
Bug/ Postoverflow assigned metadata not visible to notifications

Open RaphMad opened this issue 3 years ago • 3 comments

Describe the bug

When using a postoverflow parser performing a `statics: - meta` assignment, the assigned value is not present in the object passed for notification rendering.

When using the same parser in the s02-enrich stage, the value is present for notifications.

To Reproduce

Steps to reproduce the behavior:

  1. Install a postoverflow parser performing a meta-assignment, e.g.: https://github.com/crowdsecurity/hub/blob/master/postoverflows/s00-enrich/crowdsecurity/rdns.yaml
  2. Trigger any scenario
  3. Verify in the logfile that the value is assigned: time="10-03-2022 12:28:38" level=debug msg=".Meta[reverse_dns] = 'REDACTED.net.'" id=shy-night name=crowdsecurity/rdns stage=s00-enrich

Expected behavior

When rendering the generated notification via {{ . | toJson }}, a Meta entry with key reverse_dns and value REDACTED.net. should be present.

Technical Information (please complete the following information):

  • OS: Debian/dockerized
  • Version: v1.3.1

Additional context

When manually moving the postoverflow parser into s02-enrich instead, the meta value reverse_dns is visible within notifications rendered with {{ . | toJson }} as expected! So this bug seems to be a quirk related to postoverflow parsers.

Mar 10 '22 11:03 RaphMad

Hey, sorry about literally no response. I am going to try to replicate this now.

May 26 '23 13:05 LaurenceJJones

I can confirm this behaviour still exists in the latest version. We are tracking down the issue.

Aug 21 '23 10:08 LaurenceJJones

The issue exists in how the postoverflow alert works.

When overflown, the bucket created the overflow state, and when we pass to postoverflow it only keeps the meta/enricher/parsed within the event created for that state only; it's not passed to the Overflown alert.

Now this gets tricky, as where do we inject the metadata? As events are the metadata within the poured event and postoverflow does not really class as an event. There is a Metadata property on the base alert which has now been used for alert context; however, we cannot inject the data here as it will be forwarded to CAPI and has to be a string in the form of a slice.

@buixor thoughts?

Aug 21 '23 13:08 LaurenceJJones