ModSecurity rules errors
What happened?
Crowdsec + appsec + Modsecurity rule:
`SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"`
The value of REMOTE_ADDR is 127.0.0.1:48926, and 48926 is a random port.
Therefore Modsecurity's rules for ip whitelisting are invalid.
What did you expect to happen?
ModSecurity's rules for IP whitelisting are invalid, because I found that the variable REMOTE_ADDR is not the expected client IP but 127.0.0.1 followed by a random port number.
How can we reproduce it (as minimally and precisely as possible)?
- os: AlmaLinux release 9.3 (Shamrock Pampas Cat)
- nginx version:
```
nginx version: openresty/1.25.3.2
built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC)
built with OpenSSL 1.1.1w 11 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.3 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/lib -ljemalloc' --user=www --group=www --with-http_stub_status_module --with-http_perl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail=dynamic --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-pcre=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/pcre-8.45 --with-zlib=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/zlib-1.3.1 --with-openssl=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/openssl-1.1.1w --with-http_perl_module=dynamic --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_cache_purge-2.3 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_healthcheck_module-master --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_http_geoip2_module-3.4 --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ip2location/ip2location-nginx-8.6.0 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-ssl-fingerprint --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ModSecurity-nginx --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-module-vts-0.2.2 --with-openssl-opt=-g --with-pcre-opt=-g --with-zlib-opt=-g --with-stream --without-pcre2
```
- Crowdsec: v1.6.3
- nginx.conf config:
```nginx
http {
    include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;
}
```
- crowdsec_openresty.conf is default
- /etc/crowdsec/acquis.d/appsec.yaml
```yaml
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec
log_level: debug
```
- /etc/crowdsec/appsec-configs/appsec-default.yaml
```yaml
name: crowdsecurity/virtual-patching
default_remediation: ban
inband_rules:
  - crowdsecurity/base-config
  - crowdsecurity/vpatch-*
  - crowdsecurity/generic-*
  - gdl/modsecurity
```
- /etc/crowdsec/appsec-rules/modsecurity.yaml
```yaml
name: gdl/modsecurity
description: ModSecurity rules integration for CrowdSec
seclang_files_rules:
  - /coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
  - /coreruleset/rules/REQUEST-901-INITIALIZATION.conf
  - /coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
  - /coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
  - /coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
  - /coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
  - /coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
  - /coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
  - /coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
  - /coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
  - /coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
  - /coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
  - /coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
  - /coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  - /coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
  - /coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
  - /coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
  - /coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
  - /coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
  - /coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
  - /coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
  - /coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
  - /coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
  - /coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
  - /coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
  - /coreruleset/rules/RESPONSE-980-CORRELATION.conf
  - /coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```
- download Modsecurity: `git clone https://github.com/coreruleset/coreruleset.git`
```sh
cd /home/soft
git clone https://github.com/coreruleset/coreruleset.git
mkdir -pv /var/lib/crowdsec/data/coreruleset/rules
cp /home/soft/coreruleset/rules/*.conf /var/lib/crowdsec/data/coreruleset/rules/
cp /home/soft/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp /home/soft/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cp /home/soft/coreruleset/rules/*.data /var/lib/crowdsec/data/coreruleset/
```
Finally, the rule for IP whitelisting, `SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow"`, was added to the /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file.
```sh
systemctl restart crowdsec
systemctl restart nginx
```
Anything else we need to know?
No response
Crowdsec version
$ cscli version
version: v1.6.3-rpm-pragmatic-amd64-4851945a
Codename: alphaga
BuildDate: 2024-09-10_13:00:53
GoVersion: 1.22.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.3-rpm-pragmatic-amd64-4851945a-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
OS version
# On Linux:
$ cat /etc/os-release
[root@instance-20240912-1119 ~]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
$ uname -a
Linux instance-20240912-1119 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 7 14:54:22 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
Enabled collections and parsers
$ cscli hub list -o raw
# paste output here
Acquisition config
Config show
$ cscli config show
Global:
- Configuration Folder : /etc/crowdsec
- Data Folder : /var/lib/crowdsec/data
- Hub Folder : /etc/crowdsec/hub
- Simulation File : /etc/crowdsec/simulation.yaml
- Log Folder : /var/log
- Log level : info
- Log Media : file
Crowdsec:
- Acquisition File : /etc/crowdsec/acquis.yaml
- Parsers routines : 1
- Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
- Output : human
- Hub Branch :
API Client:
- URL : http://127.0.0.1:8080/
- Login : d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC
- Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
- Listen URL : 127.0.0.1:8080
- Listen Socket :
- Profile File : /etc/crowdsec/profiles.yaml
- Trusted IPs:
- 127.0.0.1
- ::1
- Database:
- Type : sqlite
- Path : /var/lib/crowdsec/data/crowdsec.db
- Flush age : 7d
- Flush size : 5000
Prometheus metrics
$ cscli metrics
Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ appsec:appsec │ 3 │ 3 │ - │ 2 │ - │
│ file:/usr/local/openresty/nginx/logs/access.log │ 3 │ 3 │ - │ 5 │ - │
│ file:/usr/local/openresty/nginx/logs/error.log │ 12 │ 3 │ 9 │ 6 │ - │
│ file:/var/log/messages │ 29 │ - │ 29 │ - │ - │
│ file:/var/log/secure │ 49 │ 39 │ 10 │ 114 │ - │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
Local API Alerts:
╭───────────────────────────────────────┬───────╮
│ Reason │ Count │
├───────────────────────────────────────┼───────┤
│ crowdsecurity/http-bad-user-agent │ 11 │
│ crowdsecurity/ssh-bf_user-enum │ 5 │
│ native_rule:901001 │ 13 │
│ native_rule:920350 │ 1 │
│ crowdsecurity/ssh-cve-2024-6387 │ 2 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ 2 │
│ crowdsecurity/netgear_rce │ 1 │
│ crowdsecurity/ssh-bf │ 44 │
│ crowdsecurity/ssh-slow-bf_user-enum │ 4 │
│ crowdsecurity/CVE-2017-9841 │ 6 │
│ crowdsecurity/http-cve-2021-41773 │ 4 │
│ crowdsecurity/http-cve-2021-42013 │ 2 │
│ crowdsecurity/http-open-proxy │ 5 │
│ crowdsecurity/http-probing │ 1 │
│ crowdsecurity/vpatch-CVE-2023-42793 │ 7 │
│ crowdsecurity/ssh-slow-bf │ 58 │
│ crowdsecurity/vpatch-env-access │ 1 │
│ native_rule:901340 │ 194 │
╰───────────────────────────────────────┴───────╯
Appsec Metrics:
╭───────────────────┬───────────┬─────────╮
│ Appsec Engine │ Processed │ Blocked │
├───────────────────┼───────────┼─────────┤
│ myAppSecComponent │ 3 │ 3 │
╰───────────────────┴───────────┴─────────╯
Appsec 'myAppSecComponent' Rules Metrics:
╭─────────┬───────────╮
│ Rule ID │ Triggered │
├─────────┼───────────┤
│ 901001 │ 3 │
╰─────────┴───────────╯
Local API Decisions:
╭──────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason │ Origin │ Action │ Count │
├──────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2019-18935 │ CAPI │ ban │ 43 │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 62 │
│ crowdsecurity/netgear_rce │ CAPI │ ban │ 132 │
│ crowdsecurity/vpatch-CVE-2024-4577 │ CAPI │ ban │ 2 │
│ crowdsecurity/vpatch-env-access │ CAPI │ ban │ 175 │
│ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 13 │
│ crowdsecurity/http-open-proxy │ CAPI │ ban │ 1939 │
│ crowdsecurity/http-probing │ CAPI │ ban │ 6054 │
│ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 10723 │
│ crowdsecurity/vpatch-CVE-2023-6553 │ CAPI │ ban │ 1 │
│ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 3 │
│ crowdsecurity/http-dos-invalid-http-versions │ CAPI │ ban │ 1126 │
│ crowdsecurity/nginx-req-limit-exceeded │ CAPI │ ban │ 662 │
│ crowdsecurity/spring4shell_cve-2022-22965 │ CAPI │ ban │ 1 │
│ ltsich/http-w00tw00t │ CAPI │ ban │ 4 │
│ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 6 │
│ crowdsecurity/CVE-2023-49103 │ CAPI │ ban │ 107 │
│ crowdsecurity/ssh-bf │ CAPI │ ban │ 6492 │
│ crowdsecurity/ssh-cve-2024-6387 │ CAPI │ ban │ 46 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 233 │
│ crowdsecurity/vpatch-git-config │ CAPI │ ban │ 18 │
│ crowdsecurity/vpatch-laravel-debug-mode │ CAPI │ ban │ 29 │
│ crowdsecurity/CVE-2022-26134 │ CAPI │ ban │ 6 │
│ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 16506 │
│ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 486 │
│ crowdsecurity/http-generic-bf │ CAPI │ ban │ 36 │
│ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 256 │
│ crowdsecurity/vpatch-CVE-2023-1389 │ CAPI │ ban │ 5 │
│ crowdsecurity/CVE-2017-9841 │ CAPI │ ban │ 410 │
│ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 1 │
│ crowdsecurity/http-cve-probing │ CAPI │ ban │ 27 │
│ crowdsecurity/CVE-2023-22515 │ CAPI │ ban │ 3 │
│ crowdsecurity/http-admin-interface-probing │ CAPI │ ban │ 340 │
│ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 461 │
│ crowdsecurity/http-wordpress-scan │ CAPI │ ban │ 555 │
│ crowdsecurity/vpatch-symfony-profiler │ CAPI │ ban │ 3 │
│ crowdsecurity/CVE-2022-37042 │ CAPI │ ban │ 2 │
│ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 264 │
│ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 556 │
│ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 22 │
│ crowdsecurity/modsecurity │ CAPI │ ban │ 1421 │
╰──────────────────────────────────────────────┴────────┴────────┴───────╯
Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts │ POST │ 3 │
│ /v1/decisions/stream │ GET │ 312 │
│ /v1/decisions/stream │ HEAD │ 2 │
│ /v1/heartbeat │ GET │ 26 │
│ /v1/usage-metrics │ POST │ 2 │
│ /v1/watchers/login │ POST │ 1 │
╰──────────────────────┴────────┴──────╯
Local API Bouncers Metrics:
╭─────────────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer │ Route │ Method │ Hits │
├─────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ GET │ 154 │
│ crowdsec-openresty-bouncer-BNfUjB3R │ /v1/decisions/stream │ HEAD │ 2 │
│ cs-firewall-bouncer-1726126067 │ /v1/decisions/stream │ GET │ 158 │
╰─────────────────────────────────────┴──────────────────────┴────────┴──────╯
Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│ Machine │ Route │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/alerts │ POST │ 3 │
│ d954f1dee50d446792dd10549aa821f1SIPuVEkiiFrJJPsC │ /v1/heartbeat │ GET │ 26 │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯
Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs │ 18 │ 16 │ 2 │
│ child-crowdsecurity/nginx-logs │ 36 │ 6 │ 30 │
│ child-crowdsecurity/sshd-logs │ 314 │ 39 │ 275 │
│ child-crowdsecurity/syslog-logs │ 78 │ 78 │ - │
│ crowdsecurity/appsec-logs │ 3 │ 3 │ - │
│ crowdsecurity/dateparse-enrich │ 45 │ 45 │ - │
│ crowdsecurity/geoip-enrich │ 48 │ 48 │ - │
│ crowdsecurity/http-logs │ 6 │ 6 │ - │
│ crowdsecurity/nginx-logs │ 15 │ 6 │ 9 │
│ crowdsecurity/non-syslog │ 18 │ 18 │ - │
│ crowdsecurity/sshd-logs │ 49 │ 39 │ 10 │
│ crowdsecurity/syslog-logs │ 78 │ 78 │ - │
│ crowdsecurity/whitelists │ 48 │ 48 │ - │
╰─────────────────────────────────┴──────┴────────┴──────────╯
Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/appsec-vpatch │ - │ - │ 2 │ 2 │ 2 │
│ crowdsecurity/http-crawl-non_statics │ - │ - │ 3 │ 3 │ 3 │
│ crowdsecurity/http-dos-swithcing-ua │ - │ - │ 2 │ 4 │ 2 │
│ crowdsecurity/http-probing │ - │ - │ 2 │ 2 │ 2 │
│ crowdsecurity/http-xss-probbing │ - │ - │ 2 │ 2 │ 2 │
│ crowdsecurity/ssh-bf │ 2 │ - │ 20 │ 39 │ 18 │
│ crowdsecurity/ssh-bf_user-enum │ 2 │ - │ 20 │ 20 │ 18 │
│ crowdsecurity/ssh-slow-bf │ 6 │ - │ 6 │ 39 │ - │
│ crowdsecurity/ssh-slow-bf_user-enum │ 5 │ - │ 7 │ 16 │ 2 │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist │ Reason │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 48 │ - │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
@gdlwolf: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
- Check Crowdsec Documentation to see if your issue can be self resolved.
- You can also join our Discord.
- Check Releases to make sure your agent is on the latest version.
Details
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
Hi 👋🏻
Thank you for the detailed report and steps; we managed to reproduce the issue and can pinpoint the code at fault.
We will work on a patch for the next update, 1.6.4.
thanks
A fix has been merged. If you use Docker, you can point the image to :dev to get the latest changes; otherwise, this will be included in the 1.6.4 release.
We will need to do some testing with our remediation, as I suspect the following line does not handle it correctly:
https://github.com/crowdsecurity/crowdsec/blob/fb733ee43a4f0210dd65d32618dec00e5904ab6f/pkg/acquisition/modules/appsec/appsec_runner.go#L248
Okay, it seems my suspicions were unfounded.
```
root@bookworm:~# grep Response /var/log/crowdsec.log
time="2024-11-20T11:56:33Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=127.0.0.1 request_uuid=72418760-ec9d-4859-9624-01eaf24482a1 type=appsec
time="2024-11-20T11:58:38Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=127.0.0.1 request_uuid=ffe1d815-1c42-46ed-824d-2a93e7e3f01e type=appsec
time="2024-11-20T11:58:40Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=127.0.0.1 request_uuid=c4c2c935-9890-4f19-aa64-63533e11f82d type=appsec
time="2024-11-20T11:59:27Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=192.168.121.1 request_uuid=ca8e0938-255c-4469-ac7a-2c907f3d9c46 type=appsec
time="2024-11-20T11:59:29Z" level=debug msg="Response: {Action:ban HTTPStatus:403}" client_ip=192.168.121.1 request_uuid=f27dd56f-945a-49cd-b76e-4572a6078b2c type=appsec
time="2024-11-20T12:00:12Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=192.168.121.1 request_uuid=7dca4627-cb99-4d64-bf53-000c420c502d type=appsec
time="2024-11-20T12:00:14Z" level=debug msg="Response: {Action:allow HTTPStatus:200}" client_ip=192.168.121.1 request_uuid=a84dac7b-c590-4b1e-a6c9-45033f699f05 type=appsec
```
Rules were modified to test that matching with allow works, e.g.:
```yaml
name: laurencejjones/myrules
description: "Custom inband rules"
seclang_rules:
  - |
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.121.1" "id:900101,phase:1,pass,nolog,allow"
```
The ban log line was when the IP was not in the rule.
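The failure the report describes (REMOTE_ADDR arriving as host:port, so `@ipMatch 127.0.0.1,...` never matches) and the allow test above with rule 900101, as an added Go example that is not CrowdSec's or ModSecurity's own code: `clientIP` strips the source port before matching, and `ipMatch` emulates an `@ipMatch` list of addresses and CIDRs. Function names and the sample addresses are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// clientIP strips the ephemeral source port from a REMOTE_ADDR value such as
// "127.0.0.1:48926" (the form reported here) or "[::1]:48926"; a bare address passes through.
func clientIP(remoteAddr string) (netip.Addr, error) {
	host := remoteAddr
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		host = h
	}
	return netip.ParseAddr(strings.Trim(host, "[]"))
}

// ipMatch mirrors a SecLang "@ipMatch a,b,c/24" list: single addresses and
// CIDR ranges from the rule are compared against the client address.
func ipMatch(addr netip.Addr, list string) bool {
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if p, err := netip.ParsePrefix(item); err == nil {
			if p.Contains(addr) {
				return true
			}
			continue
		}
		if a, err := netip.ParseAddr(item); err == nil && a == addr {
			return true
		}
	}
	return false
}

// rawMatch is the failure mode from the report: REMOTE_ADDR is handed to the
// matcher unmodified, so "127.0.0.1:48926" never equals "127.0.0.1".
func rawMatch(remoteAddr, list string) bool {
	addr, err := netip.ParseAddr(remoteAddr)
	if err != nil {
		return false
	}
	return ipMatch(addr, list)
}

// allowlisted is what rule 900101 needs: normalise first, then match;
// unparsable input never matches the allowlist.
func allowlisted(remoteAddr, list string) bool {
	addr, err := clientIP(remoteAddr)
	if err != nil {
		return false
	}
	return ipMatch(addr, list)
}

func main() {
	fmt.Println(rawMatch("127.0.0.1:48926", "127.0.0.1"), allowlisted("127.0.0.1:48926", "127.0.0.1")) // false true
}
```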