api

package
v1.8.0-beta.8
Published: Aug 8, 2022 License: AGPL-3.0 Imports: 16 Imported by: 0


Constants

const (
	// DefaultLogPerm default logfile permission for Manager. 0600 grants
	// read/write to the owning user only, so other local accounts cannot
	// read the manager's logs.
	DefaultLogPerm = 0600
	// DefaultManagerLogSize default size for Manager's logfiles
	// (100 * utils.Mega; presumably the rotation threshold — confirm
	// against the log writer).
	DefaultManagerLogSize = utils.Mega * 100
	// DefaultKeySize default size for API key generation. The unit (random
	// bytes vs. encoded characters) is not visible here — confirm against
	// the key generator before reasoning about key entropy.
	DefaultKeySize = 64
	// EptAPIDefaultPort default port used by manager's endpoint API
	EptAPIDefaultPort = 1519
	// AdmAPIDefaultPort default port used by manager's admin API. It is a
	// different port from EptAPIDefaultPort, so the two surfaces can be
	// filtered separately at the network level.
	AdmAPIDefaultPort = 1520
	// DefaultMaxUploadSize default maximum upload size accepted by the
	// manager. NOTE(review): confirm it is enforced on every route that
	// reads a request body (e.g. dump uploads), not only on some.
	DefaultMaxUploadSize = 100 * utils.Mega
)
const (
	// AuthKeyHeader HTTP request header carrying the API key presented to
	// the manager's APIs (the name suggests it is the authentication
	// credential for both the endpoint and admin APIs — confirm).
	AuthKeyHeader = "X-Api-Key"

	// Endpoint related headers identifying the endpoint behind a request.
	// NOTE(review): these are plain request headers and therefore
	// client-supplied; the manager should bind them to the authenticated
	// key rather than trust them on their own — confirm in the handlers.
	EndpointUUIDHeader     = "X-Endpoint-Uuid"
	EndpointIPHeader       = "X-Endpoint-IP"
	EndpointHostnameHeader = "X-Endpoint-Hostname"
)
const (
	// Query-parameter names accepted by the manager's HTTP APIs. The
	// grouping comments below are inferred from the names — confirm
	// against the handlers that read each parameter.

	// Endpoint selection and filtering
	QpIdentifier  = "identifier"
	QpGroup       = "group"
	QpStatus      = "status"
	// QpShowKey / QpNewKey presumably control whether Endpoint.Key is
	// returned in a response and whether a fresh key is generated; both
	// are security-sensitive and should be limited to the admin API.
	QpShowKey     = "showkey"
	QpNewKey      = "newkey"
	QpCriticality = "criticality"
	QpWait        = "wait"
	// Time window and paging
	QpSince       = "since"
	QpUntil       = "until"
	QpLast        = "last"
	QpLimit       = "limit"
	QpPivot       = "pivot"
	QpDelta       = "delta"
	QpSkip        = "skip"
	// IoC / rule attributes
	QpSource      = "source"
	QpValue       = "value"
	QpType        = "type"
	QpName        = "name"
	QpFilters     = "filters"
	QpUpdate      = "update"
	// Output encoding
	QpRaw         = "raw"
	QpGunzip      = "gunzip"
	// Object identifiers
	QpUuid        = "uuid"
	QpGroupUuid   = "guuid"
	QpFormat      = "format"
	// Tool selection (sysmon / osqueryi routes)
	QpVersion     = "version"
	QpOS          = "os"
	QpBinary      = "binary"
	QpHash        = "hash"
)
const (

	// EptAPIServerKeyPath API route used to get server key
	EptAPIServerKeyPath = "/key"
	// EptAPIConfigPath API route used to get/post endpoint configuration
	EptAPIConfigPath = "/config"
	// EptAPIRulesPath API route used to get Gene rules available in server
	EptAPIRulesPath = "/rules"
	// EptAPIRulesSha256Path API route used to retrieve sha256 of latest batch
	// of Gene rules (lets an endpoint check for changes before downloading)
	EptAPIRulesSha256Path = "/rules/sha256"

