github.com/crowdsecurity/crowdsec@v1.6.1/pkg/types/event.go

github.com/crowdsecurity/crowdsec@v1.6.1/pkg/types/event.go (about)

     1  package types
     2  
     3  import (
     4  	"net"
     5  	"time"
     6  
     7  	log "github.com/sirupsen/logrus"
     8  
     9  	"github.com/antonmedv/expr/vm"
    10  	"github.com/crowdsecurity/crowdsec/pkg/models"
    11  )
    12  
    13  const (
    14  	LOG = iota
    15  	OVFLW
    16  	APPSEC
    17  )
    18  
    19  // Event is the structure representing a runtime event (log or overflow)
    20  type Event struct {
    21  	/* is it a log or an overflow */
    22  	Type            int    `yaml:"Type,omitempty" json:"Type,omitempty"`             //Can be types.LOG (0) or types.OVFLOW (1)
    23  	ExpectMode      int    `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"` //how to buckets should handle event : types.TIMEMACHINE or types.LIVE
    24  	Whitelisted     bool   `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
    25  	WhitelistReason string `yaml:"WhitelistReason,omitempty" json:"whitelist_reason,omitempty"`
    26  	//should add whitelist reason ?
    27  	/* the current stage of the line being parsed */
    28  	Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
    29  	/* original line (produced by acquisition) */
    30  	Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
    31  	/* output of groks */
    32  	Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
    33  	/* output of enrichment */
    34  	Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
    35  	/* output of Unmarshal */
    36  	Unmarshaled map[string]interface{} `yaml:"Unmarshaled,omitempty" json:"Unmarshaled,omitempty"`
    37  	/* Overflow */
    38  	Overflow      RuntimeAlert `yaml:"Overflow,omitempty" json:"Alert,omitempty"`
    39  	Time          time.Time    `yaml:"Time,omitempty" json:"Time,omitempty"` //parsed time `json:"-"` ``
    40  	StrTime       string       `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`
    41  	StrTimeFormat string       `yaml:"StrTimeFormat,omitempty" json:"StrTimeFormat,omitempty"`
    42  	MarshaledTime string       `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"`
    43  	Process       bool         `yaml:"Process,omitempty" json:"Process,omitempty"` //can be set to false to avoid processing line
    44  	Appsec        AppsecEvent  `yaml:"Appsec,omitempty" json:"Appsec,omitempty"`
    45  	/* Meta is the only part that will make it to the API - it should be normalized */
    46  	Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
    47  }
    48  
    49  func (e *Event) SetMeta(key string, value string) bool {
    50  	if e.Meta == nil {
    51  		e.Meta = make(map[string]string)
    52  	}
    53  	e.Meta[key] = value
    54  	return true
    55  }
    56  
    57  func (e *Event) SetParsed(key string, value string) bool {
    58  	if e.Parsed == nil {
    59  		e.Parsed = make(map[string]string)
    60  	}
    61  	e.Parsed[key] = value
    62  	return true
    63  }
    64  
    65  func (e *Event) GetType() string {
    66  	if e.Type == OVFLW {
    67  		return "overflow"
    68  	} else if e.Type == LOG {
    69  		return "log"
    70  	} else {
    71  		log.Warningf("unknown event type for %+v", e)
    72  		return "unknown"
    73  	}
    74  }
    75  
    76  func (e *Event) GetMeta(key string) string {
    77  	if e.Type == OVFLW {
    78  		for _, alert := range e.Overflow.APIAlerts {
    79  			for _, event := range alert.Events {
    80  				if event.GetMeta(key) != "" {
    81  					return event.GetMeta(key)
    82  				}
    83  			}
    84  		}
    85  	} else if e.Type == LOG {
    86  		for k, v := range e.Meta {
    87  			if k == key {
    88  				return v
    89  			}
    90  		}
    91  	}
    92  	return ""
    93  }
    94  
    95  func (e *Event) ParseIPSources() []net.IP {
    96  	var srcs []net.IP
    97  	switch e.Type {
    98  	case LOG:
    99  		if _, ok := e.Meta["source_ip"]; ok {
   100  			srcs = append(srcs, net.ParseIP(e.Meta["source_ip"]))
   101  		}
   102  	case OVFLW:
   103  		for k := range e.Overflow.Sources {
   104  			srcs = append(srcs, net.ParseIP(k))
   105  		}
   106  	}
   107  	return srcs
   108  }
   109  
   110  // Move in leakybuckets
   111  const (
   112  	Undefined = ""
   113  	Ip        = "Ip"
   114  	Range     = "Range"
   115  	Filter    = "Filter"
   116  	Country   = "Country"
   117  	AS        = "AS"
   118  )
   119  
   120  // Move in leakybuckets
   121  type ScopeType struct {
   122  	Scope         string `yaml:"type"`
   123  	Filter        string `yaml:"expression"`
   124  	RunTimeFilter *vm.Program
   125  }
   126  
   127  type RuntimeAlert struct {
   128  	Mapkey      string                   `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`
   129  	BucketId    string                   `yaml:"BucketId,omitempty" json:"BucketId,omitempty"`
   130  	Whitelisted bool                     `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
   131  	Reprocess   bool                     `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
   132  	Sources     map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"`
   133  	Alert       *models.Alert            `yaml:"Alert,omitempty" json:"Alert,omitempty"` //this one is a pointer to APIAlerts[0] for convenience.
   134  	//APIAlerts will be populated at the end when there is more than one source
   135  	APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
   136  }
   137  
   138  func (r RuntimeAlert) GetSources() []string {
   139  	ret := make([]string, 0)
   140  	for key := range r.Sources {
   141  		ret = append(ret, key)
   142  	}
   143  	return ret
   144  }