crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.59k stars 442 forks

[enhancement] Ordering of s02-enrich to prevent confusion #3153

Open LaurenceJJones opened 1 month ago

LaurenceJJones commented 1 month ago

Preface

When a user is creating a whitelist that depends on other properties created in the s02 stage, if they name the file / name property of the YAML so that alphabetically it occurs before crowdsecurity/geoip-enrich, it means they could have a failed whitelist, and it isn't really explained anywhere.

Example

My name is Bob. I create bob/country-whitelist, which depends on evt.Meta.iso_code. Since my name is bob, alphabetically it comes before crowdsecurity, so in the ordering process my whitelist is placed before geoip-enrich, meaning my whitelist always fails.

Potential solutions

Force method items to top

This is solely based on geoip-enrich, so it might not be a good idea, but any static that contains a method func should be pushed to the top of the items list, as most likely other stage items are based on what this provides.

Create a s03 from docs POV

Instead of trying to achieve it via code, we could update our docs to introduce a new s03-whitelist stage, since it happens after the s02 stage. The only issue is that this stage will not have any successful stage items: there is currently a bug that if no item in a stage succeeds it classes the whole stage as unsuccessful, meaning there has to be at least one item that succeeds.

Create a hierarchy based on expressions

This is more involved and most likely will not be an option. Basically, when we parse the expression we detect which meta properties the expression is based on and create a hierarchy from this, meaning if an expression is based on evt.Meta.iso_code we know this stage item needs to execute after the geoip-enrich item.

The example above is for geoip-enrich; however, we have multiple enricher functions that should also be handled, such as HTTP-based events.
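The ordering problem described above, and the expression-based hierarchy proposed as the third option, as an added illustrative Go program (not CrowdSec's own parser code). It models stage items with a name, an optional enrichment method, the evt.Meta keys that method is assumed to fill, and the whitelist expressions an item evaluates; the geoip result (`iso_code = "FR"`) and the tiny `evt.Meta.<key> == '<value>'` evaluator are constructed stand-ins for the real enricher and expr engine. Alphabetical ordering runs bob/country-whitelist before crowdsecurity/geoip-enrich and the whitelist never matches; ordering by the Meta keys each expression references places the enricher first.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// StageItem is an illustrative model of one parser item in a stage, not
// CrowdSec's own structure. Method marks an enricher; Provides lists the
// evt.Meta keys it is assumed to fill; Expressions are whitelist conditions.
type StageItem struct {
	Name        string
	Method      string
	Provides    []string
	Expressions []string
}

// Event carries only the Meta map this example needs.
type Event struct{ Meta map[string]string }

var metaRef = regexp.MustCompile(`evt\.Meta\.([A-Za-z_][A-Za-z0-9_]*)`)
var eqExpr = regexp.MustCompile(`^evt\.Meta\.([A-Za-z_][A-Za-z0-9_]*) == '([^']*)'$`)

// metaDeps returns the Meta keys referenced by an item's expressions.
func metaDeps(it StageItem) []string {
	seen := map[string]bool{}
	var deps []string
	for _, e := range it.Expressions {
		for _, m := range metaRef.FindAllStringSubmatch(e, -1) {
			if !seen[m[1]] {
				seen[m[1]] = true
				deps = append(deps, m[1])
			}
		}
	}
	return deps
}

// OrderAlphabetically reproduces the ordering the issue describes: by name,
// so "bob/..." lands before "crowdsecurity/...".
func OrderAlphabetically(items []StageItem) []StageItem {
	out := append([]StageItem(nil), items...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// OrderByDependency places an item that references evt.Meta.X after every item
// whose method provides X; otherwise alphabetical order is kept.
func OrderByDependency(items []StageItem) []StageItem {
	sorted := OrderAlphabetically(items)
	provider := map[string][]int{} // Meta key -> indexes of providing items
	for i, it := range sorted {
		for _, k := range it.Provides {
			provider[k] = append(provider[k], i)
		}
	}
	var out []StageItem
	done := make([]bool, len(sorted))
	var visit func(i int)
	visit = func(i int) {
		if done[i] {
			return
		}
		done[i] = true // marked before recursing so a cyclic reference cannot loop
		for _, k := range metaDeps(sorted[i]) {
			for _, p := range provider[k] {
				visit(p)
			}
		}
		out = append(out, sorted[i])
	}
	for i := range sorted {
		visit(i)
	}
	return out
}

// RunStage applies items in order and returns the names of those that succeeded.
// The geoip result is constructed; a real enricher would look up the source IP.
func RunStage(items []StageItem, evt *Event) []string {
	var ok []string
	for _, it := range items {
		if it.Method == "geoip" {
			evt.Meta["iso_code"] = "FR"
			ok = append(ok, it.Name)
			continue
		}
		matched := len(it.Expressions) > 0
		for _, e := range it.Expressions {
			m := eqExpr.FindStringSubmatch(e)
			if m == nil || evt.Meta[m[1]] != m[2] {
				matched = false
				break
			}
		}
		if matched {
			ok = append(ok, it.Name)
		}
	}
	return ok
}

// ExampleItems is the scenario from the issue: Bob's whitelist beside geoip-enrich.
func ExampleItems() []StageItem {
	return []StageItem{
		{Name: "crowdsecurity/geoip-enrich", Method: "geoip", Provides: []string{"iso_code"}},
		{Name: "bob/country-whitelist", Expressions: []string{"evt.Meta.iso_code == 'FR'"}},
	}
}

// WhitelistSucceeds reports whether bob/country-whitelist matches under the given ordering.
func WhitelistSucceeds(order func([]StageItem) []StageItem) bool {
	evt := &Event{Meta: map[string]string{}}
	for _, name := range RunStage(order(ExampleItems()), evt) {
		if name == "bob/country-whitelist" {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("alphabetical order, whitelist matched:", WhitelistSucceeds(OrderAlphabetically))
	fmt.Println("dependency order, whitelist matched:  ", WhitelistSucceeds(OrderByDependency))
}
```

The dependency walk is a plain depth-first topological order over the Meta keys an expression mentions, which is all the third option needs; the first option (pushing every item with a method to the top) is the degenerate case where every item is treated as providing every key.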

github-actions[bot] commented 1 month ago

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

github-actions[bot] commented 1 month ago

@LaurenceJJones: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.