Nextcloud Photos false alerts for http-crawl-non_statics #1512

@EngTurtle

Describe the bug
The crowdsecurity/nextcloud-whitelist parser has an overly restrictive rule for Photos preview requests. It requires an etag= parameter that isn't present in all legitimate Nextcloud Photos API calls, causing false positives for crowdsecurity/http-crawl-non_statics.

To Reproduce

  1. Install Nextcloud with Photos app
  2. Browse photo library in Photos app, especially the albums section
  3. CrowdSec triggers http-crawl-non_statics alert from the high volume of legitimate preview thumbnail requests

Expected behavior
Requests to /apps/photos/api/v1/preview/[id]?x=__&y=__ should be whitelisted as legitimate Photos app behavior, not flagged as crawling.

Current whitelist rule:

   - evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Nextcloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.

Proposed fix:
Remove the evt.Parsed.http_args contains 'etag=' condition. The x= and y= parameters should be sufficient to identify Photos preview thumbnails.

Example Alert:
capacity: 40
createdat: "2025-10-07T18:52:38Z"
decisions:
    - duration: -25m41s
      id: 15752724
      origin: crowdsec
      scenario: crowdsecurity/http-crawl-non_statics
      scope: Ip
      simulated: false
      type: ban
      until: ""
      uuid: ""
      value: 1.2.3.4
events:
    - meta:
        - key: ASNNumber
          value: "7992"
        - key: ASNOrg
          value: EXAMPLE-ISP
        - key: IsInEU
          value: "false"
        - key: IsoCode
          value: US
        - key: SourceRange
          value: 1.2.3.4/24
        - key: datasource_path
          value: traefik
        - key: datasource_type
          value: docker
        - key: http_args_len
          value: "11"
        - key: http_path
          value: /apps/photos/api/v1/preview/1725?x=512&y=512
        - key: http_status
          value: "200"
        - key: http_verb
          value: GET
        - key: log_type
          value: http_access-log
        - key: service
          value: http
        - key: source_ip
          value: 203.0.113.1
        - key: target_fqdn
          value: example.com
        - key: timestamp
          value: "2025-10-07T18:52:38Z"
        - key: traefik_router_name
          value: websecure-nextcloud@docker
      timestamp: 2025-10-07 18:52:38 +0000 UTC
eventscount: 61
id: 3583
message: Ip 203.0.113.1 performed 'crowdsecurity/http-crawl-non_statics' (61 events over 39.317660795s) at 2025-10-07 18:52:38.357854914 +0000 UTC
meta:
    - key: target_uri
      value: '["/apps/photos/api/v1/preview/1725?x=512&y=512","/apps/photos/api/v1/preview/1764?x=512&y=512","/apps/photos/api/v1/preview/12398?x=512&y=512"]'
    - key: status
      value: '["200"]'
    - key: method
      value: '["GET"]'
scenario: crowdsecurity/http-crawl-non_statics
source:
    ip: 1.2.3.4
    scope: Ip
    value: 1.2.3.4
startat: "2025-10-07T18:51:59Z"
stopat: "2025-10-07T18:52:38Z"

Additional context
Nextcloud 31.0.9
Nextcloud Photos App 4.0.0
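
An added example (not part of the original issue and not CrowdSec code) that models the rule's path and `http_args` clauses as substring tests and runs them over the three `target_uri` values from the alert, next to a hypothetical stricter check that parses the query string. It assumes `http_args` is the query string without the leading `?`, which agrees with the reported `http_args_len` of 11; all function names and the etag sample are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the three target_uri values from the alert above.
ALERT_URIS = [
    "/apps/photos/api/v1/preview/1725?x=512&y=512",
    "/apps/photos/api/v1/preview/1764?x=512&y=512",
    "/apps/photos/api/v1/preview/12398?x=512&y=512",
]
# Constructed: the same request with an etag parameter placed first.
ETAG_URI = "/apps/photos/api/v1/preview/1725?etag=abc123&x=512&y=512"

PREVIEW_PATH = re.compile(r"/apps/photos/api/v1/preview/[0-9]+")
NUMBER = re.compile(r"[0-9]+")


def substring_clauses(uri):
    """Model the rule's path and http_args clauses as plain substring tests."""
    parts = urlsplit(uri)
    args = parts.query  # assumption: http_args is the query string without '?'
    return {
        "path": "/apps/photos/api/v1/preview" in parts.path,
        "&x=": "&x=" in args,
        "&y=": "&y=" in args,
        "etag=": "etag=" in args,
    }


def failing_clauses(uri, drop=()):
    """Return the clauses that reject this URI, skipping any named in drop."""
    results = substring_clauses(uri)
    return [name for name, ok in results.items() if not ok and name not in drop]


def strict_preview_match(uri):
    """Hypothetical tighter test: exact preview path plus numeric x and y."""
    parts = urlsplit(uri)
    if not PREVIEW_PATH.fullmatch(parts.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return all(
        len(params.get(key, [])) == 1 and NUMBER.fullmatch(params[key][0])
        for key in ("x", "y")
    )


if __name__ == "__main__":
    for uri in ALERT_URIS + [ETAG_URI]:
        print(uri, failing_clauses(uri), strict_preview_match(uri))
```

Under this model the alert's URIs fail the `&x=` clause as well as the `etag=` clause, because `x` is the first parameter and has no preceding `&`. Matching on parsed parameter names and an exact path keeps the whitelist narrow without depending on parameter order.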

Labels: need-more-info (Extra context/info is needed to move forward)
