I have a whitelist `/etc/crowdsec/postoverflows/s70-meine-dav-whitelist.yaml`:
name: me/meine-dav-whitelist
description: “Whitelist DAV sync clients for brute-force”
filter: “evt.Meta.service == ‘http’ && evt.Meta.log_type in [‘http_access-log’]”
whitelist:
reason: “werde oft gebannt wegen DAV-Syncs”
expression:
- evt.Meta.http_path contains ‘Name1’
- evt.Meta.http_path contains ‘Name2’
- evt.Meta.http_path contains ‘Name3’
- evt.Meta.http_path contains ‘Name4’
The whitelist is shown as “enabled, local” in `cscli postoverflows list`.
In my logs I get a lot of these entries:
{"level":"info","ts":1766442243.9269423,"logger":"http.log.access.log2","msg":"handled request","request":{"remote_ip":"12.23.34.45","remote_port":"61547","client_ip":"12.23.34.45","proto":"HTTP/3.0","method":"PUT","host":"``dav.abc.de``","uri":"/Name2/contacts/","headers":{"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["empty"],"Priority":["u=1, i"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"If-None-Match":["*"],"Sec-Ch-Ua":["\"Chromium\";v=\"142\", \"Google Chrome\";v=\"142\", \"Not_A Brand\";v=\"99\""],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"Cookie":["REDACTED"],"Sec-Ch-Ua-Mobile":["?0"],"Cache-Control":["max-age=0"],"Referer":["``https://dav.abc.de/.web/"],"Accept-Encoding":["gzip``, deflate, br, zstd"],"Origin":["``https://dav.abc.de``"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["*/*"],"Content-Length":["0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"``dav.abc.de``"}},"bytes_read":0,"user_id":"","duration":0.004568494,"size":61,"status":401,"resp_headers":{"Content-Encoding":["gzip"],"Via":["1.0 Caddy"],"Server":["WSGIServer/0.2 CPython/3.12.12"],"Content-Type":["text/plain; charset=utf-8"],"Www-Authenticate":["Basic realm=\"Radicale - Password Required\""],"X-Frame-Options":["DENY"],"Referrer-Policy":["no-referrer-when-downgrade"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Content-Length":["61"],"Date":["Mon, 22 Dec 2025 22:24:03 GMT"]}}
If I analyse these log entries with `cscli explain` I get something like this:
…
| └ create evt.Meta.http_verb : PUT
| └ create evt.Meta.target_fqdn : ``dav.abc.de
| └ create evt.Meta.http_path : /Name2/contacts/
| └ create evt.Meta.log_type : http_access-log
| └ create evt.Meta.service : http
| └ create evt.Meta.source_ip : 12.23.34.45
| └ create evt.Meta.sub_type : auth_fail
├ s02-enrich
| ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
| ├ create evt.Enriched.MarshaledTime : 2025-12-22T23:24:03+01:00
| ├ update evt.Time : 2025-12-22 23:26:53.547952254 +0000 UTC → 2025-12-22 23:24:03 +0100 CET
| ├ update evt.MarshaledTime : → 2025-12-22T23:24:03+01:00
| ├ create evt.Meta.timestamp : 2025-12-22T23:24:03+01:00
| ├ 🟢 crowdsecurity/geoip-enrich (+13)
…
| ├ create evt.Meta.ASNNumber : 3320
| ├ create evt.Meta.IsoCode : DE
| ├ create evt.Meta.ASNOrg : Deutsche Telekom AG
| ├ create evt.Meta.IsInEU : true
| ├ create evt.Meta.SourceRange : 93.192.0.0/10
| ├ 🟢 crowdsecurity/http-logs (+6)
| ├ create evt.Parsed.file_dir : /Name2/contacts/
| ├ create evt.Parsed.file_frag :
| ├ create evt.Parsed.impact_completion : true
| ├ create evt.Parsed.static_ressource : false
| ├ create evt.Parsed.file_ext :
| ├ create evt.Meta.http_args_len : 0
| ├ 🟢 crowdsecurity/public-dns-allowlist (unchanged)
| └ 🟢 crowdsecurity/whitelists (unchanged)
├-------- parser success 🟢
├ Scenarios
├ 🟢 crowdsecurity/http-generic-bf
└ 🟢 custom/mein-higher-tolerance-scenario
The criteria from the whitelist matches, so I would think, the whitelist should work. But it doesn’t, after a very short amount of entries my Ip is banned again regarding crowdsecurity/http-generic-bf.
I don’t want to disable the brute-force-rule, but under some circumstances (defined in the whitelist) should work a scenario with higher tolerance. But I’m not able to get this setting, what do I wrong?
I’m very new to CrowdSec and Linux too, but I do my best. Since three days now :-(. But I’m afraid, I need help here. Thank you.