propagate labels from acquis to appsec events

Sebastien Blot 2023-12-06 10:27:29 +01:00
parent 5503b2374a
commit 25635a306f
No known key found for this signature in database
GPG key ID: DFC2902F40449F6A
2 changed files with 5 additions and 4 deletions


@ -23,6 +23,7 @@ type AppsecRunner struct {
AppsecRuntime *appsec.AppsecRuntimeConfig //this holds the actual appsec runtime config, rules, remediations, hooks etc. AppsecRuntime *appsec.AppsecRuntimeConfig //this holds the actual appsec runtime config, rules, remediations, hooks etc.
AppsecInbandEngine coraza.WAF AppsecInbandEngine coraza.WAF
AppsecOutbandEngine coraza.WAF AppsecOutbandEngine coraza.WAF
Labels map[string]string
logger *log.Entry logger *log.Entry
} }
@ -205,7 +206,7 @@ func (r *AppsecRunner) ProcessOutOfBandRules(request *appsec.ParsedRequest) erro
func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) { func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) {
//create the associated event for crowdsec itself //create the associated event for crowdsec itself
evt, err := EventFromRequest(request) evt, err := EventFromRequest(request, r.Labels)
if err != nil { if err != nil {
//let's not interrupt the pipeline for this //let's not interrupt the pipeline for this
r.logger.Errorf("unable to create event from request : %s", err) r.logger.Errorf("unable to create event from request : %s", err)
@ -253,7 +254,7 @@ func (r *AppsecRunner) handleInBandInterrupt(request *appsec.ParsedRequest) {
} }
func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) { func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
evt, err := EventFromRequest(request) evt, err := EventFromRequest(request, r.Labels)
if err != nil { if err != nil {
//let's not interrupt the pipeline for this //let's not interrupt the pipeline for this
r.logger.Errorf("unable to create event from request : %s", err) r.logger.Errorf("unable to create event from request : %s", err)
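Review bot: Nothing in this commit assigns the new `Labels` field on `AppsecRunner`. The diffstat's five additions are the field itself, the two `EventFromRequest(request, r.Labels)` calls and the two lines in the other file, so as far as this page shows `r.Labels` is nil in both `handleInBandInterrupt` and `handleOutBandInterrupt`. Events would then carry no labels at all, where they previously carried `"type": "crowdsec-appsec"`, and any downstream stage that selects on that label would stop seeing appsec events. The runner should receive the acquisition labels where it is constructed, which is outside these hunks. The field would also benefit from a comment such as `// Labels are the acquisition labels attached to every event this runner emits`. Both handler bodies continue past the visible lines.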


@ -68,7 +68,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
return &evt, nil return &evt, nil
} }
func EventFromRequest(r *appsec.ParsedRequest) (types.Event, error) { func EventFromRequest(r *appsec.ParsedRequest, labels map[string]string) (types.Event, error) {
evt := types.Event{} evt := types.Event{}
//we might want to change this based on in-band vs out-of-band ? //we might want to change this based on in-band vs out-of-band ?
evt.Type = types.LOG evt.Type = types.LOG
@ -91,7 +91,7 @@ func EventFromRequest(r *appsec.ParsedRequest) (types.Event, error) {
evt.Line = types.Line{ evt.Line = types.Line{
Time: time.Now(), Time: time.Now(),
//should we add some info like listen addr/port/path ? //should we add some info like listen addr/port/path ?
Labels: map[string]string{"type": "crowdsec-appsec"}, //FIXME: use the labels from the acquis Labels: labels,
Process: true, Process: true,
Module: "appsec", Module: "appsec",
Src: "appsec", Src: "appsec",
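Review bot: `Labels: labels` in `EventFromRequest` stores the caller's map itself, so every event built from one runner shares a single `map[string]string` with the runner's `Labels` field and with every other event. If any later stage writes to `evt.Line.Labels` (not visible here), the write leaks into all subsequent events, and with several runners or goroutines it becomes a concurrent map write. The hard-coded `"type": "crowdsec-appsec"` is also gone with no fallback, so a nil or type-less label set produces untyped events. Copying the map per event and seeding the previous default type, which acquisition labels can still override, would avoid both problems. The function body starts and ends outside the hunk.

```go
func EventFromRequest(r *appsec.ParsedRequest, labels map[string]string) (types.Event, error) {
	// … unchanged: event setup …
	// Copy per event so events never alias the runner's map; keep the previous default type.
	evtLabels := make(map[string]string, len(labels)+1)
	evtLabels["type"] = "crowdsec-appsec"
	for k, v := range labels {
		evtLabels[k] = v
	}
	evt.Line = types.Line{
		// … unchanged: Time …
		Labels: evtLabels,
		// … unchanged: Process, Module, Src …
```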