Difficulty Whitelisting AppSec CRS False Positives in Traefik Bouncer
Hi CrowdSec Team,
I need help configuring a whitelist for the AppSec component in Traefik Bouncer. Despite testing multiple filter expressions, I can’t stop legitimate traffic from being blocked.
Environment
Traefik v3 (Docker)
CrowdSec Agent: latest (Docker)
Bouncer: maxlerebourg/crowdsec-bouncer-traefik-plugin:latest with AppSec enabled
Rules: crowdsecurity/crs enabled and blocking as expected
appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/crs
labels:
  type: appsec
listen_addr: 0.0.0.0:7422
source: appsec
Problem
AppSec correctly blocks malicious traffic but also flags legitimate requests. Example: Siyuan Note S3 Sync, which uses complex S3 API calls that trigger CRS rules (e.g., 942100, 920420).
Sample alert:
rule_ids: [901340 911100 920420 920270 921150 949110 980170]
target_uri: /siyuan/repo/objects/... ?x-id=PutObject
Attempted Solution
I tried a whitelist parser using ids + target_uri:
name: crowdsecurity/local-siyuan-whitelist
description: "Whitelist Siyuan"
filter: "evt.Meta.service == 'appsec' && evt.Meta.log_type == 'appsec-info'"
whitelist:
  reason: "Siyuan whitelist"
  expression: |
    any(evt.Appsec.MatchedRules, #.id in ["911100","920420","920270","921150"])
    and evt.Meta.target_uri startsWith '/siyuan/repo/'
But CrowdSec fails to load it:
yaml: unmarshal errors:
  cannot unmarshal !!str `any(ev...` into []string
Question
What’s the correct way to implement this whitelist in AppSec? Any working example or best-practice guidance would be greatly appreciated.
Thanks!
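The list-valued form that the unmarshal error above is asking for, as an added example and not a file from the thread: `whitelist.expression` is decoded into a `[]string`, so a `|` block scalar (one string) is rejected, while a YAML sequence loads. The poster's expression is kept as written, only wrapped in the `{ ... }` predicate braces expr accepts; the file path is assumed. A parser whitelist acts on the event after acquisition, so it can suppress the resulting alert but does not change the verdict the AppSec component has already returned to the bouncer for an in-band match, which is why the hook-based fix later in the thread is what affects the request itself.

```yaml
# Parser whitelist; path assumed, e.g. /etc/crowdsec/parsers/s02-enrich/local-siyuan-whitelist.yaml
name: crowdsecurity/local-siyuan-whitelist
description: "Whitelist Siyuan"
filter: "evt.Meta.service == 'appsec' && evt.Meta.log_type == 'appsec-info'"
whitelist:
  reason: "Siyuan whitelist"
  # `expression` must be a YAML sequence: it is unmarshalled into []string.
  # A `|` block scalar is a single string, which is exactly what the
  # "cannot unmarshal !!str ... into []string" error reports.
  expression:
    - any(evt.Appsec.MatchedRules, { #.id in ["911100", "920420", "920270", "921150"] }) and evt.Meta.target_uri startsWith '/siyuan/repo/'
```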
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
I followed the CrowdSec appsec component hooks documentation and switched to using a pre_eval hook.
name: crowdsecurity/my-appsec-config
default_remediation: ban
log_level: debug
outofband_rules:
  - crowdsecurity/crs
pre_eval:
  - filter: IsOutBand == true && req.URL.Path contains "/siyuan/repo/"
    apply:
      - RemoveOutBandRuleByID(911100)
      - RemoveOutBandRuleByID(920420)
      - RemoveOutBandRuleByID(920270)
      - RemoveOutBandRuleByID(921150)
The AppSec config is enabled as shown below:
cscli appsec-configs list
APPSEC-CONFIGS
Name                             📦 Status          Version  Local Path
crowdsecurity/appsec-default     ✔️ enabled         0.4      /etc/crowdsec/appsec-configs/appsec-default.yaml
crowdsecurity/generic-rules      ✔️ enabled         0.4      /etc/crowdsec/appsec-configs/generic-rules.yaml
crowdsecurity/my-appsec-config   🏠 enabled,local            /etc/crowdsec/appsec-configs/my-appsec-config.yaml
crowdsecurity/virtual-patching   ✔️ enabled         0.4      /etc/crowdsec/appsec-configs/virtual-patching.yaml
However, the configuration still doesn’t take effect.
Did you add this configuration to the acquisition as the loaded appsec_configs? And then did you restart crowdsec?
Yes, I restarted crowdsec, and the appsec.yaml in acquis.d is:
appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/my-appsec-config
labels:
  type: appsec
listen_addr: 0.0.0.0:7422
source: appsec
Try:
filter: IsOutBand == true && req.RequestURI contains "/siyuan/repo/"
This works. Thank you!
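The thread's working pieces assembled into one file, as an added example rather than the poster's own config: the appsec config with the pre_eval hook filtering on req.RequestURI (the filter confirmed above), limited to the out-of-band phase and the Siyuan repo prefix, removing the four CRS rule IDs from the poster's alert. It assumes the path shown in the cscli output and that the acquisition lists crowdsecurity/my-appsec-config under appsec_configs, as the poster's appsec.yaml does; `startsWith` is used instead of the thread's `contains` so that only URIs beginning with the prefix are exempted, and log_level is lowered from the debug setting used while troubleshooting.

```yaml
# /etc/crowdsec/appsec-configs/my-appsec-config.yaml (path from the cscli output in the thread)
name: crowdsecurity/my-appsec-config
default_remediation: ban
log_level: info            # debug was used while troubleshooting; info is enough in normal operation
outofband_rules:
  - crowdsecurity/crs
pre_eval:
  # pre_eval hooks run before the rules are evaluated, so a rule removed here never
  # fires for the matching request. The filter is limited to the out-of-band phase and
  # to URIs that start with the Siyuan repo prefix; every other path keeps the full CRS set.
  # req.RequestURI (raw URI, query string included) is used instead of req.URL.Path
  # because 1.6.11 did not update req.URL for proxied requests (fixed in 1.7; both work there).
  - filter: IsOutBand == true && req.RequestURI startsWith "/siyuan/repo/"
    apply:
      - RemoveOutBandRuleByID(911100)   # the four CRS rule IDs from the poster's alert
      - RemoveOutBandRuleByID(920420)
      - RemoveOutBandRuleByID(920270)
      - RemoveOutBandRuleByID(921150)
```

After editing the file, restart crowdsec and check that `cscli appsec-configs list` shows the config as enabled,local before testing the Siyuan sync again.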
Yeah - I ran into the same problem. Documentation doesn’t seem to be up to date.
We found a bug in 1.6.11: the req.URL was not being updated to the actual URL of the proxied request. This is now fixed in 1.7.
Apologies, I should have realized once the filter was shown.
@Loz thanks! Will req.RequestURI still work in 1.7? As I have adjusted all my filters to this.
Yes both will work