C
CrowdSec5d ago
Wobak

Posting multiple URLs in a forum triggers an anomaly

Hello, I'm not sure on how to tell crowdsec that something is normal behaviour. I have a forum on which I setup crowdsec to avoid crawlers & such, and now that I have it setup, when I try to post a topic / post, I'll get a 403 whenever I put multiple URLs in the post : 
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"
How can I tell crowdsec to not trigger a 403 in that scenario?
No description
3 Replies
CrowdSec
CrowdSec5d ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
Wobak
WobakOP5d ago
ok so I figured out that it was when posting content that the issue happened, so I'm going to put the solution there as a reminder. Created a custom yml for rules with the following content : 
name: custom/forum-write
default_remediation: ban
on_match:
  - filter: req.URL.Path startsWith "/create-content/text/"
    apply:
      - CancelEvent()
      - CancelAlert()
      - SetRemediation("allow")
name: custom/forum-write
default_remediation: ban
on_match:
  - filter: req.URL.Path startsWith "/create-content/text/"
    apply:
      - CancelEvent()
      - CancelAlert()
      - SetRemediation("allow")
Modified the appsec in acquis.d to add this : 
appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/crs-inband
  - custom/forum-write
appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/crs-inband
  - custom/forum-write
Added the yaml mounted through compose in /etc/crowdsec/appsec-configs/forum-write.yaml. Reloaded everything, it now works
CrowdSec
CrowdSec5d ago
Resolving Posting multiple URLs in a forum triggers an anomaly This has now been resolved. If you think this is a mistake please run /unresolve

Did you find this page helpful?