Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicated decisions with different origins are not filtered correctly #3373

Open
AR2000AR opened this issue Dec 19, 2024 · 3 comments
Open

Duplicated decisions with different origins are not filtered correctly #3373

AR2000AR opened this issue Dec 19, 2024 · 3 comments
Labels
kind/bug Something isn't working needs/triage version/1.6.4

Comments

@AR2000AR
Copy link

AR2000AR commented Dec 19, 2024
edited
Loading

What happened?

LAPI stram mode doesn't return active decision when filtering origin "crowdsec" but will when using querry mode

What did you expect to happen?

The active decision should have been returned.

How can we reproduce it (as minimally and precisely as possible)?

  • Have one active crowdsec (ssh in the example) ban decision
  • curl --header "X-Api-Key: <REDACTED>" "http://127.0.0.1:8080/v1/decisions/stream?origins=crowdsec&scenarios_containing=ssh&scopes=Ip&startup=true" -s Fail
{"deleted":null,"new":null}
  • curl --header "X-Api-Key: <REDACTED>" "http://127.0.0.1:8080/v1/decisions?origins=crowdsec&scenarios_containing=ssh&scopes=Ip&startup=true" -s Normal
[
    {"duration":"4m1s","id":17209360,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"12m56s","id":17209361,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"22m43s","id":17209362,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"31m38s","id":17209363,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"41m25s","id":17230684,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"50m20s","id":17230685,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"59m14s","id":17230686,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h9m2s","id":17230687,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h17m56s","id":17230688,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h26m51s","id":17230689,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h35m46s","id":17230690,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h45m33s","id":17230691,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"1h54m28s","id":17230692,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h3m22s","id":17230693,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h12m17s","id":17230694,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h21m11s","id":17230695,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h31m9s","id":17230696,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h40m56s","id":17252017,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h49m57s","id":17252018,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"2h59m47s","id":17252019,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h8m34s","id":17252020,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h17m42s","id":17252021,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h28m42s","id":17252022,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h37m27s","id":17252023,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h47m34s","id":17252024,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"},
    {"duration":"3h58m31s","id":17252025,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","value":"103.216.116.126"}
]

Anything else we need to know?

The ip appear in a CAPI decision

$ cscli decisions list --all | grep 103.216.116.126
│ 17262607 │ CAPI   │ Ip:103.216.116.126                        │ crowdsecurity/ssh-slow-bf                    │ ban    │         │    │ 0      │ 165h57m43s │ 8590     │

Crowdsec version

$ cscli version
version: v1.6.4-523164f6
Codename: alphaga
BuildDate: 2024-11-26_13:16:01
GoVersion: 1.23.3
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.4-523164f6-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_wineventlog

OS version

$ cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.3
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
$ uname -a
Linux crowdsec 5.13.x #1 SMP Mon Dec 9 00:11:50 CST 2024 x86_64 Linux

Enabled collections and parsers

$ cscli hub list -o raw
name,status,version,description,type
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/sshd-logs,enabled,2.8,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
LePresidente/gitea-logs,enabled,0.7,Parse gitea logs,parsers
my/whitelist,"enabled,local",,,parsers
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-dos-bypass-cache,enabled,0.5,Detect DoS tools bypassing cache every request,scenarios
crowdsecurity/http-dos-invalid-http-versions,enabled,0.7,Detect DoS tools using invalid HTTP versions,scenarios
crowdsecurity/http-dos-random-uri,enabled,0.4,Detect DoS tools using random uri,scenarios
crowdsecurity/http-dos-switching-ua,enabled,0.5,Detect DoS tools switching user-agent too fast,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
LePresidente/gitea-bf,enabled,0.3,Detect gitea bruteforce,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/base-http-scenarios,enabled,1.0,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/http-dos,enabled,0.2,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/sshd,enabled,0.5,sshd support : parser and brute-force detection,collections
crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections
LePresidente/gitea,enabled,0.2,Gitea Support : parser and brute-force detection,collections

Acquisition config

$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
filenames:
  - /var/log/traefik/*
labels:
  type: traefik
source: loki
log_level: info
url: http://loki:3100/
limit: 1000
query: |
  { container="gitea-gitea-1" }
labels:
  type: sshd

Config show

$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Listen Socket           : 
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

