Dyndns whitelist

level=warning msg="failed to run whitelist expr : cannot get Source from Alert (1:5)\n | evt.Overflow.Alert.Source.IP in LookupHost("string-dc-njhgrpjwrm.dynamic-m.com")\n | …^" id=little-meadow name=me/FQDN-whitlists stage=s01-parse

cat /dockerfiles/crowdsec/conf/parsers/s01-parse/whitelistfqdn.yaml

name: me/FQDN-whitlists
description: "Whitelist postoverflows from FQDN"
whitelist:
  reason: "do whitelistings by FQDN"
  expression:
    - evt.Overflow.Alert.Source.IP in LookupHost("somestring-dc-njhgrpjwrm.dynamic-m.com")
    - evt.Overflow.Alert.Source.IP in LookupHost("anotherstring-ztwtkndmrm.dynamic-m.com")

What am I doing wrong here?

evt.Overflow is a part of the postoverflow stage; as per the documentation, this should be within

Linux: /etc/crowdsec/postoverflows/s01-whitelist/
Postoverflow whitelist folders do not exist by default, so you MUST manually create them.

documentation

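A quick check for the misplacement discussed in this thread, as an added example that is not part of the original posts or CrowdSec's own tooling: it scans a config root for whitelist files under parsers/ that reference evt.Overflow and prints where each would go. The function names, the demo tree and the assumption that postoverflows/ sits beside parsers/ under the same root are hypothetical.

```shell
#!/bin/sh
# Added example (not CrowdSec tooling): flag whitelist files that reference
# evt.Overflow but sit under parsers/, the situation in the post above.

# find_misplaced_overflow_whitelists CONF_DIR
# Prints "<file> -> <suggested path>" per offending file.
# Returns 1 when at least one is found, 0 otherwise.
find_misplaced_overflow_whitelists() {
    conf_dir="${1%/}"
    [ -d "$conf_dir/parsers" ] || return 0
    # -l lists matching files; the pattern skips lines commented out with '#'.
    hits=$(find "$conf_dir/parsers" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec grep -El '^[^#]*evt\.Overflow\.' {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r file; do
        # Assumption: postoverflows/ sits beside parsers/ under CONF_DIR.
        printf '%s -> %s\n' "$file" \
            "$conf_dir/postoverflows/s01-whitelist/$(basename "$file")"
    done
    return 1
}

# build_demo_tree: constructed sample config tree; prints its root path.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/parsers/s01-parse" "$root/parsers/s02-enrich"
    cat > "$root/parsers/s01-parse/whitelistfqdn.yaml" <<'EOF'
name: me/FQDN-whitlists
whitelist:
  reason: "do whitelistings by FQDN"
  expression:
    - evt.Overflow.Alert.Source.IP in LookupHost("host.example.invalid")
EOF
    cat > "$root/parsers/s02-enrich/commented.yaml" <<'EOF'
name: me/commented-out
whitelist:
  reason: "constructed file with the overflow expression disabled"
  expression:
    # - evt.Overflow.Alert.Source.IP in LookupHost("host.example.invalid")
    - evt.Meta.source_ip == "192.0.2.10"
EOF
    printf '%s\n' "$root"
}

# Usage: sh check.sh /etc/crowdsec   (or the bind-mounted conf directory)
if [ "$#" -gt 0 ]; then
    find_misplaced_overflow_whitelists "$1"
fi
```

A non-zero exit status means at least one file needs moving, so the check can gate a config deployment step.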