CrowdSec Appsec doesn’t process JSON/XML for CRS in out-of-band mode

[ssany46]

What happened?

JSON is not processed for CRS out-of-band
A POST request with body {"id":"123","name":"test"} and Content-Type: application/json results in:

ARGS_NAMES: {"id":"123","name":"test"}   ← entire blob as one key
ARGS values: empty

What did you expect to happen?

The AppSec should parse the same POST request in the following way:

ARGS_NAMES: json.id
ARGS_NAMES: json.name
ARGS:json.id = 123
ARGS:json.name = test

How can we reproduce it (as minimally and precisely as possible)?

1. Set up CrowdSec AppSec with Coraza + CRS protecting any application with a JSON API
2. Enable Logging on Coraza level(set path SecAuditLog "/path/to/audit.log" and format - SecAuditLogFormat JSON) - https://coraza.io/docs/seclang/directives/#secauditlog
3. Send a POST or PUT request with Content-Type: application/json and a JSON body
4. Add a debug rule to inspect how the body is parsed:

SecRule ARGS_NAMES "@rx ." \
  "id:9998,phase:2,pass,log,msg:'ARGS_NAME: %{matched_var}'"

5. Observe that instead of individual field names, the entire JSON body appears as a single ARGS_NAMES value
6. Confirm that ARGS values are empty — JSON field values are never inspected

Anything else we need to know?

Here is more info - https://discourse.crowdsec.net/t/crowdsec-appsec-doesnt-process-json-xml/2787

Crowdsec version

Details

~> cscli version
version: v1.7.6-rpm-pragmatic-amd64-eacc8192
Codename: alphaga
BuildDate: 2026-01-23_11:10:50
GoVersion: 1.25.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.6-rpm-pragmatic-amd64-eacc8192-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog, db_mysql, db_postgres, db_sqlite

OS version

Details

~> cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="9.5"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.5"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:5:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.5
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.5

~> uname -a
Linux  5.15.0-304.171.4.3.el9uek.x86_64 #2 SMP Fri Jan 24 07:37:13 PST 2025 x86_64 x86_64 x86_64 GNU/Linux

