From: Cyril Brulebois
Date: Fri, 22 Jan 2021 14:35:42 +0000 (+0000)
Subject: Disable geoip-enrich in the hub files
X-Git-Tag: archive/raspbian/1.4.6-4+rpi1^2~11
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0cbc587cce6d839c67506035cce8243c2363da47;p=crowdsec.git

Disable geoip-enrich in the hub files

It would download GeoLite2*.mmdb files from the network. Let users enable the hub by themselves if they want to use it.

When refreshing this patch, don't forget to update both digest and content fields, using:
- digest: sha256sum hub1/collections/crowdsecurity/linux.yaml
- content: base64 -w 0 /etc/crowdsec/collections/linux.yaml

Gbp-Pq: Name 0004-disable-geoip-enrich.patch
---
diff --git a/hub1/.index.json b/hub1/.index.json
index a3198f0..fe3dafe 100644
--- a/hub1/.index.json
+++ b/hub1/.index.json
@@ -585,12 +585,11 @@
 },
 "long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGZyZWVic2QqKgoKY29udGFpbnMgc3VwcG9ydCBmb3Igc3lzbG9nLCBkbyBub3QgcmVtb3ZlLgo=",
 "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGZyZWVic2Qgc3VwcG9ydCA6IHN5c2xvZytnZW9pcCtzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gZnJlZWJzZCAKCg==",
- "description": "core freebsd support : syslog+geoip+ssh",
+ "description": "core freebsd support : syslog+ssh",
 "author": "crowdsecurity",
 "labels": null,
 "parsers": [
 "crowdsecurity/syslog-logs",
- "crowdsecurity/geoip-enrich",
 "crowdsecurity/dateparse-enrich"
 ],
 "collections": [
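Review bot: The freebsd collection entry in this hunk still advertises geoip-enrich through its `content` field: the base64 at `"content": "cGFyc2VyczoK…"` decodes to a parser list that includes `crowdsecurity/geoip-enrich`, while the `parsers` array and `description` right below it drop that parser, so the index now describes two different collection files. The linux entry in the -819 hunk updates both `content` and its 0.2 `digest`; the freebsd entry here, the magento entry (-902) and the windows entry (-1473) only get the array edit, and their `content`/`digest` fields lie outside these hunks. If cscli compares installed files against the index digest and content, those three collections would presumably be reported as tainted or reinstalled with the geoip-enrich reference intact — worth confirming. Suggest regenerating `content` and `digest` for every touched collection the same way the commit message describes for linux.yaml.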
@@ -819,18 +818,17 @@
 "deprecated": false
 },
 "0.2": {
- "digest": "baaa37b12b4d734fab81ae01ff81c58ceb7a99304f21e6bb6ff86b871ed6d5eb",
+ "digest": "21ac34a4e2146ac8cd42f8377e1af5ead7eef5447bf3d6b0bf4e8ca456a7c16d",
 "deprecated": false
 }
 },
 "long_description": "Kipjb3JlIHBhY2thZ2UgZm9yIGxpbnV4KioKCmNvbnRhaW5zIHN1cHBvcnQgZm9yIHN5c2xvZywgZG8gbm90IHJlbW92ZS4K",
- "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCiAgLSBjcm93ZHNlY3VyaXR5L2RhdGVwYXJzZS1lbnJpY2gKY29sbGVjdGlvbnM6CiAgLSBjcm93ZHNlY3VyaXR5L3NzaGQKZGVzY3JpcHRpb246ICJjb3JlIGxpbnV4IHN1cHBvcnQgOiBzeXNsb2crZ2VvaXArc3NoIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4Cgo=",
- "description": "core linux support : syslog+geoip+ssh",
+ "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3lzbG9nLWxvZ3MKICAtIGNyb3dkc2VjdXJpdHkvZGF0ZXBhcnNlLWVucmljaApjb2xsZWN0aW9uczoKICAtIGNyb3dkc2VjdXJpdHkvc3NoZApkZXNjcmlwdGlvbjogImNvcmUgbGludXggc3VwcG9ydCA6IHN5c2xvZytzc2giCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gbGludXgKCg==",
+ "description": "core linux support : syslog+ssh",
 "author": "crowdsecurity",
 "labels": null,
 "parsers": [
 "crowdsecurity/syslog-logs",
- "crowdsecurity/geoip-enrich",
 "crowdsecurity/dateparse-enrich"
 ],
 "collections": [
@@ -902,8 +900,7 @@
 "parsers": [
 "crowdsecurity/syslog-logs",
 "crowdsecurity/magento-extension-logs",
- "crowdsecurity/dateparse-enrich",
- "crowdsecurity/geoip-enrich"
+ "crowdsecurity/dateparse-enrich"
 ],
 "scenarios": [
 "crowdsecurity/http-magento-bf",
@@ -1473,7 +1470,6 @@
 "parsers": [
 "crowdsecurity/windows-logs",
 "crowdsecurity/windows-auth",
- "crowdsecurity/geoip-enrich",
 "crowdsecurity/dateparse-enrich"
 ],
 "scenarios": [
@@ -2532,26 +2528,6 @@
 "author": "crowdsecurity",
 "labels": null
 },
- "crowdsecurity/geoip-enrich": {
- "path": "parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml",
- "stage": "s02-enrich",
- "version": "0.2",
- "versions": {
- "0.1": {
- "digest": "c0718adfc71ad462ad90485ad5c490e5de0e54d8af425bff552994e114443ab6",
- "deprecated": false
- },
- "0.2": {
- "digest": "ab327e6044a32de7d2f3780cbc8e0c4af0c11716f353023d2dc7b986571bb765",
- "deprecated": false
- }
- },
- "long_description": "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",
- "content": "ZmlsdGVyOiAiJ3NvdXJjZV9pcCcgaW4gZXZ0Lk1ldGEiCm5hbWU6IGNyb3dkc2VjdXJpdHkvZ2VvaXAtZW5yaWNoCmRlc2NyaXB0aW9uOiAiUG9wdWxhdGUgZXZlbnQgd2l0aCBnZW9sb2MgaW5mbyA6IGFzLCBjb3VudHJ5LCBjb29yZHMsIHNvdXJjZSByYW5nZS4iCmRhdGE6CiAgLSBzb3VyY2VfdXJsOiBodHRwczovL2Nyb3dkc2VjLXN0YXRpY3MtYXNzZXRzLnMzLWV1LXdlc3QtMS5hbWF6b25hd3MuY29tL0dlb0xpdGUyLUNpdHkubW1kYgogICAgZGVzdF9maWxlOiBHZW9MaXRlMi1DaXR5Lm1tZGIKICAtIHNvdXJjZV91cmw6IGh0dHBzOi8vY3Jvd2RzZWMtc3RhdGljcy1hc3NldHMuczMtZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vR2VvTGl0ZTItQVNOLm1tZGIKICAgIGRlc3RfZmlsZTogR2VvTGl0ZTItQVNOLm1tZGIKc3RhdGljczoKICAtIG1ldGhvZDogR2VvSXBDaXR5CiAgICBleHByZXNzaW9uOiBldnQuTWV0YS5zb3VyY2VfaXAKICAtIG1ldGE6IElzb0NvZGUKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Jc29Db2RlCiAgLSBtZXRhOiBJc0luRVUKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Jc0luRVUKICAtIG1ldGE6IEdlb0Nvb3JkcwogICAgZXhwcmVzc2lvbjogZXZ0LkVucmljaGVkLkdlb0Nvb3JkcwogIC0gbWV0aG9kOiBHZW9JcEFTTgogICAgZXhwcmVzc2lvbjogZXZ0Lk1ldGEuc291cmNlX2lwCiAgLSBtZXRhOiBBU05OdW1iZXIKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5BU05OdW1iZXIKICAtIG1ldGE6IEFTTk9yZwogICAgZXhwcmVzc2lvbjogZXZ0LkVucmljaGVkLkFTTk9yZwogIC0gbWV0aG9kOiBJcFRvUmFuZ2UKICAgIGV4cHJlc3Npb246IGV2dC5NZXRhLnNvdXJjZV9pcAogIC0gbWV0YTogU291cmNlUmFuZ2UKICAgIGV4cHJlc3Npb246IGV2dC5FbnJpY2hlZC5Tb3VyY2VSYW5nZQo=",
- "description": "Populate event with geoloc info : as, country, coords, source range.",
- "author": "crowdsecurity",
- "labels": null
- },
 "crowdsecurity/haproxy-logs": {
 "path": "parsers/s01-parse/crowdsecurity/haproxy-logs.yaml",
 "stage": "s01-parse",
@@ -6375,4 +6351,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/hub1/collections/crowdsecurity/linux.yaml b/hub1/collections/crowdsecurity/linux.yaml
index 824a6ee..1815c77 100644
--- a/hub1/collections/crowdsecurity/linux.yaml
+++ b/hub1/collections/crowdsecurity/linux.yaml
@@ -1,10 +1,9 @@
 parsers:
 - crowdsecurity/syslog-logs
- - crowdsecurity/geoip-enrich
 - crowdsecurity/dateparse-enrich
 collections:
 - crowdsecurity/sshd
-description: "core linux support : syslog+geoip+ssh"
+description: "core linux support : syslog+ssh"
 author: crowdsecurity
 tags:
 - linux
diff --git a/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml b/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
deleted file mode 100644
index 59a4fca..0000000
--- a/hub1/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-filter: "'source_ip' in evt.Meta"
-name: crowdsecurity/geoip-enrich
-description: "Populate event with geoloc info : as, country, coords, source range."
-data:
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb
- dest_file: GeoLite2-City.mmdb
- - source_url: https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb
- dest_file: GeoLite2-ASN.mmdb
-statics:
- - method: GeoIpCity
- expression: evt.Meta.source_ip
- - meta: IsoCode
- expression: evt.Enriched.IsoCode
- - meta: IsInEU
- expression: evt.Enriched.IsInEU
- - meta: GeoCoords
- expression: evt.Enriched.GeoCoords
- - method: GeoIpASN
- expression: evt.Meta.source_ip
- - meta: ASNNumber
- expression: evt.Enriched.ASNNumber
- - meta: ASNOrg
- expression: evt.Enriched.ASNOrg
- - method: IpToRange
- expression: evt.Meta.source_ip
- - meta: SourceRange
- expression: evt.Enriched.SourceRange