From c07a7fd484d5f630377abe7c70c85099c1fa9edc Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 18 Sep 2025 14:46:05 +0100 Subject: [PATCH 1/4] Add valid signal criteria to community blocklist documentation - Clarify what signals count toward community contribution - Explain hash verification process for scenario validation - Document exclusion of custom and modified scenarios - Provide guidance on ensuring signals are counted - Add practical example of modified scenario impact - Update both main docs and v1.7 versioned docs --- crowdsec-docs/docs/central_api/blocklist.md | 24 +++++++++++++++++++ .../version-v1.7/central_api/blocklist.md | 24 +++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/crowdsec-docs/docs/central_api/blocklist.md b/crowdsec-docs/docs/central_api/blocklist.md index 112e829f0..5c3bd17b5 100644 --- a/crowdsec-docs/docs/central_api/blocklist.md +++ b/crowdsec-docs/docs/central_api/blocklist.md @@ -29,6 +29,30 @@ The content of the blocklist is unique to each Security Engine, as it mirrors th The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. +### What Counts as a Valid Signal? + +For your signals to be counted toward community contribution, they must meet specific criteria: + +#### What We Count + +- **Signals generated by official CrowdSec scenarios from the Hub, unmodified** +- We verify this by comparing the scenario's content hash we publish with the hash your engine reports + +#### What We Do Not Count + +- **Custom scenarios you write yourself** +- **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals + +#### Example + +If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally. + +#### How to Make Sure Your Signals Count + +- **Use the scenario straight from the Hub without edits** +- **Keep auto-updates on** so hashes stay in sync +- **If you need custom behavior**, copy to a local scenario and use it, but understand those signals will be excluded from consensus + ## Community Blocklist (Premium) Paying users' Security Engine are automatically subscribed to the *Community Blocklist (Premium)*, which contains IPs that mirror their installed scenarios. diff --git a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md index 112e829f0..5c3bd17b5 100644 --- a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md +++ b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md @@ -29,6 +29,30 @@ The content of the blocklist is unique to each Security Engine, as it mirrors th The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. +### What Counts as a Valid Signal? + +For your signals to be counted toward community contribution, they must meet specific criteria: + +#### What We Count + +- **Signals generated by official CrowdSec scenarios from the Hub, unmodified** +- We verify this by comparing the scenario's content hash we publish with the hash your engine reports + +#### What We Do Not Count + +- **Custom scenarios you write yourself** +- **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals + +#### Example + +If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally. + +#### How to Make Sure Your Signals Count + +- **Use the scenario straight from the Hub without edits** +- **Keep auto-updates on** so hashes stay in sync +- **If you need custom behavior**, copy to a local scenario and use it, but understand those signals will be excluded from consensus + ## Community Blocklist (Premium) Paying users' Security Engine are automatically subscribed to the *Community Blocklist (Premium)*, which contains IPs that mirror their installed scenarios. From ecd84c502e134fd7a8ee8c4b92534736255d1a03 Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 18 Sep 2025 14:47:57 +0100 Subject: [PATCH 2/4] Improve valid signal documentation structure and wording - Move 'What Counts as a Valid Signal?' section above Community Blocklist - Update wording to 'do not regularly contribute valid signals' for clarity - Change 'sending signal' to 'sending valid signals' in Community Blocklist description - Improve document flow by explaining valid signals before describing blocklist tiers - Maintain consistency across both main docs and v1.7 versioned docs --- crowdsec-docs/docs/central_api/blocklist.md | 30 +++++++++---------- .../version-v1.7/central_api/blocklist.md | 30 +++++++++---------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/crowdsec-docs/docs/central_api/blocklist.md b/crowdsec-docs/docs/central_api/blocklist.md index 5c3bd17b5..faec42b97 100644 --- a/crowdsec-docs/docs/central_api/blocklist.md +++ b/crowdsec-docs/docs/central_api/blocklist.md @@ -15,44 +15,44 @@ The Community Blocklist is **only** available when using the Security Engine. To ::: The rules are different for free and paying users: - - Free users that **do not regularly** contribute get the `Community Blocklist (Lite)` - - Free users that **do regularly** contribute get access to the `Community Blocklist` + - Free users that **do not regularly contribute valid signals** get the `Community Blocklist (Lite)` + - Free users that **do regularly contribute valid signals** get access to the `Community Blocklist` - Paying users get access to the `Community Blocklist (Premium)`, even if they don't contribute Regardless of the blocklist "tier" you have access to (`Lite`, `Community`, `Premium`), each Security Engine gets a tailored blocklist based on the kind of behavior you're trying to detect. -## Community