Skip to main content
Version: v1.4.0

Format

Whitelist configuration example#

name: crowdsecurity/my-whitelistsdescription: "Whitelist events from my ipv4 addresses"#it's a normal parser, so we can restrict its scope with filterfilter: "1 == 1"whitelist:  reason: "my ipv4 ranges"  ip:     - "127.0.0.1"  cidr:    - "192.168.0.0/16"    - "10.0.0.0/8"    - "172.16.0.0/12"  expression:  #beware, this one will work *only* if you enabled the reverse dns (crowdsecurity/rdns) enrichment postoverflow parser    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."  #this one will work *only* if you enabled the geoip (crowdsecurity/geoip-enrich) enrichment parser    - evt.Enriched.IsoCode == 'FR'

Whitelist directives#

name#

name: my_author_name/my_whitelist_name

The name is mandatory.

It must be unique (and will define the scenario's name in the hub).

description#

description: whitelist office

The description is mandatory.

It is a quick sentence describing what it detects.

filter#

filter: expression

filter must be a valid expr expression that will be evaluated against the event.

If filter evaluation returns true or is absent, node will be processed.

If filter returns false or a non-boolean, node won't be processed.

Here is the expr documentation.

Examples :

  • filter: "evt.Enriched.foo == 'test'"
  • filter: "evt.Enriched.bar == 'test' && evt.Enriched.foo == 'test2'

whitelist#

whitelist:  reason: "my ipv4 ranges"  ip:     - "127.0.0.1"  cidr:    - "192.168.0.0/16"    - "10.0.0.0/8"    - "172.16.0.0/12"  expression:  #beware, this one will work *only* if you enabled the reverse dns (crowdsecurity/rdns) enrichment postoverflow parser    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."  #this one will work *only* if you enabled the geoip (crowdsecurity/geoip-enrich) enrichment parser    - evt.Enriched.IsoCode == 'FR'

reason#

reason: whitelist for test

The reason is mandatory.

It is a quick sentence describing the reason of the whitelist.

ip#

whitelist:  ip:     - "127.0.0.1"

A valid expr expression that return a string to apply the pattern on.

cidr#

whitelist:  cidr:    - "192.168.0.0/16"    - "10.0.0.0/8"    - "172.16.0.0/12"

A valid expr expression that return a string to apply the pattern on.

expression#

whitelist:  expression:  #beware, this one will work *only* if you enabled the reverse dns (crowdsecurity/rdns) enrichment postoverflow parser    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."  #this one will work *only* if you enabled the geoip (crowdsecurity/geoip-enrich) enrichment parser    - evt.Enriched.IsoCode == 'FR'

A valid expr expression that return a string to apply the pattern on.

data#

data:  - source_url: https://URL/TO/FILE    dest_file: LOCAL_FILENAME    type: (regexp|string)

data allows user to specify an external source of data. This section is only relevant when cscli is used to install parser from hub, as it will download the source_url and store it to dest_file. When the parser is not installed from the hub, CrowdSec won't download the URL, but the file must exist for the parser to be loaded correctly.

The type is mandatory if you want to evaluate the data in the file, and should be regex for valid (re2) regular expression per line or string for string per line. The regexps will be compiled, the strings will be loaded into a list and both will be kept in memory. Without specifying a type, the file will be downloaded and stored as a file and not in memory.

name: crowdsecurity/cdn-whitelist...data:  - source_url: https://www.cloudflare.com/ips-v4    dest_file: cloudflare_ips.txt    type: string