Merge branch 'main' into native-haproxy-redirect-optimization

Author: LaurenceJJones

crowdsec-docs/docs/appsec/benchmark.md

@@ -15,6 +15,8 @@ sidebar_position: 80
 
 -->
 
+# Basic Benchmark
+
 The Application Security Component benchmarks have been run on a AWS EC2 Instance `t2.medium` (2vCPU/4GiB RAM).
 
 All the benchmarks have been run with only one `routine` configured for the Application Security Component.
@@ -63,3 +65,111 @@ On the system, we deployed:
 
 ![15 concurrent connections / 1000 requests](/img/appsec/bench/big_post_appsec_one_routine_15_1000.png)
 -->
+
+# Stress Test
+
+This test was run on a `c5a.4xlarge` EC2 instance (16CPU/32GiB RAM).
+
+Tested versions are:
+
+- Openresty `v1.27.1.2`
+- CrowdSec `v1.7.0`
+- cs-openresty-bouncer `v1.1.2`
+
+Openresty was configured to not log anything and forward requests to a Go backend that always return 200, in order to improve raw throughput and not be limited by disk access.
+
+Crowdsec WAF was configured with 16 routines to make use of as much CPU as possible.
+
+All tests were simulating 400 concurrent users, making requests as quickly as possible during 1 minute.
+
+Except for the baseline, all values in the tables are shown as a delta from the baseline performance.
+
+## Baseline
+
+This test was run without loading the Openresty bouncer to get a baseline throughput of the system.
+
+### GET Requests
+
+| Metric                | Value    |
+| --------------------- | -------- |
+| Average Response Time | 23.55ms  |
+| Minimum Response Time | 21.24ms  |
+| Median Response Time  | 23.18ms  |
+| Maximum Response Time | 255.16ms |
+| P90 Response Time     | 24.72ms  |
+
+### 10% POST Requests
+
+| Metric                | Value    |
+| --------------------- | -------- |
+| Average Response Time | 25.08ms  |
+| Minimum Response Time | 21.29ms  |
+| Median Response Time  | 23.95ms  |
+| Maximum Response Time | 331.08ms |
+| P90 Response Time     | 30.95ms  |
+
+## Virtual Patching Rules
+
+### GET Requests - 10% malicious - InBand
+
+| Metric                | Delta    |
+| --------------------- | -------- |
+| Average Response Time | +4.94ms  |
+| Minimum Response Time | +0.93ms  |
+| Median Response Time  | +3.48ms  |
+| Maximum Response Time | +6.83ms  |
+| P90 Response Time     | +10.13ms |
+
+### Realistic Traffic - 70% GET - 25% POST - 5% malicious - Inband
+
+| Metric                | Delta   |
+| --------------------- | ------- |
+| Average Response Time | +4.03ms |
+| Minimum Response Time | +0.71ms |
+| Median Response Time  | +2.36ms |
+| Maximum Response Time | +6.79ms |
+| P90 Response Time     | +8.07ms |
+
+## CRS
+
+### GET Requests - 10% malicious - InBand
+
+| Metric                | Delta    |
+| --------------------- | -------- |
+| Average Response Time | +32.85ms |
+| Minimum Response Time | +2.21ms  |
+| Median Response Time  | +27.47ms |
+| Maximum Response Time | -64.45ms |
+| P90 Response Time     | +58.19ms |
+
+### POST Requests - 10% malicious - InBand
+
+| Metric                | Delta     |
+| --------------------- | --------- |
+| Average Response Time | +58.49ms  |
+| Minimum Response Time | +3.18ms   |
+| Median Response Time  | +54.1ms   |
+| Maximum Response Time | -106.76ms |
+| P90 Response Time     | +83.01ms  |
+
+### Realistic Traffic - 70% GET - 25% POST - 5% malicious - Inband
+
+| Metric                | Delta    |
+| --------------------- | -------- |
+| Average Response Time | +32.54ms |
+| Minimum Response Time | +1.87ms  |
+| Median Response Time  | +28.36ms |
+| Maximum Response Time | -68.34ms |
+| P90 Response Time     | +53.83ms |
+
+## Virtual Patching Inband + CRS Out-of-band
+
+### Realistic Traffic - 70% GET - 25% POST - 5% malicious
+
+| Metric                | Delta     |
+| --------------------- | --------- |
+| Average Response Time | +30.5ms   |
+| Minimum Response Time | +1.56ms   |
+| Median Response Time  | +26.26ms  |
+| Maximum Response Time | -101.66ms |
+| P90 Response Time     | +51.18ms  |

crowdsec-docs/docs/appsec/create_rules.md

@@ -1,6 +1,6 @@
 ---
 id: create_rules
-title: Rules Creation & Testing
+title: Creation & Testing
 sidebar_position: 3
 ---
 

