cscli decisions import doesn't check allowlist for ranges

[hampoelz]

What happened?

According to the changelog of v1.6.9, the allowlists should be checked during bulk decision import. However, according to my tests, this isn't the case.

What did you expect to happen?

IPs that are covered by an allowlist shouldn't be imported.

How can we reproduce it (as minimally and precisely as possible)?

root@hampoelz:~# cscli allowlist create local -d "Local IP ranges"
allowlist 'local' created successfully
root@hampoelz:~# cscli allowlist add local 172.16.0.0/12
added 1 values to allowlist local
root@hampoelz:~# cscli allowlists check 172.18.0.6
172.18.0.6 is allowlisted by item 172.16.0.0/12 from local
root@hampoelz:~# cscli decisions list --ip 172.18.0.6
No active decisions
root@hampoelz:~# echo "scope,value" > "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# echo "range,172.16.0.0/12" >> "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# cscli decisions import --input "${BLOCKLIST_CSV_FILE}" --format csv --duration 24h --type ban
Parsing csv
Imported 1 decisions
root@hampoelz:~# cscli decisions list --ip 172.18.0.6
╭──────────┬──────────────┬─────────────────────┬────────┬────────┬─────────┬────┬────────┬────────────┬──────────╮
│    ID    │    Source    │     Scope:Value     │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├──────────┼──────────────┼─────────────────────┼────────┼────────┼─────────┼────┼────────┼────────────┼──────────┤
│ 86225126 │ cscli-import │ Range:172.16.0.0/12 │ manual │ ban    │         │    │ 1      │ 23h59m37s  │ 86662    │
╰──────────┴──────────────┴─────────────────────┴────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
root@hampoelz:~#

Anything else we need to know?

For non-batch imports, the allowlist is successfully checked:

root@hampoelz:~# cscli decisions add --ip 172.18.0.6
Error: 172.18.0.6 is allowlisted by item 172.16.0.0/12 from local, use --bypass-allowlist to add the decision anyway

Crowdsec version

root@hampoelz:~# cscli version
version: v1.6.10-79870769
Codename: alphaga
BuildDate: 2025-07-10_15:07:05
GoVersion: 1.24.5
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.10-79870769-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

root@hampoelz:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Enabled collections and parsers

