Version: Next

Configuration Files

Foreword

Configuring the AppSec Component usually requires the use of multiple files:

Appsec configuration

The AppSec configuration is referenced by the acquisition configuration (appsec_config or appsec_config_path):

An example AppSec configuration

name: crowdsecurity/virtual-patching
default_remediation: ban
#log_level: debug
inband_rules:
  - crowdsecurity/base-config
  - crowdsecurity/vpatch-*
# inband_options:
#   disable_body_inspection: true

name

(required) The name of the AppSec configuration, used both for logging and to reference the configuration from the acquisition configuration.

outofband_rules

A supplementary list of rules can be loaded during the out-of-band phase. These out-of-band rules are non-blocking and are assessed only after the AppSec Component has responded to the remediation component. This approach is beneficial for rules that may be costly to execute, have a higher likelihood of generating false positives, or are applicable in specific scenarios.

inband_rules

An optional list of rules to be loaded in the in-band phase. In-band rules are blocking and are evaluated before the AppSec Component answers the remediation component. Useful for virtual patching and for rules with no or low false positives.

default_remediation

An optional remediation for inband rules. Defaults to block.

default_pass_action

An optional remediation for requests that didn't match any rules (or rules with a pass action). Defaults to nothing.

blocked_http_code

The HTTP code to return to the remediation component when a request should be blocked. Defaults to 403.

passed_http_code

The HTTP code to return to the remediation component when a request should not be blocked. Defaults to 200.

on_load

See the dedicated doc

pre_eval

See the dedicated doc

post_eval

See the dedicated doc

on_match

See the dedicated doc

inband_options and outofband_options

A subset of options that can be applied to the inband/outofband rules:

  • disable_body_inspection : boolean, disables HTTP body inspection when set to true
  • request_body_in_memory_limit : a number of bytes indicating the maximum body size to be loaded in memory
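
A configuration that uses both rule phases and the per-phase options described above, as an added example that is not taken from the CrowdSec documentation. The configuration name, the out-of-band rule name and the byte limits are constructed placeholders; the keys are the ones documented on this page.

```yaml
# Constructed example: "example/..." names and the byte limits are placeholders.
name: example/inband-and-outofband

# In-band phase: blocking rules, evaluated before the AppSec Component
# answers the remediation component. Keep this list to low-false-positive rules.
inband_rules:
  - crowdsecurity/base-config
  - crowdsecurity/vpatch-*
default_remediation: ban

# Out-of-band phase: non-blocking rules, evaluated after the answer has been
# sent. Costly or noisy rules belong here so they cannot delay or block traffic.
outofband_rules:
  - example/costly-detection-rules   # placeholder rule name

# Codes returned to the remediation component (the documented defaults,
# written out explicitly).
blocked_http_code: 403
passed_http_code: 200

inband_options:
  # Body inspection stays enabled for the blocking rules; only the amount of
  # body data held in memory is capped.
  disable_body_inspection: false
  request_body_in_memory_limit: 1048576    # constructed value: 1 MiB

outofband_options:
  disable_body_inspection: false
  request_body_in_memory_limit: 4194304    # constructed value: 4 MiB
```

Setting disable_body_inspection to true in a phase means rules in that phase no longer see request bodies, so payloads carried in POST data go unexamined there.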