False positives with http-probing & http-crawl-non_statics in Jellyfin
Hello,
I have a few friends that are being banned from my Jellyfin instance because of http probing or http-crawl-non_statics.
I'm using Pangolin so Crowdsec is fed traefik logs.
Here are a few occurrences:
https://pastebin.com/Y1ZvSTA6
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
I guess you already have installed https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/jellyfin-whitelist?
I had to make a custom s02 parser for some extra exceptions for Jellyfin. Depending on the app you use to access Jellyfin, they can cause different false positives not covered by that whitelist.
It doesn't look like mine will cover your false positives, but I'll post what I use regardless. You may have to do a similar thing yourself.
Yes, but I'm unsure it's covering my examples
From my understanding the default whitelist would not cover your examples
You’ll have to make a custom s02 parser like I did above but apply it to your false positives
ChatGPT is pretty good at making the expressions but you’ll have to test it
Yes I'll give it a try
The default whitelist didn't cover mine either. Hence why I had to make the one above
Certain apps hit Jellyfin differently and can cause different CrowdSec detections
What apps are they using btw? Just curious
Just Firefox! That's what's weird
Strange
For example, I had to append “chapters” to the items/?/images exception because the Apple TV Swiftfin app could cause a false positive if you tried to view chapters but didn’t generate chapter images on the server
For me it seems to be limited to /api/ paths
Also the loading avatars exception would be triggered if you tried to view profile settings on the iOS Streamyfin app and didn’t have an avatar image set
Yea, that’s what’s strange to me
You’ll just need to build out an exception for it
If you paste the log into ChatGPT with an example of a Jellyfin whitelist s02 parser, it should be able to create a semi-decent rule. Just make sure it's not too lenient
Yes, I'll give it a try this weekend, fingers crossed
Good luck!
Even better than what I expected, I'll give it a try
name: custom/api-whitelist
description: "Whitelist legitimate API calls (GET 403 on /api/v1/*) to prevent http-probing false positives"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Legitimate API access returning 403 on /api/v1/*"
  expression:
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '403' && evt.Meta.http_path matches '(?i)^/api/v1/.*'
Let me know if it works
Well, it doesn't, because I can't figure out how to add it to my existing setup. Adding it as a separate YAML file in s02-enrich doesn't work, and modifying the existing Jellyfin rules doesn't either
You just add it to the s02-enrich folder and restart the crowdsec service