AppSec Component - CrowdSec WAF
What is CrowdSec?
If you're new to CrowdSec, here's a quick overview:
CrowdSec is an open-source, collaborative security solution that:
- Detects and blocks malicious actors threatening your infrastructure and applications
- Provides real-time threat intelligence through a participative community
- Offers both Infrastructure Protection (IP reputation, DDoS mitigation) and Application Security (WAF capabilities)
Introduction
Meet the CrowdSec Application Security Component (AppSec Component), which turns your CrowdSec install into a full-fledged WAF.
The AppSec Component offers:
- Low-effort virtual patching.
- Support for legacy ModSecurity rules.
- Classic WAF protection plus CrowdSec features for advanced behavior detection.
- Full integration with the CrowdSec stack, including the console and remediation components.
The component uses existing remediation hooks in web servers and reverse proxies (Nginx, Traefik, HAProxy, etc.) to provide web application firewall capabilities.
How it works
- The web server receives the HTTP request.
- The request is forwarded to the CrowdSec Security Engine over a local HTTP interface.
- The engine evaluates the request against AppSec rules (in-band rules can block immediately).
- Based on the result, the web server either blocks the request or processes it as usual.
Supported Web Servers & Reverse Proxies
The AppSec Component works seamlessly with modern web servers and reverse proxies:
NginxQuick Start Guide →
OpenRestyQuick Start Guide →
TraefikQuick Start Guide →
WordPressQuick Start Guide →Looking for other integrations? Check out the full list of remediation components on the CrowdSec Hub. We're constantly adding new integrations!
Inband Rules and Out-Of-Band Rules
The AppSec component relies on rules to inspect HTTP requests:
- Inband rules are meant to interrupt request processing
- Out-Of-Band rules are non-blocking and are evaluated asynchronously
In-band rule processing
The security engine first evaluates the inband rules, designed to identify and block specific requests.
Once these rules are evaluated, a response is relayed to the remediation component.
This leads to two possible outcomes:
- If an in-band rule is triggered, the remediation component returns a 403 or a captcha challenge to the requester, stopping processing.
- Otherwise, the request will be normally processed
Out-of-band rule processing
In the background, the security engine will then evaluate the out-of-band rules. These rules do not impact performance or response time, as they are evaluated after the AppSec Component instructs the webserver to continue or stop processing the request.
They are usually meant to detect repetitive unwanted behavior (for example, application spam, resource enumeration, scalping). When these rules trigger, they emit an event that the Security Engine processes like a log line.
Post processing
When a request triggers one or more rules, either in the inband section (blocking) or out-of-band (non-blocking), several things happen:
- Inband (blocking) rules will appear in your
cscli alerts list(and thus in your console dashboard). - Inband and Out-Of-Band rules will trigger an internal crowdsec event that can be treated as any log lines.
This lets scenarios leverage WAF rule events, such as extending a ban for an IP that triggers multiple virtual patching rules.
Next steps
You can follow our quick start guides depending on your web server:
Or consider learning more about the AppSec capabilities:
- Rules: How to read, write and debug rules
- Scenarios: How to create scenarios that leverage the AppSec Component events
- Hooks: To customise behavior of the AppSec at runtime
- Troubleshoot: How to troubleshoot the behavior of the AppSec Component
- AppSec Technical Details: For developers integrating with the AppSec Component
