Hi
Basically I have this to whitelist some ASNs of my country:
name: xxx/ASN-whitelist
description: "Whitelist Trusted Belgian ASNs"
#debug: true
whitelist:
  reason: "xxx Whitelisted Belgian ASN"
  expression:
    - evt.Meta.ASNumber in ['6848', '5432', '12392']
    - evt.Enriched.ASNumber in ['6848', '5432', '12392']
But this is too much for me.
As I mostly only have false positive issues on my legit users with the http-crawl-non_statics scenario, and sometimes probing, I don't want to apply this ASN whitelist to all scenarios.
What I would like to do instead is a test like this in the whitelist expression:
SCENARIO in ['crowdsecurity/http-crawl-non_statics','crowdsecurity/http-probing']
AND
evt.Enriched.ASNumber in ['6848', '5432', '12392']
I would prefer not to taint my scenario files and so to do this in my custom s01-parse/whitelist file only.
Is it possible?
Thanks
I'm seeing http-probing and non_statics with legit users browsing Nextcloud (especially for image previews and avatars), so I added my custom application-related whitelist like this:
cat ./crowdsec/_my-nextcloud-whitelist.yml
name: _my/nextcloud-whitelist
description: "Whitelist more events from Nextcloud"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "my Nextcloud Whitelist"
  expression:
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/login/v2/poll' # device login
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path == '/push/ws' # notify_push not running
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/remote.php/dav/addressbooks/users/' && evt.Parsed.http_args contains 'photo' # addressbook
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'HEAD' && evt.Meta.http_path contains '/remote.php/dav/files/' # HEAD while instant upload
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/contacts/css/contacts-index.css' && evt.Parsed.http_args contains 'v'
    # 'contains' is a literal substring test in expr, so the (chat|room) alternation needs the regex operator 'matches'
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'HEAD' && evt.Meta.http_path matches '/ocs/v2\\.php/apps/spreed/api/v1/(chat|room)' # Talk chats
This allows you to ignore only the specific events that are valid in your specific application and still block scanning bots.
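To make the difference between the two approaches in this thread concrete, here is an added example (not code from the thread or from CrowdSec) that re-implements both whitelists in plain Python and runs them over a handful of constructed events. It is not CrowdSec's expr engine; the `Event` class, the sample events and the foreign ASN `3320` are assumptions made for the illustration, while the ASN list and the Nextcloud rules are taken from the two posts above. The point it shows is that the unscoped ASN whitelist also suppresses a scanner that happens to sit in a trusted ASN, whereas the scoped application whitelist only drops the known-benign Nextcloud 404s.

```python
import re
from dataclasses import dataclass

# Constructed event shape, loosely modelled on the fields the thread's
# expressions read (evt.Enriched.ASNumber, evt.Meta.http_*, evt.Parsed.http_args).
@dataclass(frozen=True)
class Event:
    label: str           # human-readable name for the sample, not a CrowdSec field
    asn: str             # evt.Enriched.ASNumber (kept as a string, as in the thread)
    http_status: str     # evt.Meta.http_status
    http_verb: str       # evt.Meta.http_verb
    http_path: str       # evt.Meta.http_path
    http_args: str = ""  # evt.Parsed.http_args

# ASN list copied from the question's whitelist.
TRUSTED_ASNS = frozenset({"6848", "5432", "12392"})


def asn_whitelist(evt: Event) -> bool:
    """Unscoped whitelist: any event from a trusted ASN is dropped, whatever it does."""
    return evt.asn in TRUSTED_ASNS


# Each rule is (verb, path test, args test), mirroring the reply's Nextcloud
# whitelist. 'contains' becomes a substring test; the Talk rule is a regex.
NEXTCLOUD_RULES = [
    ("POST", lambda p: p == "/login/v2/poll", lambda a: True),
    ("GET", lambda p: p == "/push/ws", lambda a: True),
    ("GET", lambda p: "/remote.php/dav/addressbooks/users/" in p, lambda a: "photo" in a),
    ("HEAD", lambda p: "/remote.php/dav/files/" in p, lambda a: True),
    ("GET", lambda p: "/contacts/css/contacts-index.css" in p, lambda a: "v" in a),
    ("HEAD", lambda p: re.search(r"/ocs/v2\.php/apps/spreed/api/v1/(chat|room)", p) is not None,
     lambda a: True),
]


def nextcloud_whitelist(evt: Event) -> bool:
    """Scoped whitelist: only known-benign Nextcloud 404s are dropped."""
    if evt.http_status != "404":
        return False
    return any(
        verb == evt.http_verb and path_ok(evt.http_path) and args_ok(evt.http_args)
        for verb, path_ok, args_ok in NEXTCLOUD_RULES
    )


# Constructed sample events: three legitimate Nextcloud clients and two scanners.
SAMPLE_EVENTS = [
    Event("nc-device-login", "6848", "404", "POST", "/login/v2/poll"),
    Event("nc-push-foreign-asn", "3320", "404", "GET", "/push/ws"),
    Event("nc-talk-head", "5432", "404", "HEAD", "/ocs/v2.php/apps/spreed/api/v1/room/abc"),
    Event("scanner-trusted-asn", "6848", "404", "GET", "/wp-login.php"),
    Event("scanner-foreign-asn", "3320", "404", "GET", "/.env"),
]


def compare(events=SAMPLE_EVENTS) -> dict:
    """Return, per sample, whether each policy would whitelist (suppress) it."""
    return {
        e.label: {"asn": asn_whitelist(e), "nextcloud": nextcloud_whitelist(e)}
        for e in events
    }


if __name__ == "__main__":
    for label, verdict in compare().items():
        print(f"{label:22} asn-whitelist={verdict['asn']!s:5} "
              f"nextcloud-whitelist={verdict['nextcloud']}")
```

Running it prints one line per sample; the `scanner-trusted-asn` row is the case the question is worried about: the ASN-only whitelist lets it through, the application-scoped whitelist does not, and the legitimate Nextcloud client on a foreign ASN is still handled by the scoped rules.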