Merge pull request #195 from AikidoSec/monitor-mode

Added monitoring-mode support for ips and user agents

Author: tudor-timcu

.github/workflows/build.yml

@@ -499,4 +499,4 @@ jobs:
           name: test-results-aikido-${{ env.AIKIDO_VERSION }}-${{ matrix.os }}-php-${{ matrix.php_version }}
           if-no-files-found: ignore
           path: |
-            ${{ github.workspace }}/tests/cli/**/*.diff
+            ${{ github.workspace }}/tests/cli/**/*.diff

lib/agent/aikido_types/events.go

@@ -52,17 +52,23 @@ type MonitoredSinkStats struct {
 	CompressedTimings     []CompressedTiming `json:"compressedTimings"`
 }
 
+type MonitoredListsBreakdown struct {
+	Breakdown map[string]int `json:"breakdown"`
+}
+
 type Requests struct {
 	Total           int             `json:"total"`
 	Aborted         int             `json:"aborted"`
 	AttacksDetected AttacksDetected `json:"attacksDetected"`
 }
 
 type Stats struct {
-	Sinks     map[string]MonitoredSinkStats `json:"sinks"`
-	StartedAt int64                         `json:"startedAt"`
-	EndedAt   int64                         `json:"endedAt"`
-	Requests  Requests                      `json:"requests"`
+	Sinks       map[string]MonitoredSinkStats `json:"sinks"`
+	StartedAt   int64                         `json:"startedAt"`
+	EndedAt     int64                         `json:"endedAt"`
+	Requests    Requests                      `json:"requests"`
+	UserAgents  MonitoredListsBreakdown       `json:"userAgents"`
+	IpAddresses MonitoredListsBreakdown       `json:"ipAddresses"`
 }
 
 type AgentInfo struct {

lib/agent/aikido_types/init_data.go

@@ -60,6 +60,9 @@ type CloudConfigData struct {
 	Block                 *bool      `json:"block,omitempty"`
 	BlockedIpsList        map[string]IpBlocklist
 	BlockedUserAgents     string
+	MonitoredIpsList      map[string]IpBlocklist
+	MonitoredUserAgents   string
+	UserAgentDetails      map[string]string
 }
 
 type BlockedIpsData struct {
@@ -68,11 +71,19 @@ type BlockedIpsData struct {
 	Ips         []string `json:"ips"`
 }
 
+type UserAgentDetails struct {
+	Key     string `json:"key"`
+	Pattern string `json:"pattern"`
+}
+
 type ListsConfigData struct {
-	Success            bool             `json:"success"`
-	ServiceId          int              `json:"serviceId"`
-	BlockedIpAddresses []BlockedIpsData `json:"blockedIPAddresses"`
-	BlockedUserAgents  string           `json:"blockedUserAgents"`
+	Success              bool               `json:"success"`
+	ServiceId            int                `json:"serviceId"`
+	BlockedIpAddresses   []BlockedIpsData   `json:"blockedIPAddresses"`
+	BlockedUserAgents    string             `json:"blockedUserAgents"`
+	MonitoredIpAddresses []BlockedIpsData   `json:"monitoredIpAddresses"`
+	MonitoredUserAgents  string             `json:"monitoredUserAgents"`
+	UserAgentDetails     []UserAgentDetails `json:"userAgentDetails"`
 }
 
 type CloudConfigUpdatedAt struct {

lib/agent/aikido_types/stats.go

@@ -20,6 +20,9 @@ type StatsDataType struct {
 	AttacksBlocked  int
 
 	MonitoredSinkTimings map[string]MonitoredSinkTimings
+
+	UserAgentsMatches  map[string]int
+	IpAddressesMatches map[string]int
 }
 
 type RateLimitingConfig struct {

lib/agent/cloud/common.go

@@ -101,6 +101,14 @@ func ApplyCloudConfig() {
 	UpdateRateLimitingConfig()
 }
 
+func UpdateIpsLists(BlockedIps []BlockedIpsData) map[string]IpBlocklist {
+	m := make(map[string]IpBlocklist)
+	for _, blockedIpsGroup := range BlockedIps {
+		m[blockedIpsGroup.Source] = IpBlocklist{Description: blockedIpsGroup.Description, Ips: blockedIpsGroup.Ips}
+	}
+	return m
+}
+
 func UpdateListsConfig() bool {
 	response, err := SendCloudRequest(globals.EnvironmentConfig.Endpoint, globals.ListsAPI, globals.ListsAPIMethod, nil)
 	if err != nil {
@@ -111,15 +119,21 @@ func UpdateListsConfig() bool {
 	tempListsConfig := ListsConfigData{}
 	err = json.Unmarshal(response, &tempListsConfig)
 	if err != nil {
-		log.Warnf("Failed to unmarshal lists config!")
+		log.Warnf("Failed to unmarshal lists config: %v", err)
 		return false
 	}
 
-	CloudConfig.BlockedIpsList = make(map[string]IpBlocklist)
-	for _, blockedIpsGroup := range tempListsConfig.BlockedIpAddresses {
-		CloudConfig.BlockedIpsList[blockedIpsGroup.Source] = IpBlocklist{Description: blockedIpsGroup.Description, Ips: blockedIpsGroup.Ips}
-	}
+	CloudConfig.BlockedIpsList = UpdateIpsLists(tempListsConfig.BlockedIpAddresses)
+	CloudConfig.MonitoredIpsList = UpdateIpsLists(tempListsConfig.MonitoredIpAddresses)
+
 	CloudConfig.BlockedUserAgents = tempListsConfig.BlockedUserAgents
+	CloudConfig.MonitoredUserAgents = tempListsConfig.MonitoredUserAgents
+
+	CloudConfig.UserAgentDetails = make(map[string]string)
+	for _, userAgentDetail := range tempListsConfig.UserAgentDetails {
+		CloudConfig.UserAgentDetails[userAgentDetail.Key] = userAgentDetail.Pattern
+	}
+
 	return true
 }
 

lib/agent/cloud/event_heartbeat.go

@@ -84,6 +84,22 @@ func GetMonitoredSinkStatsAndClear() map[string]MonitoredSinkStats {
 	return monitoredSinkStats
 }
 
+func GetIpsBreakdownAndClear() MonitoredListsBreakdown {
+	m := MonitoredListsBreakdown{
+		Breakdown: globals.StatsData.IpAddressesMatches,
+	}
+	globals.StatsData.IpAddressesMatches = make(map[string]int)
+	return m
+}
+
+func GetUserAgentsBreakdownAndClear() MonitoredListsBreakdown {
+	m := MonitoredListsBreakdown{
+		Breakdown: globals.StatsData.UserAgentsMatches,
+	}
+	globals.StatsData.UserAgentsMatches = make(map[string]int)
+	return m
+}
+
 func GetStatsAndClear() Stats {
 	globals.StatsData.StatsMutex.Lock()
 	defer globals.StatsData.StatsMutex.Unlock()
@@ -100,6 +116,8 @@ func GetStatsAndClear() Stats {
 				Blocked: globals.StatsData.AttacksBlocked,
 			},
 		},
+		UserAgents:  GetUserAgentsBreakdownAndClear(),
+		IpAddresses: GetIpsBreakdownAndClear(),
 	}
 
 	globals.StatsData.StartedAt = utils.GetTime()

lib/agent/go.mod

@@ -17,5 +17,9 @@ require (
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

lib/agent/go.sum

@@ -18,32 +18,38 @@ golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
 google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
 google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
-google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
-google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
 google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
 google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

lib/agent/grpc/request.go

@@ -26,6 +26,19 @@ func storeAttackStats(req *protos.AttackDetected) {
 	}
 }
 
+func storeMonitoredListsMatches(m *map[string]int, lists []string) {
+	if *m == nil {
+		*m = make(map[string]int)
+	}
+
+	for _, list := range lists {
+		if _, exists := (*m)[list]; !exists {
+			(*m)[list] = 0
+		}
+		(*m)[list] += 1
+	}
+}
+
 func storeSinkStats(protoSinkStats *protos.MonitoredSinkStats) {
 	globals.StatsData.StatsMutex.Lock()
 	defer globals.StatsData.StatsMutex.Unlock()
@@ -176,6 +189,14 @@ func getRateLimitingStatus(method string, route string, user string, ip string)
 	return &protos.RateLimitingStatus{Block: false}
 }
 
+func getIpsList(ipsList map[string]IpBlocklist) map[string]*protos.IpBlockList {
+	m := make(map[string]*protos.IpBlockList)
+	for ipBlocklistSource, ipBlocklist := range ipsList {
+		m[ipBlocklistSource] = &protos.IpBlockList{Description: ipBlocklist.Description, Ips: ipBlocklist.Ips}
+	}
+	return m
+}
+
 func getCloudConfig(configUpdatedAt int64) *protos.CloudConfig {
 	isBlockingEnabled := utils.IsBlockingEnabled()
 
@@ -187,19 +208,15 @@ func getCloudConfig(configUpdatedAt int64) *protos.CloudConfig {
 	}
 
 	cloudConfig := &protos.CloudConfig{
-		ConfigUpdatedAt:   globals.CloudConfig.ConfigUpdatedAt,
-		BlockedUserIds:    globals.CloudConfig.BlockedUserIds,
-		BypassedIps:       globals.CloudConfig.BypassedIps,
-		BlockedIps:        map[string]*protos.IpBlockList{},
-		BlockedUserAgents: globals.CloudConfig.BlockedUserAgents,
-		Block:             isBlockingEnabled,
-	}
-
-	for ipBlocklistSource, ipBlocklist := range globals.CloudConfig.BlockedIpsList {
-		cloudConfig.BlockedIps[ipBlocklistSource] = &protos.IpBlockList{
-			Description: ipBlocklist.Description,
-			Ips:         ipBlocklist.Ips,
-		}
+		ConfigUpdatedAt:     globals.CloudConfig.ConfigUpdatedAt,
+		BlockedUserIds:      globals.CloudConfig.BlockedUserIds,
+		BypassedIps:         globals.CloudConfig.BypassedIps,
+		BlockedIps:          getIpsList(globals.CloudConfig.BlockedIpsList),
+		BlockedUserAgents:   globals.CloudConfig.BlockedUserAgents,
+		MonitoredIps:        getIpsList(globals.CloudConfig.MonitoredIpsList),
+		MonitoredUserAgents: globals.CloudConfig.MonitoredUserAgents,
+		UserAgentDetails:    globals.CloudConfig.UserAgentDetails,
+		Block:               isBlockingEnabled,
 	}
 
 	for _, endpoint := range globals.CloudConfig.Endpoints {

lib/agent/grpc/server.go

@@ -90,6 +90,24 @@ func (s *server) OnMiddlewareInstalled(ctx context.Context, req *emptypb.Empty)
 	return &emptypb.Empty{}, nil
 }
 
+func (s *server) OnMonitoredIpMatch(ctx context.Context, req *protos.MonitoredIpMatch) (*emptypb.Empty, error) {
+	log.Debugf("Received MonitoredIpMatch: %v", req.GetLists())
+	globals.StatsData.StatsMutex.Lock()
+	defer globals.StatsData.StatsMutex.Unlock()
+
+	storeMonitoredListsMatches(&globals.StatsData.IpAddressesMatches, req.GetLists())
+	return &emptypb.Empty{}, nil
+}
+
+func (s *server) OnMonitoredUserAgentMatch(ctx context.Context, req *protos.MonitoredUserAgentMatch) (*emptypb.Empty, error) {
+	log.Debugf("Received MonitoredUserAgentMatch: %v", req.GetLists())
+	globals.StatsData.StatsMutex.Lock()
+	defer globals.StatsData.StatsMutex.Unlock()
+
+	storeMonitoredListsMatches(&globals.StatsData.UserAgentsMatches, req.GetLists())
+	return &emptypb.Empty{}, nil
+}
+
 var grpcServer *grpc.Server
 
 func StartServer(lis net.Listener) {