False positive "unknown directive" and crash

[Simbiat]

What happened?

I am trying to use a customized setup of appsec CRS rules, specifically, trying to use latest version of CoreRuleSet (since the one bundles in Crowdsec is a year old now, if not more), but I fail. There are 2 issues, and this is ticket for one of them: "unknown directive" errors when using conf files from CoreRuleSet 4.9 and 4.10 (did not test earlier versions). To be more correct a few of the errors are from crs-setup file, but even if that one is disabled - it will be failing on REQUEST-901-INITIALIZATION.conf even. Here are logs (some errors are from another issue I will raise shortly):

time="2024-12-31T09:53:13Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T09:53:13Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T09:53:14Z" level=error msg="unknown directive \"\\\"id:900120,setvar:tx.early_blocking=1\\\"\"" band=outband line=39 runner_uuid=9114c61e-3773-4a5d-951a-223a187e80c7 type=appsec
time="2024-12-31T09:53:14Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T09:53:14Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T09:53:14Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.265839059.txt: please join it to your issue"
time="2024-12-31T09:53:14Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T09:55:40Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T09:55:40Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T09:55:40Z" level=error msg="unknown directive \"\\\"id:900200,setvar:'tx.allowed_methods=get\"" band=outband line=39 runner_uuid=759e01ca-fa96-44f5-b77e-9068849e259a type=appsec
time="2024-12-31T09:55:40Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T09:55:40Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T09:55:40Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.2062540922.txt: please join it to your issue"
time="2024-12-31T09:55:40Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T09:57:41Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T09:57:41Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T09:57:41Z" level=error msg="unknown directive \"\\\"id:900950,setvar:tx.crs_validate_utf8_encoding=1\\\"\"" band=outband line=39 runner_uuid=3bc415a2-9800-4cc5-b4fe-8d18dba2ee5b type=appsec
time="2024-12-31T09:57:41Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T09:57:41Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T09:57:41Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.2930224616.txt: please join it to your issue"
time="2024-12-31T09:57:41Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T09:58:40Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T09:58:40Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T09:58:41Z" level=error msg="unknown directive \"\\\"id:900500,setvar:tx.crs_skip_response_analysis=0\\\"\"" band=outband line=39 runner_uuid=0373805d-d779-463d-b459-3e52f02936aa type=appsec
time="2024-12-31T09:58:41Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T09:58:41Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T09:58:41Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.2648244310.txt: please join it to your issue"
time="2024-12-31T09:58:41Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T09:59:21Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T09:59:21Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T09:59:22Z" level=error msg="unknown directive \"\\\"id:900990,setvar:tx.crs_setup_version=4100\\\"\"" band=outband line=39 runner_uuid=9bef3e93-492a-4cb2-802e-4c3f36d5c54a type=appsec
time="2024-12-31T09:59:22Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T09:59:22Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T09:59:22Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.1928291702.txt: please join it to your issue"
time="2024-12-31T09:59:22Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T10:01:22Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T10:01:22Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T10:01:23Z" level=error msg="unknown directive \"\\\"id:901200,setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0',setvar:'tx.blocking_outbound_anomaly_score=0',setvar:'tx.detection_outbound_anomaly_score=0',setvar:'tx.outbound_anomaly_score_pl1=0',setvar:'tx.outbound_anomaly_score_pl2=0',setvar:'tx.outbound_anomaly_score_pl3=0',setvar:'tx.outbound_anomaly_score_pl4=0',setvar:'tx.anomaly_score=0'\\\"\"" band=outband line=132 runner_uuid=ecf26e01-2165-438c-8fc9-d2e3b3ed0082 type=appsec
time="2024-12-31T10:01:23Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T10:01:23Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T10:01:23Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.3531010672.txt: please join it to your issue"
time="2024-12-31T10:01:23Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T13:02:14Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T13:02:14Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T13:02:14Z" level=error msg="unknown directive \"\\\"id:901200,setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0',setvar:'tx.blocking_outbound_anomaly_score=0',setvar:'tx.detection_outbound_anomaly_score=0',setvar:'tx.outbound_anomaly_score_pl1=0',setvar:'tx.outbound_anomaly_score_pl2=0',setvar:'tx.outbound_anomaly_score_pl3=0',setvar:'tx.outbound_anomaly_score_pl4=0',setvar:'tx.anomaly_score=0'\\\"\"" band=outband line=132 runner_uuid=5d920e59-20a9-4935-8401-8e48aae55172 type=appsec
time="2024-12-31T13:02:14Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T13:02:14Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T13:02:14Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.1115858312.txt: please join it to your issue"
time="2024-12-31T13:02:14Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T13:12:50Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T13:12:50Z" level=warning msg="scenario list is empty, will not pull yet"
time="2024-12-31T13:12:51Z" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="2024-12-31T13:12:51Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-12-31T13:13:31Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T13:13:31Z" level=error msg="unknown directive \"\\\"id:901200,setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0',setvar:'tx.blocking_outbound_anomaly_score=0',setvar:'tx.detection_outbound_anomaly_score=0',setvar:'tx.outbound_anomaly_score_pl1=0',setvar:'tx.outbound_anomaly_score_pl2=0',setvar:'tx.outbound_anomaly_score_pl3=0',setvar:'tx.outbound_anomaly_score_pl4=0',setvar:'tx.anomaly_score=0'\\\"\"" band=outband line=133 runner_uuid=9d50db52-0513-4cea-9a47-78b92d77e1d7 type=appsec
time="2024-12-31T13:13:31Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T13:13:31Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T13:13:32Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.4237505156.txt: please join it to your issue"
time="2024-12-31T13:13:32Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T15:32:32Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T15:32:33Z" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="2024-12-31T15:32:33Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-12-31T15:34:11Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T15:34:12Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T15:34:12Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T15:34:12Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.2245931857.txt: please join it to your issue"
time="2024-12-31T15:34:12Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T15:35:44Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T15:35:45Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2024-12-31T15:35:45Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2024-12-31T15:35:45Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.1459077350.txt: please join it to your issue"
time="2024-12-31T15:35:45Z" level=fatal msg="crowdsec stopped"
time="2024-12-31T15:52:04Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2024-12-31T15:52:05Z" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="2024-12-31T15:52:05Z" level=warning msg="No matching files for pattern /var/log/syslog" type=file

