Banned after a normal Nextcloud request #4491

Description

@Ophrys78

What happened?

The client IP gets banned with the following reason: crowdsecurity/http-crawl-non_statics
The client action (creation of a folder within Nextcloud) does not succeed (the ban happens before it).

What did you expect to happen?

No ban.

How can we reproduce it (as minimally and precisely as possible)?

Create a folder in the files tab in Nextcloud (root level, but I tested it only with that configuration), with Safari 26.5.
Does not happen with Firefox on Linux, for example.

Anything else we need to know?

It happens when I use Safari 26.5 (Mac OS 15.7.7) with Nextcloud 33.0.3 on the server side.

Crowdsec version

$ 1.4.6-10+b4

OS version

# cat /etc/debian_version 
13.5
# uname -a
Linux cersei 6.12.90+deb13.1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.90-2 (2026-05-27) x86_64 GNU/Linux

Enabled collections and parsers

# cscli hub list -o raw
crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios ,collections
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,1.9,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/mariadb,enabled,0.1,mariadb support : logs and brute-force scenarios,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/wordpress,enabled,0.4,wordpress: Bruteforce protection and config probing,collections
crowdsecurity/apache2-logs,enabled,1.3,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.1,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/mariadb-logs,enabled,0.4,Parse MariaDB logs,parsers
crowdsecurity/nginx-logs,enabled,1.3,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.0,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
whitelists-perso.yaml,"enabled,local",n/a,,parsers
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.4,detect wordpress bruteforce,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.1,detect wordpress probing : authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.1,detect wordpress probing : variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/mariadb-bf,enabled,0.1,Detect mariadb bruteforce,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios

Acquisition config

# On Linux:
# cat /etc/crowdsec/acquis.yaml 
filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
 - /var/log/auth.log
 - /var/log/syslog
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
 - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2

# cat /etc/crowdsec/acquis.d/*
fish: No matches for wildcard '/etc/crowdsec/acquis.d/*'. See `help wildcards-globbing`.
cat /etc/crowdsec/acquis.d/*
    ^~~~~~~~~~~~~~~~~~~~~~~^

Config show

# cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /var/lib/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
  - Hub Folder              : /var/lib/crowdsec/hub
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs: 
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000e

Prometheus metrics

# cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                     Source                      │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/apache2/access.log                │ 150        │ 150          │ -              │ 1                      │
│ file:/var/log/apache2/colanode-ssl-access.log   │ 11         │ 11           │ -              │ 1                      │
│ file:/var/log/apache2/colanode-ssl-error.log    │ 2          │ 2            │ -              │ -                      │
│ file:/var/log/apache2/deluge-access.log         │ 2.13k      │ 2.13k        │ -              │ 7                      │
│ file:/var/log/apache2/dh-ssl-access.log         │ 442        │ 442          │ -              │ -                      │
│ file:/var/log/apache2/dh-ssl-error.log          │ 36         │ 36           │ -              │ -                      │
│ file:/var/log/apache2/dolibarr-bzh-access.log   │ 6          │ 6            │ -              │ 4                      │
│ file:/var/log/apache2/dolibarr-fr-access.log    │ 50         │ 50           │ -              │ 17                     │
│ file:/var/log/apache2/dolibarr-fr-error.log     │ 28         │ 28           │ -              │ -                      │
│ file:/var/log/apache2/error.log                 │ 101        │ -            │ 101            │ -                      │
│ file:/var/log/apache2/immich-access.log         │ 153        │ 153          │ -              │ 17                     │
│ file:/var/log/apache2/n8n-ssl-access.log        │ 218        │ 218          │ -              │ -                      │
│ file:/var/log/apache2/n8n-ssl-error.log         │ 26         │ 26           │ -              │ -                      │
│ file:/var/log/apache2/nextcloud-access.log      │ 2.44k      │ 2.44k        │ 1              │ 579                    │
│ file:/var/log/apache2/paperless-access.log      │ 13         │ 13           │ -              │ 3                      │
│ file:/var/log/apache2/signaling-access.log      │ 1          │ 1            │ -              │ 1                      │
│ file:/var/log/apache2/teslamate-access.log      │ 1          │ 1            │ -              │ -                      │
│ file:/var/log/apache2/todo-access.log           │ 3          │ 3            │ -              │ 3                      │
│ file:/var/log/apache2/www-bzh-access.log        │ 4          │ 3            │ 1              │ 2                      │
│ file:/var/log/apache2/www-fr-access.log         │ 17         │ 17           │ -              │ 12                     │
│ file:/var/log/apache2/www-fr-error.log          │ 1          │ -            │ 1              │ -                      │
│ journalctl:journalctl-_SYSTEMD_UNIT=ssh.service │ 3          │ -            │ 3              │ -                      │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│                Bucket                │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-bf-wordpress_bf   │ -             │ -         │ 4            │ 4      │ 4       │
│ crowdsecurity/http-crawl-non_statics │ -             │ 8         │ 107          │ 638    │ 99      │
│ crowdsecurity/http-probing           │ -             │ -         │ 3            │ 5      │ 3       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭──────────────────────────────────┬────────┬────────┬──────────╮
│             Parsers              │  Hits  │ Parsed │ Unparsed │
├──────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/apache2-logs │ 6.03k  │ 5.73k  │ 300      │
│ child-crowdsecurity/http-logs    │ 17.18k │ 12.54k │ 4.64k    │
│ child-crowdsecurity/syslog-logs  │ 3      │ 3      │ -        │
│ crowdsecurity/apache2-logs       │ 5.83k  │ 5.73k  │ 104      │
│ crowdsecurity/dateparse-enrich   │ 5.73k  │ 5.73k  │ -        │
│ crowdsecurity/geoip-enrich       │ 5.72k  │ 5.72k  │ -        │
│ crowdsecurity/http-logs          │ 5.73k  │ 5.48k  │ 251      │
│ crowdsecurity/non-syslog         │ 5.83k  │ 5.83k  │ -        │
│ crowdsecurity/syslog-logs        │ 3      │ 3      │ -        │
│ crowdsecurity/whitelists         │ 5.73k  │ 5.73k  │ -        │
│ my/whitelists-perso              │ 5.73k  │ 5.73k  │ -        │
╰──────────────────────────────────┴────────┴────────┴──────────╯

