Allowlisted IP still triggers LePresidente/http-generic-403-bf scenario
Environment:
• CrowdSec v1.7.0-c3036e21-docker
• Docker deployment with Traefik
• Ubuntu Linux
Problem Details:
IP is properly added to trusted_ips allowlist and working for:
✅ AppSec (logs show "allowlisted...skipping")
✅ Bouncer enforcement (no active decisions)
❌ Scenario detection (LePresidente/http-generic-403-bf from crowdsecurity/http-generic-bf)
Documentation Reference:
https://doc.crowdsec.net/u/getting_started/post_installation/whitelists states allowlists "ensure the IP is excluded across all CrowdSec components"
What I've Tried:
1. Verified IP in allowlist: cscli allowlists inspect trusted_ips ✓
2. Checked no active decisions: cscli decisions list (empty)
3. Confirmed v1.7.0 supports full allowlist integration
Question:
Should centralized allowlists (cscli allowlists) automatically prevent scenario detection, or is manual filter modification required? The scenario filter doesn't include InAllowList() check.
Expected: Allowlisted IPs bypass all components including scenario detection
Actual: Scenario still processes events from allowlisted IPs
Is this a known limitation or configuration issue?
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
So if you run
cscli alerts list
you see the IP with an alert for the scenario after the allowlist was made? Because I'm confused why you say there are no decisions but it triggered.
When an IP is allowlisted, crowdsec will still log the alert, but it will be dropped when sent to LAPI.
You should see 2 logs:
- the alert when it gets created after a scenario was triggered
- A log telling you the alert is skipped because it is allowlisted
The idea is to still give you some insights about what is happening.
No, I did not see any alerts for the whitelisted IP. I checked the container log and found
Ip performed 'LePresidente/http-generic-403-bf' (23 events over 2m59.670582697s)
Are you sure that is not an old log entry? Also see what Blotus said.
Blotus is right: the logs show the allowlisted IP triggered the 'LePresidente/http-generic-403-bf' scenario, but CrowdSec skipped it for this IP.
Ip xxx performed 'LePresidente/http-generic-403-bf' (24 events over 3m5.54761915s) alert source xxx is allowlisted by xxx from trusted_ips, skipping
So the ban must have another cause, not this scenario. I'd appreciate help in investigating further to find the real root cause.
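The two-log pattern Blotus describes (alert logged, then "allowlisted ... skipping") is what lets you separate alerts that were dropped from alerts that actually reached LAPI, which is exactly what the last post needs to find the real source of the ban. The script below is an added example, not CrowdSec's code or anything from this thread; it assumes the log wording shown in the quoted lines (the timestamp/level prefix and the sample IPs are constructed) and pairs each alert with its skip line.

```python
import re
from typing import Dict, List, Tuple

# Patterns follow the two log lines quoted in the thread. The exact prefix
# (time=..., level=..., msg=...) is an assumption; only the phrases shown in
# the thread are matched, so the patterns work whether or not it is present.
ALERT_RE = re.compile(
    r"Ip (?P<ip>\S+) performed '(?P<scenario>[^']+)' "
    r"\((?P<events>\d+) events over (?P<window>[^)]+)\)"
)
SKIP_RE = re.compile(
    r"alert source (?P<ip>\S+) is allowlisted by (?P<entry>\S+) "
    r"from (?P<list>\S+), skipping"
)

# Constructed sample log modelled on the lines quoted in the thread (not real output).
SAMPLE_LOG = """\
time="2025-01-01T10:00:00Z" level=info msg="Ip 203.0.113.10 performed 'LePresidente/http-generic-403-bf' (24 events over 3m5.54761915s)"
time="2025-01-01T10:00:00Z" level=info msg="alert source 203.0.113.10 is allowlisted by 203.0.113.10 from trusted_ips, skipping"
time="2025-01-01T10:02:00Z" level=info msg="Ip 198.51.100.7 performed 'example/other-scenario' (11 events over 40s)"
time="2025-01-01T10:03:00Z" level=info msg="Ip 203.0.113.10 performed 'example/other-scenario' (11 events over 40s)"
"""


def triage_alerts(log_text: str) -> Dict[str, List[dict]]:
    """Pair every scenario alert with the skip line that follows it for the same IP,
    so each alert records whether it was dropped (skipped=True) and by which list."""
    pending: Dict[str, List[dict]] = {}   # alerts per IP not yet matched to a skip line
    results: Dict[str, List[dict]] = {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = {"scenario": m["scenario"], "events": int(m["events"]),
                     "skipped": False, "list": None}
            results.setdefault(m["ip"], []).append(alert)
            pending.setdefault(m["ip"], []).append(alert)
        s = SKIP_RE.search(line)          # same line or a later one: both are handled
        if s and pending.get(s["ip"]):
            alert = pending[s["ip"]].pop(0)   # oldest unresolved alert for this IP
            alert["skipped"], alert["list"] = True, s["list"]
    return results


def unskipped_alerts(log_text: str) -> List[Tuple[str, str]]:
    """Alerts with no skip line: these reached LAPI and can produce a decision."""
    return [(ip, a["scenario"]) for ip, alerts in triage_alerts(log_text).items()
            for a in alerts if not a["skipped"]]


def allowlist_gaps(log_text: str, trusted_ips) -> List[Tuple[str, str]]:
    """Trusted IPs whose alerts were not skipped: the allowlist did not apply there."""
    return [(ip, sc) for ip, sc in unskipped_alerts(log_text) if ip in trusted_ips]


if __name__ == "__main__":
    print("sent to LAPI:", unskipped_alerts(SAMPLE_LOG))
    print("allowlist gaps:", allowlist_gaps(SAMPLE_LOG, {"203.0.113.10"}))
```

Run it against the container log (docker logs of the crowdsec container) instead of SAMPLE_LOG: the unskipped list names the alert that can explain a decision, and a non-empty allowlist_gaps result means a trusted IP's alert was not dropped, which is the condition worth reporting.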