diff --git a/crowdsec-docs/sidebarsUnversioned.js b/crowdsec-docs/sidebarsUnversioned.js
index bee99f2d..c9daa4ba 100644
--- a/crowdsec-docs/sidebarsUnversioned.js
+++ b/crowdsec-docs/sidebarsUnversioned.js
@@ -351,6 +351,11 @@ module.exports = {
id: "troubleshooting/remediation_components",
label: "Remediation Components",
},
+ {
+ type: "doc",
+ id: "troubleshooting/cti",
+ label: "CTI",
+ },
],
serviceApiSideBar: [
{
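Review bot: The added sidebar entry uses the bare acronym `label: "CTI"`, while the entry just above it in the same list spells its name out (`"Remediation Components"`). A reader scanning the troubleshooting sidebar may not recognise the acronym, so consider `label: "CTI (Cyber Threat Intelligence)"`, or at least a comment above the entry such as `// CTI = Cyber Threat Intelligence troubleshooting page`. The `id: "troubleshooting/cti"` lines up with the front-matter `id: cti` of the new `troubleshooting/cti.mdx` in this commit, so the entry should resolve. The enclosing array starts before the hunk and `serviceApiSideBar` continues past it, so the rest of the list is not visible here.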
diff --git a/crowdsec-docs/unversioned/cti_api/taxonomy/false_positives.mdx b/crowdsec-docs/unversioned/cti_api/taxonomy/false_positives.mdx
index 028cd5df..37a6102d 100644
--- a/crowdsec-docs/unversioned/cti_api/taxonomy/false_positives.mdx
+++ b/crowdsec-docs/unversioned/cti_api/taxonomy/false_positives.mdx
@@ -4,10 +4,11 @@ title: False Positives
sidebar_position: 7
---
-import TableRender from '@site/src/components/tableRender';
-import GithubIconRender from '@site/src/components/githubIconRender';
+import TableRender from "@site/src/components/tableRender"
+import GithubIconRender from "@site/src/components/githubIconRender"
-export const fpURL = "https://hub-cdn.crowdsec.net/master/taxonomy/false_positives.json";
+export const fpURL =
+ "https://hub-cdn.crowdsec.net/master/taxonomy/false_positives.json"
export const columns = [
{
header: "Name",
@@ -17,10 +18,33 @@ export const columns = [
header: "Description",
accessorKey: "description",
},
-];
+]
-
+## How to Get Tagged as a False Positive
+
+To be able to be classified as a false positive, you need a proper technical justification of why your IP might be misclassified as a threat. This part is to be reviewed and validated by crowdsec.
+
+You also need public documentation stating the IP, ranges, and/or reverse DNS associated with the assets in question. This data must be machine-readable (no HTML, no PDF, etc.).
+
+Once your IP addresses are publicly available and accessible via HTTPS, you can contact support@crowdsec.net. Please include the URL of your IPs and ranges.
+
+The CrowdSec team will do their best to update the CTI with false positive information, so your IPs are flagged correctly.
+
+Here are some examples of providers who share their IPs and ranges:
+
+- [Bing](https://www.bing.com/toolbox/bingbot.json)
+- [Google Bot](https://developers.google.com/search/apis/ipranges/googlebot.json)
+- [Cloudfront](https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips)
+- [Fastly](https://api.fastly.com/public-ip-list)
+
+:::note
+
+You don’t need to follow a specific format for the exposed list, but it’s recommended to keep the same format over time. Otherwise, the false positive enrichment may stop working.
+
+It’s best to use CSV or JSON for the list format.
+
+:::
diff --git a/crowdsec-docs/unversioned/troubleshooting/cti.mdx b/crowdsec-docs/unversioned/troubleshooting/cti.mdx
new file mode 100644
index 00000000..0615dc4b
--- /dev/null
+++ b/crowdsec-docs/unversioned/troubleshooting/cti.mdx
@@ -0,0 +1,38 @@
+---
+title: Troubleshooting CTI
+id: cti
+---
+
+## Community support
+
+Please try to resolve your issue by reading [the documentation](../cti_api/intro). If you're unable to find a solution, don't hesitate to seek assistance in:
+
+- [Discourse](https://discourse.crowdsec.net/)
+- [Discord](https://discord.gg/crowdsec)
+
+## False Positive
+
+### How to Get Tagged as a False Positive
+
+To be able to be classified as a false positive, you need a proper technical justification of why your IP might be misclassified as a threat. This part is to be reviewed and validated by crowdsec.
+
+You also need public documentation stating the IP, ranges, and/or reverse DNS associated with the assets in question. This data must be machine-readable (no HTML, no PDF, etc.).
+
+Once your IP addresses are publicly available and accessible via HTTPS, you can contact support@crowdsec.net. Please include the URL of your IPs and ranges.
+
+The CrowdSec team will do their best to update the CTI with false positive information, so your IPs are flagged correctly.
+
+Here are some examples of providers who share their IPs and ranges:
+
+- [Bing](https://www.bing.com/toolbox/bingbot.json)
+- [Google Bot](https://developers.google.com/search/apis/ipranges/googlebot.json)
+- [Cloudfront](https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips)
+- [Fastly](https://api.fastly.com/public-ip-list)
+
+:::note
+
+You don’t need to follow a specific format for the exposed list, but it’s recommended to keep the same format over time. Otherwise, the false positive enrichment may stop working.
+
+It’s best to use CSV or JSON for the list format.
+
+:::
diff --git a/crowdsec-docs/unversioned/troubleshooting/intro.md b/crowdsec-docs/unversioned/troubleshooting/intro.md
index e068d45c..c103d4b8 100644
--- a/crowdsec-docs/unversioned/troubleshooting/intro.md
+++ b/crowdsec-docs/unversioned/troubleshooting/intro.md
@@ -15,12 +15,14 @@ We have extended our troubleshooting documentation to cover more common issues a
### [Remediation Components](/troubleshooting/remediation_components.mdx)
+### [CTI](/troubleshooting/cti.mdx)
+
## Community support
Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:
-- [Discourse](https://discourse.crowdsec.net/)
-- [Discord](https://discord.gg/crowdsec)
+- [Discourse](https://discourse.crowdsec.net/)
+- [Discord](https://discord.gg/crowdsec)
# FAQ
@@ -64,9 +66,9 @@ If you need help for large scale deployment, please get in touch with us on the
Setting up a proxy works out of the box, the [net/http golang library](https://golang.org/src/net/http/transport.go) can handle those environment variables:
-* `HTTP_PROXY`
-* `HTTPS_PROXY`
-* `NO_PROXY`
+- `HTTP_PROXY`
+- `HTTPS_PROXY`
+- `NO_PROXY`
For example:
@@ -75,6 +77,7 @@ export HTTP_PROXY=http://:
```
#### Systemd variable
+
On Systemd devices you have to set the proxy variable in the environment section for the CrowdSec service. To avoid overwriting the service file during an update, a folder is created in `/etc/systemd/system/crowdsec.service.d` and a file in it named `http-proxy.conf`. The content for this file should look something like this:
```bash title="systemctl edit crowdsec.service"
@@ -90,6 +93,7 @@ Then you can restart CrowdSec like this:
`systemctl restart crowdsec`
#### Sudo
+
If you use `sudo cscli`, just add this line in `visudo` after setting up the previous environment variables:
```
@@ -146,20 +150,22 @@ CrowdSec Hub should be used when you have an issue with a parser, scenario or co
To disable the central API, simply comment out the [`online_client` section of the configuration file](/docs/next/configuration/crowdsec_configuration#online_client).
-### Why are some scenarios/parsers "tainted" or "custom" ?
+### Why are some scenarios/parsers "tainted" or "custom" ?
When using `cscli` to list your parsers, scenarios and collections, some might appear as "tainted" or "local".
"tainted" items:
- - Originate from the hub
- - Were locally modified
- - Will not be automatically updated/upgraded by `cscli` operations (unless `--force` or similar is specified)
- - Won't be sent to Central API and won't appear in the Console (unless `cscli console enable tainted` has been specified)
+
+- Originate from the hub
+- Were locally modified
+- Will not be automatically updated/upgraded by `cscli` operations (unless `--force` or similar is specified)
+- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable tainted` has been specified)
"local" items:
- - Have been locally created by the user
- - Are not managed by `cscli` operations
- - Won't be sent to Central API and won't appear in the Console (unless `cscli console enable custom` has been specified)
+
+- Have been locally created by the user
+- Are not managed by `cscli` operations
+- Won't be sent to Central API and won't appear in the Console (unless `cscli console enable custom` has been specified)
### Which information is sent to your services ?
@@ -201,6 +207,7 @@ line: May 16 07:50:30 sd-126005 sshd[10041]: Invalid user git from 78.142.18.204
├ 🟢 crowdsecurity/ssh-slow-bf
└ 🟢 crowdsecurity/ssh-slow-bf_user-enum
```
+
This command will allow you to see each parser behavior.
:::warning