types

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 29, 2025 License: BSD-3-Clause Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// SuricataTimestampFormat is a Go time formatting string describing the
	// timestamp format used by Suricata's EVE JSON output.
	SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"

	// EventTypeFlow is the EventType string for the flow type.
	EventTypeFlow = "flow"
	// EventTypeAlert is the EventType string for the alert type.
	EventTypeAlert = "alert"
)

Variables

View Source 
var FlowEventFlags = map[string]uint16{
	"TCP": 1 << 0,
	"UDP": 1 << 1,
}

FlowEventFlags defines various flags for use in FlowEvent.Flags (e.g. the protocol).

Functions

This section is empty.

Types

type AlertEvent 

type AlertEvent struct {
	Action      string `json:"action"`
	Gid         int    `json:"gid"`
	SignatureID int    `json:"signature_id"`
	Rev         int    `json:"rev"`
	Signature   string `json:"signature"`
	Category    string `json:"category"`
	Severity    int    `json:"severity"`
}

AlertEvent is am alert sub-object of an EVE entry.

type DNSAnswer 

type DNSAnswer struct {
	DNSRRName string
	DNSRRType string
	DNSRCode  string
	DNSRData  string
	DNSType   string
}

DNSAnswer is a single DNS answer as observed by Suricata

type DNSEvent 

type DNSEvent struct {
	Type   string `json:"type"`
	ID     int    `json:"id"`
	Rcode  string `json:"rcode"`
	Rrname string `json:"rrname"`
	Rrtype string `json:"rrtype"`
	TTL    int    `json:"ttl"`
	Rdata  string `json:"rdata"`
	TxID   int    `json:"tx_id"`
}

DNSEvent is a DNS sub-object of an EVE entry.

type Entry 

type Entry struct {
	SrcIP          string
	SrcHosts       []string
	SrcPort        int64
	DestIP         string
	DestHosts      []string
	DestPort       int64
	Timestamp      string
	EventType      string
	Proto          string
	HTTPHost       string
	HTTPUrl        string
	HTTPMethod     string
	JSONLine       string
	DNSVersion     int64
	DNSRRName      string
	DNSRRType      string
	DNSRCode       string
	DNSRData       string
	DNSType        string
	DNSAnswers     []DNSAnswer
	TLSSNI         string
	BytesToClient  int64
	BytesToServer  int64
	PktsToClient   int64
	PktsToServer   int64
	FlowID         string
	Iface          string
	AppProto       string
	TLSFingerprint string
}

Entry is a collection of data that needs to be parsed FAST from the entry

type EveEvent 

type EveEvent struct {
	Timestamp        *SuriTime      `json:"timestamp"`
	EventType        string         `json:"event_type"`
	FlowID           int64          `json:"flow_id,omitempty"`
	InIface          string         `json:"in_iface,omitempty"`
	SrcIP            string         `json:"src_ip,omitempty"`
	SrcPort          int            `json:"src_port,omitempty"`
	SrcHost          []string       `json:"src_host,omitempty"`
	DestIP           string         `json:"dest_ip,omitempty"`
	DestPort         int            `json:"dest_port,omitempty"`
	DestHost         []string       `json:"dest_host,omitempty"`
	Proto            string         `json:"proto,omitempty"`
	AppProto         string         `json:"app_proto,omitempty"`
	TxID             int            `json:"tx_id,omitempty"`
	TCP              *tcpEvent      `json:"tcp,omitempty"`
	PacketInfo       *packetInfo    `json:"packet_info,omitempty"`
	Alert            *AlertEvent    `json:"alert,omitempty"`
	Payload          string         `json:"payload,omitempty"`
	PayloadPrintable string         `json:"payload_printable,omitempty"`
	Stream           int            `json:"stream,omitempty"`
	Packet           string         `json:"packet,omitempty"`
	SMTP             *smtpEvent     `json:"smtp,omitempty"`
	Email            *emailEvent    `json:"email,omitempty"`
	DNS              *DNSEvent      `json:"dns,omitempty"`
	HTTP             *HTTPEvent     `json:"http,omitempty"`
	Fileinfo         *fileinfoEvent `json:"fileinfo,omitempty"`
	Flow             *EveFlowEvent  `json:"flow,omitempty"`
	SSH              *sshEvent      `json:"ssh,omitempty"`
	TLS              *TLSEvent      `json:"tls,omitempty"`
	Stats            *statsEvent    `json:"stats,omitempty"`
	ExtraInfo        *ExtraInfo     `json:"_extra,omitempty"`
}