Trace files trace.zip

Comparing 901200 directive as example (since it comes from a conf file which is not customized at all, and is technically included in CrowdSec's official collection, the only differences are version and addition of tag element, but tag is available in other configs bundled with CrowdSec, so not sure if that's really the root cause.

On the other hand I "split" the CrowdSec's version to multiline for the sake of comparison, so maybe it does not like mutlilines?

What did you expect to happen?

Conf files to be processed normally and CrowdSec to start-up

How can we reproduce it (as minimally and precisely as possible)?

My docker-compose
All CrowdSec relate files for the container

1. In config/crowdsec/yaml/appsec/simbiat-seclang.yaml file remove/comment the default CrowdSec config and uncomment the custom one
2. Create container from docker-compose.yml (technically can remove GEOIP dependency)
3. Attempt to start the container
4. It fails to start

Anything else we need to know?

No response

Crowdsec version

version: v1.6.4-523164f6
Codename: alphaga
BuildDate: 2024-11-26_13:12:44
GoVersion: 1.23.3
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.4-523164f6-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_wineventlog

OS version

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux 6d1dd364f5a5 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 GNU/Linux

Enabled collections and parsers

name,status,version,description,type
crowdsecurity/appsec-logs,enabled,0.5,Parse Appsec events,parsers
crowdsecurity/caddy-logs,enabled,0.8,Parse caddy logs,parsers
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/sshd-logs,enabled,2.8,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
openappsec/openappsec-logs,enabled,0.1,Parse openappsec logs,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/discord-crawler-whitelist,enabled,0.1,Discord PTR whitelist,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/appsec-vpatch,enabled,0.5,Identify attacks flagged by CrowdSec AppSec,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.4,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.7,Detect WordPress bruteforce on admin interface,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-cve-probing,enabled,0.2,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-dos-bypass-cache,enabled,0.5,Detect DoS tools bypassing cache every request,scenarios
crowdsecurity/http-dos-invalid-http-versions,enabled,0.7,Detect DoS tools using invalid HTTP versions,scenarios
crowdsecurity/http-dos-random-uri,enabled,0.4,Detect DoS tools using random uri,scenarios
crowdsecurity/http-dos-switching-ua,enabled,0.5,Detect DoS tools switching user-agent too fast,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.2,Detect WordPress scan: vuln hunting,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.3,Detect WordPress probing: authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.3,Detect WordPress probing: variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
openappsec/openappsec-bot-protection,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Bot Protection' events (when waf blocks malicious request),scenarios
openappsec/openappsec-cross-site-redirect,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Cross Site Redirect' events (when waf blocks malicious request),scenarios
