Format

Whitelist configuration example

```yaml
name: "my/whitelist" ## Must be unique
description: "Whitelist events from my ipv4 addresses"
# This is a normal parser, so you can restrict its scope with a filter
filter: "1 == 1"
whitelist:
  reason: "my ipv4 ranges"
  ip:
    - "127.0.0.1"
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
  expression:
    # Works only if reverse DNS enrichment (crowdsecurity/rdns) is enabled
    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."
    # Works only if geoip enrichment (crowdsecurity/geoip-enrich) is enabled
    - evt.Enriched.IsoCode == 'FR'
```

Whitelist directives

name

```yaml
name: my_author_name/my_whitelist_name
```

The name is mandatory.

It must be unique (it also defines the scenario name in the hub).

description

```yaml
description: whitelist office
```

The description is mandatory.

It is a short sentence describing what it detects.

filter

```yaml
filter: expression
```

filter must be a valid expr expression that will be evaluated against the event.

If filter evaluates to true, or is absent, the node is processed.

If filter evaluates to false or a non-boolean value, the node is not processed.

Here is the expr documentation.

Examples:

  • filter: "evt.Enriched.foo == 'test'"
  • filter: "evt.Enriched.bar == 'test' && evt.Enriched.foo == 'test2'"

whitelist

```yaml
whitelist:
  reason: "my ipv4 ranges"
  ip:
    - "127.0.0.1"
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
  expression:
    # Works only if reverse DNS enrichment (crowdsecurity/rdns) is enabled
    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."
    # Works only if geoip enrichment (crowdsecurity/geoip-enrich) is enabled
    - evt.Enriched.IsoCode == 'FR'
```

reason

```yaml
reason: whitelist for test
```

The reason is mandatory.

It is a short sentence describing the reason for the whitelist.

ip

```yaml
whitelist:
  ip:
    - "127.0.0.1"
```

List of IP addresses to whitelist.

cidr

```yaml
whitelist:
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
```

List of CIDR ranges to whitelist.

expression

```yaml
whitelist:
  expression:
    # Works only if reverse DNS enrichment (crowdsecurity/rdns) is enabled
    - evt.Enriched.reverse_dns endsWith ".mycoolorg.com."
    # Works only if geoip enrichment (crowdsecurity/geoip-enrich) is enabled
    - evt.Enriched.IsoCode == 'FR'
```

List of expr expressions. If any expression evaluates to true, the event is whitelisted.
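To show how the `ip`, `cidr` and `expression` directives combine, here is an added example (not CrowdSec's own code) that evaluates the whitelist above against sample events. The expr expressions are replaced by Python callables since no expr evaluator is embedded, and the event's source address is assumed to sit at `evt["Meta"]["source_ip"]`; both are assumptions of this example.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the page's whitelist YAML. expr expressions are replaced
# by Python callables because this example embeds no expr evaluator (an assumption
# of this example, not how CrowdSec evaluates them).
WHITELIST = {
    "name": "my/whitelist",
    "filter": lambda evt: True,  # the page's `filter: "1 == 1"`
    "reason": "my ipv4 ranges",
    "ip": ["127.0.0.1"],
    "cidr": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"],
    "expression": [
        # evt.Enriched.reverse_dns endsWith ".mycoolorg.com."
        lambda evt: evt.get("Enriched", {}).get("reverse_dns", "").endswith(".mycoolorg.com."),
        # evt.Enriched.IsoCode == 'FR'
        lambda evt: evt.get("Enriched", {}).get("IsoCode") == "FR",
    ],
}


def compile_whitelist(wl: dict) -> dict:
    """Parse ip/cidr entries once at load time; a malformed entry raises ValueError
    so a broken whitelist is rejected instead of silently matching nothing."""
    return {
        "filter": wl.get("filter", lambda evt: True),
        "reason": wl["reason"],
        "ips": {ipaddress.ip_address(a) for a in wl.get("ip", [])},
        "cidrs": [ipaddress.ip_network(c, strict=False) for c in wl.get("cidr", [])],
        "expressions": list(wl.get("expression", [])),
    }


def whitelisted(evt: dict, compiled: dict) -> Optional[str]:
    """Return the whitelist reason when the event matches, else None.
    Assumption: the source address lives at evt["Meta"]["source_ip"]."""
    if not compiled["filter"](evt):  # filter false: the node is not processed at all
        return None
    try:
        addr = ipaddress.ip_address(evt.get("Meta", {}).get("source_ip", ""))
    except ValueError:
        addr = None  # a missing or malformed address can never match ip/cidr
    if addr is not None:
        if addr in compiled["ips"] or any(addr in net for net in compiled["cidrs"]):
            return compiled["reason"]
    # Expressions are ORed: any single true expression whitelists the event.
    if any(expr(evt) for expr in compiled["expressions"]):
        return compiled["reason"]
    return None
```

Note that 172.32.0.1 falls outside 172.16.0.0/12 (which ends at 172.31.255.255), a common off-by-one when people write private ranges by hand.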

data

```yaml
data:
  - source_url: https://URL/TO/FILE
    dest_file: LOCAL_FILENAME
    type: (regexp|string)
```

data lets you specify an external data source. This section is only relevant when cscli is used to install a parser from the hub, as it will download the source_url and store it to dest_file. When the parser is not installed from the hub, CrowdSec won't download the URL, but the file must already exist for the parser to be loaded correctly.

The type is mandatory if you want to evaluate the data in the file, and should be regexp for one valid (re2) regular expression per line or string for one string per line. The regexps will be compiled, the strings will be loaded into a list, and both will be kept in memory. Without a type, the file will be downloaded and stored on disk as a file, not loaded into memory.

```yaml
name: crowdsecurity/cdn-whitelist
...
data:
  - source_url: https://www.cloudflare.com/ips-v4
    dest_file: cloudflare_ips.txt
    type: string
```