File() helper not working

I’m trying to create a whitelist.
It’s working when created as reverse DNS.
But I have a file with an IP address as content.
The expression used in ‘/etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml’ was:
- evt.Parsed.remote_addr in File("/path/to/file.list")

I’m receiving the error message in logs:
time="22-10-2021 22:34:22" level=error msg="file '/path/to/file.list' (type:string) not found in expr library"

Where am I going wrong?!
Thanks!
Netino

Hello @Netino,

Can you paste the content of /etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml please?

Yes, for sure:

# cat /etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml
name: me/my_cool_whitelist
description: lets whitelist our own reverse dns
whitelist:
  reason: dont ban my ISP
  expression:
  #this is the reverse of my ip, you can get it by performing a "host" command on your public IP for example
    - evt.Parsed.remote_addr in File("/root/my.whitelist")
#

Hello @Netino,

Is your file a local one or a file that needs to be downloaded?

If it is a remote file, you must add:

data:
  - source_url: <your_file_URL>
    dest_file: my.whitelist
    type: string

And use this in your filter: - evt.Parsed.remote_addr in File("my.whitelist")

If it's a local file, put a bad or empty URL in the source_url field and put your whitelist file in /var/lib/crowdsec/data/

OK thank you!
But unfortunately it didn’t work.

The following is the contents of my “/etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml” file:

name: me/my_cool_whitelist
description: lets whitelist our own reverse dns
data:
   - source_url: /rooot/
     dest_file: my.whitelist
     type: string
whitelist:
   reason: dont ban my ISP
   expression:
     - evt.Parsed.remote_addr in File("out.list")

The error message of “(type:string) not found in expr library” disappears, but it still doesn’t work.
(Note: When I set up the reverse IP filtering, and I try to attack my server with nikto, as the method indicated in https://doc.crowdsec.net/docs/whitelist/create, it works. But with searching IP in the file, with the helper function “File()”, and putting the file in the directory ‘/var/lib/crowdsec/data’, just doesn’t work. I tried with no ‘source_url’ filled too.)

Hello @Netino,

Since you are writing a postoverflow whitelist, the evt.Parsed will be empty. Indeed, evt.Parsed is available when working on logs, but postoverflows mostly work with evt.Overflow.Alert.
Can you try to replace evt.Parsed.remote_addr by evt.Overflow.Alert.Source.IP in your expression please?

This is not clear in the documentation; I will improve it.

Yesss!!!
Really, really good, worked perfectly!

Thank you!
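
The resolution of this thread as one file, as an added example that is not part of the original posts or CrowdSec's own documentation: it combines the data section from the second reply with the evt.Overflow.Alert.Source.IP field from the last one. The description text is reworded here, and <your_file_URL> is the placeholder used in the thread.

```yaml
# /etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml
name: me/my_cool_whitelist
description: whitelist source IPs listed in a local file
data:
  # Declaring the file here is what makes it known to File(); without this
  # entry the log shows "... (type:string) not found in expr library".
  - source_url: <your_file_URL>   # per the thread: bad or empty URL for a local file
    dest_file: my.whitelist       # stored under /var/lib/crowdsec/data/
    type: string
whitelist:
  reason: dont ban my ISP
  expression:
    # Postoverflow stage: evt.Parsed is empty here, so match on the alert's
    # source IP instead of evt.Parsed.remote_addr.
    # File() is called with the dest_file name, not an absolute path. The
    # "in" test compares against each line of the file as a string, so the
    # file holds one IP address per line.
    - evt.Overflow.Alert.Source.IP in File("my.whitelist")
# Anyone who can write to the list file can exempt an address from bans,
# so keep it writable only by the account that administers CrowdSec.
```

The name passed to File() has to be the same as dest_file, and the list file has to exist in /var/lib/crowdsec/data/ before CrowdSec is restarted.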