Posting multiple URLs in a forum triggers an anomaly

Hello,

I'm not sure on how to tell crowdsec that something is normal behaviour. I have a forum on which I setup crowdsec to avoid crawlers & such, and now that I have it setup, when I try to post a topic / post, I'll get a 403 whenever I put multiple URLs in the post :

crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"

crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"

How can I tell crowdsec to not trigger a 403 in that scenario?

CrowdSec•4mo ago•

4 replies

Wobak

Posting multiple URLs in a forum triggers an anomaly

crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"

crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"

How can I tell crowdsec to not trigger a 403 in that scenario?

Posting multiple URLs in a forum triggers an anomaly

Similar Threads

Posting multiple URLs in a forum triggers an anomaly

Similar Threads

Similar Threads

Similar Threads