fix include_capi filter (#2478)
This commit is contained in:
parent
ac01faf483
commit
e4dcdd2572
|
@ -43,8 +43,6 @@ const (
|
||||||
metricsIntervalDelta = time.Minute * 15
|
metricsIntervalDelta = time.Minute * 15
|
||||||
)
|
)
|
||||||
|
|
||||||
var SCOPE_CAPI_ALIAS_ALIAS string = "crowdsecurity/community-blocklist" //we don't use "CAPI" directly, to make it less confusing for the user
|
|
||||||
|
|
||||||
type apic struct {
|
type apic struct {
|
||||||
// when changing the intervals in tests, always set *First too
|
// when changing the intervals in tests, always set *First too
|
||||||
// or they can be negative
|
// or they can be negative
|
||||||
|
@ -776,14 +774,14 @@ func (a *apic) UpdateBlocklists(links *modelscapi.GetDecisionsStreamResponseLink
|
||||||
for _, blocklist := range links.Blocklists {
|
for _, blocklist := range links.Blocklists {
|
||||||
if err := a.updateBlocklist(defaultClient, blocklist, add_counters); err != nil {
|
if err := a.updateBlocklist(defaultClient, blocklist, add_counters); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func setAlertScenario(alert *models.Alert, add_counters map[string]map[string]int, delete_counters map[string]map[string]int) {
|
func setAlertScenario(alert *models.Alert, add_counters map[string]map[string]int, delete_counters map[string]map[string]int) {
|
||||||
if *alert.Source.Scope == types.CAPIOrigin {
|
if *alert.Source.Scope == types.CAPIOrigin {
|
||||||
*alert.Source.Scope = SCOPE_CAPI_ALIAS_ALIAS
|
*alert.Source.Scope = types.CommunityBlocklistPullSourceScope
|
||||||
alert.Scenario = ptr.Of(fmt.Sprintf("update : +%d/-%d IPs", add_counters[types.CAPIOrigin]["all"], delete_counters[types.CAPIOrigin]["all"]))
|
alert.Scenario = ptr.Of(fmt.Sprintf("update : +%d/-%d IPs", add_counters[types.CAPIOrigin]["all"], delete_counters[types.CAPIOrigin]["all"]))
|
||||||
} else if *alert.Source.Scope == types.ListOrigin {
|
} else if *alert.Source.Scope == types.ListOrigin {
|
||||||
*alert.Source.Scope = fmt.Sprintf("%s:%s", types.ListOrigin, *alert.Scenario)
|
*alert.Source.Scope = fmt.Sprintf("%s:%s", types.ListOrigin, *alert.Scenario)
|
||||||
|
|
|
@ -689,7 +689,7 @@ func TestAPICWhitelists(t *testing.T) {
|
||||||
alertScenario[alert.SourceScope]++
|
alertScenario[alert.SourceScope]++
|
||||||
}
|
}
|
||||||
assert.Equal(t, 3, len(alertScenario))
|
assert.Equal(t, 3, len(alertScenario))
|
||||||
assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
|
assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
|
||||||
assert.Equal(t, 1, alertScenario["lists:blocklist1"])
|
assert.Equal(t, 1, alertScenario["lists:blocklist1"])
|
||||||
assert.Equal(t, 1, alertScenario["lists:blocklist2"])
|
assert.Equal(t, 1, alertScenario["lists:blocklist2"])
|
||||||
|
|
||||||
|
@ -818,7 +818,7 @@ func TestAPICPullTop(t *testing.T) {
|
||||||
alertScenario[alert.SourceScope]++
|
alertScenario[alert.SourceScope]++
|
||||||
}
|
}
|
||||||
assert.Equal(t, 3, len(alertScenario))
|
assert.Equal(t, 3, len(alertScenario))
|
||||||
assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
|
assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
|
||||||
assert.Equal(t, 1, alertScenario["lists:blocklist1"])
|
assert.Equal(t, 1, alertScenario["lists:blocklist1"])
|
||||||
assert.Equal(t, 1, alertScenario["lists:blocklist2"])
|
assert.Equal(t, 1, alertScenario["lists:blocklist2"])
|
||||||
|
|
||||||
|
|
|
@ -859,8 +859,24 @@ func AlertPredicatesFromFilter(filter map[string][]string) ([]predicate.Alert, e
|
||||||
predicates = append(predicates, alert.HasDecisionsWith(decision.OriginEQ(value[0])))
|
predicates = append(predicates, alert.HasDecisionsWith(decision.OriginEQ(value[0])))
|
||||||
case "include_capi": //allows to exclude one or more specific origins
|
case "include_capi": //allows to exclude one or more specific origins
|
||||||
if value[0] == "false" {
|
if value[0] == "false" {
|
||||||
predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))))
|
predicates = append(predicates, alert.And(
|
||||||
predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))))
|
//do not show alerts with active decisions having origin CAPI or lists
|
||||||
|
alert.And(
|
||||||
|
alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))),
|
||||||
|
alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))),
|
||||||
|
),
|
||||||
|
alert.Not(
|
||||||
|
alert.And(
|
||||||
|
//do not show neither alerts with no decisions if the Source Scope is lists: or CAPI
|
||||||
|
alert.Not(alert.HasDecisions()),
|
||||||
|
alert.Or(
|
||||||
|
alert.SourceScopeHasPrefix(types.ListOrigin+":"),
|
||||||
|
alert.SourceScopeEQ(types.CommunityBlocklistPullSourceScope),
|
||||||
|
),
|
||||||
|
),
|
||||||
|
),
|
||||||
|
),
|
||||||
|
)
|
||||||
|
|
||||||
} else if value[0] != "true" {
|
} else if value[0] != "true" {
|
||||||
log.Errorf("Invalid bool '%s' for include_capi", value[0])
|
log.Errorf("Invalid bool '%s' for include_capi", value[0])
|
||||||
|
|
|
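Review bot: The new comment `//do not show alerts with active decisions having origin CAPI or lists` promises more than the predicate checks: `alert.HasDecisionsWith(decision.OriginEQ(...))` carries no expiry condition, so an alert whose CAPI or lists decisions have all expired is still hidden unless expired decisions are purged elsewhere — either add an until-based clause to the `HasDecisionsWith` predicates if "active" is intended, or drop the word so the comment matches the query. The nesting can also be flattened, since `alert.And` is variadic: `alert.And(alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))), alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))), alert.Not(alert.And(alert.Not(alert.HasDecisions()), alert.Or(...))))`, which removes one level of parentheses the reader has to match. The `case` comment `//allows to exclude one or more specific origins` describes the `origin` filter above rather than this branch; `//include_capi=false hides alerts carrying CAPI/lists decisions, and decision-less alerts whose source scope is a list or the community blocklist` would state what the predicate actually does. `AlertPredicatesFromFilter` starts and ends outside the hunk.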
@ -17,6 +17,7 @@ const ConsoleOrigin = "console"
|
||||||
const CscliImportOrigin = "cscli-import"
|
const CscliImportOrigin = "cscli-import"
|
||||||
const ListOrigin = "lists"
|
const ListOrigin = "lists"
|
||||||
const CAPIOrigin = "CAPI"
|
const CAPIOrigin = "CAPI"
|
||||||
|
const CommunityBlocklistPullSourceScope = "crowdsecurity/community-blocklist"
|
||||||
|
|
||||||
const DecisionTypeBan = "ban"
|
const DecisionTypeBan = "ban"
|
||||||
|
|
||||||
|
|
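Review bot: The new exported constant `CommunityBlocklistPullSourceScope` has no doc comment, and the commit drops the only explanation of its value (the comment on the removed `SCOPE_CAPI_ALIAS_ALIAS` in the apic hunk). Suggest `// CommunityBlocklistPullSourceScope is the alert source scope recorded for community-blocklist (CAPI) pulls; the raw "CAPI" origin is not exposed as a scope to avoid confusing users.` on the line before it. Unlike its neighbours it is an alert source scope rather than a decision origin — the `include_capi` filter compares it with `alert.SourceScopeEQ` — so saying so in the comment, or separating it from the `*Origin` group with a blank line, would stop readers from treating it as another origin value.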