C
CrowdSec3w ago
ThreatJaeger

Custom coraza/crs rules per host/ingress

Hello all! I'm using Crowdsec with traefik in kubernetes. Very simply, is a way to apply different appsec/coraza rules per ingress? For instance in my current setup, if I hit test.example.com it routes through traefik, which uses a traefik middleware plugin to pass the traffik to coraza. That coraza middleware contains custom rules for that specific ingress. It looks like this: 
test.example.com -> traefik_test_ingress -> coraza_test_rules -> application_test
test_2.example.com -> traefik_2_ingress -> coraza_test_2_rules -> application_test_2
test.example.com -> traefik_test_ingress -> coraza_test_rules -> application_test
test_2.example.com -> traefik_2_ingress -> coraza_test_2_rules -> application_test_2
With Crowdsec, I see how I could use a pre_eval filter to remove Coraza rules by host, something like this: 
- filter: IsInBand && req.Host == "test.example.com"
  apply:
    - RemoveInBandRuleByID(12345)
- filter: IsInBand && req.Host == "test.example.com"
  apply:
    - RemoveInBandRuleByID(12345)
However, I don't see how to define more complicated coraza rules, e.g. using an apply action to point to specific inband_rules, such as these: 
- SecRule REQUEST_URI "@rx ^/(redacted-examples)(/|$)" "id:500001,phase:1,log,deny,t:lowercase,status:400,msg:'Blocking specific paths'"
- SecRule ARGS_NAMES "!@rx (?i)^(redacted-examples)$" "id:500002,phase:1,deny,log,t:lowercase,status:400,msg:'Unexpected query param'"
- SecRule REQUEST_URI "@rx ^/(redacted-examples)(/|$)" "id:500001,phase:1,log,deny,t:lowercase,status:400,msg:'Blocking specific paths'"
- SecRule ARGS_NAMES "!@rx (?i)^(redacted-examples)$" "id:500002,phase:1,deny,log,t:lowercase,status:400,msg:'Unexpected query param'"
I tried creating a custom config and ruleset (including mapping it in as a configmap into the right location). The custom config works fine, but again, I don't see a way to apply the example custom rules per ingress. This is the final blocker for me to move from Coraza to Crowdsec, I would really appreciate any advice on how to accomplish this. Thanks!
1 Reply
CrowdSec
CrowdSec3w ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️

Did you find this page helpful?