From a39122eb4bf35f9ad38f87bc7f02e4cfd3d43483 Mon Sep 17 00:00:00 2001
From: il
Date: Mon, 11 May 2026 19:34:22 +0900
Subject: [PATCH] fix(crowdsec): update whitelist.yaml to prevent false positive

false positive:
- nextcloud chunk problem (crowdsecurity/http-crawl-non_statics)
---
 .../systemd/common/crowdsec/bouncers/whitelists.yaml.j2 | 2 ++
 docs/issues/crowdsec/260502_nextcloud.md | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 74f1135..f889706 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -16,4 +16,6 @@ whitelist:
 - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
 # nextcloud thumbnail/preview request error false positive
 - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'"
+ # nextcloud chunks.mjs request false positive
+ - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunks.mjs'"
 {% endif %}
diff --git a/docs/issues/crowdsec/260502_nextcloud.md b/docs/issues/crowdsec/260502_nextcloud.md
index 05e0947..4d2e23e 100644
--- a/docs/issues/crowdsec/260502_nextcloud.md
+++ b/docs/issues/crowdsec/260502_nextcloud.md
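Review bot: The added chunks.mjs rule in whitelists.yaml.j2 uses `evt.Meta.http_path contains 'chunks.mjs'`, an unanchored substring test, so any GET to the Nextcloud FQDN answered with 200 or 304 is exempted as soon as that string appears anywhere in the logged path. The preview rule above it matches `startsWith '/index.php/core/preview?'`, which suggests http_path carries the query string here, and if this file is loaded as a parser-stage whitelist a match drops the event for every scenario rather than only crowdsecurity/http-crawl-non_statics. Anchoring the rule to the directory the chunk files are served from would narrow it, for example `evt.Meta.http_path startsWith '<NEXTCLOUD_ASSET_PREFIX>' && evt.Meta.http_path contains 'chunks.mjs'`, with the prefix taken from the logged requests that triggered the false positive. The comment could also name the scenario, `# nextcloud chunks.mjs request false positive (crowdsecurity/http-crawl-non_statics)`; the whitelist block and its `{% if %}` open above the hunk.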
@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
- - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+ - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+ - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunks.mjs'
 ### Deprecated solution
 - Access to fw