server

package
v1.8.0-beta.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 8, 2022 License: AGPL-3.0 Imports: 47 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// IoCContainerName default container name to store manager's IoCs
	IoCContainerName = "edr_iocs"
)
View Source 
const (
	MaxLimitLogAPI = 10000
)

Variables

View Source 
var (
	// Used to specify a command timeout for command execution
	CommandTimeout = 15 * time.Second
)
View Source 
var (
	// ErrUnkEndpoint error to return when endpoint is unknown
	ErrUnkEndpoint = fmt.Errorf("unknown endpoint")
)
View Source 
var OpenAPIDefinition = `` /* 195357-byte string literal not displayed */

Functions

func IPFromRequest 

func IPFromRequest(req *http.Request) (net.IP, error)

IPFromRequest extracts the user IP address from req, if present. source: https://blog.golang.org/context/userip/userip.go

Types

type AdminAPIConfig 

type AdminAPIConfig struct {
	Host string `toml:"host" comment:"Hostname or IP address where the API should listen to"`
	Port int    `toml:"port" comment:"Port used by the API"`
}

AdminAPIConfig configuration for Administrative API

type AdminAPIResponse 

type AdminAPIResponse struct {
	Data    interface{} `json:"data"`
	Message string      `json:"message"`
	Error   string      `json:"error"`
}

AdminAPIResponse standard structure to encode any response from the AdminAPI

func NewAdminAPIRespError 

func NewAdminAPIRespError(err error) *AdminAPIResponse

NewAdminAPIRespError creates a new response from an error

func NewAdminAPIRespErrorString 

func NewAdminAPIRespErrorString(err string) *AdminAPIResponse

NewAdminAPIRespErrorString creates a new error response from an error

func NewAdminAPIResponse 

func NewAdminAPIResponse(data interface{}) *AdminAPIResponse

NewAdminAPIResponse creates a new response from data

func (*AdminAPIResponse) Err 

func (r *AdminAPIResponse) Err() error

Err returns a response Error field in a form of a Go error

func (*AdminAPIResponse) ToJSON 

func (r *AdminAPIResponse) ToJSON() []byte

ToJSON serializes the response to JSON

func (*AdminAPIResponse) UnmarshalData 

func (r *AdminAPIResponse) UnmarshalData(i interface{}) error

UnmarshalData unmarshals the Data field of the response to an interface

type AdminAPIUser 

type AdminAPIUser struct {
	sod.Item
	Uuid        string `json:"uuid" sod:"unique"`
	Identifier  string `json:"identifier" sod:"unique"`
	Key         string `json:"key,omitempty" sod:"unique"`
	Group       string `json:"group" sod:"index"`
	Description string `json:"description"`
}

AdminAPIUser structure definition

type CommandAPI 

type CommandAPI struct {
	CommandLine string        `json:"command-line"`
	FetchFiles  []string      `json:"fetch-files"`
	DropFiles   []string      `json:"drop-files"`
	Timeout     time.Duration `json:"timeout"`
}

CommandAPI structure used by Admin API clients to POST commands

func (*CommandAPI) ToCommand 

func (c *CommandAPI) ToCommand() (*api.EndpointCommand, error)

ToCommand converts a CommandAPI to an EndpointCommand

type DumpFile 

type DumpFile struct {
	Name      string    `json:"name"`
	Size      int64     `json:"size"`
	Timestamp time.Time `json:"timestamp"`
}

type EndpointAPIConfig 

type EndpointAPIConfig struct {
	Host      string `toml:"host" comment:"Hostname or IP where the API should listen to"`
	Port      int    `toml:"port" comment:"Port used by the API"`
	ServerKey string `` /* 162-byte string literal not displayed */
}

EndpointAPIConfig structure holding configuration for the API used by endpoints

type EndpointDumps 

type EndpointDumps struct {
	Created      time.Time  `json:"creation"`
	Modification time.Time  `json:"modification"`
	ProcessGUID  string     `json:"process-guid"`
	EventHash    string     `json:"event-hash"`
	BaseURL      string     `json:"base-url"`
	Files        []DumpFile `json:"files"`
}

type EventStreamer 

type EventStreamer struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewEventStreamer 

func NewEventStreamer() *EventStreamer

func (*EventStreamer) NewStream 

func (s *EventStreamer) NewStream() *LogStream

func (*EventStreamer) Queue 

func (s *EventStreamer) Queue(e *event.EdrEvent)

type LogStream 

type LogStream struct {
	S chan *event.EdrEvent
	// contains filtered or unexported fields
}

func (*LogStream) Close 

func (s *LogStream) Close()

func (*LogStream) Queue 

func (s *LogStream) Queue(e *event.EdrEvent) bool

func (*LogStream) Stream 

func (s *LogStream) Stream()

type Manager 

type Manager struct {
	sync.RWMutex

	/* Public */
	Config *ManagerConfig
	// contains filtered or unexported fields
}

Manager structure definition

func NewManager 

func NewManager(c *ManagerConfig) (*Manager, error)

