Communication between Crowdsec and a WAF


After putting Crowdsec, another step on securing my server is to have a Web Application Firewall to protect against malicious attempts. I was wondering, how to make Crowdsec and a WAF communicate?
For example, how can the WAF indicate to Crowdsec that an IP made a malicious attempt? In case of ban, what is the standard ban procedure and unban?

I have checked the API and I thought of route /decisions, but no POST, only GET and DELETE.
Then maybe Data Source? Though from what I understand, data sources are a thread possibly whereas the WAF would be much more certain.
Lastly, there is the command line which is not convenient for external services.

Any suggestion on how to implement this?

Hello !

A simple integration would be as we do for modsecurity : CrowdSec Hub having parser for the WAF’s logs and scenarios etc. You can then have quite fine control over how and when you would ban an IP.

If you’re sure that your WAF has no false positives, you could even make the WAF post decisions directly to crowdsec as if it was an agent : Swagger UI

Lastly (but this requires a bit more work), we were thinking of having crowdsec expose directly a http service as a data-source so that 3rd party software can post events in more loosely structured formats.

Please let us know :slight_smile:

Thanks for answer, took me time but here I am.

So it’s the /alert route to push decisions, I was expecting a POST to /decisions! Though, I don’t trust the WAF enough about false positives… Plus, half of the values, I have no idea what they mean, ironically most of them are required. I guess adding some descriptions to the property could help.

So I guess it’s the 3rd option then? Especially since from a WAF point of view some properties are not in their domains. For example leakspeed or capacity seems to be CrowdSec application rules that should not concern the 3rd party. Also in my case, it’s a stateless application so I don’t think it would know the events_count.