Help with allowlist/whitelist CIDR still creating alert and decision

I’m trying to understand why an IP that I included as a CIDR in an allow list parser is creating an alert and a decision:

crowdsec-agent-5c844f6f4-mlw7h:/# cscli alerts list | grep 13.37.148
| 7607 | Ip:13.37.148.210   | crowdsecurity/http-probing                 | FR      | 16509 AMAZON-02 | count:1   | 2025-10-14 07:01:14.199570649 +0000 UTC |
| 7606 | Ip:13.37.148.210   | crowdsecurity/http-probing                 | FR      | 16509 AMAZON-02 | count:1   | 2025-10-14 06:51:16.36452821 +0000 UTC  |
| 7605 | Ip:13.37.148.210   | crowdsecurity/http-probing                 | FR      | 16509 AMAZON-02 | count:1   | 2025-10-14 06:36:21.256225012 +0000 UTC |
| 7604 | Ip:13.37.148.210   | crowdsecurity/http-probing                 | FR      | 16509 AMAZON-02 | count:1   | 2025-10-14 06:21:15.271374407 +0000 UTC |
| 7603 | Ip:13.37.148.210   | crowdsecurity/http-probing                 | FR      | 16509 AMAZON-02 | count:1   | 2025-10-14 06:16:14.727617218 +0000 UTC |

crowdsec-agent-5c844f6f4-mlw7h:/# cscli parsers list
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 PARSERS                                                                                                                       
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                📦 Status          Version  Local Path                                                    
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/aws-cloudfront        ✔️  enabled        0.3      /etc/crowdsec/parsers/s01-parse/aws-cloudfront.yaml           
 crowdsecurity/cri-logs              ✔️  enabled        0.1      /etc/crowdsec/parsers/s00-raw/cri-logs.yaml                   
 crowdsecurity/dateparse-enrich      🏠  enabled,local           /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml        
 crowdsecurity/docker-logs           ✔️  enabled        0.1      /etc/crowdsec/parsers/s00-raw/docker-logs.yaml                
 crowdsecurity/geoip-enrich          ✔️  enabled        0.5      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml            
 crowdsecurity/http-logs             ✔️  enabled        1.3      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml               
 crowdsecurity/public-dns-allowlist  ✔️  enabled        0.1      /etc/crowdsec/parsers/s02-enrich/public-dns-allowlist.yaml    
 crowdsecurity/sshd-logs             ✔️  enabled        3.0      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml                
 crowdsecurity/syslog-logs           ✔️  enabled        0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml                
 crowdsecurity/whitelists            ✔️  enabled        0.3      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml              
 rca/allowlist                       🏠  enabled,local           /etc/crowdsec/parsers/s01-parse/rca-allowlist.yaml            
 rca/aws-cloudfront-allowlist        🏠  enabled,local           /etc/crowdsec/parsers/s01-parse/aws-cloudfront-allowlist.yaml 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


crowdsec-agent-5c844f6f4-mlw7h:/# cscli parsers inspect rca/allowlist
type: parsers
stage: s01-parse
name: rca/allowlist
file_name: rca-allowlist.yaml
dependencies: {}
local_path: /etc/crowdsec/parsers/s01-parse/rca-allowlist.yaml
downloadpath: ""
up_to_date: true
tainted: false
installed: true
local: true

Current metrics: 
╭────────────────────────────────────╮
│ (Parser) rca/allowlist             │
├─────────┬──────┬────────┬──────────┤
│ Parsers │ Hits │ Parsed │ Unparsed │
├─────────┼──────┼────────┼──────────┤
│ s3:     │ 1408 │ 1408   │ 0        │
╰─────────┴──────┴────────┴──────────╯


crowdsec-agent-5c844f6f4-mlw7h:/# cat /etc/crowdsec/parsers/s01-parse/rca-allowlist.yaml
name: "rca/allowlist"
description: "Allowlist events from ipv4 addresses (VPN, partners, etc)"
whitelist:
  reason: "Company allowed ipv4 ranges"
  cidr:
    - "37.1.255.229/32"
    - "13.37.148.210/32"

I’m not an expert but it looks like it’s because you’re putting your whitelist in s01-parse.

The crowdsecurity/http-probing (or any other rule) is getting triggered and then the chain naturally moves to the next stage in s02-enrich. So your whitelist is getting skipped.

That’s why you should put whitelists in s02-enrich. So then the chain always parses them.

Hope it helps!

Yes, @jamesDev3 nailed it. Putting the whitelist at s01-parse means this is essentially skipped, as this stage is where all the logic for parsing out IPs from log lines happens.

Moving the whitelist to s02-enrich or using the cscli allowlist command instead should resolve it.

ref: Whitelists | CrowdSec
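
Added example, not part of the thread and not CrowdSec tooling: a small Python check that, for a given IP, finds the whitelist parser files whose ip/cidr entries cover it and flags any that sit outside s02-enrich, the stage the replies recommend. The line-based YAML reading, the function names and the temp-dir sample (a constructed copy of the parser posted in the question) are assumptions of this sketch.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

EFFECTIVE_STAGE = "s02-enrich"  # stage the replies in the thread recommend

def whitelist_entries(text):
    """Collect ip/cidr items under a top-level `whitelist:` key (line-based, not full YAML)."""
    entries, in_whitelist, in_list = [], False, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new top-level key starts here
            in_whitelist, in_list = line.startswith("whitelist:"), False
            continue
        key = re.match(r"\s+(\w+):\s*$", line)
        item = re.match(r"\s+-\s*[\"']?([0-9a-fA-F:./]+)[\"']?\s*$", line)
        if key:  # only the ip: and cidr: lists hold addresses
            in_list = in_whitelist and key.group(1) in ("ip", "cidr")
        elif item and in_list:
            entries.append(item.group(1))
    return entries

def explain_ip(parsers_dir, ip):
    """Return (stage, file, effective) for each whitelist file that covers ip."""
    addr, findings = ipaddress.ip_address(ip), []
    for path in sorted(Path(parsers_dir).glob("*/*.yaml")):
        for entry in whitelist_entries(path.read_text()):
            try:
                covered = addr in ipaddress.ip_network(entry, strict=False)
            except ValueError:  # entry is not an address or network, skip it
                continue
            if covered:
                stage = path.parent.name
                findings.append((stage, path.name, stage == EFFECTIVE_STAGE))
                break
    return findings

def demo(stage):
    """Place the thread's allowlist under `stage` in a temp tree (constructed sample)."""
    sample = ('name: "rca/allowlist"\nwhitelist:\n  reason: "Company allowed ipv4 ranges"\n'
              '  cidr:\n    - "37.1.255.229/32"\n    - "13.37.148.210/32"\n')
    with tempfile.TemporaryDirectory() as root:
        Path(root, stage).mkdir()
        Path(root, stage, "rca-allowlist.yaml").write_text(sample)
        return explain_ip(root, "13.37.148.210")

if __name__ == "__main__":
    print({stage: demo(stage) for stage in ("s01-parse", "s02-enrich")})
```

On a real agent, point `explain_ip` at `/etc/crowdsec/parsers` with the alerting IP; a result whose last field is `False` is a whitelist that matches the address but sits in a stage other than s02-enrich.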