openappsec/openappsec-csrf,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Cross Site Request Forgery' events (when waf blocks malicious request),scenarios
openappsec/openappsec-error-disclosure,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Error Disclosure' events (when waf blocks malicious request),scenarios
openappsec/openappsec-error-limit,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Error Limit' events (when waf blocks malicious request),scenarios
openappsec/openappsec-evasion-techniques,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Evasion Techniques' events (when waf blocks malicious request),scenarios
openappsec/openappsec-general,enabled,0.2,Detect openappsec 'prevent' securityActions on 'General' events (when waf blocks malicious request),scenarios
openappsec/openappsec-http-limit-violation,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Http limit violation' events (when waf blocks malicious request),scenarios
openappsec/openappsec-http-method-violation,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Illegal http method violation' events (when waf blocks malicious request),scenarios
openappsec/openappsec-ldap-injection,enabled,0.2,Detect openappsec 'prevent' securityActions on 'LDAP Injection' events (when waf blocks malicious request),scenarios
openappsec/openappsec-open-redirect,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Open Redirect' events (when waf blocks malicious request),scenarios
openappsec/openappsec-path-traversal,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Path Traversal' events (when waf blocks malicious request),scenarios
openappsec/openappsec-probing,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Vulnerability Scanning' events (when waf blocks malicious request),scenarios
openappsec/openappsec-rce,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Remote Code Execution' events (when waf blocks malicious request),scenarios
openappsec/openappsec-request-rate-limit,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Request Rate Limit' events (when waf blocks malicious request),scenarios
openappsec/openappsec-schema-validation,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Schema Validation' events (when waf blocks malicious request),scenarios
openappsec/openappsec-sql-injection,enabled,0.2,Detect openappsec 'prevent' securityActions on 'SQL Injection' events (when waf blocks malicious request),scenarios
openappsec/openappsec-url-instead-of-file,enabled,0.2,Detect openappsec 'prevent' securityActions on 'URL instead of file' events (when waf blocks malicious request),scenarios
openappsec/openappsec-xss,enabled,0.2,Detect openappsec 'prevent' securityActions on 'Cross Site Scripting' events (when waf blocks malicious request),scenarios
openappsec/openappsec-xxe,enabled,0.2,Detect openappsec 'prevent' securityActions on 'XML External Entity' events (when waf blocks malicious request),scenarios
crowdsecurity/appsec_base,enabled,0.7,,contexts
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/appsec-default,enabled,0.2,,appsec-configs
crowdsecurity/crs,enabled,0.2,,appsec-configs
crowdsecurity/generic-rules,enabled,0.3,,appsec-configs
crowdsecurity/virtual-patching,enabled,0.4,,appsec-configs
simbiat/simbiat-appsec,"enabled,local",,,appsec-configs
crowdsecurity/base-config,enabled,0.1,,appsec-rules
crowdsecurity/crs,enabled,0.4,,appsec-rules