$ cscli metrics
╭──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                           │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/traefik/access.log │ 33.12k     │ 33.12k       │ -              │ 1.69k                  │ 30.87k            │
│ loki:http://loki:3100/           │ 2.09k      │ 1.37k        │ 724            │ 3.86k                  │ -                 │
╰──────────────────────────────────┴────────────┴──────────────┴────────────────┴───────────────────────┴───────────────────╯

Local API Alerts:
╭────────────────────────────────────────────┬───────╮
│ Reason                                     │ Count │
├────────────────────────────────────────────┼───────┤
│ LePresidente/http-generic-403-bf           │ 17    │
│ crowdsecurity/CVE-2022-41082               │ 3     │
│ crowdsecurity/http-cve-2021-41773          │ 12    │
│ crowdsecurity/ssh-slow-bf                  │ 110   │
│ crowdsecurity/http-probing                 │ 21    │
│ crowdsecurity/http-sensitive-files         │ 5     │
│ crowdsecurity/thinkphp-cve-2018-20062      │ 11    │
│ crowdsecurity/CVE-2017-9841                │ 13    │
│ crowdsecurity/CVE-2019-18935               │ 1     │
│ crowdsecurity/http-admin-interface-probing │ 2     │
│ crowdsecurity/http-crawl-non_statics       │ 2     │
╰────────────────────────────────────────────┴───────╯

Local API Decisions:
╭──────────────────────────────────────────────┬──────────┬────────┬───────╮
│ Reason                                       │ Origin   │ Action │ Count │
├──────────────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/http-path-traversal-probing    │ CAPI     │ ban    │ 297   │
│ crowdsecurity/http-sensitive-files           │ CAPI     │ ban    │ 549   │
│ crowdsecurity/netgear_rce                    │ CAPI     │ ban    │ 189   │
│ crowdsecurity/http-admin-interface-probing   │ CAPI     │ ban    │ 329   │
│ crowdsecurity/http-bad-user-agent            │ CAPI     │ ban    │ 14472 │
│ crowdsecurity/ssh-cve-2024-6387              │ CAPI     │ ban    │ 49    │
│ crowdsec_cve_2024_4577                       │ lists    │ ban    │ 2003  │
│ crowdsecurity/http-cve-2021-42013            │ CAPI     │ ban    │ 5     │
│ crowdsecurity/jira_cve-2021-26086            │ CAPI     │ ban    │ 10    │
│ crowdsecurity/http-cve-2021-41773             CAPI     │ ban    │ 633   │
│ crowdsecurity/http-dos-invalid-http-versions │ CAPI     │ ban    │ 1713  │
│ crowdsecurity/ssh-bf                         │ CAPI     │ ban    │ 8310  │
│ firehol_greensnow                            │ lists    │ ban    │ 5698  │
│ otx-webscanners                              │ lists    │ ban    │ 8473  │
│ crowdsecurity/CVE-2022-35914                 │ CAPI     │ ban    │ 6     │
│ crowdsecurity/http-crawl-non_statics         │ CAPI     │ ban    │ 834   │
│ crowdsecurity/CVE-2022-26134                 │ CAPI     │ ban    │ 12    │
│ crowdsecurity/CVE-2023-22515                 │ CAPI     │ ban    │ 10    │
│ crowdsecurity/CVE-2023-49103                 │ CAPI     │ ban    │ 80    │
│ crowdsecurity/apache_log4j2_cve-2021-44228   │ CAPI     │ ban    │ 37    │
│ crowdsecurity/f5-big-ip-cve-2020-5902        │ CAPI     │ ban    │ 5     │
│ crowdsecurity/fortinet-cve-2018-13379        │ CAPI     │ ban    │ 20    │
│ LePresidente/gitea-bf                        │ CAPI     │ ban    │ 2     │
│ crowdsecurity/CVE-2019-18935                 │ CAPI     │ ban    │ 81    │
│ crowdsecurity/http-dos-random-uri            │ CAPI     │ ban    │ 1     │
│ crowdsecurity/ssh-slow-bf                    │ CAPI     │ ban    │ 8329  │
│ crowdsecurity/ssh-slow-bf                    │ crowdsec │ ban    │ 25    │
│ crowdsecurity/thinkphp-cve-2018-20062        │ CAPI     │ ban    │ 210   │
│ crowdsecurity/CVE-2022-37042                 │ CAPI     │ ban    │ 2     │
│ crowdsecurity/http-probing                   │ CAPI     │ ban    │ 8799  │
│ crowdsecurity/grafana-cve-2021-43798         │ CAPI     │ ban    │ 2     │
│ crowdsecurity/http-wordpress-scan            │ CAPI     │ ban    │ 1890  │
│ ltsich/http-w00tw00t                         │ CAPI     │ ban    │ 5     │
│ crowdsecurity/CVE-2017-9841                  │ CAPI     │ ban    │ 555   │
│ crowdsecurity/CVE-2024-0012                  │ CAPI     │ ban    │ 1     │
│ crowdsecurity/http-generic-bf                │ CAPI     │ ban    │ 28    │
│ crowdsecurity/http-open-proxy                │ CAPI     │ ban    │ 2485  │
│ crowdsecurity/http-backdoors-attempts        │ CAPI     │ ban    │ 272   │
│ crowdsecurity/http-cve-probing               │ CAPI     │ ban    │ 36    │
╰──────────────────────────────────────────────┴──────────┴────────┴───────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 3    │
│ /v1/alerts           │ POST   │ 76   │
│ /v1/decisions        │ GET    │ 1084 │
│ /v1/decisions/stream │ GET    │ 4149 │
│ /v1/heartbeat        │ GET    │ 684  │
│ /v1/usage-metrics    │ POST   │ 23   │
│ /v1/watchers/login   │ POST   │ 16   │
╰──────────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer            │ Route                │ Method │ Hits │
├────────────────────┼──────────────────────┼────────┼──────┤
│ firewall           │ /v1/decisions/stream │ GET    │ 4108 │
[email protected] │ /v1/decisions        │ GET    │ 8    │
[email protected] │ /v1/decisions/stream │ GET    │ 38   │
│ traefik            │ /v1/decisions        │ GET    │ 1076 │
╰────────────────────┴──────────────────────┴────────┴──────╯

