Skip to content

Improve appsec doc regarding multiple appsec_configs #707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 16, 2025
Merged

Improve appsec doc regarding multiple appsec_configs #707

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c874d99
up
buixor Jan 8, 2025
0652c4d
specific precedence
buixor Jan 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 46 additions & 2 deletions crowdsec-docs/docs/appsec/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,58 @@ sidebar_position: 6
Configuring the AppSec Component usually requires the use of multiple files:

- [AppSec rules](/appsec/rules_syntax.md) allow you to write a signature to detect and/or block malevolent requests. [You can find more information about the syntax here](/appsec/rules_syntax.md)
- [acquisition configuration](/log_processor/data_sources/appsec.md) indicates which port is the AppSec Component listening on, and which AppSec configuration it will use.
- [Acquisition configuration](/log_processor/data_sources/appsec.md) indicates which port is the AppSec Component listening on, and which AppSec configuration it will use.
- AppSec configuration tells which rules are loaded in in-band (blocking) and out-of-band (non-blocking)
phases. [it as well allows you to tweak the behavior of the component via the powerful expr bindings](/appsec/rules_syntax.md)

## Acquisition configuration

## Default configuration

The Acquisition configuration is usually present directly within `/etc/crowdsec/acquis.d/` or `/etc/crowdsec/acquis.yaml`:

> The default AppSec acquisition configuration
```yaml
appsec_config: crowdsecurity/appsec-default
labels:
type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
```

## Creating custom configuration


If you want to add some custom rules or hooks, it is suggested to add a custom `appsec_config`.
Modifying existing `appsec_config` will make it *tainted* and will interfere with future updates.

```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
appsec_configs:
- crowdsecurity/appsec-default
- custom/my_vpatch_rules
labels:
type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
```

:::info
When loading several app sec configs, _hooks_ and _appsec rules_ are appended, and for conflicting options (e.g., `default_remediation`), the last one takes precedence.
:::


```yaml title="/etc/crowdsec/appsec-configs/my_vpatch_rules.yaml"
name: custom/my_vpatch_rules
default_remediation: ban
inband_rules:
- custom/custom-vpatch-*
#on_match:
#...
```

## Appsec configuration

The AppSec configuration is referenced by the acquisition configuration (`appsec_config` or `appsec_config_path`):
The AppSec configuration is referenced by the acquisition configuration (`appsec_config`, `appsec_configs` or `appsec_config_path`):

> An example AppSec configuration
```yaml
Expand Down
Loading