From 170e5e8dd828f2299992eb555c72e54e7fdfa0c4 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Mon, 15 Apr 2024 22:31:08 +0200
Subject: [PATCH] perform geoip enrich on appsec alerts

---
 pkg/acquisition/modules/appsec/utils.go | 31 +++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/pkg/acquisition/modules/appsec/utils.go b/pkg/acquisition/modules/appsec/utils.go
index f29f62b0a..6635ce61a 100644
--- a/pkg/acquisition/modules/appsec/utils.go
+++ b/pkg/acquisition/modules/appsec/utils.go
@@ -3,14 +3,17 @@ package appsecacquisition
 import (
 	"encoding/json"
 	"fmt"
+	"net"
 	"time"
 
 	"github.com/crowdsecurity/coraza/v3/collection"
 	"github.com/crowdsecurity/coraza/v3/types/variables"
 	"github.com/crowdsecurity/crowdsec/pkg/appsec"
+	"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
 	"github.com/crowdsecurity/crowdsec/pkg/models"
 	"github.com/crowdsecurity/crowdsec/pkg/types"
 	"github.com/crowdsecurity/go-cs-lib/ptr"
+	"github.com/oschwald/geoip2-golang"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 )
@@ -40,6 +43,34 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
 		Scope: ptr.Of(types.Ip),
 	}
 
+	asndata, err := exprhelpers.GeoIPASNEnrich(inEvt.Parsed["source_ip"])
+
+	if err != nil {
+		log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
+	} else if asndata != nil {
+		record := asndata.(*geoip2.ASN)
+		source.AsName = record.AutonomousSystemOrganization
+		source.AsNumber = fmt.Sprintf("%d", record.AutonomousSystemNumber)
+	}
+
+	cityData, err := exprhelpers.GeoIPEnrich(inEvt.Parsed["source_ip"])
+	if err != nil {
+		log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
+	} else if cityData != nil {
+		record := cityData.(*geoip2.City)
+		source.Cn = record.Country.IsoCode
+		source.Latitude = float32(record.Location.Latitude)
+		source.Longitude = float32(record.Location.Longitude)
+	}
+
+	rangeData, err := exprhelpers.GeoIPRangeEnrich(inEvt.Parsed["source_ip"])
+	if err != nil {
+		log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
+	} else if rangeData != nil {
+		record := rangeData.(*net.IPNet)
+		source.Range = record.String()
+	}
+
 	evt.Overflow.Sources = make(map[string]models.Source)
 	evt.Overflow.Sources["ip"] = source
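Review bot: The three type assertions `asndata.(*geoip2.ASN)`, `cityData.(*geoip2.City)` and `rangeData.(*net.IPNet)` are single-value, so if an enrich helper ever hands back a different concrete type the assertion panics inside alert generation instead of degrading to an un-enriched alert; since the helpers appear to return an untyped interface, use the two-value form, e.g. `record, ok := asndata.(*geoip2.ASN)` followed by `if !ok { log.Warningf("unexpected ASN enrich result %T for ip '%s'", asndata, inEvt.Parsed["source_ip"]) }` before reading `record`. The three `log.Errorf("Unable to enrich ip '%s'", ...)` calls also discard `err` and are word-for-word identical, so a failure cannot be attributed to the ASN, city or range lookup; name the lookup and append the error, e.g. `log.Errorf("Unable to enrich ip '%s' with ASN data: %s", inEvt.Parsed["source_ip"], err)`. Because this block runs once per appsec alert, a missing or unconfigured GeoIP database would emit three Error-level lines for every alert, so Warning or Debug level seems more appropriate if the enrichment is meant to be best-effort. AppsecEventGeneration continues past the end of this hunk.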