CrowdSec•2mo ago

Whitelist or set less strict rules on a specific resource

anybody more experienced with crowdsec than I am know how to whitelist specific endpoints on a specific resource? crowdsec presents a captia for an iframe that prevents the user from interacting with it as it's a read-only document (it's got anti-tampering, copy paste, and anti-dev tools). I want it for the main resource but not for that specific endpoint. anybody got any suggestions?

2 Replies

CrowdSec•2mo ago

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

Streilinger•2mo ago

For scenarios you can use a postoverflow in /etc/crowdsec/postoverflows/s01-whitelist/your-whitelist.yaml We use something like:

name: Streilinger/postoverflow-whitelist
description: Whitelist some behavior of XXX application
filter: "any(evt.Overflow.Alert.Events, #.GetMeta('target_host') == 'XXX.XXX.de' || #.GetMeta('target_host') == 'XXX.XXX.de')"
whitelist:
  reason: XXX postoverflow whitelist
  expression:
    - "evt.Overflow.Alert.Scenario == 'crowdsecurity/http-crawl-non_statics' && any(evt.Overflow.Alert.Events, #.GetMeta('http_args') contains 'XXX' && #.GetMeta('http_args_len') == 'XX')"
    - "evt.Overflow.Alert.Scenario == 'crowdsecurity/http-probing' && any(evt.Overflow.Alert.Events, #.GetMeta('http_path') contains '/XXX/XXX/XXX/')"

name: Streilinger/postoverflow-whitelist
description: Whitelist some behavior of XXX application
filter: "any(evt.Overflow.Alert.Events, #.GetMeta('target_host') == 'XXX.XXX.de' || #.GetMeta('target_host') == 'XXX.XXX.de')"
whitelist:
  reason: XXX postoverflow whitelist
  expression:
    - "evt.Overflow.Alert.Scenario == 'crowdsecurity/http-crawl-non_statics' && any(evt.Overflow.Alert.Events, #.GetMeta('http_args') contains 'XXX' && #.GetMeta('http_args_len') == 'XX')"
    - "evt.Overflow.Alert.Scenario == 'crowdsecurity/http-probing' && any(evt.Overflow.Alert.Events, #.GetMeta('http_path') contains '/XXX/XXX/XXX/')"

For AppSec you can write an appsec-config in /etc/crowdsec/appsec-configs/yourconfig.yaml with something like:

name: Streilinger/appsec-config
pre_eval:
  - filter: IsOutBand == true && req.Method in ["PUT", "DELETE"] && (req.Host == "XXX.XXX.de" || req.Host == "XXX.XXX.de") && req.RequestURI contains "/api/"
    apply:
      - RemoveOutBandRuleByID(911100) # Allow PUT DELETE on API

name: Streilinger/appsec-config
pre_eval:
  - filter: IsOutBand == true && req.Method in ["PUT", "DELETE"] && (req.Host == "XXX.XXX.de" || req.Host == "XXX.XXX.de") && req.RequestURI contains "/api/"
    apply:
      - RemoveOutBandRuleByID(911100) # Allow PUT DELETE on API

Don't forget to include the name in /etc/crowdsec/acquis.d/appsec.yaml

Gaming

Programming

Whitelist or set less strict rules on a specific resource

Did you find this page helpful?