Communication between Crowdsec and a WAF


After putting Crowdsec, another step on securing my server is to have a Web Application Firewall to protect against malicious attempts. I was wondering, how to make Crowdsec and a WAF communicate?
For example, how can the WAF indicate to Crowdsec that an IP made a malicious attempt? In case of ban, what is the standard ban procedure and unban?

I have checked the API and I thought of route /decisions, but no POST, only GET and DELETE.
Then maybe Data Source? Though from what I understand, data sources are a thread possibly whereas the WAF would be much more certain.
Lastly, there is the command line which is not convenient for external services.

Any suggestion on how to implement this?

Hello !

A simple integration would be as we do for modsecurity : CrowdSec Hub having parser for the WAF’s logs and scenarios etc. You can then have quite fine control over how and when you would ban an IP.

If you’re sure that your WAF has no false positives, you could even make the WAF post decisions directly to crowdsec as if it was an agent : Swagger UI

Lastly (but this requires a bit more work), we were thinking of having crowdsec expose directly a http service as a data-source so that 3rd party software can post events in more loosely structured formats.

Please let us know :slight_smile: