Merge branch 'main' into notification-integration-doc

Author: ziracmo

crowdsec-docs/docs/appsec/quickstart/traefik.mdx

@@ -157,6 +157,7 @@ http:
     crowdsec:
       plugin:
         bouncer:
+          enabled: true
           crowdsecAppsecEnabled: true
           crowdsecAppsecHost: crowdsec:7422
           crowdsecAppsecFailureBlock: true
@@ -168,6 +169,7 @@ Instead if you define the configuration using labels on the containers you can a
 
 ```yaml
   labels:
+      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecEnabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=privateKey-foo"

crowdsec-docs/docusaurus.config.js

@@ -127,7 +127,7 @@ module.exports = {
                         {
                             type: "docsVersion",
                             to: "/docs/next/appsec/intro",
-                            label: "Application Security Component",
+                            label: "Web Application Firewall (AppSec)",
                         },
                         {
                             type: "doc",

crowdsec-docs/sidebarsUnversioned.js

@@ -37,6 +37,7 @@ module.exports = {
                 id: "cti_api/integration_intro",
             },
             items: [
+                "cti_api/integration_ipdex",
                 "cti_api/integration_chrome",
                 "cti_api/integration_gigasheet",
                 "cti_api/integration_intelowl",

crowdsec-docs/static/img/ipdex/ipdex_ip.png

@@ -181,6 +181,16 @@ The above will ensure you get values from LAPI to the script, however, you shoul
 
 ## Usage
 
+:::warning
+Remember to set execution permissions for your binary or script. If it's a script, include a shebang on the first line (e.g., `#!/bin/sh`).
+:::
+
+### Invoke mode
+
+:::warning
+While the default mode, it is not recommended to use it, as calling a binary for each decision can be very costly when a lot are present.
+:::
+
 The custom binary will be called with the following arguments :
 
 ```text
@@ -191,21 +201,48 @@ The custom binary will be called with the following arguments :
 - `value` : The value will be the decision scope value (eg `192.168.1.1` for IP)
 - `duration`: duration of the remediation in seconds
 - `reason` : reason of the decision
-- `json_object`: the serialized decision
-
-
-:::warning
-Remember to set execution permissions for your binary or script. If it's a script, include a shebang on the first line (e.g., `#!/bin/sh`).
-:::
+- `json_object`: the serialized decision (see the next section for more details)
 
-## Examples
+#### Examples
 
 ```text
 custom_binary.sh add 192.168.1.1/32 3600 "test blacklist" <json_object>
 custom_binary.sh del 192.168.1.1/32 3600 "test blacklist" <json_object>
 ```
 
 
+### Stdin mode
+
+In this mode, the custom binary will be executed when the bouncer starts and is expected to read data from stdin.
+
+If the binary exits for any reason, it will be reinvoked up to `max_retries` times. If the maximum number of retries is exhausted, the bouncer will quit.
+
+For each decision, the custom binary will be fed the serialized JSON object on stdin, one object per line.
+
+The JSON object is:
+```json
+{
+  "duration": "143h58m15s",
+  "origin": "CAPI",
+  "scenario": "ssh:bruteforce",
+  "scope": "Ip",
+  "type": "ban",
+  "value": "160.187.109.6",
+  "id": 83676344,
+  "action": "add"
+}
+```
+
+ - `duration`: duration of the decision, in the [go time.Duration format](https://pkg.go.dev/time#Duration). Can be negative for delete decisions.
+ - `origin`: origin the decision. Can be `crowdsec`, `cscli`, `cscli-import`, `CAPI`, `lists`.
+ - `scenario`: scenario that triggered the decision.
+ - `scope`: Scope of the decision. Most likely `Ip` or `Range` with the default config, but can be any value set in your scenarios.
+ - `type`: Type of the decision. Most likely `ban` or `captcha` with the default config, but can be any value set in your profiles.
+ - `value`: Target of the decision.
+ - `id`: id of the decision in the crowdsec database.
+ - `action`: Either `add` or `del`. 
+
+
 ## Configuration Reference
 
 ### `bin_path`
@@ -216,7 +253,9 @@ Absolute path to the binary that will be invoked
 ### `bin_args`
 > [ ]string
 
-Array of argument to give to the script that will be invoked
+Array of argument to give to the script that will be invoked.
+
+This option is only supported if `feed_via_stdin` is set to `true`.
 
