crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

False Positive: Nextcloud while using Nextcloud Memories App (crowdsecurity/http-crawl-non_statics) #1097

Open florianwgnr opened 2 months ago

florianwgnr commented 2 months ago

Describe the bug

The Nextcloud whitelist is missing an entry for Nextcloud Memories, resulting in a false positive (crowdsecurity/http-crawl-non_statics).

################################################################################################

 - ID           : 875
 - Date         : 2024-08-22T17:28:34Z
 - Machine      : nginx
 - Simulation   : false
 - Reason       : crowdsecurity/http-crawl-non_statics
 - Events Count : 41
 - Scope:Value  : Ip:x.x.x.x
 - Country      : DE
 - AS           : Telefonica Germany
 - Begin        : 2024-08-22 17:28:33.82955281 +0000 UTC
 - End          : 2024-08-22 17:28:33.974726772 +0000 UTC
 - UUID         : 864324f4-f5ed-46dd-b587-497cd3436dbd

 - Active Decisions  :
╭─────────┬──────────────────┬────────┬──────────────────┬──────────────────────╮
│    ID   │    scope:value   │ action │    expiration    │      created_at      │
├─────────┼──────────────────┼────────┼──────────────────┼──────────────────────┤
│ 6412435 │ Ip:x.x.x.x │ ban    │ 29m14.786184048s │ 2024-08-22T17:28:34Z │
╰─────────┴──────────────────┴────────┴──────────────────┴──────────────────────╯

 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 200                                                          │
│ target_uri │ /apps/memories/api/image/preview/1217883?c=d44fe565156a99fa9 │
│            │ e06f3b1a0786733&x=1920&y=1080&a=1                            │
│ target_uri │ /apps/memories/api/image/preview/1197124?c=857362aae99dbc275 │
│            │ 696824426035dec&x=340&y=340&a=1                              │
│ target_uri │ /apps/memories/api/image/preview/1200903?c=634e1695eebb4d758 │
│            │ 742d5d45348346a&x=340&y=340&a=1                              │
│ target_uri │ /apps/memories/api/image/preview/1200979?c=c3811639b3bfcef1a │
│            │ a5f5a053d0163cd&x=511&y=511&a=1                              │
│ target_uri │ /apps/memories/api/image/preview/1201126?c=1c3930ce6171751ac │
│            │ 1b614a4a550a724&x=340&y=340&a=1                              │
│ target_uri │ /apps/memories/api/image/preview/1200228?c=d327f88f5a03f8a9c │
│            │ 6312fcd7b17160b&x=340&y=340&a=1                              │
│ user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0)          │
│            │ Gecko/20100101 Firefox/129.0                                 │
╰────────────┴──────────────────────────────────────────────────────────────╯

Logs

x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1197119?c=9635efa66aaa92bd0b1799adef1a4b47&x=340&y=340&a=1 HTTP/2.0" 200 19413 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1200942?c=a47092255d3d0b0a8081cda7bcf11bdc&x=340&y=340&a=1 HTTP/2.0" 200 15233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1200429?c=e863bfccd96c249a86ba6967db9eac70&x=340&y=340&a=1 HTTP/2.0" 200 23197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1197115?c=59913b9d5e61150e2a8332a0754dd0ae&x=340&y=340&a=1 HTTP/2.0" 200 23840 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1197120?c=0a713f353898a02d912d98f61a16d9ca&x=340&y=340&a=1 HTTP/2.0" 200 17552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1197130?c=68dc4753813114f7e866b915a1fdd5de&x=340&y=340&a=1 HTTP/2.0" 200 19478 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"

To Reproduce

Open Nextcloud Memories and scroll through some photos.

Notes

There may be some other API endpoints/URLs that are queried -> developer contact for Nextcloud Memories: see https://github.com/pulsejet/memories/issues/1273

florianwgnr commented 2 months ago

Another endpoint:

x.x.x.x - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/api/image/info/1235718 HTTP/2.0" 200 675 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/api/image/info/1236483 HTTP/2.0" 200 684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/api/image/info/1235719 HTTP/2.0" 200 677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/api/image/info/1236481 HTTP/2.0" 200 744 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
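The following is an added illustration, not code from the hub or from the reporter: it replays the log shape from both comments above (preview and info endpoints) through a simplified model of the http-crawl-non_statics pipeline, showing why the Memories requests count as "non-static" hits for the source IP and how a prefix whitelist covering both endpoints drops them. The static-extension list, the log lines (with a documentation IP and shortened user agent) and the threshold logic are constructed assumptions for this example, not the hub's actual parser or scenario definitions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the nginx access log in the issue
# (IP, object ids and hashes are placeholders, not values from the report).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2024:19:28:25 +0200] "GET /apps/memories/api/image/preview/1197119?c=9635efa66aaa92bd0b1799adef1a4b47&x=340&y=340&a=1 HTTP/2.0" 200 19413 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/api/image/info/1235718 HTTP/2.0" 200 675 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2024:19:27:55 +0200] "GET /apps/memories/js/memories-main.js HTTP/2.0" 200 675 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2024:19:27:56 +0200] "GET /index.php/apps/files/ HTTP/2.0" 200 675 "-" "Mozilla/5.0"
"""

# Combined-log-format fields we need: source IP, request URI and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: an illustrative subset of the extensions a parser would treat as static.
STATIC_EXT_RE = re.compile(r'\.(css|js|jpe?g|png|gif|ico|svg|woff2?|ttf|map)$', re.I)

# Path prefixes of the Memories endpoints reported in the issue; these are the
# entries the Nextcloud whitelist is missing.
MEMORIES_WHITELIST = (
    "/apps/memories/api/image/preview/",
    "/apps/memories/api/image/info/",
)

def parse_line(line):
    """Parse one access-log line into ip/path/status, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["uri"]).path  # drop the ?c=...&x=...&y=... query before matching
    return {"ip": m["ip"], "path": path, "status": int(m["status"])}

def is_static(path):
    """Static resources (by extension) never feed the crawl scenario."""
    return STATIC_EXT_RE.search(path) is not None

def is_whitelisted(path, prefixes):
    """Whitelisted paths are discarded before any scenario sees them."""
    return any(path.startswith(p) for p in prefixes)

def crawl_candidates(log_text, whitelist=()):
    """Count, per source IP, the non-static requests that would fill the crawl bucket."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_static(ev["path"]) or is_whitelisted(ev["path"], whitelist):
            continue
        counts[ev["ip"]] = counts.get(ev["ip"], 0) + 1
    return counts
```

Without the whitelist the two Memories API calls are counted against the IP alongside a genuine page view; with it only the page view remains, which is the behaviour the missing whitelist entry should restore.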