crowdsecurity
diff --git a/‎crowdsec-docs/docs/appsec/hooks.md‎
Lines changed: 3 additions & 3 deletions b/‎crowdsec-docs/docs/appsec/hooks.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎crowdsec-docs/docs/appsec/protocol.md‎
Lines changed: 2 additions & 2 deletions b/‎crowdsec-docs/docs/appsec/protocol.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx‎
Lines changed: 2 additions & 2 deletions b/‎crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crowdsec-docs/docs/appsec/troubleshooting.md‎
Lines changed: 5 additions & 5 deletions b/‎crowdsec-docs/docs/appsec/troubleshooting.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎crowdsec-docs/docs/central_api/blocklist.md‎
Lines changed: 29 additions & 5 deletions b/‎crowdsec-docs/docs/central_api/blocklist.md‎
Lines changed: 29 additions & 5 deletions
diff --git a/‎crowdsec-docs/docs/cscli/cscli_appsec-configs.md‎
Lines changed: 4 additions & 4 deletions b/‎crowdsec-docs/docs/cscli/cscli_appsec-configs.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_inspect.md‎
Lines changed: 11 additions & 1 deletion b/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_inspect.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_install.md‎
Lines changed: 20 additions & 1 deletion b/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_install.md‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_list.md‎
Lines changed: 6 additions & 1 deletion b/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_list.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_remove.md‎
Lines changed: 24 additions & 5 deletions b/‎crowdsec-docs/docs/cscli/cscli_appsec-configs_remove.md‎
Lines changed: 24 additions & 5 deletions
@@ -102,7 +102,7 @@ inband_rules:
  - crowdsecurity/base-config
  - crowdsecurity/vpatch-*
 pre_eval:
- - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42"
+ - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1"
    apply:
     - RemoveInBandRuleByName("my_rule")
 ```
@@ -188,13 +188,13 @@ inband_rules:
  - crowdsecurity/base-config
  - crowdsecurity/vpatch-*
 post_eval:
- - filter: IsInBand == true && req.RemoteAddr == "42.42.42.42"
+ - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1"
    apply:
     - CancelAlert()
     - CancelEvent()
   - filter: |
       any( evt.Appsec.MatchedRules, #.name == "crowdsecurity/vpatch-env-access") and
-      req.RemoteAddr = "42.42.42.42"
+      req.RemoteAddr = "192.168.1.1"
     apply:
     - SetRemediation("allow")
   - filter: evt.Appsec.MatchedRules.GetURI() contains "/foobar/"
 
@@ -41,7 +41,7 @@ All requests forwarded by the remediation component must be sent via a `GET` req
 
 For this example:
 
-- A `POST` HTTP request has been made by the IP `1.2.3.4` to a website on `example.com`.
+- A `POST` HTTP request has been made by the IP `192.168.1.1` to a website on `example.com`.
 - The Application Security Component listen on `http://localhost:4241/`.
 
 <details>
@@ -71,7 +71,7 @@ username=admin' OR '1'='1' -- &password=password
 ```
 POST / HTTP/1.1
 Host: localhost:4241
-X-Crowdsec-Appsec-ip: 1.2.3.4
+X-Crowdsec-Appsec-ip: 192.168.1.1
 X-Crowdsec-Appsec-Uri: /login
 X-Crowdsec-Appsec-Host: example.com
 X-Crowdsec-Appsec-Verb: POST
 
@@ -160,7 +160,7 @@ Please keep this key since you will not be able to retrieve it!
 2. Emit a legitimate request to the AppSec Component:
 
 ```bash
-curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
+curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
 ```
 
 Which will give us an answer such as:
@@ -181,7 +181,7 @@ We're trying to access a `.env` file, a [common way to get access to some creden
 :::
 
 ```bash
-curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
+curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
 
 ```
 
 
@@ -75,7 +75,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password
 > Emit a request to the AppSec Component
 
 ```bash
-curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' 
+curl -I -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET' 
 HTTP/1.1 200 OK
 Date: Tue, 05 Dec 2023 19:37:56 GMT
 Content-Length: 18
@@ -85,7 +85,7 @@ Content-Type: text/plain; charset=utf-8
 If you receive a `200 OK`, you can authenticate to the AppSec Component. If the component is misconfigured or your API key is invalid, you will receive a `401 Unauthorized`:
 
 ```bash
-curl -I -X POST localhost:7422/ -i  -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET'          
+curl -I -X POST localhost:7422/ -i  -H 'x-crowdsec-appsec-api-key: meeh' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-host: test.com' -H 'x-crowdsec-appsec-verb: GET'          
 HTTP/1.1 401 Unauthorized
 Date: Tue, 05 Dec 2023 19:38:51 GMT
 Content-Length: 0
@@ -212,7 +212,7 @@ cscli bouncers add appsec_test -k this_is_a_bad_password
 We can now query our AppSec Component (we're assuming here that it runs on the default `127.0.0.1:7422`, see the `listen_addr` parameter of the acquisition config):
 
 ```bash
-▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 42.42.42.42' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
+▶ curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-uri: /rpc2' -H 'x-crowdsec-appsec-host: google.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
 HTTP/1.1 403 Forbidden
 Date: Tue, 05 Dec 2023 11:17:51 GMT
 Content-Length: 16
@@ -225,7 +225,7 @@ And we see the alert appearing in `crowdsec.log` :
 
