
Function AppsecEventGeneration

pkg/acquisition/modules/appsec/utils.go:104–271
(inEvt pipeline.Event, request *http.Request)


102}
104func AppsecEventGeneration(inEvt pipeline.Event, request *http.Request) (*pipeline.Event, error) {
105 // if the request didn't trigger inband rules or out-of-band rules, we don't want to generate an event to LAPI/CAPI
106 if !inEvt.Appsec.HasInBandMatches && !inEvt.Appsec.HasOutBandMatches {
107 return nil, nil
108 }
109
110 evt := pipeline.Event{}
111 evt.Type = pipeline.APPSEC
112 evt.Process = true
113 // Carry hook-published vars onto the overflow event so downstream
114 // consumers of the APPSEC alert (not just the LOG event) can see them.
115 if len(inEvt.Appsec.HookVars) > 0 {
116 evt.Appsec.HookVars = inEvt.Appsec.HookVars
117 }
118 sourceIP := inEvt.Parsed["source_ip"]
119 source := models.Source{
120 Value: &sourceIP,
121 IP: sourceIP,
122 Scope: new(types.Ip),
123 }
124
125 // Enrich source with GeoIP data
126 if err := AppsecEventGenerationGeoIPEnrich(&source); err != nil {
127 log.Errorf("unable to enrich source with GeoIP data : %s", err)
128 }
129
130 // Build overflow
131 evt.Overflow.Sources = make(map[string]models.Source)
132 evt.Overflow.Sources[sourceIP] = source
133
134 alert := models.Alert{}
135 alert.Capacity = new(int32(1))
136 alert.Events = make([]*models.Event, len(evt.Appsec.MatchedRules))
137
138 now := time.Now().UTC().Format(time.RFC3339)
139
140 // Create one event (in the overflow) per matched rule
141 for _, rule := range inEvt.Appsec.MatchedRules {
142 event := models.Event{}
143 meta := models.Meta{}
144
145 if rule_name, ok := rule["name"].(string); ok {
146 meta = append(meta, &models.MetaItems0{
147 Key: "rule_name",
148 Value: rule_name,
149 })
150 }
151 if msg, ok := rule["msg"].(string); ok {
152 meta = append(meta, &models.MetaItems0{
153 Key: "message",
154 Value: msg,
155 })
156 }
157 if uri, ok := rule["uri"].(string); ok {
158 meta = append(meta, &models.MetaItems0{
159 Key: "uri",
160 Value: uri,
161 })
