Scenarios and changes?

alexkoon · August 10, 2025, 10:53am

I have finally got Crowdsec setup and parsing my traefik files hopefully migrating from fail2ban.
I checked the validity of some scenarios and one typical one I would have expected to fire off was word-press scans.

I can see these were not triggered (via cscli explain with verbose) - and checked the yaml definition. It looks like this scan expects the ‘wp-’ to be in the URL path and to end with ‘.php’. The malicious scans I see in my own logs are for wp- but end in XML.
Can I simply amend the yaml and simplify the requirement (dropping the suffix ‘.php’) or is there some other way to amend this scenario?

isdnfan · August 15, 2025, 7:30pm

you definitely create your own scenarios!
but before you dig into I would double check existing ones - by default scenarios don’t create a “decision” immediately (they need multiple hits) so you might need multiple tries to generate alert/decision.

Topic		Replies	Views
Why Crowdsec + Appsec in traefik not automate banned? crowdsec	1	159	January 2, 2025
Creating scenario for CVE-2023-22515 crowdsec	4	420	October 6, 2023
Crowdsec and Traefik crowdsec	7	5227	March 13, 2022
Scenarios vs bouncers? crowdsec	6	676	July 6, 2023
Using Wordfence IP blockings (Wordpress WAF) for Crowdsec decisions crowdsec	0	98	July 13, 2024

Scenarios and changes?

Related topics