Custom whitelists do not match

[anrxc]

Describe the bug

I can't use custom excludes to reduce false positives.

To Reproduce

# Lighttpd default log format
log_format: |
  $remote_addr $host $remote_user [$time_local] "$request_method $request_uri $request_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent"

# Rules
rules:
  cache: true
  threat:
    excludes:
      - "79\\.0\\.10\\.100"
      - "^/favicon\\.ico"

But neither of them prevents this alert:

$ tail -n1000 lighttpd-access.log | teler -c ~/teler.yaml -o foobar.log
[04/Mar/2021:00:46:10 +0100] [79.0.10.100] [Directory Bruteforce] /favicon.ico

Expected behavior

A clear description of what you expected to happen: No output is expected.

Environment (please complete the following information):

• OS: GNU/Linux
• OS version: x86_64
• teler 1.1.0

[anrxc]

Sorry I made a mistake, the string "whitelists:" got on the same line as the comment above it in teler.example.yaml so obviously what I did under excludes would not work.

But I still cannot get IP to match. The favicon.ico excludes are working.

rules:
  cache: true
  threat:
    whitelists:
      - "185\\.100\\.86\\.128"
      - "^/favicon\\.ico"

[01/Mar/2021:00:37:34 +0100] [185.100.86.128] [Common Web Attack: Detects basic directory traversal] 
/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Original log line (lighttpd, log_format is in my original report):

185.100.86.128 example.org - [01/Mar/2021:00:37:34 +0100] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 301 0 "https://www.google.com/search" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"

[dwisiswant0]

Hei, @anrxc. We whitelist in their respective sections & patterns DO NOT apply as a whole. This means that if you whitelist an IP (pattern) and activate Bad IP Address detection, then the whitelist is valid - if Bad IP Address matches the given IP whitelist. But if your intention is to whitelist the IP from all types of threats - it won't!

What I get from your point is, you want to whitelisting the IPs from Common Web Attack threat, of course that doesn't apply - because it's not part of it. The workaroung is if you want to whitelist the detection of Common Web Attack threat - you must use a pattern for request URL/path, because we detected the Common Web Attack threat as coming from there.

Since this isn't explained yet - I've updated the documentation about this configuration.