C
CrowdSecβ€’5mo ago
j0nny54l1v3

looking into appsec setup, looks like some cvs are disabled, should i enable / update and how

Ran this command and found there are few diabled, and if I manually update it, it seems to stay disabled 
docker exec crowdsec cscli appsec-rules list -a | grep disabled
 crowdsecurity/vpatch-CVE-2021-43798           🚫  disabled                   0.3                                                                     
 crowdsecurity/vpatch-CVE-2023-0600            🚫  disabled                   0.1                                                                     
 crowdsecurity/vpatch-CVE-2023-0900            🚫  disabled,update-available                                                                                                                                           
 crowdsecurity/vpatch-CVE-2023-6623            🚫  disabled,update-available                                                                          
 crowdsecurity/vpatch-CVE-2024-1061            🚫  disabled,update-available                                                                          
 crowdsecurity/vpatch-CVE-2024-1071            🚫  disabled                   0.2         
docker exec crowdsec cscli appsec-rules list -a | grep disabled
 crowdsecurity/vpatch-CVE-2021-43798           🚫  disabled                   0.3                                                                     
 crowdsecurity/vpatch-CVE-2023-0600            🚫  disabled                   0.1                                                                     
 crowdsecurity/vpatch-CVE-2023-0900            🚫  disabled,update-available                                                                                                                                           
 crowdsecurity/vpatch-CVE-2023-6623            🚫  disabled,update-available                                                                          
 crowdsecurity/vpatch-CVE-2024-1061            🚫  disabled,update-available                                                                          
 crowdsecurity/vpatch-CVE-2024-1071            🚫  disabled                   0.2
It also seems a hub update and hub upgrade do not resolve the disabled status
11 Replies
CrowdSec
CrowdSecβ€’5mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❀️
iiamloz
iiamlozβ€’5mo ago
It also seems a hub update and hub upgrade do not resolve the disabled status
It also seems a hub update and hub upgrade do not resolve the disabled status
Did it state about anything being tainted?
j0nny54l1v3
j0nny54l1v3OPβ€’5mo ago
it did not
iiamloz
iiamlozβ€’5mo ago
hmmm, can you run docker exec crowdsec cscli collections list | grep appsec
j0nny54l1v3
j0nny54l1v3OPβ€’5mo ago
 crowdsecurity/appsec-crs               βœ”οΈ  enabled  0.5      /etc/crowdsec/collections/appsec-crs.yaml              
 crowdsecurity/appsec-generic-rules     βœ”οΈ  enabled  0.7      /etc/crowdsec/collections/appsec-generic-rules.yaml    
 crowdsecurity/appsec-virtual-patching  βœ”οΈ  enabled  5.9      /etc/crowdsec/collections/appsec-virtual-patching.yaml 
 crowdsecurity/appsec-crs               βœ”οΈ  enabled  0.5      /etc/crowdsec/collections/appsec-crs.yaml              
 crowdsecurity/appsec-generic-rules     βœ”οΈ  enabled  0.7      /etc/crowdsec/collections/appsec-generic-rules.yaml    
 crowdsecurity/appsec-virtual-patching  βœ”οΈ  enabled  5.9      /etc/crowdsec/collections/appsec-virtual-patching.yaml
iiamloz
iiamlozβ€’5mo ago
and if you run cscli version its 1.6.8?
j0nny54l1v3
j0nny54l1v3OPβ€’5mo ago
yes, but for extra 
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-03-25_15:56:53
GoVersion: 1.24.1
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-03-25_15:56:53
GoVersion: 1.24.1
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
iiamloz
iiamlozβ€’5mo ago
Can you run running both hub update and hub upgrade with the --debug flag and dump the logs to me in a DM? Ahhh I figured it out, some vpatch rules are only for wordpress specific behaviours Those rules you found are under the the crowdsecurity/appsec-wordpress collection and we dont install these by default since they might trigger on non wordpress sites.
j0nny54l1v3
j0nny54l1v3OPβ€’5mo ago
nice, I use Wordpress, seems I could enable them, but, I also have several domains, but only a few of them do WordPress, is there a way to match <domain> <--> <appsec_rule>?
blotus
blotusβ€’5mo ago
So currently, you need to disable the rule explicitly using a pre_eval hook in the config (https://docs.crowdsec.net/docs/next/appsec/hooks#pre_eval), but it's very verbose. We are thinking about ways on how to make this better, but it will take a bit of time
AppSec Component Hooks | CrowdSec
The Application Security Component allows you to hook at different stages to change its behavior at runtime.
blotus
blotusβ€’5mo ago
that being said, in theory, it won't hurt to enable the WP rules for non-WP websites, they are targeting specific vulnerabilities, so the risk of false positives is fairly low

Did you find this page helpful?