Local API Bouncers Decisions:
╭────────────────────┬───────────────┬───────────────────╮
│ Bouncer            │ Empty answers │ Non-empty answers │
├────────────────────┼───────────────┼───────────────────┤
│ traefik            │ 1074          │ 2                 │
[email protected] │ 0             │ 8                 │
╰────────────────────┴───────────────┴───────────────────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Machine   │ Route         │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/alerts    │ GET    │ 3    │
│ localhost │ /v1/alerts    │ POST   │ 76   │
│ localhost │ /v1/heartbeat │ GET    │ 684  │
╰───────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭──────────────────────────────────┬────────┬────────┬──────────╮
│ Parsers                          │ Hits   │ Parsed │ Unparsed │
├──────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/http-logs    │ 99.37k │ 70.33k │ 29.03k   │
│ child-crowdsecurity/sshd-logs    │ 15.59k │ 1.37k  │ 14.22k   │
│ child-crowdsecurity/traefik-logs │ 33.12k │ 33.12k │ -        │
│ crowdsecurity/dateparse-enrich   │ 33.12k │ 33.12k │ -        │
│ crowdsecurity/geoip-enrich       │ 6.10k  │ 6.10k  │ -        │
│ crowdsecurity/http-logs          │ 33.12k │ 33.12k │ -        │
│ crowdsecurity/non-syslog         │ 35.21k │ 35.21k │ -        │
│ crowdsecurity/sshd-logs          │ 2.09k  │ 1.37k  │ 724      │
│ crowdsecurity/traefik-logs       │ 33.12k │ 33.12k │ -        │
│ crowdsecurity/whitelists         │ 34.49k │ 34.49k │ -        │
│ my/whitelist                     │ 34.49k │ 34.49k │ -        │
╰──────────────────────────────────┴────────┴────────┴──────────╯

