cscli alerts list -i not showing all alerts
Maybe there is a misunderstanding on my side, but it looks like cscli alerts list -i is not showing all alerts for the provided IP.
cscli alerts list
│ ID │ value │ reason
[...]
│ 1185 │ Ip:52.169.252.59 │ crowdsecurity/http-admin-interface-probing
│ 1184 │ Ip:52.169.252.59 │ crowdsecurity/generic-wordpress-uploads-php
│ 1183 │ Ip:52.169.252.59 │ crowdsecurity/http-wordpress-scan
│ 1182 │ Ip:52.169.252.59 │ crowdsecurity/appsec-vpatch
│ 1181 │ Ip:52.169.252.59 │ crowdsecurity/generic-wordpress-uploads-php
│ 1180 │ Ip:52.169.252.59 │ crowdsecurity/generic-wordpress-uploads-listing
│ 1179 │ Ip:52.169.252.59 │ crowdsecurity/http-crawl-non_statics
│ 1178 │ Ip:52.169.252.59 │ crowdsecurity/http-backdoors-attempts
│ 1177 │ Ip:52.169.252.59 │ crowdsecurity/http-probing
│ 1176 │ Ip:52.169.252.59 │ crowdsecurity/crowdsec-appsec-outofband
[...]
cscli alerts list -i 52.169.252.59
│ ID │ value │ reason
│ 1185 │ Ip:52.169.252.59 │ crowdsecurity/http-admin-interface-probing
│ 1183 │ Ip:52.169.252.59 │ crowdsecurity/http-wordpress-scan
│ 1182 │ Ip:52.169.252.59 │ crowdsecurity/appsec-vpatch
│ 1179 │ Ip:52.169.252.59 │ crowdsecurity/http-crawl-non_statics
│ 1178 │ Ip:52.169.252.59 │ crowdsecurity/http-backdoors-attempts
│ 1177 │ Ip:52.169.252.59 │ crowdsecurity/http-probing
│ 1176 │ Ip:52.169.252.59 │ crowdsecurity/crowdsec-appsec-outofband
Alert-IDs 1180, 1181, 1184 are missing from the 2nd listing.
But each has a - Scope:Value : Ip:52.169.252.59 shown by cscli alerts inspect 1180 (and 1181, 1184).
According to cscli alerts list -h:
-i, --ip string restrict to alerts from this source ip (shorthand for --scope ip --value <IP>)
So shouldn't the alerts 1180, 1181, 1184 be included?
Interestingly, cscli alerts list --scope ip --value 52.169.252.59 is showing all alerts (including 1180, 1181, 1184).

Yeah, we plan to rewrite / fix the filtering logic on cscli alerts list, as currently there are edge cases where, as you have seen, it doesn't return everything.