crowdsecurity/generic-freemarker-ssti,enabled,0.3,Generic FreeMarker SSTI,appsec-rules
crowdsecurity/generic-wordpress-uploads-php,enabled,0.1,Detect php execution in wordpress uploads directory,appsec-rules
crowdsecurity/vpatch-connectwise-auth-bypass,enabled,0.3,Detect exploitation of auth bypass in ConnectWise ScreenConnect,appsec-rules
crowdsecurity/vpatch-CVE-2017-9841,enabled,0.3,PHPUnit RCE (CVE-2017-9841),appsec-rules
crowdsecurity/vpatch-CVE-2018-1000861,enabled,0.1,Jenkins - RCE (CVE-2018-1000861),appsec-rules
crowdsecurity/vpatch-CVE-2018-10562,enabled,0.2,Dasan GPON RCE (CVE-2018-10562),appsec-rules
crowdsecurity/vpatch-CVE-2018-13379,enabled,0.2,Fortinet FortiOS - Credentials Disclosure (CVE-2018-13379),appsec-rules
crowdsecurity/vpatch-CVE-2018-20062,enabled,0.1,ThinkPHP - RCE (CVE-2018-20062),appsec-rules
crowdsecurity/vpatch-CVE-2019-1003030,enabled,0.1,Jenkins - RCE (CVE-2019-1003030),appsec-rules
crowdsecurity/vpatch-CVE-2019-12989,enabled,0.3,Citrix SQLi (CVE-2019-12989),appsec-rules
crowdsecurity/vpatch-CVE-2019-18935,enabled,0.1,Telerik - RCE (CVE-2019-18935),appsec-rules
crowdsecurity/vpatch-CVE-2020-11738,enabled,0.6,Wordpress Snap Creek Duplicator - Path Traversal (CVE-2020-11738),appsec-rules
crowdsecurity/vpatch-CVE-2020-17496,enabled,0.1,vBulletin RCE (CVE-2020-17496),appsec-rules
crowdsecurity/vpatch-CVE-2020-5902,enabled,0.1,F5 BIG-IP TMUI - RCE (CVE-2020-5902),appsec-rules
crowdsecurity/vpatch-CVE-2021-22941,enabled,0.3,Citrix RCE (CVE-2021-22941),appsec-rules
crowdsecurity/vpatch-CVE-2021-26086,enabled,0.1,Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086),appsec-rules
crowdsecurity/vpatch-CVE-2021-3129,enabled,0.4,Laravel with Ignition Debug Mode RCE (CVE-2021-3129),appsec-rules
crowdsecurity/vpatch-CVE-2022-22954,enabled,0.2,VMWare Workspace ONE Access RCE (CVE-2022-22954),appsec-rules
crowdsecurity/vpatch-CVE-2022-22965,enabled,0.2,Spring4Shell - RCE (CVE-2022-22965),appsec-rules
crowdsecurity/vpatch-CVE-2022-26134,enabled,0.2,Confluence - RCE (CVE-2022-26134),appsec-rules
crowdsecurity/vpatch-CVE-2022-27926,enabled,0.4,Zimbra Collaboration XSS (CVE-2022-27926),appsec-rules
crowdsecurity/vpatch-CVE-2022-35914,enabled,0.5,GLPI RCE (CVE-2022-35914),appsec-rules
crowdsecurity/vpatch-CVE-2022-41082,enabled,0.1,Microsoft Exchange - RCE (CVE-2022-41082),appsec-rules
crowdsecurity/vpatch-CVE-2022-44877,enabled,0.2,CentOS Web Panel 7 RCE (CVE-2022-44877),appsec-rules
crowdsecurity/vpatch-CVE-2022-46169,enabled,0.5,Cacti RCE (CVE-2022-46169),appsec-rules
crowdsecurity/vpatch-CVE-2023-0600,enabled,0.1,WP Visitor Statistics - SQL Injection (CVE-2023-0600),appsec-rules
crowdsecurity/vpatch-CVE-2023-0900,enabled,0.1,AP Pricing Tables Lite - SQL Injection (CVE-2023-0900),appsec-rules
crowdsecurity/vpatch-CVE-2023-1389,enabled,0.1,TP-Link Archer AX21 - RCE (CVE-2023-1389),appsec-rules
crowdsecurity/vpatch-CVE-2023-2009,enabled,0.1,Pretty Url - XSS (CVE-2023-2009),appsec-rules
crowdsecurity/vpatch-CVE-2023-20198,enabled,0.6,CISCO IOS XE Account Creation (CVE-2023-20198),appsec-rules
crowdsecurity/vpatch-CVE-2023-22515,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-22515),appsec-rules
crowdsecurity/vpatch-CVE-2023-22527,enabled,0.2,RCE using SSTI in Confluence (CVE-2023-22527),appsec-rules
crowdsecurity/vpatch-CVE-2023-23488,enabled,0.2,Wordpress Paid Memberships Pro Blind SQLi (CVE-2023-23488),appsec-rules
