Add Matrix/Synapse parser whitelist and description#1726

Open
pscriptos wants to merge 2 commits into crowdsecurity:master from pscriptos:matrix-whitelist

Conversation

@pscriptos

Description

Add a parser whitelist for Matrix/Synapse traffic. This whitelist prevents legitimate Matrix federation, client-server API, Synapse admin/internal endpoints, and .well-known/matrix/ server discovery requests from being falsely flagged by CrowdSec scenarios such as http-probing or http-crawl-non_statics.

Whitelisted paths:

  • /_matrix/ — Federation and Client-Server API
  • /_synapse/ — Synapse Admin and internal endpoints
  • /.well-known/matrix/ — Matrix server discovery

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)

    Note: I don't have a local Python environment to run the hub linter. Relying on CI to catch any issues.

  • Automated tests are passing
  • AI was used to generate any/all content of this PR

@blotus
Member

blotus commented Mar 18, 2026

Hello,

Thanks for the PR.

Unfortunately, I think using a parser whitelist for that is a bit too broad: you are effectively ignoring every request on anything that starts with those paths.

A much better solution would be to use a postoverflow to only allow those paths for specific scenarios.

@pscriptos
Author

Thank you very much for your feedback.
I’ll look into it shortly and get back to you.
Have a good weekend.

@Nemric

Nemric commented Mar 22, 2026

Hi, I'm facing the same issue, then came here. I did follow the link about postoverflow; here is a file I'm now trying:

name: synapse-client-whitelists
description: Whitelist synapse client application for crawl non static
whitelist:
  reason: synapse-client can trigger FP
  expression:
    - evt.Overflow.Alert.Scenario == "crowdsecurity/http-crawl-non_statics" and all(evt.Overflow.Alert.Events, {.GetMeta("http_path") startsWith "/_matrix/client/"})
    - evt.Overflow.Alert.Scenario == "crowdsecurity/http-probing" and all(evt.Overflow.Alert.Events, {.GetMeta("http_path") startsWith "/_matrix/client/"})

I did add the http-probing scenario because in some rooms there are a lot of 404s 😕 that trigger the ban.
I did just restart crowdsec, so I don't yet know if it works as great as expected ^^

[edit]
After a couple of days, it looks like it works!
(the path I put this at is: ./postoverflows/s01-whitelist/synapse-client.yaml)

@gemarcano

The suggested postoverflow didn't work for me. Part of it is that some 404s caused by Nextcloud activity seem to be causing the bucket to overflow and then everything goes sideways.

Based on what I'm seeing, a parser whitelist may be the better option, if there are other services that may also be generating 404s... Nextcloud is notorious for being bad about 404s... even with https://app.crowdsec.net/hub/author/crowdsecurity/configurations/nextcloud-whitelist .

@Nemric

Nemric commented Mar 30, 2026

> The suggested postoverflow didn't work for me. Part of it is that some 404s caused by Nextcloud activity seem to be causing the bucket to overflow and then everything goes sideways.
>
> Based on what I'm seeing, a parser whitelist may be the better option, if there are other services that may also be generating 404s... Nextcloud is notorious for being bad about 404s... even with https://app.crowdsec.net/hub/author/crowdsecurity/configurations/nextcloud-whitelist .

This PR is the whitelist about matrix/synapse.

Copilot AI review requested due to automatic review settings March 30, 2026 11:55
Contributor

Copilot AI left a comment


Pull request overview

Adds a new enrich-stage HTTP whitelist parser intended to prevent legitimate Matrix/Synapse endpoints from being counted toward generic HTTP scanning/crawling scenarios (e.g., http-probing, http-crawl-non_statics).

Changes:

  • Introduces a Matrix/Synapse path-prefix whitelist parser (/_matrix/, /_synapse/, /.well-known/matrix/).
  • Adds documentation describing why these endpoints commonly generate benign “suspicious-looking” HTTP patterns.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Files reviewed:

  • parsers/s02-enrich/crowdsecurity/matrix-whitelist.yaml: Adds a whitelist parser matching Matrix/Synapse request paths.
  • parsers/s02-enrich/crowdsecurity/matrix-whitelist.md: Documents the rationale and covered Matrix/Synapse endpoints.


@@ -0,0 +1,9 @@
name: my/matrix-whitelist

Copilot AI Mar 30, 2026


name is set to my/matrix-whitelist, but all other parsers in parsers/s02-enrich/crowdsecurity/ use the crowdsecurity/ namespace (e.g. parsers/s02-enrich/crowdsecurity/actual-budget-whitelist.yaml:1). Using a different namespace is likely to fail hub conventions/linting and makes the parser harder to discover; rename it to crowdsecurity/matrix-whitelist (and keep it consistent with the file path).

Suggested change
name: my/matrix-whitelist
name: crowdsecurity/matrix-whitelist

@@ -0,0 +1,9 @@
name: my/matrix-whitelist
description: "Whitelist Matrix/Synapse requests from NPMplus logs"

Copilot AI Mar 30, 2026


The description says "from NPMplus logs", but the filter matches any event with evt.Meta.service == 'http' and the standard http_access-log/http_error-log log types. Either scope the filter to NPMplus-specific events (if that’s the intent) or update the description to reflect that this whitelist applies to generic HTTP logs.

Suggested change
description: "Whitelist Matrix/Synapse requests from NPMplus logs"
description: "Whitelist Matrix/Synapse HTTP requests from generic http_access-log/http_error-log entries"

Comment on lines +7 to +9
- "evt.Meta.http_path startsWith '/_matrix/'"
- "evt.Meta.http_path startsWith '/_synapse/'"
- "evt.Meta.http_path startsWith '/.well-known/matrix/'"
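Review bot: the second expression's `/_synapse/` prefix also covers the Synapse admin endpoints that the PR description itself lists under it, so once this parser marks them whitelisted, failed requests against the admin API never reach any scenario. If the false positives come from client traffic, narrow that line to the client-facing prefix (Nemric's postoverflow in this thread matches `/_matrix/client/`) or list the specific endpoints that misfire, so admin-path activity stays visible to the buckets.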

Copilot AI Mar 30, 2026


This whitelists all requests to /_matrix/ and /_synapse/ purely by path prefix. Unlike other HTTP app whitelists in this directory (which typically narrow by verb/status and specific endpoints), this creates a broad blind spot where probing/bruteforce against Synapse/Matrix endpoints would no longer contribute to remediation decisions. Consider narrowing the whitelist conditions (e.g., to specific verbs/statuses/endpoints known to FP) or moving the exception into the specific scenarios that FP (so Matrix-specific attacks can still be detected).

Suggested change
- "evt.Meta.http_path startsWith '/_matrix/'"
- "evt.Meta.http_path startsWith '/_synapse/'"
- "evt.Meta.http_path startsWith '/.well-known/matrix/'"
- "evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/.well-known/matrix/'"

Comment on lines +1 to +9
name: my/matrix-whitelist
description: "Whitelist Matrix/Synapse requests from NPMplus logs"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
reason: "Matrix federation/client traffic"
expression:
- "evt.Meta.http_path startsWith '/_matrix/'"
- "evt.Meta.http_path startsWith '/_synapse/'"
- "evt.Meta.http_path startsWith '/.well-known/matrix/'"
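Review bot: the placement, not only the prefix, is what makes this broad: a whitelist evaluated at s02-enrich sets the event's whitelisted flag before any bucket sees it, so the event is gone for every scenario, including ones that would legitimately want it. If the goal is only to keep http-probing and http-crawl-non_statics quiet on these paths, the postoverflow form blotus suggests discards just those alerts, e.g. `evt.Overflow.Alert.Scenario == "crowdsecurity/http-probing" and all(evt.Overflow.Alert.Events, {.GetMeta("http_path") startsWith "/_matrix/client/"})`, and leaves the raw events available to everything else.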

Copilot AI Mar 30, 2026


A new whitelist parser is added, but there is no corresponding .tests/matrix-whitelist/ (most existing whitelists here have dedicated tests, e.g. .tests/actual-budget-whitelist/, .tests/calibre-web-whitelist/, .tests/nextcloud-whitelist/). Add a minimal test fixture asserting that Matrix/Synapse paths are marked whitelisted and that non-Matrix paths are not.

@gemarcano

> this PR is the whitelist about matrix/synapse

Sorry, I wasn't clear enough. The combination of matrix/synapse and Nextcloud endpoints 404'ing made the postoverflow whitelist fail. Or really, if at any point any other 404 happens during that window, that would make the postoverflow whitelist fail thanks to all(), if I'm not misinterpreting that. I tried using any, but it was somehow also not quite working right... but that wouldn't be the right approach either, right?

The contents of this PR do seem to work for me, even if it allows for a lot of request URLs.
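Both blotus's point (a parser whitelist removes the event for every scenario, while a postoverflow only discards one scenario's alert) and gemarcano's (a single unrelated 404 in the same window defeats `all()`, and `any()` is not a fix either) can be checked on a toy model of the pipeline. The Python below is an added example for this thread, not CrowdSec or hub code; the bucket capacity, the event fields and all log rows are constructed, and the real http-probing scenario has its own capacity and leak speed.

```python
"""Toy model of where a CrowdSec whitelist sits in the pipeline.

Added example for this thread, not CrowdSec or hub code. It models only
what the discussion needs: events flow into an http-probing-style bucket
that counts 404s per source IP; a parse-stage whitelist (the PR's
s02-enrich parser) tags events before the bucket sees them, while a
postoverflow whitelist inspects the finished alert and decides whether to
discard it. Bucket capacity, event shape and the log rows are constructed.
"""
from dataclasses import dataclass

MATRIX_PREFIXES = ("/_matrix/", "/_synapse/", "/.well-known/matrix/")
PROBING_CAPACITY = 3  # constructed; the real scenario has its own capacity/leakspeed

# Constructed: one client, mostly Synapse client 404s plus one Nextcloud 404
# in the same window (the mix gemarcano describes).
SAMPLE_LOG = [
    ("203.0.113.10", "GET", "/_matrix/client/v3/sync", 404),
    ("203.0.113.10", "GET", "/_matrix/client/v3/rooms/!abc:example.org/messages", 404),
    ("203.0.113.10", "GET", "/_matrix/client/versions", 200),
    ("203.0.113.10", "GET", "/index.php/apps/files/missing", 404),  # Nextcloud
    ("203.0.113.10", "GET", "/_matrix/client/v3/sync", 404),
    ("203.0.113.10", "GET", "/_synapse/admin/v1/users", 404),
]

# Constructed: a run of unrelated 404s with a single Matrix request among them.
SCAN_LOG = [
    ("198.51.100.7", "GET", "/missing-1", 404),
    ("198.51.100.7", "GET", "/missing-2", 404),
    ("198.51.100.7", "GET", "/_matrix/client/versions", 404),
    ("198.51.100.7", "GET", "/missing-3", 404),
    ("198.51.100.7", "GET", "/missing-4", 404),
]


@dataclass
class Event:
    ip: str
    verb: str
    path: str
    status: int
    whitelisted: bool = False

    def get_meta(self, key):
        """Stand-in for the .GetMeta("...") call used in postoverflow expressions."""
        return {"source_ip": self.ip, "http_verb": self.verb,
                "http_path": self.path, "http_status": str(self.status)}[key]


def parser_whitelist(evt):
    """s02-enrich whitelist as in the PR: a prefix match tags the event, and a
    whitelisted event is never fed to any bucket."""
    if any(evt.path.startswith(p) for p in MATRIX_PREFIXES):
        evt.whitelisted = True
    return evt


def run_probing_bucket(events):
    """Toy http-probing: per-IP 404 counter that overflows once past capacity."""
    counters = {}
    alerts = []
    for evt in events:
        if evt.whitelisted or evt.status != 404:
            continue
        bucket = counters.setdefault(evt.ip, [])
        bucket.append(evt)
        if len(bucket) > PROBING_CAPACITY:
            alerts.append({"scenario": "crowdsecurity/http-probing",
                           "ip": evt.ip, "events": list(bucket)})
            counters[evt.ip] = []  # bucket emptied after the overflow
    return alerts


def postoverflow_whitelist(alert, quantifier=all):
    """Postoverflow whitelist in the shape Nemric posted: only for the named
    scenario, and only if the quantifier (all/any) holds over the alert's events."""
    if alert["scenario"] != "crowdsecurity/http-probing":
        return False
    return quantifier(ev.get_meta("http_path").startswith("/_matrix/client/")
                      for ev in alert["events"])


def simulate(log, mode, quantifier=all):
    """Run the log through the pipeline; mode is 'none', 'parser' or
    'postoverflow'. Returns the request paths of each surviving alert."""
    events = [Event(*row) for row in log]
    if mode == "parser":
        events = [parser_whitelist(e) for e in events]
    alerts = run_probing_bucket(events)
    if mode == "postoverflow":
        alerts = [a for a in alerts if not postoverflow_whitelist(a, quantifier)]
    return [[ev.path for ev in a["events"]] for a in alerts]


if __name__ == "__main__":
    for log_name, log in (("SAMPLE_LOG", SAMPLE_LOG), ("SCAN_LOG", SCAN_LOG)):
        print(log_name)
        print("  no whitelist      :", simulate(log, "none"))
        print("  parser whitelist  :", simulate(log, "parser"))
        print("  postoverflow all():", simulate(log, "postoverflow", all))
        print("  postoverflow any():", simulate(log, "postoverflow", any))
```

On SAMPLE_LOG the parser whitelist suppresses the alert (only the Nextcloud 404 is counted), the `all()` postoverflow keeps it because one event in the overflow is not a Matrix path, and `any()` drops it. On SCAN_LOG the same `any()` rule also drops an alert made almost entirely of unrelated 404s because one Matrix request happened to be in the window, which is why it is not the right quantifier; `all()` keeps that alert, and the parser whitelist still alerts on the remaining four 404s.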

@miguelrdev

I'm also using Synapse and getting banned due to the scenario crowdsecurity/http-probing.