	// Routes to work with sysmon configuration
	// EptAPISysmonConfigPath API route used to get the sysmon configuration
	EptAPISysmonConfigPath = "/sysmon/config"
	// EptAPISysmonConfigSha256Path API route used to get the sha256 of the
	// sysmon configuration
	EptAPISysmonConfigSha256Path = "/sysmon/config/sha256"

	// EptAPIIoCsPath API route used to serve IOC container
	EptAPIIoCsPath = "/iocs"
	// EptAPIIoCsSha256Path API route used to serve sha256 of IOC container
	EptAPIIoCsSha256Path = "/iocs/sha256"
	// EptAPITools API route used to update local tools. NOTE(review): tools
	// fetched here are executed on endpoints; integrity of what this route
	// serves should be verified on the endpoint side — confirm.
	EptAPITools = "/tools"

	// EptAPIPostLogsPath API route used to post logs
	EptAPIPostLogsPath = "/logs"
	// EptAPIPostDumpPath API route used to dump things (request bodies are
	// presumably bounded by DefaultMaxUploadSize — confirm)
	EptAPIPostDumpPath = "/upload/dumps"
	// EptAPIPostSystemInfo API route used to send system information
	EptAPIPostSystemInfo = "/info/system"

	// EptAPICommandPath used to GET commands and POST results
	EptAPICommandPath = "/commands"
)

Routes used by Clients

const (
	// Route patterns use `{name:regexp}` path variables; uuidRe is an
	// unexported constant defined elsewhere in the package and constrains
	// the UUID variables below.
	AdmAPIUsers    = "/users"
	AdmAPIUserByID = AdmAPIUsers + "/{uuuid:" + uuidRe + "}"

	AdmAPIStatsPath     = "/stats"
	AdmAPIIocsPath      = "/iocs"
	AdmAPIRulesPath     = "/rules"
	AdmAPIEndpointsPath = "/endpoints"

	// AdmAPIEndpointsOSPath selects an OS by a single word (\w+)
	AdmAPIEndpointsOSPath = AdmAPIEndpointsPath + `/{os:\w+}`

	// Sysmon related
	AdmAPIEndpointsSysmonPath   = AdmAPIEndpointsOSPath + `/sysmon`
	AdmAPIEndpointsSysmonBinary = AdmAPIEndpointsSysmonPath + `/binary`
	AdmAPIEndpointsSysmonConfig = AdmAPIEndpointsSysmonPath + `/config`

	// OSQueryi related
	AdmAPIEndpointsOSQueryiPath   = AdmAPIEndpointsOSPath + `/osqueryi`
	AdmAPIEndpointsOSQueryiBinary = AdmAPIEndpointsOSQueryiPath + `/binary`

