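#!/usr/bin/env bats
# vim: ft=bats:list:ts=8:sts=4:sw=4:et:ai:si:

# Checks that the fields listed in console/context.yaml (evt.Parsed.*,
# evt.Meta.*) are copied into an alert's "meta" when crowdsec processes a
# burst of sshd "Invalid user" lines read through a syslog acquisition.

set -u

#######################################
# Emit six syslog-formatted sshd "Invalid user" lines, timestamped now.
# Repeating the line is what triggers the crowdsecurity/sshd scenario; the
# user name, client IP and host name in it are the values the test expects
# to find in the alert context.
# Outputs: the log lines on stdout
#######################################
fake_log() {
    local stamp
    # One date call for all six lines instead of one per line; the lines
    # are meant to land within the same second anyway.
    stamp=$(LC_ALL=C date '+%b %d %H:%M:%S ')
    for _ in {1..6}; do
        printf '%s%s\n' "$stamp" 'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424'
    done
}

setup_file() {
    load "../lib/setup_file.sh"
}

teardown_file() {
    load "../lib/teardown_file.sh"
}

# Fresh instance data plus the collection and parsers the sshd scenario
# needs (syslog framing, date enrichment, sshd rules).
setup() {
    load "../lib/setup.sh"
    ./instance-data load
    cscli collections install crowdsecurity/sshd --error
    cscli parsers install crowdsecurity/syslog-logs --error
    cscli parsers install crowdsecurity/dateparse-enrich --error
}

teardown() {
    ./instance-crowdsec stop
}

#----------

@test "$FILE 1.1.1.172 has context" {
    # mktemp creates the file itself, so no touch is needed; TMPDIR keeps
    # it inside the bats-managed per-test directory.
    tmpfile=$(TMPDIR="${BATS_TEST_TMPDIR}" mktemp)

    ACQUIS_YAML=$(config_get '.crowdsec_service.acquisition_path')

    # Unindented heredoc bodies: '<<-' strips leading tabs only, and this
    # file is space-indented (see the modeline), so the body would otherwise
    # carry the script's indentation into the YAML.
    cat <<EOT >"${ACQUIS_YAML}"
filename: $tmpfile
labels:
  type: syslog
EOT

    # we set the path here because the default is empty
    CONFIG_DIR=$(dirname "$CONFIG_YAML")
    CONTEXT_YAML="$CONFIG_DIR/console/context.yaml"
    export CONTEXT_YAML
    config_set '.crowdsec_service.console_context_path=strenv(CONTEXT_YAML)'
    mkdir -p "$CONFIG_DIR/console"

    # Quoted delimiter: nothing in this document needs shell expansion.
    cat <<'EOT' >"${CONTEXT_YAML}"
target_user:
  - evt.Parsed.sshd_invalid_user
source_ip:
  - evt.Parsed.sshd_client_ip
source_host:
  - evt.Meta.machine
EOT

    ./instance-crowdsec start
    # The two sleeps are timing assumptions, not synchronisation: one for
    # the acquisition to open the file, one for the lines to be parsed and
    # the alert to be stored. On a slow runner, lengthen them rather than
    # dropping them.
    sleep 2
    fake_log >>"${tmpfile}"
    sleep 2
    rm -f -- "${tmpfile}"

    rune -0 cscli alerts list -o json
    rune -0 jq '.[0].id' <(output)
    ALERT_ID="$output"
    rune -0 cscli alerts inspect "$ALERT_ID" -o json
    rune -0 jq -c '.meta | sort_by(.key) | map([.key,.value])' <(output)

    # Each context value is a JSON-encoded list stored as a string. The
    # user name and client IP come straight from the log line, i.e. from
    # the remote peer, so the assertion also pins that they are encoded
    # rather than spliced into the alert as raw text.
    assert_json '[["source_host","[\"sd-126005\"]"],["source_ip","[\"1.1.1.172\"]"],["target_user","[\"netflix\"]"]]'
}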