Here is a simple way to create a whitelist for trusted AS Numbers using @Crowd_Security PostOverflows
The main advantage of PostOverflow whitelists is that they are only triggered once a bucket overflows, so potentially expensive expressions are evaluated less often (once per overflow rather than once per log event). You can also install the crowdsecurity/rdns postoverflow, which enriches overflows with reverse DNS information for the offending IP address. Here is an example of the path where you will need to create the new whitelist: root@gw:/usr/local/etc/crowdsec/postoverflows/s01-whitelist
name: crowdsecurity/as-whitelist
description: Whitelist known AS Numbers
debug: true
whitelist:
  reason: Whitelisted AS Number
  expression:
    - evt.Overflow.Alert.Source.AsNumber in ['15169', '62044']
Create a new file with the above config and list just the AS numbers you would like to whitelist. Save the file with a .yaml extension and restart CrowdSec with:
sudo service crowdsec restart
You should now also see this whitelist in the GUI, for example if you are using OPNsense.
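To see why the postoverflow stage is the cheap place for this check, here is an added Python simulation (not code from the page or from CrowdSec) of a simplified bucket feeding the whitelist expression above. The bucket is a plain per-IP counter with a fixed capacity, a simplification of CrowdSec's leaky bucket, and the events and AS numbers 64496/64497 are constructed sample data; it also shows that the list entries must be strings, matching the quoted values in the YAML, because the AsNumber field is a string.

```python
"""Simulate overflow -> postoverflow whitelist for the AS whitelist above (constructed example)."""
from collections import defaultdict

# Same values as the YAML expression; they are strings because Source.AsNumber is a string.
WHITELISTED_AS = ['15169', '62044']


def is_whitelisted(overflow: dict) -> bool:
    """Python equivalent of: evt.Overflow.Alert.Source.AsNumber in ['15169', '62044']."""
    return overflow["Overflow"]["Alert"]["Source"]["AsNumber"] in WHITELISTED_AS


def run_bucket(events, capacity):
    """Feed events through a per-IP counter bucket (simplified, not a leaky bucket).

    An IP overflows the first time it exceeds `capacity` events; only then is the
    postoverflow whitelist evaluated. Returns (alerted_ips, whitelist_evaluations).
    """
    counts = defaultdict(int)
    overflowed = set()
    alerted = []
    evaluations = 0
    for ev in events:
        ip = ev["ip"]
        counts[ip] += 1
        if counts[ip] > capacity and ip not in overflowed:
            overflowed.add(ip)
            # Shape of the event the whitelist sees: evt.Overflow.Alert.Source.AsNumber
            overflow = {"Overflow": {"Alert": {"Source": {"IP": ip, "AsNumber": ev["as"]}}}}
            evaluations += 1  # the expression runs here, once per overflow
            if not is_whitelisted(overflow):
                alerted.append(ip)
    return alerted, evaluations


# Constructed sample traffic: 64496/64497 are documentation AS numbers, 15169 is in the whitelist.
SAMPLE_EVENTS = (
    [{"ip": "203.0.113.7", "as": "64496"}] * 10    # overflows, not whitelisted -> alert
    + [{"ip": "198.51.100.9", "as": "15169"}] * 10  # overflows, whitelisted -> dropped
    + [{"ip": "192.0.2.5", "as": "64497"}] * 3      # never overflows -> never evaluated
)

if __name__ == "__main__":
    alerted, evaluations = run_bucket(SAMPLE_EVENTS, capacity=5)
    print(f"{len(SAMPLE_EVENTS)} events, whitelist evaluated {evaluations} times, alerts: {alerted}")
```

With 23 events the expression is evaluated only twice, and the whitelisted Google source never produces an alert.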
