Decisions management
Please see your local sudo cscli help decisions
for up-to-date documentation.
List active decisions
sudo cscli decisions list
Example
sudo cscli decisions list
+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
| ID | SOURCE | SCOPE:VALUE | REASON | ACTION | COUNTRY | AS | EVENTS | EXPIRATION | ALERT ID |
+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
| 276009 | crowdsec | Ip:xx.93.x.xxx | crowdsecurity/telnet-bf | ban | CN | xxxxxxxx xxxxxxx Advertising | 7 | 2m53.949221341s | 33459 |
| | | | | | | Co.,Ltd. | | | |
| 276008 | crowdsec | Ip:xxx.53.xx.xxx | crowdsecurity/smb-bf | ban | BR | xxxxxxxxxx xxxxxxxxxxxxxxxx | 6 | 1m48.728998974s | 33458 |
| | | | | | | LTDA | | | |
+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
SOURCE
: the source of the decisions:crowdsec
: decision from crowdsec agentcscli
: decision fromcscli
(manual decision)CAPI
: decision from crowdsec API
SCOPE:VALUE
is the target of the decisions :- "scope" : the scope of the decisions (
ip
,range
,user
...) - "value" : the value to apply on the decisions (ip_addr, ip_range, username ...)
- "scope" : the scope of the decisions (
REASON
is the scenario that was triggered (or human-supplied reason)ACTION
is the type of the decision (ban
,captcha
...)COUNTRY
andAS
are provided by GeoIP enrichment if presentEVENTS
number of event that triggered this decisonEXPIRATION
is the time left on remediationALERT ID
is the ID of the corresponding alert
Check command usage for additional filtering and output control flags.
Add a decision
Ban an IP
sudo cscli decisions add -i 1.2.3.4
- default
duration
:4h
- default
type
:ban
Add a decision (ban) on IP
1.2.3.4
for 24 hours, with reason 'web bruteforce'
sudo cscli decisions add --ip 1.2.3.4 --duration 24h --reason "web bruteforce"
Add a decision (ban) on range
1.2.3.0/24
for 4 hours, with reason 'web bruteforce'
sudo cscli decisions add --range 1.2.3.0/24 --reason "web bruteforce"
Add a decision (captcha) on ip
1.2.3.4
for 4hours (default duration), with reason 'web bruteforce'
sudo cscli decisions add --ip 1.2.3.4 --reason "web bruteforce" --type captcha
Delete a decision
delete the decision on IP
1.2.3.4
sudo cscli decisions delete --ip 1.2.3.4
delete the decision on range 1.2.3.0/24
sudo cscli decisions delete --range 1.2.3.0/24
Please note that cscli decisions list
will show you only the latest alert per given ip/scope.
However, several decisions targeting the same IP can exist. If you want to be sure to clear all decisions for a given ip/scope, use cscli decisions delete -i x.x.x.x
delete a decision by ID
sudo cscli decisions delete --id 74
Delete all existing bans
Flush all the existing bans
sudo cscli decisions delete --all
This will as well remove any existing ban
Import decisions
sudo cscli decisions import -i foo.csv
You can import a CSV or JSON file containing decisions directly with cscli.
The value
field is mandatory and contains the target of the decision (ip, range, username, ...).
The following fields are optional:
duration
: duration of the decisions, defaults to 4hreason
: reason for the decisions, defaults tomanual
origin
: source of the decisions, defaults tocscli
type
: action to apply for the decision, defaults toban
scope
: scope of the decision, default toip
All fields (except for value
) can be overwritten by command-line arguments, you can see the list in the cli documentation.
Example JSON file:
[
{
"duration" : "4h",
"scope" : "ip",
"type" : "ban",
"value" : "1.2.3.5"
}
]
Example CSV file :
duration,scope,value
24h,ip,1.2.3.4
If you use the sqlite database backend, performance can be negatively impacted if you import a lot of decisions (> 10000 decisions).