VPN Tagging: Prepare release 1.2.5

Author: AlteredCoder

CHANGELOG.md

@@ -12,6 +12,15 @@ Splunk app: i.e., all files and folders except ones that are ignored by the `.sl
 
 ---
 
+## [1.2.5](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.5) - 2026-01-08
+
+[_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.4...v1.2.5)
+
+### Changed
+
+- Support basic tagging of VPN.
+
+
 ## [1.2.4](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.4) - 2025-12-19
 
 [_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.3...v1.2.4)
@@ -22,7 +31,7 @@ Splunk app: i.e., all files and folders except ones that are ignored by the `.sl
 - `cssmoke`: new "profile" option, to display a preset of columns
 - `cssmokedownload`: new command to download the CrowdSec offline replication
 
-## [1.2.4](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.3) - 2025-11-25
+## [1.2.3](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.3) - 2025-11-25
 
 [_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.2...v1.2.3)
 

Makefile

@@ -1,4 +1,4 @@
-PYTHON=python3.9
+PYTHON=uv run python3.9
 SDK_VERSION=2.1.1
 TARGET_DIR=bin/splunklib
 TMP_DIR=/tmp/splunk-sdk
@@ -11,7 +11,7 @@ add-sdk:
 	mkdir -p $(TARGET_DIR)
 
 	@echo "==> Installing Splunk SDK version $(SDK_VERSION) using $(PYTHON)..."
-	$(PYTHON) -m pip install --no-deps --no-cache-dir --target=$(TMP_DIR) splunk-sdk==$(SDK_VERSION)
+	uv pip install --no-deps --no-cache-dir --target=$(TMP_DIR) splunk-sdk==$(SDK_VERSION)
 
 	@echo "==> Copying SDK to $(TARGET_DIR)..."
 	cp -r $(TMP_DIR)/splunklib/* $(TARGET_DIR)/

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "crowdsec-splunk-app",
-      "version": "1.2.4"
+      "version": "1.2.5"
     },
     "author": [
       {

appserver/static/javascript/setup_page.js

@@ -10,7 +10,7 @@ require.config({
       "../app/" + app_name + "/javascript/vendor/react-dom.production.min",
   },
   scriptType: "module",
-  urlArgs: "v=v1.2.4",
+  urlArgs: "v=v1.2.5",
 });
 
 require(["react", "ReactDOM", "myApp"], function (react, ReactDOM, myApp) {

bin/crowdsec_constants.py

@@ -1,4 +1,4 @@
-VERSION = "1.2.4"
+VERSION = "1.2.5"
 APP_NAME = "crowdsec-splunk-app"
 
 DEFAULT_SPLUNK_HOME = "/opt/splunk"

bin/crowdsec_utils.py

@@ -38,3 +38,43 @@ def load_local_dump_settings(service):
                     stanza.content.get("local_dump", "0").lower() == "1"
                 )
     return local_dump_enabled
+
+
+VPN_PROVIDER = ["m247", "Datacamp", "PacketHub", "Proton AG", "Clouvider limited"]
+
+
+import logging
+import sys
+
+logger = logging.getLogger("crowdsec_mmdb_downloader")
+logger.setLevel(logging.INFO)
+_handler = logging.StreamHandler(sys.stderr)
+_handler.setFormatter(
+    logging.Formatter("%(asctime)s %(levelname)s %(name)s - %(message)s")
+)
+logger.handlers = [_handler]
+logger.propagate = False
+
+
+def set_vpn(entry):
+    as_name = entry.get("as_name")
+    if not as_name:
+        return entry
+
+    for provider in VPN_PROVIDER:
+        if provider.lower() in as_name.lower():
+            entry["proxy_or_vpn"] = True
+            if "classifications" not in entry:
+                entry["classifications"] = dict()
+            if "classifications" not in entry["classifications"]:
+                entry["classifications"]["classifications"] = list()
+            entry["classifications"]["classifications"].append(
+                {
+                    "description": "IP exposes a VPN service or is being flagged as one.",
+                    "label": "VPN",
+                    "name": "proxy:vpn",
+                },
+            )
+            return entry
+
+    return entry

bin/cssmoke.py

@@ -14,11 +14,7 @@
 )
 
 from download_mmdb import get_mmdb_local_path
-from crowdsec_utils import (
-    get_headers,
-    load_local_dump_settings,
-    load_api_key,
-)
+from crowdsec_utils import get_headers, load_local_dump_settings, load_api_key, set_vpn
 from crowdsec_constants import (
     LOCAL_DUMP_FILES,
     CROWDSEC_PROFILES,
@@ -317,7 +313,7 @@ def load_readers(self):
             mmdb_path = get_mmdb_local_path(info["output_filename"])
             if not os.path.isfile(mmdb_path):
                 raise Exception(
-                    f"MMDB file '{info['name']}' not found, run 'cssmokedownload' command to download the CrowdSec lookup database."
+                    f"MMDB file '{info['crowdsec_dump_name']}' not found, run 'cssmokedownload' command to download the CrowdSec lookup database."
                 )
 
             self.readers.append(
@@ -446,6 +442,7 @@ def _execute_batch(self, buffer, allowed_fields, local_dump_enabled):
         for record, ip in buffer:
             entry = data_by_ip.get(ip)
             if entry:
+                entry = set_vpn(entry)
                 entry["query_time"] = query_time
                 entry["query_mode"] = mode
                 attach_resp_to_record(record, entry, self.ipfield, allowed_fields)

config/example.json

@@ -0,0 +1,6 @@
+{
+    "api_key": "YOUR_API_KEY_HERE",
+    "batching": true,
+    "batch_size": 20,
+    "local_dump": true
+}

default/app.conf

@@ -17,7 +17,7 @@ label = CrowdSec
 [launcher]
 author=CrowdSec
 description=This app leverages the CrowdSec's CTI API to perform lookups on IPs
-version=1.2.4
+version=1.2.5
 
 [package]
 id = crowdsec-splunk-app

dev/README.md

@@ -142,6 +142,7 @@ Once you are ready to release a new version (e.g. when all your changes are on t
   - Each release description must respect the same format as the previous ones.
 - Update the `default/app.conf` file with the new version number.
 - Update the `appserver/static/javascript/setup_pages.js` file with the new version number.
+- Update the `bin/crowdsec_constants.py` file with the new version number.
 - Update the `app.manifest` file with the new version number by running the following command in the root folder of the project:
 
 ```bash