root@hampoelz:~# cscli hub list -o raw
Loaded: 143 parsers, 10 postoverflows, 764 scenarios, 8 contexts, 4 appsec-configs, 117 appsec-rules, 139 collections
name,status,version,description,type
crowdsecurity/appsec-logs,enabled,0.5,Parse Appsec events,parsers
crowdsecurity/caddy-logs,enabled,1.1,Parse caddy logs,parsers
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nextcloud-logs,enabled,0.4,Parse nextcloud logs,parsers
crowdsecurity/nextcloud-whitelist,enabled,2.2,Whitelist events from nextcloud,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.0,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.3,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/appsec-generic-test,enabled,0.2,Crowdsec Generic Test Scenario for AppSec: generate an alert for appsec out of band rule for testing,scenarios
crowdsecurity/appsec-native,enabled,0.1,Identify attacks flagged by CrowdSec AppSec via native rules,scenarios
crowdsecurity/appsec-vpatch,enabled,0.6,Identify attacks flagged by CrowdSec AppSec,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.3,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nextcloud-bf,enabled,0.3,Detect Nextcloud bruteforce,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/appsec_base,enabled,1.0,,contexts
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/appsec-default,enabled,0.4,,appsec-configs
crowdsecurity/generic-rules,enabled,0.4,,appsec-configs
crowdsecurity/virtual-patching,enabled,0.4,,appsec-configs
crowdsecurity/appsec-generic-test,enabled,0.3,AppSec Generic Test: trigger on GET /crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`,appsec-rules
crowdsecurity/base-config,enabled,0.1,,appsec-rules
crowdsecurity/experimental-no-user-agent,enabled,0.1,Protect against no user agent,appsec-rules
crowdsecurity/generic-freemarker-ssti,enabled,0.3,Generic FreeMarker SSTI,appsec-rules
crowdsecurity/generic-wordpress-uploads-listing,enabled,0.2,Protect Wordpress uploads directory from listing files,appsec-rules
crowdsecurity/generic-wordpress-uploads-php,enabled,0.1,Detect php execution in wordpress uploads directory,appsec-rules
crowdsecurity/vpatch-connectwise-auth-bypass,enabled,0.3,Detect exploitation of auth bypass in ConnectWise ScreenConnect,appsec-rules
crowdsecurity/vpatch-CVE-2002-1131,enabled,0.1,"Detects XSS attempts in SquirrelMail 1.2.6/1.2.7 via unsanitized input in addressbook, options, search, and help modules.",appsec-rules
crowdsecurity/vpatch-CVE-2007-0885,enabled,0.1,Detects XSS vulnerability in Jira Rainbow.Zen via the id parameter in BrowseProject.jspa.,appsec-rules
crowdsecurity/vpatch-CVE-2017-9841,enabled,0.3,PHPUnit RCE (CVE-2017-9841),appsec-rules
crowdsecurity/vpatch-CVE-2018-1000861,enabled,0.1,Jenkins - RCE (CVE-2018-1000861),appsec-rules
crowdsecurity/vpatch-CVE-2018-10562,enabled,0.2,Dasan GPON RCE (CVE-2018-10562),appsec-rules
crowdsecurity/vpatch-CVE-2018-13379,enabled,0.2,Fortinet FortiOS - Credentials Disclosure (CVE-2018-13379),appsec-rules
crowdsecurity/vpatch-CVE-2018-20062,enabled,0.1,ThinkPHP - RCE (CVE-2018-20062),appsec-rules
crowdsecurity/vpatch-CVE-2019-1003030,enabled,0.1,Jenkins - RCE (CVE-2019-1003030),appsec-rules
crowdsecurity/vpatch-CVE-2019-12989,enabled,0.3,Citrix SQLi (CVE-2019-12989),appsec-rules
crowdsecurity/vpatch-CVE-2019-18935,enabled,0.1,Telerik - RCE (CVE-2019-18935),appsec-rules
crowdsecurity/vpatch-CVE-2020-11738,enabled,0.6,Wordpress Snap Creek Duplicator - Path Traversal (CVE-2020-11738),appsec-rules
crowdsecurity/vpatch-CVE-2020-17496,enabled,0.1,vBulletin RCE (CVE-2020-17496),appsec-rules
crowdsecurity/vpatch-CVE-2020-5902,enabled,0.1,F5 BIG-IP TMUI - RCE (CVE-2020-5902),appsec-rules
crowdsecurity/vpatch-CVE-2020-9054,enabled,0.1,Detects pre-authentication command injection in Zyxel NAS devices via weblogin.cgi,appsec-rules
crowdsecurity/vpatch-CVE-2021-22941,enabled,0.3,Citrix RCE (CVE-2021-22941),appsec-rules
crowdsecurity/vpatch-CVE-2021-26086,enabled,0.1,Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086),appsec-rules
crowdsecurity/vpatch-CVE-2021-26294,enabled,0.1,Detects unauthorized access to AfterLogic Aurora/WebMail Pro WebDAV endpoint using default caldav_public_user credentials and path traversal.,appsec-rules
crowdsecurity/vpatch-CVE-2021-3129,enabled,0.4,Laravel with Ignition Debug Mode RCE (CVE-2021-3129),appsec-rules
crowdsecurity/vpatch-CVE-2021-43798,enabled,0.3,Grafana Arbitrary File Read (CVE-2021-43798),appsec-rules
crowdsecurity/vpatch-CVE-2021-44529,enabled,0.2,Detects code injection in Ivanti EPM CSA via cookie manipulation (CVE-2021-44529),appsec-rules