Enabled collections and parsers

Details

~> cscli hub list -o raw
Loaded: 163 parsers, 11 postoverflows, 777 scenarios, 9 contexts, 6 appsec-configs, 197 appsec-rules, 161 collections
Unmanaged items: 5 local, 0 tainted
name,status,version,description,type
crowdsecurity/appsec-logs,enabled,0.5,Parse Appsec events,parsers
crowdsecurity/auditd-logs,enabled,0.9,Parse auditd logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,2.0,Parse nginx access and error logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/sshd-success-logs,enabled,0.1,Parse successful ssh logins,parsers
crowdsecurity/syslog-logs,enabled,1.0,,parsers
crowdsecurity/whitelists,"enabled,local",,,parsers
custom/youtrack-nginx-logs,"enabled,local",,,parsers
custom/youtrack-whitelist,"enabled,local",,,parsers
crowdsecurity/auditd-whitelisted-process,enabled,0.2,Whitelist some process that are false-positives prone,postoverflows
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.7,Detect cve-2021-44228 exploitation attempts,scenarios
crowdsecurity/appsec-generic-test,enabled,0.2,Crowdsec Generic Test Scenario for AppSec: generate an alert for appsec out of band rule for testing,scenarios
crowdsecurity/appsec-native,enabled,0.2,Identify attacks flagged by CrowdSec AppSec via native rules,scenarios
crowdsecurity/appsec-vpatch,enabled,0.6,Identify attacks flagged by CrowdSec AppSec,scenarios
crowdsecurity/auditd-base64-exec-behavior,enabled,0.5,Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python),scenarios
crowdsecurity/auditd-postexploit-exec-from-net,enabled,0.6,Detect post-exploitation behaviour : curl/wget and exec,scenarios
crowdsecurity/auditd-postexploit-pkill,enabled,0.5,Detect post-exploitation behaviour : pkill execve bursts,scenarios
crowdsecurity/auditd-postexploit-rm,enabled,0.6,Detect post-exploitation behaviour : rm execve bursts,scenarios
crowdsecurity/auditd-suid-crash,enabled,0.6,Detect root suid process crashing,scenarios
crowdsecurity/auditd-sus-exec,enabled,0.5,Detect post-exploitation behaviour : exec from suspicious locations,scenarios
crowdsecurity/crowdsec-appsec-outofband,enabled,0.7,IP has made more than 5 requests that triggered out-of-band appsec rules,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.4,Detect cve-2018-13379 exploitation attempts,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.4,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.4,Detect Atlassian Jira CVE-2021-26086 exploitation attempts,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.4,Detect cve-2019-11510 exploitation attempts,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/ssh-time-based-bf,enabled,0.2,Detect time-based ssh bruteforce attempts that evade rate limiting (with false positive reduction),scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.7,Detect ThinkPHP CVE-2018-20062 exploitation attempts,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.3,Detect VMSA-2021-0027 exploitation attempts,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/appsec_base,enabled,1.1,,contexts
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/appsec-default,enabled,0.4,,appsec-configs
crowdsecurity/crs,enabled,0.3,,appsec-configs
crowdsecurity/generic-rules,enabled,0.4,,appsec-configs
crowdsecurity/virtual-patching,enabled,0.4,,appsec-configs
custom/crs-setup-conf-override-outband,"enabled,local",,,appsec-configs
crowdsecurity/appsec-generic-test,enabled,0.3,AppSec Generic Test: trigger on GET /crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`,appsec-rules
crowdsecurity/base-config,enabled,0.1,,appsec-rules
crowdsecurity/crs,enabled,0.5,,appsec-rules
crowdsecurity/experimental-no-user-agent,enabled,0.2,Protect against no user agent,appsec-rules
crowdsecurity/generic-freemarker-ssti,enabled,0.4,Generic FreeMarker SSTI,appsec-rules
crowdsecurity/generic-wordpress-uploads-listing,enabled,0.4,Protect Wordpress uploads directory from listing files,appsec-rules
crowdsecurity/generic-wordpress-uploads-php,enabled,0.2,Detect php execution in wordpress uploads directory,appsec-rules
crowdsecurity/vpatch-connectwise-auth-bypass,enabled,0.4,Detect exploitation of auth bypass in ConnectWise ScreenConnect,appsec-rules
crowdsecurity/vpatch-CVE-2002-1131,enabled,0.1,"Detects XSS attempts in SquirrelMail 1.2.6/1.2.7 via unsanitized input in addressbook, options, search, and help modules.",appsec-rules
crowdsecurity/vpatch-CVE-2007-0885,enabled,0.1,Detects XSS vulnerability in Jira Rainbow.Zen via the id parameter in BrowseProject.jspa.,appsec-rules
