How to report IPs and/or scenarios not detected by CrowdSec

Hi

I have been using the CrowdSec Agent and Bouncer for only 15 days on my reverse proxy (Ubuntu/Apache) and it works great so far.

But I notice that it is missing some bad stuff from time to time and I am wondering how I can report it. I don’t see anything on app.crowdsec.net for doing this. It sounds obvious to me that we should be able to report one way or another.

I am logging all the 404s on my domain along with GeoIP and I parse the UA. I crafted a webpage to see all the attempts and it’s really easy for me to track abnormal behavior.

That IP landed on my 404 script 30 minutes ago: 209.141.40.68 | Frantech Solutions | AbuseIPDB

And what it tried is exactly what was reported on abuseipdb 1 hour ago:

Web Attack GET ///wp-login.php

This IP is not known by CrowdSec and probably not the attack either since it was not detected and blocked.

So how do I report this properly?

Cheers

We have a collection for WordPress attacks, but this is under the presumption that you would only install it if you are running WordPress: Hub

However, the http-bf-wordpress_bf would need a tweak to also look for 404 response codes.

The question was not about a missing wp scenario but more about the possibility to manually report bad IPs, for a specific malicious reason not yet taken into account by the scenarios.

So I assume it is not possible? Sounds a bit strange to me.

I took the wp-login as an example. There are others missed by CrowdSec.

For instance, on 2023-03-08 18:10:10, IP 3.144.190.193 landed in my 404 logs because it tried to get mydomain/.git/config
This is obviously a crawler with malicious intent.

If I check https://www.abuseipdb.com/check/3.144.190.193:

This IP was reported 32 times. Confidence of Abuse is 100%

And I can see in the log reports that a dozen people reported it for the exact same reason (/.git/config) on the same date as me.

So my question is: why isn’t there a functionality in CrowdSec allowing users to report bad IPs for specific reasons?

  1. That would improve the bad IP lists.
  2. That would help to improve the scenarios.
     Looking for /.git/config or /wp-login.php attempts in the 404 logs isn’t really difficult. You just have to know that this is a thing used by malicious crawlers, and that it should therefore be added to the monitoring of a specific scenario.
     And users’ reports can help with this. That’s how I see a crowd community effort. It shouldn’t be delegated only to the machines with predefined scenarios, or you will always miss what is not known yet until the maintainer of the scenario finally realizes by himself that it’s missing something…
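As an added illustration of the 404-based detection the thread describes (not code from the thread, the Hub, or the CrowdSec project), here is a CrowdSec scenario that fires when a source requests a known probe path and gets a 404. The scenario name is hypothetical; the event fields assumed (`evt.Meta.log_type`, `evt.Meta.http_status`, `evt.Meta.http_path`, `evt.Meta.source_ip`) are the ones the Hub apache2/nginx parsers populate.

```yaml
# Added example scenario: alert on 404 responses for well-known probe paths.
# Name and label values are assumptions, not an existing Hub scenario.
type: trigger
name: example/http-404-probe-paths
description: "Detect crawlers probing for sensitive paths that do not exist (404)"
# endsWith rather than an exact match, so a request like "GET ///wp-login.php"
# (multiple leading slashes, as seen in the thread) still matches.
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status == '404' && (evt.Meta.http_path endsWith '/.git/config' || evt.Meta.http_path endsWith '/wp-login.php')"
groupby: evt.Meta.source_ip
# Do not re-alert on the same source for a minute after it triggers.
blackhole: 1m
labels:
  service: http
  type: scan
  remediation: true
```

Save it under /etc/crowdsec/scenarios/ and restart the agent; `cscli explain --file <access.log> --type apache2` shows whether a sample log line reaches this scenario. Because it is a trigger type, a single matching request is enough, which matches the thread's point that one /.git/config attempt is already a strong signal.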