CRS Support
The CrowdSec WAF is compatible with the OWASP CRS project.
The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity-compatible web application firewalls. CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with minimal false positives.
Key features of OWASP CRS:
- Comprehensive Coverage: Protects against SQL injection, XSS, command injection, path traversal, and many other attack types
- Generic Detection: Uses pattern-based rules that detect attack techniques rather than specific exploits
- Mature Ruleset: Actively maintained by the OWASP community with regular updates
- Configurable Sensitivity: Supports paranoia levels to balance security against false positives
- Wide Compatibility: Works with various WAF engines including CrowdSec's AppSec component
CRS vs Virtual Patching:
- Virtual Patching: Targets specific known vulnerabilities (CVEs) with minimal false positives
- CRS: Provides broad attack pattern detection with comprehensive coverage but may require tuning
In CrowdSec, CRS rules can be deployed in two modes:
- Out-of-band: Analyzes traffic without blocking and triggers bans after multiple violations
- In-band: Blocks malicious requests immediately at detection time
CRS compatibility is provided through Coraza.