crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.75k stars 452 forks

Cscli explain --show-final-values #2326

Open LaurenceJJones opened 1 year ago

LaurenceJJones commented 1 year ago

What would you like to be added?

Hey team 👋🏻

When helping users write a custom scenario for a given log line (or lines), I often tell them to run cscli explain so they can see which variables are parsed. However, the output can be daunting and confusing if a variable is overwritten further down the line.

My feature request is to add a flag to explain that only shows the final value of each variable, dumped as a list. For example, running an nginx log line currently gets you:

```
$ cscli explain --log '213.10.10.10 - - [04/Jul/2023:08:38:52 +0000] "GET /img/secret/secret.txt HTTP/1.1" 404 153 "-" "curl/8.1.2""-"' --type nginx -v
line: 213.10.10.10 - - [04/Jul/2023:08:38:52 +0000] "GET /img/secret/secret.txt HTTP/1.1" 404 153 "-" "curl/8.1.2""-"
    ├ s00-raw
    |   ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
    |       ├ update evt.ExpectMode : %!s(int=0) -> 1
    |       ├ update evt.Stage : -> s01-parse
    |       ├ update evt.Line.Raw : -> 213.10.10.10 - - [04/Jul/2023:08:38:52 +0000] "GET /img/secret/secret.txt HTTP/1.1" 404 153 "-" "curl/8.1.2""-"
    |       ├ update evt.Line.Src : -> /tmp/cscli_explain2007969521/cscli_test_tmp.log
    |       ├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-04 08:58:21.379040771 +0000 UTC
    |       ├ create evt.Line.Labels.type : nginx
    |       ├ update evt.Line.Process : %!s(bool=false) -> true
    |       ├ update evt.Line.Module : -> file
    |       ├ create evt.Parsed.message : 213.10.10.10 - - [04/Jul/2023:08:38:52 +0000] "GET /img/secret/secret.txt HTTP/1.1" 404 153 "-" "curl/8.1.2""-"
    |       ├ create evt.Parsed.program : nginx
    |       ├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-04 08:58:21.379058029 +0000 UTC
    |       ├ create evt.Meta.datasource_path : /tmp/cscli_explain2007969521/cscli_test_tmp.log
    |       ├ create evt.Meta.datasource_type : file
    ├ s01-parse
    |   ├ 🟢 crowdsecurity/nginx-logs (+22 ~2)
    |       ├ update evt.Stage : s01-parse -> s02-enrich
    |       ├ create evt.Parsed.verb : GET
    |       ├ create evt.Parsed.http_user_agent : curl/8.1.2
    |       ├ create evt.Parsed.http_version : 1.1
    |       ├ create evt.Parsed.remote_user : -
    |       ├ create evt.Parsed.request : /img/secret/secret.txt
    |       ├ create evt.Parsed.target_fqdn :
    |       ├ create evt.Parsed.body_bytes_sent : 153
    |       ├ create evt.Parsed.proxy_upstream_name :
    |       ├ create evt.Parsed.request_length :
    |       ├ create evt.Parsed.request_time :
    |       ├ create evt.Parsed.time_local : 04/Jul/2023:08:38:52 +0000
    |       ├ create evt.Parsed.proxy_alternative_upstream_name :
    |       ├ create evt.Parsed.remote_addr : 213.10.10.10
    |       ├ create evt.Parsed.status : 404
    |       ├ create evt.Parsed.http_referer : -
    |       ├ update evt.StrTime : -> 04/Jul/2023:08:38:52 +0000
    |       ├ create evt.Meta.log_type : http_access-log
    |       ├ create evt.Meta.http_path : /img/secret/secret.txt
    |       ├ create evt.Meta.http_status : 404
    |       ├ create evt.Meta.http_user_agent : curl/8.1.2
    |       ├ create evt.Meta.http_verb : GET
    |       ├ create evt.Meta.service : http
    |       ├ create evt.Meta.source_ip : 213.10.10.10
    ├ s02-enrich
    |   ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ create evt.Enriched.MarshaledTime : 2023-07-04T08:38:52Z
    |       ├ update evt.Time : 2023-07-04 08:58:21.379058029 +0000 UTC -> 2023-07-04 08:38:52 +0000 UTC
    |       ├ update evt.MarshaledTime : -> 2023-07-04T08:38:52Z
    |       ├ create evt.Meta.timestamp : 2023-07-04T08:38:52Z
    |   ├ 🟢 crowdsecurity/geoip-enrich (+13)
    |       ├ create evt.Enriched.IsoCode : NL
    |       ├ create evt.Enriched.SourceRange : 213.10.0.0/16
    |       ├ create evt.Enriched.ASNNumber : 1136
    |       ├ create evt.Enriched.ASNumber : 1136
    |       ├ create evt.Enriched.Latitude : 52.347400
    |       ├ create evt.Enriched.Longitude : 4.928400
    |       ├ create evt.Enriched.ASNOrg : KPN B.V.
    |       ├ create evt.Enriched.IsInEU : true
    |       ├ create evt.Meta.IsoCode : NL
    |       ├ create evt.Meta.ASNNumber : 1136
    |       ├ create evt.Meta.IsInEU : true
    |       ├ create evt.Meta.SourceRange : 213.10.0.0/16
    |       ├ create evt.Meta.ASNOrg : KPN B.V.
    |   ├ 🟢 crowdsecurity/http-logs (+7)
    |       ├ create evt.Parsed.static_ressource : false
    |       ├ create evt.Parsed.file_ext : .txt
    |       ├ create evt.Parsed.file_name : secret.txt
    |       ├ create evt.Parsed.file_frag : secret
    |       ├ create evt.Parsed.impact_completion : false
    |       ├ create evt.Parsed.file_dir : /img/secret/
    |       ├ create evt.Meta.http_args_len : 0
    |   ├ 🟢 crowdsecurity/nextcloud-whitelist (unchanged)
    |   └ 🟢 crowdsecurity/whitelists (unchanged)
    ├-------- parser success 🟢
    ├ Scenarios
        ├ 🟢 crowdsecurity/http-crawl-non_statics
        └ 🟢 crowdsecurity/http-probing
```

However, when running with this flag I would get a list of the variables usable within scenarios:

```
[s01-stage]
evt.Parsed.http_referer = -
evt.Parsed.http_user_agent = curl/8.1.2
evt.Parsed.remote_addr = 213.10.10.10
evt.Parsed.remote_user = -
evt.Parsed.body_bytes_sent = 153
evt.Parsed.request = /img/secret/secret.txt
evt.Parsed.status = 404
evt.Parsed.verb = GET
evt.Parsed.proxy_alternative_upstream_name =
evt.Parsed.request_length =
evt.Parsed.time_local = 04/Jul/2023:08:38:52 +0000
evt.Parsed.http_version = 1.1
evt.Parsed.proxy_upstream_name = ""
evt.Parsed.request_time = ""
evt.Parsed.target_fqdn = ""
evt.Meta.source_ip = 213.10.10.10
evt.Meta.http_user_agent = curl/8.1.2
evt.Meta.http_verb = GET
evt.Meta.service = http
evt.Meta.http_path = /img/secret/secret.txt
evt.Meta.http_status = 404
evt.Meta.log_type = http_access-log
```

/kind enhancement

Why is this needed?

This is to simplify the output and not overload the user by requiring them to understand stages; these variables are what can be used within a scenario.
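As an added illustration of the folding this request asks for (example code written for this page, not part of the issue and not CrowdSec's own implementation of any `cscli` flag), the Go program below reads a verbose `cscli explain` dump, keeps only the last `create`/`update` per `evt.*` field, and prints one `name = value` line per field grouped by the stage that last wrote it. The embedded dump is a constructed, abridged excerpt in the format shown above; the `FinalValues` and `Render` names, the `Writes` counter and the prefix filter (`evt.Parsed.`/`evt.Meta.` by default) are assumptions of this example. It goes slightly beyond the proposed output by also attributing each field to its stage and by counting overwrites, which is exactly the information the tree view buries.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleDump is a constructed, abridged excerpt of `cscli explain -v` output for
// the nginx line from the issue; it was not captured from a real run.
const sampleDump = `line: 213.10.10.10 - - [04/Jul/2023:08:38:52 +0000] "GET /img/secret/secret.txt HTTP/1.1" 404 153 "-" "curl/8.1.2""-"
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (+5 ~8)
	|		├ update evt.Stage : -> s01-parse
	|		├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-07-04 08:58:21 +0000 UTC
	|		├ create evt.Parsed.program : nginx
	├ s01-parse
	|	├ 🟢 crowdsecurity/nginx-logs (+22 ~2)
	|		├ update evt.Stage : s01-parse -> s02-enrich
	|		├ create evt.Parsed.request : /img/secret/secret.txt
	|		├ create evt.Parsed.status : 404
	|		├ create evt.Parsed.target_fqdn :
	|		├ create evt.Meta.source_ip : 213.10.10.10
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
	|		├ update evt.Time : 2023-07-04 08:58:21 +0000 UTC -> 2023-07-04 08:38:52 +0000 UTC
	|		├ create evt.Meta.timestamp : 2023-07-04T08:38:52Z
	|	├ 🟢 crowdsecurity/http-logs (+7)
	|		├ create evt.Parsed.file_ext : .txt
	|		├ create evt.Meta.http_args_len : 0
`

// Var is the last-written state of one event field (names are this example's).
type Var struct {
	Name, Value string
	Stage       string // parsing stage whose parser wrote the field last
	Writes      int    // create/update lines that touched it; >1 means it was overwritten
}

var (
	stageRe  = regexp.MustCompile(`^[\s|├└]*(s\d{2}-[a-z]+)\s*$`)                      // "├ s01-parse"
	changeRe = regexp.MustCompile(`(create|update)\s+(evt\.[A-Za-z0-9_.]+)\s*:\s*(.*)$`) // "create evt.X : v" / "update evt.X : old -> new"
)

// FinalValues folds a verbose `cscli explain` dump into the final value of every
// evt.* field whose name starts with one of prefixes (empty prefixes keeps all).
func FinalValues(dump string, prefixes []string) map[string]Var {
	keep := func(name string) bool {
		for _, p := range prefixes {
			if strings.HasPrefix(name, p) {
				return true
			}
		}
		return len(prefixes) == 0
	}
	out, stage := map[string]Var{}, ""
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		if m := stageRe.FindStringSubmatch(sc.Text()); m != nil {
			stage = m[1] // tree header lines carry the stage; evt.Stage itself is ignored
			continue
		}
		m := changeRe.FindStringSubmatch(sc.Text())
		if m == nil || !keep(m[2]) {
			continue
		}
		val := strings.TrimSpace(m[3])
		if m[1] == "update" {
			// "old -> new": keep what is right of the last arrow. A value that itself
			// contains "->" would be truncated here (accepted limitation of this example).
			if i := strings.LastIndex(val, "->"); i >= 0 {
				val = strings.TrimSpace(val[i+2:])
			}
		}
		v := out[m[2]]
		v.Name, v.Value, v.Stage, v.Writes = m[2], val, stage, v.Writes+1
		out[m[2]] = v
	}
	return out
}

// Render prints one "name = value" line per field, grouped by the stage that last
// wrote it, so a scenario author sees only what is usable without reading the tree.
func Render(vars map[string]Var) string {
	byStage := map[string][]Var{}
	for _, v := range vars {
		byStage[v.Stage] = append(byStage[v.Stage], v)
	}
	stages := make([]string, 0, len(byStage))
	for s := range byStage {
		stages = append(stages, s)
	}
	sort.Strings(stages)
	var b strings.Builder
	for _, s := range stages {
		vs := byStage[s]
		sort.Slice(vs, func(i, j int) bool { return vs[i].Name < vs[j].Name })
		fmt.Fprintf(&b, "[%s]\n", s)
		for _, v := range vs {
			if v.Value == "" {
				v.Value = `""` // make empty captures visible, as in the proposed output
			}
			fmt.Fprintf(&b, "%s = %s\n", v.Name, v.Value)
		}
	}
	return b.String()
}

func main() {
	fmt.Print(Render(FinalValues(sampleDump, []string{"evt.Parsed.", "evt.Meta."})))
}
```

Running it with an empty prefix list shows why the flat view helps: `evt.Time` is written in s00-raw and again by `dateparse-enrich` in s02-enrich, and only the second value (the timestamp parsed from the log line) is what a scenario would actually see. Empty captures such as `target_fqdn` are printed as `""` rather than vanishing, since an empty-but-present field and a missing field behave differently in scenario expressions.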

github-actions[bot] commented 1 year ago

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

github-actions[bot] commented 1 year ago

@LaurenceJJones: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

MrAlucardDante commented 11 months ago

/kind enhancement