need advice on Crowdsec

Started by caplam, March 25, 2025, 10:00:52 AM

I set up OPNsense a few months ago. My config is not finished yet and I want to make better use of CrowdSec.
I installed CrowdSec and registered it to the console. But until now I haven't had time to explore it.
It's working but with too many false positives. I had to remove some scenarios as I was constantly banned.
I guess there might be other methods than removing scenarios.
How do you troubleshoot false positives?
I registered on the CrowdSec web console and I saw that for the free edition you can subscribe to 3 blocklists.
What are the best ones to subscribe to?

Here are my collections:
crowdsecurity/base-http-scenarios enabled,tainted 1.0 http common : scanners detection
crowdsecurity/caddy enabled,tainted 0.1 caddy support : parser and generic http scenarios
crowdsecurity/freebsd enabled 0.3 core freebsd support : syslog+geoip+ssh
crowdsecurity/http-cve enabled 2.9 Detect CVE exploitation in http logs
crowdsecurity/opnsense enabled 0.4 core opnsense support
crowdsecurity/opnsense-gui enabled 0.1 OPNSense web authentication support
crowdsecurity/sshd enabled 0.5 sshd support : parser and brute-force detection
firewallservices/pf enabled 0.2 Parser and scenario for Packet Filter logs

and my scenarios:
crowdsecurity/CVE-2017-9841 enabled 0.2 Detect CVE-2017-9841 exploits
crowdsecurity/CVE-2019-18935 enabled 0.2 Detect Telerik CVE-2019-18935 exploitation attempts
crowdsecurity/CVE-2022-26134 enabled 0.2 Detect CVE-2022-26134 exploits
crowdsecurity/CVE-2022-35914 enabled 0.2 Detect CVE-2022-35914 exploits
crowdsecurity/CVE-2022-37042 enabled 0.2 Detect CVE-2022-37042 exploits
crowdsecurity/CVE-2022-40684 enabled 0.3 Detect cve-2022-40684 exploitation attempts
crowdsecurity/CVE-2022-41082 enabled 0.4 Detect CVE-2022-41082 exploits
crowdsecurity/CVE-2022-41697 enabled 0.2 Detect CVE-2022-41697 enumeration
crowdsecurity/CVE-2022-42889 enabled 0.3 Detect CVE-2022-42889 exploits (Text4Shell)
crowdsecurity/CVE-2022-44877 enabled 0.3 Detect CVE-2022-44877 exploits
crowdsecurity/CVE-2022-46169 enabled 0.2 Detect CVE-2022-46169 brute forcing
crowdsecurity/CVE-2023-22515 enabled 0.1 Detect CVE-2023-22515 exploitation
crowdsecurity/CVE-2023-22518 enabled 0.2 Detect CVE-2023-22518 exploits
crowdsecurity/CVE-2023-49103 enabled 0.3 Detect owncloud CVE-2023-49103 exploitation attempts
crowdsecurity/CVE-2024-0012 enabled 0.1 Detect CVE-2024-0012 exploitation attempts
crowdsecurity/CVE-2024-38475 enabled 0.1 Detect CVE-2024-38475 exploitation attempts
crowdsecurity/CVE-2024-9474 enabled 0.1 Detect CVE-2024-9474 exploitation attempts
crowdsecurity/apache_log4j2_cve-2021-44228 enabled 0.6 Detect cve-2021-44228 exploitation attemps
crowdsecurity/f5-big-ip-cve-2020-5902 enabled 0.2 Detect cve-2020-5902 exploitation attemps
crowdsecurity/fortinet-cve-2018-13379 enabled 0.3 Detect cve-2018-13379 exploitation attemps
crowdsecurity/grafana-cve-2021-43798 enabled 0.2 Detect cve-2021-43798 exploitation attemps
crowdsecurity/http-admin-interface-probing enabled 0.4 Detect generic HTTP admin interface probing
crowdsecurity/http-backdoors-attempts enabled 0.6 Detect attempt to common backdoors
crowdsecurity/http-bad-user-agent enabled 1.2 Detect usage of bad User Agent
crowdsecurity/http-cve-2021-41773 enabled 0.3 Apache - Path Traversal (CVE-2021-41773)
crowdsecurity/http-cve-2021-42013 enabled 0.3 Apache - Path Traversal (CVE-2021-42013)
crowdsecurity/http-cve-probing enabled 0.6 Detect generic HTTP cve probing
crowdsecurity/http-open-proxy enabled 0.5 Detect scan for open proxy
crowdsecurity/http-path-traversal-probing enabled 0.4 Detect path traversal attempt
crowdsecurity/http-sqli-probing enabled 0.4 A scenario that detects SQL injection probing with minimal false positives
crowdsecurity/http-wordpress-scan enabled 0.2 Detect WordPress scan: vuln hunting
crowdsecurity/http-xss-probing enabled 0.4 A scenario that detects XSS probing with minimal false positives
crowdsecurity/jira_cve-2021-26086 enabled 0.3 Detect Atlassian Jira CVE-2021-26086 exploitation attemps
crowdsecurity/netgear_rce enabled 0.4 Detect Netgear RCE DGN1000/DGN220 exploitation attempts
crowdsecurity/opnsense-gui-bf enabled 0.3 Detect bruteforce on opnsense web interface
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 enabled 0.3 Detect cve-2019-11510 exploitation attemps
crowdsecurity/spring4shell_cve-2022-22965 enabled 0.3 Detect cve-2022-22965 probing
crowdsecurity/ssh-bf enabled 0.3 Detect ssh bruteforce
crowdsecurity/ssh-cve-2024-6387 enabled 0.2 Detect exploitation attempt of CVE-2024-6387
crowdsecurity/ssh-slow-bf enabled 0.4 Detect slow ssh bruteforce
crowdsecurity/thinkphp-cve-2018-20062 enabled 0.6 Detect ThinkPHP CVE-2018-20062 exploitation attemps
crowdsecurity/vmware-cve-2022-22954 enabled 0.3 Detect Vmware CVE-2022-22954 exploitation attempts
crowdsecurity/vmware-vcenter-vmsa-2021-0027 enabled 0.2 Detect VMSA-2021-0027 exploitation attemps
firewallservices/pf-scan-multi_ports enabled 0.5 Detect aggressive portscans (pf)
ltsich/http-w00tw00t enabled 0.2 detect w00tw00t


The blocklists I am using are: Firehol cybercrime tracker list, Firehol cruzit.com list, Firehol greensnow.co list and CrowdSec Community Blocklist.
But if I'm honest, I am beginning to fall out with CrowdSec. For me it has started to feel like they've reached the stage where they've enrolled enough people to their free offering to harvest enough data to then go for the paying customers, whilst not having time for the free users.
OPN users have been left only with the basic initial elements, just the LAPI and firewall bouncer, since they released it for OPN in 2021.
I've tried to engage with them and it is difficult to get their attention on Discord or get anything moving on GitHub. No ticketing system that I'm aware of. They don't seem very active on this forum, so OPN users of theirs seem like second-class citizens.
For instance, I had to figure out a way to get CrowdSec to protect my HAProxy. I made a how-to. Constant https scans are hitting my HAProxy front end. I reported that it is not engaging any remediation because the http(s) logs aren't being correctly parsed. It took me a lot of convincing to get them to agree that it was "not working as expected", and they created an issue on GitHub. No movement on it over 3 weeks.

Thanks for your answer.

I use CrowdSec for parsing Caddy logs and it's not very convincing. I had to disable some HTTP-based scenarios.
For example, as soon as a Nextcloud user moves files in his directory, he is banned by CrowdSec.
How do you add blocklists? Is adding them from the web console enough? Is there nothing to do from the local GUI in OPNsense?
I tried in the web console using the OPNsense integration, but it didn't seem to do anything. I also tried with the registered security engine. I can see which lists I registered to.
Nothing is visible on the local GUI in OPNsense.
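Editor's added example, not written by any poster in this thread: the usual alternative to removing a whole scenario (the question in the opening post) is a whitelist parser, which drops specific events before the scenarios count them. The file below targets the Nextcloud case described above. It assumes the caddy-logs parser fills in evt.Meta.http_verb and evt.Meta.http_path (as the stock nginx parser does), that Nextcloud serves WebDAV under /remote.php/dav/ and /remote.php/webdav/, and that 192.168.1.0/24 stands in for your own trusted LAN; the file name and the local/ prefix are also just a convention chosen here.

```yaml
# Added example (not from the thread or from the CrowdSec project):
# a whitelist parser for CrowdSec that exempts Nextcloud WebDAV client
# traffic and trusted LAN clients from the HTTP scenarios, instead of
# disabling those scenarios entirely.
#
# Assumptions: the caddy-logs parser sets evt.Meta.http_verb and
# evt.Meta.http_path; Nextcloud WebDAV lives under /remote.php/dav/ and
# /remote.php/webdav/; the CIDR below is a placeholder for your LAN.
# Drop the file into parsers/s02-enrich/ under the CrowdSec config
# directory (/usr/local/etc/crowdsec/ on the OPNsense plugin) and restart
# the crowdsec service.
name: local/nextcloud-webdav-whitelist
description: "Whitelist Nextcloud WebDAV file operations and trusted LAN clients"
whitelist:
  reason: "Nextcloud WebDAV activity (file moves, syncs) and trusted LAN ranges"
  cidr:
    - "192.168.1.0/24"   # placeholder: replace with your trusted LAN range
  expression:
    # WebDAV file operations (a client moving or syncing a folder) issue
    # bursts of PROPFIND/MOVE/COPY requests, many with non-200 responses,
    # which generic HTTP probing scenarios read as scanning. Whitelisting
    # on verb AND path keeps plain GET/POST scans of the same path counted.
    - evt.Meta.http_verb in ["PROPFIND", "PROPPATCH", "MOVE", "COPY", "MKCOL", "REPORT", "LOCK", "UNLOCK"] && (evt.Meta.http_path startsWith "/remote.php/dav/" || evt.Meta.http_path startsWith "/remote.php/webdav/")
```

To confirm the whitelist is applied, replay a Caddy access log line through the parser chain with cscli explain (for example `cscli explain --file /var/log/caddy/access.log --type caddy`): whitelisted events are marked as such in the parser output and never reach the scenarios. Check which scenarios were actually firing with `cscli alerts list` before deciding what to whitelist, and lift an existing ban with `cscli decisions delete --ip <address>`. The whitelist applies to the event, not the source, so keep the expression as narrow as the false positive requires; a path-only rule would also hide genuine scans of that path.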

No, it won't, and that's what I mean. Just the original basics and that's it on the OPN plugin.