Disable geoip-enrich in the hub files
authorCyril Brulebois <cyril@debamax.com>
Fri, 22 Jan 2021 14:35:42 +0000 (14:35 +0000)
committerCyril Brulebois <cyril@debamax.com>
Sat, 18 Mar 2023 23:25:07 +0000 (23:25 +0000)
It would download GeoLite2*.mmdb files from the network. Let users
enable the hub by themselves if they want to use it.

When refreshing this patch, don't forget to update both digest and
content fields, using:

 - digest: sha256sum hub1/collections/crowdsecurity/linux.yaml
 - content: base64 -w 0 /etc/crowdsec/collections/linux.yaml

Gbp-Pq: Name 0004-disable-geoip-enrich.patch

hub1/.index.json
hub1/collections/crowdsecurity/linux.yaml
hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml [deleted file]

index a3198f0f7a67d905ea7cf83786da4091ba411c64..fe3dafe928167d7020ed00d333d49aca5db11413 100644 (file)
    },
    "long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGZyZWVic2QqKgoKY29udGFpbnMgc3VwcG9ydCBmb3Igc3lzbG9nLCBkbyBub3QgcmVtb3ZlLgo=",
    "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGZyZWVic2Qgc3VwcG9ydCA6IHN5c2xvZytnZW9pcCtzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gZnJlZWJzZCAKCg==",
-   "description": "core freebsd support : syslog+geoip+ssh",
+   "description": "core freebsd support : syslog+ssh",
    "author": "crowdsecurity",
    "labels": null,
    "parsers": [
     "crowdsecurity/syslog-logs",
-    "crowdsecurity/geoip-enrich",
     "crowdsecurity/dateparse-enrich"
    ],
    "collections": [
      "deprecated": false
     },
     "0.2": {
-     "digest": "baaa37b12b4d734fab81ae01ff81c58ceb7a99304f21e6bb6ff86b871ed6d5eb",
+     "digest": "21ac34a4e2146ac8cd42f8377e1af5ead7eef5447bf3d6b0bf4e8ca456a7c16d",
      "deprecated": false
     }
    },
    "long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGxpbnV4KioKCmNvbnRhaW5zIHN1cHBvcnQgZm9yIHN5c2xvZywgZG8gbm90IHJlbW92ZS4K",
-   "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGxpbnV4IHN1cHBvcnQgOiBzeXNsb2crZ2VvaXArc3NoIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4Cgo=",
-   "description": "core linux support : syslog+geoip+ssh",
+   "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZGF0ZXBhcnNlLWVucmljaApjb2xsZWN0aW9uczoKICAtIGNyb3dkc2VjdXJpdHkvc3NoZApkZXNjcmlwdGlvbjogImNvcmUgbGludXggc3VwcG9ydCA6IHN5c2xvZytzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gbGludXgKCg==",
+   "description": "core linux support : syslog+ssh",
    "author": "crowdsecurity",
    "labels": null,
    "parsers": [
     "crowdsecurity/syslog-logs",
-    "crowdsecurity/geoip-enrich",
     "crowdsecurity/dateparse-enrich"
    ],
    "collections": [
    "parsers": [
     "crowdsecurity/syslog-logs",
     "crowdsecurity/magento-extension-logs",
-    "crowdsecurity/dateparse-enrich",
-    "crowdsecurity/geoip-enrich"
+    "crowdsecurity/dateparse-enrich"
    ],
    "scenarios": [
     "crowdsecurity/http-magento-bf",
    "parsers": [
     "crowdsecurity/windows-logs",
     "crowdsecurity/windows-auth",
-    "crowdsecurity/geoip-enrich",
     "crowdsecurity/dateparse-enrich"
    ],
    "scenarios": [
    "author": "crowdsecurity",
    "labels": null
   },
-  "crowdsecurity/geoip-enrich": {
-   "path": "parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml",
-   "stage": "s02-enrich",
-   "version": "0.2",
-   "versions": {
-    "0.1": {
-     "digest": "c0718adfc71ad462ad90485ad5c490e5de0e54d8af425bff552994e114443ab6",
-     "deprecated": false
-    },
-    "0.2": {
-     "digest": "ab327e6044a32de7d2f3780cbc8e0c4af0c11716f353023d2dc7b986571bb765",
-     "deprecated": false
-    }
-   },
-   "long_description": "VGhlIEdlb0lQIG1vZHVsZSByZWxpZXMgb24gZ2VvbGl0ZSBkYXRhYmFzZSB0byBwcm92aWRlIGVucmljaG1lbnQgb24gc291cmNlIGlwLgoKVGhlIGZvbGxvd2luZyBpbmZvcm1hdGlvbnMgd2lsbCBiZSBhZGRlZCB0byB0aGUgZXZlbnQgOgogLSBgTWV0YS5Jc29Db2RlYCA6IHR3by1sZXR0ZXJzIGNvdW50cnkgY29kZQogLSBgTWV0YS5Jc0luRVVgIDogYSBib29sZWFuIGluZGljYXRpbmcgaWYgSVAgaXMgaW4gRVUKIC0gYE1ldGEuR2VvQ29vcmRzYCA6IGxhdGl0dWRlICYgbG9uZ2l0dWRlIG9mIElQCiAtIGBNZXRhLkFTTk51bWJlcmAgOiBBdXRvbm9tb3VzIFN5c3RlbSBOdW1iZXIKIC0gYE1ldGEuQVNOT3JnYCA6IEF1dG9ub21vdXMgU3lzdGVtIE5hbWUKIC0gYE1ldGEuU291cmNlUmFuZ2VgIDogVGhlIHB1YmxpYyByYW5nZSB0byB3aGljaCB0aGUgSVAgYmVsb25ncwoKClRoaXMgY29uZmlndXJhdGlvbiBpbmNsdWRlcyBHZW9MaXRlMiBkYXRhIGNyZWF0ZWQgYnkgTWF4TWluZCBhdmFpbGFibGUgZnJvbSBbaHR0cHM6Ly93d3cubWF4bWluZC5jb21dKGh0dHBzOi8vd3d3Lm1heG1pbmQuY29tKSwgaXQgaW5jbHVkZXMgdHdvIGRhdGEgZmlsZXM6IAoqIFtHZW9MaXRlMi1DaXR5Lm1tZGJdKGh0dHBzOi8vY3Jvd2RzZWMtc3RhdGljcy1hc3NldHMuczMtZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vR2VvTGl0ZTItQ2l0eS5tbWRiKQoqIFtHZW9MaXRlMi1BU04ubW1kYl0oaHR0cHM6Ly9jcm93ZHNlYy1zdGF0aWNzLWFzc2V0cy5zMy1ldS13ZXN0LTEuYW1hem9uYXdzLmNvbS9HZW9MaXRlMi1BU04ubW1kYikKCg==",
-   "content": "ZmlsdGVyOiAiJ3NvdXJjZV9pcCcgaW4gZXZ0Lk1ldGEiCm5hbWU6IGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCmRlc2NyaXB0aW9uOiAiUG9wdWxhdGUgZXZlbnQgd2l0aCBnZW9sb2MgaW5mbyA6IGFzLCBjb3VudHJ5LCBjb29yZHMsIHNvdXJjZSByYW5nZS4iCmRhdGE6CiAgLSBzb3VyY2VfdXJsOiBodHRwczovL2Nyb3dkc2VjLXN0YXRpY3MtYXNzZXRzLnMzLWV1LXdlc3QtMS5hbWF6b25hd3MuY29tL0dlb0xpdGUyLUNpdHkubW1kYgogICAgZGVzdF9maWxlOiBHZW9MaXRlMi1DaXR5Lm1tZGIKICAtIHNvdXJjZV91cmw6IGh0dHBzOi8vY3Jvd2RzZWMtc3RhdGljcy1hc3NldHMuczMtZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vR2VvTGl0ZTItQVNOLm1tZGIKICAgIGRlc3RfZmlsZTogR2VvTGl0ZTItQVNOLm1tZGIKc3RhdGljczoKICAtIG1ldGhvZDogR2VvSXBDaXR5CiAgICBleHByZXNzaW9uOiBldnQuTWV0YS5zb3VyY2VfaXAKICAtIG1ldGE6IElzb0NvZGUKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Jc29Db2RlCiAgLSBtZXRhOiBJc0luRVUKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Jc0luRVUKICAtIG1ldGE6IEdlb0Nvb3JkcwogICAgZXhwcmVzc2lvbjogZXZ0LkVucmljaGVkLkdlb0Nvb3JkcwogIC0gbWV0aG9kOiBHZW9JcEFTTgogICAgZXhwcmVzc2lvbjogZXZ0Lk1ldGEuc291cmNlX2lwCiAgLSBtZXRhOiBBU05OdW1iZXIKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5BU05OdW1iZXIKICAtIG1ldGE6IEFTTk9yZwogICAgZXhwcmVzc2lvbjogZXZ0LkVucmljaGVkLkFTTk9yZwogIC0gbWV0aG9kOiBJcFRvUmFuZ2UKICAgIGV4cHJlc3Npb246IGV2dC5NZXRhLnNvdXJjZV9pcAogIC0gbWV0YTogU291cmNlUmFuZ2UKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Tb3VyY2VSYW5nZQo=",
-   "description": "Populate event with geoloc info : as, country, coords, source range.",
-   "author": "crowdsecurity",
-   "labels": null
-  },
   "crowdsecurity/haproxy-logs": {
    "path": "parsers/s01-parse/crowdsecurity/haproxy-logs.yaml",
    "stage": "s01-parse",
    }
   }
  }
-}
\ No newline at end of file
+}
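Review bot: The freebsd collection entry looks only half-updated: its `description` and `parsers` drop geoip, but the `content` blob directly above the changed description is unchanged context and still decodes to a YAML that lists `crowdsecurity/geoip-enrich` and the old `syslog+geoip+ssh` description. No digest change for that entry is visible and `hub1/collections/crowdsecurity/freebsd.yaml` is not among the changed files, so the index metadata appears to disagree with the file it describes; the entry starts above the visible lines, so this needs confirming. Since the index no longer defines geoip-enrich at all, either regenerate `content` and `digest` for freebsd from a patched freebsd.yaml, following the procedure the commit message gives for linux, or leave the freebsd entry untouched. The magento and windows hunks likewise show only the `parsers` list changing, so it is worth checking that their `content`/`digest` fields and hub files do not still reference the removed parser.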
index 824a6eeca17cbb410110f6f35e7d1651696b033b..1815c77812735174733816eb1e727e7d76c3e084 100644 (file)
@@ -1,10 +1,9 @@
 parsers:
   - crowdsecurity/syslog-logs
-  - crowdsecurity/geoip-enrich
   - crowdsecurity/dateparse-enrich
 collections:
   - crowdsecurity/sshd
-description: "core linux support : syslog+geoip+ssh"
+description: "core linux support : syslog+ssh"
 author: crowdsecurity
 tags:
   - linux
diff --git a/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml b/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
deleted file mode 100644 (file)
index 59a4fca..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-filter: "'source_ip' in evt.Meta"
-name: crowdsecurity/geoip-enrich
-description: "Populate event with geoloc info : as, country, coords, source range."
-data:
-  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
-    dest_file: GeoLite2-City.mmdb
-  - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
-    dest_file: GeoLite2-ASN.mmdb
-statics:
-  - method: GeoIpCity
-    expression: evt.Meta.source_ip
-  - meta: IsoCode
-    expression: evt.Enriched.IsoCode
-  - meta: IsInEU
-    expression: evt.Enriched.IsInEU
-  - meta: GeoCoords
-    expression: evt.Enriched.GeoCoords
-  - method: GeoIpASN
-    expression: evt.Meta.source_ip
-  - meta: ASNNumber
-    expression: evt.Enriched.ASNNumber
-  - meta: ASNOrg
-    expression: evt.Enriched.ASNOrg
-  - method: IpToRange
-    expression: evt.Meta.source_ip
-  - meta: SourceRange
-    expression: evt.Enriched.SourceRange