How to work out why a ban occurred

Hi, I’ve been using crowdsec for a while now on our inbound haproxy. It seems to be working ok apart from occasional bans affecting client IPs. We run an rmm system and we have a fairly high level of inbound web activity. It’s pretty consistent though as the agents always do the same stuff.

I’d like to know how I work out why a particular ban occurred.

The other day a ban affected one of our biggest clients. ‘cscli decisions list’ reported reason: crowdsecurity/http-probing
Apart from crowdsec-firewall-bouncer.log, none of the crowdsec logs in /var/logs contained anything at all. The crowdsec-firewall-bouncer log just had the usual messages about ‘x decisions added’, nothing else.

I’ve searched on the site but can’t find anything which explains http-probing, so I can’t work out what crowdsec means by that.

Hello,

You can find the definition of all scenarios in the hub: https://hub.crowdsec.net/.

The HTTP-probing scenario is here: CrowdSec Hub.

It triggers when a client generates too many 400, 403 or 404 errors.

You can also get more info about a decision by getting its id (from cscli decisions list) and running cscli alerts inspect -d THE_ID (note that this will only contain metadata about the attack; you’ll also probably want to grep the IP that was banned in your log to see exactly what kind of requests it did).
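As an added example (not from this thread and not CrowdSec's own code), a small Python triage script for the manual step suggested above: it parses HAProxy `option httplog` lines, lists every request a given client IP made, and tallies the 400/403/404 responses per client so you can see which client looked like a prober. The sample log lines and the threshold of 3 are constructed assumptions; the real scenario's bucket parameters live in its YAML on the hub.

```python
"""Triage helper for an http-probing decision: which requests did a client
make, and how many of them drew the 400/403/404 responses the scenario
counts?  Input is HAProxy "option httplog" lines (constructed samples)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in HAProxy's default httplog shape, not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 lb haproxy[812]: 203.0.113.5:51234 [03/Mar/2024:10:00:01.101] fe_http be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "GET /old/index.php HTTP/1.1"
Mar  3 10:00:01 lb haproxy[812]: 203.0.113.5:51235 [03/Mar/2024:10:00:01.204] fe_http be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "GET /backup/ HTTP/1.1"
Mar  3 10:00:02 lb haproxy[812]: 203.0.113.5:51236 [03/Mar/2024:10:00:02.010] fe_http be_web/srv1 0/0/1/2/3 403 512 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
Mar  3 10:00:02 lb haproxy[812]: 198.51.100.20:40001 [03/Mar/2024:10:00:02.500] fe_http be_web/srv1 0/0/1/2/3 200 9812 - - ---- 1/1/0/0/0 0/0 "POST /agent/checkin HTTP/1.1"
Mar  3 10:00:03 lb haproxy[812]: 198.51.100.20:40002 [03/Mar/2024:10:00:03.120] fe_http be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "GET /agent/plugin-v2 HTTP/1.1"
Mar  3 10:00:03 lb haproxy[812]: 203.0.113.5:51237 [03/Mar/2024:10:00:03.900] fe_http be_web/srv1 0/0/1/2/3 400 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"
"""

# client_ip:port [date] frontend backend/server timers status bytes cookies term conns queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[[^\]]+\] \S+ \S+ \S+ (?P<status>-?\d+) '
    r'\S+ \S+ \S+ \S+ \S+ \S+ "(?P<req>[^"]*)"'
)
PROBING_STATUSES = {"400", "403", "404"}  # the codes the hub page says the scenario counts


def parse(lines):
    """Yield (client_ip, status, request) for every line that matches httplog."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("status"), m.group("req")


def requests_from(lines, ip):
    """The 'grep the banned IP' step: every request a given client made."""
    return [f"{status} {req}" for cip, status, req in parse(lines) if cip == ip]


def probing_summary(lines, threshold):
    """Per-IP tally of 400/403/404 responses for clients reaching `threshold`.
    The threshold is an assumption for illustration; the real scenario uses a
    leaky bucket whose capacity and leak speed are set in its YAML on the hub."""
    tally = defaultdict(Counter)
    for ip, status, _ in parse(lines):
        if status in PROBING_STATUSES:
            tally[ip][status] += 1
    return {ip: c for ip, c in tally.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, counts in probing_summary(lines, threshold=3).items():
        print(f"{ip}: {dict(counts)}", requests_from(lines, ip))
```

Feed it your real haproxy log instead of SAMPLE_LOG to see what the banned client actually requested around the time of the alert.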

The explanation on the hub really doesn’t say what the scenario is picking up on, but the cscli alerts inspect command works perfectly.

But the output is inconsistent with what I thought my config should be permitting. So, I’ll open another topic for that.

thanks for the help.