Version: Next

Installation

Installing the CRS

CRS rules are provided with two configurations in CrowdSec: blocking mode (rules are loaded in-band) and non-blocking mode (rules are loaded out-of-band).

Non-blocking mode

If you have never deployed the CRS on your website, we recommend deploying the rules first in non-blocking mode.

In this mode, requests are evaluated out of band, meaning they cannot be blocked, but events will still be generated.

To use the CRS in non-blocking mode, install the corresponding collection:

cscli collections install crowdsecurity/appsec-crs

The crowdsecurity/appsec-crs collection includes:

  • crowdsecurity/crs: AppSec config that loads CRS rules in out-of-band mode
  • crowdsecurity/crowdsec-appsec-outofband: Scenario that bans IPs after 5+ out-of-band rule violations

Then use it in your acquisition configuration, for example /etc/crowdsec/acquis.d/waf.yaml:

source: appsec
appsec-configs:
  - crowdsecurity/crs
labels:
  type: appsec

If an IP triggers too many different rules in a very short timespan, the IP will be blocked, regardless of whether the CRS rules are in blocking mode or not.

By default, non-blocking mode does not generate alerts. You can update the default configuration to generate an alert for every rule match.

To do so, create a file /etc/crowdsec/appsec-configs/crs-alerting.yaml with the following content:

name: custom/crs-alerting
on_match:
  - filter: IsOutBand == true
    apply:
      - SendAlert()
      - CancelEvent() # This one is optional: if set, no event will be generated, meaning CrowdSec will never take a decision based on the rules that were matched.

Then add it to your acquisition configuration:

source: appsec
appsec-configs:
  - crowdsecurity/crs
  - custom/crs-alerting
labels:
  type: appsec

Blocking mode

You can also configure the CRS in blocking mode. In this mode, any request that reaches the default CRS threshold for blocking will be dropped.

You need to install the corresponding collection:

cscli collections install crowdsecurity/appsec-crs-inband

Then load it in your configuration:

source: appsec
appsec-configs:
  - crowdsecurity/crs-inband
labels:
  type: appsec

In this mode, requests will be blocked, and alerts will be generated by default.
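
As an added example (not part of the CrowdSec documentation or tooling), the following shell function reads an acquisition file such as /etc/crowdsec/acquis.d/waf.yaml and reports which of the CRS configurations named on this page it loads, so a host's mode can be confirmed before moving from non-blocking to blocking. The function name crs_mode and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# crs_mode FILE: report which CRS AppSec configs an acquisition file loads.
# Prints one of: non-blocking | non-blocking+alerting | blocking | both | none
# (hypothetical helper; the labels are this example's own, not CrowdSec output)
crs_mode() {
    awk '
        # Skip comment-only and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # Enter the list when the appsec-configs key is seen.
        /^appsec-configs:[ \t]*$/ { in_list = 1; next }
        # List items may be indented or flush with the key.
        in_list && /^[ \t]*-[ \t]*/ {
            item = $0
            sub(/^[ \t]*-[ \t]*/, "", item)   # drop the list marker
            sub(/#.*/, "", item)              # drop a trailing comment
            sub(/[ \t]+$/, "", item)          # drop trailing whitespace
            if (item == "crowdsecurity/crs")        oob = 1
            if (item == "crowdsecurity/crs-inband") inband = 1
            if (item == "custom/crs-alerting")      alerting = 1
            next
        }
        # Any other key ends the list.
        { in_list = 0 }
        END {
            if (oob && inband) print "both"
            else if (inband)   print "blocking"
            else if (oob)      print (alerting ? "non-blocking+alerting" : "non-blocking")
            else               print "none"
        }
    ' "$1"
}

# Demo on a constructed sample (not a real host's configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
source: appsec
appsec-configs:
  - crowdsecurity/crs
  - custom/crs-alerting
labels:
  type: appsec
EOF
echo "constructed sample: $(crs_mode "$sample")"
rm -f "$sample"
```
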