grave sigil
Hey there,
I hope you have some time, as this may could get a bit more complicated with whitelisting.
To reduce a bit of overhead, I already opened a thread in the crowdsec community forum for this issue.
https://discourse.crowdsec.net/t/false-positive-occuring-with-nextcloud/2166
Maybe you could take a look? I'm not sure if the Crowdsec forum is still active?
Any help would be much appreciated, thank you :)
Kind regards,
Khensu
graceful shardBOT
© Created By WhyAydan for CrowdSec ❤️
grave sigil
Hey there! Just tinkered a bit and how could I check if my whitelist file works? I added following to the nextcloud-whitelist:
evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/apps/' && evt.Meta.http_path endsWith '.mjs' #Static Load of MJS files
Would this work? When there is endsWith, I figured there maybe also is startsWith
I want it to match every path that starts with /apps/ and ends with .mjs with method GET and status 200. As those are the values of all the alerts why http-crawl-non-statics is banning falsely. Not sure if this is the right way to go, but sadly otherwise nextcloud is unusable
verbal jacinth
This false positive has been fixed. Update CrowdSec via hub update and hub upgradr
grave sigil
This false positive has been fixed. Update CrowdSec via `hub update` and `hub up...
It says everything is already up-to-date. But I'm also using crowdsec 1.6.3 on my opnsense. Is this only available on 1.6.4?
grave sigil
This false positive has been fixed. Update CrowdSec via `hub update` and `hub up...
In which parser/whitelist should the fix be? I can't find any difference :/
verbal jacinth
It says everything is already up-to-date. But I'm also using crowdsec 1.6.3 on m...
Hub updates usually are only available on the latest CrowdSec version
grave sigil
Hub updates usually are only available on the latest CrowdSec version
Mhh are you sure this specific false positive is fixed? I compared all the parsers and white-list from 1.6.4 with mine installed and they are the same.
Do you know which one includes the fix?
verbal jacinth
Mhh are you sure this specific false positive is fixed? I compared all the parse...
grave sigil
https://github.com/crowdsecurity/hub/pull/1166
Thanks! I have added , '.MJS' to the http-logs.yaml. That's it right? The .index.json is only relevant for the hub I assume.
verbal jacinth
Thanks! I have added , '.MJS' to the http-logs.yaml. That's it right? The .index...
yes
I wouldn't recommending editing that file directly though, it'll be marked as stale and you won't get automatic updates.
Upgrade to a newer version of CrowdSec and it should pull the latest version of the parser
or you can stick to your previous solution if you really don't want to upgrade
grave sigil
Yeah I noticed that ;/ Sadly I'm dependent on the plugin maintainer for opnsense. I can't update it myself :( So for now I stick with editing it manually and revert it when 1.6.4 gets released for OPNsense
Thank you for the solution!
graceful shardBOT
Resolving False positive occuring with Nextcloud
This has now been resolved. If you think this is a mistake please run /unresolve
verbal jacinth
Yeah I noticed that ;/ Sadly I'm dependent on the plugin maintainer for opnsense...
don't edit it manually, just create your own parser to whitelist .mjs
evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path endsWith '.mjs' #Static Load of MJS files
grave sigil
Oh ok! Will do.