Ban immediately after scenario is triggered

I adapted one of the scenarios to immediately ban an IP when it requests files like .env or wp. It bans the IP some time after the URL was called, but always with a delay. How can I ban immediately? I don't want the requests to reach my server. Is that even possible? Because CrowdSec would have to read the log, and by the time the log is written it is probably too late. Additional info: when I call domain.tld/.env the alert and the decision are created right away, but I can still browse around on the website and open other pages for half a minute until I get banned, and when unbanning it always takes half a minute to be unbanned, if that is relevant.
name: http-sensitive-files-local
description: "Detects and blocks attempts to access various common web application scan targets like /.env, WordPress paths, backups, and development leftovers."
type: trigger
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1595
  behavior: "http:scan"
  label: "HTTP Admin Interface Probing"
  service: http
  remediation: true
filter: |
  evt.Meta.service == 'http' and
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
  (
    let uri = Lower(evt.Meta.http_path);
    uri contains "/.env" or
    uri contains "/wp" or
    uri startsWith "/wordpress" or
    uri startsWith "/bak" or
    uri startsWith "/backup" or
    uri startsWith "/old" or
    uri startsWith "/new" or
    uri startsWith "/main" or
    uri startsWith "/.sql" or
    uri startsWith "/.zip" or
    uri startsWith "/.rar" or
    uri startsWith "/.tar.gz" or
    uri startsWith "/.bak" or
    uri startsWith "/.git/config"
  )
groupby: "evt.Meta.source_ip"
6 Replies
CrowdSec
CrowdSec3w ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
_KaszpiR_
_KaszpiR_3w ago
A lot depends on your remediation component: how frequently it gets updates from the LAPI and how it applies the remediation (for example, whether it blocks new connections but keeps the open ones).
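The delay described in the question is exactly that pull interval: the decision exists in LAPI as soon as the alert fires, but the remediation component only learns about new (and expired) decisions on its next poll, so neither a ban nor an unban can take effect faster than that. As an added example that is not from the thread, this is where that interval lives in the firewall bouncer's configuration; it assumes the firewall bouncer is the component in use, and the api_key value is a placeholder.

```yaml
# /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (excerpt; added example,
# not a file posted in the thread)
mode: nftables
api_url: http://127.0.0.1:8080/
api_key: <key-from-cscli-bouncers-add>   # placeholder, not a real key

# How often the bouncer pulls decisions from LAPI. A ban is not enforced,
# and an expired ban is not lifted, until the next pull, so a ~30 s delay on
# both ban and unban points at this setting (or its equivalent in whichever
# bouncer is actually in use). Lowering it trades LAPI load for latency.
update_frequency: 10s

# What happens to packets from a banned source once the decision is applied.
deny_action: DROP
deny_log: false
```

To check the two halves independently, `cscli decisions list` shows the decision the moment the scenario fires, while `cscli bouncers list` shows when each bouncer last pulled; if the decision is present but the bouncer's last pull is older, the gap you see is the pull interval, not the log pipeline.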
iiamloz
iiamloz3w ago
How can I ban immediately? I don't want the requests to reach my server.
Then you have to use something that blocks the request midway, i.e. a WAF: https://docs.crowdsec.net/docs/next/appsec/intro
iiamloz
iiamloz3w ago
also you most likely want to do an endsWith on these
uri startsWith "/.sql" or
uri startsWith "/.zip" or
uri startsWith "/.rar" or
uri startsWith "/.tar.gz" or
uri startsWith "/.bak" or
uri startsWith "/.git/config"
as you shouldn't care if I look for /foo/bar/test.sql. I prefer to write my rules in raw seclang, but let me know and I can convert it to our DSL. Here is an example blocking programming UAs:
#/etc/crowdsec/appsec-rules/myrules.yaml
name: my/rules
description: "Custom inband rules"
seclang_rules:
  - |
    SecRule REQUEST_HEADERS:User-Agent "^(?:go-http|python|curl|wget|nmap|sqlmap|guzzle|wpscan|scrapy|colly)" "id:10004, phase:1, deny, t:lowercase, msg: 'Programming UA Header: %{MATCHED_VAR}'"
iiamloz
iiamloz3w ago
then it blocks these requests before they get to my backend
Unavi
UnaviOP3w ago
Thank you! I enabled the WAF and now the requests get blocked. When going back to a normal URL I am still able to access it for a few seconds before the IP gets banned. This is my profiles.yaml with the remediation settings.
name: default_ip_remediation
debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 30m
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - http_victoriametrics
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
---
name: default_range_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
  - type: ban
    duration: 30m
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
That looks neat. This would block common crawler tools? Do I understand correctly that the appsec rules also ban, like scenarios do, but they only run for the WAF and not for the logs? And scenarios are treated as in-band rules for the WAF? I think ideally I would want a seclang rule or new DSL rule that blocks all access to requests ending with certain keywords like .env, and it would read the keywords from a newline-separated list in a txt file that is in the same folder as the rule. Is that possible, and could you write me something like that? Or point me to resources that explain that? I read over https://docs.crowdsec.net/docs/appsec/rules_syntax/ I guess you prefer seclang because you are used to it and you already have a lot of rules written in it?
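Both of the points raised above, matching on how the path ends rather than how it starts, and keeping the blocked paths in a separate list file, can be expressed with standard SecLang operators, since the AppSec component accepts raw SecLang under seclang_rules. The following is an added example and not a rule posted by anyone in the thread; the file names, rule IDs, the list's location and its contents are assumptions. Note what it does and does not do: an in-band deny stops the matching request at the WAF before it reaches the backend, but the IP-level ban for the attacker's subsequent requests to ordinary URLs still goes through LAPI and the bouncer's pull interval, which is the few-seconds window described just above.

```yaml
# /etc/crowdsec/appsec-rules/sensitive-files.yaml  (added example, not from the thread)
# Enable it by listing "my/sensitive-files" under inband_rules in the appsec config.
name: my/sensitive-files
description: "Deny requests for sensitive files and scanner targets before they reach the backend"
seclang_rules:
  # Rule 1: anchor on how the path ENDS, so /foo/bar/dump.sql and /api/.env are
  # caught while /images/sql-logo.png is not. REQUEST_FILENAME is the request
  # path without the query string; (?i) makes the match case-insensitive.
  - |
    SecRule REQUEST_FILENAME "@rx (?i)(?:/\.env|\.sql|\.zip|\.rar|\.tar\.gz|\.bak|/\.git/config)$" "id:10010,phase:1,deny,status:403,msg:'Sensitive file request: %{MATCHED_VAR}'"
  # Rule 2: the keyword list lives in a plain text file, one entry per line.
  # @pmFromFile is a case-insensitive SUBSTRING match (Aho-Corasick), not an
  # endsWith, so keep entries specific ("/.env", "/wp-config.php", "/.git/config")
  # rather than bare words like "env" that would also hit /environment.html.
  # Assumption: an absolute path is used so nothing depends on what a relative
  # path would be resolved against once the rule is embedded in this YAML.
  - |
    SecRule REQUEST_FILENAME "@pmFromFile /etc/crowdsec/appsec-rules/blocked-paths.txt" "id:10011,phase:1,deny,status:403,msg:'Blocked path from list: %{MATCHED_VAR}'"
```

Rule 1 is the endsWith form of the scenario's startsWith list; rule 2 answers the list-file requirement, with the caveat that pmFromFile gives you "contains", so the precision comes from how you write the entries. Because the deny fires in phase 1 (request headers), the request is rejected before a body is read, and the same rule file is not consulted for log-based scenarios, which keep running independently on the access log.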
