Describe the bug
Using the latest seafile sync client (v9.0.18) on Debian 13 to sync a library triggers the alert crowdsecurity/http-crawl-non_statics very quickly. I haven't tried any other versions, though.
To Reproduce
- download the latest seafile sync client
- run it
- log in
- sync a library
Of course this needs a Seafile server and a CrowdSec Security Engine. In my case, Seafile is behind a traefik reverse proxy instead of caddy and the engine parses the access log of traefik.
Expected behavior
The alert crowdsecurity/http-crawl-non_statics is not being triggered.
Additional context
The alert shows the following context information.
method: GET
status: 200
target_uri: /seafhttp/repo/<library uuid>/block/<block hash>
Workaround
I've added a whitelist parser to catch these events. It's based on the Nextcloud whitelist parser. Perhaps you could create one for Seafile, too.
name: "opiateblush/seafile-whitelist"
description: "Whitelist events from Seafile"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
reason: "Seafile Whitelist"
expression:
- "evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '/seafhttp/repo/[a-f0-9-]+/block/[a-f0-9]+'" # file syncing
Describe the bug
Using the latest seafile sync client (v9.0.18) on Debian 13 to sync a library triggers the alert
crowdsecurity/http-crawl-non_staticsvery quickly. I haven't tried any other versions, though.To Reproduce
Of course this needs a Seafile server and a CrowdSec Security Engine. In my case, Seafile is behind a traefik reverse proxy instead of caddy and the engine parses the access log of traefik.
Expected behavior
The alert
crowdsecurity/http-crawl-non_staticsis not being triggered.Additional context
The alert shows the following context information.
Workaround
I've added a whitelist parser to catch these events. It's based on the Nextcloud whitelist parser. Perhaps you could create one for Seafile, too.