crowdsec-docs/docs/appsec/rules_deploy.md

@@ -0,0 +1,128 @@
+---
+id: rules_deploy
+title: Deployment
+sidebar_position: 81
+---
+
+# WAF Rules Deployment
+
+This walkthrough assumes you already wrote and validated a custom AppSec (WAF) rule. We will deploy a concrete example so you can mirror the exact commands on your host.
+
+## Example Rule We Will Deploy
+
+The example blocks any `GET` request whose `user_id` query argument contains non-numeric characters. While you iterate locally, keep it in a working directory as `./block-nonnumeric-user-id.yaml`:
+
+```yaml title="./block-nonnumeric-user-id.yaml"
+name: custom/block-nonnumeric-user-id
+description: Block GET requests with a non-numeric user_id parameter.
+rules:
+  - and:
+      - zones:
+          - METHOD
+        match:
+          type: equals
+          value: GET
+      - zones:
+          - ARGS
+        variables:
+          - user_id
+        match:
+          type: regex
+          value: "[^0-9]"
+labels:
+  type: exploit
+  service: http
+  confidence: 2
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "Non numeric user id"
+```
+
+Once the rule behaves as expected, the remaining steps package it for CrowdSec, wire it into the acquisition pipeline, and test it end to end.
+
+## Step 1 — Stage the Rule File
+
+CrowdSec loads AppSec rules from `/etc/crowdsec/appsec-rules/`. Copy your YAML rule into that directory (create a `custom/` subfolder to keep things tidy if you manage several rules):
+
+```bash
+sudo install -d -m 750 /etc/crowdsec/appsec-rules/custom
+sudo install -m 640 ./block-nonnumeric-user-id.yaml \
+  /etc/crowdsec/appsec-rules/custom/block-nonnumeric-user-id.yaml
+```
+
+Make sure the `name` inside the rule file matches the file name convention you plan to reference (in our example `custom/block-nonnumeric-user-id`).
+
+:::tip
+If you run CrowdSec in a container, copy the file into the volume that is mounted at `/etc/crowdsec/appsec-rules/` inside the container.
+:::
+
+## Step 2 — Create an AppSec Configuration
+
+An AppSec configuration lists which rules to load and how to handle matches. Create a new file under `/etc/crowdsec/appsec-configs/` that targets your custom rule:
+
+```yaml title="/etc/crowdsec/appsec-configs/custom-block-nonnumeric-user-id.yaml"
+name: custom/block-nonnumeric-user-id
+default_remediation: ban
+inband_rules:
+  - custom/block-nonnumeric-user-id
+# Add outofband_rules or hooks here if needed
+```
+
+Key points:
+- `name` is how you will reference this configuration from the acquisition file and in logs.
+- `inband_rules` (and/or `outofband_rules`) accept glob patterns, so you can load multiple rules with a single entry such as `custom/block-*`.
+- During the reload step CrowdSec validates the syntax; if anything is off, the reload fails and the service logs the parsing error.
+
+## Step 3 — Reference the Configuration in the Acquisition File
+
+The AppSec acquisition file (`/etc/crowdsec/acquis.d/appsec.yaml`) controls which configurations are active for the WAF component. Add your configuration to the `appsec_configs` list. Order matters: later entries override conflicting defaults such as `default_remediation`.
+
+```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
+appsec_configs:
+  - crowdsecurity/appsec-default
+  - custom/block-nonnumeric-user-id
+labels:
+  type: appsec
+listen_addr: 127.0.0.1:7422
+source: appsec
+```
+
+If you only want to run your custom configuration, remove other entries and keep the list with a single item.
+
+## Step 4 — Reload CrowdSec and Validate the Load
+
+Apply the changes by reloading the CrowdSec service:
+
+```bash
+sudo systemctl reload crowdsec
+```
+
+If your init system does not support reload, perform a restart instead. Then verify the rule and configuration are active:
+
+```bash
+sudo cscli appsec-rules list | grep block-nonnumeric-user-id
+sudo cscli appsec-configs list | grep block-nonnumeric-user-id
+```
+
+The rule should appear as `enabled`, and the configuration should show up in the list. CrowdSec logs confirm the configuration was loaded without errors.
+
+## Step 5 — Functional Test with `curl`
+
+Trigger the behaviour your rule is meant to catch to ensure it blocks as expected. For the example rule, send a request with a non-numeric `user_id` value:
+
+```bash
+curl -i 'http://127.0.0.1/profile?user_id=abc123'
+```
+
+A successful block returns an HTTP status such as `403 Forbidden`, and CrowdSec logs a matching alert:
+
+```bash
+sudo cscli alerts list -s custom/block-nonnumeric-user-id
+```
+
+If the request is not blocked, double-check that the rule `name` matches the pattern in your AppSec configuration, that the acquisition file lists your configuration, and that the CrowdSec service picked up the changes.
+
+## Next Steps
+
+- Add automated regression tests with `cscli hubtest` so future updates do not break the rule.
+- Version-control your custom rule and configuration files to keep track of changes.

crowdsec-docs/docs/appsec/rules_syntax.md

@@ -1,6 +1,6 @@
 ---
 id: rules_syntax
-title: Rules syntax
+title: Syntax
 sidebar_position: 8
 ---
 
@@ -135,6 +135,7 @@ Match provides the pattern to match the target against, including optional trans
   - `trim` : remove leading and trailing spaces
   - `normalizepath` : normalize the path (remove double slashes, etc)
   - `htmlEntitydecode` : decode HTML entities
+  - `count` : number of times the _target_ appear
 
 ```yaml
 # we want the query parameter foo to be equal to 'toto'