crowdsecurity/vpatch-CVE-2014-5181,enabled,0.2,Detects path traversal in Last.fm Rotation plugin via snode parameter in lastfm-proxy.php,appsec-rules
crowdsecurity/vpatch-CVE-2017-9841,enabled,0.4,PHPUnit RCE (CVE-2017-9841),appsec-rules
crowdsecurity/vpatch-CVE-2018-1000861,enabled,0.1,Jenkins - RCE (CVE-2018-1000861),appsec-rules
crowdsecurity/vpatch-CVE-2018-10562,enabled,0.3,Dasan GPON RCE (CVE-2018-10562),appsec-rules
crowdsecurity/vpatch-CVE-2018-11511,enabled,0.2,Detects SQL injection attempts in ASUSTOR ADM via album_id parameter in /photo-gallery/api/album/tree_lists/.,appsec-rules
crowdsecurity/vpatch-CVE-2018-1207,enabled,0.1,Detects remote code injection in Dell iDRAC7/8 devices via LD_DEBUG CGI variable.,appsec-rules
crowdsecurity/vpatch-CVE-2018-13317,enabled,0.1,Detects unauthenticated access to TOTOLINK A3002RU password disclosure endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2018-13379,enabled,0.2,Fortinet FortiOS - Credentials Disclosure (CVE-2018-13379),appsec-rules
crowdsecurity/vpatch-CVE-2018-20062,enabled,0.1,ThinkPHP - RCE (CVE-2018-20062),appsec-rules
crowdsecurity/vpatch-CVE-2019-1003030,enabled,0.1,Jenkins - RCE (CVE-2019-1003030),appsec-rules
crowdsecurity/vpatch-CVE-2019-12989,enabled,0.4,Citrix SQLi (CVE-2019-12989),appsec-rules
crowdsecurity/vpatch-CVE-2019-18935,enabled,0.1,Telerik - RCE (CVE-2019-18935),appsec-rules
crowdsecurity/vpatch-CVE-2019-18952,enabled,0.1,Detects arbitrary file upload attempts to Xfilesharing up.cgi endpoint (CVE-2019-18952),appsec-rules
crowdsecurity/vpatch-CVE-2019-5418,enabled,0.2,Detects Rails file content disclosure via crafted Accept header (CVE-2019-5418),appsec-rules
crowdsecurity/vpatch-CVE-2019-7276,enabled,0.1,Detects unauthenticated remote code execution in Optergy Proton/Enterprise via backdoor console endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2019-9762,enabled,0.2,Detects SQL injection in PHPSHE 1.7 via the id parameter in pay.php,appsec-rules
crowdsecurity/vpatch-CVE-2020-10987,enabled,0.1,Detects command injection in Tenda AC15 AC1900 via deviceName parameter in setUsbUnload endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2020-11738,enabled,0.7,Wordpress Snap Creek Duplicator - Path Traversal (CVE-2020-11738),appsec-rules
crowdsecurity/vpatch-CVE-2020-13640,enabled,0.2,Detects SQL injection in wpDiscuz plugin via the order parameter in wpdLoadMoreComments action.,appsec-rules
crowdsecurity/vpatch-CVE-2020-17496,enabled,0.2,vBulletin RCE (CVE-2020-17496),appsec-rules
crowdsecurity/vpatch-CVE-2020-25078,enabled,0.1,Detects unauthorized access to D-Link camera administrator password disclosure endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2020-37123,enabled,0.1,Detects remote code execution via unsanitized ping parameter in Pinger 1.0,appsec-rules
crowdsecurity/vpatch-CVE-2020-5902,enabled,0.1,F5 BIG-IP TMUI - RCE (CVE-2020-5902),appsec-rules
crowdsecurity/vpatch-CVE-2020-8656,enabled,0.2,Detects SQL injection in EyesOfNetwork getApiKey endpoint via username parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2020-9054,enabled,0.1,Detects pre-authentication command injection in Zyxel NAS devices via weblogin.cgi,appsec-rules
crowdsecurity/vpatch-CVE-2021-22941,enabled,0.4,Citrix RCE (CVE-2021-22941),appsec-rules
crowdsecurity/vpatch-CVE-2021-25281,enabled,0.2,Detects SaltStack Salt API authentication bypass via wheel_async client in /run endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2021-26072,enabled,0.1,Detects SSRF in Atlassian Confluence via WidgetConnector plugin (CVE-2021-26072),appsec-rules
crowdsecurity/vpatch-CVE-2021-26086,enabled,0.2,Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086),appsec-rules
crowdsecurity/vpatch-CVE-2021-26294,enabled,0.2,Detects unauthorized access to AfterLogic Aurora/WebMail Pro WebDAV endpoint using default caldav_public_user credentials and path traversal.,appsec-rules
crowdsecurity/vpatch-CVE-2021-3129,enabled,0.5,Laravel with Ignition Debug Mode RCE (CVE-2021-3129),appsec-rules
crowdsecurity/vpatch-CVE-2021-32478,enabled,0.1,Detects reflected XSS and open redirect in Moodle LTI authorization endpoint via unsanitized redirect_uri parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2021-34427,enabled,0.1,Detects JSP injection leading to remote code execution in Eclipse BIRT Viewer via crafted query parameters.,appsec-rules
crowdsecurity/vpatch-CVE-2021-43798,enabled,0.5,Grafana - Arbitrary File Read (CVE-2021-43798),appsec-rules
