fix behavior so we only generate crowdsec events if an interruption was generated in either the inband or outofband phase
parent
0cebf833c7
commit
cd1cefbc8b
2 changed files with 26 additions and 16 deletions
|
@ -72,7 +72,6 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
|
||||||
evt.ExpectMode = types.LIVE
|
evt.ExpectMode = types.LIVE
|
||||||
//def needs fixing
|
//def needs fixing
|
||||||
evt.Stage = "s00-raw"
|
evt.Stage = "s00-raw"
|
||||||
evt.Process = true
|
|
||||||
evt.Parsed = map[string]string{
|
evt.Parsed = map[string]string{
|
||||||
"source_ip": r.ClientIP,
|
"source_ip": r.ClientIP,
|
||||||
"target_host": r.Host,
|
"target_host": r.Host,
|
||||||
|
@ -134,19 +133,25 @@ func (r *WaapRunner) AccumulateTxToEvent(evt *types.Event, req waf.ParsedRequest
|
||||||
//an error was already emitted, let's not spam the logs
|
//an error was already emitted, let's not spam the logs
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if req.Tx.IsInterrupted() {
|
|
||||||
if evt.Meta == nil {
|
if !req.Tx.IsInterrupted() {
|
||||||
evt.Meta = map[string]string{}
|
//if the phase didn't generate an interruption, we don't have anything to add to the event
|
||||||
}
|
return nil
|
||||||
if req.IsInBand {
|
}
|
||||||
evt.Meta["waap_interrupted"] = "true"
|
//if one interruption was generated, event is good for processing :)
|
||||||
evt.Meta["waap_action"] = req.Tx.Interruption().Action
|
evt.Process = true
|
||||||
evt.Parsed["inband_interrupted"] = "true"
|
|
||||||
evt.Parsed["inband_action"] = req.Tx.Interruption().Action
|
if evt.Meta == nil {
|
||||||
} else {
|
evt.Meta = map[string]string{}
|
||||||
evt.Parsed["outofband_interrupted"] = "true"
|
}
|
||||||
evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
|
if req.IsInBand {
|
||||||
}
|
evt.Meta["waap_interrupted"] = "true"
|
||||||
|
evt.Meta["waap_action"] = req.Tx.Interruption().Action
|
||||||
|
evt.Parsed["inband_interrupted"] = "true"
|
||||||
|
evt.Parsed["inband_action"] = req.Tx.Interruption().Action
|
||||||
|
} else {
|
||||||
|
evt.Parsed["outofband_interrupted"] = "true"
|
||||||
|
evt.Parsed["outofband_action"] = req.Tx.Interruption().Action
|
||||||
}
|
}
|
||||||
|
|
||||||
if evt.Waap.Vars == nil {
|
if evt.Waap.Vars == nil {
|
||||||
|
|
|
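Review bot: The new `if !req.Tx.IsInterrupted() { return nil }` guard at the top of the hunk also skips the `evt.Waap.Vars` population that follows it (the `if evt.Waap.Vars == nil` block at the end of the hunk), which before this change ran for every transaction regardless of interruption; if the out-of-band phase is expected to collect transaction variables even when no rule fired, that data is now silently lost. If the skip is intended, say so where the early return is: `//not interrupted: nothing to add to the event (this also skips the Waap.Vars collection below)`. Separately, `evt.Parsed["inband_interrupted"]` and its siblings are written without a nil check while `evt.Meta` gets one two lines earlier; EventFromRequest does initialise `Parsed` in the first hunk, but a symmetric `if evt.Parsed == nil { evt.Parsed = map[string]string{} }` would keep a nil-map panic out of the request path for any other way an `*types.Event` reaches this method. AccumulateTxToEvent's body continues past the end of the hunk.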
@ -234,9 +234,14 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !evt.Process {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
//we generate two events: one that is going to be picked up by the acquisition pipeline (parsers, scenarios etc.)
|
||||||
|
//and a second one that will go straight to LAPI
|
||||||
r.outChan <- evt
|
r.outChan <- evt
|
||||||
/*we generate a second event that will go directly to LAPI.
|
|
||||||
we don't want to risk losing all visibility on waap events if the user is missing a scenario*/
|
|
||||||
waapOvlfw, err := WaapEventGeneration(evt)
|
waapOvlfw, err := WaapEventGeneration(evt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
r.logger.Errorf("unable to generate waap event : %s", err)
|
r.logger.Errorf("unable to generate waap event : %s", err)
|
||||||
|
|
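Review bot: The added `if !evt.Process { continue }` drops the request with no trace at all, so an operator tuning rules cannot tell from the logs whether a request was seen and produced no interruption or never reached the engine; a trace-level line such as `r.logger.Tracef("no interruption, not emitting event for %s", evt.Parsed["source_ip"])` before the `continue` would make that distinction visible without adding noise at the default level. Since the first hunk removes the unconditional `evt.Process = true` from EventFromRequest, this check is now the only gate in front of both `r.outChan` and the direct-to-LAPI `WaapEventGeneration` path, and any event that did not go through an interrupted phase in AccumulateTxToEvent is discarded here; a comment on the check would help the next reader, e.g. `//Process is only set by AccumulateTxToEvent when a phase raised an interruption`. The Run loop starts and ends outside the hunk.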