# Help with ASN Org in PostOverflows

fossil root
#

Hello,

I am trying to whitelist the following key/value pair:

          {
            "key": "ASNOrg",
            "value": "XXX"
          },

I have added the following at /etc/crowdsec/postoverflows/s01-whitelist/whitelist-xxx.yaml

name: user/whitelist-xxx
description: Whitelist XXX
whitelist:
  reason: Whitelisted because XXX
  expression:
    - evt.Enriched.ASNOrg == 'XXX'

I made 100% sure I restarted the Crowdsec docker container, and I do see this:

cscli postoverflows list

POSTOVERFLOWS
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                     📦 Status          Version  Local Path
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 user/whitelist-xxx       🏠  enabled,local           /etc/crowdsec/postoverflows/s01-whitelist/whitelist-xxx.yaml

However, I am still banning clients with that same ASNOrg value. Would appreciate any help!

steep willow
fossil root
#

No, I am fine with whitelisting in s02. Had a hard time finding a good guide for this.

#

I thought it was more efficient to whitelist in postoverflow because the enrich step was expensive.

steep willow
#

Enrich is expensive if the whitelist uses something that needs external data (like rDNS); however, geo-ip information is quite free because of the local database.

#

So, looking at https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/geoip-enrich, you can use the same syntax. A thing to note: the Enriched key only stays for the pipeline. Since geo-ip happens in s02-enrich, the Enriched key only stays for that pipeline and is then flushed when an overflow happens.

#

However, after the fact, the Meta information is then stored within the alert under Events.
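To make the advice above concrete, here is the same whitelist moved into the s02-enrich parser stage, where evt.Enriched.ASNOrg is still present. This is an added example, not a file from the original thread; the path under /etc/crowdsec/parsers/s02-enrich/ and the assumption that the geoip enricher has already filled evt.Enriched.ASNOrg when this parser runs are mine.

```yaml
# /etc/crowdsec/parsers/s02-enrich/whitelist-xxx.yaml  (example placement, assumed)
#
# A whitelist on an Enriched field has to live in the same parsing stage
# that produces that field (s02-enrich), because Enriched values are
# flushed once an overflow is raised and are not visible to postoverflows.
name: user/whitelist-xxx
description: "Whitelist XXX by ASN organisation"
whitelist:
  reason: "Whitelisted because XXX"
  expression:
    # Same expression as before; evt.Enriched.ASNOrg is populated by
    # crowdsecurity/geoip-enrich during s02-enrich (local MaxMind database).
    - evt.Enriched.ASNOrg == 'XXX'
```

After restarting the agent, `cscli parsers list` (rather than `cscli postoverflows list`) should show user/whitelist-xxx as enabled,local.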

fossil root
#

That explains it. I'll implement it as s02 and keep that in mind if I want to use overflows before. ty

#

Thank you! I found crowdsec a bit too sensitive for my workplace, as some docker containers were triggering too often. That fixed it.