
fix behavior so we only generate crowdsec events if an interruption was generated in either the inband or the outofband phase

bui 1 năm trước cách đây
mục cha
commit
cd1cefbc8b

+ 19 - 14
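--- a/pkg/acquisition/modules/waap/utils.go
+++ b/pkg/acquisition/modules/waap/utils.go
@@ -72,7 +72,6 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
 	evt.ExpectMode = types.LIVE
 	//def needs fixing
 	evt.Stage = "s00-raw"
-	evt.Process = true
 	evt.Parsed = map[string]string{
 		"source_ip":   r.ClientIP,
 		"target_host": r.Host,
@@ -134,19 +133,25 @@ func (r *WaapRunner) AccumulateTxToEvent(evt *types.Event, req waf.ParsedRequest
 		//an error was already emitted, let's not spam the logs
 		return nil
 	}
-	if req.Tx.IsInterrupted() {
-		if evt.Meta == nil {
-			evt.Meta = map[string]string{}
-		}
-		if req.IsInBand {
-			evt.Meta["waap_interrupted"] = "true"
-			evt.Meta["waap_action"] = req.Tx.Interruption().Action
-			evt.Parsed["inband_interrupted"] = "true"
-			evt.Parsed["inband_action"] = req.Tx.Interruption().Action
-		} else {
-			evt.Parsed["outofband_interrupted"] = "true"
-			evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
-		}
+
+	if !req.Tx.IsInterrupted() {
+		//if the phase didn't generate an interruption, we don't have anything to add to the event
+		return nil
+	}
+	//if one interruption was generated, event is good for processing :)
+	evt.Process = true
+
+	if evt.Meta == nil {
+		evt.Meta = map[string]string{}
+	}
+	if req.IsInBand {
+		evt.Meta["waap_interrupted"] = "true"
+		evt.Meta["waap_action"] = req.Tx.Interruption().Action
+		evt.Parsed["inband_interrupted"] = "true"
+		evt.Parsed["inband_action"] = req.Tx.Interruption().Action
+	} else {
+		evt.Parsed["outofband_interrupted"] = "true"
+		evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
 	}
 
 	if evt.Waap.Vars == nil {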
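Review bot: The early `return nil` added at the top of the second hunk (`if !req.Tx.IsInterrupted()`) now skips everything that follows in AccumulateTxToEvent, including the `if evt.Waap.Vars == nil` branch at the end of the hunk, which the old code reached for every phase. If that tail accumulates the transaction's variables into the event, an in-band phase that does not interrupt no longer contributes them to an event that a later out-of-band interruption marks `Process = true`, so the resulting alert carries less context than before. If dropping those variables for non-interrupted phases is intended, make it explicit next to the guard, e.g. `//non-interrupted phases add nothing to the event, not even their transaction variables`; otherwise place only `evt.Process = true` and the Meta/Parsed block behind the guard and let the variable accumulation run for every phase. The body of AccumulateTxToEvent continues outside the hunk, so this is inferred from the visible tail only.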

+ 7 - 2
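--- a/pkg/acquisition/modules/waap/waap_runner.go
+++ b/pkg/acquisition/modules/waap/waap_runner.go
@@ -234,9 +234,14 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
 					continue
 				}
 			}
+
+			if !evt.Process {
+				continue
+			}
+
+			//we generate two events: one that is going to be picked up by the acquisition pipeline (parsers, scenarios etc.)
+			//and a second one that will go straight to LAPI
 			r.outChan <- evt
-			/*we generate a second event that will go directly to LAPI.
-			we don't want to risk losing all visibility on waap events if the user is missing a scenario*/
 			waapOvlfw, err := WaapEventGeneration(evt)
 			if err != nil {
 				r.logger.Errorf("unable to generate waap event : %s", err)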
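Review bot: The rewritten comment above `r.outChan <- evt` drops the rationale the removed comment carried, namely that the second, direct-to-LAPI event exists so visibility on waap events is not lost when the user has no matching scenario; that reason is what stops a later reader from "simplifying" the duplicate send away. Suggest keeping it in the new comment: `//and a second one that will go straight to LAPI, so we don't lose all visibility on waap events if the user is missing a scenario`. The new `if !evt.Process { continue }` also discards every non-interrupted request with no trace; a debug-level log line before the `continue` would make that decision observable when tuning rules, without adding noise at the default level. Run's body starts and ends outside the hunk.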