Introduction

antonmedv/expr - Expression evaluation engine for Go: fast, non-Turing complete, dynamic typing, static typing

Several places of CrowdSec's configuration use expr, notably :

• Filters that are used to determine events eligibility in parsers, scenarios and profiles
• Statics use expr in the expression directive, to compute complex values
• Whitelists rely on expression directive to allow more complex whitelists filters
• Profiles rely on filters directives to find matching profiles

To learn more about expr syntax, check the official documentation of the project.

When CrowdSec relies on expr, a context is provided to let the expression access relevant objects :

• evt. is the representation of the current event and is the most relevant object
• in profiles, alert is accessible via the Alert object

If the debug is enabled (in the scenario or parser where expr is used), additional debug will be displayed regarding evaluated expressions.