initial import

Author: buixor

README.md

@@ -1,2 +1,80 @@
-# crowdsec-local-mcp
-An MCP exposing prompts and tools to help users write WAF rules, scenarios etc.
+<p align="center">
+<img src="https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png" alt="CrowdSec" title="CrowdSec" width="400" height="260"/>
+</p>
+
+
+**Life is too short to write YAML, just ask nicely!**
+
+> A Model Context Protocol (MCP) server to generate, validate, and deploy CrowdSec WAF rules & Scenarios.
+
+
+## Features
+
+### WAF Rules Features
+
+- **WAF Rule Generation**: Generate CrowdSec WAF rules from user input or a CVE reference
+- **Validation**: Validate syntaxical correctness of WAF rules
+- **Linting**: Get warnings and hints to improve your WAF rules
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec + nginx + bouncer to exercise rules for false positives/negatives
+- **Nuclei Lookup**: Quickly jump to existing templates in the official `projectdiscovery/nuclei-templates` repository for a given CVE
+
+### Scenarios Features
+
+- **CrowdSec Scenarios Generation**: Generate CrowdSec scenarios
+- **Validation**: Validate syntaxical correctness of scenarios
+- **Linting**: Get warnings and hints to improve your scenarios
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec to test scenario behavior
+
+## Demo
+
+### WAF Rules Creation and testing
+
+ - [Rule creation from natural language with Claude Desktop](https://claude.ai/share/f0f246b2-6b20-4d70-a16c-c6b627ab2d80)
+ - [Rule creation from CVE reference](https://claude.ai/share/b6599407-82dd-443c-a12d-9a9825ed99df)
+
+### Scenario Creation and testing
+
+ - XX
+ - XX
+
+## Installation
+
+### Setup
+
+Install dependencies using `uv`:
+```bash
+uv sync
+```
+
+## Configuration for Claude Desktop
+
+### macOS/Linux
+
+1. Find your Claude Desktop config file:
+   - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+   - Linux: `~/.config/Claude/claude_desktop_config.json`
+
+2. Add the MCP server configuration:
+```json
+{
+  "mcpServers": {
+    "crowdsec-prompt-server": {
+      "command": "/path/to/crowdsec-mcp-rule-helper/.venv/bin/python",
+      "args": [
+        "/path/to/crowdsec-mcp-rule-helper/mcp-prompt.py"
+      ],
+      "cwd": "/path/to/crowdsec-mcp-rule-helper"
+    }
+  }
+}
+```
+
+**Important**: Replace `/path/to/crowdsec-mcp-rule-helper` with the actual absolute path to your cloned repository.
+
+## Pre Requisites
+
+ - Docker + Docker Compose
+
+ - Python

compose/waf-test/.gitignore

@@ -0,0 +1,3 @@
+# Generated at runtime by the MCP integration.
+rules/current-rule.yaml
+crowdsec/appsec-configs/mcp-appsec.yaml

compose/waf-test/crowdsec/acquis.d/appsec.yaml

@@ -0,0 +1,8 @@
+# Acquisition file registering the MCP-generated AppSec configuration.
+appsec_configs:
+ - mcp-appsec
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:7422
+source: appsec
+name: myAppSecComponent

compose/waf-test/crowdsec/appsec-configs/mcp-appsec.yaml.template

@@ -0,0 +1,8 @@
+name: mcp-appsec
+default_remediation: ban
+inband_rules:
+  # Keep the CrowdSec base config to ensure essential protections remain active.
+  - crowdsecurity/base-config
+  # The MCP tooling copies the user rule into the custom directory as current-rule.yaml
+  ## XXX FIXME : make this a variable :)
+  - __PLACEHOLDER_FOR_USER_RULE__

compose/waf-test/crowdsec/init-bouncer.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+API_KEY="mcp-nginx-bouncer-test-key"
+BOUNCER_NAME="mcp-nginx-bouncer"
+
+/bin/bash /docker_start.sh "$@" &
+PID=$!
+trap 'kill "$PID" 2>/dev/null || true' EXIT
+
+for _ in $(seq 1 90); do
+    if cscli lapi status >/dev/null 2>&1; then
+        break
+    fi
+    sleep 2;
+done
+
+if ! cscli lapi status >/dev/null 2>&1; then
+    echo "CrowdSec LAPI did not become ready in time" >&2
+    wait "$PID"
+    exit 1
+fi
+
+cscli bouncers delete "$BOUNCER_NAME" >/dev/null 2>&1 || true
+cscli bouncers add "$BOUNCER_NAME" -k "$API_KEY"
+
+trap - EXIT
+wait "$PID"
+exit $?