crowdsecurity/vpatch-CVE-2023-23489,enabled,0.1,WordPress Easy Digital Downloads plugin SQL injection (CVE-2023-23489),appsec-rules
crowdsecurity/vpatch-CVE-2023-23752,enabled,0.1,Joomla! Webservice - Password Disclosure (CVE-2023-23752),appsec-rules
crowdsecurity/vpatch-CVE-2023-24489,enabled,0.2,Citrix ShareFile RCE (CVE-2023-24489),appsec-rules
crowdsecurity/vpatch-CVE-2023-28121,enabled,0.1,WooCommerce auth bypass (CVE-2023-28121),appsec-rules
crowdsecurity/vpatch-CVE-2023-33617,enabled,0.4,Atlassian Confluence Privesc (CVE-2023-33617),appsec-rules
crowdsecurity/vpatch-CVE-2023-34362,enabled,0.6,MOVEit Transfer RCE (CVE-2023-34362),appsec-rules
crowdsecurity/vpatch-CVE-2023-35078,enabled,0.1,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35078),appsec-rules
crowdsecurity/vpatch-CVE-2023-35082,enabled,0.2,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35082),appsec-rules
crowdsecurity/vpatch-CVE-2023-3519,enabled,0.3,Citrix RCE (CVE-2023-3519),appsec-rules
crowdsecurity/vpatch-CVE-2023-38205,enabled,0.3,Adobe ColdFusion Access Control Bypass (CVE-2023-38205),appsec-rules
crowdsecurity/vpatch-CVE-2023-40044,enabled,0.3,WS_FTP .NET deserialize RCE (CVE-2023-40044),appsec-rules
crowdsecurity/vpatch-CVE-2023-42793,enabled,0.3,JetBrains Teamcity Auth Bypass (CVE-2023-42793),appsec-rules
crowdsecurity/vpatch-CVE-2023-4634,enabled,0.2,Media Library Assistant - RCE 2023 4634,appsec-rules
crowdsecurity/vpatch-CVE-2023-46805,enabled,0.4,Ivanti Connect Auth Bypass (CVE-2023-46805),appsec-rules
crowdsecurity/vpatch-CVE-2023-47218,enabled,0.2,QNAP QTS - RCE (CVE-2023-47218),appsec-rules
crowdsecurity/vpatch-CVE-2023-49070,enabled,0.1,Apache OFBiz - RCE (CVE-2023-49070),appsec-rules
crowdsecurity/vpatch-CVE-2023-50164,enabled,0.6,Apache Struts2 Path Traversal (CVE-2023-50164),appsec-rules
crowdsecurity/vpatch-CVE-2023-6360,enabled,0.1,WordPress My Calendar - SQL Injection (CVE-2023-6360),appsec-rules
crowdsecurity/vpatch-CVE-2023-6553,enabled,0.1,Backup Migration plugin for WordPress RCE (CVE-2023-6553),appsec-rules
crowdsecurity/vpatch-CVE-2023-6567,enabled,0.1,LearnPress - SQL Injection (CVE-2023-6567),appsec-rules
crowdsecurity/vpatch-CVE-2023-6623,enabled,0.1,Wordpress Essential Blocks plugin LFI (CVE-2023-6623),appsec-rules
crowdsecurity/vpatch-CVE-2023-7028,enabled,0.2,Gitlab Password Reset Account Takeover (CVE-2023-7028),appsec-rules
crowdsecurity/vpatch-CVE-2024-0012,enabled,0.1,PanOS - Authentication Bypass (CVE-2024-0012),appsec-rules
crowdsecurity/vpatch-CVE-2024-1061,enabled,0.1,WordPress HTML5 Video Player - SQL Injection (CVE-2024-1061),appsec-rules
crowdsecurity/vpatch-CVE-2024-1071,enabled,0.2,WordPress Ultimate Member - SQL Injection (CVE-2024-1071),appsec-rules
crowdsecurity/vpatch-CVE-2024-1212,enabled,0.3,Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212),appsec-rules
crowdsecurity/vpatch-CVE-2024-22024,enabled,0.1,Ivanti Connect Secure - XXE (CVE-2024-22024),appsec-rules
crowdsecurity/vpatch-CVE-2024-23897,enabled,0.4,Jenkins CLI RCE (CVE-2024-23897),appsec-rules
crowdsecurity/vpatch-CVE-2024-27198,enabled,0.5,Teamcity - Authentication Bypass (CVE-2024-27198),appsec-rules
crowdsecurity/vpatch-CVE-2024-27348,enabled,0.1,Apache HugeGraph-Server - RCE (CVE-2024-27348),appsec-rules
crowdsecurity/vpatch-CVE-2024-27954,enabled,0.1,WP Automatic - Path Traversal (CVE-2024-27954),appsec-rules
