Http-crawl-non_statics and Rocket.Chat

crowdsec
1

Hi Community,

I’m running a rocket.chat server behind a nginx reverse-proxy and some times IPs are getting blocked by http-crawl-non_statics.

################################################################################################

 - ID           : 30
 - Date         : 2023-10-27T11:22:43Z
 - Machine      : 53cc6264d0a34391bf38fcd3ea35234bUYd
 - Simulation   : false
 - Reason       : crowdsecurity/http-crawl-non_statics
 - Events Count : 53
 - Scope:Value  : Ip:x.x.x.x
 - Country      : xx
 - AS           : xx
 - Begin        : 2023-10-27 11:22:37.600517875 +0000 UTC
 - End          : 2023-10-27 11:22:43.651114205 +0000 UTC
 - UUID         : e598f649-a363-4771-a

I have checked the requests as well. That have been a lot of avatars etc. Like if the user is reloading without cache.

Any recommendation how to improve that behaviour?

Best regards
Timmi

2

Can you provide a redacted URL of the endpoint that is called?

If I remember its something like /api/avatars/{UUID} or something like that

3

The http_path in the details of the alert is always /avatar/<user>

4

Then you can implement a whitelist of sorts

name: timmi/rocketchat-whitelist
description: "Whitelist events from rocketchat"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "RocketChat Whitelist"
  expression:
   - evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Parsed.request startsWith '/avatar/'
## All 200 responses to `/avatar` are whitelisted if user is unauthenticated then it will be 401
5

OK I will give this a try.
Thx