crowdsec-docs/unversioned/tracker_api/fingerprints_vs_cves.mdx
Lines changed: 9 additions & 9 deletions
@@ -52,7 +52,7 @@ Fingerprint rules fill a critical gap:
52
52
53
53
2.**Zero-day coverage**: When a new vulnerability is disclosed for a product, attackers who were already probing that product may exploit it immediately. If you're tracking the fingerprint rule, you already have visibility into who has been scanning your infrastructure.
54
54
55
-
3.**Multi-CVE protection**: A single product may have dozens of CVEs. Rather than subscribing to each one individually, a fingerprint rule covers reconnaissance activity that could lead to any of them.
55
+
3.**Multi-CVE protection**: A single product may have dozens of CVEs. [Vendor subscriptions](./api_lookups#subscribe-an-integration-to-a-vendor) automatically cover all CVEs and reconnaissance rules for a vendor's products. Fingerprint rules complement this by providing reconnaissance-specific visibility — detecting probing activity that precedes exploitation.
56
56
57
57
## Feature Comparison
58
58
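Review bot: the rewritten item 3 keeps the title "Multi-CVE protection" under "Fingerprint rules fill a critical gap", but its second sentence now credits vendor subscriptions with covering all CVEs, so the item no longer names a gap that fingerprint rules fill. Either retitle it for what its last sentence actually claims (visibility into probing that precedes exploitation), or keep the original point that one fingerprint rule covers reconnaissance that could lead to any of a product's CVEs and mention vendor subscriptions as an aside. The item also uses "reconnaissance rules" and "fingerprint rules" side by side without saying whether they are the same thing; use one term or state how they relate.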
@@ -70,13 +70,13 @@ Fingerprint rules fill a critical gap:
70
70
71
71
## Using Them Together
72
72
73
-
The most comprehensive monitoring strategy combines both:
73
+
The most comprehensive monitoring strategy combines vendor subscriptions with targeted CVE and reconnaissance rule tracking:
74
74
75
-
1.**Subscribe fingerprint rules**for all products in your technology stack (Exchange, WordPress, F5, etc.). This gives you broad reconnaissance visibility.
76
-
2.**Monitor specific CVEs** for unpatched vulnerabilities in your environment. This gives you targeted exploitation intelligence.
77
-
3.**Create firewall integrations**subscribed to both CVEs and fingerprint rules to build layered blocklists.
75
+
1.**Subscribe to your vendors**— this is the simplest starting point. A vendor subscription automatically covers all current and future CVEs and reconnaissance rules for that vendor's products. See [Vendor Subscriptions](./api_lookups#subscribe-an-integration-to-a-vendor).
76
+
2.**Add individual fingerprint rules** for products outside your subscribed vendors, or when you want reconnaissance-specific visibility.
77
+
3.**Monitor specific CVEs**for unpatched vulnerabilities to inform patching priorities and triage decisions.
78
78
79
-
For example, if you run WordPress:
80
-
- Subscribe to the **WordPress Probing**fingerprint rule to catch general reconnaissance
81
-
-Subscribe to specific CVEs like **CVE-2024-25600** (Bricks Builder RCE) if you run affected plugins
82
-
-Create a firewall integration subscribed to both, so your blocklist captures both scanners and active exploiters
79
+
For example, if you run WordPress and Microsoft infrastructure:
80
+
- Subscribe to the **WordPress**and **Microsoft** vendors to automatically cover all their CVEs and reconnaissance rules
81
+
-Add individual subscriptions for any other products you use that aren't covered by a vendor subscription (e.g., a niche plugin or appliance)
82
+
-Use the tracker's scores and phases to prioritize which patches to apply first
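Review bot: the new steps 1 to 3 and the WordPress/Microsoft example drop the removed step "Create firewall integrations subscribed to both CVEs and fingerprint rules to build layered blocklists" with no replacement, so the section no longer tells the reader how any of these subscriptions reaches a firewall. The link anchor `subscribe-an-integration-to-a-vendor` implies a vendor subscription is made on an integration; say so in step 1 or restore a step for creating the integration. Step 1 also states that the subscription covers "all current and future CVEs and reconnaissance rules", which means the scope of what is subscribed grows without operator action; a sentence on where to review what a vendor subscription currently includes would help. The last example bullet mentions "phases", which these lines do not introduce; link it to the page that defines them.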
crowdsec-docs/unversioned/tracker_api/overview.mdx
Lines changed: 3 additions & 0 deletions
@@ -13,6 +13,7 @@ Live Exploit Tracker answers the questions that matter during triage:
13
13
-**How worried should I be?** Is this mass scanning noise, or are attackers carefully selecting targets?
14
14
-**Is the threat growing or fading?** Should I patch now, or is this yesterday's news?
15
15
-**Who is attacking?** What do we know about the IPs involved — are they known botnets, legitimate scanners, or fresh infrastructure?
16
+
-**How do I protect my technology stack?** Subscribe to the vendors you rely on and automatically block attacker IPs targeting their products — current and future threats included.
16
17
17
18
The tracker draws on telemetry from the CrowdSec Network — a global community of security practitioners sharing real-time attack signals — to provide exploitation intelligence that goes beyond what traditional vulnerability databases offer.
18
19
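Review bot: the added bullet sits in the list introduced as "the questions that matter during triage", but "How do I protect my technology stack?" is a setup task rather than a triage question, and its answer promises to "automatically block attacker IPs" without saying that blocking goes through a firewall integration (the table further down this file routes "Block attacker IPs on my firewall" to Integrations & Blocklists). Suggest moving it out of the triage list or rewording it, and linking the vendor subscription and integration pages from it so the prerequisite is visible.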
@@ -59,8 +60,10 @@ Both interfaces require an API key. Contact the CrowdSec team to obtain yours if
59
60
60
61
| I want to... | Start here |
61
62
|---|---|
63
+
| Protect my technology stack by vendor |[Vendor Subscriptions](./api_lookups#subscribe-an-integration-to-a-vendor)|
62
64
| Understand what the scores mean |[Scores & Ratings](./scores)|
63
65
| Browse CVEs and assess threats |[Web Interface Guide](./web_interface)|
64
66
| Automate with the API |[API Authentication & Setup](./api_authentication)|
65
67
| Block attacker IPs on my firewall |[Integrations & Blocklists](./api_integrations)|
66
68
| Investigate a specific alert |[Triage Workflow Guide](./guide_triage)|
69
+
| Set up proactive monitoring |[Proactive Monitoring Guide](./guide_proactive)|
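Review bot: both added rows link to targets that are not among the files changed here: the `#subscribe-an-integration-to-a-vendor` anchor in `./api_lookups` and the page `./guide_proactive`. Confirm both resolve in the built docs, since a renamed heading breaks an anchor link silently. The vendor row also points into `api_lookups` while the neighbouring "Block attacker IPs on my firewall" row points to `api_integrations`; if vendor subscriptions are attached to integrations, consider cross-linking the two so a reader starting from either row finds the other.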