#Appsec hits don't result in a ban


low dawn
#

Hi, I have appsec set up, here is my config in acquis.d/appsec.yaml:

appsec_config: crowdsecurity/appsec-default
labels:
    type: appsec
listen_addr: 0.0.0.0:7422
source: appsec

And my bouncer is the traefik plugin middleware, sitting on top of geoblock middleware.
Yesterday I kept getting attacked by this IP for over an hour and a half with just a ton of requests, but none of them ever resulted in a ban.
Why did it happen and how do I set up a ban rule for appsec to avoid this?

tired inlet
#

Why did it happen and how do I set up a ban rule for appsec to avoid this?
So appsec intercepts the request, so it will trigger an alert, but it doesn't by default ban an IP address for triggering a single appsec rule. So there are 2 ways you can go about it: either update appsec-vpatch.yaml in scenarios to only have one capacity (so it will trigger a ban on a single appsec request), or remove the distinct constraint on the scenario, so if an IP triggers two rules, no matter if they are duplicates, it will also trigger a ban.

In my opinion the latter is better, as sometimes a single appsec hit should not be enough.

low dawn
#

If it can be done without tainting I would prefer that

wicked ravine
#

Not related, but my 2 cents: crowdsec should be below geoblock. Someone once told me.

tired inlet
#

So I asked the appsec master @crimson saffron, and he said it's best to create a local scenario which is a copy of ours: just change the name and alter it to the options I said.

wicked ravine
#

It has made a huge difference, helping crowdsec positively.

tired inlet
#

Yeah, always geoblock first; there's no point looking at the IP if it fails at the geoblock level.

wicked ravine
#

thanks to that someone

tired inlet
#

👀

wicked ravine
#

hehehe

low dawn
#

tired inlet: Of course it would, but it would also generate noise for you. So up to you which...

Sorry to bother again, but if I understand correctly, capacity is already set to 1?

appsec-vpatch.yaml
type: leaky
format: 3.0
name: crowdsecurity/appsec-vpatch
description: "Identify attacks flagged by CrowdSec AppSec"
## See appsec-native.yaml for reasons why we created a negative startsWith here: we want to ignore native_rules but catch any of our DSL rules.
filter: "evt.Meta.log_type == 'appsec-block' && evt.Meta.rule_name not startsWith 'native_rule'"
distinct: evt.Meta.rule_name
leakspeed: "60s"
capacity: 1
groupby: evt.Meta.source_ip
blackhole: 1m
labels:
  service: http
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  label: "Blocked by CrowdSec AppSec"
  behavior: "http:exploit"
  remediation: true

crimson saffron
#

1 capacity means at least 2 events (the 1st will fill the bucket, and the 2nd will make it overflow).
You want a trigger bucket if you want to generate an alert with just 1 event (it's a shorthand for a 0-capacity bucket).
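To make the bucket arithmetic in this answer concrete, here is a small Python model of the semantics the thread discusses: a leaky bucket with capacity, a distinct constraint on rule_name, a blackhole after overflow, and the trigger type as a 0-capacity shorthand. It is an added example, not CrowdSec's engine and not code from anyone in this thread; the leak model, the event timestamps and IPs are constructed, and the local scenario names (local/appsec-vpatch-trigger, local/appsec-vpatch-nodistinct) and rule names are hypothetical. It runs the posted crowdsecurity/appsec-vpatch settings, the "remove distinct" option and the "local copy with type: trigger" option against the same flood, so you can see why a single-rule flood from one IP never overflowed the original bucket.

```python
# Added example: a simplified model of the bucket semantics discussed in this
# thread (capacity, distinct, blackhole, leaky vs. trigger). It is not
# CrowdSec's engine; leak rate, IPs and timestamps are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Scenario:
    name: str
    type: str                  # "leaky" or "trigger"
    capacity: int = 0          # leaky only: overflow when count exceeds this
    leakspeed: float = 60.0    # seconds for one token to leak (simplified)
    distinct: bool = False     # count each rule_name only once per bucket
    blackhole: float = 0.0     # seconds to ignore the key after an overflow


@dataclass
class Bucket:
    tokens: float = 0.0
    last_ts: float = 0.0
    seen: Set[str] = field(default_factory=set)
    blackholed_until: float = 0.0


Event = Tuple[float, str, str]  # (timestamp, source_ip, rule_name)


class Engine:
    """One scenario, with one bucket per source_ip (the page's groupby)."""

    def __init__(self, scenario: Scenario) -> None:
        self.s = scenario
        self.buckets: Dict[str, Bucket] = {}
        self.alerts: List[dict] = []

    def feed(self, ts: float, source_ip: str, rule_name: str) -> bool:
        """Pour one appsec-block event; return True if the bucket overflowed."""
        # Mirror the page's filter: native_rule* events belong to appsec-native.
        if rule_name.startswith("native_rule"):
            return False
        b = self.buckets.setdefault(source_ip, Bucket(last_ts=ts))
        if ts < b.blackholed_until:
            return False                      # key is blackholed after an overflow
        if self.s.distinct and rule_name in b.seen:
            return False                      # distinct: same rule_name counts once
        b.seen.add(rule_name)
        if self.s.type == "trigger":
            overflow = True                   # trigger == 0 capacity: 1 event overflows
        else:
            elapsed = ts - b.last_ts          # leak tokens for the time that passed
            b.tokens = max(0.0, b.tokens - elapsed / self.s.leakspeed)
            b.last_ts = ts
            b.tokens += 1.0
            overflow = b.tokens > self.s.capacity
        if overflow:
            self.alerts.append({"scenario": self.s.name, "source_ip": source_ip, "ts": ts})
            # Reset the bucket and blackhole the key for the configured duration.
            self.buckets[source_ip] = Bucket(last_ts=ts, blackholed_until=ts + self.s.blackhole)
        return overflow


def count_alerts(scenario: Scenario, events: List[Event]) -> int:
    eng = Engine(scenario)
    for ts, ip, rule in events:
        eng.feed(ts, ip, rule)
    return len(eng.alerts)


# The scenario as posted in the thread: leaky, capacity 1, distinct on rule_name.
VPATCH = Scenario("crowdsecurity/appsec-vpatch", "leaky", capacity=1,
                  leakspeed=60.0, distinct=True, blackhole=60.0)
# Option 1 from the thread: the same bucket without the distinct constraint (hypothetical name).
NO_DISTINCT = Scenario("local/appsec-vpatch-nodistinct", "leaky", capacity=1,
                       leakspeed=60.0, distinct=False, blackhole=60.0)
# Option 2: a local copy with a different name and type trigger (hypothetical name).
LOCAL_TRIGGER = Scenario("local/appsec-vpatch-trigger", "trigger",
                         distinct=True, blackhole=60.0)

# Constructed events: one IP hitting the same DSL rule five times in ten seconds,
# and another IP hitting two different rules one second apart.
SAME_RULE_FLOOD: List[Event] = [(2.0 * i, "203.0.113.9", "crowdsecurity/example-rule")
                                for i in range(5)]
TWO_RULES: List[Event] = [(0.0, "203.0.113.10", "crowdsecurity/rule-a"),
                          (1.0, "203.0.113.10", "crowdsecurity/rule-b")]

if __name__ == "__main__":
    for sc in (VPATCH, NO_DISTINCT, LOCAL_TRIGGER):
        print(f"{sc.name}: same-rule flood -> {count_alerts(sc, SAME_RULE_FLOOD)} alert(s), "
              f"two rules -> {count_alerts(sc, TWO_RULES)} alert(s)")
```

Running it shows the original poster's situation: with the posted settings the same-rule flood yields 0 alerts (distinct collapses the five hits to one, and one event only fills a capacity-1 bucket), while dropping distinct overflows on the second hit and the trigger copy overflows on the first; in both cases the blackhole then silences that IP for the configured minute. The LOCAL_TRIGGER entry corresponds to the local copy the thread recommends: same filter and groupby, a different name key, and type: trigger in place of type: leaky with capacity: 1.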

low dawn
#

I see, I'll just change type: to trigger then for a local rule

#

thanks!

tired inlet
#

Just ensure you change the name key, @low dawn, as it will get confused and think you have tainted the original.

low dawn
#

yeah I remember

low dawn
#

just tested it from LTE, works! thanks everyone
