
Add Matrix/Synapse parser whitelist and description #1726

Open
pscriptos wants to merge 1 commit into crowdsecurity:master from pscriptos:matrix-whitelist

@pscriptos

Description

Add a parser whitelist for Matrix/Synapse traffic. This whitelist prevents legitimate Matrix federation, client-server API, Synapse admin/internal endpoints, and .well-known/matrix/ server discovery requests from being falsely flagged by CrowdSec scenarios such as http-probing or http-crawl-non_statics.

Whitelisted paths:

  • /_matrix/ — Federation and Client-Server API
  • /_synapse/ — Synapse Admin and internal endpoints
  • /.well-known/matrix/ — Matrix server discovery

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)

    Note: I don't have a local Python environment to run the hub linter. Relying on CI to catch any issues.

  • Automated tests are passing
  • AI was used to generate any/all content of this PR

@blotus
Member

blotus commented Mar 18, 2026

Hello,

Thanks for the PR.

Unfortunately, I think using a parser whitelist for that is a bit too broad: you are effectively ignoring every request on anything that starts with those paths.

A much better solution would be to use a postoverflow to only allow those paths for specific scenarios.

@pscriptos
Author

Thank you very much for your feedback.
I’ll look into it shortly and get back to you.
Have a good weekend.

@Nemric

Nemric commented Mar 22, 2026

Hi, I'm facing the same issue, then came here. I did follow the link about postoverflow; here is a file I'm now trying:

name: synapse-client-whitelists
description: Whitelist synapse client application for crawl non static
whitelist:
  reason: synapse-client can trigger FP
  expression:
    - evt.Overflow.Alert.Scenario == "crowdsecurity/http-crawl-non_statics" and all(evt.Overflow.Alert.Events, {.GetMeta("http_path") startsWith "/_matrix/client/"})
    - evt.Overflow.Alert.Scenario == "crowdsecurity/http-probing" and all(evt.Overflow.Alert.Events, {.GetMeta("http_path") startsWith "/_matrix/client/"})

I did add the http-probing scenario because in some rooms there are a lot of 404s 😕 that trigger the ban.
I did just restart crowdsec, so I don't yet know if it works as great as expected ^^

[edit]
After a couple of days, it looks like it works!
(the path I had this at is: ./postoverflows/s01-whitelist/synapse-client.yaml)
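
Added example, not part of the PR or of CrowdSec: a small Python model of the two whitelist scopes discussed in this thread, the parser whitelist on the three path prefixes from the PR description and the postoverflow expressions posted above. The sample alerts, their paths and the `example/other-scenario` name are constructed for illustration.

```python
# Added illustration: a Python model of the two whitelist scopes discussed in
# this thread. It is not CrowdSec code; the alerts below are constructed samples.

PARSER_PREFIXES = ("/_matrix/", "/_synapse/", "/.well-known/matrix/")  # PR description
POSTOVERFLOW_SCENARIOS = {  # scenarios named in the postoverflow file posted above
    "crowdsecurity/http-crawl-non_statics",
    "crowdsecurity/http-probing",
}
POSTOVERFLOW_PREFIX = "/_matrix/client/"


def parser_whitelisted(http_path):
    """Parser stage: a matching event is discarded before any scenario sees it."""
    return http_path.startswith(PARSER_PREFIXES)


def postoverflow_whitelisted(scenario, http_paths):
    """Postoverflow stage: scenario == X and all(events, http_path startsWith P)."""
    return scenario in POSTOVERFLOW_SCENARIOS and all(
        p.startswith(POSTOVERFLOW_PREFIX) for p in http_paths
    )


def compare(scenario, http_paths):
    """Return (events hidden by the parser whitelist, alert dropped by postoverflow)."""
    hidden = sum(parser_whitelisted(p) for p in http_paths)
    return hidden, postoverflow_whitelisted(scenario, http_paths)


# Constructed alerts: scenario plus the http_path of each event in the overflow.
SAMPLES = {
    "client sync 404s": ("crowdsecurity/http-probing",
                         ["/_matrix/client/v3/sync", "/_matrix/client/v3/rooms/x/event/y"]),
    "mixed paths": ("crowdsecurity/http-probing",
                    ["/_matrix/client/v3/sync", "/admin.php", "/.env"]),
    "other scenario": ("example/other-scenario",  # hypothetical scenario name
                       ["/_matrix/client/v3/login", "/_matrix/client/v3/login"]),
    "synapse admin": ("crowdsecurity/http-crawl-non_statics",
                      ["/_synapse/admin/v1/users", "/_synapse/admin/v1/rooms"]),
}

if __name__ == "__main__":
    for label, (scenario, paths) in SAMPLES.items():
        hidden, dropped = compare(scenario, paths)
        print(f"{label:18} parser hides {hidden}/{len(paths)} events; "
              f"postoverflow drops alert: {dropped}")
```

Only the first sample is suppressed by the postoverflow model; the parser model hides every Matrix-prefixed event in all four, whichever scenario would have fired.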
