LePresidente/http-generic-401-bf -> false positive & where does this role come from?


We repeatedly had some false positives: IPs that were blocked upon decision “LePresidente/http-generic-401-bf”.
Where does this decision/role come from? I did not select the repository “LePresidente” when installing CrowdSec. And how can I remove this pattern? I found how to unblock the IP/decision on the host, but I don’t want to have the reason “LePresidente/http-generic-401-bf” installed.
Can someone please explain what it does?

I also marked as “false positive” in the backend…


OK, found that rule now here:


Alert when a single IP that try to bruteforce http basic auth.
Leakspeed of 10s, capacity of 5.

Well, that’s not bad :wink: But the name/source is confusing…

I’ll close this request now.
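
The rule description quoted above (capacity 5, leakspeed 10s) can be replayed over a sample of HTTP 401 events to see which clients would trip it. This is an added example, not part of the original thread and not CrowdSec's own code. It assumes a simplified leaky bucket (one event drains every leakspeed seconds, overflow on the event that would exceed capacity), and the events and IPs are constructed.

```python
from collections import defaultdict

LEAKSPEED = 10.0  # seconds for one event to leak out (from the rule description)
CAPACITY = 5      # events a bucket holds before it overflows (from the rule description)

# Constructed sample events: (timestamp in seconds, source IP, HTTP status).
SAMPLE_EVENTS = (
    # Client retrying with stale credentials: six 401s in five seconds.
    [(t, "192.0.2.10", 401) for t in range(0, 6)]
    # User mistyping a password now and then: one 401 every 15 seconds.
    + [(t, "192.0.2.20", 401) for t in range(0, 90, 15)]
    # Normal authenticated traffic: never counted.
    + [(t, "192.0.2.30", 200) for t in range(0, 10)]
    # Steady failures every 3 seconds: slower, but still faster than the leak.
    + [(t, "192.0.2.40", 401) for t in range(0, 30, 3)]
)


def find_overflows(events, leakspeed=LEAKSPEED, capacity=CAPACITY):
    """Return [(timestamp, ip)] for every 401 that overflows its IP's bucket.

    Simplified model (assumption): one bucket per source IP, drained
    continuously at 1 event per `leakspeed` seconds, emptied after an overflow.
    """
    level = defaultdict(float)  # current fill level per IP
    last_seen = {}              # timestamp of the previous 401 per IP
    overflows = []
    for ts, ip, status in sorted(events):
        if status != 401:
            continue
        if ip in last_seen:
            leaked = (ts - last_seen[ip]) / leakspeed
            level[ip] = max(0.0, level[ip] - leaked)
        last_seen[ip] = ts
        if level[ip] + 1 > capacity:
            overflows.append((ts, ip))
            level[ip] = 0.0     # start a fresh bucket after the alert
        else:
            level[ip] += 1
    return overflows


if __name__ == "__main__":
    for ts, ip in find_overflows(SAMPLE_EVENTS):
        print(f"t={ts}s overflow for {ip}")
```

In this model the retrying client overflows on its sixth 401, which is the kind of non-malicious burst that can show up as a false positive, while the occasional mistyped password never fills the bucket.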