Whitelisting one or more countries

Hi CrowdSec community,
I’m a CrowdSec n00b and it looks really great. Congrats!

It seems I don’t get how everything works yet, though. For example, I’m trying to disable bans for IP addresses that belong to a specific country (or multiple countries).

I created a file /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml that contains:

name: mycustomrules/sc-countires-whitelist
description: Whitelist trusted countries
whitelist:
  reason: Whitelisted country
  expression:
    - evt.Enriched.IsoCode == 'CH'

Is that the right way to do it? It seems to me it’s still taking decisions to ban IPs that belong to this country.

I tried to use cscli explain in verbose mode, but I guess as this is a postoverflow rule it’s not taken into account in explain?

For example:
cscli explain --log "195.141.44.1 - - [03/Jan/2023:16:35:45 +0100] \"GET /wp-login.php HTTP/1.1\" 200 3049 \"-\" \"-\" -" --type apache2 --verbose

line: 195.141.44.1 - - [03/Jan/2023:16:35:45 +0100] "GET /wp-login.php HTTP/1.1" 200 3049 "-" "-" -
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (first_parser)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       └ 🟢 crowdsecurity/apache2-logs (+21 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.httpversion : 1.1
        |               └ create evt.Parsed.port : 
        |               └ create evt.Parsed.rawrequest : 
        |               └ create evt.Parsed.clientip : 195.141.44.1
        |               └ create evt.Parsed.http_user_agent : -
        |               └ create evt.Parsed.ident : -
        |               └ create evt.Parsed.target_fqdn : 
        |               └ create evt.Parsed.referrer : -
        |               └ create evt.Parsed.response : 200
        |               └ create evt.Parsed.timestamp : 03/Jan/2023:16:35:45 +0100
        |               └ create evt.Parsed.verb : GET
        |               └ create evt.Parsed.auth : -
        |               └ create evt.Parsed.bytes : 3049
        |               └ create evt.Parsed.request : /wp-login.php
        |               └ update evt.StrTime :  -> 03/Jan/2023:16:35:45 +0100
        |               └ create evt.Meta.http_path : /wp-login.php
        |               └ create evt.Meta.source_ip : 195.141.44.1
        |               └ create evt.Meta.http_status : 200
        |               └ create evt.Meta.http_user_agent : -
        |               └ create evt.Meta.http_verb : GET
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.service : http
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~1)
        |               ├ create evt.Enriched.MarshaledTime : 2023-01-03T16:35:45+01:00
        |               ├ update evt.MarshaledTime :  -> 2023-01-03T16:35:45+01:00
        |               ├ create evt.Meta.timestamp : 2023-01-03T16:35:45+01:00
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.Longitude : 7.369900
        |               ├ create evt.Enriched.ASNNumber : 6730
        |               ├ create evt.Enriched.IsoCode : CH
        |               ├ create evt.Enriched.IsInEU : false
        |               ├ create evt.Enriched.Latitude : 47.283000
        |               ├ create evt.Enriched.SourceRange : 195.141.0.0/18
        |               ├ create evt.Enriched.ASNOrg : Sunrise GmbH
        |               ├ create evt.Enriched.ASNumber : 6730
        |               ├ create evt.Meta.IsoCode : CH
        |               ├ create evt.Meta.ASNOrg : Sunrise GmbH
        |               ├ create evt.Meta.ASNNumber : 6730
        |               ├ create evt.Meta.SourceRange : 195.141.0.0/18
        |               ├ create evt.Meta.IsInEU : false
        |       ├ 🟢 crowdsecurity/http-logs (+7)
        |               ├ create evt.Parsed.file_frag : wp-login
        |               ├ create evt.Parsed.impact_completion : true
        |               ├ create evt.Parsed.file_dir : /
        |               ├ create evt.Parsed.file_ext : .php
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Parsed.file_name : wp-login.php
        |               ├ create evt.Meta.http_args_len : 0
        |       ├ 🟢 crowdsecurity/whitelists (unchanged)
        |       └ 🟢 mycustomrules/sc-network-whitelist (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                └ 🟢 crowdsecurity/http-crawl-non_statics

Is there any way to tell explain that an overflow occurred so it takes it into account for troubleshooting?

Thanks a lot for your feedback!

Sorry, I have replied on Discord. I will replicate the answer here:

Yes, /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml will work and will only be evaluated once a bucket overflows. Yes, postoverflows are not taken into consideration for cscli explain; this is an open issue and is not available at the moment.

Hi,
Is there a reason to put this whitelist in postoverflow?
I tried it before but put the whitelist (on the AS) in the s02-enrich. It works also …
Stephane.

Honestly, it would be more performant to place it in s02-enrich as it would be discarded before hitting the buckets.

However, if you still would like a log entry about the overflow, then you would need to place it within postoverflows.

I wanted to try the example using the Argentine code, but it is not working for me; could I be missing something to install? I’m testing it on Ubuntu 20.04.

cat /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml


name: me/sc-paises
description: Whitelist paises permitidos
whitelist:
  reason: Whitelisted country
  expression:
    - evt.Enriched.IsoCode == 'AR'

cscli postoverflows inspect me/sc-paises


type: postoverflows
stage: s01-whitelist
name: me/sc-paises
file_name: sc-countries-whitelist.yaml
local_path: /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml
installed: true
downloaded: false
uptodate: true
tainted: false
local: true

cscli postoverflows list


POSTOVERFLOWS
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                               📦 Status          Version   Local Path
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/cdn-whitelist        ✔️ enabled          0.4       /etc/crowdsec/postoverflows/s01-whitelist/cdn-whitelist.yaml
 crowdsecurity/rdns                 ✔️ enabled          0.3       /etc/crowdsec/postoverflows/s00-enrich/rdns.yaml
 crowdsecurity/seo-bots-whitelist   ✔️ enabled          0.4       /etc/crowdsec/postoverflows/s01-whitelist/seo-bots-whitelist.yaml
 me/my_cool_whitelist               🏠 enabled,local             /etc/crowdsec/postoverflows/s01-whitelist/miwhitelist.yaml
 me/sc-paises                       🏠 enabled,local             /etc/crowdsec/postoverflows/s01-whitelist/sc-countries-whitelist.yaml
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

For example, miwhitelist.yaml is working but the file with the country is not.

crowdsecurity/geoip-enrich is installed:

crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml

The whitelist you are showing is a parser whitelist; the Enriched key is not available within the postoverflow object.
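For reference, here is the same country whitelist written as a parser-stage whitelist, which is where evt.Enriched.IsoCode actually exists (the explain output earlier in the thread shows crowdsecurity/geoip-enrich running before the custom whitelists in s02-enrich). This is an added example, not a file from the thread or from the CrowdSec hub; the name, path and the two country codes are constructed.

```yaml
# /etc/crowdsec/parsers/s02-enrich/sc-countries-whitelist.yaml (constructed path)
#
# Parser-stage whitelist: evaluated after crowdsecurity/geoip-enrich has
# populated evt.Enriched.IsoCode, so a matching event is discarded before
# it ever reaches a scenario bucket. No overflow, no alert, no decision.
# A postoverflow whitelist cannot do this because the overflow event has no
# geoip-enriched fields.
name: mycustomrules/sc-countries-whitelist   # constructed name
description: Whitelist trusted countries (parser stage)
whitelist:
  reason: Whitelisted country
  expression:
    # "in" against a list covers one or several countries at once
    # (ISO 3166-1 alpha-2 codes; these two are just sample values)
    - evt.Enriched.IsoCode in ['CH', 'AR']
```

Because this runs in the parser chain rather than in postoverflows, `cscli explain --log "..." --type apache2 --verbose` will show it as a parser node and whether it matched, which is the troubleshooting visibility the original question asked for.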