Open ppkarwasz opened 1 year ago
@ppkarwasz: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
I am unable to reproduce the hub-test failure locally, flaky test?
Flakey tests recently. We are working on a fix on the hub side. Don't worry, we will pick this up starting tomorrow.
What happened?
My server is subject to batches of brute force attacks that target a single user, but are thrown from multiple IPs. No IP appears more than once per batch.
Therefore I use a scenario grouped by target user and not IP.
Each time the bucket overflows 6 alerts are issued, but they use the same source IP (the source_ip of the event that caused the overflow).
What did you expect to happen?
I would expect 6 alerts for 6 different IPs.
How can we reproduce it (as minimally and precisely as possible)?
To reproduce this issue you can use a scenario like this:
Anything else we need to know?
No response
Crowdsec version
OS version
No response
Enabled collections and parsers
No response
Acquisition config
No response
Config show
No response
Prometheus metrics
No response
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
No response
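The difference between the reported and the expected behaviour described in this issue, as an added sketch. It is not CrowdSec code and not the reporter's scenario: the bucket capacity of 5, the field name `target_user`, the function names and the sample events are all assumptions made for illustration, and the bucket's leak over time is not modelled.

```python
from collections import defaultdict

CAPACITY = 5  # assumed capacity: the 6th queued event makes the bucket overflow

# Constructed sample: one batch against user "alice", every attempt from a
# different IP (documentation address ranges), plus one unrelated event.
EVENTS = [
    {"target_user": "alice", "source_ip": f"203.0.113.{i}"} for i in range(1, 7)
] + [{"target_user": "bob", "source_ip": "198.51.100.7"}]


def run(events, per_event_source):
    """Pour events into buckets grouped by target user; return overflow alerts.

    per_event_source=False models the reported behaviour: every alert carries
    the source_ip of the event that caused the overflow.
    per_event_source=True models the expected behaviour: each alert carries
    the source_ip of the queued event it was built from.
    """
    buckets = defaultdict(list)
    alerts = []
    for ev in events:
        queue = buckets[ev["target_user"]]  # grouped by user, not by IP
        queue.append(ev)
        if len(queue) > CAPACITY:
            for queued in queue:
                ip = queued["source_ip"] if per_event_source else ev["source_ip"]
                alerts.append({"target_user": ev["target_user"], "source_ip": ip})
            queue.clear()
    return alerts


def distinct_ips(alerts):
    """Sorted list of the distinct source IPs named across a set of alerts."""
    return sorted({a["source_ip"] for a in alerts})


if __name__ == "__main__":
    print("reported:", distinct_ips(run(EVENTS, per_event_source=False)))
    print("expected:", distinct_ips(run(EVENTS, per_event_source=True)))
```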