Whitelisting one or more countries

Hi CrowdSec community,
I’m a CrowdSec n00b and it looks really great. Congrats!

It seems I don’t get how everything works yet though. For example I’m trying to disable bans for IP addresses that belong to a specific country (or multiple countries).

I created a file /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml that contains:

name: mycustomrules/sc-countires-whitelist
description: Whitelist trusted countries
whitelist:
  reason: Whitelisted country
  expression:
    - evt.Enriched.IsoCode == 'CH'

Is that the right way to do it? It seems to me it’s still taking the decision to ban IPs that belong to this country.

I tried to use cscli explain in verbose mode, but I guess as this is a postoverflow rule it’s not taken into account in explain?

For example:
cscli explain --log "195.141.44.1 - - [03/Jan/2023:16:35:45 +0100] \"GET /wp-login.php HTTP/1.1\" 200 3049 \"-\" \"-\" -" --type apache2 --verbose

line: 195.141.44.1 - - [03/Jan/2023:16:35:45 +0100] "GET /wp-login.php HTTP/1.1" 200 3049 "-" "-" -
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       └ 🟢 crowdsecurity/apache2-logs (+21 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.httpversion : 1.1
        |               └ create evt.Parsed.port : 
        |               └ create evt.Parsed.rawrequest : 
        |               └ create evt.Parsed.clientip : 195.141.44.1
        |               └ create evt.Parsed.http_user_agent : -
        |               └ create evt.Parsed.ident : -
        |               └ create evt.Parsed.target_fqdn : 
        |               └ create evt.Parsed.referrer : -
        |               └ create evt.Parsed.response : 200
        |               └ create evt.Parsed.timestamp : 03/Jan/2023:16:35:45 +0100
        |               └ create evt.Parsed.verb : GET
        |               └ create evt.Parsed.auth : -
        |               └ create evt.Parsed.bytes : 3049
        |               └ create evt.Parsed.request : /wp-login.php
        |               └ update evt.StrTime :  -> 03/Jan/2023:16:35:45 +0100
        |               └ create evt.Meta.http_path : /wp-login.php
        |               └ create evt.Meta.source_ip : 195.141.44.1
        |               └ create evt.Meta.http_status : 200
        |               └ create evt.Meta.http_user_agent : -
        |               └ create evt.Meta.http_verb : GET
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.service : http
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2023-01-03T16:35:45+01:00
        |               ├ update evt.MarshaledTime :  -> 2023-01-03T16:35:45+01:00
        |               ├ create evt.Meta.timestamp : 2023-01-03T16:35:45+01:00
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.Longitude : 7.369900
        |               ├ create evt.Enriched.ASNNumber : 6730
        |               ├ create evt.Enriched.IsoCode : CH
        |               ├ create evt.Enriched.IsInEU : false
        |               ├ create evt.Enriched.Latitude : 47.283000
        |               ├ create evt.Enriched.SourceRange : 195.141.0.0/18
        |               ├ create evt.Enriched.ASNOrg : Sunrise GmbH
        |               ├ create evt.Enriched.ASNumber : 6730
        |               ├ create evt.Meta.IsoCode : CH
        |               ├ create evt.Meta.ASNOrg : Sunrise GmbH
        |               ├ create evt.Meta.ASNNumber : 6730
        |               ├ create evt.Meta.SourceRange : 195.141.0.0/18
        |               ├ create evt.Meta.IsInEU : false
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |               ├ create evt.Parsed.file_frag : wp-login
        |               ├ create evt.Parsed.impact_completion : true
        |               ├ create evt.Parsed.file_dir : /
        |               ├ create evt.Parsed.file_ext : .php
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Parsed.file_name : wp-login.php
        |               ├ create evt.Meta.http_args_len : 0
        |       ├ 🟢 crowdsecurity/whitelists (unchanged)
        |       └ 🟢 mycustomrules/sc-network-whitelist (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                └ 🟢 crowdsecurity/http-crawl-non_statics

Is there any way to tell explain that an overflow occurred so it takes it into account for troubleshooting?

Thanks a lot for your feedback!

Sorry, I have replied on Discord. I will replicate the answer here:

Yes, /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml will work and will only be evaluated once a bucket overflows. Yes, postoverflows are not taken into consideration for cscli explain; this is an open issue and is not available at the moment.
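
Since cscli explain does not cover postoverflows, the whitelist can be checked after the fact by looking for alerts from a trusted country that still carry an active decision. This is an added example, not part of the original thread or CrowdSec's own code; it assumes the JSON from `cscli alerts list -o json` is a list of alerts with `source.cn`, `source.value`, `scenario` and `decisions` fields, and the sample data is constructed.

```python
import json

# Constructed sample shaped like `cscli alerts list -o json` output.
# Field names (source.cn, source.value, decisions, simulated) are assumptions.
SAMPLE_ALERTS = json.dumps([
    {"id": 1, "scenario": "crowdsecurity/http-crawl-non_statics",
     "source": {"scope": "Ip", "value": "195.141.44.1", "cn": "CH"},
     "decisions": [{"type": "ban", "value": "195.141.44.1", "simulated": False}]},
    {"id": 2, "scenario": "crowdsecurity/http-crawl-non_statics",
     "source": {"scope": "Ip", "value": "198.51.100.7", "cn": "FR"},
     "decisions": [{"type": "ban", "value": "198.51.100.7", "simulated": False}]},
    # Trusted country, but the decision is only simulated: not a real ban.
    {"id": 3, "scenario": "crowdsecurity/http-crawl-non_statics",
     "source": {"scope": "Ip", "value": "195.141.44.2", "cn": "CH"},
     "decisions": [{"type": "ban", "value": "195.141.44.2", "simulated": True}]},
    # No GeoIP data and no decisions at all.
    {"id": 4, "scenario": "crowdsecurity/http-crawl-non_statics",
     "source": {"scope": "Ip", "value": "203.0.113.9"},
     "decisions": None},
])


def whitelist_misses(alerts_json, trusted_countries):
    """Return (id, source, country, scenario) for every alert whose source
    country is trusted but which still produced a non-simulated decision."""
    trusted = {code.upper() for code in trusted_countries}
    misses = []
    for alert in json.loads(alerts_json) or []:  # empty output may be "null"
        source = alert.get("source") or {}
        country = (source.get("cn") or "").upper()
        active = [d for d in (alert.get("decisions") or [])
                  if not d.get("simulated")]
        if country in trusted and active:
            misses.append((alert.get("id"), source.get("value"),
                           country, alert.get("scenario")))
    return misses


if __name__ == "__main__":
    # Real use (assumed): pipe `cscli alerts list -o json` in instead of the sample.
    for miss in whitelist_misses(SAMPLE_ALERTS, ["CH"]):
        print("trusted country still banned:", miss)
```

Any row it reports means an overflow from a trusted country reached the decision stage, so the whitelist expression or its stage should be rechecked.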