crowdsecurity/vpatch-CVE-2021-44529,enabled,0.2,Detects code injection in Ivanti EPM CSA via cookie manipulation (CVE-2021-44529),appsec-rules
crowdsecurity/vpatch-CVE-2022-1388,enabled,0.1,Detects F5 BIG-IP iControl REST authentication bypass and RCE via crafted POST to /mgmt/tm/util/bash with X-F5-Auth-Token header.,appsec-rules
crowdsecurity/vpatch-CVE-2022-22954,enabled,0.3,VMWare Workspace ONE Access RCE (CVE-2022-22954),appsec-rules
crowdsecurity/vpatch-CVE-2022-22965,enabled,0.2,Spring4Shell - RCE (CVE-2022-22965),appsec-rules
crowdsecurity/vpatch-CVE-2022-24086,enabled,0.1,Detects RCE in Adobe Commerce (Magento) via crafted JSON in checkout process (CVE-2022-24086),appsec-rules
crowdsecurity/vpatch-CVE-2022-25322,enabled,0.2,Detects SQL injection attempts in ZEROF Web Server 2.0 via /HandleEvent endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2022-25488,enabled,0.5,Atom CMS - SQLi (CVE-2022-25488),appsec-rules
crowdsecurity/vpatch-CVE-2022-26134,enabled,0.2,Confluence - RCE (CVE-2022-26134),appsec-rules
crowdsecurity/vpatch-CVE-2022-27926,enabled,0.4,Zimbra Collaboration XSS (CVE-2022-27926),appsec-rules
crowdsecurity/vpatch-CVE-2022-31499,enabled,0.1,Detects remote command injection in Nortek Linear eMerge E3-Series via ReaderNo parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2022-3236,enabled,0.1,Detects code injection in Sophos Firewall User Portal and Webadmin via JSON parameter,appsec-rules
crowdsecurity/vpatch-CVE-2022-35914,enabled,0.6,GLPI RCE (CVE-2022-35914),appsec-rules
crowdsecurity/vpatch-CVE-2022-38627,enabled,0.2,Detects SQL injection vulnerability in Linear eMerge E3-Series via idt parameter,appsec-rules
crowdsecurity/vpatch-CVE-2022-41082,enabled,0.1,Microsoft Exchange - RCE (CVE-2022-41082),appsec-rules
crowdsecurity/vpatch-CVE-2022-44877,enabled,0.3,CentOS Web Panel 7 RCE (CVE-2022-44877),appsec-rules
crowdsecurity/vpatch-CVE-2022-46169,enabled,0.6,Cacti RCE (CVE-2022-46169),appsec-rules
crowdsecurity/vpatch-CVE-2023-0297,enabled,0.1,"Detects pre-auth remote code execution in PyLoad via code injection in the ""jk"" parameter of /flash/addcrypted2.",appsec-rules
crowdsecurity/vpatch-CVE-2023-1389,enabled,0.1,TP-Link Archer AX21 - RCE (CVE-2023-1389),appsec-rules
crowdsecurity/vpatch-CVE-2023-20198,enabled,0.7,CISCO IOS XE Account Creation (CVE-2023-20198),appsec-rules
crowdsecurity/vpatch-CVE-2023-22515,enabled,0.5,Atlassian Confluence Privesc (CVE-2023-22515),appsec-rules
crowdsecurity/vpatch-CVE-2023-22527,enabled,0.3,RCE using SSTI in Confluence (CVE-2023-22527),appsec-rules
crowdsecurity/vpatch-CVE-2023-23063,enabled,0.2,Detects local file disclosure in Cellinx NVT Web Server via GetFileContent.cgi PATH parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2023-23752,enabled,0.1,Joomla! Webservice - Password Disclosure (CVE-2023-23752),appsec-rules
crowdsecurity/vpatch-CVE-2023-24489,enabled,0.3,Citrix ShareFile RCE (CVE-2023-24489),appsec-rules
crowdsecurity/vpatch-CVE-2023-28121,enabled,0.2,WooCommerce auth bypass (CVE-2023-28121),appsec-rules
crowdsecurity/vpatch-CVE-2023-3169,enabled,0.1,Detects unauthenticated stored XSS in tagDiv Composer via compiled_css parameter in /wp-json/tdw/save_css,appsec-rules
crowdsecurity/vpatch-CVE-2023-33617,enabled,0.5,Atlassian Confluence Privesc (CVE-2023-33617),appsec-rules
crowdsecurity/vpatch-CVE-2023-34362,enabled,0.7,MOVEit Transfer RCE (CVE-2023-34362),appsec-rules
crowdsecurity/vpatch-CVE-2023-35078,enabled,0.2,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35078),appsec-rules
crowdsecurity/vpatch-CVE-2023-35082,enabled,0.3,MobileIron Core Remote Unauthenticated API Access (CVE-2023-35082),appsec-rules
crowdsecurity/vpatch-CVE-2023-3519,enabled,0.4,Citrix RCE (CVE-2023-3519),appsec-rules
crowdsecurity/vpatch-CVE-2023-38205,enabled,0.4,Adobe ColdFusion Access Control Bypass (CVE-2023-38205),appsec-rules
crowdsecurity/vpatch-CVE-2023-40044,enabled,0.4,WS_FTP .NET deserialize RCE (CVE-2023-40044),appsec-rules
crowdsecurity/vpatch-CVE-2023-42793,enabled,0.4,JetBrains Teamcity Auth Bypass (CVE-2023-42793),appsec-rules
crowdsecurity/vpatch-CVE-2023-46805,enabled,0.5,Ivanti Connect Auth Bypass (CVE-2023-46805),appsec-rules
crowdsecurity/vpatch-CVE-2023-47218,enabled,0.2,QNAP QTS - RCE (CVE-2023-47218),appsec-rules
crowdsecurity/vpatch-CVE-2023-49070,enabled,0.1,Apache OFBiz - RCE (CVE-2023-49070),appsec-rules
crowdsecurity/vpatch-CVE-2023-50164,enabled,0.7,Apache Struts2 Path Traversal (CVE-2023-50164),appsec-rules
