Merge pull request #90 from team-europe/post-icc-fixes

Post icc fixes
OpenAttackDefenseTools · Jul 20, 2022 · fd63d22 · fd63d22
2 parents 1c03982 + 3a782b2
commit fd63d22
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/services/go-importer/cmd/enricher/main.go b/services/go-importer/cmd/enricher/main.go
@@ -181,6 +181,11 @@ func handleEveLine(json string) (bool, error) {
  tag = jtag.String()
  }
 
+ // If no action was taken, there's no need for us to do anything with this line.
+ if !sig_action.Exists() {
+ return false, nil
+ }
+
  // canonicalize the IP address notation to make sure it matches what the assembler entered
  // into the database.
  // TODO; just assuming these are all valid for now. Should be fine, since this is coming from

diff --git a/services/go-importer/internal/pkg/db/db.go b/services/go-importer/internal/pkg/db/db.go
@@ -3,7 +3,6 @@ package db
 import (
  "context"
  "log"
- "strings"
  "time"
 
  "go.mongodb.org/mongo-driver/bson"
@@ -62,9 +61,8 @@ func ConnectMongo(uri string) Database {
 func (db Database) ConfigureDatabase() {
  db.InsertTag("flag-in")
  db.InsertTag("flag-out")
- db.InsertTag("fishy")
- db.InsertTag("steal")
  db.InsertTag("blocked")
+ db.InsertTag("suricata")
  db.ConfigureIndexes()
 }
 
@@ -160,6 +158,7 @@ func (db Database) AddSignature(sig Signature) string {
  "id": sig.ID,
  "msg": sig.Msg,
  "action": sig.Action,
+ "tag": sig.Tag,
  }
 
  var existing_sig Signature
@@ -200,11 +199,7 @@ func (db Database) AddSignatureToFlow(flow FlowID, sig Signature, window int) bo
  },
  }
 
- tags := []string{"fishy"}
- // TODO; pull this from metadata
- if strings.Contains(sig.Msg, "stolen flag") {
- tags = append(tags, "steal")
- }
+ tags := []string{"suricata"}
 
  // A tag from the signature if it contained one
  if sig.Tag != "" {