How to do without a service key and HTTP value?

Hello, I’m facing an issue: I have a LAMP server (Apache + PHP) on which I have two bouncers (PHP and iptables). I have CrowdSec installed with AppSec, and I also installed ModSecurity to strengthen detection, along with the ModSecurity collection to combine the two solutions. I configured the iptables bouncer with scenarios_not_containing: ["http"] so that only the PHP bouncer can handle HTTP blocking. However, this does not work when a ModSecurity scenario is triggered. After investigating, I found the reason: when I inspect the scenario in detail, I notice that the service key with the value http is missing (or something else, I’m not sure if it should be there). Consequently, I cannot make it so that this is handled by the PHP bouncer. Do you have any idea how to work around this problem? Or is there nothing that can be done?
bbuddha (OP), 2w ago
Example:
cscli decisions list -o json | jq '.[0]'
{
  "capacity": 1,
  "created_at": "2025-08-18T13:43:46Z",
  "decisions": [
    {
      "duration": "59m51s",
      "id": 3847387,
      "origin": "crowdsec",
      "scenario": "crowdsecurity/http-bad-user-agent",
      "scope": "Ip",
      "simulated": false,
      "type": "captcha",
      "value": "1.2.3.4"
    }
  ],
  "events": [
    {
      "meta": [
        {
          "key": "ASNNumber",
          "value": "3215"
        },
        {
          "key": "ASNOrg",
          "value": "Orange"
        },
        {
          "key": "IsInEU",
          "value": "true"
        },
        {
          "key": "IsoCode",
          "value": "FR"
        },
        {
          "key": "SourceRange",
          "value": "1.2.3.4/12"
        },
        {
          "key": "datasource_path",
          "value": "access"
        },
        {
          "key": "datasource_type",
          "value": "file"
        },
        {
          "key": "http_args_len",
          "value": "0"
        },
        {
          "key": "http_path",
          "value": "/"
        },
        {
          "key": "http_status",
          "value": "200"
        },
        {
          "key": "http_user_agent",
          "value": "Cocolyzebot"
        },
        {
          "key": "http_verb",
          "value": "HEAD"
        },
        {
          "key": "log_type",
          "value": "http_access-log"
        },
        {
          "key": "service",
          "value": "http"
        },
        {
          "key": "source_ip",
          "value": "1.2.3.4"
        },
        {
          "key": "timestamp",
          "value": "2025-08-18T15:43:38+02:00"
        }
      ],
cscli decisions list -o json | jq '.[0]'
{
  "capacity": 0,
  "created_at": "2025-08-18T13:28:56Z",
  "decisions": [
    {
      "duration": "3h46m26s",
      "id": 3847386,
      "origin": "crowdsec",
      "scenario": "crowdsecurity/modsecurity",
      "scope": "Ip",
      "simulated": false,
      "type": "ban",
      "value": "1.2.3.4"
    }
  ],
  "events": [
    {
      "meta": [
        {
          "key": "ASNNumber",
          "value": "3215"
        },
        {
          "key": "ASNOrg",
          "value": "Orange"
        },
        {
          "key": "IsInEU",
          "value": "true"
        },
        {
          "key": "IsoCode",
          "value": "FR"
        },
        {
          "key": "SourceRange",
          "value": "1.2.3.4/12"
        },
        {
          "key": "datasource_path",
          "value": "error"
        },
        {
          "key": "datasource_type",
          "value": "file"
        },
        {
          "key": "log_type",
          "value": "modsecurity"
        },
        {
          "key": "modsec_message",
          "value": "SQL Injection Attack Detected via libinjection"
        },
        {
          "key": "modsec_ruledata",
          "value": "Matched Data: s&sos found within ARGS:id: 1' OR '1'='1"
        },
        {
          "key": "rule_id",
          "value": "942100"
        },
        {
          "key": "source_ip",
          "value": "1.2.3.4"
        },
        {
          "key": "timestamp",
          "value": "2025-08-18T15:28:56.188526Z"
        }
      ],
      "timestamp": "2025-08-18 15:28:56.188526 +0000 UTC"
    }
  ],
iiamloz, 2w ago
This is purely based on the scenario name (crowdsecurity/modsecurity) itself, and it's an array, so you can define multiple, like:
scenarios_not_containing: ["http", "modsecurity"]
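The name-based filtering described in the reply above, as an added example that is not part of the original thread and not CrowdSec's own code. It assumes the filter is a plain substring test on the scenario name; the sample alerts are constructed from the two outputs posted earlier, and `name_filter`, `audit` and the `web_markers` list are hypothetical names introduced for illustration.

```python
# Added illustration, not CrowdSec source code.
# Assumption: scenarios_not_containing is a substring test on the scenario name.

# Constructed sample, modelled on the two alerts posted in the thread.
ALERTS = [
    {"scenario": "crowdsecurity/http-bad-user-agent", "type": "captcha",
     "value": "1.2.3.4",
     "meta": {"service": "http", "log_type": "http_access-log"}},
    {"scenario": "crowdsecurity/modsecurity", "type": "ban",
     "value": "1.2.3.4",
     "meta": {"log_type": "modsecurity"}},  # no "service" key at all
]


def name_filter(alerts, scenarios_not_containing):
    """Alerts a bouncer still receives: scenario name contains none of the words."""
    return [a for a in alerts
            if not any(word in a["scenario"] for word in scenarios_not_containing)]


def scenarios(alerts):
    """Scenario names only, for readable output."""
    return [a["scenario"] for a in alerts]


def audit(alerts, scenarios_not_containing, web_markers=("http", "modsecurity")):
    """Scenarios that still reach the firewall bouncer although their log_type
    marks them as web traffic (web_markers is a hypothetical list to adapt)."""
    passed = name_filter(alerts, scenarios_not_containing)
    return [a["scenario"] for a in passed
            if any(m in a["meta"].get("log_type", "") for m in web_markers)]


if __name__ == "__main__":
    for words in (["http"], ["http", "modsecurity"]):
        print(words, "-> firewall bouncer receives:",
              scenarios(name_filter(ALERTS, words)),
              "| web scenarios leaking through:", audit(ALERTS, words))
```

The `meta` dictionary is never consulted by `name_filter`, which is why the missing `service` key on the ModSecurity alert has no effect on which bouncer receives the decision.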
bbuddha (OP), 2w ago
Ohhh, sorry then. I thought it was coming from the service label in the scenarios. thx