Why is there no decision to this appsec alert
Shouldn't there be a decision / remediation for this alert?
It triggered two rules within 60 seconds:
Version is 1.7.0 - hub is up to date.
The alert was from AppSec, but you can see `Remediation : false` from the alert details; this was simply just the appsec trigger itself.
Even though the alert has two rules, CoreRuleSet has one rule which is simply just the Alert scoring level, so we don't count that when it comes to scenarios anymore.

Yes - I know that - but the scoring level is
and
But the request triggered
I have more examples where more rules than just the scoring levels were triggered, but they are all `Remediation : false`
Yes, that's because our CRS by default is out of band, which means the request is not blocked but there is a scenario counter to block the IP if they keep trying.
so we released an in band version: https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-crs-inband
this will block requests, but again it does not ban the IP unless they trigger multiple rules over multiple requests; you can see the scenario https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/appsec-native
So if you want to simply ban every IP, even though it can be highly false-positive prone, just copy the scenario, remove `capacity` and change `type` to `trigger`
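The edit suggested above, written out as an added illustration that is not from this thread or the CrowdSec hub: a leaky-bucket scenario next to the same scenario copied and turned into a `trigger` one. The scenario name, description, filter and labels below are assumed placeholders; copy the real values from the hub scenario linked above. Note that a `trigger` scenario fires a decision on the very first matching event, which is exactly why the reply calls it false-positive prone.

```yaml
# --- Original shape (leaky bucket): bans only after enough requests within the window ---
type: leaky
name: my-org/appsec-native-copy            # assumed name for the local copy
description: "Copy of the hub scenario (placeholder description)"
filter: "<copy the filter from the hub scenario>"   # placeholder, not the real expression
groupby: evt.Meta.source_ip
capacity: 3          # bucket overflows on the 4th event from the same IP...
leakspeed: 60s       # ...unless the events are spaced out by more than this
blackhole: 1m
labels:
  remediation: true  # without this the profile creates no decision (see "Remediation : false" above)

# --- Modified copy (trigger): one matching request from an IP is enough to ban it ---
type: trigger        # was: leaky
name: my-org/appsec-native-trigger         # assumed name; must differ from the copy above
description: "Ban on first AppSec match (placeholder description)"
filter: "<copy the filter from the hub scenario>"   # same placeholder
groupby: evt.Meta.source_ip
# capacity and leakspeed removed: a trigger bucket has no fill level to wait for
blackhole: 1m
labels:
  remediation: true
```

Keep the two definitions in separate files under the scenarios directory (or separate YAML documents), and check with `cscli metrics` that the new scenario's bucket actually appears once it has been loaded, as the later reply in this thread suggests.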
Just realised appsec_native has `capacity: 3`
Yes, but those are for `inband` requests; the CRS out of band has its own scenarios
https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/crowdsec-appsec-outofband
but we provide these defaults, because we've seen CRS can be false-positive prone if not properly managed by the user.

In order for OutBand rules to result in a ban they need to trigger `crowdsecurity/crowdsec-appsec-outofband`, right?
Did not trigger `crowdsecurity/crowdsec-appsec-outofband`
But I just saw that 2 "Events" were the scoring rules.
Maybe not count them as events when they're not counted towards offending rules 🙂

it does, but you are counting `events` thinking it means capacity; the capacity means it must be 5 different requests.
you can see buckets via `cscli metrics`
if you don't see that scenario in the list then yes, something's off

For WAF matches with the CRS, the event count in the alert generated by the WAF is not actually the number of requests.
It's the number of CRS rules that matched the request: CRS will always match more than one rule, and it's there to allow you to understand what exactly was happening inside the CRS (think of it as a very light version of the modsecurity audit log)
Got it. Thanks!
It's a change in 1.7.0, before we were not even populating the events
We probably need to document that to make it clearer (I thought it was obvious, but thinking about it, it's probably not)
While you're at it - please document that the message changed from "Appsec block" to "WAF block" this broke some profiles 🙂
ooooh, this I did not see, probably broke mine too 😄 @blotus
we really need to come up with a way to say "I'm an appsec alert"
And final question - where do I need to ask if I never got a signup mail for https://app.crowdsec.net/
I wrote an E-Mail to support...
DM me your email, was it the activation code?
Yes - never got the activation code.