Attack via URL
We experience sometimes very CPU consuming attacks on the URL from websites. I counted around 20 attacks per second. I don't think, that Crowdsec is able to combat these. Is this right?
If i have to create a scenario i would trigger "%2F%2A%2A%2F" in the URL one time and then say goodbye to the attacking IP-Address. Is this a good way?
Thanks!
Sample:
20.217.16.202 - - [06/Apr/2025:17:54:38 +0200] "GET /moebel.cfm?farbwelt=4&seite=11&stilwelt=-1+%2F%2A%2A%2F%2F%2A%2A%2FOR%2F%2A%2A%2FROW%282018%2C1386%29%3E%28SELECT%2F%2A%2A%2FCOUNT%28%5 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
It depends on how your
moebel.cfm works, as the query they put is a sql injection attack it seems
decoded value:
So I would first check that moebel.cfm isnt vulnerable to sql injection.Hi, the file isn't vulnerable. But the attack fills the log until the disk is full. So a scenario would be great for the future. By now i blocked the attacking IP address in the firewall.
Using the SQL keywords for a scenario might be good.
I wonder why such an attack hasn't been detected and combated by CrowSec yet. According to my online research, SQL attacks are nothing unusual.
CrowdSec does have a scenario to detect SQLi via log files but it's a very basic scenario. You'll have to write a custom scenario to catch this.
@GNU Plus Windows User Yes, i found a SQL scenario which i can use as a template.