Captcha reCAPTCHA is working - nginx bouncer - parser not working every time - I want captcha every time

Hi,
Is there an option to have a captcha every time?

My profiles.yaml looks like this:

```yaml
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
## Any scenario with http in its name will trigger a captcha challenge
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
    #duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
on_success: break
```

profiles.yaml

> > name: captcha_remediation
> > filters:
> >   - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
> > ## Any scenario with http in its name will trigger a captcha challenge
> > decisions:
> >  - type: captcha
> >    duration: 4h
> > on_success: break
> > ---
> > name: default_ip_remediation
> > filters:
> >  - Alert.Remediation == true && Alert.GetScope() == "Ip"
> > decisions:
> >  - type: ban
> >    duration: 4h
> > #duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
> > on_success: break
> > #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
> > # notifications:
> > #   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
> > #   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
> > #   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
> > #   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
root@vaultwarden:/etc/crowdsec/bouncers# ls
crowdsec-firewall-bouncer.yaml  crowdsec-firewall-bouncer.yaml.id  crowdsec-nginx-bouncer.conf

Captcha is working if I set it manually:
cscli decisions add --ip X.X.240.81 --type captcha

Parser Metrics:
╭───────────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├───────────────────────────────────────┼──────┼────────┼──────────┤
│ Dominic-Wagner/vaultwarden-logs │ 14 │ - │ 14 │
│ child-Dominic-Wagner/vaultwarden-logs │ 42 │ - │ 42 │
│ crowdsecurity/non-syslog │ 14 │ 14 │ - │
╰───────────────────────────────────────┴──────┴────────┴──────────╯

root@vaultwarden:/etc/crowdsec/parsers/s01-parse# cscli explain --file /var/lib/vaultwarden/data/access.log --type vaultwarden
WARN Line 0/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
WARN Line 1/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
WARN Line 2/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
WARN Line 3/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
WARN Line 4/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
WARN Line 5/6 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.
line: [2024-08-31 02:10:24.865][vaultwarden::util][WARN] Can’t connect to database, retrying: DieselCon.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: [CAUSE] BadConnection(
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: “connection to server at "localhost" (::1), port 5432 failed: Connection refused\n\tIs the server running on that host and accepting TCP/IP connections?\nconnection to server at "localhost" (127.0.0.1), port 5432 failed: Connection refused\n\tIs the server running on that host and accepting TCP/IP connections?\n”,
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: )
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: [2024-08-31 02:11:22.129][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: v@bdnej.de.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: [2024-08-31 02:11:28.562][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: v@bdnej.de.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: [2024-08-30 22:43:43.350][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 109.40.240.81. Username: test@test.de.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :green_circle: Dominic-Wagner/vaultwarden-logs (+11 ~2)
├ s02-enrich
| ├ :green_circle: crowdsecurity/dateparse-enrich (+2 ~2)
| ├ :green_circle: crowdsecurity/geoip-enrich (+13)
| ├ :red_circle: crowdsecurity/http-logs
| └ :green_circle: crowdsecurity/whitelists (unchanged)
├-------- parser success :green_circle:
├ Scenarios
:green_circle: Dominic-Wagner/vaultwarden-bf
:green_circle: Dominic-Wagner/vaultwarden-bf_user-enum

line: [2024-08-30 23:45:08.417][vaultwarden::util][WARN] Can’t connect to database, retrying: DieselCon.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: )
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:

line: [2024-08-31 00:58:28.644][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.83. Username: v@redbbb.de.
├ s00-raw
| ├ :red_circle: crowdsecurity/syslog-logs
| └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| ├ :red_circle: crowdsecurity/nginx-logs
| ├ :red_circle: crowdsecurity/sshd-logs
| └ :red_circle: Dominic-Wagner/vaultwarden-logs
└-------- parser failure :red_circle:
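
As an added illustration (not part of the original post and not CrowdSec code), the following Python model shows how the two profiles posted above route the scenarios that appear in the `cscli explain` output. It assumes profiles are evaluated top to bottom and that `on_success: break` stops at the first profile that applies; the `Alert` class, `pick_decisions`, `route_all` and the third scenario name are hypothetical.

```python
# Added illustration: a simplified model of CrowdSec profile matching.
# The filter logic mirrors the two profiles posted above; Alert and
# pick_decisions() are hypothetical helpers, not CrowdSec APIs.
from dataclasses import dataclass


@dataclass
class Alert:
    scenario: str
    scope: str = "Ip"
    remediation: bool = True


# Each profile: (name, filter predicate, decision type, on_success)
PROFILES = [
    ("captcha_remediation",
     lambda a: a.remediation and a.scope == "Ip" and "http" in a.scenario,
     "captcha", "break"),
    ("default_ip_remediation",
     lambda a: a.remediation and a.scope == "Ip",
     "ban", "break"),
]


def pick_decisions(alert, profiles=PROFILES):
    """Return [(profile_name, decision_type)] in evaluation order."""
    applied = []
    for name, matches, decision, on_success in profiles:
        if not matches(alert):
            continue
        applied.append((name, decision))
        if on_success == "break":
            break  # first matching profile wins
    return applied


# The first two names come from the cscli explain output above; the third
# is a constructed name containing "http", added for contrast.
SCENARIOS = [
    "Dominic-Wagner/vaultwarden-bf",
    "Dominic-Wagner/vaultwarden-bf_user-enum",
    "example/http-probing",
]


def route_all(scenarios=SCENARIOS):
    return {s: pick_decisions(Alert(s)) for s in scenarios}


if __name__ == "__main__":
    for scenario, decisions in route_all().items():
        print(f"{scenario:42} -> {decisions}")
```

Neither vaultwarden scenario name contains the substring `http`, so in this model both skip `captcha_remediation` and receive the `ban` decision from `default_ip_remediation`.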