Dyndns whitelist

ohv · February 22, 2025, 3:17am

level=warning msg=“failed to run whitelist expr : cannot get Source from Alert (1:5)\n | evt.Overflow.Alert.Source.IP in LookupHost("string-dc-njhgrpjwrm.dynamic-m.com")\n | …^” id=little-meadow name=me/FQDN-whitlists stage=s01-parse

cat /dockerfiles/crowdsec/conf/parsers/s01-parse/whitelistfqdn.yaml

name: me/FQDN-whitlists
description: "Whitelist postoverflows from FQDN"
whitelist:
  reason: "do whitelistings by FQDN"
  expression:
    - evt.Overflow.Alert.Source.IP in LookupHost("somestring-dc-njhgrpjwrm.dynamic-m.com")
    - evt.Overflow.Alert.Source.IP in LookupHost("anotherstring-ztwtkndmrm.dynamic-m.com")

what am I doing wrong here?

iiAmLoz · February 24, 2025, 9:52am

evt.Overflow is apart of the postoverflow stage as per documentation this should be within

Linux: /etc/crowdsec/postoverflows/s01-whitelist/
Postoverflow whitelist folders do not exist by default so you MUST manually create them

documentation

Topic		Replies	Views
Can't make postoverflow whitelist to work crowdsec	7	2258	June 22, 2022
PostOverflow whitelist using forward DNS crowdsec	2	1021	December 7, 2022
File() helper not working crowdsec	7	937	October 28, 2021
Whitelist by ASNNumber crowdsec	3	1138	February 21, 2024
PostOverflow whitelists ONLY for specific scenarios crowdsec	1	22	May 26, 2025

Dyndns whitelist

Related topics