Getting many notifications for same ip

I am getting hundreds (!) of notifications for an already blocked IP on my opnsense bouncer. As I see, the logic is a loop here, as in: the firewall blocks the ip, because it is in the crowdsec block-list, writes that to the logs, triggering the blocking of said ip again. Is there a proper way to fix this?
Loz (4w ago)
You have to alter your profiles to have a semi-duplicate profile and use GetActiveDecisionsCount to gate your notifications.
name: default_ip_remediation_notification
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && GetActiveDecisionsCount(Alert.GetValue()) == 0
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
 - email_default
on_success: break
---
## Catch IPs that already have an active decision but don't call notification
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
on_success: break
---
name: default_range_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
on_success: break
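
The effect of the profile ordering above, as an added example that is not part of the original post and not CrowdSec code: a simplified Python model that replays a constructed alert stream through the gated profiles and through an assumed single always-notifying IP profile. The `replay` helper, the sample IPs and the "ungated" profile are assumptions for illustration; the model treats an IP as having an active decision until its latest 4h ban expires.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

BAN_SECONDS = 4 * 3600  # "duration: 4h" in the profiles above

@dataclass
class Profile:
    name: str
    matches: Callable[[str, int], bool]  # (scope, active decision count) -> bool
    notifications: List[str] = field(default_factory=list)

def is_ip(scope: str) -> bool:
    return scope == "Ip"  # Alert.Remediation is assumed true for every event

# The three profiles from the answer, in file order.
GATED = [
    Profile("default_ip_remediation_notification",
            lambda scope, active: is_ip(scope) and active == 0, ["email_default"]),
    Profile("default_ip_remediation", lambda scope, active: is_ip(scope)),
    Profile("default_range_remediation", lambda scope, active: scope == "Range"),
]
# Assumed "before" state: a single IP profile that always notifies.
UNGATED = [
    Profile("default_ip_remediation", lambda scope, active: is_ip(scope), ["email_default"]),
    GATED[2],
]

def replay(profiles: List[Profile], events: List[Tuple[int, str, str]]):
    """Run (time, scope, value) alerts through the profiles in order.
    Returns (name of the profile that handled each alert, notifications sent)."""
    ban_until: Dict[str, int] = {}          # value -> expiry of its latest ban
    handled: List[Optional[str]] = []
    sent: List[Tuple[str, str, int]] = []
    for now, scope, value in events:
        # Counted before this alert's own decision is added.
        active = 1 if ban_until.get(value, -1) > now else 0
        hit = next((p for p in profiles if p.matches(scope, active)), None)
        if hit:                              # on_success: break -> first match only
            ban_until[value] = now + BAN_SECONDS
            sent += [(n, value, now) for n in hit.notifications]
        handled.append(hit.name if hit else None)
    return handled, sent

# Constructed alert stream: one looping IP, one other IP, one alert after expiry.
EVENTS = [(0, "Ip", "203.0.113.7"), (30, "Ip", "198.51.100.9"),
          (60, "Ip", "203.0.113.7"), (120, "Ip", "203.0.113.7"),
          (120 + BAN_SECONDS + 1, "Ip", "203.0.113.7")]

if __name__ == "__main__":
    for label, profiles in (("gated", GATED), ("ungated", UNGATED)):
        handled, sent = replay(profiles, EVENTS)
        print(label, len(sent), "notifications;", handled)
```

In this model every repeated alert renews the ban, so while the firewall-log loop keeps producing alerts for the same IP, the gated profile stays silent until the ban is allowed to lapse.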
Leeee (OP, 4w ago)
Thank you 🙂
CrowdSec (4w ago)
Resolving "Getting many notifications for same ip". This has now been resolved. If you think this is a mistake please run /unresolve