Skip to main content
Version: Next

CRS Support

The CrowdSec WAF is compatible with the OWASP CRS project.

The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSec-compatible web application firewalls. CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with minimal false positives.

Key features of OWASP CRS:

  • Comprehensive Coverage: Protects against SQL injection, XSS, command injection, path traversal, and many other attack types
  • Generic Detection: Uses pattern-based rules that detect attack techniques rather than specific exploits
  • Mature Ruleset: Actively maintained by the OWASP community with regular updates
  • Configurable Sensitivity: Supports paranoia levels to balance security vs false positives
  • Wide Compatibility: Works with various WAF engines including CrowdSec's AppSec component

CRS vs Virtual Patching:

  • Virtual Patching: Targets specific known vulnerabilities (CVEs) with minimal false positives
  • CRS: Provides broad attack pattern detection with comprehensive coverage but may require tuning

In CrowdSec, CRS rules can be deployed in two modes:

  • Out-of-band: Analyzes traffic without blocking, triggers bans after multiple violations
  • In-band: Blocks malicious requests immediately at detection time

CRS compatibility is provided through Coraza.