Decisions management
info
Please see your local sudo cscli help decisions for up-to-date documentation.
List active decisions#
sudo cscli decisions listExample
sudo cscli decisions list+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+| ID | SOURCE | SCOPE:VALUE | REASON | ACTION | COUNTRY | AS | EVENTS | EXPIRATION | ALERT ID |+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+| 276009 | crowdsec | Ip:xx.93.x.xxx | crowdsecurity/telnet-bf | ban | CN | xxxxxxxx xxxxxxx Advertising | 7 | 2m53.949221341s | 33459 || | | | | | | Co.,Ltd. | | | || 276008 | crowdsec | Ip:xxx.53.xx.xxx | crowdsecurity/smb-bf | ban | BR | xxxxxxxxxx xxxxxxxxxxxxxxxx | 6 | 1m48.728998974s | 33458 || | | | | | | LTDA | | | |+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+SOURCE: the source of the decisions:crowdsec: decision from crowdsec agentcscli: decision fromcscli(manual decision)CAPI: decision from crowdsec API
SCOPE:VALUEis the target of the decisions :- "scope" : the scope of the decisions (
ip,range,user...) - "value" : the value to apply on the decisions (ip_addr, ip_range, username ...)
- "scope" : the scope of the decisions (
REASONis the scenario that was triggered (or human-supplied reason)ACTIONis the type of the decision (ban,captcha ...)COUNTRYandASare provided by GeoIP enrichment if presentEVENTSnumber of event that triggered this decisonEXPIRATIONis the time left on remediationALERT IDis the ID of the corresponding alert
Check command usage for additional filtering and output control flags.
Add a decision#
Ban an IP
sudo cscli decisions add -i 1.2.3.4info
- default
duration:4h - default
type:ban
Add a decision (ban) on IP
1.2.3.4for 24 hours, with reason 'web bruteforce'
sudo cscli decisions add --ip 1.2.3.4 --duration 24h --reason "web bruteforce"Add a decision (ban) on range
1.2.3.0/24for 4 hours, with reason 'web bruteforce'
sudo cscli decisions add --range 1.2.3.0/24 --reason "web bruteforce"Add a decision (captcha) on ip
1.2.3.4for 4hours (default duration), with reason 'web bruteforce'
sudo cscli decisions add --ip 1.2.3.4 --reason "web bruteforce" --type captchaDelete a decision#
delete the decision on IP
1.2.3.4
sudo cscli decisions delete --ip 1.2.3.4delete the decision on range 1.2.3.0/24
sudo cscli decisions delete --range 1.2.3.0/24caution
Please note that cscli decisions list will show you only the latest alert per given ip/scope.
However, several decisions targeting the same IP can exist. If you want to be sure to clear all decisions for a given ip/scope, use cscli decisions delete -i x.x.x.x
delete a decision by ID
sudo cscli decisions delete --id 74Delete all existing bans#
Flush all the existing bans
sudo cscli decisions delete --allcaution
This will as well remove any existing ban
Import decisions#
sudo cscli decisions import -i foo.csvYou can import a CSV or JSON file containing decisions directly with cscli.
The value field is mandatory and contains the target of the decision (ip, range, username, ...).
The following fields are optional:
duration: duration of the decisions, defaults to 4hreason: reason for the decisions, defaults tomanualorigin: source of the decisions, defaults tocsclitype: action to apply for the decision, defaults tobanscope: scope of the decision, default toip
All fields (except for value) can be overwritten by command-line arguments, you can see the list in the cli documentation.
Example JSON file:
[ { "duration" : "4h", "scope" : "ip", "type" : "ban", "value" : "1.2.3.5" }]Example CSV file :
duration,scope,value24h,ip,1.2.3.4caution
If you use the sqlite database backend, performance can be negatively impacted if you import a lot of decisions (> 10000 decisions).