# Getting many notifications for same IP


worthy forum

I am getting hundreds (!) of notifications for an already blocked IP on my OPNsense bouncer. As I see, the logic is a loop here, as in: the firewall blocks the IP, because it is in the CrowdSec block-list, writes that to the logs, triggering the blocking of said IP again. Is there a proper way to fix this?


misty flint
```yaml
## Ban and notify only when the IP has no active decision yet
name: default_ip_remediation_notification
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && GetActiveDecisionsCount(Alert.GetValue()) == 0
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - email_default
on_success: break
---
## Catch IPs that already have an active decision but don't call notification
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
on_success: break
---
name: default_range_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
on_success: break
```
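
Added example, not part of the post above and not CrowdSec code: a small Python model of how the three profiles are evaluated in order, showing that repeated alerts for an already banned IP fall through to the second profile and send no further notification. The `Alert` and `Engine` classes, the in-memory decision counter and the sample addresses are assumptions made for illustration; decision expiry is not modelled.

```python
# Simplified model of ordered profile evaluation (illustration only).
from dataclasses import dataclass, field

@dataclass
class Alert:
    value: str                # source IP or CIDR, as in Alert.GetValue()
    scope: str                # "Ip" or "Range", as in Alert.GetScope()
    remediation: bool = True  # as in Alert.Remediation

@dataclass
class Engine:
    active: dict = field(default_factory=dict)  # value -> active decision count
    sent: list = field(default_factory=list)    # (profile name, value) per notification

    def active_count(self, value):
        # Stand-in for GetActiveDecisionsCount(value)
        return self.active.get(value, 0)

    def profiles(self):
        # (name, filter, notify), in the same order as the YAML in the thread
        return [
            ("default_ip_remediation_notification",
             lambda a: a.remediation and a.scope == "Ip"
             and self.active_count(a.value) == 0, True),
            ("default_ip_remediation",
             lambda a: a.remediation and a.scope == "Ip", False),
            ("default_range_remediation",
             lambda a: a.remediation and a.scope == "Range", False),
        ]

    def handle(self, alert):
        for name, matches, notify in self.profiles():
            if not matches(alert):
                continue
            # The filter ran before this new ban was recorded.
            self.active[alert.value] = self.active_count(alert.value) + 1
            if notify:
                self.sent.append((name, alert.value))
            return name  # on_success: break stops at the first matching profile
        return None

def replay(alerts):
    """Return the profile matched by each alert and the notifications sent."""
    engine = Engine()
    return [engine.handle(a) for a in alerts], engine.sent

# Constructed sample: one IP keeps triggering alerts, then a range alert.
SAMPLE = [Alert("203.0.113.7", "Ip")] * 3 + [Alert("198.51.100.0/24", "Range")]

if __name__ == "__main__":
    for row in zip(*[replay(SAMPLE)[0], [a.value for a in SAMPLE]]):
        print(row)
```
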
worthy forum

Thank you 🙂