Scenario Metrics:
╭────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                                   │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-admin-interface-probing │ -             │ -         │ 2            │ 4      │ 2       │
│ crowdsecurity/http-crawl-non_statics       │ -             │ -         │ 918          │ 1.03k  │ 918     │
│ crowdsecurity/http-dos-swithcing-ua        │ -             │ -         │ 539          │ 539    │ 539     │
│ crowdsecurity/http-probing                 │ -             │ 3         │ 56           │ 104    │ 53      │
│ crowdsecurity/http-sensitive-files         │ -             │ 1         │ 4            │ 8      │ 3       
│ crowdsecurity/ssh-bf                       │ 1             │ -         │ 427          │ 1.37k  │ 426     │
│ crowdsecurity/ssh-bf_user-enum             │ 1             │ -         │ 428          │ 673    │ 427     │
│ crowdsecurity/ssh-slow-bf                  │ 1             │ 74        │ 75           │ 1.37k  │ -       │
│ crowdsecurity/ssh-slow-bf_user-enum        │ 1             │ -         │ 1            │ 447    │ -       │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬───────┬─────────────╮
│ Whitelist                │ Reason                      │ Hits  │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼───────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 34490 │ 28395       │
│ my/whitelist             │ my public ip/lan devices    │ 34490 │ 2474        │
╰──────────────────────────┴─────────────────────────────┴───────┴─────────────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

custom bouncer config:

log_mode: stdout # file or stdout
log_level: debug
api_url: http://127.0.0.1:43254/
api_key: <REDACTED> # as created in crowdsec
scenarios_containing: ["ssh"]
scopes: ["Ip"]
origins: ["crowdsec", "cscli"]
supported_decisions_types:
  - ban

Sample from the docker compose project:

crowdsec:
    hostname: crowdsec
    restart: unless-stopped
    image: crowdsecurity/crowdsec
    environment:
      GID: "1000"
      COLLECTION: "crowdsecurity/http-dos crowdsecurity/linux crowdsecurity/traefik LePresidente/gitea"
    volumes:
      - /share/Docker/crowdsec/db:/var/lib/crowdsec/data/
      - /share/Docker/crowdsec/etc/crowdsec:/etc/crowdsec/
      - /share/Docker/traefik/log/access.log:/var/log/traefik/access.log:ro
    depends_on:
      - 'reverse-proxy'
    ports:
      - 127.0.0.1:43254:8080
    networks:
      - monitoring
    
  cs-firewall-bouncer:
    image: gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:legacy
    pull_policy: build
    build:
      context: https://gitea.ar2000.me/AR2000/crowdsec-legacy-firewall-bouncer.git
      dockerfile: Dockerfile
      args:
        - IPTABLES_MODE=legacy
      pull: true
    restart: unless-stopped
    depends_on:
      - crowdsec
    environment:
      - TZ='Europe/Paris'
      - IPTABLES_INSERT=1
      - IPTABLES_CHAIN=DOCKER-USER
    cap_add:
      # allow modification of host's iptable
      - NET_ADMIN
      - NET_RAW
    network_mode: "host"
    volumes:
      - /share/Docker/crowdsec/firewall-bouncer.yml:/crowdsec-custom-bouncer.yaml.local
@AR2000AR AR2000AR added the kind/bug Something isn't working label Dec 19, 2024
@github-actions GitHub Actions
Copy link

@AR2000AR: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@AR2000AR AR2000AR changed the title LAPI stram mode doesn't return active decision when filtering origin "crowdsec" LAPI stream mode doesn't return active decision when filtering origin "crowdsec" Dec 19, 2024
@blotus
Copy link
Member

blotus commented Dec 19, 2024

After some digging, it's caused by having multiple decisions for the same IP, but different origins (in this case, crowdsec and CAPI): as crowdsec only looks at the longest available decision (very likely to be the one coming from CAPI), the local decision is never considered for inclusion.

@AR2000AR
Copy link
Author

Test as instructed by @blotus. Using the dedup=false querry parameter fix the issue (yes my decision is highly duplicated)

