fix behavior so we only generate crowdsec events if an interruption was generated in either the inband or outofband phase
parent
0cebf833c7
commit
cd1cefbc8b
2 changed files with 26 additions and 16 deletions
@ -72,7 +72,6 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
evt.ExpectMode = types.LIVE
//def needs fixing
evt.Stage = "s00-raw"
evt.Process = true
evt.Parsed = map[string]string{
"source_ip": r.ClientIP,
"target_host": r.Host,
@ -134,19 +133,25 @@ func (r *WaapRunner) AccumulateTxToEvent(evt *types.Event, req waf.ParsedRequest
//an error was already emitted, let's not spam the logs
return nil
}
if req.Tx.IsInterrupted() {
if evt.Meta == nil {
evt.Meta = map[string]string{}
}
if req.IsInBand {
evt.Meta["waap_interrupted"] = "true"
evt.Meta["waap_action"] = req.Tx.Interruption().Action
evt.Parsed["inband_interrupted"] = "true"
evt.Parsed["inband_action"] = req.Tx.Interruption().Action
} else {
evt.Parsed["outofband_interrupted"] = "true"
evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
}
if !req.Tx.IsInterrupted() {
//if the phase didn't generate an interruption, we don't have anything to add to the event
return nil
}
//if one interruption was generated, event is good for processing :)
evt.Process = true
if evt.Meta == nil {
evt.Meta = map[string]string{}
}
if req.IsInBand {
evt.Meta["waap_interrupted"] = "true"
evt.Meta["waap_action"] = req.Tx.Interruption().Action
evt.Parsed["inband_interrupted"] = "true"
evt.Parsed["inband_action"] = req.Tx.Interruption().Action
} else {
evt.Parsed["outofband_interrupted"] = "true"
evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
}
if evt.Waap.Vars == nil {
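Review bot: The `evt.Parsed["inband_interrupted"]` and other `evt.Parsed[...]` writes in the new block assume the map is already allocated, while `evt.Meta` gets an explicit nil check a few lines above; if AccumulateTxToEvent is ever reached with an event that did not come through EventFromRequest this panics, so mirror the guard with `if evt.Parsed == nil { evt.Parsed = map[string]string{} }`. `req.Tx.Interruption()` is also called twice in each branch; fetch it once into a local after the `IsInterrupted` check (`interruption := req.Tx.Interruption()`) and read `.Action` from that. Only the in-band branch sets `evt.Meta["waap_interrupted"]` and `waap_action`; if the direct-to-LAPI path in WaapEventGeneration keys off those Meta fields, out-of-band interruptions would be forwarded by the Run loop but never reach LAPI, which is worth confirming now that `evt.Process` is set for both kinds. The enclosing method continues past the end of the hunk.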
@ -234,9 +234,14 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
continue
}
}
if !evt.Process {
continue
}
//we generate two events: one that is going to be picked up by the acquisition pipeline (parsers, scenarios etc.)
//and a second one that will go straight to LAPI
r.outChan <- evt
/*we generate a second event that will go directly to LAPI.
we don't want to risk losing all visibility on waap events if the user is missing a scenario*/
waapOvlfw, err := WaapEventGeneration(evt)
if err != nil {
r.logger.Errorf("unable to generate waap event : %s", err)
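Review bot: The new `if !evt.Process { continue }` drops a request's event without any trace, so an operator tuning rules cannot tell "inspected, no interruption" apart from "never inspected"; a debug line before the `continue`, e.g. `r.logger.Debugf("no interruption generated for request, skipping event")`, keeps that visibility without emitting a full event. Since `evt.Process` now appears to be set only by AccumulateTxToEvent when an interruption occurred, the check presumably also swallows requests whose accumulation failed earlier in the loop; if that is intended, say so in a comment on the check. The surrounding loop and the `if err != nil` block continue outside the hunk.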