Tips for scenario filtering
Hi guys,
how can i "edit" or whitelist some stuff, that would otherwise be blocked/captcha'd by "http-probing". I have a tool, that does quite some "HEAD" requests with response --> 404 on different url-paths on my subdomain. This is legitimate traffic for this subdomain. But my http-probing scenario always bans/captchas this legitimate traffic.
Ideally i would like to implement something of the following:
- whitelist "HEAD" requests, that get to my subdomain
- or: overwrite "http-probing" for "HEAD" requests, only for my subdomain
- or: overwrite "http-probing" only for 404, NOT 401, 403 only for my subdomain
- or: overwrite "http-probing" always, but only for 404, NOT 401, 403....
Kind of like this, like some filtering, that legitimates some traffic, only digging a small hole into my security and still making it possible, that my clients dont get banned for those requests.
I found out, that editing the scenarios or other standard files from crowdsec directly leads to crowdsec being "fainted"
This is why i am asking for help/expertise, since i am not an expert.
Thanks!
how can i "edit" or whitelist some stuff, that would otherwise be blocked/captcha'd by "http-probing". I have a tool, that does quite some "HEAD" requests with response --> 404 on different url-paths on my subdomain. This is legitimate traffic for this subdomain. But my http-probing scenario always bans/captchas this legitimate traffic.
Ideally i would like to implement something of the following:
- whitelist "HEAD" requests, that get to my subdomain
- or: overwrite "http-probing" for "HEAD" requests, only for my subdomain
- or: overwrite "http-probing" only for 404, NOT 401, 403 only for my subdomain
- or: overwrite "http-probing" always, but only for 404, NOT 401, 403....
Kind of like this, like some filtering, that legitimates some traffic, only digging a small hole into my security and still making it possible, that my clients dont get banned for those requests.
I found out, that editing the scenarios or other standard files from crowdsec directly leads to crowdsec being "fainted"
This is why i am asking for help/expertise, since i am not an expert.
Thanks!