Blocklist - -Free users that are actively contributing to the network (sending signal on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. - -The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. - -The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. - -### What Counts as a Valid Signal? +## What Counts as a Valid Signal? For your signals to be counted toward community contribution, they must meet specific criteria: -#### What We Count +### What We Count - **Signals generated by official CrowdSec scenarios from the Hub, unmodified** - We verify this by comparing the scenario's content hash we publish with the hash your engine reports -#### What We Do Not Count +### What We Do Not Count - **Custom scenarios you write yourself** - **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals -#### Example +### Example If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally. -#### How to Make Sure Your Signals Count +### How to Make Sure Your Signals Count - **Use the scenario straight from the Hub without edits** - **Keep auto-updates on** so hashes stay in sync - **If you need custom behavior**, copy to a local scenario and use it, but understand those signals will be excluded from consensus +## Community Blocklist + +Free users that are actively contributing to the network (sending valid signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. + +The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. + +The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. + ## Community Blocklist (Premium) Paying users' Security Engine are automatically subscribed to the *Community Blocklist (Premium)*, which contains IPs that mirror their installed scenarios. diff --git a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md index 5c3bd17b5..faec42b97 100644 --- a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md +++ b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md @@ -15,44 +15,44 @@ The Community Blocklist is **only** available when using the Security Engine. To ::: The rules are different for free and paying users: - - Free users that **do not regularly** contribute get the `Community Blocklist (Lite)` - - Free users that **do regularly** contribute get access to the `Community Blocklist` + - Free users that **do not regularly contribute valid signals** get the `Community Blocklist (Lite)` + - Free users that **do regularly contribute valid signals** get access to the `Community Blocklist` - Paying users get access to the `Community Blocklist (Premium)`, even if they don't contribute Regardless of the blocklist "tier" you have access to (`Lite`, `Community`, `Premium`), each Security Engine gets a tailored blocklist based on the kind of behavior you're trying to detect. -## Community Blocklist - -Free users that are actively contributing to the network (sending signal on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. - -The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. - -The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. - -### What Counts as a Valid Signal? +## What Counts as a Valid Signal? For your signals to be counted toward community contribution, they must meet specific criteria: -#### What We Count +### What We Count - **Signals generated by official CrowdSec scenarios from the Hub, unmodified** - We verify this by comparing the scenario's content hash we publish with the hash your engine reports -#### What We Do Not Count +### What We Do Not Count - **Custom scenarios you write yourself** - **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals -#### Example +### Example If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally. -#### How to Make Sure Your Signals Count +### How to Make Sure Your Signals Count - **Use the scenario straight from the Hub without edits** - **Keep auto-updates on** so hashes stay in sync - **If you need custom behavior**, copy to a local scenario and use it, but understand those signals will be excluded from consensus +## Community Blocklist + +Free users that are actively contributing to the network (sending valid signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. + +The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. + +The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios. + ## Community Blocklist (Premium) Paying users' Security Engine are automatically subscribed to the *Community Blocklist (Premium)*, which contains IPs that mirror their installed scenarios. From bd721e8ae9ad37cd74c39c815d8262cc3e823453 Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 18 Sep 2025 16:04:41 +0100 Subject: [PATCH 3/4] Simplify terminology: use 'signal' instead of 'valid signal' - Change 'What Counts as a Valid Signal?' to 'What Counts as a Signal?' - Update 'do not regularly contribute valid signals' to 'do not regularly contribute signals' - Update 'do regularly contribute valid signals' to 'do regularly contribute signals' - Change 'sending valid signals' to 'sending signals' in Community Blocklist description - Maintain same meaning while using simpler terminology as requested by team - Apply changes to both main docs and v1.7 versioned docs --- crowdsec-docs/docs/central_api/blocklist.md | 8 ++++---- .../versioned_docs/version-v1.7/central_api/blocklist.