cscli parsers install crowdsecurity/rocketchat-whitelistRocketChat loads avatars as /avatar/<username> or /avatar/room/<room_uuid>, since the URL's does not end in a static extension such as .jpg it can trigger http-crawl-non_statics
1name: crowdsecurity/rocketchat-whitelist2description: "Whitelist events from rocketchat"3filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"4whitelist:5 reason: "RocketChat Whitelist"6 expression:7 - evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/avatar/'