compose/waf-test/docker-compose.yml

@@ -0,0 +1,68 @@
+version: "3.9"
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    hostname: crowdsec
+    container_name: crowdsec-appsec
+    restart: "no"
+    entrypoint:
+      - /bin/bash
+      - /usr/local/bin/init-bouncer.sh
+    environment:
+      # Ensure the local API stays accessible for the nginx bouncer.
+      - DISABLE_LOCAL_API=0
+      - DISABLE_ONLINE_API=1
+      # Turn on AppSec mode inside the CrowdSec container.
+      - ENABLE_APPSEC=1
+    volumes:
+      # Persist CrowdSec data (buckets, alerts, etc.) between restarts.
+      - crowdsec-data:/var/lib/crowdsec/data
+      # Allow templated acquisition and AppSec config overrides without replacing the whole /etc/crowdsec tree.
+      - ./crowdsec/acquis.d/appsec.yaml:/etc/crowdsec/acquis.d/appsec-mcp.yaml:ro
+      - ./crowdsec/appsec-configs/mcp-appsec.yaml:/etc/crowdsec/appsec-configs/mcp-appsec.yaml:ro
+      - ./crowdsec/init-bouncer.sh:/usr/local/bin/init-bouncer.sh:ro
+      # The MCP tooling will drop the user-provided rule in this folder as current-rule.yaml
+      - ./rules:/etc/crowdsec/appsec-rules/custom
+    ports:
+      - "18080:8080" # LAPI (use non-default host port to avoid conflicts)
+      - "17422:7422" # AppSec Live mode (non-default host port)
+    networks:
+      - waf-net
+
+  nginx:
+    build:
+      context: ./nginx
+    container_name: nginx-appsec
+    restart: "no"
+    depends_on:
+      - crowdsec
+      - backend
+    ports:
+      - "8081:80"
+    command:
+      - openresty
+      - -g
+      - 'daemon off;'
+    volumes:
+      - ./nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro
+      # Site config enabling the CrowdSec module and proxying to the backend.
+      - ./nginx/site-enabled:/usr/local/openresty/nginx/conf/site-enabled:ro
+      # Override the bouncer configuration shipped in the image with the harness version.
+      - ./nginx/crowdsec/crowdsec-openresty-bouncer.conf:/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf:ro
+    networks:
+      - waf-net
+
+  backend:
+    image: nginxdemos/hello:latest
+    container_name: app-backend
+    restart: unless-stopped
+    networks:
+      - waf-net
+
+volumes:
+  crowdsec-data:
+
+networks:
+  waf-net:
+    driver: bridge

compose/waf-test/nginx/Dockerfile

@@ -0,0 +1,67 @@
+
+FROM ubuntu:24.04
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    make \
+    software-properties-common \
+    wget \
+    gnupg \
+    ca-certificates \
+    gettext \
+    curl
+
+RUN wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -
+RUN echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"| tee /etc/apt/sources.list.d/openresty.list
+RUN curl -s https://install.crowdsec.net |  bash
+
+RUN apt update
+
+RUN apt install -y openresty openresty-opm gettext-base
+
+RUN apt install -y crowdsec-openresty-bouncer
+
+
+
+EXPOSE 80
+
+
+# # Install the bouncer
+# COPY build.sh /build.sh
+# COPY start.sh /start.sh
+
+# RUN chmod +x /build.sh && /build.sh
+# RUN chmod +x /start.sh
+
+# # Set the script as the entrypoint
+# ENTRYPOINT ["/start.sh"]
+
+
+
+# FROM debian:bookworm
+
+# ENV DEBIAN_FRONTEND=noninteractive
+
+# # Install nginx with Lua module support and prerequisites for the CrowdSec nginx bouncer.
+# RUN set -eux; \
+#     apt-get update; \
+#     apt-get install -y --no-install-recommends \
+#         ca-certificates \
+#         curl \
+#         gnupg2 \
+#         iproute2 \
+#         libnginx-mod-http-lua \
+#         lsb-release \
+#         nginx \
+#         procps; \
+#     curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash; \
+#     apt-get install -y --no-install-recommends crowdsec-nginx-bouncer; \
+#     rm -rf /var/lib/apt/lists/*
+
+# # Prepare directories that will receive bind mounts at runtime.
+# RUN mkdir -p /etc/nginx/conf.d /etc/nginx/crowdsec
+
+# EXPOSE 80
+
+# CMD ["nginx", "-g", "daemon off;"]

compose/waf-test/nginx/crowdsec/crowdsec-openresty-bouncer.conf

@@ -0,0 +1,25 @@
+API_URL=http://crowdsec:8080
+API_KEY=mcp-nginx-bouncer-test-key
+BOUNCING_ON_TYPE=all
+FALLBACK_REMEDIATION=ban
+MODE=stream
+REQUEST_TIMEOUT=1000
+EXCLUDE_LOCATION=
+ENABLE_INTERNAL=false
+CACHE_EXPIRATION=1
+UPDATE_FREQUENCY=10
+BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html
+REDIRECT_LOCATION=
+RET_CODE=
+CAPTCHA_PROVIDER=
+SECRET_KEY=
+SITE_KEY=
+CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
+CAPTCHA_EXPIRATION=3600
+APPSEC_URL=http://crowdsec:7422
+APPSEC_FAILURE_ACTION=passthrough
+APPSEC_CONNECT_TIMEOUT=100
+APPSEC_SEND_TIMEOUT=100
+APPSEC_PROCESS_TIMEOUT=1000
+ALWAYS_SEND_TO_APPSEC=false
+SSL_VERIFY=true

compose/waf-test/nginx/nginx.conf

@@ -0,0 +1,25 @@
+
+worker_processes  auto;
+
+error_log  /dev/stderr info;
+pid        /tmp/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    resolver 127.0.0.11;
+
+    include       /usr/local/openresty/nginx/conf/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    access_log /dev/stdout;
+
+    include /usr/local/openresty/nginx/conf/conf.d/*.conf;
+    include /usr/local/openresty/nginx/conf/site-enabled/*.conf;
+}

compose/waf-test/nginx/site-enabled/default-site.conf

@@ -0,0 +1,15 @@
+# Auto-generated by MCP test harness. Route requests through AppSec and the CrowdSec bouncer.
+upstream backend_app {
+    server backend:80;
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    location / {
+        proxy_pass http://backend_app;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}