secubox-openwrt/package/secubox/secubox-app-crowdsec-custom/files/parsers/s02-enrich/secubox-whitelist.yaml

# CrowdSec whitelist for SecuBox trusted networks
# Prevents banning of internal/trusted IPs and known crawlers

name: secubox/whitelists
description: "SecuBox whitelist for trusted IPs and services"
whitelist:
  reason: "Trusted services and networks"
  expression:
    # Local networks (RFC1918)
    - evt.Meta.source_ip startsWith "192.168."
    - evt.Meta.source_ip startsWith "10."
    - evt.Meta.source_ip startsWith "172.16."
    - evt.Meta.source_ip startsWith "172.17."
    - evt.Meta.source_ip startsWith "172.18."
    - evt.Meta.source_ip startsWith "127."

    # Facebook/Meta infrastructure
    - evt.Meta.source_ip startsWith "69.171."
    - evt.Meta.source_ip startsWith "173.252."
    - evt.Meta.source_ip startsWith "31.13."
    - evt.Meta.source_ip startsWith "157.240."
    - evt.Meta.source_ip startsWith "179.60."
    - evt.Meta.source_ip startsWith "185.60."
    - evt.Meta.source_ip startsWith "204.15.20."

    # Ahrefs SEO crawler
    - evt.Meta.source_ip startsWith "54.39.210."
    - evt.Meta.source_ip startsWith "167.114.139."
    - evt.Meta.source_ip startsWith "54.36."
    - evt.Meta.source_ip startsWith "195.154."

    # Local IPv6
    - evt.Meta.source_ip startsWith "fe80:"
    - evt.Meta.source_ip startsWith "::1"
    - evt.Meta.source_ip startsWith "2a01:e0a:dec:c4e0"