EveEvent is the huge struct which can contain a parsed suricata eve.json log event.

type EveFlowEvent added in v1.0.9 

type EveFlowEvent struct {
	PktsToserver  int       `json:"pkts_toserver"`
	PktsToclient  int       `json:"pkts_toclient"`
	BytesToserver int       `json:"bytes_toserver"`
	BytesToclient int       `json:"bytes_toclient"`
	Start         *SuriTime `json:"start"`
	End           *SuriTime `json:"end"`
	Age           int       `json:"age"`
	State         string    `json:"state"`
	Reason        string    `json:"reason"`
}

EveFlowEvent is an Flow sub-object of an EVE entry.

type EveOutEvent added in v1.0.8 

type EveOutEvent EveEvent

EveOutEvent is the version of EveEvent that we use to marshal the output for downstream consumption.

func (EveOutEvent) MarshalJSON added in v1.0.8 

func (e EveOutEvent) MarshalJSON() ([]byte, error)

MarshalJSON for EveOutEvents ensures that FlowIDs are represented in JSON as a string. This is necessary to work around some arbitrary limitations such as syslog-ng's funny JSON parser implementation, which truncates large integers found in JSON values.

func (*EveOutEvent) UnmarshalJSON added in v1.0.8 

func (e *EveOutEvent) UnmarshalJSON(d []byte) error

UnmarshalJSON implements filling an EveOutEvent from a byte slice, converting the string in the FlowID field back into a number. This is necessary to ensure that a round-trip (write+read) works.

type ExtraInfo added in v1.0.5 

type ExtraInfo struct {
	BloomIOC     string      `json:"bloom-ioc,omitempty"`
	VastIOC      string      `json:"vast-ioc,omitempty"`
	StenosisInfo interface{} `json:"stenosis-info,omitempty"`
}

ExtraInfo contains non-EVE-standard extra information

type FlowEvent 

type FlowEvent struct {
	Timestamp     uint64
	Format        byte
	SrcIP         []byte
	DestIP        []byte
	SrcPort       uint16
	DestPort      uint16
	BytesToServer uint32
	BytesToClient uint32
	PktsToServer  uint32
	PktsToClient  uint32
	Flags         uint16
}

FlowEvent stores the meta-data of a flow event in a compact, binary form.

func (*FlowEvent) FromEntry 

func (fe *FlowEvent) FromEntry(e *Entry) error

FromEntry populates a FlowEvent using an Entry

func (*FlowEvent) Marshal 

func (fe *FlowEvent) Marshal(writer io.Writer) error

Marshal writes a FlowEvent to an io.Writer.

func (*FlowEvent) Unmarshal 

func (fe *FlowEvent) Unmarshal(reader io.Reader) error

Unmarshal reads a FlowEvent from an io.Reader.

type HTTPEvent 

type HTTPEvent struct {
	Hostname        string `json:"hostname"`
	URL             string `json:"url"`
	HTTPUserAgent   string `json:"http_user_agent"`
	HTTPContentType string `json:"http_content_type"`
	HTTPMethod      string `json:"http_method"`
	Protocol        string `json:"protocol"`
	Status          int    `json:"status"`
	Length          int    `json:"length"`
}

HTTPEvent is an HTTP sub-object of an EVE entry.

type SuriTime added in v1.0.9 

type SuriTime struct{ time.Time }

SuriTime is a Suricata-formatted timestamp string.

func (*SuriTime) MarshalJSON added in v1.0.9 

func (t *SuriTime) MarshalJSON() ([]byte, error)

MarshalJSON converts a SuriTime struct into a JSON byte slice.

func (*SuriTime) UnmarshalJSON added in v1.0.9 

func (t *SuriTime) UnmarshalJSON(b []byte) error

UnmarshalJSON converts a JSON byte slice into a SuriTime struct.

type TLSEvent 

type TLSEvent struct {
	Subject     string `json:"subject"`
	Issuerdn    string `json:"issuerdn"`
	Fingerprint string `json:"fingerprint"`
	Sni         string `json:"sni"`
	Version     string `json:"version"`
}

TLSEvent is a TLS sub-object of an EVE entry.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.