No target_host in AppsecAlerts

I am running CrowdSec on an nginx reverse-proxy. So AppSec is running for a lot of vhosts. However, in most (all?) of the AppSec alerts I don't get a target_host in the context. So I can't really tell which vhost was hit by the alert. Any way to enable this?

cscli lapi context status is:

cve:
  - evt.Meta.cve
id:
  - 'match.id != nil ? match.id : '''''
ja4h:
  - req.Method != '' ? JA4H(req) :''
matched_zones:
  - 'match.matched_zones != nil ? match.matched_zones : '''''
method:
  - 'match.method != nil ? match.method : '''''
  - evt.Meta.http_verb
msg:
  - 'match.msg != nil ? match.msg : '''''
name:
  - 'match.name != nil ? match.name : '''''
request_id:
  - evt.Meta.request_id
rules:
  - evt.Meta.rule_name
status:
  - evt.Meta.http_status
target_host:
  - evt.Meta.target_host
target_uri:
  - evt.Meta.target_uri
  - 'match.uri != nil ? match.uri : '''''
  - evt.Meta.http_path
target_user:
  - evt.Meta.target_user
user_agent:
  - 'req.Method != '''' ? req.UserAgent() : '''''
  - evt.Meta.http_user_agent

I would prefer not to edit /etc/crowdsec/contexts/appsec_base.yaml as I'd like to have as few "tainted" files as possible. Is it possible to add something to my local/http_extra.yaml file in /etc/crowdsec/contexts/? Thanks for any guidance in the right direction.
iiamloz, 4w ago
Yes, you can add your own contexts. For me, I want to CRS log data, so I added:
$ cat /etc/crowdsec/contexts/my_context.yaml
context:
  logdata:
    - "match.logdata != nil ? match.logdata : ''"
So you should be able to add a file ending in .yaml:
context:
  target_host:
    - "req.Method != '' ? req.Host : ''"
However, I haven't tested it, so feedback if you get any issues.
Streilinger (OP), 3w ago
Thank you - I’ll try it out. Btw. Someone should rework https://docs.crowdsec.net/docs/next/appsec/hooks/ It says req.URL.Path and req.URL.Host. Just req.Path worked for me in a post_eval filter.
Streilinger (OP), 3w ago
This works - thank you!