Compact ban statistics

How can I see overall statistics for the number of banned IPs? cscli decisions list -all produces an incomprehensibly huge list. Can you somehow get a table of how many bans there were in a compact and understandable form?

Not as far as I know.
For my router, where I have a CrowdSec bouncer running, I built a detection for collecting all occurring blocks of IPs from the CrowdSec banlist.
At the moment it’s 160 to 240 different IPs per day. The logs on the web servers are much smaller now. 🙂

I may share my solution if asked for.


Hello,

cscli can output JSON, so you can use jq to parse the output.
For example:

  • To get the number of local decisions: cscli decisions list -o json | jq '[.[] | .decisions | .[]] | length '
  • To get the total numbers of decisions (local + CAPI): cscli decisions list -a -o json | jq '[.[] | .decisions | .[]] | length '
  • To get the number of decisions from CAPI only: cscli decisions list -a -o json | jq '[.[] | .decisions | .[] | select(.origin == "CAPI")] | length '
  • To get the number of decisions for the crowdsecurity/ssh-bf scenario: cscli decisions list -a -o json | jq '[.[] | .decisions | .[] | select(.scenario == "crowdsecurity/ssh-bf")] | length '
  • To get the number of decisions per scenario: cscli decisions list -a -o json | jq '[.[] | .decisions | .[]] | group_by(.scenario) | map({key: (.[] | .scenario), value: .|length}) | from_entries '
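
Added example, not part of either reply above and not CrowdSec's own code: a small Python script that turns the same JSON into the compact table the question asks for. It goes slightly beyond the jq one-liners by grouping on origin and scenario together. It assumes only the JSON shape those filters rely on (a top-level array whose items carry a `decisions` array with `origin` and `scenario`); the sample data is constructed.

```python
#!/usr/bin/env python3
"""Compact ban statistics from `cscli decisions list -a -o json` (added example)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape the jq filters above rely on.
SAMPLE = """[
  {"decisions": [{"origin": "crowdsec", "scenario": "crowdsecurity/ssh-bf"}]},
  {"decisions": [{"origin": "crowdsec", "scenario": "crowdsecurity/ssh-bf"}]},
  {"decisions": [{"origin": "CAPI", "scenario": "crowdsecurity/http-probing"},
                 {"origin": "CAPI", "scenario": "crowdsecurity/ssh-bf"}]},
  {"decisions": null}
]"""


def count_decisions(raw):
    """Return a Counter keyed by (origin, scenario)."""
    # Defensive assumption: treat empty input or a JSON `null` as "no decisions".
    alerts = json.loads(raw.strip() or "null") or []
    counts = Counter()
    for alert in alerts:
        for d in alert.get("decisions") or []:
            counts[(d.get("origin", "?"), d.get("scenario", "?"))] += 1
    return counts


def render_table(counts):
    """Format the counts as a fixed-width table, largest first, with a total."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    width = max([len(s) for (_, s), _ in rows] + [len("SCENARIO")])
    lines = [f"{'ORIGIN':<10} {'SCENARIO':<{width}} {'COUNT':>6}"]
    for (origin, scenario), n in rows:
        lines.append(f"{origin:<10} {scenario:<{width}} {n:>6}")
    lines.append(f"{'TOTAL':<10} {'':<{width}} {sum(counts.values()):>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real cscli output in, or run from a terminal to see the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(render_table(count_decisions(raw)))
```

Saved under a name of your choice (ban_stats.py here is hypothetical), it can be fed with: cscli decisions list -a -o json | python3 ban_stats.py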