Merge pull request #18 from DataDog/eslam.salem/update-logs

Update logs to add more visibility in traces

Dockerfile

@@ -1,20 +1,21 @@
-FROM node:16
+FROM node:18
 
 # Create app directory
 WORKDIR /usr/src/app
 
 # Install app dependencies
+
+# RUN npm install -g nodemon
+
 # A wildcard is used to ensure both package.json AND package-lock.json are copied
 # where available (npm@5+)
 COPY package*.json ./
 
 RUN npm i
-# If you are building your code for production
-# RUN npm ci --only=production
 
 # Bundle app source
 COPY . .
 
 RUN chmod +x ./bin/hash-honeypot
 
-ENTRYPOINT [ "./bin/hash-honeypot" ]
+CMD ["sleep", "infinity"]

bin/hash-honeypot-dev.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nodemon ../index.js

cli/run.js

@@ -15,7 +15,9 @@ const run = (appFolder, options) => {
     app.config = config;
     app.config.options = options; //add the cli options to config
 
-    app.logger = newLogger(app.config);
+    const log = newLogger(app.config);
+    app.logger = log.logger
+    app.tracer = log.tracer
 
     app.logger.info('App -> Starting HASH ');
 

docker-compose.yaml

@@ -13,19 +13,22 @@ services:
             - DD_APM_NON_LOCAL_TRAFFIC=true
             - DD_API_KEY=${DD_API_KEY}
             - DD_SITE=${DD_SITE:-datadoghq.com}
-            - DD_ENV=prod
-    default:
+            - DD_ENV=dev
+    hash-honeypot:
         build:
             context: .
             dockerfile: Dockerfile
+        volumes:
+            - .:/usr/src/app
         environment:
             - DD_AGENT_HOST=agent
             - DD_TRACE_AGENT_PORT=8126
             - DD_TRACER_ENABLED=true
             - DD_APPSEC_ENABLED=true
+            - DD_API_KEY=${DD_API_KEY}
             - DD_SERVICE=${DD_SERVICE:-sec-research}
             - DD_TRACE_DEBUG=false
-            - DD_ENV=prod
+            - DD_ENV=dev
         tty: true
         depends_on:
             agent:

libs/init.js

@@ -9,11 +9,6 @@ module.exports = (app) => {
 
     const exp = express();
 
-    //generate an app key
-    //const randomAppKey = crypto.createHash('md5').update(text).digest('hex')
-
-    const randomAppKey = crypto.randomBytes(32).toString('hex');
-
     app.logger.info(
         'Init -> Configuring required middlewares (sessions, bodyparser)'
     );
@@ -54,32 +49,40 @@ module.exports = (app) => {
 
     app.logger.info('Init -> Configure datadog logger');
     const middlewareLogger = function (req, res, next) {
+
         exp.logger = (id, title, info) => {
-            app.logger.warn(
-                'HASH: ' + req.method + ' ' + req.originalUrl + ': ' + title,
-                {
-                    type: 'malicious',
-                    templateId: id,
-                    info,
-                    http: {
-                        client_ip: req.ip,
-                        host: req.headers.host,
-                        method: req.method,
-                        path: req.path,
-                    },
-                    request: {
-                        query: req.query || {},
-                        params: req.params || {},
-                        body: req.body || {},
-                        headers: {
-                            ...req.headers,
-                            ...{
-                                cookie_parsed: req.cookies,
-                            },
+            const payload = {
+                type: 'malicious',
+                templateId: id,
+                info,
+                http: {
+                    client_ip: req.ip,
+                    host: req.headers.host,
+                    method: req.method,
+                    path: req.path,
+                },
+                request: {
+                    query: req.query || {},
+                    params: req.params || {},
+                    body: req.body || {},
+                    headers: {
+                        ...req.headers,
+                        ...{
+                            cookie_parsed: req.cookies,
                         },
                     },
-                }
+                },
+            }
+            app.logger.warn(
+                'HASH: ' + req.method + ' ' + req.originalUrl + ': ' + title,
+                payload
             );
+
+            app.tracer.appsec.trackCustomEvent('malicious.trap', {
+                type: 'malicious',
+                templateId: id
+            })
+
         };
         next();
     };

libs/log.js

@@ -5,6 +5,7 @@ const MAX_FILE_SIZE = 1000000;
 const MAX_FILES = 100;
 
 module.exports.newLogger = (config) => {
+    let tracer = null; //init status in case of datadog is not enabled
     const availableTransports = {
         console: () => {
             return new winston.transports.Console({
@@ -42,12 +43,23 @@ module.exports.newLogger = (config) => {
                 return false;
             }
 
-            require('dd-trace').init({
+            tracer = require('dd-trace').init({
                 appsec: true,
                 logInjection: true,
                 service: datadogServiceName,
             });
 
+            tracer.use('express', {
+                // hook will be executed right before the request span is finished
+                hooks: {
+                  request: (span, req, res) => {
+                    span.setTag("http.body", req.body)
+                    span.setTag("http.query", req.query)
+                    span.setTag("http.full_headers", req.headers)
+                  }
+                }
+            })
+
             const params = new URLSearchParams({
                 "dd-api-key": datadogApiKey,
                 "ddsource": "nodejs",
@@ -89,5 +101,5 @@ module.exports.newLogger = (config) => {
             );
         }
     }
-    return logger;
+    return { logger, tracer };
 };

package.json

@@ -21,7 +21,7 @@
         "clui": "^0.3.6",
         "commander": "^11.0.0",
         "cookie-parser": "^1.4.6",
-        "dd-trace": "^3.9.3",
+        "dd-trace": "^5.6.0",
         "debug": "^4.3.4",
         "dotenv": "^16.0.3",
         "express": "^4.18.1",