crowdsecurity / crowdsec-docs

CrowdSec Documentation: Comprehensive guides, tutorials, and references for installing, configuring, and using CrowdSec, an open-source cybersecurity platform. Contributions welcome!
https://doc.crowdsec.net/

Review Docker Hub documentation #662

Open buixor opened 2 weeks ago

buixor commented 2 weeks ago

Currently, the docker documentation isn't very clear about running "Log Processor" or "LAPI" only.

The documentation is speaking about agent (?). A quick iteration could help improve this significantly.

buixor commented 2 weeks ago

To make things more obvious, we could:

philippecrowdsec commented 2 weeks ago

My proposal:

1 minute CrowdSec Core concepts

CrowdSec Security Engine (formerly Agent) is both an IDS and a WAF. It assumes three main functions: the log processor, the LAPI, and a Syslog facility. The log processor parses logs and/or web requests to detect attacks based on scenarios or WAF rules. Those configuration files can be found on the Hub (https://app.crowdsec.net/). The Local API (aka LAPI) coordinates the work between the different Security Engines, the remediation components, and the CrowdSec global network. One LAPI can coordinate all your engines in a multi-server setup. Finally, the Engine also embeds a native Syslog facility so that you can pipe your logs to it directly, for convenience. Most of those behaviors can be configured in the config.yaml config file.

The Remediation component (formerly bouncers) is the IPS. When an attack is detected, it enforces the remediation you want, where you want. They are usually interfaces to other hardware or software components you may already have, like your hardware firewall, your reverse proxy, your web server, your CDN, your Cloud environment or simply your kernel-level firewall (Linux nftables, BSD Pf or Windows Defender). Your answer to a specific threat can take multiple forms, like sending yourself a Slack message, pushing a captcha, or simply banning the problematic IP address. The way you address the threat can be configured in the profiles.yaml config file.

Finally, the Security Engines act as a community, sharing their detections to create real-time blocklists of the most dangerous IP addresses and block them, as long as they are reported by enough trusted users offering enough diversity (to avoid poisoning and false positives). This is commonly referred to as CAPI or CrowdSec API. CAPI is the API receiving all the alerts from the network of Security Engines, curating them and sending back blocklists to your LAPI.
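To make the "Log Processor only" versus "LAPI only" split from the opening comment concrete, here is an added Docker Compose example; it is not part of this issue or of the crowdsec-docs repository. It assumes the `crowdsecurity/crowdsec` image honours the `DISABLE_LOCAL_API`, `DISABLE_AGENT`, `LOCAL_API_URL`, `AGENT_USERNAME`, `AGENT_PASSWORD` and `COLLECTIONS` environment variables as documented in the image's README; the service names, the credential value and the host log path are constructed placeholders and should be replaced (the password in particular should come from a secret, not the compose file).

```yaml
# Added example (not from the issue): one LAPI-only container coordinating
# one Log-Processor-only container, matching the "multi-server" description.
# Assumption: the environment variable names below are those of the
# crowdsecurity/crowdsec image; verify them against the current image README.
services:

  # LAPI only: runs the Local API, keeps the decisions database, talks to
  # CAPI. The log processor is disabled so no acquisition config is needed.
  lapi:
    image: crowdsecurity/crowdsec:latest
    environment:
      DISABLE_AGENT: "true"           # no log processing in this container
      AGENT_USERNAME: "lp-web"        # constructed: machine name the LP logs in with
      AGENT_PASSWORD: "CHANGE_ME"     # placeholder: pre-registers that machine on the LAPI
    volumes:
      - lapi-data:/var/lib/crowdsec/data   # SQLite DB with decisions/alerts
      - lapi-config:/etc/crowdsec          # config.yaml, profiles.yaml, local_api_credentials
    ports:
      - "127.0.0.1:8080:8080"   # only remediation components on this host need it

  # Log Processor only: parses logs with Hub scenarios and pushes alerts to
  # the LAPI above instead of running its own API.
  log-processor:
    image: crowdsecurity/crowdsec:latest
    depends_on:
      - lapi
    environment:
      DISABLE_LOCAL_API: "true"                 # do not start a LAPI here
      LOCAL_API_URL: "http://lapi:8080"         # compose service name of the LAPI
      AGENT_USERNAME: "lp-web"                  # must match what the LAPI pre-registered
      AGENT_PASSWORD: "CHANGE_ME"               # placeholder, same value as above
      COLLECTIONS: "crowdsecurity/nginx"        # Hub collection to install at start
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro   # constructed: which logs to read
      - /var/log/nginx:/var/log/nginx:ro             # constructed host log path

volumes:
  lapi-data:
  lapi-config:
```

The point for the documentation: the two roles differ only in which half is disabled and where the credentials point. Remediation components (bouncers) register against the LAPI container, not the log processor, and the LAPI is the only service that needs to be reachable by them; the log processor needs nothing exposed. Adding `DISABLE_ONLINE_API` to the LAPI service would additionally detach it from CAPI for an air-gapped setup, at the cost of the community blocklists described above.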

LaurenceJJones commented 2 weeks ago

Additional TODOs: