Confusion about "IP belongs to the CrowdSec Community Blocklist"

I am new to crowdsec and over this past weekend, I set up CrowdSec on my homelab running caddy and authelia. It seems to be working well, detecting a few alerts a day and banning the IPs (I have it set for the default 4h). I have also manually added an IP and confirmed that IPs are being banned properly.

When I do get an alert, I have been looking them up in the CrowdSec Threat Intelligence are of the website. When I do so, I see this:
image
On the “Blocklists containing this IP” section, I also see that it belongs to the ‘Firehol greensnow.co’ list which I subscribe to as part of one of my 3 free tier allowances. So far, every alert I have received says the IP belongs to the community blocklist.

Am I misunderstanding something?

The confusion may arise when you join the CrowdSec network you get IP’s based on the scenario you are reporting, however, to make it fair to users that have been apart of the network for a long time is new joiners receive a limited list and will download the bigger list over time as long as they are actively reporting and contributing to the network.

Interesting. Is that true for the third-party lists as well? Some of the IPs I am seeing alerts on are reported to be in the greensnow list as well.

How long to do you have to be participating until you get the full lists for the scenarios/collections you have (in my case, caddy and authelia)?

For a newbie, it’s very difficult to know whether my setup is functioning correctly…

No you should get all IP’s in a third party list, depending on your remediation (if only caddy) then it not 100% blocking the IP address it still responds with a 403 response code meaning it will end up in the logs again, meaning it can re-trigger scenarios.