 ```
 ...
-INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 42.42.42.42
+INFO[2023-12-05 12:17:52] (test) alert : crowdsecurity/vpatch-CVE-2023-42793 by ip 192.168.1.1
 ...
 ```
 
@@ -235,7 +235,7 @@ And in `cscli alerts list` :
 ╭────┬────────────────┬─────────────────────────────────────┬─────────┬────┬───────────┬───────────────────────────────╮
 │ ID │     value      │               reason                │ country │ as │ decisions │          created_at           │
 ├────┼────────────────┼─────────────────────────────────────┼─────────┼────┼───────────┼───────────────────────────────┤
-│ 1  │ Ip:42.42.42.42 │ crowdsecurity/vpatch-CVE-2023-42793 │         │    │           │ 2023-12-05 11:17:51 +0000 UTC │
+│ 1  │ Ip:192.168.1.1 │ crowdsecurity/vpatch-CVE-2023-42793 │         │    │           │ 2023-12-05 11:17:51 +0000 UTC │
 ╰────┴────────────────┴─────────────────────────────────────┴─────────┴────┴───────────┴───────────────────────────────╯
 
 ```
@@ -12,29 +12,53 @@ The "Community Blocklist" is a curated list of IP addresses identified as malici
 # Community Blocklist Variation and Eligibility
 
 The rules are different for free and paying users:
- - Free users that **do not** contribute get the `Community Blocklist (Lite)`
- - Free users that **do** contribute get access to the `Community Blocklist`
+ - Free users that **do not regularly** contribute get the `Community Blocklist (Lite)`
+ - Free users that **do regularly** contribute get access to the `Community Blocklist`
  - Paying users get access to the `Community Blocklist (Premium)`, even if they don't contribute
 
 Regardless of the blocklist "tier" you have access to (`Lite`, `Community`, `Premium`), each Security Engine gets a tailored blocklist based on the kind of behavior you're trying to detect.
 
-# Community Blocklist
+## Community Blocklist
 
 Free users that are actively contributing to the network (sending signal on a regular basis) have their Security Engines automatically subscribed to the *Community Blocklist*.
 
 The content of the blocklist is unique to each Security Engine, as it mirrors the behaviours they report. For example, suppose you're running the Security Engine on a web server with WordPress. In that case, you will receive IPs performing generic attacks against web servers *and* IPs engaging in wordpress-specific attacks.
 
 The *Community Blocklist* contains 15 thousand malicious IP's based on your reported scenarios.
 
-# Community Blocklist (Premium)
+## Community Blocklist (Premium)
 
 Paying users' Security Engine are automatically subscribed to the *Community Blocklist (Premium)*, which contains IPs that mirror their installed scenarios.
 Paying users' do not need to contribute to the network to be eligible to the blocklist.
 
 The *Community Blocklist (Premium)* blocklist content has no size limit, unlike free users.
 
-# Community Blocklist (Lite)
+## Community Blocklist (Lite)
 
 Free users that are not actively contributing to the network or that have been flagged as cheating/abusing the system will receive the *Community Blocklist (Lite)*.
 
 This Blocklist is capped at 3 thousand IPs.
+
+### Why is my Security Engine on the Lite Blocklist?
+
+Your Security Engine may be placed on the Lite Blocklist for various reasons, such as:
+
+1. Low Visibility Services
+
+Your services are self-hosted (e.g., for private video or image hosting) and primarily accessed by a small group. As a result, your Security Engine detects less malicious activity compared to public-facing services like blogs or e-commerce sites.
+
+2. Comprehensive Security Setup
+
+Your existing security measures reduce reliance on the Community Blocklist. These may include:
+- Geoblocking (restricting access to certain countries)
+- IP whitelisting with a default deny-all policy
+- VPN-only access
+- OAuth authentication (e.g., Authentik, Authelia, Keycloak)
+
+This simply a result of your security model and access requirements, its neither an issue with your setup nor a limitation on our end.
+
+3. Incomplete CrowdSec Configuration
+
+Your Security Engine may not be monitoring all your services.
+
+If you suspect this might be the case, refer to our [post-installation guide](/u/getting_started/next_steps) to ensure full coverage.
@@ -10,10 +10,10 @@ Manage hub appsec-configs
 
 ```
 cscli appsec-configs list -a
-cscli appsec-configs install crowdsecurity/vpatch
-cscli appsec-configs inspect crowdsecurity/vpatch
-cscli appsec-configs upgrade crowdsecurity/vpatch
-cscli appsec-configs remove crowdsecurity/vpatch
+cscli appsec-configs install crowdsecurity/virtual-patching
+cscli appsec-configs inspect crowdsecurity/virtual-patching
+cscli appsec-configs upgrade crowdsecurity/virtual-patching
+cscli appsec-configs remove crowdsecurity/virtual-patching
 
