The whitelist is the following:

```yaml
name: custom/my-whitelists
description: "Whitelist local network and trusted IPs"
whitelist:
  reason: "Trusted local network/admin IPs"
  ip:
    - "127.0.0.1"
    # Add specific trusted static IPs here
    # - "YOUR_STATIC_IP_1"
    # - "YOUR_STATIC_IP_2"
  cidr:
    # Whitelist your entire local network range (adjust if yours is different)
    - "192.168.100.0/24"
    - "172.18.0.0/24"
```

The two log occurrences are here:

```
line: [26/Jun/2025:12:34:42 +0300] 114.217.26.245 0.000 "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 444 0 0 - Custom-AsyncHttpClient
  ├ s00-raw
  |  ├ :red_circle: crowdsecurity/cri-logs
  |  ├ :red_circle: crowdsecurity/docker-logs
  |  ├ :red_circle: crowdsecurity/syslog-logs
  |  └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
  ├ s01-parse
  |  ├ :red_circle: crowdsecurity/appsec-logs
  |  ├ :red_circle: crowdsecurity/modsecurity
  |  └ :green_circle: ZoeyVid/npmplus-logs (+20 ~2)
  ├ s01-whitelist
  |  └ :green_circle: custom/my-whitelists (unchanged)
  └-------- parser success, ignored by whitelist (Trusted local network/admin IPs) :green_circle:
```

Here's my attempt over VPN with a normal usage of a service:

```
line: [26/Jun/2025:14:19:20 +0300] 149.50.216.211 0.144 "GET /api/ HTTP/2.0" 200 8868 9222 Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Mobile Safari/537.36
  ├ s00-raw
  |  ├ :red_circle: crowdsecurity/cri-logs
  |  ├ :red_circle: crowdsecurity/docker-logs
  |  ├ :red_circle: crowdsecurity/syslog-logs
  |  └ :green_circle: crowdsecurity/non-syslog (+5 ~8)
  ├ s01-parse
  |  ├ :red_circle: crowdsecurity/appsec-logs
  |  ├ :red_circle: crowdsecurity/modsecurity
  |  └ :green_circle: ZoeyVid/npmplus-logs (+20 ~2)
  ├ s01-whitelist
  |  └ :green_circle: custom/my-whitelists (unchanged)
  └-------- parser success, ignored by whitelist (Trusted local network/admin IPs) :green_circle:
```
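
A quick check of the two logged client IPs against the posted `ip`/`cidr` entries, as an added example that is not part of the original post. It tests plain IP/CIDR membership only and does not reproduce CrowdSec's own whitelist evaluation; the function names and the assumed log layout (`[timestamp] client_ip ...`) are illustrative.

```python
import ipaddress
import re

# Whitelist entries as posted above (ip and cidr lists of custom/my-whitelists).
WHITELIST_IPS = ["127.0.0.1"]
WHITELIST_CIDRS = ["192.168.100.0/24", "172.18.0.0/24"]

# Leading fields of the two log lines from the post; the request and user-agent
# parts are trimmed because only the timestamp and client IP are parsed here.
LOG_LINES = [
    '[26/Jun/2025:12:34:42 +0300] 114.217.26.245 0.000 "POST ..." 444 0 0',
    '[26/Jun/2025:14:19:20 +0300] 149.50.216.211 0.144 "GET /api/ HTTP/2.0" 200 8868 9222',
]

# Assumed layout: "[timestamp] client_ip request_time ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s')


def client_ip(line):
    """Return the client address from a log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def matching_entry(addr):
    """Return the whitelist entry that covers addr, or None if no entry does."""
    for entry in WHITELIST_IPS:
        if addr == ipaddress.ip_address(entry):
            return entry
    for entry in WHITELIST_CIDRS:
        net = ipaddress.ip_network(entry, strict=True)
        if addr.version == net.version and addr in net:
            return entry
    return None


def audit(lines):
    """Map each log line to (client IP as text, covering whitelist entry or None)."""
    results = []
    for line in lines:
        addr = client_ip(line)
        results.append((str(addr) if addr else None,
                        matching_entry(addr) if addr else None))
    return results


if __name__ == "__main__":
    for ip, entry in audit(LOG_LINES):
        print(ip, "->", entry or "not covered by any ip/cidr entry")
```

Both logged addresses fall outside every listed entry, so the `ignored by whitelist` verdict in the output above is not explained by a direct match of the logged client IP against these `ip`/`cidr` values.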