I have been using the Crowdsec Agent and Bouncer for only 15 days on my reverse proxy (Ubuntu/Apache), and it works great so far.
But I notice that it misses some bad stuff from time to time, and I am wondering how I can report it. I don't see anything on app.crowdsec.net for doing this. It sounds obvious to me that we should be able to report it one way or another.
I am logging all the 404s on my domain along with GeoIP, and I parse the UA. I crafted a web page to see all the attempts, and it's really easy for me to track abnormal behaviour.
The question was not about a missing WP scenario but more about the possibility of manually reporting bad IPs for a specific malicious reason not yet taken into account by the scenarios.
So I assume it is not possible? Sounds a bit strange to me.
I took wp-login as an example. There are others missed by Crowdsec.
For instance, on 2023-03-08 18:10:10, IP 3.144.190.193 landed in my 404 logs because it tried to get mydomain/.git/config.
This is a crawler with obvious malicious intent.
This IP was reported 32 times. Confidence of Abuse is 100%.
And I can see in the reports that a dozen people reported it for the exact same reason (/.git/config) on the same date as me.
So my question is: why isn't there a feature in Crowdsec allowing users to report bad IPs for specific reasons?
That would improve the bad IP lists.
That would help improve the scenarios.
Looking for /.git/config or /wp-login.php attempts in the 404 logs isn't really difficult. You just have to know that this is a thing used by malicious crawlers, and it should therefore be added to the monitoring of a specific scenario.
And users' reports can help with this. That's how I see a crowd community effort. It shouldn't be delegated only to machines with predefined scenarios, or you will always miss what is not yet known until the maintainer of the scenario finally realizes by himself that it is missing something…
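As an added example (not code from this thread or from the Crowdsec project), here is the kind of 404-log check the post describes, run over constructed Apache combined-log lines that use documentation IP ranges rather than real traffic. The probe-path list, the reason labels and the function names are my own assumptions; they can be extended with whatever paths turn up in your own logs. Only responses with the configured status (404 by default) are counted, so a site that really serves /wp-login.php is not flagged for its own logins.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2023:18:10:10 +0100] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [08/Mar/2023:18:10:11 +0100] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.4 - - [08/Mar/2023:18:12:30 +0100] "POST /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.4 - - [08/Mar/2023:18:12:31 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.28"
192.0.2.9 - - [08/Mar/2023:18:15:00 +0100] "GET /about HTTP/1.1" 404 196 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Matches the Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical probe list: paths a normal visitor has no reason to request on a site
# that does not serve them. The labels are arbitrary reason tags for reporting.
PROBE_PATHS = {
    "/.git/config": "git-config-probe",
    "/.env": "dotenv-probe",
    "/wp-login.php": "wp-login-probe",
    "/xmlrpc.php": "wp-xmlrpc-probe",
}


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/.git/config?x=1" still matches the probe list.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_probes(log_text, statuses=(404,)):
    """Return {ip: [(timestamp, path, reason, user_agent), ...]} for requests
    whose path is in PROBE_PATHS and whose status is in `statuses`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        reason = PROBE_PATHS.get(rec["path"])
        if reason:
            hits[rec["ip"]].append((rec["ts"], rec["path"], reason, rec["ua"]))
    return dict(hits)


def reasons_by_ip(log_text):
    """Collapse the hits into {ip: sorted list of distinct reason tags}, the shape
    you would want when deciding what to report or ban an address for."""
    return {ip: sorted({h[2] for h in hits}) for ip, hits in find_probes(log_text).items()}


if __name__ == "__main__":
    for ip, reasons in reasons_by_ip(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Running the block prints one line per flagged address with its reason tags; 192.0.2.9 is not listed because a 404 on /about is just a broken link, not a probe, and the 200 on /index.html from 198.51.100.4 does not count either.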