perform geoip enrich on appsec alerts
This commit is contained in:
parent
127969d325
commit
170e5e8dd8
|
@ -3,14 +3,17 @@ package appsecacquisition
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/crowdsecurity/coraza/v3/collection"
|
"github.com/crowdsecurity/coraza/v3/collection"
|
||||||
"github.com/crowdsecurity/coraza/v3/types/variables"
|
"github.com/crowdsecurity/coraza/v3/types/variables"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/appsec"
|
"github.com/crowdsecurity/crowdsec/pkg/appsec"
|
||||||
|
"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/models"
|
"github.com/crowdsecurity/crowdsec/pkg/models"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
"github.com/crowdsecurity/go-cs-lib/ptr"
|
"github.com/crowdsecurity/go-cs-lib/ptr"
|
||||||
|
"github.com/oschwald/geoip2-golang"
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -40,6 +43,34 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
|
||||||
Scope: ptr.Of(types.Ip),
|
Scope: ptr.Of(types.Ip),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
asndata, err := exprhelpers.GeoIPASNEnrich(inEvt.Parsed["source_ip"])
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
|
||||||
|
} else if asndata != nil {
|
||||||
|
record := asndata.(*geoip2.ASN)
|
||||||
|
source.AsName = record.AutonomousSystemOrganization
|
||||||
|
source.AsNumber = fmt.Sprintf("%d", record.AutonomousSystemNumber)
|
||||||
|
}
|
||||||
|
|
||||||
|
cityData, err := exprhelpers.GeoIPEnrich(inEvt.Parsed["source_ip"])
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
|
||||||
|
} else if cityData != nil {
|
||||||
|
record := cityData.(*geoip2.City)
|
||||||
|
source.Cn = record.Country.IsoCode
|
||||||
|
source.Latitude = float32(record.Location.Latitude)
|
||||||
|
source.Longitude = float32(record.Location.Longitude)
|
||||||
|
}
|
||||||
|
|
||||||
|
rangeData, err := exprhelpers.GeoIPRangeEnrich(inEvt.Parsed["source_ip"])
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Unable to enrich ip '%s'", inEvt.Parsed["source_ip"])
|
||||||
|
} else if rangeData != nil {
|
||||||
|
record := rangeData.(*net.IPNet)
|
||||||
|
source.Range = record.String()
|
||||||
|
}
|
||||||
|
|
||||||
evt.Overflow.Sources = make(map[string]models.Source)
|
evt.Overflow.Sources = make(map[string]models.Source)
|
||||||
evt.Overflow.Sources["ip"] = source
|
evt.Overflow.Sources["ip"] = source
|
||||||
|
|
||||||
|
|
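Review bot: The three type assertions `asndata.(*geoip2.ASN)`, `cityData.(*geoip2.City)` and `rangeData.(*net.IPNet)` are single-value, so any other concrete type coming back from the exprhelpers enrichers panics inside event generation instead of leaving the source unenriched; use the two-value form, e.g. `if record, ok := asndata.(*geoip2.ASN); ok { … }` for each of the three blocks. The three `log.Errorf("Unable to enrich ip '%s'", …)` calls are identical and drop `err`, so an operator cannot tell which lookup (ASN, city or range) failed or why; include both, e.g. `log.Errorf("Unable to enrich ip %q with ASN data: %s", inEvt.Parsed["source_ip"], err)`, with `%q` rather than `'%s'` so a request-derived value cannot split the log line. This code appears to run once per generated event, so a persistently failing lookup (for example a missing GeoIP database, though the helpers' behaviour in that case is not visible here) would emit an error line per alert; consider a lower level or rate-limited logging for that path. AppsecEventGeneration starts outside the hunk.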