	// Endpoint by UUID
	AdmAPIEndpointsByIDPath = AdmAPIEndpointsPath + "/{euuid:" + uuidRe + "}"
	// Config related
	AdmAPIConfigSuffix       = "/config"
	AdmAPIEndpointConfigPath = AdmAPIEndpointsByIDPath + AdmAPIConfigSuffix
	// Command related: these routes queue commands for execution on an
	// endpoint, so they are the most sensitive part of the admin surface.
	AdmAPICommandSuffix            = "/command"
	AdmAPIEndpointCommandPath      = AdmAPIEndpointsByIDPath + AdmAPICommandSuffix
	AdmAPIEndpointCommandFieldPath = AdmAPIEndpointCommandPath + "/{field}"
	// Logs related
	AdmAPILogsSuffix             = "/logs"
	AdmAPIEndpointLogsPath       = AdmAPIEndpointsByIDPath + AdmAPILogsSuffix
	AdmAPIDetectionSuffix        = "/detections"
	AdmAPIEndpointDetectionsPath = AdmAPIEndpointsByIDPath + AdmAPIDetectionSuffix
	// Reports related
	AdmAPIReportSuffix              = "/report"
	AdmAPIEndpointsReportsPath      = AdmAPIEndpointsPath + "/reports"
	AdmAPIEndpointReportPath        = AdmAPIEndpointsByIDPath + AdmAPIReportSuffix
	AdmAPIArchiveSuffix             = "/archive"
	AdmAPIEndpointReportArchivePath = AdmAPIEndpointReportPath + AdmAPIArchiveSuffix
	// Dumps related ("Articfacts" is a historical typo kept for
	// compatibility; the path itself is "/artifacts")
	AdmAPIArticfactsSuffix       = "/artifacts"
	AdmAPIEndpointsArtifactsPath = AdmAPIEndpointsPath + AdmAPIArticfactsSuffix
	AdmAPIEndpointArtifacts      = AdmAPIEndpointsByIDPath + AdmAPIArticfactsSuffix
	// AdmAPIEndpointArtifact: ehash is restricted to hex digits, but fname
	// is `.*` and so also matches path separators. NOTE(review): the handler
	// must not join fname into a filesystem path without sanitizing it —
	// confirm.
	AdmAPIEndpointArtifact       = AdmAPIEndpointArtifacts + "/{pguid:" + uuidRe + "}/{ehash:[[:xdigit:]]+}/{fname:.*}"

	// Websockets
	AdmAPIStreamEvents     = "/stream/events"
	AdmAPIStreamDetections = "/stream/detections"
)

Routes used for Admin API


Types

type ArchivedReport

// ArchivedReport is a stored (sod.Item) snapshot of reducer.ReducedStats
// together with the time at which it was archived.
type ArchivedReport struct {
	sod.Item
	reducer.ReducedStats
	// ArchivedTimestamp time at which the report was archived
	ArchivedTimestamp time.Time `json:"archived-time"`
}

type EdrRule

// EdrRule is a Gene engine.Rule made storable by embedding sod.Item.
type EdrRule struct {
	sod.Item
	engine.Rule
}

type Endpoint

// Endpoint structure used to track and interact with endpoints.
type Endpoint struct {
	sod.Item
	// Uuid identifies the endpoint; the sod tag marks it unique in the store
	Uuid     string `json:"uuid" sod:"unique"`
	Hostname string `json:"hostname"`
	IP       string `json:"ip"`
	Group    string `json:"group"`
	// Criticality operator-assigned importance of the endpoint
	Criticality int `json:"criticality"`
	// Key API key of the endpoint. omitempty only drops it when empty, so
	// any response that serializes an Endpoint exposes the key unless the
	// handler blanks it first (presumably unless QpShowKey is set) —
	// NOTE(review): confirm in the admin handlers.
	Key string `json:"key,omitempty"`
	// Command presumably the command queued for / last run on the endpoint
	Command *EndpointCommand `json:"command,omitempty"`
	Score   float64          `json:"score"`
	Status  string           `json:"status"`
	// SystemInfo as reported by the endpoint (see EptAPIPostSystemInfo)
	SystemInfo *sysinfo.SystemInfo `json:"system-info,omitempty"`
	// Config agent configuration served to / received from the endpoint
	Config *config.Agent `json:"config,omitempty"`
	// Timestamps of the last activity seen from the endpoint
	LastEvent      time.Time `json:"last-event"`
	LastDetection  time.Time `json:"last-detection"`
	LastConnection time.Time `json:"last-connection"`
}

Endpoint structure used to track and interact with endpoints

func NewEndpoint

func NewEndpoint(uuid, key string) *Endpoint

NewEndpoint returns a new Endpoint structure

func (*Endpoint) Copy

func (e *Endpoint) Copy() *Endpoint

Copy returns a pointer to a new copy of the Endpoint

func (*Endpoint) UpdateLastConnection

func (e *Endpoint) UpdateLastConnection()