 ### `feed_via_stdin`
 > boolean

crowdsec-docs/static/img/ipdex/ipdex_log_file.png

@@ -4,6 +4,11 @@ title: Decisions Management
 sidebar_position: 1
 ---
 
+:::info
+This feature needs the *console_management* feature activated on your Security Engine.  
+Activate it to make sure actions from the **decision management** are applied **immediately**.  
+Check the instructions to activate it [HERE](/u/console/decisions/decisions_intro).
+:::
 ## Console Management
 
 CrowdSec Local API is able to receive or delete local decisions from the Console.

crowdsec-docs/unversioned/bouncers/custom.mdx

@@ -48,6 +48,8 @@ On the next page you can create an API key by clicking the `+ New Key` button.
 
 ## Accessing the API
 
+### cURL
+
 You can test your newly created API key by running the following command in your terminal:
 
 :::info
@@ -216,6 +218,69 @@ And the default output looks something like this:
 
 </details>
 
+### ipdex
+
+You can interact with the CrowdSec CTI API with the [`ipdex`](https://github.com/crowdsecurity/ipdex) tool.
+
+First, initiliaze the tool with your API key:
+
+```console
+ipdex init
+```
+
+And then analyze an IP or a file of IPs:
+
+```console
+ipdex 193.105.134.155
+```
+
+<details>
+
+<summary>Command Output</summary>
+
+```console
+IP Information
+
+IP                       	193.105.134.155
+Reputation               	malicious
+Confidence               	high
+Country                  	SE 🇸🇪
+Autonomous System        	w1n ltd
+Reverse DNS              	N/A
+Range                    	193.105.134.0/24
+First Seen               	2023-06-23T01:15:00
+Last Seen                	2025-05-11T11:15:00
+Console URL              	https://app.crowdsec.net/cti/193.105.134.155
+Last Local Refresh       	2025-05-12 16:44:21
+
+Threat Information
+
+Behaviors
+                         	HTTP Scan
+                         	HTTP Bruteforce
+                         	SSH Bruteforce
+                         	... and 2 more
+
+
+Classifications
+                         	Spoofed User Agent
+                         	TOR exit node
+                         	VPN or Proxy
+                         	... and 1 more
+
+
+Blocklists
+                         	Extended AI-Detected VPN/Proxy
+                         	CrowdSec Intelligence Blocklist
+
+Target countries
+     🇺🇸 US             		29%
+     🇩🇪 DE             		15%
+     🇵🇱 PL             		12%
+                         	... and 2 more
+```
+</details>
+
 <AcademyPromo
   image="crowdsec_threat_intelligence.svg"
   description="Watch a short series of videos on how to get the most out of CrowdSec’s Cyber Threat Intelligence database"

crowdsec-docs/unversioned/console/decisions/decisions_management.md

@@ -0,0 +1,30 @@
+---
+id: integration_ipdex
+title: IPDEX
+sidebar_position: 1
+---
+
+`ipdex` is a simple CLI tool developed by CrowdSec to gather insight about a list of IPs or an IP using the CrowdSec CTI (Cyber Threat Intelligence) API.
+
+[Official IPDEX Repository](https://github.com/crowdsecurity/ipdex)
+
+## Installation
+
+You can check the [install guide on ipdex repository](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#1-install).
+
+
+## Usage
+
+You can check the [user guide on ipdex repository](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#user-guide).
+
+Here are some screenshot to demonstrate ipdex user experience.
+
+### Analyzing an IP address
+
+![IP Analyses](/img/ipdex/ipdex_ip.png)
+
+
+### Analyzing a log file
+
+
+![Log File Analyses](/img/ipdex/ipdex_log_file.png)

crowdsec-docs/unversioned/cti_api/getting_started.mdx

@@ -23,7 +23,19 @@ export const exclude = ["scanner:"]
 
 <GithubIconRender url={classificationsURL}></GithubIconRender>
 
-This classification page provides a taxonomy of IP addresses that exhibit potentially suspicious behaviors. These classifications are designed to help you identify and respond to various threat actors and malicious activities.
+Classification of Threat Intelligence follows the format `*category:name*`, where category is a broad type of classification encapsulating different elements.
+A summary of the main classification category is provided below, and you can use the search bar in the table to filter the classification you are looking for.
+
+## Summary
+
+* `hosts_malware:*`: IP identified as hosting live payloads associated with known malware families.
+* `botnet:*`: IP associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai).
+* `profile:*`: Describe the services publicly exposed by the machine (e.g. `profile:insecure_services`).
+* `ai-crawler:*`: AI company using to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic. They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
+* `ai-search:*`: AI search engine that is used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow. IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
+* `device:*`: The IP is associated with a device having known security weaknesses.
+* `proxy:*`: Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be).
+* `group:*`: Cohort of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time (experimental feature).
 
 <TableRender
     columns={columns}