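// Source: github.com/crowdsecurity/crowdsec@v1.6.1/pkg/leakybucket/overflow_filter.go

package leakybucket

import (
	"fmt"

	"github.com/antonmedv/expr"
	"github.com/antonmedv/expr/vm"

	"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
	"github.com/crowdsecurity/crowdsec/pkg/types"
)

// OverflowFilter is a bucket processor that evaluates an expr expression at
// overflow time and discards the alert when the expression returns false.
//
// Filter holds the expression source as taken from the bucket factory and
// FilterRuntime the program compiled from it. The embedded DumbProcessor
// presumably supplies the remaining processor hooks (verify against its
// definition).
type OverflowFilter struct {
	Filter        string
	FilterRuntime *vm.Program
	DumbProcessor
}

// NewOverflowFilter compiles g.OverflowFilter into an expr program.
//
// The expression is compiled against an environment exposing three names:
// "queue" (*types.Queue), "signal" (*types.RuntimeAlert) and "leaky" (*Leaky).
// A compilation failure is logged on g.logger and returned wrapped, so callers
// can still inspect the underlying expr error with errors.Is / errors.As.
func NewOverflowFilter(g *BucketFactory) (*OverflowFilter, error) {
	u := OverflowFilter{Filter: g.OverflowFilter}

	exprEnv := map[string]interface{}{
		"queue":  &types.Queue{},
		"signal": &types.RuntimeAlert{},
		"leaky":  &Leaky{},
	}

	prog, err := expr.Compile(u.Filter, exprhelpers.GetExprOptions(exprEnv)...)
	if err != nil {
		g.logger.Errorf("Unable to compile filter : %v", err)
		return nil, fmt.Errorf("unable to compile filter : %w", err)
	}
	u.FilterRuntime = prog

	return &u, nil
}

// OnBucketOverflow returns the overflow hook for this filter.
//
// The returned function runs the compiled expression with "queue", "signal"
// and "leaky" bound to the overflowing bucket's data:
//   - expression returns true: the alert and queue are passed through unchanged;
//   - expression returns false: the alert is replaced by an empty RuntimeAlert
//     carrying only the bucket Mapkey, and the queue is dropped (nil);
//   - evaluation error or non-bool result: the alert and queue are passed
//     through unchanged and the problem is logged.
//
// The last case means a broken filter never suppresses an alert. Operators
// should watch for these error logs, since a filter that silently stopped
// filtering shows up only as extra alerts.
func (u *OverflowFilter) OnBucketOverflow(Bucket *BucketFactory) func(*Leaky, types.RuntimeAlert, *types.Queue) (types.RuntimeAlert, *types.Queue) {
	return func(l *Leaky, s types.RuntimeAlert, q *types.Queue) (types.RuntimeAlert, *types.Queue) {
		el, err := exprhelpers.Run(u.FilterRuntime, map[string]interface{}{
			"queue": q, "signal": s, "leaky": l}, l.logger, Bucket.Debug)
		if err != nil {
			l.logger.Errorf("Failed running overflow filter: %s", err)
			return s, q
		}

		keep, ok := el.(bool)
		if !ok {
			// err is nil on this path, so report the type that was actually
			// returned instead of formatting a nil error.
			l.logger.Errorf("Overflow filter didn't return bool: got %T", el)
			return s, q
		}

		// The filter returned false: the event is blackholed.
		if !keep {
			l.logger.Infof("Event is discarded by overflow filter (%s)", u.Filter)
			return types.RuntimeAlert{
				Mapkey: l.Mapkey,
			}, nil
		}

		l.logger.Tracef("Event is not discarded by overflow filter (%s)", u.Filter)
		return s, q
	}
}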