level=warning msg=“failed to run whitelist expr : cannot get Source from Alert (1:5)\n | evt.Overflow.Alert.Source.IP in LookupHost("string-dc-njhgrpjwrm.dynamic-m.com")\n | …^” id=little-meadow name=me/FQDN-whitlists stage=s01-parse
cat /dockerfiles/crowdsec/conf/parsers/s01-parse/whitelistfqdn.yaml
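# Whitelists alerts whose source IP is among the addresses that the listed
# hostnames resolve to.
#
# NOTE(review): every expression reads evt.Overflow, which only carries an
# alert once a scenario has overflowed. When this file is loaded from
# parsers/s01-parse/ the event is still a parsed log line, so evaluation fails
# with "cannot get Source from Alert". The description already says
# "postoverflows"; the file most likely belongs under
# postoverflows/s01-whitelist/ instead -- confirm against your CrowdSec layout.
name: me/FQDN-whitlists
description: "Whitelist postoverflows from FQDN"
whitelist:
  # reason and expression must be nested under whitelist; at the same indent
  # as whitelist they become unrelated top-level keys.
  reason: "do whitelistings by FQDN"
  # LookupHost() performs a DNS lookup, so whoever controls these records
  # controls which source IPs are exempt from remediation. List only names
  # you own and whose DNS you trust.
  expression:
    - evt.Overflow.Alert.Source.IP in LookupHost("somestring-dc-njhgrpjwrm.dynamic-m.com")
    - evt.Overflow.Alert.Source.IP in LookupHost("anotherstring-ztwtkndmrm.dynamic-m.com")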
What am I doing wrong here?