crowdsecurity/vpatch-CVE-2023-6000,enabled,0.1,Detects unauthenticated stored XSS in WordPress Popup Builder plugin via sgpb-WillOpen parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2023-6553,enabled,0.2,Backup Migration plugin for WordPress RCE (CVE-2023-6553),appsec-rules
crowdsecurity/vpatch-CVE-2023-7028,enabled,0.3,Gitlab Password Reset Account Takeover (CVE-2023-7028),appsec-rules
crowdsecurity/vpatch-CVE-2024-0012,enabled,0.1,PanOS - Authentication Bypass (CVE-2024-0012),appsec-rules
crowdsecurity/vpatch-CVE-2024-0204,enabled,0.1,Detects authentication bypass in Fortra GoAnywhere MFT via path traversal to InitialAccountSetup.xhtml,appsec-rules
crowdsecurity/vpatch-CVE-2024-1212,enabled,0.4,Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212),appsec-rules
crowdsecurity/vpatch-CVE-2024-22024,enabled,0.1,Ivanti Connect Secure - XXE (CVE-2024-22024),appsec-rules
crowdsecurity/vpatch-CVE-2024-23897,enabled,0.5,Jenkins CLI RCE (CVE-2024-23897),appsec-rules
crowdsecurity/vpatch-CVE-2024-27198,enabled,0.5,Teamcity - Authentication Bypass (CVE-2024-27198),appsec-rules
crowdsecurity/vpatch-CVE-2024-27292,enabled,0.3,Local File Inclusion - Docassemble,appsec-rules
crowdsecurity/vpatch-CVE-2024-27348,enabled,0.1,Apache HugeGraph-Server - RCE (CVE-2024-27348),appsec-rules
crowdsecurity/vpatch-CVE-2024-27564,enabled,0.3,Detects SSRF attack via pictureproxy.php in ChatGPT application,appsec-rules
crowdsecurity/vpatch-CVE-2024-27954,enabled,0.1,WP Automatic - Path Traversal (CVE-2024-27954),appsec-rules
crowdsecurity/vpatch-CVE-2024-27956,enabled,0.2,WordPress Automatic Plugin - SQLi (CVE-2024-27956),appsec-rules
crowdsecurity/vpatch-CVE-2024-28255,enabled,0.1,OpenMetadata - Authentication Bypass (CVE-2024-28255),appsec-rules
crowdsecurity/vpatch-CVE-2024-2862,enabled,0.1,Detects unauthenticated password reset in LG LED Assistant via spoofed X-Forwarded-For header.,appsec-rules
crowdsecurity/vpatch-CVE-2024-28987,enabled,0.2,SolarWinds WHD Hardcoded Credentials (CVE-2024-28987),appsec-rules
crowdsecurity/vpatch-CVE-2024-29028,enabled,0.1,Detects SSRF vulnerability in Memos API /o/get/httpmeta endpoint via url parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2024-29824,enabled,0.2,Ivanti EPM - SQLi (CVE-2024-29824),appsec-rules
crowdsecurity/vpatch-CVE-2024-29849,enabled,0.5,Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849),appsec-rules
crowdsecurity/vpatch-CVE-2024-29973,enabled,0.1,Zyxel - RCE (CVE-2024-29973),appsec-rules
crowdsecurity/vpatch-CVE-2024-32113,enabled,0.1,Apache OFBiz - Path Traversal (CVE-2024-32113),appsec-rules
crowdsecurity/vpatch-CVE-2024-3272,enabled,0.2,D-Link NAS - RCE (CVE-2024-3272),appsec-rules
crowdsecurity/vpatch-CVE-2024-3273,enabled,0.2,D-LINK NAS Command Injection (CVE-2024-3273),appsec-rules
crowdsecurity/vpatch-CVE-2024-32870,enabled,0.1,Detects unauthorized access to iTop Hub Connector information disclosure endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2024-34102,enabled,0.1,Adobe Commerce & Magento - XXE (CVE-2024-34102),appsec-rules
crowdsecurity/vpatch-CVE-2024-38816,enabled,0.2,Spring - Path Traversal (CVE-2024-38816),appsec-rules
crowdsecurity/vpatch-CVE-2024-38856,enabled,0.2,Apache OFBiz Incorrect Authorization (CVE-2024-38856),appsec-rules
crowdsecurity/vpatch-CVE-2024-41713,enabled,0.2,Mitel MiCollab - Path Traversal (CVE-2024-41713),appsec-rules
crowdsecurity/vpatch-CVE-2024-4577,enabled,0.2,PHP CGI Command Injection - CVE-2024-4577,appsec-rules
crowdsecurity/vpatch-CVE-2024-46506,enabled,0.1,Detects unauthenticated command injection in NetAlertX via function=savesettings in util.php,appsec-rules
crowdsecurity/vpatch-CVE-2024-5057,enabled,0.2,Detects SQL injection vulnerability in WordPress Easy Digital Downloads <= 3.2.12 via the edd_download_search action.,appsec-rules
crowdsecurity/vpatch-CVE-2024-51378,enabled,0.1,Cyberpanel - RCE (CVE-2024-51378),appsec-rules
crowdsecurity/vpatch-CVE-2024-51482,enabled,0.2,Detects SQL injection attempts in ZoneMinder event.php via the tid parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2024-51567,enabled,0.2,CyberPanel RCE (CVE-2024-51567),appsec-rules
crowdsecurity/vpatch-CVE-2024-51977,enabled,0.1,Detects unauthenticated access to sensitive information disclosure endpoint /etc/mnt_info.csv on Brother MFC-L9570CDW devices.,appsec-rules
crowdsecurity/vpatch-CVE-2024-52301,enabled,0.1,Laravel - Parameter Injection (CVE-2024-52301),appsec-rules
crowdsecurity/vpatch-CVE-2024-57727,enabled,0.4,Detects unauthenticated path traversal attempts targeting SimpleHelp <= 5.5.7,appsec-rules
