Hello Arthur !
Your whitelist seems correct to me (didn't try it though), did it work for you?
You have a few solutions to do this:

- Add a new whitelist file (probably the best, so you avoid tainting existing parsers) in `/etc/crowdsec/config/parsers/s02-enrich/`:

  ```yaml
  name: my-custom-whitelist
  description: my custom whitelists
  whitelist:
    reason: do not ban jellyfin users
    expression:
      - "'/jellyfin' in evt.Parsed.request"
  ```

- Add a new section to your existing whitelist file (`/etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml`):

  ```yaml
  name: crowdsecurity/whitelists
  description: "Whitelist events from private ipv4 addresses"
  whitelist:
    reason: "private ipv4 ranges"
    ...
  ---
  name: my-custom-whitelist
  description: my custom whitelists
  whitelist:
    reason: do not ban jellyfin users
    expression:
      - "'/jellyfin' in evt.Parsed.request"
  ```

- Use the existing `expression` section of the existing whitelist:

  ```yaml
  name: crowdsecurity/whitelists
  description: "Whitelist events from private ipv4 addresses"
  whitelist:
    reason: "private ipv4 ranges"
    ip:
      - "127.0.0.1"
    cidr:
      - "192.168.0.0/16"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
    expression:
      - "'/jellyfin' in evt.Parsed.request"
  ```
(Please note that solutions 2 & 3 will “taint” your existing parser and it will prevent it from upgrading automatically in the future)
From what you said, `crowdsecurity/http-crawl-non_statics` seems to be quite prone to false positives, would you mind sharing some sample logs so we can improve it & reduce FP?
Thanks,
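To see what the whitelist in the reply above actually drops, here is a small added simulation (not part of the post and not CrowdSec's own code) that applies the `ip`, `cidr` and `expression` sections from the third solution to a handful of constructed events. The expression evaluator is a deliberate toy: it understands only the one shape used in the post, `'<needle>' in evt.Parsed.<field>`, whereas CrowdSec evaluates full expr expressions. The whitelist is embedded as a Python dict mirroring the YAML so the script runs without PyYAML; the sample events and IPs are constructed.

```python
import ipaddress
import re

# Constructed stand-in for the whitelist YAML from the post (the third solution),
# embedded as a dict so the script needs no YAML library. Assumption: same semantics.
WHITELIST = {
    "reason": "private ipv4 ranges",
    "ip": ["127.0.0.1"],
    "cidr": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"],
    "expression": ["'/jellyfin' in evt.Parsed.request"],
}

# Toy grammar: only "'<needle>' in evt.Parsed.<field>" is accepted.
_IN_EXPR = re.compile(r"^'(?P<needle>[^']*)' in evt\.Parsed\.(?P<field>\w+)$")


def eval_expression(expr, parsed):
    """Emulate the single expression shape used in the post (assumption: substring
    containment on a parsed field, which is what expr's `in` does on strings)."""
    m = _IN_EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression in this toy evaluator: {expr}")
    value = parsed.get(m.group("field"), "")
    return m.group("needle") in value


def whitelist_match(wl, source_ip, parsed):
    """Return the whitelist reason if the event matches any ip/cidr/expression
    entry, else None. Any single hit is enough, as with a CrowdSec whitelist."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr == ipaddress.ip_address(i) for i in wl.get("ip", [])):
        return wl["reason"]
    if any(addr in ipaddress.ip_network(c) for c in wl.get("cidr", [])):
        return wl["reason"]
    if any(eval_expression(e, parsed) for e in wl.get("expression", [])):
        return wl["reason"]
    return None


def run_samples():
    """Apply the whitelist to constructed events; returns (ip, request, reason) triples."""
    events = [
        ("203.0.113.7", {"request": "/jellyfin/Users/authenticate"}),  # public IP, jellyfin path
        ("203.0.113.7", {"request": "/wp-login.php"}),                 # public IP, not whitelisted
        ("10.2.3.4", {"request": "/wp-login.php"}),                    # private range -> whitelisted
        ("203.0.113.7", {"request": "/static/jellyfin-logo.png"}),     # substring hit outside /jellyfin/
    ]
    return [(ip, ev["request"], whitelist_match(WHITELIST, ip, ev)) for ip, ev in events]


if __name__ == "__main__":
    for ip, request, reason in run_samples():
        print(f"{ip:15} {request:35} -> {reason or 'not whitelisted'}")
```

The last sample is the point worth noticing: `in` is a substring test, so any request whose path merely contains `/jellyfin` (here an unrelated static asset) is whitelisted too, and from a public address. That is fine for the goal stated in the thread, but it is broader than "requests under /jellyfin/", and with the third solution every such event is dropped with the reason "private ipv4 ranges", which is misleading when reviewing why something was not banned; the first solution keeps its own reason ("do not ban jellyfin users"), which is one more argument for it.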