Multiple alerts from the same IP (IPv6-masked IPv4 address) despite it should be blocked

[netchild]

What happened?

About those alerts:

| 5443 | Ip:::ffff:143.110.208.18 | baudneo/zoneminder_cve-2022-39290           | CA      | 14061 DIGITALOCEAN-ASN | ban:1     | 2025-02-10
10:51:04.386773421 +0000 UTC |
| 5440 | Ip:::ffff:143.110.208.18 | crowdsecurity/http-crawl-non_statics        | CA      | 14061 DIGITALOCEAN-ASN | ban:1     | 2025-02-10
10:10:25.369058954 +0000 UTC |
| 5439 | Ip:::ffff:143.110.208.18 | baudneo/zoneminder_cve-2022-39290           | CA      | 14061 DIGITALOCEAN-ASN | ban:1     | 2025-02-10
10:11:23.454881407 +0000 UTC |
| 5438 | Ip:::ffff:143.110.208.18 | crowdsecurity/apache_log4j2_cve-2021-44228  | CA      | 14061 DIGITALOCEAN-ASN | ban:1     | 2025-02-10 10:11:20.807191648 +0000 UTC |

Same IPv4, but IPv6 encoded. Given that the IP should have been blocked
already with the initial entry, shouldn't the subsequent entries not
show up at all because the first entry should have created a firewall
entry which blocked the second access? This IP is listed in the IPv4
part of the pf tables:

# pfctl -t crowdsec-blocklists -T show | grep 143.110.208.18
    143.110.208.18

Filter rules:

# pfctl -sr -v
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
   [ Evaluations: 128946919  Packets: 83108155  Bytes: 37415891319 
States: 0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
anchor "blacklistd/*" in on igb0 all
   [ Evaluations: 75632099  Packets: 0         Bytes: 0           States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block return in log quick on igb0 from <martians> to any
   [ Evaluations: 2310856   Packets: 1815      Bytes: 362938      States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block return in log quick on igb0 from <martians6> to any
   [ Evaluations: 2309041   Packets: 0         Bytes: 0           States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block return in log quick on igb0 from <bruteforce> to any
   [ Evaluations: 2309041   Packets: 0         Bytes: 0           States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block return out log quick on igb0 from any to <martians>
   [ Evaluations: 2309041   Packets: 0         Bytes: 0           States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block drop in quick from <crowdsec-blocklists> to any
   [ Evaluations: 75630290  Packets: 255       Bytes: 12932       States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]
block drop in quick from <crowdsec6-blocklists> to any
   [ Evaluations: 52655024  Packets: 0         Bytes: 0           States:
0     ]
   [ Inserted: uid 0 pid 0 State Creations: 0     ]

Entries without ::ffff: seem to be blocked correctly.

# crowdsec-cli alerts list | awk '{print $4}' | uniq -c | grep -v " 1 "
   32 Ip:::ffff:143.110.208.18

The questions which come up on my side are:

• Why is this not blocked and shows up multiple times?
• The address shows up in the crowdsec-blocklists (= IPv4), but doesn't seem to be blocked there. What is the IP path this comes into the system? Maybe via IPv6 maybe and should be in crowsdec6-blocklists (= IPv6, not listed there)?
• Is there a way to trace this IP back to a specific logfile? This could maybe allow me to trace back how this reaches the application in question.

What did you expect to happen?

Only 1 entry in the alerts, as the subsequent entries should have been blocked and as such not detected in access logs.

How can we reproduce it (as minimally and precisely as possible)?

No idea.

Anything else we need to know?

No response

Crowdsec version

This was with 1.6.4, since then I have upgraded but do not expect a change:

# cscli version
version: v1.6.5-d8dcdc91
Codename: alphaga
BuildDate: 2025-02-12_14:05:36
GoVersion: 1.23.6
Platform: freebsd
libre2: C++
User-Agent: crowdsec/v1.6.5-d8dcdc91-freebsd
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

FreeBSD -current (1 month old development snapshot), amd64 architecture, PF firewall