crowdsecurity/vpatch-CVE-2024-27956,enabled,0.1,WordPress Automatic Plugin - SQLi (CVE-2024-27956),appsec-rules
crowdsecurity/vpatch-CVE-2024-28255,enabled,0.1,OpenMetadata - Authentication Bypass (CVE-2024-28255),appsec-rules
crowdsecurity/vpatch-CVE-2024-28987,enabled,0.1,SolarWinds WHD Hardcoded Credentials (CVE-2024-28987),appsec-rules
crowdsecurity/vpatch-CVE-2024-29824,enabled,0.1,Ivanti EPM - SQLi (CVE-2024-29824),appsec-rules
crowdsecurity/vpatch-CVE-2024-29849,enabled,0.5,Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849),appsec-rules
crowdsecurity/vpatch-CVE-2024-29973,enabled,0.1,Zyxel - RCE (CVE-2024-29973),appsec-rules
crowdsecurity/vpatch-CVE-2024-32113,enabled,0.1,Apache OFBiz - Path Traversal (CVE-2024-32113),appsec-rules
crowdsecurity/vpatch-CVE-2024-3272,enabled,0.1," D-Link NAS - RCE (CVE-2024-3272)",appsec-rules
crowdsecurity/vpatch-CVE-2024-3273,enabled,0.1,D-LINK NAS Command Injection (CVE-2024-3273),appsec-rules
crowdsecurity/vpatch-CVE-2024-34102,enabled,0.1,Adobe Commerce & Magento - XXE (CVE-2024-34102),appsec-rules
crowdsecurity/vpatch-CVE-2024-38856,enabled,0.1,Apache OFBiz Incorrect Authorization (CVE-2024-38856),appsec-rules
crowdsecurity/vpatch-CVE-2024-4577,enabled,0.1,PHP CGI Command Injection - CVE-2024-4577,appsec-rules
crowdsecurity/vpatch-CVE-2024-51567,enabled,0.1,CyberPanel RCE (CVE-2024-51567),appsec-rules
crowdsecurity/vpatch-CVE-2024-52301,enabled,0.1,Laravel - Parameter Injection (CVE-2024-52301),appsec-rules
crowdsecurity/vpatch-CVE-2024-7593,enabled,0.1,Ivanti vTM - Authentication Bypass (CVE-2024-7593),appsec-rules
crowdsecurity/vpatch-CVE-2024-8190,enabled,0.1,Ivanti Cloud Services Appliance - RCE (CVE-2024-8190),appsec-rules
crowdsecurity/vpatch-CVE-2024-9474,enabled,0.3,PanOS - Privilege Escalation (CVE-2024-9474),appsec-rules
crowdsecurity/vpatch-env-access,enabled,0.1,Detect access to .env files,appsec-rules
crowdsecurity/vpatch-git-config,enabled,0.2,Detect access to .git files,appsec-rules
crowdsecurity/vpatch-laravel-debug-mode,enabled,0.3,Detect bots exploiting laravel debug mode,appsec-rules
crowdsecurity/vpatch-symfony-profiler,enabled,0.1,Detect abuse of symfony profiler,appsec-rules
simbiat/simbiat-seclang,"enabled,local",,,appsec-rules
crowdsecurity/appsec-crs,enabled,0.4,Appsec: Modsecurity core rule set rules,collections
crowdsecurity/appsec-generic-rules,enabled,0.6,A collection of generic attack vectors for additional protection.,collections
crowdsecurity/appsec-virtual-patching,enabled,4.7,"a generic virtual patching collection, suitable for most web servers.",collections
crowdsecurity/appsec-wordpress,enabled,0.3,"A virtual patching collection, suitable for WordPress websites",collections
crowdsecurity/base-http-scenarios,enabled,1.0,http common : scanners detection,collections
crowdsecurity/caddy,enabled,0.1,caddy support : parser and generic http scenarios,collections
crowdsecurity/discord-crawler-whitelist,enabled,0.1,Whitelist Discord PTR domains,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/http-dos,enabled,0.2,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/sshd,enabled,0.5,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections
crowdsecurity/wordpress,enabled,0.5,wordpress: Bruteforce protection and config probing,collections
openappsec/openappsec,enabled,0.1,open-appsec support : open-appsec parser and scenarios,collections

