Difficulty Whitelisting AppSec CRS False Positives in Traefik Bouncer
Hi CrowdSec Team,

I need help configuring a whitelist for the AppSec component in Traefik Bouncer. Despite testing multiple filter expressions, I can’t stop legitimate traffic from being blocked.

Environment

- Traefik v3 (Docker)
- CrowdSec Agent: latest (Docker)
- Bouncer: maxlerebourg/crowdsec-bouncer-traefik-plugin:latest with AppSec enabled
- Rules: crowdsecurity/crs enabled and blocking as expected

    appsec_configs:
      - crowdsecurity/appsec-default
      - crowdsecurity/crs
    labels:
      type: appsec
    listen_addr: 0.0.0.0:7422
    source: appsec

Problem

AppSec correctly blocks malicious traffic but also flags legitimate requests. Example: Siyuan Note S3 Sync, which uses complex S3 API calls that trigger CRS rules (e.g., 942100, 920420).

Sample alert:

    rule_ids: [901340 911100 920420 920270 921150 949110 980170]
    target_uri: /siyuan/repo/objects/... ?x-id=PutObject

Attempted Solution

I tried a whitelist parser using ids + target_uri:

    name: crowdsecurity/local-siyuan-whitelist
    description: "Whitelist Siyuan"
    filter: "evt.Meta.service == 'appsec' && evt.Meta.log_type == 'appsec-info'"
    whitelist:
      reason: "Siyuan whitelist"
      expression: |
        any(evt.Appsec.MatchedRules, #.id in ["911100","920420","920270","921150"]) and evt.Meta.target_uri startsWith '/siyuan/repo/'

But CrowdSec fails to load it:

    yaml: unmarshal errors: cannot unmarshal !!str `any(ev...` into []string

Question

What’s the correct way to implement this whitelist in AppSec? Any working example or best-practice guidance would be greatly appreciated.

Thanks!
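
The load error in the post above points at the shape of the `expression` key: the message says a single string was supplied where a list of strings (`[]string`) is expected. As an added example (not part of the original post and not CrowdSec's own configuration), here is the same whitelist with `expression` written as a YAML sequence; the expression text and field names are copied from the post unchanged and are not verified against the AppSec event schema.

```yaml
# Added example: same parser as in the post, with only the YAML shape of
# "expression" changed from a single block string to a list of strings.
name: crowdsecurity/local-siyuan-whitelist
description: "Whitelist Siyuan"
filter: "evt.Meta.service == 'appsec' && evt.Meta.log_type == 'appsec-info'"
whitelist:
  reason: "Siyuan whitelist"
  expression:
    # One list item. The folded block scalar (>-) keeps "#.id" from being
    # read as a YAML comment, which would happen in an unquoted list item,
    # and joins the two lines below into one expression.
    - >-
      any(evt.Appsec.MatchedRules, #.id in ["911100","920420","920270","921150"])
      and evt.Meta.target_uri startsWith '/siyuan/repo/'
```

This only changes how the file parses. Whether the expression then matches depends on the fields the AppSec events actually carry, which the post does not show.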