Need Help Whitelisting Specific URL Paths

Hi everyone, I am facing a temporary issue with our application, where the following URLs are getting hit frequently (mostly via POST requests), causing CrowdSec scenarios like http-probing and http-open-proxy to trigger. I’ve identified these URL patterns that are safe and need to be whitelisted until we fix the app.

/etc/crowdsec/parsers/s02-enrich/whitelist-url-paths.yaml

```yaml
name: "local/whitelist-url-paths"
description: "Whitelist specific URL paths from analysis"
# Only POST events with a non-empty path reach the whitelist expressions below.
filter: "evt.Meta.http_verb == 'POST' && evt.Meta.http_path != ''"
whitelist:
  reason: "Whitelist known safe URLs"
  expression:
    - "evt.Meta.http_path endsWith 'checkEmojisExist.json'"
    - "evt.Meta.http_path endsWith 'pressReleaseSave.htm'"
    - "evt.Meta.http_path endsWith 'leads.json'"
    - "evt.Meta.http_path endsWith 'inventoryWidgetData.json'"
    - "evt.Meta.http_path endsWith 'getInventory.json'"
    - "evt.Meta.http_path endsWith 'updateFilter.json'"
    - "evt.Meta.http_path endsWith 'banners.json'"
    - "evt.Meta.http_path endsWith 'gettranslations.json'"
    - "evt.Meta.http_path endsWith 'autoComplete.json'"
```

Q1: Is this the correct way to whitelist based on URL paths? If not, please help me here.

Q2: Do I need to whitelist the POST method explicitly too? If so, how can I combine evt.Meta.http_path and evt.Meta.http_verb == 'POST' in the whitelist expressions?

Additionally, I’ve removed these two scenarios:

crowdsecurity/http-bad-user-agent
crowdsecurity/nginx-req-limit-exceeded

But they are showing as tainted.

Q3: If I add --force to my /etc/cron.daily/crowdsec update script, will these removed scenarios come back again? I don't want them to be reinstalled.
thatwhiff (OP), 4mo ago
@Loz any Help here?
iiamloz, 4mo ago
So yes, the whitelist works. You don't need to define POST inside each statement, since you are prefiltering it at the top with the verb check. You can remove those scenarios; you don't need to modify the cronjob at all. Simply removing them will stop the automatic updates from reimplementing them.
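A small model of how the whitelist in this thread decides, added here as an illustration; it is not CrowdSec's code and not something either poster wrote. It assumes `endsWith` is a plain string-suffix test; the `anchored` option and the sample events are hypothetical. It shows the filter gating everything on POST, and that a bare suffix also matches longer file names that end the same way.

```python
# Added illustration: models the posted whitelist's decision, it is not CrowdSec code.
SAFE_FILES = [
    "checkEmojisExist.json", "pressReleaseSave.htm", "leads.json",
    "inventoryWidgetData.json", "getInventory.json", "updateFilter.json",
    "banners.json", "gettranslations.json", "autoComplete.json",
]

def passes_filter(meta):
    """Mirror of the parser's `filter`: only POST events with a non-empty path."""
    return meta.get("http_verb") == "POST" and meta.get("http_path", "") != ""

def whitelisted(meta, anchored=False):
    """Return the matching file name, or None if the event is still analysed.

    anchored=False mirrors the posted rules (plain suffix match).
    anchored=True is a hypothetical stricter variant that requires a '/' before
    the file name, so only a whole final path segment matches.
    """
    if not passes_filter(meta):
        return None  # filter failed: whitelist expressions are never evaluated
    path = meta["http_path"]
    for name in SAFE_FILES:
        suffix = "/" + name if anchored else name
        if path.endswith(suffix):
            return name
    return None

# Constructed sample events (not taken from real logs).
EVENTS = [
    {"http_verb": "POST", "http_path": "/api/leads.json"},
    {"http_verb": "GET", "http_path": "/api/leads.json"},
    {"http_verb": "POST", "http_path": "/api/misleads.json"},
    {"http_verb": "POST", "http_path": "/some/other/page.htm"},
]

def report(events=EVENTS):
    """One row per event: (verb, path, match as posted, match when anchored)."""
    return [
        (e["http_verb"], e["http_path"], whitelisted(e), whitelisted(e, anchored=True))
        for e in events
    ]

if __name__ == "__main__":
    for row in report():
        print(row)
```

In the real parser file, the anchored variant would correspond to writing each suffix with a leading slash, for example `'/leads.json'` instead of `'leads.json'`.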