False positive with http-crawl-non_statics?

I have a server inside company network that runs rocketchat and gitlab(with port mapped out of router). I found crowdsec seems to identify outside IP address of our company office at a different city as crowdsecurity/http-crawl-non_statics and blocked some of ports by netfilter bouncer. Is it intended?


It sounds like a false positive :frowning: would you mind sharing some (anonymized) logs with us so that we can look into it and see how we can reduce false positives? The workaround would be to have whitelists.

Let me know,

hi ! Same here,
on a simple webserver hosting dozens of website, this check was triggered quickly as follow:

time=“06-09-2022 01:46:51” level=info msg=“Ip 91.194.60.X performed ‘crowdsecurity/http-crawl-non_statics’ (145237 events over 49h21m2.889543946s) at 2022-09-05 23:46:51.051603814 +0000 UTC”

We found that some of those website had specific crontabs that crawl part of the websites to fill some cache, and other websites were using wp_cron …
in the end we had to whitelist this IP in our crowdsec (seems legit to whitelist your own IP addresses :wink: )