I must disable one of the CIDRs (10/8) from parsers/s02-enrich/whitelists.yaml because I do want them to be reported and acted upon. They can be a source of spread in a huge internal network upon a possible attack.
My question is:
How can I disable CSAPI upload, to not pollute it?
a. completely?
b. selectively only for those in 10/8
As I plan to get updates from CSAPI, removing online_client: from config.yaml is rather not an option.
It is not possible to not share signals with the CrowdSec Central API and get the community-blocklist for it.
It is OK for us to send signals about those private IPs; you should not worry about polluting us.
One more question around this: the documentation at Introduction | CrowdSec states "This information is only going to be pushed when a scenario is coming from the hub and is unmodified. Custom scenarios, tainted scenarios and manual decisions are not pushed".
I did modify
/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
which came from the hub; judging from the logs, signals are being pushed to CSAPI.
What does “this information” mean in the documentation in the sentence I quoted? What is or is not being pushed based on the scenario being/not being modified?