2022-06-22 09:29:52 +00:00
|
|
|
package parser
|
2020-05-15 09:39:16 +00:00
|
|
|
|
|
|
|
import (
|
2023-10-16 09:08:57 +00:00
|
|
|
"fmt"
|
2020-05-15 09:39:16 +00:00
|
|
|
"net"
|
|
|
|
|
2023-10-16 09:08:57 +00:00
|
|
|
"github.com/antonmedv/expr"
|
2020-05-15 09:39:16 +00:00
|
|
|
"github.com/antonmedv/expr/vm"
|
2020-08-03 10:21:15 +00:00
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
|
2023-10-16 09:08:57 +00:00
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
2024-02-06 17:04:17 +00:00
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2020-05-15 09:39:16 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type Whitelist struct {
|
|
|
|
Reason string `yaml:"reason,omitempty"`
|
|
|
|
Ips []string `yaml:"ip,omitempty"`
|
|
|
|
B_Ips []net.IP
|
|
|
|
Cidrs []string `yaml:"cidr,omitempty"`
|
|
|
|
B_Cidrs []*net.IPNet
|
|
|
|
Exprs []string `yaml:"expression,omitempty"`
|
2020-08-03 10:21:15 +00:00
|
|
|
B_Exprs []*ExprWhitelist
|
|
|
|
}
|
|
|
|
|
|
|
|
type ExprWhitelist struct {
|
2023-11-24 10:10:54 +00:00
|
|
|
Filter *vm.Program
|
2020-05-15 09:39:16 +00:00
|
|
|
}
|
2023-10-16 09:08:57 +00:00
|
|
|
|
|
|
|
func (n *Node) ContainsWLs() bool {
|
|
|
|
return n.ContainsIPLists() || n.ContainsExprLists()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (n *Node) ContainsExprLists() bool {
|
|
|
|
return len(n.Whitelist.B_Exprs) > 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (n *Node) ContainsIPLists() bool {
|
|
|
|
return len(n.Whitelist.B_Ips) > 0 || len(n.Whitelist.B_Cidrs) > 0
|
|
|
|
}
|
|
|
|
|
2024-02-06 17:04:17 +00:00
|
|
|
func (n *Node) CheckIPsWL(p *types.Event) bool {
|
|
|
|
srcs := p.ParseIPSources()
|
2023-10-16 09:08:57 +00:00
|
|
|
isWhitelisted := false
|
|
|
|
if !n.ContainsIPLists() {
|
|
|
|
return isWhitelisted
|
|
|
|
}
|
2024-02-06 17:04:17 +00:00
|
|
|
NodesWlHits.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name, "reason": n.Whitelist.Reason}).Inc()
|
2023-10-16 09:08:57 +00:00
|
|
|
for _, src := range srcs {
|
|
|
|
if isWhitelisted {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
for _, v := range n.Whitelist.B_Ips {
|
|
|
|
if v.Equal(src) {
|
|
|
|
n.Logger.Debugf("Event from [%s] is whitelisted by IP (%s), reason [%s]", src, v, n.Whitelist.Reason)
|
|
|
|
isWhitelisted = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
n.Logger.Tracef("whitelist: %s is not eq [%s]", src, v)
|
|
|
|
}
|
|
|
|
for _, v := range n.Whitelist.B_Cidrs {
|
|
|
|
if v.Contains(src) {
|
|
|
|
n.Logger.Debugf("Event from [%s] is whitelisted by CIDR (%s), reason [%s]", src, v, n.Whitelist.Reason)
|
|
|
|
isWhitelisted = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
n.Logger.Tracef("whitelist: %s not in [%s]", src, v)
|
|
|
|
}
|
|
|
|
}
|
2024-02-06 17:04:17 +00:00
|
|
|
if isWhitelisted {
|
|
|
|
NodesWlHitsOk.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name, "reason": n.Whitelist.Reason}).Inc()
|
|
|
|
}
|
