diff --git a/.tests/ipv6-parser/config.yaml b/.tests/ipv6-parser/config.yaml
new file mode 100644
index 00000000000..d350c6bcf0b
--- /dev/null
+++ b/.tests/ipv6-parser/config.yaml
@@ -0,0 +1,14 @@
+parsers:
+- crowdsecurity/nginx-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.yaml
+scenarios:
+- crowdsecurity/http-bad-user-agent
+postoverflows:
+- crowdsecurity/ipv6_to_range
+log_file: ipv6-parser.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/ipv6-parser/ipv6-parser.log b/.tests/ipv6-parser/ipv6-parser.log
new file mode 100644
index 00000000000..ebb5beccedb
--- /dev/null
+++ b/.tests/ipv6-parser/ipv6-parser.log
@@ -0,0 +1,2 @@
+2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
diff --git a/.tests/ipv6-parser/parser.assert b/.tests/ipv6-parser/parser.assert
new file mode 100644
index 00000000000..86f0a41798b
--- /dev/null
+++ b/.tests/ipv6-parser/parser.assert
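Review bot: Both fixture lines in ipv6-parser.log carry the same source address 2001:0db8:85a3:0000:0000:8a2e:0370:7334, so this test never exercises the property the parser exists for — two different hosts inside one /64 being folded into a single bucket and a single overflow. As written, the assertions would still pass for a parser that only rewrote one address. Changing the second line's source to another host in the same prefix, e.g. `2001:0db8:85a3:0000:abcd:1234:ef10:5678 - - [29/Sep/2021:14:11:34 +0200] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"`, lets scenario.assert demonstrate that both events land under the one `2001:db8:85a3::` source with GetEventsCount() == 2. The generated parser.assert and scenario.assert in this same commit would need to be regenerated after that change.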
@@ -0,0 +1,170 @@
+len(results) == 5
+len(results["s00-enrich"]["crowdsecurity/ipv6_to_range"]) == 1
+results["s00-enrich"]["crowdsecurity/ipv6_to_range"][0].Success == true
+results["s00-enrich"]["crowdsecurity/ipv6_to_range"][0].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"HEAD / HTTP/1.1\" 200 0 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\""
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"GET / HTTP/1.1\" 200 10918 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)\""
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "nginx"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 2
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_version"] == "1.1"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"HEAD / HTTP/1.1\" 200 0 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\""
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_user"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["request"] == "/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["status"] == "200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["verb"] == "HEAD"
+basename(results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_path"] == "/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_status"] == "200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_verb"] == "HEAD"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["source_ip"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["body_bytes_sent"] == "10918"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_referer"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["http_version"] == "1.1"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"GET / HTTP/1.1\" 200 10918 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)\""
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["remote_user"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["request"] == "/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["status"] == "200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Parsed["verb"] == "GET"
+basename(results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_path"] == "/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_status"] == "200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["http_verb"] == "GET"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["log_type"] == "http_access-log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Meta["source_ip"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s01-parse"]["crowdsecurity/nginx-logs"][1].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"HEAD / HTTP/1.1\" 200 0 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "HEAD"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "HEAD"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["body_bytes_sent"] == "10918"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"GET / HTTP/1.1\" 200 10918 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["request"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["status"] == "200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["verb"] == "GET"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_path"] == "/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_status"] == "200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"]) == 2
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Success == true
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["body_bytes_sent"] == "0"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"HEAD / HTTP/1.1\" 200 0 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\""
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["request"] == "/"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["status"] == "200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Parsed["verb"] == "HEAD"
+basename(results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["http_path"] == "/"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["http_status"] == "200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["http_verb"] == "HEAD"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["source_ip"] == "2001:db8:85a3::"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Meta["timestamp"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Enriched["MarshaledTime"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Success == true
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["body_bytes_sent"] == "10918"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["http_referer"] == "-"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["http_version"] == "1.1"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["message"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334 - - [29/Sep/2021:14:11:34 +0200] \"GET / HTTP/1.1\" 200 10918 \"-\" \"Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)\""
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["remote_addr"] == "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["request"] == "/"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["status"] == "200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["time_local"] == "29/Sep/2021:14:11:34 +0200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Parsed["verb"] == "GET"
+basename(results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["datasource_path"]) == "ipv6-parser.log"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["http_path"] == "/"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["http_status"] == "200"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["http_user_agent"] == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["source_ip"] == "2001:db8:85a3::"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Meta["timestamp"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Enriched["MarshaledTime"] == "2021-09-29T14:11:34+02:00"
+results["s02-enrich"]["crowdsecurity/ipv6_shared_buckets"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/ipv6-parser/scenario.assert b/.tests/ipv6-parser/scenario.assert
new file mode 100644
index 00000000000..b5292d0486c
--- /dev/null
+++ b/.tests/ipv6-parser/scenario.assert
@@ -0,0 +1,29 @@
+len(results) == 1
+"2001:db8:85a3::" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["2001:db8:85a3::"].IP == "2001:db8:85a3::"
+results[0].Overflow.Sources["2001:db8:85a3::"].Range == ""
+results[0].Overflow.Sources["2001:db8:85a3::"].GetScope() == "Range"
+results[0].Overflow.Sources["2001:db8:85a3::"].GetValue() == "2001:db8:85a3::/64"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ipv6-parser.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "200"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "HEAD"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "2001:db8:85a3::"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2021-09-29T14:11:34+02:00"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ipv6-parser.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("http_path") == "/"
+results[0].Overflow.Alert.Events[1].GetMeta("http_status") == "200"
+results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)"
+results[0].Overflow.Alert.Events[1].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "2001:db8:85a3::"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2021-09-29T14:11:34+02:00"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/http-bad-user-agent"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.md b/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.md
new file mode 100644
index 00000000000..039ef0d9807
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.md
@@ -0,0 +1,12 @@
+This parser checks if the source IP is an IPv6 address and if yes, will force the IPv6 address's lower 64 bits to zeros. The upper 64 bits are retained. This mean every IPv6 address in a given /64 range will be transformed into the same IPv6 address and will count towards the same bucket. This prevents an attacker from using one addresses in a /64 to fill up a bucket without causing it to overflow and then moving on to another address in the same /64 repeatedly allowing a practically infinite number of attempts.
+
+This parser must be used with the crowdsecurity/ipv6_to_range postoverflow so that when the shared IPv6 bucket overflows the remediation applies to the entire /64 range.
+
+Example effects on source_ip:
+
+2001:db8:1234:5678::abcd => 2001:db8:1234:5678::
+2001:db8:1234:5678::1234 => 2001:db8:1234:5678::
+2001:db8:1234:5678::5678 => 2001:db8:1234:5678::
+2001:db8:1234:5678:abcd:1234:ef10:5678 => 2001:db8:1234:5678::
+2001:db8:1234:5678:4545:cdcd:6868:dada => 2001:db8:1234:5678::
+2001:db8:abcd:2020:abcd:1234:ef10:5678 => 2001:db8:abcd:2020::
diff --git a/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.yaml b/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.yaml
new file mode 100644
index 00000000000..14b52474116
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/ipv6_shared_buckets.yaml
@@ -0,0 +1,6 @@
+name: crowdsecurity/ipv6_shared_buckets
+description: ""
+filter: "IsIPV6(evt.Meta.source_ip)"
+statics:
+  - target: evt.Meta.source_ip
+    expression: TrimSuffix(IpToRange(evt.Meta.source_ip,"/64"),"/64")
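Review bot: The static overwrites evt.Meta.source_ip in place, so the alert that reaches the LAPI no longer identifies the host that actually sent the traffic — in scenario.assert every event's source_ip is the network address 2001:db8:85a3:: and the original 2001:0db8:85a3:...:7334 survives only in Parsed["remote_addr"], which is not part of the alert's event meta; for incident response that is the one fact a responder wants. If statics are applied in listed order (which I believe they are), preserving it first costs one extra static: `- target: evt.Meta.source_ip_orig` / `expression: evt.Meta.source_ip` placed before the existing one. The `description: ""` field is also empty even though the .md explains the purpose well; something like `description: "Collapse IPv6 source_ip to its /64 network so every host in the prefix shares one bucket (use with crowdsecurity/ipv6_to_range)"` keeps the hub listing informative. Two caveats worth a line in that description: /64 is hard-coded, so an operator facing a /48 or /56 allocation still sees per-/64 hopping, and — hedging, since parser ordering inside s02-enrich is not visible here — any whitelist keyed on an exact IPv6 host that runs after this parser would presumably stop matching, because source_ip has already been rewritten.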