Acquisition config

```console appsec_config: simbiat/simbiat-appsec labels: type: appsec listen_addr: 127.0.0.1:7422 source: appsecfilenames: - /usr/local/logs/access.log labels: type: caddyfilenames: - /usr/local/logs/mariadb.log labels: type: mariadbfilenames: - /var/log/auth.log - /var/log/syslog labels: type: syslog ```

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /usr/local/logs
   - Log level              : warning
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Listen Socket           : 
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
      - 172.21.0.0/16
      - 2001:db8:1::/64
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

Local API Decisions:
╭──────────────────────────────────────────────┬────────┬─────────┬───────╮
│ Reason                                       │ Origin │ Action  │ Count │
├──────────────────────────────────────────────┼────────┼─────────┼───────┤
│ crowdsec_cve_2024_4577                       │ lists  │ captcha │ 1804  │
│ crowdsecurity/vpatch-git-config              │ CAPI   │ ban     │ 41    │
│ crowdsecurity/CVE-2022-44877                 │ CAPI   │ ban     │ 1     │
│ crowdsecurity/CVE-2022-37042                 │ CAPI   │ ban     │ 2     │
│ firehol_cruzit_web_attacks                   │ lists  │ captcha │ 13252 │
│ crowdsecurity/CVE-2022-26134                 │ CAPI   │ ban     │ 12    │
│ crowdsecurity/ssh-bf                         │ CAPI   │ ban     │ 6932  │
│ crowdsecurity/vpatch-CVE-2023-1389           │ CAPI   │ ban     │ 2     │
│ crowdsecurity/http-wordpress-scan            │ CAPI   │ ban     │ 1780  │
│ crowdsecurity/CVE-2023-22515                 │ CAPI   │ ban     │ 25    │
│ crowdsecurity/http-open-proxy                │ CAPI   │ ban     │ 1743  │
│ crowdsecurity/vpatch-CVE-2023-50164          │ CAPI   │ ban     │ 2     │
│ crowdsecurity/CVE-2022-35914                 │ CAPI   │ ban     │ 2     │
│ crowdsecurity/vpatch-symfony-profiler        │ CAPI   │ ban     │ 12    │
│ crowdsecurity/http-cve-2021-41773            │ CAPI   │ ban     │ 429   │
│ crowdsecurity/fortinet-cve-2018-13379        │ CAPI   │ ban     │ 16    │
│ crowdsecurity/http-generic-bf                │ CAPI   │ ban     │ 20    │
│ crowdsecurity/http-wordpress_user-enum       │ CAPI   │ ban     │ 852   │
│ crowdsecurity/jira_cve-2021-26086            │ CAPI   │ ban     │ 10    │
│ crowdsecurity/CVE-2023-49103                 │ CAPI   │ ban     │ 81    │
│ crowdsecurity/netgear_rce                    │ CAPI   │ ban     │ 151   │
│ crowdsecurity/ssh-slow-bf                    │ CAPI   │ ban     │ 8031  │
│ crowdsecurity/vpatch-CVE-2022-22965          │ CAPI   │ ban     │ 1     │
│ crowdsecurity/apache_log4j2_cve-2021-44228   │ CAPI   │ ban     │ 17    │
│ crowdsecurity/http-cve-probing               │ CAPI   │ ban     │ 11    │
│ crowdsecurity/http-dos-invalid-http-versions │ CAPI   │ ban     │ 1542  │
│ crowdsecurity/thinkphp-cve-2018-20062        │ CAPI   │ ban     │ 124   │
│ crowdsecurity/vpatch-CVE-2021-3129           │ CAPI   │ ban     │ 1     │
│ crowdsecurity/CVE-2017-9841                  │ CAPI   │ ban     │ 661   │
│ ltsich/http-w00tw00t                         │ CAPI   │ ban     │ 3     │
│ crowdsecurity/ssh-cve-2024-6387              │ CAPI   │ ban     │ 41    │
│ crowdsecurity/http-path-traversal-probing    │ CAPI   │ ban     │ 188   │
│ crowdsecurity/vpatch-CVE-2023-23752          │ CAPI   │ ban     │ 1     │
│ crowdsecurity/generic-wordpress-uploads-php  │ CAPI   │ ban     │ 1     │
│ crowdsecurity/f5-big-ip-cve-2020-5902        │ CAPI   │ ban     │ 12    │
│ crowdsecurity/http-backdoors-attempts        │ CAPI   │ ban     │ 236   │
│ crowdsecurity/http-probing                   │ CAPI   │ ban     │ 6216  │
│ crowdsecurity/vpatch-CVE-2017-9841           │ CAPI   │ ban     │ 1     │
│ crowdsecurity/vpatch-CVE-2024-1061           │ CAPI   │ ban     │ 1     │
│ openappsec/openappsec-sql-injection          │ CAPI   │ ban     │ 32    │
│ crowdsecurity/CVE-2024-0012                  │ CAPI   │ ban     │ 2     │
