crowdsecurity · Jgigantino31 · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025
diff --git a/.tests/overseerr-whitelist/config.yaml b/.tests/overseerr-whitelist/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/nginx-logs
+- ./parsers/s02-enrich/crowdsecurity/overseerr-whitelist.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: overseerr-logs.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/overseerr-whitelist/overseerr-logs.log b/.tests/overseerr-whitelist/overseerr-logs.log
@@ -0,0 +1,5 @@
+2001:db8:1:2:3:4:5:6 - - [25/Jul/2025:10:25:21 -0400] "GET /api/v1/request/440 HTTP/3.0" 304 0 "" ""
+2001:db8:1:2:3:4:5:6 - - [25/Jul/2025:10:25:21 -0400] "GET /api/v1/request/439 HTTP/3.0" 304 0 "" ""
+2001:db8:1:2:3:4:5:6 - - [25/Jul/2025:10:25:21 -0400] "GET /api/v1/request/438 HTTP/3.0" 200 3226 "" ""
+2001:db8:1:2:3:4:5:6 - - [25/Jul/2025:10:25:21 -0400] "GET /api/v1/request/437 HTTP/3.0" 304 0 "" ""
+2001:db8:1:2:3:4:5:6 - - [25/Jul/2025:10:25:21 -0400] "GET /api/v1/request/436 HTTP/3.0" 200 3226 "" ""
diff --git a/.tests/overseerr-whitelist/parser.assert b/.tests/overseerr-whitelist/parser.assert
diff --git a/.tests/overseerr-whitelist/scenario.assert b/.tests/overseerr-whitelist/scenario.assert
@@ -0,0 +1 @@
+
diff --git a/collections/LePresidente/overseerr.yml b/collections/LePresidente/overseerr.yml
@@ -1,10 +1,11 @@
 parsers:
   - LePresidente/overseerr-logs
+  - crowdsecurity/overseerr-whitelist
 scenarios:
   - LePresidente/overseerr-bf
 description: "overseerr Support : parser and brute-force detection"
 author: LePresidente
 tags:
   - linux
   - brute-force
-  - overseerr
+  - overseerr
diff --git a/parsers/s01-parse/LePresidente/overseerr-logs.yaml b/parsers/s01-parse/LePresidente/overseerr-logs.yaml
@@ -30,6 +30,7 @@ nodes:
       statics:
         - meta: log_type
           value: overseerr_failed_auth
+
 statics:
     - meta: service
       value: overseerr
@@ -38,4 +39,4 @@ statics:
     - meta: user
       expression: "evt.Parsed.username"
     - target: evt.StrTime
-      expression: evt.Parsed.timestamp
+      expression: evt.Parsed.timestamp
diff --git a/parsers/s02-enrich/crowdsecurity/overseerr-whitelist.md b/parsers/s02-enrich/crowdsecurity/overseerr-whitelist.md
@@ -0,0 +1,4 @@
+## Overseerr Whitelist
+
+### Browsing Movies, Series or Requests
+When scrolling fast while using Overseerr on the Movies, Series or Requests pages, many GET requests are made to ``/api/v1/(movie|tv|request)``. The http-crawl-non_statics scenario will be triggered if too many requests to the API are made too quickly unless this whitelist is used.
diff --git a/parsers/s02-enrich/crowdsecurity/overseerr-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/overseerr-whitelist.yaml
@@ -0,0 +1,7 @@
+name: crowdsecurity/overseerr-whitelist
+description: "Whitelist events from overseerr"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+  reason: "Overseerr whitelist"
+  expression:
+   - evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '^\\/api\\/v1\\/(movie|tv|request)\\/(\\d+)$' # When browsing Movies, Series or Requests
diff --git a/scenarios/LePresidente/overseerr-bf.yaml b/scenarios/LePresidente/overseerr-bf.yaml
@@ -5,7 +5,7 @@ filter: "evt.Meta.log_type == 'overseerr_failed_auth'"
 #debug: true
 type: leaky
 groupby: evt.Meta.source_ip
-leakspeed: "20s"
+leakspeed: 20s
 capacity: 5
 blackhole: 1m
 labels:
@@ -25,7 +25,7 @@ description: "Detect overseerr user enum bruteforce"
 filter: "evt.Meta.log_type == 'overseerr_failed_auth'"
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.user
-leakspeed: 10s
+leakspeed: 1m
 capacity: 5
 blackhole: 1m
 labels: