crowdsecurity · AlteredCoder · Dec 8, 2023 · Dec 7, 2023 · Dec 7, 2023 · Dec 7, 2023
diff --git a/pkg/acquisition/modules/appsec/appsec_runner.go b/pkg/acquisition/modules/appsec/appsec_runner.go
@@ -298,8 +298,9 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 	request.IsInBand = true
 	request.IsOutBand = false
 
-	//to measure the time spent in the Application Security Engine
-	startParsing := time.Now()
+	//to measure the time spent in the Application Security Engine for InBand rules
+	startInBandParsing := time.Now()
+	startGlobalParsing := time.Now()
 
 	//inband appsec rules
 	err := r.ProcessInBandRules(request)
@@ -308,13 +309,14 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 		return
 	}
 
+	// time spent to process in band rules
+	inBandParsingElapsed := time.Since(startInBandParsing)
+	AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(inBandParsingElapsed.Seconds())
+
 	if request.Tx.IsInterrupted() {
 		r.handleInBandInterrupt(request)
 	}
 
-	elapsed := time.Since(startParsing)
-	AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
-
 	// send back the result to the HTTP handler for the InBand part
 	request.ResponseChannel <- r.AppsecRuntime.Response
 
@@ -325,12 +327,23 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 	r.AppsecRuntime.Response.SendAlert = false
 	r.AppsecRuntime.Response.SendEvent = true
 
+	//to measure the time spent in the Application Security Engine for OutOfBand rules
+	startOutOfBandParsing := time.Now()
+
 	err = r.ProcessOutOfBandRules(request)
 	if err != nil {
 		logger.Errorf("unable to process OutOfBand rules: %s", err)
 		return
 	}
 
+	// time spent to process out of band rules
+	outOfBandParsingElapsed := time.Since(startOutOfBandParsing)
+	AppsecOutbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(outOfBandParsingElapsed.Seconds())
+
+	// time spent to process inband AND out of band rules
+	globalParsingElapsed := time.Since(startGlobalParsing)
+	AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(globalParsingElapsed.Seconds())
+
 	if request.Tx.IsInterrupted() {
 		r.handleOutBandInterrupt(request)
 	}

diff --git a/pkg/acquisition/modules/appsec/metrics.go b/pkg/acquisition/modules/appsec/metrics.go
@@ -6,7 +6,7 @@ var AppsecGlobalParsingHistogram = prometheus.NewHistogramVec(
 	prometheus.HistogramOpts{
 		Help:    "Time spent processing a request by the Application Security Engine.",
 		Name:    "cs_appsec_parsing_time_seconds",
-		Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
+		Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
 	},
 	[]string{"source"},
 )
@@ -15,7 +15,7 @@ var AppsecInbandParsingHistogram = prometheus.NewHistogramVec(
 	prometheus.HistogramOpts{
 		Help:    "Time spent processing a request by the inband Application Security Engine.",
 		Name:    "cs_appsec_inband_parsing_time_seconds",
-		Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
+		Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
 	},
 	[]string{"source"},
 )
@@ -24,7 +24,7 @@ var AppsecOutbandParsingHistogram = prometheus.NewHistogramVec(
 	prometheus.HistogramOpts{
 		Help:    "Time spent processing a request by the Application Security Engine.",
 		Name:    "cs_appsec_outband_parsing_time_seconds",
-		Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
+		Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
 	},
 	[]string{"source"},
 )

diff --git a/pkg/acquisition/modules/appsec/utils.go b/pkg/acquisition/modules/appsec/utils.go
@@ -63,18 +63,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
 			alert.Meta = append(alert.Meta, &meta)
 		}
 	}
-	for _, key := range evt.Appsec.MatchedRules.GetMatchedZones() {
-		valueByte, err := json.Marshal([]string{key})
-		if err != nil {
-			log.Debugf("unable to serialize key %s", key)
-			continue
-		}
-		meta := models.MetaItems0{
-			Key:   "matched_zones",
-			Value: string(valueByte),
-		}
-		alert.Meta = append(alert.Meta, &meta)
-	}
+
 	alert.EventsCount = ptr.Of(int32(1))
 	alert.Leakspeed = ptr.Of("")
 	alert.Scenario = ptr.Of(inEvt.Appsec.MatchedRules.GetName())

diff --git a/pkg/types/appsec_event.go b/pkg/types/appsec_event.go
@@ -2,6 +2,7 @@ package types
 
 import (
 	"regexp"
+	"slices"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -132,7 +133,11 @@ func (w MatchedRules) GetMatchedZones() []string {
 	ret := make([]string, 0)
 
 	for _, rule := range w {
-		ret = append(ret, rule["matched_zones"].([]string)...)
+		for _, zone := range rule["matched_zones"].([]string) {
+			if !slices.Contains(ret, zone) {
+				ret = append(ret, zone)
+			}
+		}
 	}
 	return ret
 }