Hi Team,
Just keen to know if this works well for Application Servers. I am talking about pure Application Servers.

Hello,

Yes, it should be able to handle this properly. Do you have a more specific idea in mind?

Yes, I do have an idea as well as a query … Normally, when we place any application under a WAF, we keep the application in Learning Mode so that the WAF gets its own time to learn the genuine URLs which are randomly created on its own … This basically trains the WAF to autolearn the good URLs and possibly prevents blocking of genuine URLs … How does this work in your case … Do we have some sort of Learning Mode in the application? If not, how is this handled in your WAF … I genuinely have not had a chance to check an Application Server using your software …

Thanks & Regards,
Neil

Hello Neil,

What kind of WAF are you using?

Regarding your question: Yes, CrowdSec supports learning mode (https://doc.crowdsec.net/guide/crowdsec/simulation/), so that you can put some scenarios in learning mode if needed. If your WAF logs have “something” telling when they’re in learning mode, I think it would be the most convenient. It would allow, for example, to have a scenario triggered only if the WAF is not in learning mode 🙂

Let me know,

Hi,
I have used both Imperva and Citrix … Practically, I have worked on Imperva a lot since this was the WAF which was installed in our Production environment … The above link which you have sent me will help me a lot in understanding more about the simulation mode … Can we have a situation wherein we install a Reverse Proxy and above that we configure your WAF software and define this box as a dedicated WAF box … Can we also configure this WAF as a failover device in case of emergency … This is basically the need of the day for most corporates … Please let me know …

Thanks & Regards,
Neil

Hi,

I’m not sure I follow you here. CrowdSec itself wouldn’t be considered a WAF: while it has the ability to detect patterns in the logs and thus detect some ongoing attacks, it couldn’t be considered as such, as it’s not intercepting traffic.

However, I guess you can indeed have a dedicated nginx+crowdsec box (for example) that might act as a way of detecting/blocking ongoing attacks?

Please explain a bit more what you want to achieve so I can let you know how it is possible 🙂