2023-10-16 09:08:57 +00:00
|
|
|
return isWhitelisted
|
|
|
|
}
|
|
|
|
|
2024-02-06 17:04:17 +00:00
|
|
|
func (n *Node) CheckExprWL(cachedExprEnv map[string]interface{}, p *types.Event) (bool, error) {
|
2023-10-16 09:08:57 +00:00
|
|
|
isWhitelisted := false
|
|
|
|
|
|
|
|
if !n.ContainsExprLists() {
|
|
|
|
return false, nil
|
|
|
|
}
|
2024-02-06 17:04:17 +00:00
|
|
|
NodesWlHits.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name, "reason": n.Whitelist.Reason}).Inc()
|
2023-10-16 09:08:57 +00:00
|
|
|
/* run whitelist expression tests anyway */
|
|
|
|
for eidx, e := range n.Whitelist.B_Exprs {
|
|
|
|
//if we already know the event is whitelisted, skip the rest of the expressions
|
|
|
|
if isWhitelisted {
|
|
|
|
break
|
|
|
|
}
|
2023-11-24 10:10:54 +00:00
|
|
|
|
|
|
|
output, err := exprhelpers.Run(e.Filter, cachedExprEnv, n.Logger, n.Debug)
|
2023-10-16 09:08:57 +00:00
|
|
|
if err != nil {
|
|
|
|
n.Logger.Warningf("failed to run whitelist expr : %v", err)
|
|
|
|
n.Logger.Debug("Event leaving node : ko")
|
|
|
|
return isWhitelisted, err
|
|
|
|
}
|
|
|
|
switch out := output.(type) {
|
|
|
|
case bool:
|
|
|
|
if out {
|
|
|
|
n.Logger.Debugf("Event is whitelisted by expr, reason [%s]", n.Whitelist.Reason)
|
|
|
|
isWhitelisted = true
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
n.Logger.Errorf("unexpected type %t (%v) while running '%s'", output, output, n.Whitelist.Exprs[eidx])
|
|
|
|
}
|
|
|
|
}
|
2024-02-06 17:04:17 +00:00
|
|
|
if isWhitelisted {
|
|
|
|
NodesWlHitsOk.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name, "reason": n.Whitelist.Reason}).Inc()
|
|
|
|
}
|
2023-10-16 09:08:57 +00:00
|
|
|
return isWhitelisted, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (n *Node) CompileWLs() (bool, error) {
|
|
|
|
for _, v := range n.Whitelist.Ips {
|
|
|
|
n.Whitelist.B_Ips = append(n.Whitelist.B_Ips, net.ParseIP(v))
|
|
|
|
n.Logger.Debugf("adding ip %s to whitelists", net.ParseIP(v))
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, v := range n.Whitelist.Cidrs {
|
|
|
|
_, tnet, err := net.ParseCIDR(v)
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("unable to parse cidr whitelist '%s' : %v", v, err)
|
|
|
|
}
|
|
|
|
n.Whitelist.B_Cidrs = append(n.Whitelist.B_Cidrs, tnet)
|
|
|
|
n.Logger.Debugf("adding cidr %s to whitelists", tnet)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, filter := range n.Whitelist.Exprs {
|
|
|
|
var err error
|
|
|
|
expression := &ExprWhitelist{}
|
|
|
|
expression.Filter, err = expr.Compile(filter, exprhelpers.GetExprOptions(map[string]interface{}{"evt": &types.Event{}})...)
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("unable to compile whitelist expression '%s' : %v", filter, err)
|
|
|
|
}
|
|
|
|
n.Whitelist.B_Exprs = append(n.Whitelist.B_Exprs, expression)
|
|
|
|
n.Logger.Debugf("adding expression %s to whitelists", filter)
|
|
|
|
}
|
|
|
|
return n.ContainsWLs(), nil
|
|
|
|
}
|