How to use the bucket type counter

I have a question about the bucket type counter.

From the documentation I read “a bucket that only overflows every duration. It is especially useful to count things.”

type: counter
name: crowdsecurity/ban-reports-ssh_bf_report
description: "Count unique ips performing ssh bruteforce"
filter: "evt.Overflow.Scenario == 'ssh_bruteforce'"
distinct: "evt.Overflow.Source_ip"
capacity: -1
duration: 10m
labels:
  service: ssh

This example is also from the documentation. So what I understand is that the bucket will overflow every 10 minutes. But what about the count? Where and how can I use the count? Can I use it in the profile to ban someone who tried 100 logins in 10m? If yes, what would the entry in the profile look like? If not, how else can I use this bucket type?

Thanks in advance!

Is nobody here using this bucket type who can explain to me how to use the result of the overflow for decisions in the profile? Is it possible to read the count there and, if it’s greater than a specific value, ban the IP address?


Currently, the counter bucket is not in a satisfying bucket (technically speaking, as it’s not very accurate).
In terms of expected usage: the counter bucket overflows at a fixed interval, and its overflow can be consumed by another scenario, so "Can I use it in the profile to ban someone who tried 100 logins in 10m" should work.

It might be fixed in the coming releases, but I strongly advise not using it as is (it was not fixed before because it’s not very popular).

Thanks for your answer @thibault! Despite your advice, I would like to know how I could use the result of such an overflow. How about the overflow_filter? Would it be possible to use the count there and compare it against a fixed value to prevent an overflow in case it’s lower?

What does it mean, “it’s not very accurate”? Does it not count correctly?
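
Added example, not CrowdSec's code and not written by anyone in this thread: a toy Python model of the counter bucket quoted above (fixed `duration`, no capacity limit, `distinct` on the source IP) with a downstream threshold check on each overflow. It shows that with this `distinct` key the count is the number of unique IPs per window, not the number of attempts by one IP. Assumptions: a window opens on the first event poured into it, and `CounterBucket`, `run`, `SAMPLE` and the `source_ip` field are hypothetical names with constructed data.

```python
from datetime import datetime, timedelta

class CounterBucket:
    """Toy model of `type: counter`: never fills up, emits one overflow per `duration`."""
    def __init__(self, duration, distinct):
        self.duration = duration
        self.distinct = distinct      # extracts the de-duplication key from an event
        self.opened = None            # assumption: window starts at its first event
        self.seen = set()

    def pour(self, ts, event):
        """Pour one event; return overflows from a window that expired before `ts`."""
        out = []
        if self.opened is not None and ts - self.opened >= self.duration:
            out.append(self.flush())
        if self.opened is None:
            self.opened = ts
        self.seen.add(self.distinct(event))   # repeated keys are not counted again
        return out

    def flush(self):
        overflow = {"opened": self.opened, "count": len(self.seen)}
        self.opened, self.seen = None, set()
        return overflow

def run(events, duration=timedelta(minutes=10), threshold=3):
    """Feed events through the bucket; return (count, threshold_reached) per overflow."""
    bucket = CounterBucket(duration, distinct=lambda e: e["source_ip"])
    overflows = []
    for ts, ev in events:
        overflows += bucket.pour(ts, ev)
    if bucket.opened is not None:             # close the last open window
        overflows.append(bucket.flush())
    return [(o["count"], o["count"] >= threshold) for o in overflows]

# Constructed sample: each event stands for one ssh_bruteforce overflow.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = (
    # window 1: one IP seen five times, a second IP once -> 2 unique IPs
    [(T0 + timedelta(seconds=30 * i), {"source_ip": "192.0.2.10"}) for i in range(5)]
    + [(T0 + timedelta(minutes=3), {"source_ip": "192.0.2.11"})]
    # window 2: three different IPs, one event each -> 3 unique IPs
    + [(T0 + timedelta(minutes=12 + i), {"source_ip": f"198.51.100.{i}"}) for i in range(3)]
)

if __name__ == "__main__":
    for count, hit in run(SAMPLE):
        print(f"overflow: unique_ips={count} threshold_reached={hit}")
```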