Merge branch 'master' of github.com:crowdsecurity/crowdsec
This commit is contained in:
commit
3818fe4e7d
5 changed files with 34 additions and 7 deletions
@ -27,6 +27,14 @@ Besides detecting and stopping attacks in real time based on your logs, it allow
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
|
## Core concepts
|
||||||
|
|
||||||
|
{{crowdsec.name}} relies on {{parsers.htmlname}} to normalize and enrich logs, and {{scenarios.htmlname}} to detect attacks, often bundled together in {{collections.htmlname}} to form a coherent configuration set. For example the collection [`crowdsecurity/nginx`](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx) contains all the necessary parsers and scenarios to deal with nginx logs and the common attacks that can be seen on http servers.
|
||||||
|
|
||||||
|
All of those are represented as YAML files, that can be found, shared and kept up-to-date thanks to the {{hub.htmlname}}, or [easily hand-crafted](/write_configurations/scenarios/) to address specific needs.
|
||||||
|
|
||||||
|
|
||||||
## Moving forward
|
## Moving forward
|
||||||
|
|
||||||
To learn more about {{crowdsec.name}} and give it a try, please see :
|
To learn more about {{crowdsec.name}} and give it a try, please see :
|
||||||
|
|
|
@ -144,7 +144,8 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
|
||||||
if n.Name != "" {
|
if n.Name != "" {
|
||||||
NodesHits.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
|
NodesHits.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
|
||||||
}
|
}
|
||||||
set := false
|
isWhitelisted := false
|
||||||
|
hasWhitelist := false
|
||||||
var src net.IP
|
var src net.IP
|
||||||
/*overflow and log don't hold the source ip in the same field, should be changed */
|
/*overflow and log don't hold the source ip in the same field, should be changed */
|
||||||
/* perform whitelist checks for ips, cidr accordingly */
|
/* perform whitelist checks for ips, cidr accordingly */
|
||||||
|
@ -160,18 +161,22 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
|
||||||
if v.Equal(src) {
|
if v.Equal(src) {
|
||||||
clog.Debugf("Event from [%s] is whitelisted by Ips !", src)
|
clog.Debugf("Event from [%s] is whitelisted by Ips !", src)
|
||||||
p.Whitelisted = true
|
p.Whitelisted = true
|
||||||
set = true
|
isWhitelisted = true
|
||||||
|
} else {
|
||||||
|
clog.Debugf("whitelist: %s is not eq [%s]", src, v)
|
||||||
}
|
}
|
||||||
|
hasWhitelist = true
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, v := range n.Whitelist.B_Cidrs {
|
for _, v := range n.Whitelist.B_Cidrs {
|
||||||
if v.Contains(src) {
|
if v.Contains(src) {
|
||||||
clog.Debugf("Event from [%s] is whitelisted by Cidrs !", src)
|
clog.Debugf("Event from [%s] is whitelisted by Cidrs !", src)
|
||||||
p.Whitelisted = true
|
p.Whitelisted = true
|
||||||
set = true
|
isWhitelisted = true
|
||||||
} else {
|
} else {
|
||||||
clog.Debugf("whitelist: %s not in [%s]", src, v)
|
clog.Debugf("whitelist: %s not in [%s]", src, v)
|
||||||
}
|
}
|
||||||
|
hasWhitelist = true
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
clog.Debugf("no ip in event, cidr/ip whitelists not checked")
|
clog.Debugf("no ip in event, cidr/ip whitelists not checked")
|
||||||
|
@ -190,13 +195,14 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
|
||||||
if out {
|
if out {
|
||||||
clog.Debugf("Event is whitelisted by Expr !")
|
clog.Debugf("Event is whitelisted by Expr !")
|
||||||
p.Whitelisted = true
|
p.Whitelisted = true
|
||||||
set = true
|
isWhitelisted = true
|
||||||
}
|
}
|
||||||
|
hasWhitelist = true
|
||||||
default:
|
default:
|
||||||
log.Errorf("unexpected type %t (%v) while running '%s'", output, output, n.Whitelist.Exprs[eidx])
|
log.Errorf("unexpected type %t (%v) while running '%s'", output, output, n.Whitelist.Exprs[eidx])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if set {
|
if isWhitelisted {
|
||||||
p.WhiteListReason = n.Whitelist.Reason
|
p.WhiteListReason = n.Whitelist.Reason
|
||||||
/*huglily wipe the ban order if the event is whitelisted and it's an overflow */
|
/*huglily wipe the ban order if the event is whitelisted and it's an overflow */
|
||||||
if p.Type == types.OVFLW { /*don't do this at home kids */
|
if p.Type == types.OVFLW { /*don't do this at home kids */
|
||||||
|
@ -298,9 +304,9 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
|
||||||
if n.Name != "" {
|
if n.Name != "" {
|
||||||
NodesHitsOk.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
|
NodesHitsOk.With(prometheus.Labels{"source": p.Line.Src, "name": n.Name}).Inc()
|
||||||
}
|
}
|
||||||
if len(n.Statics) > 0 {
|
if hasWhitelist && isWhitelisted && len(n.Statics) > 0 || len(n.Statics) > 0 && !hasWhitelist {
|
||||||
clog.Debugf("+ Processing %d statics", len(n.Statics))
|
clog.Debugf("+ Processing %d statics", len(n.Statics))
|
||||||
// if all else is good, process node's statics
|
// if all else is good in whitelist, process node's statics
|
||||||
err := ProcessStatics(n.Statics, p, clog)
|
err := ProcessStatics(n.Statics, p, clog)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
clog.Fatalf("Failed to process statics : %v", err)
|
clog.Fatalf("Failed to process statics : %v", err)
|
||||||
|
|
|
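Review bot: The new guard on the statics block, `if hasWhitelist && isWhitelisted && len(n.Statics) > 0 || len(n.Statics) > 0 && !hasWhitelist {`, leans on `&&` binding tighter than `||` and tests the length twice; `if len(n.Statics) > 0 && (!hasWhitelist || isWhitelisted) {` states the intent directly. There is also a gap worth checking: `hasWhitelist` is only assigned inside the IP and `B_Cidrs` loops, which, judging by the `no ip in event, cidr/ip whitelists not checked` else branch in the earlier hunk, run only when the event carries a source IP, so a node configured with only IP/CIDR whitelists will still apply its statics to an event without a source IP because `hasWhitelist` stays false and the `!hasWhitelist` arm fires. If that is not intended, derive the flag from configuration rather than from evaluation (`len(n.Whitelist.B_Cidrs) > 0`, `len(n.Whitelist.Exprs) > 0`, and the IP list ranged over above the hunk) in place of the `hasWhitelist := false` line, which also removes the per-iteration assignments. The `default:` branch of the expression switch likewise leaves `hasWhitelist` untouched. process() starts and ends outside these hunks.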
@ -9,3 +9,6 @@ whitelist:
|
||||||
- "1.2.3.0/24"
|
- "1.2.3.0/24"
|
||||||
expression:
|
expression:
|
||||||
- "'supertoken1234' == evt.Enriched.test_token"
|
- "'supertoken1234' == evt.Enriched.test_token"
|
||||||
|
statics:
|
||||||
|
- meta: statics
|
||||||
|
value: success
|
||||||
|
|
|
@ -3,41 +3,51 @@ lines:
|
||||||
- Meta:
|
- Meta:
|
||||||
test: test1
|
test: test1
|
||||||
source_ip: 8.8.8.8
|
source_ip: 8.8.8.8
|
||||||
|
statics: toto
|
||||||
- Meta:
|
- Meta:
|
||||||
test: test2
|
test: test2
|
||||||
source_ip: 1.2.3.4
|
source_ip: 1.2.3.4
|
||||||
|
statics: toto
|
||||||
- Meta:
|
- Meta:
|
||||||
test: test3
|
test: test3
|
||||||
source_ip: 2.2.3.4
|
source_ip: 2.2.3.4
|
||||||
|
statics: toto
|
||||||
- Meta:
|
- Meta:
|
||||||
test: test4
|
test: test4
|
||||||
source_ip: 8.8.8.9
|
source_ip: 8.8.8.9
|
||||||
|
statics: toto
|
||||||
- Enriched:
|
- Enriched:
|
||||||
test_token: supertoken1234
|
test_token: supertoken1234
|
||||||
Meta:
|
Meta:
|
||||||
test: test5
|
test: test5
|
||||||
|
statics: toto
|
||||||
#these are the results we expect from the parser
|
#these are the results we expect from the parser
|
||||||
results:
|
results:
|
||||||
- Whitelisted: true
|
- Whitelisted: true
|
||||||
Process: true
|
Process: true
|
||||||
Meta:
|
Meta:
|
||||||
test: test1
|
test: test1
|
||||||
|
statics: success
|
||||||
- Whitelisted: true
|
- Whitelisted: true
|
||||||
Process: true
|
Process: true
|
||||||
Meta:
|
Meta:
|
||||||
test: test2
|
test: test2
|
||||||
|
statics: success
|
||||||
- Whitelisted: false
|
- Whitelisted: false
|
||||||
Process: true
|
Process: true
|
||||||
Meta:
|
Meta:
|
||||||
test: test3
|
test: test3
|
||||||
|
statics: toto
|
||||||
- Whitelisted: false
|
- Whitelisted: false
|
||||||
Process: true
|
Process: true
|
||||||
Meta:
|
Meta:
|
||||||
test: test4
|
test: test4
|
||||||
|
statics: toto
|
||||||
- Whitelisted: true
|
- Whitelisted: true
|
||||||
Process: true
|
Process: true
|
||||||
Meta:
|
Meta:
|
||||||
test: test5
|
test: test5
|
||||||
|
statics: success
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
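Review bot: The new expectations cover whitelisted and non-whitelisted events that carry a `source_ip` (test1 to test4) and the expression path for one without (test5), but no case checks an event lacking `source_ip` whose expression does not match, which is exactly the branch where the node's statics must now be skipped. A sixth entry with only `test: test6` under `Meta` and no `Enriched` block, expected as `Whitelisted: false` with `statics: toto`, would pin that behaviour. The whitelist configuration this fixture exercises is in the previous file section.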