crowdsec
Implement reinject command to send notifications of alerts
- add a way to test notifications with cscli
Codecov Report
Merging #1638 (046b723) into master (e05515f) will increase coverage by 0.39%. The diff coverage is 16.44%.

```diff
@@ Coverage Diff @@
## master #1638 +/- ##
==========================================
+ Coverage 52.06% 52.45% +0.39%
==========================================
Files 136 137 +1
Lines 18866 19440 +574
==========================================
+ Hits 9823 10198 +375
- Misses 7971 8113 +142
- Partials 1072 1129 +57
```

| Flag | Coverage Δ | |
|---|---|---|
| func-crowdsec | 45.84% <ø> (+29.34%) | :arrow_up: |
| func-cscli | 41.63% <15.07%> (-2.97%) | :arrow_down: |
| unit-linux | 64.03% <23.07%> (-0.07%) | :arrow_down: |
| unit-windows | 53.46% <11.53%> (-0.12%) | :arrow_down: |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ | |
|---|---|---|
| pkg/csplugin/broker.go | 66.42% <13.04%> (-3.96%) | :arrow_down: |
| cmd/crowdsec-cli/notifications.go | 16.21% <15.07%> (-2.36%) | :arrow_down: |
| pkg/csplugin/watcher.go | 95.19% <100.00%> (+0.14%) | :arrow_up: |
| cmd/crowdsec-cli/metrics.go | 36.95% <0.00%> (-5.66%) | :arrow_down: |
| pkg/apiserver/controllers/v1/decisions.go | 50.28% <0.00%> (-4.64%) | :arrow_down: |
| pkg/parser/enrich_geoip.go | 43.00% <0.00%> (-4.20%) | :arrow_down: |
| cmd/crowdsec-cli/parsers.go | 48.59% <0.00%> (-2.15%) | :arrow_down: |
| cmd/crowdsec-cli/scenarios.go | 47.48% <0.00%> (-2.15%) | :arrow_down: |
| cmd/crowdsec-cli/postoverflows.go | 47.48% <0.00%> (-2.15%) | :arrow_down: |
| ... and 27 more | | |
@sabban: Can you add some doc to crowdsec-docs to accompany this plz? thanks :)
few feedbacks playing around with the feature!

* `notifications inspect`: the output currently looks like this:
  It might be interesting to link the relevant paths to the user rather than just dumping the content. As well, the formatting of the config content looks a bit awkward.
  As this feature is already merged, this should be taken care of in another PR. For now an issue is opened: https://github.com/crowdsecurity/crowdsec/issues/1712
* `notifications reinject`: I didn't manage to make the feature work, the alert fetched from the database has `Remediation` set to false and thus doesn't match the default profile.

```
./cscli -c dev.yaml alerts list
+----+-------------+----------------------+---------+----+-----------+--------------------------------+
| ID | VALUE       | REASON               | COUNTRY | AS | DECISIONS | CREATED AT                     |
+----+-------------+----------------------+---------+----+-----------+--------------------------------+
| 1  | Ip:1.2.3.42 | crowdsecurity/ssh-bf | AU      | 0  | ban:1     | 2022-07-29 12:30:50.590639512  |
|    |             |                      |         |    |           | +0000 UTC                      |
+----+-------------+----------------------+---------+----+-----------+--------------------------------+
./cscli -c dev.yaml notifications reinject 1
DEBU[0000] starting plugin args="[/home/bui/github/crowdsec/crowdsec-v1.4.1/tests/plugins/notification-slack]" path=/home/bui/github/crowdsec/crowdsec-v1.4.1/tests/plugins/notification-slack
DEBU[0000] plugin started path=/home/bui/github/crowdsec/crowdsec-v1.4.1/tests/plugins/notification-slack pid=581676
DEBU[0000] waiting for RPC address path=/home/bui/github/crowdsec/crowdsec-v1.4.1/tests/plugins/notification-slack
DEBU[0000] using plugin version=1
TRAC[0000] waiting for stdio data
INFO[29-07-2022 02:36:36 PM] registered plugin slack_default
INFO[29-07-2022 02:36:36 PM] The profile default_ip_remediation didn't match
INFO[29-07-2022 02:36:36 PM] plugingTomb dying
INFO[29-07-2022 02:36:36 PM] killing all plugins
DEBU[0000] received EOF, stopping recv loop err="rpc error: code = Unavailable desc = error reading from server: EOF"
DEBU[0000] plugin process exited path=/home/bui/github/crowdsec/crowdsec-v1.4.1/tests/plugins/notification-slack pid=581676
DEBU[0000] plugin exited
```
I guess it's the expected behaviour then. The alert is reinjected only if the profile is matched.
Thank you, I tested this with the Docker version and it works fine!
Config: https://github.com/datacenters-network/mails/blob/8122eafdc9527c9941aae2af8777434067035029/crowdsec/notifications/telegram.yaml
I am not sure about: `received EOF, stopping recv loop err="rpc error: code = Unavailable desc = error reading from server: EOF"`

```
DEBU[0000] starting plugin args="[/usr/local/lib/crowdsec/plugins/notification-http]" path=/usr/local/lib/crowdsec/plugins/notification-http
DEBU[0000] plugin started path=/usr/local/lib/crowdsec/plugins/notification-http pid=118
DEBU[0000] waiting for RPC address path=/usr/local/lib/crowdsec/plugins/notification-http
DEBU[0000] using plugin version=1
TRAC[0000] waiting for stdio data
INFO[09-11-2022 04:39:50 PM] registered plugin http_default
INFO[09-11-2022 04:39:50 PM] The profile default_ip_remediation matched, sending to its configured notification plugins
INFO[09-11-2022 04:39:50 PM] sleeping
INFO[09-11-2022 04:39:50 PM] The profile default_ip_remediation contains a 'on_success: break' so bailing out
INFO[09-11-2022 04:39:50 PM] pluginTomb dying
INFO[0000] received signal for http_default config @module=http-plugin
INFO[09-11-2022 04:39:50 PM] killing all plugins
DEBU[0000] received EOF, stopping recv loop err="rpc error: code = Unavailable desc = error reading from server: EOF"
DEBU[0000] plugin process exited path=/usr/local/lib/crowdsec/plugins/notification-http pid=118
DEBU[0000] plugin exited
```
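To show why the reinjected alert in the earlier review produced only `The profile default_ip_remediation didn't match`, and how the `on_success: break` seen in the log above ends the profile walk, here is an added Go model of profile evaluation. It is not crowdsec's code: the `Alert` and `Profile` types, `Dispatch`, and the constructed alert are assumptions that only mirror the shape of the default profile filter and the log messages on this page.

```go
package main

import "fmt"
// Alert holds just the fields a profile filter inspects (constructed stand-in, not crowdsec's model).
type Alert struct {
	Scope       string
	Value       string
	Remediation bool
}

// Profile mirrors a profiles.yaml entry: filter, notification plugins, on_success ("break"/"continue").
type Profile struct {
	Name          string
	Filter        func(Alert) bool
	Notifications []string
	OnSuccess     string
}

// DefaultProfiles reproduces the shipped default filter: only an Ip alert that carries a remediation fires.
var DefaultProfiles = []Profile{{
	Name:          "default_ip_remediation",
	Filter:        func(a Alert) bool { return a.Remediation && a.Scope == "Ip" },
	Notifications: []string{"slack_default"},
	OnSuccess:     "break",
}}

// Dispatch walks profiles in order and returns the plugins that would get the alert; on_success: break stops the walk.
func Dispatch(profiles []Profile, a Alert) []string {
	var targets []string
	for _, p := range profiles {
		if !p.Filter(a) {
			fmt.Printf("The profile %s didn't match\n", p.Name)
			continue
		}
		fmt.Printf("The profile %s matched, sending to its configured notification plugins\n", p.Name)
		targets = append(targets, p.Notifications...)
		if p.OnSuccess == "break" {
			break
		}
	}
	return targets
}

func main() {
	// Constructed alert shaped like the reviewer's DB row: a ban decision exists, Remediation is still false.
	stored := Alert{Scope: "Ip", Value: "1.2.3.42", Remediation: false}
	fmt.Println(Dispatch(DefaultProfiles, stored)) // []  (reinject is a no-op)
	stored.Remediation = true
	fmt.Println(Dispatch(DefaultProfiles, stored)) // [slack_default]
}
```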