128 lines
4.2 KiB
Go
128 lines
4.2 KiB
Go
package types
|
|
|
|
import (
|
|
"net"
|
|
"time"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
"github.com/antonmedv/expr/vm"
|
|
"github.com/crowdsecurity/crowdsec/pkg/models"
|
|
)
|
|
|
|
const (
|
|
LOG = iota
|
|
OVFLW
|
|
WAAP
|
|
)
|
|
|
|
// Event is the structure representing a runtime event (log or overflow)
|
|
type Event struct {
|
|
/* is it a log or an overflow */
|
|
Type int `yaml:"Type,omitempty" json:"Type,omitempty"` //Can be types.LOG (0) or types.OVFLOW (1)
|
|
ExpectMode int `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"` //how to buckets should handle event : types.TIMEMACHINE or types.LIVE
|
|
Whitelisted bool `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
|
|
WhitelistReason string `yaml:"WhitelistReason,omitempty" json:"whitelist_reason,omitempty"`
|
|
//should add whitelist reason ?
|
|
/* the current stage of the line being parsed */
|
|
Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
|
|
/* original line (produced by acquisition) */
|
|
Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
|
|
/* output of groks */
|
|
Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
|
|
/* output of enrichment */
|
|
Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
|
|
/* output of Unmarshal */
|
|
Unmarshaled map[string]interface{} `yaml:"Unmarshaled,omitempty" json:"Unmarshaled,omitempty"`
|
|
/* Overflow */
|
|
Overflow RuntimeAlert `yaml:"Overflow,omitempty" json:"Alert,omitempty"`
|
|
Time time.Time `yaml:"Time,omitempty" json:"Time,omitempty"` //parsed time `json:"-"` ``
|
|
StrTime string `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`
|
|
StrTimeFormat string `yaml:"StrTimeFormat,omitempty" json:"StrTimeFormat,omitempty"`
|
|
MarshaledTime string `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"`
|
|
Process bool `yaml:"Process,omitempty" json:"Process,omitempty"` //can be set to false to avoid processing line
|
|
Waap WaapEvent `yaml:"Waap,omitempty" json:"Waap,omitempty"`
|
|
/* Meta is the only part that will make it to the API - it should be normalized */
|
|
Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
|
|
}
|
|
|
|
func (e *Event) GetType() string {
|
|
if e.Type == OVFLW {
|
|
return "overflow"
|
|
} else if e.Type == LOG {
|
|
return "log"
|
|
} else {
|
|
log.Warningf("unknown event type for %+v", e)
|
|
return "unknown"
|
|
}
|
|
}
|
|
|
|
func (e *Event) GetMeta(key string) string {
|
|
if e.Type == OVFLW {
|
|
for _, alert := range e.Overflow.APIAlerts {
|
|
for _, event := range alert.Events {
|
|
if event.GetMeta(key) != "" {
|
|
return event.GetMeta(key)
|
|
}
|
|
}
|
|
}
|
|
} else if e.Type == LOG {
|
|
for k, v := range e.Meta {
|
|
if k == key {
|
|
return v
|
|
}
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
func (e *Event) ParseIPSources() []net.IP {
|
|
var srcs []net.IP
|
|
switch e.Type {
|
|
case LOG:
|
|
if _, ok := e.Meta["source_ip"]; ok {
|
|
srcs = append(srcs, net.ParseIP(e.Meta["source_ip"]))
|
|
}
|
|
case OVFLW:
|
|
for k := range e.Overflow.Sources {
|
|
srcs = append(srcs, net.ParseIP(k))
|
|
}
|
|
}
|
|
return srcs
|
|
}
|
|
|
|
// Move in leakybuckets
|
|
const (
|
|
Undefined = ""
|
|
Ip = "Ip"
|
|
Range = "Range"
|
|
Filter = "Filter"
|
|
Country = "Country"
|
|
AS = "AS"
|
|
)
|
|
|
|
// Move in leakybuckets
|
|
type ScopeType struct {
|
|
Scope string `yaml:"type"`
|
|
Filter string `yaml:"expression"`
|
|
RunTimeFilter *vm.Program
|
|
}
|
|
|
|
type RuntimeAlert struct {
|
|
Mapkey string `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`
|
|
BucketId string `yaml:"BucketId,omitempty" json:"BucketId,omitempty"`
|
|
Whitelisted bool `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
|
|
Reprocess bool `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
|
|
Sources map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"`
|
|
Alert *models.Alert `yaml:"Alert,omitempty" json:"Alert,omitempty"` //this one is a pointer to APIAlerts[0] for convenience.
|
|
//APIAlerts will be populated at the end when there is more than one source
|
|
APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
|
|
}
|
|
|
|
func (r RuntimeAlert) GetSources() []string {
|
|
ret := make([]string, 0)
|
|
for key := range r.Sources {
|
|
ret = append(ret, key)
|
|
}
|
|
return ret
|
|
}
|