False Positives
How to Get Tagged as a False Positive
To be able to be classified as a false positive, you need a proper technical justification of why your IP might be misclassified as a threat. This part is to be reviewed and validated by crowdsec.
You also need public documentation stating the IP, ranges, and/or reverse DNS associated with the assets in question. This data must be machine-readable (no HTML, no PDF, etc.).
Once your IP addresses are publicly available and accessible via HTTPS, you can contact support@crowdsec.net. Please include the URL of your IPs and ranges.
The CrowdSec team will do their best to update the CTI with false positive information, so your IPs are flagged correctly.
Here are some examples of providers who share their IPs and ranges:
You don’t need to follow a specific format for the exposed list, but it’s recommended to keep the same format over time. Otherwise, the false positive enrichment may stop working.
It’s best to use CSV or JSON for the list format.