NewManager creates a new WHIDS manager with a logfile as parameter

func (*Manager) AddCommand 

func (m *Manager) AddCommand(uuid string, c *api.EndpointCommand) error

AddCommand sets a command to be executed on endpoint specified by UUID

func (*Manager) AddEndpoint 

func (m *Manager) AddEndpoint(uuid, key string)

AddEndpoint adds new endpoint to the manager

func (*Manager) CreateNewAdminAPIUser 

func (m *Manager) CreateNewAdminAPIUser(user *AdminAPIUser) (err error)

CreateNewAdminAPIUser creates a new user in the user able to access admin API in database.

func (*Manager) Endpoint 

func (m *Manager) Endpoint(uuid string) (*api.Endpoint, bool)

Endpoint returns an Endpoint pointer from database Result must be handled with care as any change to the Endpoint might be commited to the database. If an Endpoint needs to be modified but changes don't need to be commited, use Endpoint.Copy() to work on a copy

func (*Manager) Endpoints 

func (m *Manager) Endpoints() (endpoints []*api.Endpoint, err error)

Endpoints returns a slice of Endpoint pointers from database Result must be handled with care as any change to the Endpoint might be commited to the database. If an Endpoint needs to be modified but changes don't need to be commited, use Endpoint.Copy() to work on a copy

func (*Manager) GetCommand 

func (m *Manager) GetCommand(uuid string) (*api.EndpointCommand, error)

GetCommand gets the command set for an endpoint specified by UUID

func (*Manager) ImportRules 

func (m *Manager) ImportRules(directory string) (err error)

func (*Manager) IsDone 

func (m *Manager) IsDone() bool

IsDone returns true when manager is done

func (*Manager) Run 

func (m *Manager) Run()

Run starts a new thread spinning the receiver

func (*Manager) Shutdown 

func (m *Manager) Shutdown() (lastErr error)

Shutdown the Manager

func (*Manager) UpdateReducer 

func (m *Manager) UpdateReducer(identifier string, e *event.EdrEvent)

UpdateReducer updates the reducer member of the Manager

func (*Manager) Wait 

func (m *Manager) Wait()

Wait the Manager to Shutdown

type ManagerConfig 

type ManagerConfig struct {
	// TOML strings need to be first otherwise issue parsing back config
	Database    string            `toml:"db" comment:"Path to store database"`
	Repair      bool              `toml:"repair-db" comment:"Attempt to repair broken database"`
	DumpDir     string            `toml:"dump-dir" comment:"Directory where to dump artifacts collected on hosts"`
	AdminAPI    AdminAPIConfig    `toml:"admin-api" comment:"Settings to configure administrative API (not supposed to be reachable by endpoints)"`
	EndpointAPI EndpointAPIConfig `toml:"endpoint-api" comment:"Settings to configure API used by endpoints"`
	Logging     ManagerLogConfig  `toml:"logging" comment:"Logging settings"`
	TLS         TLSConfig         `toml:"tls" comment:"TLS settings. Leave empty, not to use TLS"`
	// contains filtered or unexported fields
}

ManagerConfig defines manager's configuration structure

func LoadManagerConfig 

func LoadManagerConfig(path string) (*ManagerConfig, error)

LoadManagerConfig loads the manager configuration from a file

func (*ManagerConfig) AdminAPIUrl 

func (mc *ManagerConfig) AdminAPIUrl() string

EndpointAPIUrl returns the URL of the Admin API

func (*ManagerConfig) EndpointAPIUrl 

func (mc *ManagerConfig) EndpointAPIUrl() string

EndpointAPIUrl returns the URL of the Endpoint API

func (*ManagerConfig) Save 

func (mc *ManagerConfig) Save() error

Save saves the configuration to a path specified by the path member of the structure

func (*ManagerConfig) SetPath 

func (mc *ManagerConfig) SetPath(path string)

SetPath exposes the path member for changes

type ManagerLogConfig 

type ManagerLogConfig struct {
	Root        string `toml:"root" comment:"Root directory where logfiles are stored"`
	LogBasename string `toml:"logfile" comment:"Logfile name (relative to root) used to store logs"`
	VerboseHTTP bool   `toml:"verbose-http" comment:"Enables verbose HTTP logs\n When disabled beaconing requests are filtered out"`
}

ManagerLogConfig structure to hold manager's logging configuration

type TLSConfig 

type TLSConfig struct {
	Cert string `toml:"cert" comment:"Path to the certificate file to use for TLS connections"`
	Key  string `toml:"key" comment:"Path to the key to use for TLS connection"`
}

TLSConfig structure definition

func (*TLSConfig) Empty 

func (t *TLSConfig) Empty() bool

Empty returns true if current TLSConfig is empty else false

func (*TLSConfig) Verify 

func (t *TLSConfig) Verify() error

Verify checks whether the files holding cert and key exist

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.