CrowdSec

Discover and Stop Attacks in Real Time

CrowdSec is open-source, resource-efficient software that detects network sources behaving maliciously (based on your log files) and blocks them from accessing your systems at several levels (infrastructure, system, application).

One advantage of CrowdSec over comparable solutions is its crowd-sourced aspect: metadata about detected attacks (source IP, timestamp and triggered scenario) is sent to a central API and shared with all participating users.

Thanks to this, in addition to detecting and stopping attacks in real time based on your own log files, it also lets you proactively block network sources that other installations have already reported as malicious, before they reach your systems.

Cybersecurity as a service

We update and manage the solution at a fixed monthly price throughout the year.

Monthly Reports

We send detailed reports on a monthly basis.

GDPR

Compliant with the GDPR and Swedish law.

CROWDSEC OVERVIEW

  • It reads log files from the data sources you configure.
  • Each log line is parsed into a normalized event, which can optionally be enriched with extra context (for example GeoIP data).
  • The normalized events are matched against scenarios (attack patterns such as repeated failed logins from one IP within a time window) that you select or define.
  • When a scenario triggers, CrowdSec generates an alert and may issue one or more associated decisions:
    • The alert is primarily for traceability and remains in the database after the decision expires.
    • The decision is temporary (it has a duration) and states the action to take against the offending IP, IP range or user.
  • Both the alert and its decisions are sent to CrowdSec's local API and stored in its database.

CrowdSec itself only detects and records the decision; it does not block anything. A bouncer then queries the same local API for active decisions and applies the actual blocking (for example with firewall rules or in the web server).

CROWD SOURCING

When the local API receives an alert with an associated decision, the following metadata about it is shared with CrowdSec's central API:

  • The source IP address that triggered the alert
  • The scenario that was triggered
  • A timestamp of the attack

This is the only information sent to CrowdSec's central API. CrowdSec processes it to build the community blocklists that are distributed back to all users. Log contents and other information about your environment are neither sent nor stored.

BOUNCERS

Bouncers are standalone components that enforce decisions; they act on the decisions stored by the local API, not on alerts directly. A bouncer asks the local API whether an active decision exists for a given IP, IP range, user, etc., either per request or by periodically pulling the full list of decisions, and then applies the corresponding action (such as dropping the connection or returning an error page). Each bouncer authenticates to the local API with its own API key, which you register with `cscli bouncers add`; a bouncer without a valid key cannot read decisions and therefore blocks nothing.
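The following script is an added illustration of the three sections above (the overview pipeline, what is shared with the central API, and what a bouncer asks the local API). It is not CrowdSec's own code: the scenario name `ssh-bf`, the bucket parameters, the four-hour ban and the sshd log lines are all constructed for the example, and the `LocalAPI` class only stands in for the real local API and its database. It parses the log lines, runs a leaky-bucket scenario per source IP, stores the resulting alert and temporary decision, and lets a bouncer-style lookup check an IP against active decisions, including after the decision has expired while the alert remains.

```python
"""Toy model of the pipeline described above: parse -> leaky-bucket scenario ->
alert + temporary decision held by the local API -> bouncer lookup -> signal
for the central API. Added illustration, not CrowdSec's own code; scenario
name, bucket parameters and log lines are constructed."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sshd lines (not a real capture): 203.0.113.7 fails four times in
# 20 s; 198.51.100.20 logs in once and has one isolated failure later.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
2024-05-01T10:00:05 sshd[102]: Failed password for root from 203.0.113.7 port 50002 ssh2
2024-05-01T10:00:09 sshd[103]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
2024-05-01T10:00:12 sshd[104]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-05-01T10:00:18 sshd[105]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-05-01T10:30:00 sshd[106]: Failed password for root from 198.51.100.20 port 40001 ssh2
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .*? from (?P<ip>\S+) port")

@dataclass
class Event:            # parser output: a normalised log line
    ts: datetime
    source_ip: str
    raw: str

def parse(line: str) -> Optional[Event]:
    """Parser stage: keep failed logins, drop everything else."""
    m = LOG_RE.match(line)
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], line) if m else None

class LeakyBucket:
    """Per-source scenario state: +1 per event, drains 1 per leakspeed,
    triggers once the level exceeds capacity."""
    def __init__(self, capacity: int, leakspeed: timedelta):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last, self.events = 0.0, None, []

    def push(self, ev: Event) -> bool:
        if self.last is not None:
            drained = (ev.ts - self.last).total_seconds() / self.leakspeed.total_seconds()
            self.level = max(0.0, self.level - drained)
        self.last, self.level = ev.ts, self.level + 1
        self.events.append(ev)
        return self.level > self.capacity

@dataclass
class Alert:            # traceability record; never expires
    scenario: str
    source_ip: str
    created_at: datetime
    events: list        # the matched log lines stay on this machine

@dataclass
class Decision:         # temporary; this is what bouncers act on
    scope: str          # "Ip" or "Range"
    value: str          # "203.0.113.7" or "203.0.113.0/24"
    type: str           # e.g. "ban"
    until: datetime
    alert: Optional[Alert] = None   # None for a manually added decision

@dataclass
class LocalAPI:         # stand-in for the local API and its database
    alerts: list = field(default_factory=list)
    decisions: list = field(default_factory=list)

    def active_decisions(self, ip: str, now: datetime) -> list:
        """Unexpired decisions whose IP or range covers this address."""
        addr = ipaddress.ip_address(ip)
        return [d for d in self.decisions
                if d.until > now and addr in ipaddress.ip_network(d.value, strict=False)]

SCENARIO, CAPACITY, LEAKSPEED = "ssh-bf", 3, timedelta(seconds=60)   # constructed
BAN_DURATION = timedelta(hours=4)                                     # constructed

def run_pipeline(log_text: str, lapi: LocalAPI) -> LocalAPI:
    buckets: dict = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                     # not a failed login: parser drops it
        bucket = buckets.setdefault(ev.source_ip, LeakyBucket(CAPACITY, LEAKSPEED))
        if bucket.push(ev):              # scenario triggered
            alert = Alert(SCENARIO, ev.source_ip, ev.ts, list(bucket.events))
            lapi.alerts.append(alert)
            lapi.decisions.append(Decision("Ip", ev.source_ip, "ban", ev.ts + BAN_DURATION, alert))
            del buckets[ev.source_ip]    # an overflowed bucket is consumed
    return lapi

def signal_for(alert: Alert) -> dict:
    """The only fields that leave the machine for the central API."""
    return {"source_ip": alert.source_ip, "scenario": alert.scenario,
            "created_at": alert.created_at.isoformat()}

def bouncer_allows(lapi: LocalAPI, ip: str, now: datetime) -> bool:
    """Bouncer side: ask the local API for active decisions, deny if any exist."""
    return not lapi.active_decisions(ip, now)

if __name__ == "__main__":
    api = run_pipeline(SAMPLE_LOGS, LocalAPI())
    for a in api.alerts:
        print("alert:", a.scenario, a.source_ip, len(a.events), "events; shared:", signal_for(a))
    when = datetime.fromisoformat("2024-05-01T10:01:00")
    print("203.0.113.7 allowed at", when, "->", bouncer_allows(api, "203.0.113.7", when))
```

Running it shows one alert for 203.0.113.7 carrying four matched events, a ban decision that expires at 14:00:18, a bouncer verdict that flips from deny to allow once that time has passed while the alert itself stays in `api.alerts`, and a signal containing only the source IP, scenario name and timestamp. A manually added `Decision("Range", "203.0.113.0/24", ...)` is matched the same way, which is how a bouncer honours range bans and imported blocklists without any extra logic.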
