Posting multiple URLs in a forum triggers an anomaly | CrowdSec | Page 1

raw tapir Dec 1, 2025, 4:23 PM

#

Hello,

I'm not sure on how to tell crowdsec that something is normal behaviour. I have a forum on which I setup crowdsec to avoid crawlers & such, and now that I have it setup, when I try to post a topic / post, I'll get a 403 whenever I put multiple URLs in the post :

crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="WAF block: anomaly score block: rfi: 5, anomaly: 5,  from <myIP> (172.22.0.2)"
crowdsec-1  | time="2025-12-01T17:19:59+01:00" level=info msg="(localhost) alert : anomaly score block: rfi: 5, anomaly: 5,  by ip <myIP> (FR/12322)"

How can I tell crowdsec to not trigger a 403 in that scenario?

topaz perchBOT Dec 1, 2025, 4:23 PM

#

Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

raw tapir Dec 1, 2025, 6:00 PM

#

ok so I figured out that it was when posting content that the issue happened, so I'm going to put the solution there as a reminder.
Created a custom yml for rules with the following content :

name: custom/forum-write
default_remediation: ban
on_match:
  - filter: req.URL.Path startsWith "/create-content/text/"
    apply:
      - CancelEvent()
      - CancelAlert()
      - SetRemediation("allow")

Modified the appsec in acquis.d to add this :

appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/crs-inband
  - custom/forum-write

Added the yaml mounted through compose in /etc/crowdsec/appsec-configs/forum-write.yaml.

Reloaded everything, it now works

topaz perchBOT Dec 1, 2025, 6:00 PM

#

topaz perch

Resolving Posting multiple URLs in a forum triggers an anomaly

#Posting multiple URLs in a forum triggers an anomaly