curl --header "X-Api-Key: $TOKEN" "http://127.0.0.1:8080/v1/decisions/stream?origins=crowdsec&scenarios_containing=ssh&scopes=Ip&startup=true&dedup=false" -s
{"deleted":[{"duration":"-17h44m25s","id":17073027,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"beae3482-0e19-43a5-9bd5-cf7ef32761ce","value":"103.216.116.126"},{"duration":"-17h36m1s","id":17073028,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"58a6f95c-8717-4882-936b-cdcc29ae9f92","value":"103.216.116.126"},{"duration":"-17h27m26s","id":17073029,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"815a911e-7ca7-41f4-be61-37b56812ba08","value":"103.216.116.126"},{"duration":"-17h18m52s","id":17073030,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"bfd3c78e-8f3f-424f-9f2e-9d3b523269b6","value":"103.216.116.126"},{"duration":"-17h10m7s","id":17073031,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"bb08a5cc-188c-400c-8466-ee35c8a10101","value":"103.216.116.126"},{"duration":"-17h1m22s","id":17073032,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"fa70782e-ccbf-4641-933b-2d4410343dd8","value":"103.216.116.126"},{"duration":"-16h52m38s","id":17073033,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"cc3434e7-09f9-441a-bdf4-80e529c40738","value":"103.216.116.126"},{"duration":"-16h43m53s","id":17073034,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"8e7cafa8-5648-4615-af11-4466d4981d1c","value":"103.216.116.126"},{"duration":"-16h34m58s","id":17073035,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"009ba9ac-6117-4c18-a254-e1e79a7c30c8","value":"103.216.116.126"},{"duration":"-16h26m24s","id":17073036,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4bc65e5a-5671-4682-ac91-766a871b2b21","value":"103.216.116.126"},{"duration":"-16h17m29s","id":17073037,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"3ae6e124-d0aa-4464-9043-4578fb2b8e0c","value":"103.216.116.126"},{"duration":"-16h8m44s","id":17073038,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"0b477955-7427-4390-b917-6e12f94b9f72","value":"103.216.116.126"},{"duration":"-16h0m10s","id":17073039,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"36805f48-5a73-437b-bfea-c30815f07c7b","value":"103.216.116.126"},{"duration":"-15h51m15s","id":17073040,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"79dd4db4-56c8-4761-8777-a2d99e85e989","value":"103.216.116.126"},{"duration":"-15h42m31s","id":17103704,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9c1026bb-74ba-45f7-b4e5-3c8da196a1db","value":"103.216.116.126"},{"duration":"-15h33m46s","id":17103705,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"98da5943-1c6b-420d-9715-1bc410d10e60","value":"103.216.116.126"},{"duration":"-15h25m1s","id":17103706,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"069f1708-c113-4d98-a03e-f3a7b1411974","value":"103.216.116.126"},{"duration":"-15h16m17s","id":17103707,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f21bc715-d980-4eff-9490-703001937a1f","value":"103.216.116.126"},{"duration":"-15h7m32s","id":17103708,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"79fb7816-2783-4cb4-9730-3aae99519515","value":"103.216.116.126"},{"duration":"-14h58m47s","id":17103709,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"326a6c0d-a30c-4bfd-be45-7ae51f225721","value":"103.216.116.126"},{"duration":"-14h50m3s","id":17103710,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"da96cda0-2e6c-4126-8c6f-428c6fddc7cb","value":"103.216.116.126"},{"duration":"-14h41m18s","id":17103711,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4ec724b9-7926-4559-a64e-ae60c7126fbd","value":"103.216.116.126"},{"duration":"-14h32m34s","id":17103712,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"5be5cd08-68ca-4f4c-a809-5e8767b4b57a","value":"103.216.116.126"},{"duration":"-14h23m39s","id":17103713,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"0a1f774b-d7c5-4830-979d-8212f09732ac","value":"103.216.116.126"},{"duration":"-14h14m54s","id":17103714,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"69e74a4f-fe80-4df3-ae6f-608b096e0ec7","value":"103.216.116.126"},{"duration":"-14h6m20s","id":17103715,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"e13b9434-4a32-4bcb-903f-15927c1d560f","value":"103.216.116.126"},{"duration":"-13h57m25s","id":17103716,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a57ba051-49d9-4bc2-a54c-2ccf000c9b57","value":"103.216.116.126"},{"duration":"-13h48m40s","id":17118717,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4756fc92