│ crowdsecurity/http-bad-user-agent            │ CAPI   │ ban     │ 11718 │
│ crowdsecurity/http-crawl-non_statics         │ CAPI   │ ban     │ 872   │
│ crowdsecurity/http-sensitive-files           │ CAPI   │ ban     │ 300   │
│ crowdsecurity/vpatch-CVE-2024-4577           │ CAPI   │ ban     │ 1     │
│ crowdsecurity/http-admin-interface-probing   │ CAPI   │ ban     │ 242   │
│ crowdsecurity/vpatch-laravel-debug-mode      │ CAPI   │ ban     │ 29    │
│ crowdsecurity/http-bf-wordpress_bf           │ CAPI   │ ban     │ 989   │
│ crowdsecurity/http-cve-2021-42013            │ CAPI   │ ban     │ 3     │
│ crowdsecurity/vpatch-env-access              │ CAPI   │ ban     │ 340   │
│ crowdsecurity/appsec-vpatch                  │ CAPI   │ ban     │ 16    │
│ crowdsecurity/CVE-2023-22518                 │ CAPI   │ ban     │ 1     │
│ crowdsecurity/http-wordpress_wpconfig        │ CAPI   │ ban     │ 89    │
│ openappsec/openappsec-rce                    │ CAPI   │ ban     │ 18    │
│ firehol_cybercrime                           │ lists  │ captcha │ 554   │
│ crowdsecurity/CVE-2019-18935                 │ CAPI   │ ban     │ 10    │
╰──────────────────────────────────────────────┴────────┴─────────┴───────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│ Route              │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/heartbeat      │ GET    │ 2    │
│ /v1/usage-metrics  │ POST   │ 1    │
│ /v1/watchers/login │ POST   │ 17   │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Machine   │ Route         │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 2    │
╰───────────┴───────────────┴────────┴──────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response

[github-actions]

@Simbiat: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Hi we will triage your issue over the following week please note their is a current bug in latest crowdsec which does happen with custom seclang rules that are multi-line #3350 (comment)

Either revert back to 1.6.3 to see if the behaviour is linked to the same issue or format your rules not to be multi-lined

[Simbiat]

looks like different symptoms, but I will be able to test a bit tomorrow. I will try removing tag, using one-line and rolling back. Will share the results, when ready.

[Simbiat]

Strange, I tried with just

name: simbiat/simbiat-seclang
seclang_rules:
  - SecRuleEngine On
  - SecRequestBodyAccess On
seclang_files_rules:
  - /corerulset/rules/REQUEST-901-INITIALIZATION.conf

and somehow got a non-descriptive error instead of one complaining about 901200

time="2025-01-01T13:15:04Z" level=warning msg="Machine is not allowed to synchronize decisions, you can enable it with `cscli console enable console_management`"
time="2025-01-01T13:15:04Z" level=error msg="crowdsec - goroutine crowdsec/StartRunSvc crashed: runtime error: invalid memory address or nil pointer dereference"
time="2025-01-01T13:15:04Z" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/issues"
time="2025-01-01T13:15:04Z" level=error msg="stacktrace/report is written to /var/lib/crowdsec/data/trace/crowdsec-crash.1572098102.txt: please join it to your issue"
time="2025-01-01T13:15:04Z" level=fatal msg="crowdsec stopped"

So tried

name: simbiat/simbiat-seclang
seclang_files_rules:
  - 01-coraza-recommended.conf
  - 02-crs-setup.conf
  - 03-exclusions-before-crs.conf

Failed same as before with reference to 900120. There are no references to 901200 in anything else besides crs-setup.conf, so unless default is somewhere there -deduplication is unlikely to be the cause.

Replaced

SecAction \
    "id:900120,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.10.0',\
    setvar:tx.early_blocking=1"

with

SecAction "id:900120,phase:1,pass,t:none,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.10.0',setvar:tx.early_blocking=1"

So looked like multi-line was a problem. But I then reverted everything back to my full "expected" config with all the customization, and used 1.6.3 instead of 1.6.4 and... It worked completely fine. So yes it may, indeed, be related to #3350