crowdsecurity/vpatch-CVE-2022-1388,enabled,0.1,Detects F5 BIG-IP iControl REST authentication bypass and RCE via crafted POST to /mgmt/tm/util/bash with X-F5-Auth-Token header.,appsec-rules
crowdsecurity/vpatch-CVE-2022-22954,enabled,0.2,VMWare Workspace ONE Access RCE (CVE-2022-22954),appsec-rules
crowdsecurity/vpatch-CVE-2022-22965,enabled,0.2,Spring4Shell - RCE (CVE-2022-22965),appsec-rules
crowdsecurity/vpatch-CVE-2022-25488,enabled,0.4,Atom CMS - SQLi (CVE-2022-25488),appsec-rules
crowdsecurity/vpatch-CVE-2022-26134,enabled,0.2,Confluence - RCE (CVE-2022-26134),appsec-rules
crowdsecurity/vpatch-CVE-2022-27926,enabled,0.4,Zimbra Collaboration XSS (CVE-2022-27926),appsec-rules
crowdsecurity/vpatch-CVE-2022-35914,enabled,0.5,GLPI RCE (CVE-2022-35914),appsec-rules
crowdsecurity/vpatch-CVE-2022-41082,enabled,0.1,Microsoft Exchange - RCE (CVE-2022-41082),appsec-rules
crowdsecurity/vpatch-CVE-2022-44877,enabled,0.2,CentOS Web Panel 7 RCE (CVE-2022-44877),appsec-rules
crowdsecurity/vpatch-CVE-2022-46169,enabled,0.5,Cacti RCE (CVE-2022-46169),appsec-rules
crowdsecurity/vpatch-CVE-2023-0297,enabled,0.1,"Detects pre-auth remote code execution in PyLoad via code injection in the ""jk"" parameter of /flash/addcrypted2.",appsec-rules
crowdsecurity/vpatch-CVE-2023-1389,enabled,0.1,TP-Link Archer AX21 - RCE (CVE-2023-1389),appsec-rules
crowdsecurity/vpatch-CVE-2023-20198,enabled,0.6,CISCO IOS XE Account Creation (CVE-2023-20198),appsec-rules
crowdsecurity/vpatch-CVE-2023-22515,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-22515),appsec-rules
crowdsecurity/vpatch-CVE-2023-22527,enabled,0.2,RCE using SSTI in Confluence (CVE-2023-22527),appsec-rules
crowdsecurity/vpatch-CVE-2023-23752,enabled,0.1,Joomla! Webservice - Password Disclosure (CVE-2023-23752),appsec-rules
crowdsecurity/vpatch-CVE-2023-24489,enabled,0.2,Citrix ShareFile RCE (CVE-2023-24489),appsec-rules
crowdsecurity/vpatch-CVE-2023-28121,enabled,0.1,WooCommerce auth bypass (CVE-2023-28121),appsec-rules
crowdsecurity/vpatch-CVE-2023-33617,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-33617),appsec-rules
crowdsecurity/vpatch-CVE-2023-34362,enabled,0.6,MOVEit Transfer RCE (CVE-2023-34362),appsec-rules
crowdsecurity/vpatch-CVE-2023-35078,enabled,0.1,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35078),appsec-rules
crowdsecurity/vpatch-CVE-2023-35082,enabled,0.2,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35082),appsec-rules
crowdsecurity/vpatch-CVE-2023-3519,enabled,0.3,Citrix RCE (CVE-2023-3519),appsec-rules
crowdsecurity/vpatch-CVE-2023-38205,enabled,0.3,Adobe ColdFusion Access Control Bypass (CVE-2023-38205),appsec-rules
crowdsecurity/vpatch-CVE-2023-40044,enabled,0.3,WS_FTP .NET deserialize RCE (CVE-2023-40044),appsec-rules
crowdsecurity/vpatch-CVE-2023-42793,enabled,0.3,JetBrains Teamcity Auth Bypass (CVE-2023-42793),appsec-rules
crowdsecurity/vpatch-CVE-2023-46805,enabled,0.4,Ivanti Connect Auth Bypass (CVE-2023-46805),appsec-rules
crowdsecurity/vpatch-CVE-2023-47218,enabled,0.2,QNAP QTS - RCE (CVE-2023-47218),appsec-rules
crowdsecurity/vpatch-CVE-2023-49070,enabled,0.1,Apache OFBiz - RCE (CVE-2023-49070),appsec-rules
crowdsecurity/vpatch-CVE-2023-50164,enabled,0.6,Apache Struts2 Path Traversal (CVE-2023-50164),appsec-rules
crowdsecurity/vpatch-CVE-2023-6553,enabled,0.1,Backup Migration plugin for WordPress RCE (CVE-2023-6553),appsec-rules
crowdsecurity/vpatch-CVE-2023-7028,enabled,0.2,Gitlab Password Reset Account Takeover (CVE-2023-7028),appsec-rules
crowdsecurity/vpatch-CVE-2024-0012,enabled,0.1,PanOS - Authentication Bypass (CVE-2024-0012),appsec-rules
crowdsecurity/vpatch-CVE-2024-1212,enabled,0.3,Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212),appsec-rules
crowdsecurity/vpatch-CVE-2024-22024,enabled,0.1,Ivanti Connect Secure - XXE (CVE-2024-22024),appsec-rules
crowdsecurity/vpatch-CVE-2024-23897,enabled,0.4,Jenkins CLI RCE (CVE-2024-23897),appsec-rules
crowdsecurity/vpatch-CVE-2024-27198,enabled,0.5,Teamcity - Authentication Bypass (CVE-2024-27198),appsec-rules
crowdsecurity/vpatch-CVE-2024-27292,enabled,0.2,Local File Inclusion - Docassemble,appsec-rules
crowdsecurity/vpatch-CVE-2024-27348,enabled,0.1,Apache HugeGraph-Server - RCE (CVE-2024-27348),appsec-rules
crowdsecurity/vpatch-CVE-2024-27564,enabled,0.3,Detects SSRF attack via pictureproxy.php in ChatGPT application,appsec-rules
crowdsecurity/vpatch-CVE-2024-27954,enabled,0.1,WP Automatic - Path Traversal (CVE-2024-27954),appsec-rules
crowdsecurity/vpatch-CVE-2024-27956,enabled,0.1,WordPress Automatic Plugin - SQLi (CVE-2024-27956),appsec-rules
crowdsecurity/vpatch-CVE-2024-28255,enabled,0.1,OpenMetadata - Authentication Bypass (CVE-2024-28255),appsec-rules
crowdsecurity/vpatch-CVE-2024-28987,enabled,0.1,SolarWinds WHD Hardcoded Credentials (CVE-2024-28987),appsec-rules