 ```
 
 
@@ -17,7 +17,17 @@ cscli appsec-configs inspect [item]... [flags]
 ### Examples
 
 ```
-cscli appsec-configs inspect crowdsecurity/vpatch
+# Display metadata, state, metrics and ancestor collections of appsec-configs (installed or not).
+cscli appsec-configs inspect crowdsecurity/virtual-patching
+
+# Don't collect metrics (avoid error if crowdsec is not running).
+cscli appsec-configs inspect crowdsecurity/virtual-patching --no-metrics
+
+# Display difference between a tainted item and the latest one.
+cscli appsec-configs inspect crowdsecurity/virtual-patching --diff
+
+# Reverse the above diff
+cscli appsec-configs inspect crowdsecurity/virtual-patching --diff --rev
 ```
 
 ### Options
 
@@ -17,16 +17,35 @@ cscli appsec-configs install [item]... [flags]
 ### Examples
 
 ```
-cscli appsec-configs install crowdsecurity/vpatch
+# Install some appsec-configs.
+cscli appsec-configs install crowdsecurity/virtual-patching
+
+# Show the execution plan without changing anything - compact output sorted by type and name.
+cscli appsec-configs install crowdsecurity/virtual-patching --dry-run
+
+# Show the execution plan without changing anything - verbose output sorted by execution order.
+cscli appsec-configs install crowdsecurity/virtual-patching --dry-run -o raw
+
+# Download only, to be installed later.
+cscli appsec-configs install crowdsecurity/virtual-patching --download-only
+
+# Install over tainted items. Can be used to restore or repair after local modifications or missing dependencies.
+cscli appsec-configs install crowdsecurity/virtual-patching --force
+
+# Prompt for confirmation if running in an interactive terminal; otherwise, the option is ignored.
+cscli appsec-configs install crowdsecurity/virtual-patching -i
+cscli appsec-configs install crowdsecurity/virtual-patching --interactive
 ```
 
 ### Options
 
 ```
   -d, --download-only   Only download packages, don't enable
+      --dry-run         Don't install or remove anything; print the execution plan
       --force           Force install: overwrite tainted and outdated files
   -h, --help            help for install
       --ignore          Ignore errors when installing multiple appsec-configs
+  -i, --interactive     Ask for confirmation before proceeding
 ```
 
 ### Options inherited from parent commands
 
@@ -17,9 +17,14 @@ cscli appsec-configs list [item... | -a] [flags]
 ### Examples
 
 ```
+# List enabled (installed) appsec-configs.
 cscli appsec-configs list
+
+# List all available appsec-configs (installed or not).
 cscli appsec-configs list -a
-cscli appsec-configs list crowdsecurity/vpatch
+
+# List specific appsec-configs (installed or not).
+cscli appsec-configs list crowdsecurity/virtual-patching crowdsecurity/generic-rules
 ```
 
 ### Options
 
@@ -17,16 +17,35 @@ cscli appsec-configs remove [item]... [flags]
 ### Examples
 
 ```
-cscli appsec-configs remove crowdsecurity/vpatch
+# Uninstall some appsec-configs.
+cscli appsec-configs remove crowdsecurity/virtual-patching
+
+# Show the execution plan without changing anything - compact output sorted by type and name.
+cscli appsec-configs remove crowdsecurity/virtual-patching --dry-run
+
+# Show the execution plan without changing anything - verbose output sorted by execution order.
+cscli appsec-configs remove crowdsecurity/virtual-patching --dry-run -o raw
+
+# Uninstall and also remove the downloaded files.
+cscli appsec-configs remove crowdsecurity/virtual-patching --purge
+
+# Remove tainted items.
+cscli appsec-configs remove crowdsecurity/virtual-patching --force
+
+# Prompt for confirmation if running in an interactive terminal; otherwise, the option is ignored.
+cscli appsec-configs remove crowdsecurity/virtual-patching -i
+cscli appsec-configs remove crowdsecurity/virtual-patching --interactive
 ```
 
 ### Options
 
 ```
-      --all     Remove all the appsec-configs
-      --force   Force remove: remove tainted and outdated files
-  -h, --help    help for remove
-      --purge   Delete source file too
+      --all           Remove all the appsec-configs
+      --dry-run       Don't install or remove anything; print the execution plan
+      --force         Force remove: remove tainted and outdated files
+  -h, --help          help for remove
+  -i, --interactive   Ask for confirmation before proceeding
+      --purge         Delete source file too
 ```
 
 ### Options inherited from parent commands