Local Api Metrics:
╭──────────────────────┬────────┬──────╮
│        Route         │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 2    │
│ /v1/alerts           │ POST   │ 3    │
│ /v1/decisions/stream │ GET    │ 215  │
│ /v1/heartbeat        │ GET    │ 36   │
│ /v1/watchers/login   │ POST   │ 4    │
╰──────────────────────┴────────┴──────╯

Local Api Machines Metrics:
╭──────────────────────────────────┬───────────────┬────────┬──────╮
│             Machine              │     Route     │ Method │ Hits │
├──────────────────────────────────┼───────────────┼────────┼──────┤
│ 70d30c8dfd1a493fab1058e30eab4596 │ /v1/alerts    │ GET    │ 2    │
│ 70d30c8dfd1a493fab1058e30eab4596 │ /v1/alerts    │ POST   │ 3    │
│ 70d30c8dfd1a493fab1058e30eab4596 │ /v1/heartbeat │ GET    │ 36   │
╰──────────────────────────────────┴───────────────┴────────┴──────╯

Local Api Bouncers Metrics:
╭──────────────────────────────────────────────────┬──────────────────────┬────────┬──────╮
│                     Bouncer                      │        Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼──────────────────────┼────────┼──────┤
│ FirewallBouncer-YqUnvY0yyglYRfW8F1hXwgTXcZAV5WlQ │ /v1/decisions/stream │ GET    │ 215  │
╰──────────────────────────────────────────────────┴──────────────────────┴────────┴──────╯

Local Api Decisions:
╭──────────────────────────────────────┬──────────┬────────┬───────╮
│                Reason                │  Origin  │ Action │ Count │
├──────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/http-sensitive-files   │ crowdsec │ ban    │ 2     │
│ crowdsecurity/http-bad-user-agent    │ crowdsec │ ban    │ 2     │
│ firehol_cruzit_web_attacks           │ lists    │ ban    │ 13231 │
│ firehol_cybercrime                   │ lists    │ ban    │ 330   │
│ free_proxies                         │ lists    │ ban    │ 11224 │
│ http:bruteforce                      │ CAPI     │ ban    │ 1188  │
│ http:crawl                           │ CAPI     │ ban    │ 24    │
│ http:exploit                         │ CAPI     │ ban    │ 225   │
│ http:scan                            │ CAPI     │ ban    │ 27921 │
│ crowdsecurity/http-bf-wordpress_bf   │ crowdsec │ ban    │ 2     │
│ crowdsecurity/http-crawl-non_statics │ crowdsec │ ban    │ 4     │
│ crowdsecurity/http-probing           │ crowdsec │ ban    │ 4     │
╰──────────────────────────────────────┴──────────┴────────┴───────╯

Local Api Alerts:
╭───────────────────────────────────────────┬───────╮
│                  Reason                   │ Count │
├───────────────────────────────────────────┼───────┤
│ crowdsecurity/http-open-proxy             │ 9     │
│ crowdsecurity/http-wordpress_user-enum    │ 1     │
│ crowdsecurity/thinkphp-cve-2018-20062     │ 5     │
│ crowdsecurity/http-path-traversal-probing │ 2     │
│ crowdsecurity/http-probing                │ 146   │
│ LePresidente/http-generic-403-bf          │ 4     │
│ crowdsecurity/CVE-2022-41082              │ 3     │
│ crowdsecurity/http-bf-wordpress_bf        │ 39    │
│ crowdsecurity/http-crawl-non_statics      │ 25    │
│ crowdsecurity/http-cve-2021-42013         │ 14    │
│ crowdsecurity/http-cve-2021-41773         │ 32    │
│ crowdsecurity/http-sensitive-files        │ 53    │
│ crowdsecurity/http-wordpress_wpconfig     │ 2     │
│ ltsich/http-w00tw00t                      │ 1     │
│ crowdsecurity/fortinet-cve-2018-13379     │ 2     │
│ crowdsecurity/http-backdoors-attempts     │ 9     │
│ crowdsecurity/http-bad-user-agent         │ 96    │

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