crowdsecurity/vpatch-CVE-2024-29824,enabled,0.1,Ivanti EPM - SQLi (CVE-2024-29824),appsec-rules
crowdsecurity/vpatch-CVE-2024-29849,enabled,0.5,Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849),appsec-rules
crowdsecurity/vpatch-CVE-2024-29973,enabled,0.1,Zyxel - RCE (CVE-2024-29973),appsec-rules
crowdsecurity/vpatch-CVE-2024-32113,enabled,0.1,Apache OFBiz - Path Traversal (CVE-2024-32113),appsec-rules
crowdsecurity/vpatch-CVE-2024-3272,enabled,0.1,D-Link NAS - RCE (CVE-2024-3272),appsec-rules
crowdsecurity/vpatch-CVE-2024-3273,enabled,0.1,D-LINK NAS Command Injection (CVE-2024-3273),appsec-rules
crowdsecurity/vpatch-CVE-2024-32870,enabled,0.1,Detects unauthorized access to iTop Hub Connector information disclosure endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2024-34102,enabled,0.1,Adobe Commerce & Magento - XXE (CVE-2024-34102),appsec-rules
crowdsecurity/vpatch-CVE-2024-38816,enabled,0.2,Spring - Path Traversal (CVE-2024-38816),appsec-rules
crowdsecurity/vpatch-CVE-2024-38856,enabled,0.1,Apache OFBiz Incorrect Authorization (CVE-2024-38856),appsec-rules
crowdsecurity/vpatch-CVE-2024-41713,enabled,0.2,Mitel MiCollab - Path Traversal (CVE-2024-41713),appsec-rules
crowdsecurity/vpatch-CVE-2024-4577,enabled,0.1,PHP CGI Command Injection - CVE-2024-4577,appsec-rules
crowdsecurity/vpatch-CVE-2024-51378,enabled,0.1,Cyberpanel - RCE (CVE-2024-51378),appsec-rules
crowdsecurity/vpatch-CVE-2024-51567,enabled,0.1,CyberPanel RCE (CVE-2024-51567),appsec-rules
crowdsecurity/vpatch-CVE-2024-52301,enabled,0.1,Laravel - Parameter Injection (CVE-2024-52301),appsec-rules
crowdsecurity/vpatch-CVE-2024-57727,enabled,0.4,Detects unauthenticated path traversal attempts targeting SimpleHelp <= 5.5.7,appsec-rules
crowdsecurity/vpatch-CVE-2024-6205,enabled,0.2,PayPlus Payment Gateway WordPress plugin - SQL Injection (CVE-2024-6205),appsec-rules
crowdsecurity/vpatch-CVE-2024-7593,enabled,0.1,Ivanti vTM - Authentication Bypass (CVE-2024-7593),appsec-rules
crowdsecurity/vpatch-CVE-2024-8190,enabled,0.1,Ivanti Cloud Services Appliance - RCE (CVE-2024-8190),appsec-rules
crowdsecurity/vpatch-CVE-2024-8963,enabled,0.2,Ivanti CSA - Path Traversal (CVE-2024-8963),appsec-rules
crowdsecurity/vpatch-CVE-2024-9465,enabled,0.2,Palo Alto Expedition - SQL Injection (CVE-2024-9465),appsec-rules
crowdsecurity/vpatch-CVE-2024-9474,enabled,0.3,PanOS - Privilege Escalation (CVE-2024-9474),appsec-rules
crowdsecurity/vpatch-CVE-2025-24893,enabled,0.2,Detects arbitrary remote code execution vulnerability in XWiki via SolrSearch.,appsec-rules
crowdsecurity/vpatch-CVE-2025-28367,enabled,0.1,Detects directory traversal in mojoPortal BetterImageGallery API Controller (CVE-2025-28367),appsec-rules
crowdsecurity/vpatch-CVE-2025-29306,enabled,0.1,Detects FoxCMS v1.2.5 RCE via malicious id parameter in /images/index.html,appsec-rules
crowdsecurity/vpatch-CVE-2025-29927,enabled,0.1,Next.js Middleware Bypass - (CVE-2025-29927),appsec-rules
crowdsecurity/vpatch-CVE-2025-31161,enabled,0.1,Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint access.,appsec-rules
crowdsecurity/vpatch-CVE-2025-31324,enabled,0.1,SAP NetWeaver - File Upload (CVE-2025-31324),appsec-rules
crowdsecurity/vpatch-CVE-2025-3248,enabled,0.1,Detects unauthenticated remote code execution in Langflow via /api/v1/validate/code endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-49113,enabled,0.1,Detects arbitrary remote code execution vulnerability via PHP Object Deserialization in Roundcube,appsec-rules
crowdsecurity/vpatch-env-access,enabled,0.2,Detect access to .env files,appsec-rules
crowdsecurity/vpatch-git-config,enabled,0.4,Detect access to .git files,appsec-rules
crowdsecurity/vpatch-laravel-debug-mode,enabled,0.3,Detect bots exploiting laravel debug mode,appsec-rules
crowdsecurity/vpatch-symfony-profiler,enabled,0.1,Detect abuse of symfony profiler,appsec-rules
crowdsecurity/appsec-generic-rules,enabled,1.0,A collection of generic attack vectors for additional protection.,collections
crowdsecurity/appsec-virtual-patching,enabled,7.3,"a generic virtual patching collection, suitable for most web servers.",collections
crowdsecurity/base-http-scenarios,enabled,1.2,http common : scanners detection,collections
crowdsecurity/caddy,enabled,0.1,caddy support : parser and generic http scenarios,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.3,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nextcloud,enabled,0.3,Nextcloud support : parser and brute-force detection,collections
crowdsecurity/sshd,enabled,0.7,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.2,Good actors whitelists,collections