crowdsecurity/vpatch-CVE-2024-6205,enabled,0.2,PayPlus Payment Gateway WordPress plugin - SQL Injection (CVE-2024-6205),appsec-rules
crowdsecurity/vpatch-CVE-2024-6235,enabled,0.2,Detects unauthorized access to sensitive NetScaler Console configuration endpoint disclosing ADM_SESSIONID.,appsec-rules
crowdsecurity/vpatch-CVE-2024-7593,enabled,0.1,Ivanti vTM - Authentication Bypass (CVE-2024-7593),appsec-rules
crowdsecurity/vpatch-CVE-2024-8190,enabled,0.1,Ivanti Cloud Services Appliance - RCE (CVE-2024-8190),appsec-rules
crowdsecurity/vpatch-CVE-2024-8911,enabled,0.2,Detects SQL injection in LatePoint WordPress plugin via password_reset_token parameter in admin-ajax.php.,appsec-rules
crowdsecurity/vpatch-CVE-2024-8943,enabled,0.1,Detects authentication bypass in LatePoint WordPress plugin via crafted customer[id] parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2024-8963,enabled,0.2,Ivanti CSA - Path Traversal (CVE-2024-8963),appsec-rules
crowdsecurity/vpatch-CVE-2024-9465,enabled,0.2,Palo Alto Expedition - SQL Injection (CVE-2024-9465),appsec-rules
crowdsecurity/vpatch-CVE-2024-9474,enabled,0.4,PanOS - Privilege Escalation (CVE-2024-9474),appsec-rules
crowdsecurity/vpatch-CVE-2025-10353,enabled,0.1,Detects unrestricted file upload in Melis Platform CMS Slider module,appsec-rules
crowdsecurity/vpatch-CVE-2025-11700,enabled,0.1,Detects XML External Entities (XXE) injection in N-central via ServerMMS SOAP endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-13315,enabled,0.2,Detects unauthenticated access to Twonky Server log file exposure endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-24893,enabled,0.2,Detects arbitrary remote code execution vulnerability in XWiki via SolrSearch.,appsec-rules
crowdsecurity/vpatch-CVE-2025-25257,enabled,0.2,Fortinet FortiWeb Fabric Connector - Pre-Authenticated SQL Injection (CVE-2025-25257),appsec-rules
crowdsecurity/vpatch-CVE-2025-2611,enabled,0.2,Detects unauthenticated RCE via session cookie shell injection in ICTBroadcast,appsec-rules
crowdsecurity/vpatch-CVE-2025-27222,enabled,0.2,Detects path traversal in TRUfusion Enterprise via cobrandingImageName parameter in getCobrandingData endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-27223,enabled,0.1,Detects authentication bypass via hard-coded cryptographic key in TRUfusion Enterprise,appsec-rules
crowdsecurity/vpatch-CVE-2025-28367,enabled,0.2,Detects directory traversal in mojoPortal BetterImageGallery API Controller (CVE-2025-28367),appsec-rules
crowdsecurity/vpatch-CVE-2025-29306,enabled,0.1,Detects FoxCMS v1.2.5 RCE via malicious id parameter in /images/index.html,appsec-rules
crowdsecurity/vpatch-CVE-2025-29927,enabled,0.3,Next.js Middleware Bypass - (CVE-2025-29927),appsec-rules
crowdsecurity/vpatch-CVE-2025-31161,enabled,0.1,Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint access.,appsec-rules
crowdsecurity/vpatch-CVE-2025-31324,enabled,0.1,SAP NetWeaver - File Upload (CVE-2025-31324),appsec-rules
crowdsecurity/vpatch-CVE-2025-3248,enabled,0.1,Detects unauthenticated remote code execution in Langflow via /api/v1/validate/code endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-34291,enabled,0.1,Detects CORS misconfiguration in Langflow AI allowing any origin with credentials (CVE-2025-34291),appsec-rules
crowdsecurity/vpatch-CVE-2025-3605,enabled,0.1,Detects privilege escalation in WordPress Frontend Login and Registration Blocks plugin via unauthorized email update.,appsec-rules
crowdsecurity/vpatch-CVE-2025-36604,enabled,0.1,Detects OS command injection in Dell UnityVSA via crafted path in /misc/ endpoint (CVE-2025-36604),appsec-rules
crowdsecurity/vpatch-CVE-2025-37164,enabled,0.1,Detects remote code execution attempts in HPE OneView via executeCommand endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-4689,enabled,0.2,Detects WordPress Ads Pro Plugin unauthenticated SQLi + LFI chain via wp-ajax endpoint targeting a_id parameter (CVE-2025-4689),appsec-rules
crowdsecurity/vpatch-CVE-2025-47188,enabled,0.1,Detects OS command injection in Mitel 6000 series SIP Phones via ringtone upload functionality.,appsec-rules
crowdsecurity/vpatch-CVE-2025-47812,enabled,0.1,Detects Wing FTP Server <= 7.4.3 RCE via Lua code injection in username parameter during login.,appsec-rules
crowdsecurity/vpatch-CVE-2025-49113,enabled,0.2,Detects arbitrary remote code execution vulnerability via PHP Object Deserialization in Roundcube,appsec-rules
crowdsecurity/vpatch-CVE-2025-49132,enabled,0.1,Detects unauthenticated remote code execution in Pterodactyl Panel via path traversal in /locales/locale.json,appsec-rules