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/crowdsec-docs/docs/central_api/blocklist.md b/crowdsec-docs/docs/central_api/blocklist.md index faec42b97..5a467b327 100644 --- a/crowdsec-docs/docs/central_api/blocklist.md +++ b/crowdsec-docs/docs/central_api/blocklist.md @@ -15,13 +15,13 @@ The Community Blocklist is **only** available when using the Security Engine. To ::: The rules are different for free and paying users: - - Free users that **do not regularly contribute valid signals** get the `Community Blocklist (Lite)` - - Free users that **do regularly contribute valid signals** get access to the `Community Blocklist` + - Free users that **do not regularly contribute signals** get the `Community Blocklist (Lite)` + - Free users that **do regularly contribute signals** get access to the `Community Blocklist` - Paying users get access to the `Community Blocklist (Premium)`, even if they don't contribute Regardless of the blocklist "tier" you have access to (`Lite`, `Community`, `Premium`), each Security Engine gets a tailored blocklist based on the kind of behavior you're trying to detect. -## What Counts as a Valid Signal? +## What Counts as a Signal? For your signals to be counted toward community contribution, they must meet specific criteria: @@ -47,7 +47,7 @@ If you only run a honeypot with a scenario you have modified, your local alerts ## Community Blocklist -Free users that are actively contributing to the network (sending valid signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. +Free users that are actively contributing to the network (sending signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. diff --git a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md index faec42b97..5a467b327 100644 --- a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md +++ b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md @@ -15,13 +15,13 @@ The Community Blocklist is **only** available when using the Security Engine. To ::: The rules are different for free and paying users: - - Free users that **do not regularly contribute valid signals** get the `Community Blocklist (Lite)` - - Free users that **do regularly contribute valid signals** get access to the `Community Blocklist` + - Free users that **do not regularly contribute signals** get the `Community Blocklist (Lite)` + - Free users that **do regularly contribute signals** get access to the `Community Blocklist` - Paying users get access to the `Community Blocklist (Premium)`, even if they don't contribute Regardless of the blocklist "tier" you have access to (`Lite`, `Community`, `Premium`), each Security Engine gets a tailored blocklist based on the kind of behavior you're trying to detect. -## What Counts as a Valid Signal? +## What Counts as a Signal? For your signals to be counted toward community contribution, they must meet specific criteria: @@ -47,7 +47,7 @@ If you only run a honeypot with a scenario you have modified, your local alerts ## Community Blocklist -Free users that are actively contributing to the network (sending valid signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. +Free users that are actively contributing to the network (sending signals on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*. The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks. From 92a5a7448f63bfb8845a88167419d048a124513a Mon Sep 17 00:00:00 2001 From: Laurence Date: Thu, 18 Sep 2025 16:12:40 +0100 Subject: [PATCH 4/4] Add clarification about parser modifications - Add info box explaining that modifying parsers or using custom parsers has no impact on signal validity - Clarifies distinction between scenario modifications (which affect signals) and parser modifications (which don't) - Helps users understand they can customize parsers without affecting community contribution - Apply changes to both main docs and v1.7 versioned docs --- crowdsec-docs/docs/central_api/blocklist.md | 4 ++++ .../versioned_docs/version-v1.7/central_api/blocklist.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/crowdsec-docs/docs/central_api/blocklist.md b/crowdsec-docs/docs/central_api/blocklist.md index 5a467b327..35f8d767e 100644 --- a/crowdsec-docs/docs/central_api/blocklist.md +++ b/crowdsec-docs/docs/central_api/blocklist.md @@ -35,6 +35,10 @@ For your signals to be counted toward community contribution, they must meet spe - **Custom scenarios you write yourself** - **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals +:::info +Modifying a parser or using a custom parser has no impact on signal validity. +::: + ### Example If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally. diff --git a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md index 5a467b327..35f8d767e 100644 --- a/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md +++ b/crowdsec-docs/versioned_docs/version-v1.7/central_api/blocklist.md @@ -35,6 +35,10 @@ For your signals to be counted toward community contribution, they must meet spe - **Custom scenarios you write yourself** - **Tainted or modified scenarios** (even small edits). We cannot reliably vet behavior once a scenario is changed, so the consensus engine ignores those signals +:::info +Modifying a parser or using a custom parser has no impact on signal validity. +::: + ### Example If you only run a honeypot with a scenario you have modified, your local alerts will still fire, but the consensus engine will not use those signals. You can then show up as "not actively contributing," even though you see activity locally.