AppSec Component - CrowdSec WAF
Introduction
Meet the CrowdSec Application Security Component (AppSec Component), which turns your CrowdSec install into a full-fledged WAF.
The AppSec Component offers:
- Low-effort virtual patching.
- Support for legacy ModSecurity rules.
- Classic WAF protection plus CrowdSec features for advanced behavior detection.
- Full integration with the CrowdSec stack, including the console and remediation components.
This component uses existing remediation hooks in web servers (Nginx, Traefik, HAProxy, etc.) to provide web application firewall capabilities.
- The web server receives the HTTP request.
- The request is intercepted and passed to the CrowdSec Security Engine via the HTTP API.
- The Security Engine answers once the AppSec in-band rules have been processed.
- Based on the Security Engine answer, the web server either blocks the request or processes it as usual.
In-band Rules and Out-of-Band Rules
The AppSec component relies on rules to inspect HTTP requests:
- In-band rules are evaluated synchronously and are meant to interrupt request processing.
- Out-of-band rules are non-blocking and are evaluated asynchronously.
In-band rule processing
The Security Engine first evaluates the in-band rules, which are designed to identify and block specific requests.
Once these rules are evaluated, a response is relayed to the remediation component.
This leads to two possible outcomes:
- If an in-band rule is triggered, the remediation component returns a 403 or a captcha challenge to the requester, and processing of the request stops.
- Otherwise, the request is processed normally.
Out-of-band rules processing
In the background, the Security Engine then evaluates the out-of-band rules. These rules do not impact performance or response time, as they run only after the AppSec Component has already told the web server whether to continue or stop processing the request.
They are usually meant to detect repetitive unwanted behavior (for example, application spam, resource enumeration, scalping). When these rules trigger, they emit an event that the Security Engine processes like a log line.
Post processing
When a request triggers one or more rules, either in the in-band section (blocking) or out-of-band (non-blocking), several things happen:
- In-band (blocking) rules appear in your `cscli alerts list` (and thus in your console dashboard).
- In-band and out-of-band rules trigger an internal CrowdSec event that can be treated like any log line.
This lets scenarios leverage WAF rule events, such as extending a ban for an IP that triggers multiple virtual patching rules.
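To make the two-stage flow concrete, here is a constructed Python model of it. It is an added illustration, not CrowdSec's code: the `Request`, `Rule`, `AppSecEngine` and `DistinctRuleScenario` names, the zone and transform names, the rule names, the event fields and the sample traffic are all hypothetical simplifications of what the real YAML rules, AppSec events and scenarios express. What it shows is the property the text describes: an in-band hit answers the remediation component synchronously with a 403 and produces an alert, while out-of-band hits never change a verdict but feed a scenario that correlates them per source IP, so a scanner whose every request is individually allowed still ends up banned.

```python
"""Constructed model of the in-band / out-of-band AppSec flow. Not CrowdSec's
code: rules, events and the scenario are simplified, hypothetical stand-ins."""
import queue
import re
import threading
from collections import defaultdict, namedtuple
from urllib.parse import parse_qs, unquote, urlparse

Request = namedtuple("Request", "source_ip uri headers")  # uri = path plus query string
# zone: URI, ARGS or HEADERS (toy names); match: regex or contains; transforms run in order
Rule = namedtuple("Rule", "name zone match value transforms", defaults=[()])
TRANSFORMS = {"urldecode": unquote, "lowercase": str.lower}

def zone_values(req, zone):
    """Return the request fragments a rule with this zone inspects."""
    parsed = urlparse(req.uri)
    if zone == "URI":
        return [parsed.path]
    if zone == "ARGS":
        return [v for vals in parse_qs(parsed.query).values() for v in vals]
    return list(req.headers.values()) if zone == "HEADERS" else []

def rule_matches(rule, req):
    for value in zone_values(req, rule.zone):
        for name in rule.transforms:
            value = TRANSFORMS[name](value)
        if rule.match == "regex" and re.search(rule.value, value):
            return True
        if rule.match == "contains" and rule.value in value:
            return True
    return False

class DistinctRuleScenario:
    """Toy scenario: ban an IP after more than `capacity` distinct rule hits (no leak)."""

    def __init__(self, capacity):
        self.capacity, self.seen, self.banned = capacity, defaultdict(set), []

    def process(self, evt):
        self.seen[evt["ip"]].add(evt["rule"])
        if len(self.seen[evt["ip"]]) > self.capacity and evt["ip"] not in self.banned:
            self.banned.append(evt["ip"])

class AppSecEngine:
    def __init__(self, inband, outofband, scenarios):
        self.inband, self.outofband, self.scenarios = inband, outofband, scenarios
        self.alerts, self.lock, self.pending = [], threading.Lock(), queue.Queue()
        threading.Thread(target=self._out_of_band_worker, daemon=True).start()

    def _emit(self, req, rule, blocking):
        """Post-processing: in-band hits become alerts; every hit feeds the scenarios."""
        evt = {"ip": req.source_ip, "rule": rule.name, "blocking": blocking}
        with self.lock:
            if blocking:
                self.alerts.append(evt)
            for scenario in self.scenarios:
                scenario.process(evt)

    def handle(self, req):
        """Synchronous verdict the remediation component waits for; the request is
        then queued for out-of-band evaluation whatever that verdict was."""
        try:
            for rule in self.inband:
                if rule_matches(rule, req):
                    self._emit(req, rule, blocking=True)
                    return {"action": "ban", "http_status": 403}
            return {"action": "allow", "http_status": 200}
        finally:
            self.pending.put(req)

    def _out_of_band_worker(self):
        while True:  # background thread: never delays an answer to the web server
            req = self.pending.get()
            for rule in self.outofband:
                if rule_matches(rule, req):
                    self._emit(req, rule, blocking=False)
            self.pending.task_done()

# Constructed rule sets and traffic; names, patterns and addresses are hypothetical.
INBAND = [Rule("vpatch-path-traversal", "URI", "regex", r"\.\./", ("urldecode",))]
OUTOFBAND = [
    Rule("oob-scanner-ua", "HEADERS", "contains", "nikto", ("lowercase",)),
    Rule("oob-admin-probe", "URI", "regex", r"^/(wp-login\.php|xmlrpc\.php)$"),
    Rule("oob-sqli-probe", "ARGS", "contains", "union select", ("urldecode", "lowercase")),
]
SAMPLE_REQUESTS = [  # a normal visitor, one exploit attempt, then a scanner
    Request("10.0.0.1", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    Request("10.0.0.2", "/static/..%2F..%2Fetc/passwd", {"User-Agent": "curl/8.0"}),
    Request("10.0.0.3", "/wp-login.php", {"User-Agent": "Nikto/2.1.6"}),
    Request("10.0.0.3", "/search?q=1%27+UNION+SELECT+1", {"User-Agent": "Nikto/2.1.6"}),
]

def run_demo():
    scenario = DistinctRuleScenario(capacity=2)
    engine = AppSecEngine(INBAND, OUTOFBAND, [scenario])
    verdicts = [engine.handle(r)["http_status"] for r in SAMPLE_REQUESTS]
    engine.pending.join()  # test aid only: a real component never waits for this stage
    return verdicts, [a["rule"] for a in engine.alerts], list(scenario.banned)

if __name__ == "__main__":
    print(run_demo())  # ([200, 403, 200, 200], ['vpatch-path-traversal'], ['10.0.0.3'])
```

Run it directly to see the three results side by side: only the traversal attempt from 10.0.0.2 is refused at request time and becomes an alert, and 10.0.0.3 is never refused by an in-band rule yet is banned once the background stage has matched three distinct rules against its traffic. The `pending.join()` in `run_demo` exists only so the outcome can be inspected; the point of the out-of-band stage is precisely that nothing on the request path waits for it.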
Next steps
You can follow our quick start guides depending on your web server:
Or consider learning more about the AppSec capabilities:
- Rules: How to read, write and debug rules
- Scenarios: How to create scenarios that leverage the AppSec Component events
- Hooks: To customize behavior of the AppSec at runtime
- Troubleshoot: How to troubleshoot the behavior of the AppSec Component
- AppSec Protocol: If you're maintaining or creating a remediation component and want to add AppSec capabilities