-89d2-481a-bb7a-38d45b5f1840","value":"103.216.116.126"},{"duration":"-13h39m56s","id":17118718,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"1e938afa-f2f2-4c17-a0be-00ddd1a2792c","value":"103.216.116.126"},{"duration":"-13h31m11s","id":17118719,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9d792c9e-907f-480d-bd27-ff872f24eca2","value":"103.216.116.126"},{"duration":"-13h22m25s","id":17118720,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"8e18b0ed-a215-4c7d-a362-73c02bcd9ebc","value":"103.216.116.126"},{"duration":"-13h13m42s","id":17118721,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a6e67df7-5d5b-4394-9bd0-dd1b96ea67cf","value":"103.216.116.126"},{"duration":"-13h4m52s","id":17118722,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"10e533e4-8124-493e-a915-bb1a3ad5bb90","value":"103.216.116.126"},{"duration":"-12h56m9s","id":17118723,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a50c7b10-9414-4867-82c0-8a93ea716f41","value":"103.216.116.126"},{"duration":"-12h46m25s","id":17118724,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"dc7a5fd2-349b-4576-b47a-7370627b7067","value":"103.216.116.126"},{"duration":"-12h30m59s","id":17118725,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"47bf5006-1716-40b1-a9f7-7876ab46c1c2","value":"103.216.116.126"},{"duration":"-8h48m13s","id":17133749,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"6719d409-e35c-4458-a9e0-3287a6c9982a","value":"103.216.116.126"},{"duration":"-8h39m28s","id":17133750,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f2d3a0cf-fb59-4a1a-8625-505c263dfaf9","value":"103.216.116.126"},{"duration":"-8h30m43s","id":17133751,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"edbd91d4-614b-4518-a9da-1eeef6e87d62","value":"103.216.116.126"},{"duration":"-8h21m59s","id":17133752,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"16550da0-e250-4e9b-8f9c-4bb97743e09c","value":"103.216.116.126"},{"duration":"-8h11m21s","id":17133753,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"67136b9d-8970-440c-b77c-a5a4cb718492","value":"103.216.116.126"},{"duration":"-8h2m37s","id":17133754,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"d56944dd-61ad-4dba-8e9f-ea80c2ef8ad8","value":"103.216.116.126"},{"duration":"-7h53m52s","id":17133755,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"1474ab58-50b4-4152-863d-3f92830be893","value":"103.216.116.126"},{"duration":"-7h45m7s","id":17133756,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"133ff1d3-9cba-4f1d-97de-c32bd1cb3a0f","value":"103.216.116.126"},{"duration":"-7h36m13s","id":17133758,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f8c90aaf-e22b-4358-99a0-d02fdb5c895c","value":"103.216.116.126"},{"duration":"-7h27m28s","id":17133759,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f4d9bb9a-5ed6-452e-aaf5-bba9c3011756","value":"103.216.116.126"},{"duration":"-7h18m43s","id":17133760,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"ce95c0a4-d241-43d9-84a2-f672beba5f9e","value":"103.216.116.126"},{"duration":"-7h9m59s","id":17133761,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"7b89b155-c333-4b84-b3a9-360dc096dbb3","value":"103.216.116.126"},{"duration":"-7h1m14s","id":17164425,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"e548813e-0e94-47eb-8067-4a152fb8ac03","value":"103.216.116.126"},{"duration":"-6h52m19s","id":17164426,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"b4f1a93e-d216-42e0-9a62-19cc410ac095","value":"103.216.116.126"},{"duration":"-6h43m35s","id":17164427,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"b26f7c3f-7172-43ac-881f-7d66d0ce137f","value":"103.216.116.126"},{"duration":"-6h34m50s","id":17164428,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4e5736a2-99bc-4bed-97db-61ec92c6f95c","value":"103.216.116.126"},{"duration":"-6h25m56s","id":17164429,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"2760fc6c-f4ac-4fdf-b17e-6497bdd3ae2c","value":"103.216.116.126"},{"duration":"-6h17m11s","id":17164430,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"35c136c7-d41b-4a1a-a243-cd2382d93de6","value":"103.216.116.126"},{"duration":"-6h8m16s","id":17164431,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"e8935039-6830-4f09-bfa9-ad5a617b41ed","value":"103.216.116.126"},{"duration":"-5h59m32s","id":17164432,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"6be3b52a-2dd0-4f41-86a5-666e08f7b961","value":"103.216.116.126"},{"duration":"-5h50m37s","id":17164433,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