    cscli collections install crowdsecurity/appsec-crs

This collection enables non-blocking OWASP CRS:
The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.
The OWASP CRS rules are loaded out-of-band. Requests matching CRS rules won't be blocked but will generate alerts.
The collection contains a scenario that will ban IPs that trigger more than 5 rules.
This collection intends to offer a balance between the risk of false positives and security: suspicious requests aren't blocked immediately, but repeat offenders will be banned.
Add the crowdsecurity/crs appsec-config to your WAF acquisition:

    appsec_configs:
      - ...
      - crowdsecurity/crs
    labels:
      type: appsec
    listen_addr: 127.0.0.1:7422
    source: appsec

You can restrict out-of-band alerts to OWASP CRS by adding the following appsec-config:

    on_match:
      - filter: IsOutBand == true and len(evt.Appsec.MatchedRules.ByID(980170)) == 0
        apply:
          - CancelAlert()