False positive http-crawl-non_statics with Nextcloud Deck mobile app #991
Comments
This is a rather big problem for me, but the only solutions I could find are way too broad.
The nextcloud whitelist has this
I guess you are routing to Nextcloud via a URL so the path doesn't match?
The URL is not the problem but the status code. Nextcloud log
So there might be a lot of messages with status code
Yes, exactly, you can just update the line to be
I ran into the same issue today with CrowdSec: access from the Android Deck app, as well as access to Deck in a browser, triggers http-crawl-non_statics.
Currently in nextcloud-whitelist.yaml, the URL Please include this in nextcloud-whitelist.yaml to fix the issue. I added a local file
which fixes the issue for me.
Thank you @fracklaus and @LaurenceJJones, it also seems to work for me in a local whitelist. I have also added a copy of this line with code 200, which triggered http-crawl-non_statics when syncing multiple small files in a short period of time:
Hope all these fixes can be added to nextcloud-whitelist.yaml
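A local whitelist parser of the kind the comments above describe, written here as an added example; it is not the hub's nextcloud-whitelist.yaml and not a file posted in this thread. It keys only on fields visible in the alert below (evt.Meta.log_type, evt.Meta.http_path, evt.Meta.http_status) and on the v1.1 Deck API prefix shown there. The parser name, the file name and the decision to scope the rule to the Deck API prefix plus a 200 status (rather than whitelisting the whole Nextcloud vhost, which is the "too broad" option) are assumptions.

```yaml
# Added example, not the hub parser. Drop it in on the Nextcloud machine as
# /etc/crowdsec/parsers/s02-enrich/nextcloud-deck-whitelist.yaml (file name assumed).
# Local parsers in s02-enrich run alongside the hub whitelist, so this only
# needs to cover the events the hub file misses.
name: local/nextcloud-deck-whitelist   # assumed name; must be unique across parsers
description: "Whitelist Nextcloud Deck API fetches that trip http-crawl-non_statics"
# Only evaluate HTTP access-log events, i.e. the log_type the http-logs
# enrichment sets on the events in the alert.
filter: "evt.Meta.log_type == 'http_access-log'"
whitelist:
  reason: "Nextcloud Deck clients fetch one URL per card; this is a sync, not a crawl"
  expression:
    # Exactly the shape of the events in the alert: GET on a Deck board URL, status 200.
    # Keep the prefix tight (the Deck API only, not all of /index.php/) so a real
    # crawler walking the rest of the instance still counts toward the bucket.
    - evt.Meta.http_path startsWith '/index.php/apps/deck/api/v1.1/boards/' && evt.Meta.http_status == '200'
```

After reloading crowdsec, `cscli parsers list` should show the parser as local, and `cscli explain --log '<one access-log line>' --type apache2` (assuming the acquisition labels the Apache file `type: apache2`) should report the event as whitelisted. Two caveats: the alert's user_agent is client-controlled, so a whitelist keyed on it alone is trivially bypassed, and every additional status code or path prefix added to the expression widens what a scanner can hide behind, so add only what the alert shows you need.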
What happened?
Setting up the Nextcloud Deck Android app connection, or refreshing multiple Deck entries, triggers crowdsecurity/http-crawl-non_statics and blocks the client.
What did you expect to happen?
The app should be able to refresh all data without triggering crowdsecurity/http-crawl-non_statics.
How can we reproduce it (as minimally and precisely as possible)?
Install the Nextcloud Deck app on an existing Nextcloud server instance, create multiple Deck entries and install the Deck Android app (from F-Droid: no fees).
Anything else we need to know?
Nextcloud instance: version 27.1.7
PHP: 8.1.27
Web server: Apache/2.4.38 (Debian)
Android Deck app: version 1.23.4
The parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml parser doesn't seem to handle this at the moment.
Crowdsec version
For LAPI Server:
version: v1.6.0-freebsd-4b8e6cd7
Codename: alphaga
BuildDate: 2024-02-20_01:09:28
GoVersion: 1.21.7
Platform: freebsd
libre2: C++
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
OS version
Enabled collections and parsers
COLLECTIONS (LAPI side)
crowdsecurity/freebsd ✔️ enabled 0.1 /usr/local/etc/crowdsec/collections/freebsd.yaml
crowdsecurity/opnsense ✔️ enabled 0.4 /usr/local/etc/crowdsec/collections/opnsense.yaml
crowdsecurity/opnsense-gui ✔️ enabled 0.1 /usr/local/etc/crowdsec/collections/opnsense-gui.yaml
crowdsecurity/sshd ✔️ enabled 0.3 /usr/local/etc/crowdsec/collections/sshd.yaml
firewallservices/pf ✔️ enabled 0.2 /usr/local/etc/crowdsec/collections/pf.yaml
COLLECTIONS (Nextcloud side)
crowdsecurity/apache2 ✔ enabled 0.1 /etc/crowdsec/collections/apache2.yaml
crowdsecurity/base-http-scenarios ✔ enabled 0.8 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/http-cve ✔ enabled 2.6 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/linux ✔ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/mysql ✔ enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/nextcloud ✔ enabled 0.3 /etc/crowdsec/collections/nextcloud.yaml
crowdsecurity/sshd ✔ enabled 0.3 /etc/crowdsec/collections/sshd.yaml
PARSERS (LAPI side)
crowdsecurity/dateparse-enrich ✔️ enabled 0.2 /usr/local/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /usr/local/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/opnsense-gui-logs ✔️ enabled 0.1 /usr/local/etc/crowdsec/parsers/s01-parse/opnsense-gui-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 2.3 /usr/local/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.8 /usr/local/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists ✔️ enabled 0.2 /usr/local/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/whitelists-local 🏠 enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml
firewallservices/pf-logs ✔️ enabled 0.5 /usr/local/etc/crowdsec/parsers/s01-parse/pf-logs.yaml
PARSERS (Nextcloud side)
crowdsecurity/apache2-logs ✔ enabled 1.4 /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
crowdsecurity/dateparse-enrich ✔ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich ✔ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/http-logs ✔ enabled 1.2 /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/mysql-logs ✔ enabled 0.4 /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
crowdsecurity/nextcloud-logs ✔ enabled 0.3 /etc/crowdsec/parsers/s01-parse/nextcloud-logs.yaml
crowdsecurity/nextcloud-whitelist ✔ enabled 0.7 /etc/crowdsec/parsers/s02-enrich/nextcloud-whitelist.yaml
crowdsecurity/sshd-logs ✔ enabled 2.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/syslog-logs ✔ enabled 0.8 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists ✔ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
Acquisition config
Nextcloud Side
Config show
Alert inspection
ID : 508
Date : 2024-03-06T09:45:05Z
Machine : b881
Simulation : false
Reason : crowdsecurity/http-crawl-non_statics
Events Count : 54
Scope:Value : Ip:
Country :
AS :
Begin : 2024-03-06 09:44:30.370898407 +0000 UTC
End : 2024-03-06 09:45:05.027992578 +0000 UTC
UUID : 6c9e49da
Context :
│ Key │ Value │
│ method │ GET │
│ status │ 200 │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/239? │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/275? │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/283? │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/36/cards/360? │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/36/cards/282? │
│ target_uri │ /index.php/apps/deck/api/v1.1/boards/13/stacks/37/cards/175? │
│ user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
Events :
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/239? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/275? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/34/cards/283? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/36/cards/360? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/36/cards/282? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │
Date: 2024-03-06 10:45:04 +0100 +0100
│ Key │ Value │
│ datasource_path │ /var/log/apache2/nextcloud_access.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /index.php/apps/deck/api/v1.1/boards/13/stacks/37/cards/175? │
│ http_status │ 200 │
│ http_user_agent │ Mozilla/5.0 (Android) Nextcloud-android/3.28.0 │
│ http_verb │ GET │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ │
│ timestamp │ 2024-03-06T10:45:04+01:00 │