feat(expand-configuration): update nethvoice whitelist for HTTP probi…

…ng and remove deprecated file

imageroot/bin/expand-configuration

@@ -164,4 +164,4 @@ if whitelists:
 ## expand the tainted configuration files
 os.makedirs("crowdsec_config/hub/parsers/s01-parse/crowdsecurity", exist_ok=True)
 shutil.copyfile("../tainted/nextcloud-logs.yaml", "crowdsec_config/hub/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml")
-shutil.copyfile("../tainted/nethvoice-whitelist.yaml", "crowdsec_config/hub/parsers/s02-enrich/crowdsecurity/nethvoice-whitelist.yaml")
+shutil.copyfile("../tainted/nethvoice-whitelist-http-probing.yaml", "crowdsec_config/parsers/s02-enrich/nethvoice-whitelist-http-probing.yaml")

imageroot/tainted/nethvoice-whitelist-http-probing.yaml

@@ -13,3 +13,5 @@ whitelist:
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/mobiles'
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/nethlink'
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/mobileapp/'
+   - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/migration'
+   - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/login' # dangerous, this field is done by a user that has not been authenticated