Acquisition config

No response

Config show

root@hampoelz:~# cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Notification Folder    : /etc/crowdsec/notifications
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 168h0m0s
      - Flush size          : 5000

Prometheus metrics

root@hampoelz:~# cscli metrics
╭───────────────────────────────────────────────────────────────────────╮
│ Local API Alerts                                                      │
├───────────────────────────────────────────────────────────────┬───────┤
│ Reason                                                        │ Count │
├───────────────────────────────────────────────────────────────┼───────┤
│ import /var/lib/crowdsec/data/blocklist.HLqVkf6aGc: 1 IPs     │ 1     │
╰───────────────────────────────────────────────────────────────┴───────╯
╭────────────────────────────────────────────────────────────────────────────╮
│ Local API Decisions                                                        │
├────────────────────────────────────────────┬──────────────┬────────┬───────┤
│ Reason                                     │ Origin       │ Action │ Count │
├────────────────────────────────────────────┼──────────────┼────────┼───────┤
│ manual                                     │ cscli-import │ ban    │ 1     │
╰────────────────────────────────────────────┴──────────────┴────────┴───────╯
╭─────────────────────────────────────────────────╮
│ Local API Metrics                               │
├─────────────────────────────────┬────────┬──────┤
│ Route                           │ Method │ Hits │
├─────────────────────────────────┼────────┼──────┤
│ /v1/allowlists                  │ GET    │ 32   │
│ /v1/allowlists/check/172.18.0.6 │ GET    │ 3    │
│ /v1/heartbeat                   │ GET    │ 31   │
│ /v1/usage-metrics               │ POST   │ 2    │
│ /v1/watchers/login              │ POST   │ 13   │
╰─────────────────────────────────┴────────┴──────╯
╭─────────────────────────────────────────────────────────────╮
│ Local API Machines Metrics                                  │
├───────────┬─────────────────────────────────┬────────┬──────┤
│ Machine   │ Route                           │ Method │ Hits │
├───────────┼─────────────────────────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat                   │ GET    │ 31   │
│ localhost │ /v1/allowlists                  │ GET    │ 32   │
│ localhost │ /v1/allowlists/check/172.18.0.6 │ GET    │ 3    │
╰───────────┴─────────────────────────────────┴────────┴──────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response