Enabled collections and parsers

# cscli hub list -o raw
Loaded: 133 parsers, 10 postoverflows, 751 scenarios, 8 contexts, 4 appsec-configs, 93 appsec-rules, 131 collections
name,status,version,description,type
andreasbrett/baikal-logs,enabled,0.1,Parse baikal logs,parsers
andreasbrett/paperless-ngx-logs,enabled,0.5,Parse paperless-ngx logs,parsers
baudneo/zoneminder-logs,enabled,0.2,"A parser for zoneminder web_php.log (Logins to DB/Web), now supports default PHP intl date format",parsers
crowdsecurity/apache2-logs,enabled,1.4,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/dovecot-logs,enabled,0.9,Parse dovecot logs,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/mysql-logs,enabled,0.4,Parse MySQL logs,parsers
crowdsecurity/nginx-logs,enabled,1.7,Parse nginx access and error logs,parsers
crowdsecurity/pgsql-logs,enabled,0.7,Parse PgSQL logs,parsers
crowdsecurity/postfix-logs,enabled,0.8,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.3,Parse postscreen logs,parsers
crowdsecurity/smb-logs,enabled,0.2,Parse SMB logs,parsers
crowdsecurity/sshd-logs,enabled,2.9,Parse openSSH logs,parsers
crowdsecurity/sshd-success-logs,enabled,0.1,Parse successful ssh logins,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
firewallservices/pf-logs,enabled,0.6,Parse packet filter logs,parsers
inherent-io/keycloak-logs,enabled,0.2,Parse keycloak logs,parsers
LePresidente/adguardhome-logs,enabled,0.3,Parse adguardhome logs,parsers
mstilkerich/bind9-logs,enabled,0.3,Parse bind9 logs,parsers
andreasbrett/baikal-bf,enabled,0.5,Detect Baikal bruteforce attacks,scenarios
andreasbrett/paperless-ngx-bf,enabled,0.3,Detect Paperless-ngx bruteforce attacks,scenarios
baudneo/zoneminder-bf,enabled,0.2,Detect ZoneMinder bruteforce,scenarios
baudneo/zoneminder_cve-2022-39285,enabled,0.2,Detect cve-2022-39285 exploitation attempts,scenarios
baudneo/zoneminder_cve-2022-39290,enabled,0.2,Detect cve-2022-39290 exploitation attempts,scenarios
baudneo/zoneminder_cve-2022-39291,enabled,0.2,Detect cve-2022-39291 exploitation attempts,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/dovecot-spam,enabled,0.5,detect errors on dovecot,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.7,Detect WordPress bruteforce on admin interface,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-dos-bypass-cache,enabled,0.5,Detect DoS tools bypassing cache every request,scenarios
crowdsecurity/http-dos-invalid-http-versions,enabled,0.7,Detect DoS tools using invalid HTTP versions,scenarios
crowdsecurity/http-dos-random-uri,enabled,0.4,Detect DoS tools using random uri,scenarios
crowdsecurity/http-dos-switching-ua,enabled,0.5,Detect DoS tools switching user-agent too fast,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.3,Detect WordPress probing: authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.3,Detect WordPress probing: variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/impossible-travel,enabled,0.2,Detect Impossible Travel,scenarios
crowdsecurity/impossible-travel-user,enabled,0.1,impossible travel user,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/mysql-bf,enabled,0.2,Detect mysql bruteforce,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pgsql-bf,enabled,0.2,Detect PgSQL bruteforce,scenarios
crowdsecurity/postfix-helo-rejected,enabled,0.1,Detect HELO rejections,scenarios
crowdsecurity/postfix-non-smtp-command,enabled,0.1,Detect scanning of postfix service through non-SMTP commands,scenarios
crowdsecurity/postfix-relay-denied,enabled,0.1,Detect multiple open relay attempts,scenarios
crowdsecurity/postfix-spam,enabled,0.4,Detect spammers,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/smb-bf,enabled,0.2,Detect smb bruteforce,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
firewallservices/pf-scan-multi_ports,enabled,0.5,Detect aggressive portscans (pf),scenarios
inherent-io/keycloak-bf,enabled,0.3,Detect keycloak bruteforce,scenarios
inherent-io/keycloak-slow-bf,enabled,0.3,Detect keycloak bruteforce,scenarios
LePresidente/adguardhome-bf,enabled,0.2,Detect AdGuardHome bruteforce attacks,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
mstilkerich/bind9-refused,enabled,0.2,Act on queries / zone transfers denied by bind9 policy,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/firewall_base,enabled,0.2,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
andreasbrett/baikal,enabled,0.1,Baikal support: parser and brute-force detection,collections
andreasbrett/paperless-ngx,enabled,0.1,Paperless-ngx support: parser and brute-force detection,collections
baudneo/zoneminder,enabled,0.2,"ZoneMinder bruteforce login, user enum and cve  protection",collections
baudneo/zoneminder_http-cve,enabled,0.1,ZoneMinder CVE protection,collections
crowdsecurity/base-http-scenarios,enabled,1.0,http common : scanners detection,collections
crowdsecurity/dovecot,enabled,0.1,dovecot support : parser and spammer detection,collections
crowdsecurity/freebsd,enabled,0.3,core freebsd support : syslog+geoip+ssh,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/http-dos,enabled,0.2,,collections
crowdsecurity/mysql,enabled,0.1,mysql support : logs and brute-force scenarios,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/pgsql,enabled,0.1,postgres support : logs and brute-force scenarios,collections
crowdsecurity/postfix,enabled,0.4,postfix support : parser and spammer detection,collections
crowdsecurity/smb,enabled,0.1,smb support : parser and brute-force scenario,collections
crowdsecurity/sshd,enabled,0.5,sshd support : parser and brute-force detection,collections
crowdsecurity/sshd-impossible-travel,enabled,0.1,sshd success: parser and impossible travel,collections
crowdsecurity/wordpress,enabled,0.5,wordpress: Bruteforce protection and config probing,collections
firewallservices/pf,enabled,0.2,Parser and scenario for Packet Filter logs,collections
inherent-io/keycloak,enabled,0.2,Keycloak support : parser and brute-force detection,collections
LePresidente/adguardhome,enabled,0.1,AdGuardHome Support : parser and brute-force detection,collections
mstilkerich/bind9,enabled,0.1,bind9 support : security policy violations detection,collections

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

[github-actions]

@netchild: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.