UpdateLastConnection updates the LastConnection member of Endpoint structure

func (*Endpoint) Validate

func (e *Endpoint) Validate() error

Validate overrides the Validate method promoted from the embedded sod.Item

type EndpointCommand

// EndpointCommand structure representing a command sent to an endpoint.
// It carries both the request (Name, Args, files to drop/fetch, Timeout)
// and, after execution, the result (Stdout, Stderr, Json, Error).
type EndpointCommand struct {
	UUID string `json:"uuid"`
	// Name program to run and Args its arguments (see SetCommandLine)
	Name string   `json:"name"`
	Args []string `json:"args"`
	// used to drop files on the endpoint
	Drop []*EndpointFile `json:"drop"`
	// used to fetch files from the endpoint
	Fetch map[string]*EndpointFile `json:"fetch"`
	// Json presumably the decoded output when ExpectJSON is set — confirm
	Json   interface{} `json:"json"`
	Stdout []byte      `json:"stdout"`
	Stderr []byte      `json:"stderr"`
	// Error string form of the execution error (see ErrorFrom / Err)
	Error string `json:"error"`
	//Error      error         `json:"error"`
	Sent       bool `json:"sent"`
	Background bool `json:"background"`
	Completed  bool `json:"completed"`
	ExpectJSON bool `json:"expect-json"`
	// Timeout is a time.Duration, so it is serialized as an integer
	// number of nanoseconds
	Timeout  time.Duration `json:"timeout"`
	SentTime time.Time     `json:"sent-time"`
	// contains filtered or unexported fields
}

EndpointCommand structure representing a command sent to an endpoint

func NewEndpointCommand

func NewEndpointCommand() *EndpointCommand

NewEndpointCommand creates a new Command to run on an endpoint

func (*EndpointCommand) AddDropFile

func (c *EndpointCommand) AddDropFile(filename, filepath string) error

AddDropFile adds a file to drop on the endpoint. Argument filepath is the path of the file on the local filesystem

func (*EndpointCommand) AddDropFileFromPath

func (c *EndpointCommand) AddDropFileFromPath(path string) error

AddDropFileFromPath adds a file to drop on the endpoint. It is a wrapper around AddDropFile

func (*EndpointCommand) AddFetchFile

func (c *EndpointCommand) AddFetchFile(filepath string)

AddFetchFile adds a file to fetch from the endpoint.

func (*EndpointCommand) Complete

func (c *EndpointCommand) Complete(other *EndpointCommand) error

Complete updates a command from another

func (*EndpointCommand) Err

func (c *EndpointCommand) Err() error

func (*EndpointCommand) ErrorFrom

func (c *EndpointCommand) ErrorFrom(err error)

func (*EndpointCommand) FromExecCmd

func (c *EndpointCommand) FromExecCmd(cmd *exec.Cmd)

func (*EndpointCommand) Run

func (c *EndpointCommand) Run() (err error)

Run runs the command according to the specified settings; it is meant to be used on the endpoint side

func (*EndpointCommand) SetCommandLine

func (c *EndpointCommand) SetCommandLine(cl string) error

SetCommandLine sets the command line to execute on the endpoint

func (EndpointCommand) String

func (c EndpointCommand) String() string

func (*EndpointCommand) Strip

func (c *EndpointCommand) Strip()

Strip reduces the command to the strict necessary fields to make the return trip from the endpoint to the manager

func (*EndpointCommand) Unrunnable

func (c *EndpointCommand) Unrunnable()

type EndpointFile

// EndpointFile describes a File to drop or fetch from the endpoint.
type EndpointFile struct {
	UUID string `json:"uuid"`
	// Name file name as seen on the endpoint
	Name string `json:"name"`
	// Data raw file content, carried inline in the command
	Data []byte `json:"data"`
	// Error set when the drop/fetch failed
	Error string `json:"error"`
}

EndpointFile describes a File to drop or fetch from the endpoint
