
propagate labels from acquis to appsec events

Sebastien Blot před 1 rokem
rodič
revize
25635a306f

+ 3 - 2
pkg/acquisition/modules/appsec/appsec_runner.go

@@ -23,6 +23,7 @@ type AppsecRunner struct {
 	AppsecRuntime       *appsec.AppsecRuntimeConfig //this holds the actual appsec runtime config, rules, remediations, hooks etc.
 	AppsecInbandEngine  coraza.WAF
 	AppsecOutbandEngine coraza.WAF
+	Labels              map[string]string
 	logger              *log.Entry
 }
 
@@ -205,7 +206,7 @@ func (r *AppsecRunner) ProcessOutOfBandRules(request *appsec.ParsedRequest) erro
 
 func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) {
 	//create the associated event for crowdsec itself
-	evt, err := EventFromRequest(request)
+	evt, err := EventFromRequest(request, r.Labels)
 	if err != nil {
 		//let's not interrupt the pipeline for this
 		r.logger.Errorf("unable to create event from request : %s", err)
@@ -253,7 +254,7 @@ func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) {
 }
 
 func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
-	evt, err := EventFromRequest(request)
+	evt, err := EventFromRequest(request, r.Labels)
 	if err != nil {
 		//let's not interrupt the pipeline for this
 		r.logger.Errorf("unable to create event from request : %s", err)
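Review bot: The new `Labels` field on `AppsecRunner` has no comment saying where the map comes from or who owns it, and none of the visible hunks set it. A runner constructed without it would hand a nil map to both `EventFromRequest` calls, in `handleInBandInterrupt` and `handleOutBandInterrupt`. I would document the field with `//labels from the acquisition config, attached to every event this runner emits; read-only once the runner is started`. Both handler bodies continue outside their hunks, so how the event is used afterwards cannot be checked from here.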

+ 2 - 2
pkg/acquisition/modules/appsec/utils.go

@@ -68,7 +68,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
 	return &evt, nil
 }
 
-func EventFromRequest(r *appsec.ParsedRequest) (types.Event, error) {
+func EventFromRequest(r *appsec.ParsedRequest, labels map[string]string) (types.Event, error) {
 	evt := types.Event{}
 	//we might want to change this based on in-band vs out-of-band ?
 	evt.Type = types.LOG
@@ -91,7 +91,7 @@ func EventFromRequest(r *appsec.ParsedRequest) (types.Event, error) {
 	evt.Line = types.Line{
 		Time: time.Now(),
 		//should we add some info like listen addr/port/path ?
-		Labels:  map[string]string{"type": "crowdsec-appsec"}, //FIXME: use the labels from the acquis
+		Labels:  labels,
 		Process: true,
 		Module:  "appsec",
 		Src:     "appsec",
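Review bot: `Labels: labels` in `EventFromRequest` stores the caller's map itself, so every event a runner emits shares one map with `r.Labels`. If any later stage writes to `evt.Line.Labels` (not visible here), that becomes an unsynchronised map write shared between in-band and out-of-band handling. The same line also drops the previous hard-coded `"type": "crowdsec-appsec"` label, so a nil map or an acquisition config without a `type` label yields events that type-based parser filters may no longer match, which would silently lose WAF alerts. Copying the map per event and keeping the old value as a fallback covers both cases. The function body starts and ends outside these hunks.

```go
func EventFromRequest(r *appsec.ParsedRequest, labels map[string]string) (types.Event, error) {
	// … unchanged: event setup up to evt.Line …

	// give each event its own label map so later stages cannot alter the runner's copy
	evtLabels := make(map[string]string, len(labels)+1)
	for k, v := range labels {
		evtLabels[k] = v
	}
	// keep the previous default so events stay routable when the acquisition config sets no type
	if _, ok := evtLabels["type"]; !ok {
		evtLabels["type"] = "crowdsec-appsec"
	}

	// … unchanged: evt.Line literal, now with Labels: evtLabels …
```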