a5770206-baa1-43ac-8f93-992fe5d5acd0","value":"103.216.116.126"},{"duration":"-5h41m52s","id":17164434,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"68420a15-4ea4-449e-8258-f64aa06364aa","value":"103.216.116.126"},{"duration":"-5h33m8s","id":17164435,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a6950ff9-198a-40b0-b120-f334aaf5e0e3","value":"103.216.116.126"},{"duration":"-5h24m13s","id":17164436,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"ae782906-b52f-4383-8223-ebd87bc51955","value":"103.216.116.126"},{"duration":"-5h15m29s","id":17164437,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"04bc34c1-c35b-402f-8794-a895301e4401","value":"103.216.116.126"},{"duration":"-5h6m34s","id":17164438,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"45a4ba65-13ee-4d28-a294-ee41d776db75","value":"103.216.116.126"},{"duration":"-4h57m49s","id":17179439,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9c2b2d02-76c5-4917-98f0-87d0bee03f7e","value":"103.216.116.126"},{"duration":"-4h48m55s","id":17179440,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"7d895e4e-35fa-4556-ba05-f2e1993313fb","value":"103.216.116.126"},{"duration":"-4h39m17s","id":17179441,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"3e563505-496f-4b1e-866c-17fa5c772c8e","value":"103.216.116.126"},{"duration":"-4h30m23s","id":17179442,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"ce4a392b-cbff-4b53-813e-4b943d87c788","value":"103.216.116.126"},{"duration":"-4h21m38s","id":17179443,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"3d9e9acd-cda1-4e7f-812d-648ea2f90e78","value":"103.216.116.126"},{"duration":"-4h12m54s","id":17179446,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"793e903d-25c4-4119-8051-b9dce97b8d17","value":"103.216.116.126"},{"duration":"-4h3m59s","id":17179447,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"63cc72a1-029d-48ff-9909-2c170ff9a5d3","value":"103.216.116.126"},{"duration":"-3h55m14s","id":17179448,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"ff180319-d585-43d1-a4fc-dc87404a24e1","value":"103.216.116.126"},{"duration":"-3h46m20s","id":17179449,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9a83a4f6-a1f6-4f3c-b007-dcf3fbd9c3c2","value":"103.216.116.126"},{"duration":"-3h37m35s","id":17179450,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a457e3b1-f371-4fe6-b4d3-ad2f556da4c6","value":"103.216.116.126"},{"duration":"-3h28m51s","id":17179451,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"09d5e3bc-7d85-4091-9cfd-6bfe1276408d","value":"103.216.116.126"},{"duration":"-3h19m56s","id":17179452,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"45722287-86b9-4210-9860-03644298fc47","value":"103.216.116.126"},{"duration":"-3h11m11s","id":17179453,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"d46cf6a1-5ced-4185-b901-ea187662b764","value":"103.216.116.126"},{"duration":"-3h2m27s","id":17179454,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"2325b0a7-0a5a-4613-9966-cbe65260aadd","value":"103.216.116.126"},{"duration":"-2h53m32s","id":17209351,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"e326ada7-850b-4fb0-b432-63e5e2aedf8e","value":"103.216.116.126"},{"duration":"-2h44m47s","id":17209352,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"91f150f4-72d3-48aa-9339-dba7e7c32ac9","value":"103.216.116.126"},{"duration":"-2h35m53s","id":17209353,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"7ad60c74-232f-4346-8caf-b14dad8717c7","value":"103.216.116.126"},{"duration":"-2h26m58s","id":17209354,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9610e4aa-92eb-412a-b0f7-cb70800c145b","value":"103.216.116.126"},{"duration":"-2h18m4s","id":17209355,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"10744e4a-c859-4fb9-b7a0-6b00d7cb5c49","value":"103.216.116.126"},{"duration":"-2h9m9s","id":17209356,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4745fa63-8a9d-4511-8421-bbf15d359277","value":"103.216.116.126"},{"duration":"-1h59m22s","id":17209357,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"91409a09-8a8e-4f4f-86da-63b59194cfe2","value":"103.216.116.126"},{"duration":"-1h50m27s","id":17209358,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f4be92d4-e2db-4ceb-a5b6-fc47b454ea66","value":"103.216.116.126"},{"duration":"-1h41m42s","id":17209359,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"5c961130-1612-4d1c-b972-3c6181d0f09f","value":"103.216.116.126"},{"duration":"-1h31m45s","id":17209360,