefused...

pfSense, rule not being re-added after unchecking/checking 'Enable CrowdSec IPv4 blocklist'

In testing we unchecked the 'Enable CrowdSec IPv4 blocklist rule' and 'Enable CrowdSec IPv6 blocklist rule' options, the rule was removed from pf, but when we re-enable these options and restart, the rules are not added back into pf. We have tried rebooting, removing and reinstalling, upgrading and nothing will make it come back. I can add the rules manually using pfctl. I have enabled debug logging for bouncer and engine and neither show anything useful. Any suggestions?...

Testing Cloudflare Worker Bouncer on free plan

I am trying to test the Cloudflare worker bouncer on a free plan for now. But I can't even set up the infra. I can see the D1 Database and KVNS in Cloudflare Dashboard, but no workers. ...

Email template ModSec ruleid/message

I'm working on a custom email template for a custom modsec scenario, I specifically want to include the triggered rule id and the rule message so I can know what's going on at a glance. Looking through here: https://docs.crowdsec.net/docs/next/local_api/notification_plugins/email and here: https://docs.crowdsec.net/docs/next/local_api/notification_plugins/template_helpers it's not really clear how I can figure out how to build my own email template and what options exist and don't exist....

My own server’s IP got banned

I’m currently testing and configuring CrowdSec inside a Docker environment with Traefik, and my own server's IP address was mistakenly banned during the setup process. It seems to have been flagged automatically while I was testing. Please help me....

ModSecurity parser not parsing response rules (Phase 4)

$ sudo cscli explain --file test_error.log --type modsecurity ``` WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/user/0/cscli_explain4047805967/parser-dump.yaml line: 2025/10/27 19:47:46 [error] 273240#273240: *657 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator Contains' with parameter evil.webshell' against variable RESPONSE_BODY' (Value: `<title> evil.webshell </title>\x0a<h1> evil.webshell </h1>\x0a' ) [file "/etc/modsecurity/test.conf"] [line "190"] [id "955003"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/evil-webshell.txt"] [unique_id "176155486667.073983"] [ref "o8,13v619,56"] while sending to client, client: 1.1.1.1, server: example.com, request: "GET /evil-webshell.txt HTTP/2.0", upstream: "https://2.2.2.2:443/evil-webshell.txt", host: "example.com" ├ s00-raw...