From 2ddd9785cae26b16f27c7be2482c01603b93a6c4 Mon Sep 17 00:00:00 2001
From: Kevin KADOSH
Date: Thu, 8 Jan 2026 15:02:17 +0100
Subject: [PATCH] VPN Tagging: Prepare release 1.2.5
---
 CHANGELOG.md | 11 ++++++-
 Makefile | 4 +--
 app.manifest | 2 +-
 appserver/static/javascript/setup_page.js | 2 +-
 bin/crowdsec_constants.py | 2 +-
 bin/crowdsec_utils.py | 40 +++++++++++++++++++++++
 bin/cssmoke.py | 9 ++---
 config/example.json | 6 ++++
 default/app.conf | 2 +-
 dev/README.md | 1 +
 10 files changed, 66 insertions(+), 13 deletions(-)
 create mode 100644 config/example.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df07a16..628065c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,15 @@ Splunk app: i.e., all files and folders except ones that are ignored by the `.sl
 ---
+## [1.2.5](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.5) - 2026-01-08
+
+[_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.4...v1.2.5)
+
+### Changed
+
+- Support basic tagging of VPN.
+
+
 ## [1.2.4](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.4) - 2025-12-19
 [_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.3...v1.2.4)
@@ -22,7 +31,7 @@ Splunk app: i.e., all files and folders except ones that are ignored by the `.sl
 - `cssmoke`: new "profile" option, to display a preset of columns
 - `cssmokedownload`: new command to download the CrowdSec offline replication
-## [1.2.4](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.3) - 2025-11-25
+## [1.2.3](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.3) - 2025-11-25
 [_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.2...v1.2.3)
diff --git a/Makefile b/Makefile
index 4d048d6..fc86890 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-PYTHON=python3.9
+PYTHON=uv run python3.9
 SDK_VERSION=2.1.1
 TARGET_DIR=bin/splunklib
 TMP_DIR=/tmp/splunk-sdk
@@ -11,7 +11,7 @@ add-sdk:
 mkdir -p $(TARGET_DIR)
 @echo "==> Installing Splunk SDK version $(SDK_VERSION) using $(PYTHON)..."
- $(PYTHON) -m pip install --no-deps --no-cache-dir --target=$(TMP_DIR) splunk-sdk==$(SDK_VERSION)
+ uv pip install --no-deps --no-cache-dir --target=$(TMP_DIR) splunk-sdk==$(SDK_VERSION)
 @echo "==> Copying SDK to $(TARGET_DIR)..."
 cp -r $(TMP_DIR)/splunklib/* $(TARGET_DIR)/
diff --git a/app.manifest b/app.manifest
index 71934d7..020a2c1 100644
--- a/app.manifest
+++ b/app.manifest
@@ -5,7 +5,7 @@
 "id": {
 "group": null,
 "name": "crowdsec-splunk-app",
- "version": "1.2.4"
+ "version": "1.2.5"
 },
 "author": [
 {
diff --git a/appserver/static/javascript/setup_page.js b/appserver/static/javascript/setup_page.js
index 4f1c515..6958feb 100644
--- a/appserver/static/javascript/setup_page.js
+++ b/appserver/static/javascript/setup_page.js
@@ -10,7 +10,7 @@ require.config({
 "../app/" + app_name + "/javascript/vendor/react-dom.production.min",
 },
 scriptType: "module",
- urlArgs: "v=v1.2.4",
+ urlArgs: "v=v1.2.5",
 });
 require(["react", "ReactDOM", "myApp"], function (react, ReactDOM, myApp) {
diff --git a/bin/crowdsec_constants.py b/bin/crowdsec_constants.py
index 0ef78cc..eafbe27 100644
--- a/bin/crowdsec_constants.py
+++ b/bin/crowdsec_constants.py
@@ -1,4 +1,4 @@
-VERSION = "1.2.4"
+VERSION = "1.2.5"
 APP_NAME = "crowdsec-splunk-app"
 DEFAULT_SPLUNK_HOME = "/opt/splunk"
diff --git a/bin/crowdsec_utils.py b/bin/crowdsec_utils.py
index f3e8ecd..37015a8 100644
--- a/bin/crowdsec_utils.py
+++ b/bin/crowdsec_utils.py
@@ -38,3 +38,43 @@ def load_local_dump_settings(service):
 stanza.content.get("local_dump", "0").lower() == "1"
 )
 return local_dump_enabled
+
+
+VPN_PROVIDER = ["m247", "Datacamp", "PacketHub", "Proton AG", "Clouvider limited"]
+
+
+import logging
+import sys
+
+logger = logging.getLogger("crowdsec_mmdb_downloader")
+logger.setLevel(logging.INFO)
+_handler = logging.StreamHandler(sys.stderr)
+_handler.setFormatter(
+ logging.Formatter("%(asctime)s %(levelname)s %(name)s - %(message)s")
+)
+logger.handlers = [_handler]
+logger.propagate = False
+
+
+def set_vpn(entry):
+ as_name = entry.get("as_name")
+ if not as_name:
+ return entry
+
+ for provider in VPN_PROVIDER:
+ if provider.lower() in as_name.lower():
+ entry["proxy_or_vpn"] = True
+ if "classifications" not in entry:
+ entry["classifications"] = dict()
+ if "classifications" not in entry["classifications"]:
+ entry["classifications"]["classifications"] = list()
+ entry["classifications"]["classifications"].append(
+ {
+ "description": "IP exposes a VPN service or is being flagged as one.",
+ "label": "VPN",
+ "name": "proxy:vpn",
+ },
+ )
+ return entry
+
+ return entry
diff --git a/bin/cssmoke.py b/bin/cssmoke.py
index 52f574f..f5638af 100755
--- a/bin/cssmoke.py
+++ b/bin/cssmoke.py
@@ -14,11 +14,7 @@
 )
 from download_mmdb import get_mmdb_local_path
-from crowdsec_utils import (
- get_headers,
- load_local_dump_settings,
- load_api_key,
-)
+from crowdsec_utils import get_headers, load_local_dump_settings, load_api_key, set_vpn
 from crowdsec_constants import (
 LOCAL_DUMP_FILES,
 CROWDSEC_PROFILES,
@@ -317,7 +313,7 @@ def load_readers(self):
 mmdb_path = get_mmdb_local_path(info["output_filename"])
 if not os.path.isfile(mmdb_path):
 raise Exception(
- f"MMDB file '{info['name']}' not found, run 'cssmokedownload' command to download the CrowdSec lookup database."
+ f"MMDB file '{info['crowdsec_dump_name']}' not found, run 'cssmokedownload' command to download the CrowdSec lookup database."
 )
 self.readers.append(
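Review bot: `set_vpn` appends a fresh `proxy:vpn` classification on every call, so an entry that is tagged twice, or that already carries a `proxy:vpn` item in `classifications` from the CTI data, accumulates duplicates; guard the append with `existing = entry["classifications"]["classifications"]` and `if not any(c.get("name") == "proxy:vpn" for c in existing):` before building the dict. The provider test is a case-insensitive substring match on `as_name`, so a short token such as `m247` can also hit any AS name that merely contains it; a comment on `VPN_PROVIDER` saying this is a coarse heuristic (and exact-token matching where the list allows it) would make the false-positive risk visible to whoever later acts on `proxy_or_vpn`. The `import logging` / `import sys` block sits mid-file after `VPN_PROVIDER` and, at import time, overwrites the handlers of a logger named `crowdsec_mmdb_downloader` that nothing in this hunk uses; the name suggests it belongs to the download module, so importing `crowdsec_utils` would presumably replace that module's handler — move the imports to the top of the file and drop or rename this logger setup. The only call site shown is the `_execute_batch` hunk in `bin/cssmoke.py`.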
@@ -446,6 +442,7 @@ def _execute_batch(self, buffer, allowed_fields, local_dump_enabled):
 for record, ip in buffer:
 entry = data_by_ip.get(ip)
 if entry:
+ entry = set_vpn(entry)
 entry["query_time"] = query_time
 entry["query_mode"] = mode
 attach_resp_to_record(record, entry, self.ipfield, allowed_fields)
diff --git a/config/example.json b/config/example.json
new file mode 100644
index 0000000..736892f
--- /dev/null
+++ b/config/example.json
@@ -0,0 +1,6 @@
+{
+ "api_key": "YOUR_API_KEY_HERE",
+ "batching": true,
+ "batch_size": 20,
+ "local_dump": true
+}
\ No newline at end of file
diff --git a/default/app.conf b/default/app.conf
index f55a20b..725565e 100644
--- a/default/app.conf
+++ b/default/app.conf
@@ -17,7 +17,7 @@ label = CrowdSec
 [launcher]
 author=CrowdSec
 description=This app leverages the CrowdSec's CTI API to perform lookups on IPs
-version=1.2.4
+version=1.2.5
 [package]
 id = crowdsec-splunk-app
diff --git a/dev/README.md b/dev/README.md
index 7552e04..0a5205b 100644
--- a/dev/README.md
+++ b/dev/README.md
@@ -142,6 +142,7 @@ Once you are ready to release a new version (e.g. when all your changes are on t
 - Each release description must respect the same format as the previous ones.
 - Update the `default/app.conf` file with the new version number.
 - Update the `appserver/static/javascript/setup_pages.js` file with the new version number.
+- Update the `bin/crowdsec_constants.py` file with the new version number.
 - Update the `app.manifest` file with the new version number by running the following command in the root folder of the project:
 ```bash
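Review bot: `set_vpn` is applied only on the batched path inside `_execute_batch`; if cssmoke also has a non-batched lookup path (the `batching` flag in the new `config/example.json` suggests batching can be turned off), entries returned there will never get the `proxy_or_vpn` tag or the VPN classification — confirm that path calls `set_vpn` as well, or move the call into a helper both paths share, such as the point where the entry is attached to the record. `set_vpn` mutates the entry in place, so if `data_by_ip` values are ever reused across batches the classification is appended again each time. `_execute_batch` starts and ends outside the hunk.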