False bans from normal Jira usage

It seems that we are getting frequent http-crawl-non_statics bans on our server for “normal” work with Jira (e.g. moving tasks around in a board or simply updating them).

I know I can whitelist IPs but those change. Is there any other approach to address such a problem?

Hello @arminus,

You can whitelist a scenario only for a range or an AS. Do the IPs that change always fall in the same range?

Thanks, I’m aware of that. Problem is, we have clients accessing that site as well and I can’t manage their IPs in the whitelist.

Is there any other way to whitelist beyond the IPs, e.g. in the endpoint, like ignore a certain URL pattern or something?

Hello,

Yes you can whitelist with a certain URL pattern.
Can you share more information about what pattern you want to whitelist so I can help you?

I’m afraid there is no clear repro. One sure thing seems to be to drag tickets back and forth between backlog and a sprint in a Jira scrum board. Sooner or later, I’ll get banned.

Unfortunately, at that point, if I try to export Firefox’s network connections as a .HAR file, it exports a 0 byte file only, probably b/c at this point the respective server connection is dead. cscli decisions delete --ip lets me back in but the .HAR export still doesn’t work without reloading the entire page.

Is there some log on crowdsec’s side which would tell me in detail why the http-crawl-non_statics rule gets triggered?

Hello,

Here is the crawl non static scenario configuration: CrowdSec Hub

To make it short, if an IP address queries more than 40 different URLs (css, jpeg, js, etc. are excluded) in a short period, the scenario will be triggered.

And there is no way to whitelist a URL like, say https://jira.<mydomain>/rest/analytics/* ?

Hello,

Yes you can whitelist a URL.

For example, the whitelist can look like this (in /etc/crowdsec/parsers/s02-enrich/):

name: crowdsecurity/whitelists_jira
description: "Whitelist Jira false positives"
whitelist:
  reason: "Whitelist Jira False Positive"
  expression:
    - evt.Parsed.request startsWith "/rest/analytics/"

Which parser do you use to parse HTTP logs? Can you paste a sample of a log so we can see how to adjust the whitelist, please?
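To make the earlier reply's "more than 40 different non-static URLs" rule and the /rest/analytics/ whitelist above concrete, here is an added Python simulation. It is not CrowdSec's code and not posted by anyone in this thread: it approximates the scenario as a per-IP leaky bucket keyed on distinct paths, with a 0.5s leak speed and a static-extension list that are assumptions, and it runs over constructed combined-format access lines rather than the real Jira trace.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Scenario parameters: capacity 40 is stated in the thread; the 0.5s leak speed
# and the static-extension list are assumptions approximating the Hub scenario.
CAPACITY = 40
LEAKSPEED = timedelta(seconds=0.5)
STATIC_EXT = re.compile(r"\.(css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|map)$", re.I)
# Mirrors the `evt.Parsed.request startsWith "/rest/analytics/"` whitelist above.
WHITELIST_PREFIXES = ("/rest/analytics/",)

# Combined-format access line, the shape the nginx/apache parsers turn into evt.Parsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<request>\S+) HTTP/[\d.]+" (?P<status>\d+)'
)


def parse_line(line):
    """Parse one access-log line into a dict (None if it does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    evt = m.groupdict()
    evt["time"] = datetime.strptime(evt["ts"], "%d/%b/%Y:%H:%M:%S %z")
    evt["http_path"] = evt["request"].split("?", 1)[0]  # query string stripped
    evt["static"] = bool(STATIC_EXT.search(evt["http_path"]))
    return evt


def is_whitelisted(evt):
    """Equivalent of the s02-enrich whitelist: drop the event before any scenario sees it."""
    return any(evt["request"].startswith(p) for p in WHITELIST_PREFIXES)


class DistinctLeakyBucket:
    """One bucket per source IP: each new distinct path pours one token, the bucket
    leaks one token per LEAKSPEED, and exceeding CAPACITY raises the alert."""

    def __init__(self):
        self.paths = set()
        self.level = 0.0
        self.last = None

    def feed(self, evt):
        now = evt["time"]
        if self.last is not None:
            self.level = max(0.0, self.level - (now - self.last) / LEAKSPEED)
            if self.level == 0.0:
                self.paths.clear()  # an emptied bucket is discarded; start fresh
        self.last = now
        if evt["http_path"] in self.paths:
            return False  # same path again: not a new distinct URL
        self.paths.add(evt["http_path"])
        self.level += 1.0
        return self.level > CAPACITY


def run(lines, whitelist=True):
    """Feed lines through filter -> whitelist -> per-IP bucket; return (ip, path, time) alerts."""
    buckets = defaultdict(DistinctLeakyBucket)
    alerts = []
    for line in lines:
        evt = parse_line(line)
        if evt is None or evt["static"]:
            continue  # scenario filter: static resources are never counted
        if whitelist and is_whitelisted(evt):
            continue
        if buckets[evt["ip"]].feed(evt):
            alerts.append((evt["ip"], evt["http_path"], evt["time"]))
            del buckets[evt["ip"]]  # overflowed bucket is gone; a ban decision follows
    return alerts


def constructed_log(prefix="/rest/analytics/1.0/publish/", ip="203.0.113.7", n=60, per_second=10):
    """Constructed sample, not a real Jira trace: n distinct API calls at per_second/s,
    each followed by a static asset request that the scenario must ignore."""
    base = datetime(2022, 1, 31, 9, 35, 0)
    lines = []
    for i in range(n):
        ts = (base + timedelta(seconds=i // per_second)).strftime("%d/%b/%Y:%H:%M:%S +0100")
        lines.append(f'{ip} - - [{ts}] "POST {prefix}{i} HTTP/1.1" 200 12 "-" "Mozilla/5.0"')
        lines.append(f'{ip} - - [{ts}] "GET /s/{i}/batch.css HTTP/1.1" 200 340 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print("no whitelist:", run(constructed_log(), whitelist=False))
    print("with whitelist:", run(constructed_log(), whitelist=True))
    print("gitplugin path:", run(constructed_log(prefix="/rest/gitplugin/1.0/"), whitelist=True))
```

Without the whitelist the constructed burst of analytics calls (10 per second, all distinct paths) overflows the bucket at the 49th distinct request, while the interleaved .css requests never count; with the whitelist the same traffic produces no alert. Calls under a prefix the whitelist does not cover, such as the hypothetical /rest/gitplugin/1.0/ used in the third run, still trip the bucket, which is why the matching expression has to name the real prefix seen in the log.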

The scenario is http-crawl-non_statics.

Here’s the sanitized log trace which led to the ban at around 31/Jan/2022:09:35:56

I don’t think this is /rest/analytics but maybe /rest/gitplugin ? (nothing fancy here, just the regular Jira git plugin)