package leakybucket
import (
"fmt"
"github.com/antonmedv/expr"
"github.com/antonmedv/expr/vm"
"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
"github.com/crowdsecurity/crowdsec/pkg/types"
)
// OverflowFilter is a bucket processor that evaluates a user-supplied expr
// expression when a bucket overflows and drops the resulting alert when the
// expression evaluates to false.
//
// Only the overflow hook (OnBucketOverflow) is defined on this type in this
// file; the embedded DumbProcessor presumably supplies the remaining hooks
// (on pour, on leak) - confirm against its definition.
type OverflowFilter struct {
	// Filter is the raw expression text, copied from BucketFactory.OverflowFilter.
	Filter string
	// FilterRuntime is the program compiled from Filter by NewOverflowFilter.
	FilterRuntime *vm.Program
	DumbProcessor
}
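// NewOverflowFilter builds an OverflowFilter from the bucket factory's
// OverflowFilter expression and compiles it once, so the overflow hook only
// has to run the compiled program.
//
// The expression is compiled against an environment exposing "queue"
// (*types.Queue), "signal" (*types.RuntimeAlert) and "leaky" (*Leaky). A
// compilation failure is logged on the factory logger and returned; the
// returned error wraps the compiler error so callers can inspect it with
// errors.Is / errors.As.
func NewOverflowFilter(g *BucketFactory) (*OverflowFilter, error) {
	u := OverflowFilter{Filter: g.OverflowFilter}

	// NOTE(review): nothing visible here constrains the expression's result
	// type to bool (unless exprhelpers.GetExprOptions adds that); a filter that
	// yields another type is only detected when a bucket overflows, where the
	// alert is then passed through unfiltered. Confirm whether rejecting such
	// filters at load time is wanted.
	env := map[string]interface{}{
		"queue":  &types.Queue{},
		"signal": &types.RuntimeAlert{},
		"leaky":  &Leaky{},
	}
	prog, err := expr.Compile(u.Filter, exprhelpers.GetExprOptions(env)...)
	if err != nil {
		g.logger.Errorf("Unable to compile filter : %v", err)
		// %w instead of %v: same message text, but the cause stays unwrappable.
		return nil, fmt.Errorf("unable to compile filter : %w", err)
	}
	u.FilterRuntime = prog
	return &u, nil
}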
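// OnBucketOverflow returns the hook that applies the compiled overflow filter
// to an overflowing bucket.
//
// The hook runs FilterRuntime with "queue", "signal" and "leaky" bound to the
// hook's arguments and inspects the result:
//   - evaluation error or non-bool result: the problem is logged and the alert
//     and queue are returned unchanged (the filter fails open, so a broken
//     filter does not suppress alerts);
//   - false: the event is discarded; an alert carrying only the bucket's
//     Mapkey is returned together with a nil queue;
//   - true: the alert and queue are returned unchanged.
func (u *OverflowFilter) OnBucketOverflow(Bucket *BucketFactory) func(*Leaky, types.RuntimeAlert, *types.Queue) (types.RuntimeAlert, *types.Queue) {
	return func(l *Leaky, s types.RuntimeAlert, q *types.Queue) (types.RuntimeAlert, *types.Queue) {
		el, err := exprhelpers.Run(u.FilterRuntime, map[string]interface{}{
			"queue": q, "signal": s, "leaky": l}, l.logger, Bucket.Debug)
		if err != nil {
			l.logger.Errorf("Failed running overflow filter: %s", err)
			return s, q
		}

		element, ok := el.(bool)
		if !ok {
			// err is always nil on this path, so report the type the filter
			// actually produced instead of formatting a nil error.
			l.logger.Errorf("Overflow filter didn't return bool: got %T", el)
			return s, q
		}

		// The filter returned false: the event is blackholed.
		if !element {
			l.logger.Infof("Event is discarded by overflow filter (%s)", u.Filter)
			// Only Mapkey is kept; presumably so the caller can still identify
			// the bucket - confirm against the caller.
			return types.RuntimeAlert{
				Mapkey: l.Mapkey,
			}, nil
		}

		l.logger.Tracef("Event is not discarded by overflow filter (%s)", u.Filter)
		return s, q
	}
}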