"not in" on scenarios filter

itdoginfo · November 16, 2022, 10:19am

I create scenarios with filter

 filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.request in ['/path1', '/path2'] && evt.Parsed.http_user_agent not in ['Firefox', 'Chrome']"

I want this to apply only to those who do not meet agents Chrome and Firefox. Global whitelist in parsers/s02-enrich not suitable, must be implemented at the scenario level.

The exception doesn’t work. I tried ['*Firefox*', '*Chrome*'], it didn’t work either.
Are there other ways or am I using it wrong?

Thanks

thibault · November 16, 2022, 1:36pm

Hello !

This should be “true” if http_user_agent is exactly ‘Firefox’ or ‘Chrome’.
Do you want the condition to be true if http_user_agent contains ‘Firefox’ or ‘Chrome’ ?

itdoginfo · November 16, 2022, 1:51pm

Hello!
No, I want to have ‘true’ if it does not contain ‘Firefox’ or ‘Chrome’

Topic		Replies	Views
Whitelist User Agent crowdsec	9	1625	February 28, 2022
Whitelist user agent and regex expression crowdsec	7	901	November 18, 2021
How to add a new user-agent to blocking? crowdsec	3	822	November 15, 2022
Ban after number of attemps crowdsec	12	792	March 11, 2022
False bans from normal Jira usage crowdsec	8	782	February 1, 2022

"not in" on scenarios filter

Related topics