Contrib.social
Created on 14 May 2025, 2 days ago

Problem/Motivation

Drupal currently only reports a bad signal for a specific IP address together with the timestamp and the scenario, which is either drupal/core-ban, or drupal/auth-bruteforce, or drupal/4xx-scan. The latest SDK from CrowdSec also supports context to be sent together with the signal. That will help a lot to better justify the severity of the signal and if enough trusted signals are received, the Drupal-specific block list will then start protecting Drupal sites sooner again.

Some extra info from CrowdSec:

  • For a given signal you can add the $property["context"] when you use Watcher::buildSignal
  • context is an array of objects : "context":[{"key":"exampleKey1","value":"exampleValue1"}]
  • you can pass multiple similar keys, for example for a scan alert you can pass all the target_uri that were part of the detection of this alert if you have them: context":[{"key":"target_uri","value":"adminroot.php"},{"key":"target_uri","value":"user/edit.php"}]

Here are the context keys that would be very good to have in signals:

  • target_uri: the HTTP path of the requests that were part of the scan alert. Ideally all the ones involved in the alert
  • user_agent: User agent of the attacker
  • method: the HTTP verb used GET, POST...
  • status: the HTTP status returned or that would have been returned
  • target_user: in case of bruteforce, the user(s) on which the attempts were made by the attacker

Proposed resolution

TBD

Feature request
Status

Active

Version

1.2

Component

Code

Created by

🇩🇪Germany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024