crowdsecurity/vpatch-CVE-2025-52488,enabled,0.2,Detects Unicode path normalization NTLM hash disclosure in DNN (DotNetNuke) via crafted file upload filename.,appsec-rules
crowdsecurity/vpatch-CVE-2025-52970,enabled,0.1,Detects authentication bypass to admin privilege in Fortinet FortiWeb via crafted Authorization header.,appsec-rules
crowdsecurity/vpatch-CVE-2025-54249,enabled,0.1,Detects SSRF in Adobe Experience Manager via /services/accesstoken/verify endpoint with crafted auth_url parameter.,appsec-rules
crowdsecurity/vpatch-CVE-2025-55182,enabled,0.2,Detects React RCE via crafted form action parameters exploiting server action handlers,appsec-rules
crowdsecurity/vpatch-CVE-2025-55748,enabled,0.1,Detects path traversal in XWiki Platform via resource parameter in ssx and jsx endpoints.,appsec-rules
crowdsecurity/vpatch-CVE-2025-55749,enabled,0.1,Detects unauthorized access to sensitive files in XWiki webapp directory (CVE-2025-55749),appsec-rules
crowdsecurity/vpatch-CVE-2025-56520,enabled,0.1,Detects SSRF in Dify v1.6.0 via remote file fetch endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-57819,enabled,0.1,Detects unauthenticated SQL injection and RCE in FreePBX via vulnerable brand parameter in ajax.php endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2025-61678,enabled,0.1,Detects FreePBX arbitrary file upload RCE via fwbrand directory traversal in Custom Firmware Management endpoint (CVE-2025-61678),appsec-rules
crowdsecurity/vpatch-CVE-2025-61882,enabled,0.1,Detects Oracle E-Business Suite 12.2.3–12.2.14 LFI and SSRF/RCE via ieshostedsurvey.jsp and UiServlet endpoints.,appsec-rules
crowdsecurity/vpatch-CVE-2025-64446,enabled,0.1,Detects FortiWeb authentication bypass via path traversal and CGIINFO header with admin impersonation,appsec-rules
crowdsecurity/vpatch-CVE-2025-66039,enabled,0.2,"Detects FreePBX authentication bypass and SQL injection chain via admin config endpoint (CVE-2025-66039, CVE-2025-61675)",appsec-rules
crowdsecurity/vpatch-CVE-2025-8110,enabled,0.1,Detects symlink bypass vulnerability in Gogs PutContents API allowing file overwrite and potential RCE (CVE-2025-8110),appsec-rules
crowdsecurity/vpatch-CVE-2025-9316,enabled,0.1,Detects unauthenticated session ID generation in N-central via ServerUI SOAP endpoint.,appsec-rules
crowdsecurity/vpatch-CVE-2026-1207,enabled,0.2,Detects SQL injection via the band parameter in Django RasterField/PostGIS endpoint,appsec-rules
crowdsecurity/vpatch-CVE-2026-1281,enabled,0.1,Detects pre-auth RCE via Bash arithmetic expansion in Ivanti EPMM appstore endpoint,appsec-rules
crowdsecurity/vpatch-CVE-2026-20127,enabled,0.1,Detects path traversal file upload exploitation in Cisco Catalyst SD-WAN Manager (CVE-2026-20127),appsec-rules
crowdsecurity/vpatch-CVE-2026-20127-dca-disclosure,enabled,0.1,Detects unauthenticated access to the DCA credential file in Cisco Catalyst SD-WAN Manager (CVE-2026-20127),appsec-rules
crowdsecurity/vpatch-CVE-2026-23744,enabled,0.1,Detects RCE in MCPJam Inspector via crafted POST to /api/mcp/connect,appsec-rules
crowdsecurity/vpatch-env-access,enabled,0.3,Detect access to .env files,appsec-rules
crowdsecurity/vpatch-git-config,enabled,0.5,Detect access to .git files,appsec-rules
crowdsecurity/vpatch-laravel-debug-mode,enabled,0.4,Detect bots exploiting laravel debug mode,appsec-rules
crowdsecurity/vpatch-symfony-profiler,enabled,0.2,Detect abuse of symfony profiler,appsec-rules
crowdsecurity/vpatch-WT-2026-0001,enabled,0.2,Detects authentication bypass in SmarterTools SmarterMail via force-reset-password endpoint when IsSysAdmin is true,appsec-rules
custom/crs-setup-conf-override-outband,"enabled,local",,,appsec-rules
crowdsecurity/appsec-crs,enabled,0.8,WAF: Non-Blocking OWASP Core Rule Set,collections
crowdsecurity/appsec-generic-rules,enabled,1.1,A collection of generic attack vectors for additional protection.,collections
crowdsecurity/appsec-virtual-patching,enabled,13.9,"a generic virtual patching collection, suitable for most web servers.",collections
crowdsecurity/auditd,enabled,0.7,auditd support : parsers and scenarios,collections
crowdsecurity/base-http-scenarios,enabled,1.3,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,3.0,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.4,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.3,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.9,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.3,Good actors whitelists,collections

