False positive occurring with Nextcloud

Hey there,

I’m new here and just discovered crowdsec. I have tried a few things so far but can’t get this to work. I have Crowdsec on my OPNsense and am running the LAPI there; my applications do have parsers installed on them. For example, and the reason for opening this thread, my nextcloud server (version 30.0.2): I’m always getting banned after browsing for a while. I have installed the following nextcloud collection:

Of course the parser on the nextcloud server and the brute force scenario on my OPNsense. I’m not entirely sure where I had to place the whitelist, so I installed it on my server and my OPNsense. I’m also running Caddy on my OPNsense and do have some scenarios for that. (Metrics found here: Pastebin.com - Locked Paste Password: vF5wTrkJvf)

Now to the problem, I got banned by crowdsecurity/http-crawl-non_statics.
Inspect of alert:

###########################################################################

 - ID           : 11185
 - Date         : 2024-12-02T11:44:25Z
 - Machine      : localhost
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-crawl-non_statics
 - Events Count : 52
[REDACTED]
 - Begin        : 2024-12-02 11:44:09.007662869 +0000 UTC
 - End          : 2024-12-02 11:44:25.064423039 +0000 UTC
 - UUID         : cf618de9-f62d-4c38-8e09-04918c91ec4c


 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 200                                                          │
│ target_uri │ /apps/text/js/index-COlIf7vj.chunk.mjs                       │
│ target_uri │ /apps/viewer/js/NcActionLink--vFqColh.chunk.mjs              │
│ target_uri │ /apps/viewer/js/actionText-fFcUPi2g-1UIVDoW6.chunk.mjs       │
│ target_uri │ /apps/viewer/js/NcActionButton-Coia-Zl_.chunk.mjs            │
│ target_uri │ /apps/text/js/public-BnJZpQLY.chunk.mjs                      │
│ target_uri │ /apps/text/js/index-Br6XaFoY.chunk.mjs                       │
│ user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│            │ (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36           │
╰────────────┴──────────────────────────────────────────────────────────────╯
###########################################################################

I sadly can’t see any exceptions for that in the nextcloud whitelist and I’m also not familiar enough with CrowdSec yet to modify this on my own.

Maybe there also is something wrong with my CrowdSec / Nextcloud Installation.
If anybody could help me, I would be very grateful. Thanks!

Hey there,

this issue is resolved. Please see the CrowdSec Discord for the solution in one of the support channels: Discord

Otherwise, the solution is already in http-logs.yaml (add mjs to list of static extensions by GNU-Plus-Windows-User · Pull Request #1166 · crowdsecurity/hub · GitHub). As I was still on crowdsec version 1.6.3, due to the OPNSense plugin, I did not get this fix.
As I’m dependent on the plugin maintainer for opnsense crowdsec, I created my own whitelist with the following expression:

evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path endsWith '.mjs' #Static Load of MJS files

Thanks to @GNU Plus Windows User in Discord for that!
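
For readers applying the same workaround, here is the expression from the post above placed in a complete CrowdSec parser whitelist file. This is an added example, not the poster's actual file: the `name`, `description`, `reason` and `filter` values are assumptions, as is the use of the `parsers/s02-enrich/` directory of the CrowdSec configuration.

```yaml
# Added example: a parser whitelist wrapping the expression from the thread.
# Assumed location: parsers/s02-enrich/ under the CrowdSec configuration directory.
# name, description, reason and filter are illustrative assumptions.
name: local/mjs-static-whitelist
description: "Do not count successful GET requests for .mjs bundles"
# Assumption: only evaluate HTTP access-log events; adjust to the parsers in use.
filter: "evt.Meta.service == 'http' && evt.Meta.log_type == 'http_access-log'"
whitelist:
  reason: "Static load of MJS files"
  expression:
    # All three conditions must hold, so failed (non-200) or non-GET requests
    # for .mjs paths are still scored by the HTTP scenarios.
    - evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path endsWith '.mjs'
```

Reload CrowdSec after adding the file. Running `cscli explain` on a sample access-log line shows which parsers, including the whitelist, matched the event.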