I’m trying to add Cloudflare IPs to crowdsecurity/whitelists.
From what I understood, the yaml.local should be placed alongside the yaml file and would automatically be merged with the yaml.
I copied the original whitelists.yaml, modified it, added .local to the end and placed it in /etc/crowdsec/parsers/s02-enrich/
(also tried to copy it to the original location of the symlink)
ls -l /etc/crowdsec/parsers/s02-enrich/
total 4
lrwxrwxrwx 1 root root 72 Nov 26 16:24 dateparse-enrich.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml
lrwxrwxrwx 1 root root 68 Nov 26 16:24 geoip-enrich.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
lrwxrwxrwx 1 root root 65 Jan 4 13:36 http-logs.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml
lrwxrwxrwx 1 root root 74 Jan 2 22:32 jellyfin-whitelist.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/jellyfin-whitelist.yaml
lrwxrwxrwx 1 root root 66 Nov 26 16:24 whitelists.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
-rw-rw-rw- 1 root root 851 Jan 7 14:40 whitelists.yaml.local
Checked the file with a YAML validator:
name: crowdsecurity/whitelists
description: "Whitelist events from private ipv4 addresses"
whitelist:
  reason: "private ipv4/ipv6 ip/ranges"
  ip:
    - "127.0.0.1"
    - "192.168.1.6"
    - "::1"
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "173.245.48.0/20"
    - "103.21.244.0/22"
    - "103.22.200.0/22"
    - "103.31.4.0/22"
    - "141.101.64.0/18"
    - "108.162.192.0/18"
    - "190.93.240.0/20"
    - "188.114.96.0/20"
    - "197.234.240.0/22"
    - "198.41.128.0/17"
    - "162.158.0.0/15"
    - "104.16.0.0/13"
    - "104.24.0.0/14"
    - "172.64.0.0/13"
    - "131.0.72.0/22"
    - "2400:cb00::/32"
    - "2606:4700::/32"
    - "2803:f800::/32"
    - "2405:b500::/32"
    - "2405:8100::/32"
    - "2a06:98c0::/29"
    - "2c0f:f248::/32"
  # expression:
  #   - "'foo.com' in evt.Meta.source_ip.reverse"
It seems the .local file doesn’t get loaded correctly.
cscli parsers inspect crowdsecurity/whitelists
type: parsers
stage: s02-enrich
name: crowdsecurity/whitelists
file_name: whitelists.yaml
description: Whitelist events from private ipv4 addresses
author: crowdsecurity
path: parsers/s02-enrich/crowdsecurity/whitelists.yaml
version: "0.2"
local_path: /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
local_version: "0.2"
local_hash: 326da7ad71aee690bf71c5a392ac6dbd028f502e617a8b8ed7a5c5554ecaf72c
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
Tried to run
cscli console enable custom
cscli console status
╭────────────────────┬───────────┬───────────────────────────────────────────────────────╮
│ Option Name        │ Activated │ Description                                           │
├────────────────────┼───────────┼───────────────────────────────────────────────────────┤
│ custom             │ ✅        │ Forward alerts from custom scenarios to the console   │
│ manual             │ ✅        │ Forward manual decisions to the console               │
│ tainted            │ ✅        │ Forward alerts from tainted scenarios to the console  │
│ context            │ ✅        │ Forward context with alerts to the console            │
│ console_management │ ❌        │ Receive decisions from console                        │
╰────────────────────┴───────────┴───────────────────────────────────────────────────────╯
I also tried to write the changes into the yaml but crowdsecurity/whitelists became tainted, so I’d prefer to use a yaml.local variant if possible.
Would you be so kind as to give me a hint as to what I’m doing wrong?