Acquisition config

Details

~> cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
cat: /etc/crowdsec/acquis.yaml: No such file or directory
appsec_configs:
  - crowdsecurity/appsec-default
  - custom/crs-setup-conf-override-outband
  - crowdsecurity/crs
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec

filenames:
  - /var/log/audit/*.log
labels:
  type: auditd
source: file

filenames:
  - /var/log/messages
labels:
  type: syslog
source: file

filenames:
  - /var/log/nginx/*.log
  - /data/nginx/logs/*.log
labels:
  type: nginx
source: file
filenames:
  - /var/log/secure
labels:
  type: syslog
source: file

Config show

Details

~> cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Notification Folder    : /etc/crowdsec/notifications
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://127.0.0.1:8080/
  - Login                   : XXXXXXXXX
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 168h0m0s
      - Flush size          : 5000

Prometheus metrics

Details

~> cscli metrics
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                                 │
├───────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                                    │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/data/nginx/logs/youtrack-access.log │ 22         │ 22           │ -              │ 6                      │ -                 │
│ file:/var/log/audit/audit.log             │ 41         │ 7            │ 34             │ -                      │ -                 │
│ file:/var/log/messages                    │ 110        │ -            │ 110            │ -                      │ -                 │
│ file:/var/log/nginx/access.log            │ 199        │ 199          │ -              │ -                      │ 199               │
╰───────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭───────────────────────────────────────────────────────────╮
│ Local API Alerts                                          │
├───────────────────────────────────────────────────┬───────┤
│ Reason                                            │ Count │
├───────────────────────────────────────────────────┼───────┤
│ anomaly score out-of-band:                        │ 8     │
│ anomaly score out-of-band: lfi: 5, anomaly: 5,    │ 9     │
│ anomaly score out-of-band: rce: 15, anomaly: 15,  │ 1     │
│ crowdsecurity/vpatch-env-access                   │ 7     │
╰───────────────────────────────────────────────────┴───────╯
╭───────────────────────────────────────╮
│ Appsec Metrics                        │
├─────────────────┬───────────┬─────────┤
│ Appsec Engine   │ Processed │ Blocked │
├─────────────────┼───────────┼─────────┤
│ 127.0.0.1:7422/ │ 221       │ -       │
╰─────────────────┴───────────┴─────────╯
╭────────────────────╮
│ Bouncer Metrics (c │
│ rowdsec-openresty- │
│ bouncer-1770738368 │
│ ) since 2026-03-13 │
│ 22:20:40 +0000 UTC │
├────────┬───────────┤
│ Origin │ processed │
│        │  request  │
├────────┼───────────┤
│  Total │    21.09k │
╰────────┴───────────╯
╭───────────────────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics (cs-firewall-bouncer-1688719410) since 2026-03-13 22:22:25 +0000  │
│ UTC                                                                               │
├────────────────────────────┬──────────────────┬─────────────────┬─────────────────┤
│ Origin                     │ active_decisions │     dropped     │    processed    │
│                            │        IPs       │ bytes │ packets │ bytes │ packets │
├────────────────────────────┼──────────────────┼───────┼─────────┼───────┼─────────┤
│ crowdsec (security engine) │                0 │     0 │       0 │     - │       - │
├────────────────────────────┼──────────────────┼───────┼─────────┼───────┼─────────┤
│                      Total │                0 │     0 │       0 │ 4.22G │  14.27M │
╰────────────────────────────┴──────────────────┴───────┴─────────┴───────┴─────────╯
╭──────────────────────────────────────╮
│ Local API Metrics                    │
├──────────────────────┬────────┬──────┤
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/allowlists       │ GET    │ 100  │
│ /v1/decisions        │ GET    │ 206  │
│ /v1/decisions/stream │ GET    │ 598  │
│ /v1/decisions/stream │ HEAD   │ 100  │
│ /v1/heartbeat        │ GET    │ 99   │
│ /v1/usage-metrics    │ POST   │ 17   │
│ /v1/watchers/login   │ POST   │ 2    │
╰──────────────────────┴────────┴──────╯
╭──────────────────────────────────────────────────────────────────────────────╮
│ Local API Bouncers Metrics                                                   │
├───────────────────────────────────────┬──────────────────────┬────────┬──────┤
│ Bouncer                               │ Route                │ Method │ Hits │
├───────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-openresty-bouncer-1770738368 │ /v1/decisions/stream │ HEAD   │ 100  │
│ crowdsec-openresty-bouncer-1770738368 │ /v1/decisions        │ GET    │ 206  │
│ cs-firewall-bouncer-1688719410        │ /v1/decisions/stream │ GET    │ 598  │
╰───────────────────────────────────────┴──────────────────────┴────────┴──────╯
╭───────────────────────────────────────────────────────────────────────────╮
│ Local API Bouncers Decisions                                              │
├───────────────────────────────────────┬───────────────┬───────────────────┤
│ Bouncer                               │ Empty answers │ Non-empty answers │
├───────────────────────────────────────┼───────────────┼───────────────────┤
│ crowdsec-openresty-bouncer-1770738368 │ 206           │ 0                 │
╰───────────────────────────────────────┴───────────────┴───────────────────╯
╭───────────────────────────────────────────────────────────────────────────────────╮
│ Local API Machines Metrics                                                        │
├──────────────────────────────────────────────────┬────────────────┬────────┬──────┤
│ Machine                                          │ Route          │ Method │ Hits │
├──────────────────────────────────────────────────┼────────────────┼────────┼──────┤
│ c24b74ee1ad64e81a2dbebe4a7b1e06484Qn8cHUS2T5awVK │ /v1/allowlists │ GET    │ 100  │
│ c24b74ee1ad64e81a2dbebe4a7b1e06484Qn8cHUS2T5awVK │ /v1/heartbeat  │ GET    │ 99   │
╰──────────────────────────────────────────────────┴────────────────┴────────┴──────╯
╭──────────────────────────────────────────────────────────────────╮
│ Parser Metrics                                                   │
├───────────────────────────────────────┬──────┬────────┬──────────┤
│ Parsers                               │ Hits │ Parsed │ Unparsed │
├───────────────────────────────────────┼──────┼────────┼──────────┤
│ child-child-crowdsecurity/auditd-logs │ 41   │ 7      │ 34       │
│ child-crowdsecurity/auditd-logs       │ 41   │ 7      │ 34       │
│ child-crowdsecurity/http-logs         │ 663  │ 464    │ 199      │
│ child-crowdsecurity/nginx-logs        │ 331  │ 199    │ 132      │
│ child-crowdsecurity/syslog-logs       │ 110  │ 110    │ -        │
│ child-custom/youtrack-nginx-logs    │ 22   │ 22     │ -        │
│ crowdsecurity/auditd-logs             │ 41   │ 7      │ 34       │
│ crowdsecurity/dateparse-enrich        │ 228  │ 228    │ -        │
│ crowdsecurity/geoip-enrich            │ 22   │ 22     │ -        │
│ crowdsecurity/http-logs               │ 221  │ 221    │ -        │
│ crowdsecurity/nginx-logs              │ 221  │ 199    │ 22       │
│ crowdsecurity/non-syslog              │ 262  │ 262    │ -        │
│ crowdsecurity/public-dns-allowlist    │ 228  │ 228    │ -        │
│ crowdsecurity/syslog-logs             │ 110  │ 110    │ -        │
│ crowdsecurity/whitelists              │ 228  │ 228    │ -        │
│ custom/youtrack-nginx-logs          │ 22   │ 22     │ -        │
│ custom/youtrack-whitelist           │ 228  │ 228    │ -        │
╰───────────────────────────────────────┴──────┴────────┴──────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics                                                                                   │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 2            │ 6      │ 2       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
╭────────────────────────────────────╮
│ Parser Stash Metrics               │
├─────────────────────┬──────┬───────┤
│ Name                │ Type │ Items │
├─────────────────────┼──────┼───────┤
│ auditd_pid_progname │ LRU  │ 0     │
╰─────────────────────┴──────┴───────╯
╭───────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                     │
├────────────────────────────────────┬─────────────────────────────┬──────┬─────────────┤
│ Whitelist                          │ Reason                      │ Hits │ Whitelisted │
├────────────────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/public-dns-allowlist │ public DNS server           │ 228  │ -           │
│ crowdsecurity/whitelists           │ private ipv4/ipv6 ip/ranges │ 228  │ 199         │
│ custom/youtrack-whitelist        │ url is in whitelist         │ 228  │ -           │
╰────────────────────────────────────┴─────────────────────────────┴──────┴─────────────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

Details

[github-actions]

@ssany46: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.