[github-actions]

@hampoelz: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Will dive in deeper to see root cause, updated the title to reflect it most likely due to range remediation within the import but will update if tests suggest otherwise

edit: saw the update your testing --ip decisions which will work, you should try cscli decisions add --range 172.16.0.0/12 --duration 24h --type ban

I think in our design range remediations are not checked / supported against allowlists cause if we think about it you allowlist /12 but lets say you issue a ban on /8 what should we do? workout what we can ban and do that or bail like we do now. I'll look for @blotus opinion on this as original implementer.

TL;DR:
Issue is likely due to range remediation in your import file. Currently, allowlists aren’t checked for ranges because of ambiguity (e.g., allowlist /12 vs. ban /8). For now, assume any import using range as the scope will not work, only IP scope works as shown by your cscli decisions add command.

[LaurenceJJones]

Found the bug, it should work from @blotus stance.

However, we failed to normalise the scope here:

crowdsec/cmd/crowdsec-cli/clidecision/import.go

Lines 201 to 207 in 136be31

	for _, d := range chunk {
	if *d.Scope != types.Ip && *d.Scope != types.Range {
	continue
	}
	decisionsStr = append(decisionsStr, *d.Value)
	}

The check is for Range not range if your import changes the scope for now to Range as capital it works as intended. Accepting the triage but until a release the workaround is to uppercase the Range.

Parsing csv
Value 10.0.0.0/24 is allowlisted by [10.0.0.0/16 from foobar]
Imported 0 decisions

[hampoelz]

Thanks for the quick reply!

Indeed, by using Range and Ip instead of range and ip for the scope, the bulk import now behaves as expected.

saw the update your testing --ip decisions which will work, you should try cscli decisions add --range 172.16.0.0/12 --duration 24h --type ban

Should no longer be relevant, as you've already found the bug and the workaround works well. But for completeness: When I add the ranged decision, I get the same behaviour as with --ip, i.e. the decisions are not added:

root@hampoelz:~# cscli decisions add --ip 172.18.0.6 --duration 24h --type ban
Error: 172.18.0.6 is allowlisted by item 172.16.0.0/12 from local, use --bypass-allowlist to add the decision anyway

root@hampoelz:~# cscli decisions add --range 172.16.0.0/12 --duration 24h --type ban
Error: 172.16.0.0/12 is allowlisted by item 172.16.0.0/12 from local, use --bypass-allowlist to add the decision anyway

However, for bulk imports, the decisions were added in both cases:

root@hampoelz:~# echo "scope,value" > "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# echo "ip,172.18.0.6" >> "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# cscli decisions import --input "${BLOCKLIST_CSV_FILE}" --format csv --duration 24h --type ban
Parsing csv
Imported 1 decisions

root@hampoelz:~# echo "scope,value" > "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# echo "range,172.16.0.0/12" >> "$BLOCKLIST_CSV_FILE"
root@hampoelz:~# cscli decisions import --input "${BLOCKLIST_CSV_FILE}" --format csv --duration 24h --type ban
Parsing csv
Imported 1 decisions

With the workaround, both bulk import cases now work exactly the same as with decisions add.

[LaurenceJJones]

Should no longer be relevant, as you've already found the bug and the workaround works well. But for completeness: When I add the ranged decision, I get the same behaviour as with --ip, i.e. the decisions are not added:

Yeah cause when using the cscli flag for --range it already sets the scope to Range with an uppercase, but the code for add actually does a further normalization check incase you use cscli decisions add --value 1.2.3.4/24 --scope range which was missing from the import code.

With the workaround, both bulk import cases now work exactly the same as with decisions add.

👍🏻 great, and created the PR that will now normalize the scope so doesnt miss it if the scope is not the right case which was a great find!