Hi
Basically, I have this to whitelist some ASNs of my country:
```yaml
name: xxx/ASN-whitelist
description: "Whitelist Trusted Belgian ASNs"
#debug: true
whitelist:
  reason: "xxx Whitelisted Belgian ASN"
  expression:
    - evt.Meta.ASNumber in ['6848', '5432', '12392']
    - evt.Enriched.ASNumber in ['6848', '5432', '12392']
```
But this is too much for me, as I mostly only have false-positive issues on my legit users with the http-crawl-non_statics scenario, and sometimes probing.
So I don't want to apply this ASN whitelist to all scenarios.
What I would like to do instead is a test like this in the whitelist expression:
```
SCENARIO in ['crowdsecurity/http-crawl-non_statics','crowdsecurity/http-probing']
AND
evt.Enriched.ASNumber in ['6848', '5432', '12392']
```
I would prefer not to taint my scenario files, and so to do this in my custom s01-parse/whitelist file only.
Is it possible?
Txs