CrowdSec

CrowdSec: IDS/IPS/WAF Community

ModSecurity parser not parsing response rules (Phase 4)

```console
$ sudo cscli explain --file test_error.log --type modsecurity
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/user/0/cscli_explain4047805967/parser-dump.yaml
line: 2025/10/27 19:47:46 [error] 273240#273240: *657 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator Contains' with parameter evil.webshell' against variable RESPONSE_BODY' (Value: `<title> evil.webshell </title>\x0a<h1> evil.webshell </h1>\x0a' ) [file "/etc/modsecurity/test.conf"] [line "190"] [id "955003"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/evil-webshell.txt"] [unique_id "176155486667.073983"] [ref "o8,13v619,56"] while sending to client, client: 1.1.1.1, server: example.com, request: "GET /evil-webshell.txt HTTP/2.0", upstream: "https://2.2.2.2:443/evil-webshell.txt", host: "example.com"
├ s00-raw...
```
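
The fields a scenario would key on in the line above (client IP, phase, matched variable, rule id, URI, request method), extracted by a stand-alone Python parser. This is an added example, not part of the post and not CrowdSec's own modsecurity parser; PHASE4_LINE is reconstructed from the quoted log line with the backticks that Markdown stripped restored around the quoted values, and the phase-2 line with its rule id 100002 and message is constructed for contrast.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed samples (libmodsecurity v3 + nginx connector error-log format).
# PHASE4_LINE mirrors the line quoted in the post; PHASE2_LINE is invented.
PHASE4_LINE = r'''2025/10/27 19:47:46 [error] 273240#273240: *657 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Contains' with parameter `evil.webshell' against variable `RESPONSE_BODY' (Value: `<title> evil.webshell </title>\x0a<h1> evil.webshell </h1>\x0a' ) [file "/etc/modsecurity/test.conf"] [line "190"] [id "955003"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/evil-webshell.txt"] [unique_id "176155486667.073983"] [ref "o8,13v619,56"] while sending to client, client: 1.1.1.1, server: example.com, request: "GET /evil-webshell.txt HTTP/2.0", upstream: "https://2.2.2.2:443/evil-webshell.txt", host: "example.com"'''

PHASE2_LINE = r'''2025/10/27 19:50:01 [error] 273240#273240: *660 [client 3.3.3.3] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `Nikto' against variable `REQUEST_HEADERS:User-Agent' (Value: `Mozilla/5.00 (Nikto/2.1.6)' ) [file "/etc/modsecurity/test.conf"] [line "42"] [id "100002"] [rev ""] [msg "constructed scanner UA rule"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/"] [unique_id "176155500001.000001"] [ref "o0,5v60,5"], client: 3.3.3.3, server: example.com, request: "GET / HTTP/1.1", host: "example.com"'''

# Leading part: client, deny/warn, HTTP code, phase (only present on denies),
# operator, parameter and the variable the rule matched against.
_HEAD = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?:Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)|Warning)\. '
    r'Matched "Operator `(?P<operator>[^\']+)\' with parameter `(?P<param>.*?)\' '
    r'against variable `(?P<variable>[^\']+)\''
)
# Bracketed key/value tags such as [id "955003"] [uri "/evil-webshell.txt"].
_TAG = re.compile(r'\[(\w+) "([^"]*)"\]')
# nginx's own request context appended to the error line.
_REQ = re.compile(r'request: "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_modsec(line: str) -> Optional[dict]:
    """Return the security-relevant fields of one ModSecurity error line, or None."""
    head = _HEAD.search(line)
    if not head:
        return None
    tags = dict(_TAG.findall(line))
    req = _REQ.search(line)
    code = head.group("code")
    phase = head.group("phase")
    return {
        "client": head.group("client"),
        "action": "deny" if code else "warn",
        "status": int(code) if code else None,
        "phase": int(phase) if phase else None,
        "operator": head.group("operator"),
        "variable": head.group("variable"),
        "rule_id": tags.get("id"),
        "file": tags.get("file"),
        "msg": tags.get("msg"),
        "hostname": tags.get("hostname"),
        "uri": tags.get("uri"),
        "method": req.group("method") if req else None,
    }


def is_response_phase(evt: dict) -> bool:
    """True when the rule fired on the response (phase 4), not on the request."""
    return evt["phase"] == 4 or (evt["variable"] or "").startswith("RESPONSE_")


def denied_per_client(lines: Iterable[str]) -> Counter:
    """Count 'Access denied' events per client IP, as a bucketing scenario would."""
    counts: Counter = Counter()
    for line in lines:
        evt = parse_modsec(line)
        if evt and evt["action"] == "deny":
            counts[evt["client"]] += 1
    return counts


if __name__ == "__main__":
    for sample in (PHASE4_LINE, PHASE2_LINE):
        evt = parse_modsec(sample)
        print(evt["client"], evt["rule_id"], "phase", evt["phase"],
              "response-side" if is_response_phase(evt) else "request-side")
    print(denied_per_client([PHASE4_LINE, PHASE2_LINE, PHASE4_LINE]))
```

The phase number and the `RESPONSE_*` variable name are the only things that distinguish the phase-4 line from a request-phase deny; everything else (client, rule id, URI, hostname) is in the same `[key "value"]` tags, so a parser that extracts those tags handles both. Whether CrowdSec's hub parser keys on the phase is what the post is asking; this block makes no claim about it.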

Why does this parser do/catch nothing?

Howdy -- Just set up NPNPlus + CrowdSec as a Docker stack. I tested bad logins to *arr apps and did not get bounced (the bouncer is working; I can manually add my IP to the block list and get bounced). ChatGPT said it's because of the way *arr responds to a bad login and I needed a custom parser to catch it. I'm trying to catch this 'loginFailed=true'....

empty body email notifications

When I try to create an email notification template that pulls an IP address and then trigger the email notification (not using the notifications test), I get an email with an empty body. The strange thing is that when I use the notifications test I can see everything is being filled in correctly, so the issue shouldn't be a config issue. I tried using the example notification template and the result is still the same: ```...

Whitelist or set less strict rules on a specific resource

Does anybody more experienced with CrowdSec than I am know how to whitelist specific endpoints on a specific resource? CrowdSec presents a captcha for an iframe that prevents the user from interacting with it, as it's a read-only document (it's got anti-tampering, copy/paste protection, and anti-dev-tools). I want it for the main resource but not for that specific endpoint. Anybody got any suggestions?

disable scenario for vhost

Is there a way to disable a specific scenario for a particular vhost?

crowdsec X dockerized caddy adding to decision lists but not blocking

Hello. I am trying to set up a containerized Caddy and another CrowdSec, and managed to make it work: it detects and reads out the logs from stdout. However, I am still able to access the domain even though I should be blocked. I am not sure what is happening. ...

caddy crowdsec article related question

So I was checking this https://www.crowdsec.net/blog/secure-caddy-crowdsec-remediation-waf-guide as I am trying to build my own proxy image to use in Coolify with CrowdSec. ...

Not getting blocks/remediations

Hi all, I have installed the latest CrowdSec on my Debian/Apache2/WordPress site. Everything seems to be working fine with the exception of actually blocking connections: decisions are inserted and alerts are created successfully. I have created new API keys for my bouncers; not sure where to go from here.

APT Repository giving 403 error, no longer signed

I'm currently running CrowdSec on 4 machines, two Debian, two Ubuntu. When attempting to perform routine updates, I received this error:
```
Error: The repository 'https://packagecloud.io/crowdsec/crowdsec/any any InRelease' is no longer signed.
Error: Failed to fetch https://packagecloud.io/crowdsec/crowdsec/any/dists/any/InRelease 403 Forbidden [IP: x.x.x.x 443]
Error: The repository 'https://packagecloud.io/crowdsec/crowdsec/any any InRelease' is no longer signed.
Error: Failed to fetch https://packagecloud.io/crowdsec/crowdsec/any/dists/any/InRelease 403 Forbidden [IP: x.x.x.x 443]
```
...

Accessing prometheus metrics for opnsense plugin

I am running OPNsense 25.7.6-amd64 on FreeBSD 14.3-RELEASE-p4 with OpenSSL 3.0.18 and have installed the os-crowdsec 1.0.12 plugin. I have registered the security engine and enabled acquisition of Caddy logs and certain selected Loki logs. Notifications for Telegram have been configured and tested. I have amended /usr/local/etc/crowdsec/config.yaml as follows and restarted the crowdsec service: ``` prometheus:...

Custom parser install

CrowdSec v1.6.11. I wrote my own parser to use with a custom app, and I want to upload it to CrowdSec so I can test it before I move on to writing the scenario. The documentation I've found assumes that I will upload it to the hub for functional testing....

Constant OOM kills

Hi there! For the past few weeks we've encountered problems with our LAPI running out of resources and eventually getting killed by the OOM killer. It has already happened twice today, and we can't seem to correlate it with a larger number of alerts coming in. Our LAPI runs in a VM with 12 GB of RAM, and it ends up consuming all of it (normally the whole VM sits at around 1-2 GB of RAM usage even during peak load). Our graphs show that average load and the number of interrupts and context switches also go through the roof when this happens. The VM doesn't run anything else other than a SaltStack agent....

HTTP notification with changing Bearer token

Hi all, I am trying to use the HTTP notification plugin to send the alerts to Wazuh. On Wazuh I can request a Bearer access token with a curl command, which is valid for 300 seconds. Is it possible to configure the HTTP notification plugin in such a way that the token is requested by the notification plugin and used directly? The curl command which works on the console looks like this:...
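
One way to deal with a token that is only valid for 300 seconds, as an added example that is not part of the post and not the CrowdSec HTTP notification plugin itself: a small Python relay that the HTTP plugin could target instead of Wazuh directly, which caches the bearer token, refreshes it shortly before expiry, and re-authenticates once on a 401. The Wazuh token endpoint and alert endpoint are injected as callables because their paths and the shape of the token response are not in the post (an assumption); the FakeWazuh class is a constructed stand-in so the block runs offline.

```python
import json
import time
from typing import Callable, Tuple

# Added example; assumes a token endpoint returning (token, ttl_seconds) and an
# alert endpoint returning an HTTP status. Both are injected, not hard-coded.


class BearerTokenCache:
    """Caches a bearer token and re-fetches it skew_seconds before it expires."""

    def __init__(self, fetch_token: Callable[[], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic,
                 skew_seconds: int = 30):
        self._fetch = fetch_token
        self._clock = clock
        self._skew = skew_seconds
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self, force: bool = False) -> str:
        now = self._clock()
        if force or self._token is None or now >= self._expires_at - self._skew:
            token, ttl = self._fetch()
            self._token = token
            self._expires_at = now + ttl
            self.fetch_count += 1
        return self._token


def forward_alerts(payload: list, cache: BearerTokenCache,
                   post: Callable[[dict, bytes], int]) -> int:
    """POST the alert payload with a fresh bearer; re-authenticate once on 401."""
    body = json.dumps(payload).encode()
    headers = {"Authorization": f"Bearer {cache.get()}",
               "Content-Type": "application/json"}
    status = post(headers, body)
    if status == 401:  # token revoked server-side before its TTL ran out
        headers["Authorization"] = f"Bearer {cache.get(force=True)}"
        status = post(headers, body)
    return status


class FakeWazuh:
    """Constructed stand-in for the token endpoint and the alert sink."""

    def __init__(self):
        self.issued = 0
        self.valid = set()
        self.received = []

    def token(self) -> Tuple[str, int]:
        self.issued += 1
        tok = f"tok{self.issued}"
        self.valid.add(tok)
        return tok, 300  # the post says the token is valid for 300 s

    def post(self, headers: dict, body: bytes) -> int:
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if tok not in self.valid:
            return 401
        self.received.append(json.loads(body))
        return 200


def demo():
    """Drive the relay with a fake clock; returns (statuses, token fetches, delivered)."""
    clock = [0.0]
    wazuh = FakeWazuh()
    cache = BearerTokenCache(wazuh.token, clock=lambda: clock[0])
    alert = [{"scenario": "crowdsecurity/http-probing",   # constructed payload
              "source_ip": "203.0.113.7"}]
    s1 = forward_alerts(alert, cache, wazuh.post)   # fetches tok1
    clock[0] += 100
    s2 = forward_alerts(alert, cache, wazuh.post)   # reuses tok1
    clock[0] += 180                                  # t=280 s, inside the 30 s skew window
    s3 = forward_alerts(alert, cache, wazuh.post)   # refreshes to tok2 before expiry
    wazuh.valid.clear()                              # server revokes every token
    s4 = forward_alerts(alert, cache, wazuh.post)   # 401 -> forced re-auth -> tok3 -> 200
    return (s1, s2, s3, s4), cache.fetch_count, len(wazuh.received)


if __name__ == "__main__":
    print(demo())
```

The skew keeps a token from expiring mid-request, and the single forced retry covers revocation without looping on a permanently broken credential; in a real relay the two callables would wrap `requests.post()` against the Wazuh endpoints from the curl command in the post.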

Crowdsec Update 1.7.1 unknown manifest

Hey, I need some help. I am running TrueNAS SCALE with Portainer > CrowdSec in it. I have been installing and refining my CrowdSec setup for the past few weeks; I started with 1.7.0 and all was good. Now I can't update collections because there is v1.7.1, but I can't update to 1.7.1 either. With the latest tag it says there is nothing to update; with the 1.7.1 tag, unknown manifest. I tried searching for it online and nothing useful shows up, so I think it's something dumb on my end. Any help would be appreciated....

How to retrieve the User-Agent in a Postoverflow scenario?

Hello, I’m trying to set up a Postoverflow whitelist to whitelist an IP if it triggers an alert on a specific UA, but it doesn’t seem to be working. Do you have any idea why? ```yaml name: aukfood/whitelist_screaming_frog_ua description: "Whitelist Screaming Frog SEO Spider UA from IP 192.192.192.192" whitelist:...

DELETE requests not allowed

I'm currently running CrowdSec with the AppSec component in a Docker container together with the Traefik bouncer to protect my proxy. However, I ran into a problem where CrowdSec blocks requests that use the DELETE HTTP method. Unfortunately one of my apps makes use of DELETE, so how do I go about disabling this rule? I would like to do so using my docker-config file and a separate YAML config if possible....

Traefik access log is read but not parsed

I cannot get CrowdSec to parse the Traefik access.log I've mounted into its container. I'm using the crowdsecurity/traefik collection, which came with the crowdsecurity/traefik-logs parser (v1.2). ```console...

opnsense plugin engine update

I'm running CrowdSec via the OPNsense plugin. I'm going through some additional log parsers I'd like to install, but when I try (using the CLI) it says my engine is 1.7.0 but needs to be 1.7.1. I can see in the hub that it's saying my engine needs updating. OPNsense shows no updates for itself, nor for the plugin. Is there a CLI command I can issue or a button on the website that will trigger the engine itself to update to the new version, or do I have to wait for a plugin update via OPNsense?

Stuck loading alerts

I've enrolled an engine in a container and it's showing in the web interface. However, it's showing as loading alerts. The time shown for the security engine status was when I rebooted the container post-enrollment. Do I just need to wait (the container has existed for a while)? Can I / should I clear the historic alerts? If so, how? ...

Docker install: metrics not shown in web app

Hello, I have made a docker-compose project based on the image "crowdsecurity/crowdsec:latest-debian". The ban works fine; I have enrolled the instance and I got metrics within the web app. Then 2 days later I had the message "No alert received within the last 24h" on the web app; I may have restarted the container in those two days. Below is the docker-compose. I used the example provided on GitHub for journald: https://github.com/crowdsecurity/example-docker-compose/blob/main/journald/docker-compose.yml ...