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"0eeed5d6-1cdf-4b12-ad29-19df128a5991","value":"103.216.116.126"},{"duration":"-1h22m50s","id":17209361,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"32453530-8ca9-42b3-b84a-2ad0b20c6777","value":"103.216.116.126"},{"duration":"-1h13m3s","id":17209362,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"1902b274-bf4a-4816-a54f-c2ad026be82c","value":"103.216.116.126"},{"duration":"-1h4m8s","id":17209363,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"95b1df78-7974-4a2d-8f9e-9e6cd46741ff","value":"103.216.116.126"},{"duration":"-54m21s","id":17230684,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"e61cf59e-32ea-4dbe-8b94-7361ed6f78ee","value":"103.216.116.126"},{"duration":"-45m26s","id":17230685,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"78235ace-40d1-4322-ba0d-c7ebb430feb2","value":"103.216.116.126"},{"duration":"-36m32s","id":17230686,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"cabf2c1d-2d8f-4a45-bbe8-e8500c3e86dc","value":"103.216.116.126"},{"duration":"-26m44s","id":17230687,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"d3b9f16f-dd34-4a3e-b65a-ce489736cd6c","value":"103.216.116.126"},{"duration":"-17m50s","id":17230688,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"d90abcce-9fbd-4cb8-9c7d-31c7685153f8","value":"103.216.116.126"},{"duration":"-8m55s","id":17230689,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"42564c78-6452-4447-8a33-5244d07cc41a","value":"103.216.116.126"},{"duration":"0s","id":17230690,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"9d21a268-bde7-4dfb-acf8-24907a51e36d","value":"103.216.116.126"}],"new":[{"duration":"9m47s","id":17230691,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"8070208b-7690-4de0-8611-51401a254428","value":"103.216.116.126"},{"duration":"18m42s","id":17230692,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"39c18bf5-a3b0-4fd0-88a7-5ec72629a201","value":"103.216.116.126"},{"duration":"27m36s","id":17230693,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"18ad441f-b7f8-42a2-a519-edb29696c9a6","value":"103.216.116.126"},{"duration":"36m31s","id":17230694,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"a3c759b6-3fa4-4832-a842-1ae78bcb4901","value":"103.216.116.126"},{"duration":"45m25s","id":17230695,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"ee3c0e64-1442-4633-9a6a-6c861b7d66e2","value":"103.216.116.126"},{"duration":"55m23s","id":17230696,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"925aa38c-3f2b-4d37-835d-dd37bbe206b7","value":"103.216.116.126"},{"duration":"1h5m10s","id":17252017,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"5f158e4e-ea77-4ca2-b1c2-e144b20169a7","value":"103.216.116.126"},{"duration":"1h14m11s","id":17252018,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"bac39297-aff6-4f94-bf61-90a696d8f616","value":"103.216.116.126"},{"duration":"1h24m1s","id":17252019,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"56b9a4d0-4fbf-4b19-88d9-b23a00372fee","value":"103.216.116.126"},{"duration":"1h32m48s","id":17252020,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"f9177c99-72a1-4a1c-aeef-54b9a79e4911","value":"103.216.116.126"},{"duration":"1h41m56s","id":17252021,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"46f1b9d9-835a-40d7-b677-7799a5aab3bd","value":"103.216.116.126"},{"duration":"1h52m56s","id":17252022,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"54b7d145-ddf7-472f-b473-c2d3f24207fd","value":"103.216.116.126"},{"duration":"2h1m41s","id":17252023,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"4ff39927-5d64-4e1d-932e-7cd740a1c8dd","value":"103.216.116.126"},{"duration":"2h11m48s","id":17252024,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"fe22644c-47c1-45a6-9ec5-2bbe6502b3da","value":"103.216.116.126"},{"duration":"2h22m45s","id":17252025,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"433916cf-dd58-4afa-890f-5b107ff49b0b","value":"103.216.116.126"},{"duration":"2h31m45s","id":17252026,"origin":"crowdsec","scenario":"crowdsecurity/ssh-slow-bf","scope":"Ip","type":"ban","uuid":"63d6145b-1b47-4f94-8069-6cf7aac2b946","value":"103.216.116.126"}]}

@blotus blotus changed the title LAPI stream mode doesn't return active decision when filtering origin "crowdsec" Duplicated decisions with different origins are not filtered correctly Dec 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working needs/triage version/1.6.4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@blotus @AR2000AR